commit 45100eec5f682b606e35ab0567417bf611821a60 Author: Greg Kroah-Hartman Date: Sun Aug 6 09:22:44 2017 -0700 Linux 4.12.5 commit b5dd7985e8d3357ff9537c0be231190ab1a131fe Author: Chris Brandt Date: Wed Jul 12 08:40:01 2017 -0700 mmc: tmio-mmc: fix bad pointer math commit 9c284c41c0886f09e75c323a16278b6d353b0b4a upstream. The existing code gives an incorrect pointer value. The buffer pointer 'buf' was of type unsigned short *, and 'count' was a number in bytes. A cast of buf should have been used. However, instead of casting, just change the code to use u32 pointers. Reported-by: Dan Carpenter Fixes: 8185e51f358a: ("mmc: tmio-mmc: add support for 32bit data port") Signed-off-by: Chris Brandt Reviewed-by: Geert Uytterhoeven Acked-by: Wolfram Sang Cc: Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 75791420f2942f47f4fb5626110723668feea9a7 Author: Al Viro Date: Fri Jul 7 14:51:19 2017 -0400 dentry name snapshots commit 49d31c2f389acfe83417083e1208422b4091cd9e upstream. take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure. dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot(). Intended use: struct name_snapshot s; take_dentry_name_snapshot(&s, dentry); ... access s.name ... release_dentry_name_snapshot(&s); Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit fe57e31e40ae044d74dca595f1cdb9310ad982d7 Author: Valentin Vidic Date: Fri May 5 21:07:33 2017 +0200 ipmi/watchdog: fix watchdog timeout set on reboot commit 860f01e96981a68553f3ca49f574ff14fe955e72 upstream. systemd by default starts watchdog on reboot and sets the timer to ShutdownWatchdogSec=10min. Reboot handler in ipmi_watchdog than reduces the timer to 120s which is not enough time to boot a Xen machine with a lot of RAM. As a result the machine is rebooted the second time during the long run of (XEN) Scrubbing Free RAM..... Fix this by setting the timer to 120s only if it was previously set to a low value. Signed-off-by: Valentin Vidic Signed-off-by: Corey Minyard Signed-off-by: Greg Kroah-Hartman commit cd043db87e4c49fa909a81c0daa2a3786dacf349 Author: Annie Cherkaev Date: Sat Jul 15 15:08:58 2017 -0600 isdn/i4l: fix buffer overflow commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream. This fixes a potential buffer overflow in isdn_net.c caused by an unbounded strcpy. [ ISDN seems to be effectively unmaintained, and the I4L driver in particular is long deprecated, but in case somebody uses this.. - Linus ] Signed-off-by: Jiten Thakkar Signed-off-by: Annie Cherkaev Cc: Karsten Keil Cc: Kees Cook Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9ec2ee3a972d58f808dfadad92ba1b3617740a9f Author: Imre Deak Date: Thu Jul 20 14:28:20 2017 +0300 drm/i915: Fix scaler init during CRTC HW state readout commit 283d6860d64f5091565bf729b0a6d6af14ae6c27 upstream. The scaler allocation code depends on a non-zero default value for the crtc scaler_id, so make sure we initialize the scaler state accordingly even if the crtc is off. This fixes at least an initial YUV420 modeset (added in a follow-up patchset by Shashank) when booting with the screen off: after the initial HW readout and modeset which enables the scaler a subsequent modeset will disable the scaler which isn't properly allocated. This results in a funky HW state where the pipe scaler HW registers can't be modified and the normally black screen is grey and shifted to the right or jitters. The problem was revealed by Shashank's YUV420 patchset and first reported by Ville. v2: - In the stable tag also include versions which need backporting (Jani) Cc: Jani Nikula Cc: Shashank Sharma Cc: Ville Syrjälä Cc: Chandra Konduru Cc: Matt Roper Reported-by: Ville Syrjälä Fixes: a1b2278e4dfc ("drm/i915: skylake panel fitting using shared scalers") Signed-off-by: Imre Deak Reviewed-by: Mahesh Kumar Link: https://patchwork.freedesktop.org/patch/msgid/20170720112820.26816-1-imre.deak@intel.com Signed-off-by: Daniel Vetter (cherry picked from commit 5fb9dadf336f3590c799e8cbde348215dccc2aa2) Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 7a4337a68743a77bc60d7828bd5ed4cd0b416ba6 Author: Ben Skeggs Date: Tue Jul 25 11:06:47 2017 +1000 drm/nouveau/bar/gf100: fix access to upper half of BAR2 commit 38bcb208f60924a031b9f809f7cd252ea4a94e5f upstream. Bit 30 being set causes the upper half of BAR2 to stay in physical mode, mapped over the end of VRAM, even when the rest of the BAR has been set to virtual mode. We inherited our initial value from RM, but I'm not aware of any reason we need to keep it that way. This fixes severe GPU hang/lockup issues revealed by Wayland on F26. Shout-out to NVIDIA for the quick response with the potential cause! Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 3de4f5de00a0a0351e61d477ec33afc4cca711f7 Author: Ilia Mirkin Date: Wed Jun 28 08:24:45 2017 -0400 drm/nouveau/disp/nv50-: bump max chans to 21 commit a90e049cacd965dade4dae7263b4d3fd550e78b6 upstream. GP102's cursors go from chan 17..20. Increase the array size to hold their data properly. Fixes: e50fcff15f ("drm/nouveau/disp/gp102: fix cursor/overlay immediate channel indices") Signed-off-by: Ilia Mirkin Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 631c3a0a71b43e3d9dd99b15444c3533ed218192 Author: Sinclair Yeh Date: Mon Jul 17 07:49:22 2017 -0700 drm/vmwgfx: Limit max desktop dimensions to 8Kx8K commit 7b009e76797c82178d7a03ae0eaad5951d975277 upstream. This was originally chosen to be an arbitrarily large number. However, some user mode may actually try to set a 16Kx16K mode and run into other issues. Since 8Kx8K is the current texture limit for Mesa LLVM driver, we will just use this limit for now. Signed-off-by: Sinclair Yeh Reviewed-by: Brian Paul Signed-off-by: Greg Kroah-Hartman commit 555ac1e5516124dc4c180f059054998a8c9469ff Author: Sinclair Yeh Date: Mon Jul 17 23:28:36 2017 -0700 drm/vmwgfx: Fix gcc-7.1.1 warning commit fcfffdd8f98ac305285dca568b5065ef86be6458 upstream. The current code does not look correct, and the reason for it is probably lost. Since this now generates a compiler warning, fix it to what makes sense. Reported-by: Arnd Bergmann Reported-by: Linus Torvalds Signed-off-by: Sinclair Yeh Reviewed-by: Brian Paul Signed-off-by: Greg Kroah-Hartman commit 9425c1fdc48d3a05ea332b19454cc690faec3ee8 Author: Ofer Heifetz Date: Mon Jul 24 09:17:40 2017 +0300 md/raid5: add thread_group worker async_tx_issue_pending_all commit 7e96d559634b73a8158ee99a7abece2eacec2668 upstream. Since thread_group worker and raid5d kthread are not in sync, if worker writes stripe before raid5d then requests will be waiting for issue_pendig. Issue observed when building raid5 with ext4, in some build runs jbd2 would get hung and requests were waiting in the HW engine waiting to be issued. Fix this by adding a call to async_tx_issue_pending_all in the raid5_do_work. Signed-off-by: Ofer Heifetz Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit 270c1bc38fc531662bddd64a835f4afd83a9562d Author: Shaohua Li Date: Mon Jul 17 14:33:48 2017 -0700 md/raid1: fix writebehind bio clone commit 16d56e2fcc1fc15b981369653c3b41d7ff0b443d upstream. After bio is submitted, we should not clone it as its bi_iter might be invalid by driver. This is the case of behind_master_bio. In certain situration, we could dispatch behind_master_bio immediately for the first disk and then clone it for other disks. https://bugzilla.kernel.org/show_bug.cgi?id=196383 Reported-and-tested-by: Markus Reviewed-by: Ming Lei Fix: 841c1316c7da(md: raid1: improve write behind) Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit b70f86cedc1b5378815083db1d8f31fb9073ced0 Author: Ming Lei Date: Fri Jul 14 16:14:42 2017 +0800 md: remove 'idx' from 'struct resync_pages' commit 022e510fcbda79183fd2cdc01abb01b4be80d03f upstream. bio_add_page() won't fail for resync bio, and the page index for each bio is same, so remove it. More importantly the 'idx' of 'struct resync_pages' is initialized in mempool allocator function, the current way is wrong since mempool is only responsible for allocation, we can't use that for initialization. Suggested-by: NeilBrown Reported-by: NeilBrown Reported-and-tested-by: Patrick Fixes: f0250618361d(md: raid10: don't use bio's vec table to manage resync pages) Fixes: 98d30c5812c3(md: raid1: don't use bio's vec table to manage resync pages) Signed-off-by: Ming Lei Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit bce721912a18fcffda3a19947f5ec4d99996667e Author: Mikulas Patocka Date: Fri Jul 21 11:58:38 2017 -0400 dm integrity: test for corrupted disk format during table load commit bc86a41e96c5b6f07453c405e036d95acc673389 upstream. If the dm-integrity superblock was corrupted in such a way that the journal_sections field was zero, the integrity target would deadlock because it would wait forever for free space in the journal. Detect this situation and refuse to activate the device. Signed-off-by: Mikulas Patocka Fixes: 7eada909bfd7 ("dm: add integrity target") Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit d2df849cda98d053cc29021898c4bcda6159de4f Author: Mikulas Patocka Date: Wed Jul 19 11:23:40 2017 -0400 dm integrity: fix inefficient allocation of journal space commit 9dd59727dbc21d33a9add4c5b308a5775cd5a6ef upstream. When using a block size greater than 512 bytes, the dm-integrity target allocates journal space inefficiently. It allocates one journal entry for each 512-byte chunk of data, fills an entry for each block of data and leaves the remaining entries unused. This issue doesn't cause data corruption, but all the unused journal entries degrade performance severely. For example, with 4k blocks and an 8k bio, it would allocate 16 journal entries but only use 2 entries. The remaining 14 entries were left unused. Fix this by adding the missing 'log2_sectors_per_block' shifts that are required to have each journal entry map to a full block. Signed-off-by: Mikulas Patocka Fixes: 7eada909bfd7 ("dm: add integrity target") Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 85fcbf3da682b217c02aa873fd64c73f6a346f58 Author: Paul Mackerras Date: Fri Jul 21 15:41:49 2017 +1000 KVM: PPC: Book3S HV: Fix host crash on changing HPT size commit ef42719814db06fdfa26cd7566de0b64de173320 upstream. Commit f98a8bf9ee20 ("KVM: PPC: Book3S HV: Allow KVM_PPC_ALLOCATE_HTAB ioctl() to change HPT size", 2016-12-20) changed the behaviour of the KVM_PPC_ALLOCATE_HTAB ioctl so that it now allocates a new HPT and new revmap array if there was a previously-allocated HPT of a different size from the size being requested. In this case, we need to reset the rmap arrays of the memslots, because the rmap arrays will contain references to HPTEs which are no longer valid. Worse, these references are also references to slots in the new revmap array (which parallels the HPT), and the new revmap array contains random contents, since it doesn't get zeroed on allocation. The effect of having these stale references to slots in the revmap array that contain random contents is that subsequent calls to functions such as kvmppc_add_revmap_chain will crash because they will interpret the non-zero contents of the revmap array as HPTE indexes and thus index outside of the revmap array. This leads to host crashes such as the following. [ 7072.862122] Unable to handle kernel paging request for data at address 0xd000000c250c00f8 [ 7072.862218] Faulting instruction address: 0xc0000000000e1c78 [ 7072.862233] Oops: Kernel access of bad area, sig: 11 [#1] [ 7072.862286] SMP NR_CPUS=1024 [ 7072.862286] NUMA [ 7072.862325] PowerNV [ 7072.862378] Modules linked in: kvm_hv vhost_net vhost tap xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm iw_cxgb3 mlx5_ib ib_core ses enclosure scsi_transport_sas ipmi_powernv ipmi_devintf ipmi_msghandler powernv_op_panel i2c_opal nfsd auth_rpcgss oid_registry [ 7072.863085] nfs_acl lockd grace sunrpc kvm_pr kvm xfs libcrc32c scsi_dh_alua dm_service_time radeon lpfc nvme_fc nvme_fabrics nvme_core scsi_transport_fc i2c_algo_bit tg3 drm_kms_helper ptp pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm dm_multipath i2c_core cxgb3 mlx5_core mdio [last unloaded: kvm_hv] [ 7072.863381] CPU: 72 PID: 56929 Comm: qemu-system-ppc Not tainted 4.12.0-kvm+ #59 [ 7072.863457] task: c000000fe29e7600 task.stack: c000001e3ffec000 [ 7072.863520] NIP: c0000000000e1c78 LR: c0000000000e2e3c CTR: c0000000000e25f0 [ 7072.863596] REGS: c000001e3ffef560 TRAP: 0300 Not tainted (4.12.0-kvm+) [ 7072.863658] MSR: 9000000100009033 [ 7072.863667] CR: 44082882 XER: 20000000 [ 7072.863767] CFAR: c0000000000e2e38 DAR: d000000c250c00f8 DSISR: 42000000 SOFTE: 1 GPR00: c0000000000e2e3c c000001e3ffef7e0 c000000001407d00 d000000c250c00f0 GPR04: d00000006509fb70 d00000000b3d2048 0000000003ffdfb7 0000000000000000 GPR08: 00000001007fdfb7 00000000c000000f d0000000250c0000 000000000070f7bf GPR12: 0000000000000008 c00000000fdad000 0000000010879478 00000000105a0d78 GPR16: 00007ffaf4080000 0000000000001190 0000000000000000 0000000000010000 GPR20: 4001ffffff000415 d00000006509fb70 0000000004091190 0000000ee1881190 GPR24: 0000000003ffdfb7 0000000003ffdfb7 00000000007fdfb7 c000000f5c958000 GPR28: d00000002d09fb70 0000000003ffdfb7 d00000006509fb70 d00000000b3d2048 [ 7072.864439] NIP [c0000000000e1c78] kvmppc_add_revmap_chain+0x88/0x130 [ 7072.864503] LR [c0000000000e2e3c] kvmppc_do_h_enter+0x84c/0x9e0 [ 7072.864566] Call Trace: [ 7072.864594] [c000001e3ffef7e0] [c000001e3ffef830] 0xc000001e3ffef830 (unreliable) [ 7072.864671] [c000001e3ffef830] [c0000000000e2e3c] kvmppc_do_h_enter+0x84c/0x9e0 [ 7072.864751] [c000001e3ffef920] [d00000000b38d878] kvmppc_map_vrma+0x168/0x200 [kvm_hv] [ 7072.864831] [c000001e3ffef9e0] [d00000000b38a684] kvmppc_vcpu_run_hv+0x1284/0x1300 [kvm_hv] [ 7072.864914] [c000001e3ffefb30] [d00000000f465664] kvmppc_vcpu_run+0x44/0x60 [kvm] [ 7072.865008] [c000001e3ffefb60] [d00000000f461864] kvm_arch_vcpu_ioctl_run+0x114/0x290 [kvm] [ 7072.865152] [c000001e3ffefbe0] [d00000000f453c98] kvm_vcpu_ioctl+0x598/0x7a0 [kvm] [ 7072.865292] [c000001e3ffefd40] [c000000000389328] do_vfs_ioctl+0xd8/0x8c0 [ 7072.865410] [c000001e3ffefde0] [c000000000389be4] SyS_ioctl+0xd4/0x130 [ 7072.865526] [c000001e3ffefe30] [c00000000000b760] system_call+0x58/0x6c [ 7072.865644] Instruction dump: [ 7072.865715] e95b2110 793a0020 7b4926e4 7f8a4a14 409e0098 807c000c 786326e4 7c6a1a14 [ 7072.865857] 935e0008 7bbd0020 813c000c 913e000c <93a30008> 93bc000c 48000038 60000000 [ 7072.866001] ---[ end trace 627b6e4bf8080edc ]--- Note that to trigger this, it is necessary to use a recent upstream QEMU (or other userspace that resizes the HPT at CAS time), specify a maximum memory size substantially larger than the current memory size, and boot a guest kernel that does not support HPT resizing. This fixes the problem by resetting the rmap arrays when the old HPT is freed. Fixes: f98a8bf9ee20 ("KVM: PPC: Book3S HV: Allow KVM_PPC_ALLOCATE_HTAB ioctl() to change HPT size") Reviewed-by: David Gibson Signed-off-by: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit 805f79fe40e7b9a3159e727cb8c41ba5722c6277 Author: Paul Mackerras Date: Fri Jul 21 13:57:14 2017 +1000 KVM: PPC: Book3S HV: Enable TM before accessing TM registers commit e47057151422a67ce08747176fa21cb3b526a2c9 upstream. Commit 46a704f8409f ("KVM: PPC: Book3S HV: Preserve userspace HTM state properly", 2017-06-15) added code to read transactional memory (TM) registers but forgot to enable TM before doing so. The result is that if userspace does have live values in the TM registers, a KVM_RUN ioctl will cause a host kernel crash like this: [ 181.328511] Unrecoverable TM Unavailable Exception f60 at d00000001e7d9980 [ 181.328605] Oops: Unrecoverable TM Unavailable Exception, sig: 6 [#1] [ 181.328613] SMP NR_CPUS=2048 [ 181.328613] NUMA [ 181.328618] PowerNV [ 181.328646] Modules linked in: vhost_net vhost tap nfs_layout_nfsv41_files rpcsec_gss_krb5 nfsv4 dns_resolver nfs +fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat +nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun ebtable_filter ebtables +ip6table_filter ip6_tables iptable_filter bridge stp llc kvm_hv kvm nfsd ses enclosure scsi_transport_sas ghash_generic +auth_rpcgss gf128mul xts sg ctr nfs_acl lockd vmx_crypto shpchp ipmi_powernv i2c_opal grace ipmi_devintf i2c_core +powernv_rng sunrpc ipmi_msghandler ibmpowernv uio_pdrv_genirq uio leds_powernv powernv_op_panel ip_tables xfs sd_mod +lpfc ipr bnx2x libata mdio ptp pps_core scsi_transport_fc libcrc32c dm_mirror dm_region_hash dm_log dm_mod [ 181.329278] CPU: 40 PID: 9926 Comm: CPU 0/KVM Not tainted 4.12.0+ #1 [ 181.329337] task: c000003fc6980000 task.stack: c000003fe4d80000 [ 181.329396] NIP: d00000001e7d9980 LR: d00000001e77381c CTR: d00000001e7d98f0 [ 181.329465] REGS: c000003fe4d837e0 TRAP: 0f60 Not tainted (4.12.0+) [ 181.329523] MSR: 9000000000009033 [ 181.329527] CR: 24022448 XER: 00000000 [ 181.329608] CFAR: d00000001e773818 SOFTE: 1 [ 181.329608] GPR00: d00000001e77381c c000003fe4d83a60 d00000001e7ef410 c000003fdcfe0000 [ 181.329608] GPR04: c000003fe4f00000 0000000000000000 0000000000000000 c000003fd7954800 [ 181.329608] GPR08: 0000000000000001 c000003fc6980000 0000000000000000 d00000001e7e2880 [ 181.329608] GPR12: d00000001e7d98f0 c000000007b19000 00000001295220e0 00007fffc0ce2090 [ 181.329608] GPR16: 0000010011886608 00007fff8c89f260 0000000000000001 00007fff8c080028 [ 181.329608] GPR20: 0000000000000000 00000100118500a6 0000010011850000 0000010011850000 [ 181.329608] GPR24: 00007fffc0ce1b48 0000010011850000 00000000d673b901 0000000000000000 [ 181.329608] GPR28: 0000000000000000 c000003fdcfe0000 c000003fdcfe0000 c000003fe4f00000 [ 181.330199] NIP [d00000001e7d9980] kvmppc_vcpu_run_hv+0x90/0x6b0 [kvm_hv] [ 181.330264] LR [d00000001e77381c] kvmppc_vcpu_run+0x2c/0x40 [kvm] [ 181.330322] Call Trace: [ 181.330351] [c000003fe4d83a60] [d00000001e773478] kvmppc_set_one_reg+0x48/0x340 [kvm] (unreliable) [ 181.330437] [c000003fe4d83b30] [d00000001e77381c] kvmppc_vcpu_run+0x2c/0x40 [kvm] [ 181.330513] [c000003fe4d83b50] [d00000001e7700b4] kvm_arch_vcpu_ioctl_run+0x114/0x2a0 [kvm] [ 181.330586] [c000003fe4d83bd0] [d00000001e7642f8] kvm_vcpu_ioctl+0x598/0x7a0 [kvm] [ 181.330658] [c000003fe4d83d40] [c0000000003451b8] do_vfs_ioctl+0xc8/0x8b0 [ 181.330717] [c000003fe4d83de0] [c000000000345a64] SyS_ioctl+0xc4/0x120 [ 181.330776] [c000003fe4d83e30] [c00000000000b004] system_call+0x58/0x6c [ 181.330833] Instruction dump: [ 181.330869] e92d0260 e9290b50 e9290108 792807e3 41820058 e92d0260 e9290b50 e9290108 [ 181.330941] 792ae8a4 794a1f87 408204f4 e92d0260 <7d4022a6> f9490ff0 e92d0260 7d4122a6 [ 181.331013] ---[ end trace 6f6ddeb4bfe92a92 ]--- The fix is just to turn on the TM bit in the MSR before accessing the registers. Fixes: 46a704f8409f ("KVM: PPC: Book3S HV: Preserve userspace HTM state properly") Reported-by: Jan Stancek Tested-by: Jan Stancek Signed-off-by: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit 0cc185f8da6f5a2171a06251c503bfa73ad30326 Author: Herbert Xu Date: Mon Jul 17 15:32:30 2017 +0800 crypto: authencesn - Fix digest_null crash commit 41cdf7a45389e01991ee31e3301ed83cb3e3f7dc upstream. When authencesn is used together with digest_null a crash will occur on the decrypt path. This is because normally we perform a special setup to preserve the ESN, but this is skipped if there is no authentication. However, on the post-authentication path it always expects the preservation to be in place, thus causing a crash when digest_null is used. This patch fixes this by also skipping the post-processing when there is no authentication. Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...") Reported-by: Jan Tluka Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 7554163e07918b8923360772767f5072eade6137 Author: raveendra padasalagi Date: Tue Jul 11 15:50:06 2017 +0530 crypto: brcm - remove BCM_PDC_MBOX dependency in Kconfig commit efc856edfd66acc5da34fec92d7feca6fd0f9add upstream. SPU driver is dependent on generic MAILBOX API's to communicate with underlying DMA engine driver. So this patch removes BCM_PDC_MBOX "depends on" for SPU driver in Kconfig and adds MAILBOX as dependent module. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Raveendra Padasalagi Reviewed-by: Ray Jui Reviewed-by: Scott Branden Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit cb427325a7584bde70289712202cc860f595d203 Author: raveendra padasalagi Date: Fri Jun 23 14:34:08 2017 +0530 crypto: brcm - Fix SHA3-512 algorithm failure commit a7e6e5d8b221e57fed9fda6ec81153fda773c073 upstream. In Broadcom SPU driver, due to missing break statement in spu2_hash_xlate() while mapping SPU2 equivalent SHA3-512 value, -EINVAL is chosen and hence leading to failure of SHA3-512 algorithm. This patch fixes the same. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Raveendra Padasalagi Reviewed-by: Ray Jui Reviewed-by: Scott Branden Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 18ba45c7a32379369a3b87ab78d2bedaacbf1bba Author: Frank Rowand Date: Wed Jul 19 18:35:31 2017 -0700 scripts/dtc: dtx_diff - update include dts paths to match build commit b4b201d88b7c9b3c6acdd03f9adec0c9857548ce upstream. Update the cpp include flags for compiling device tree dts files to match the changes made to the kernel build process in commit d5d332d3f7e8 ("devicetree: Move include prefixes from arch to separate directory"). Signed-off-by: Frank Rowand Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman commit 444266929bcbf11264e8f98df58c4c662cc506b9 Author: Benjamin Coddington Date: Fri Jul 28 12:33:54 2017 -0400 NFSv4.1: Fix a race where CB_NOTIFY_LOCK fails to wake a waiter commit b7dbcc0e433f0f61acb89ed9861ec996be4f2b38 upstream. nfs4_retry_setlk() sets the task's state to TASK_INTERRUPTIBLE within the same region protected by the wait_queue's lock after checking for a notification from CB_NOTIFY_LOCK callback. However, after releasing that lock, a wakeup for that task may race in before the call to freezable_schedule_timeout_interruptible() and set TASK_WAKING, then freezable_schedule_timeout_interruptible() will set the state back to TASK_INTERRUPTIBLE before the task will sleep. The result is that the task will sleep for the entire duration of the timeout. Since we've already set TASK_INTERRUPTIBLE in the locked section, just use freezable_schedule_timout() instead. Fixes: a1d617d8f134 ("nfs: allow blocking locks to be awoken by lock callbacks") Signed-off-by: Benjamin Coddington Reviewed-by: Jeff Layton Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit ff197322425b3a875c9cf247fad99b775e547e63 Author: NeilBrown Date: Mon Jul 24 13:18:50 2017 +1000 NFS: invalidate file size when taking a lock. commit 442ce0499c0535f8972b68fa1fda357357a5c953 upstream. Prior to commit ca0daa277aca ("NFS: Cache aggressively when file is open for writing"), NFS would revalidate, or invalidate, the file size when taking a lock. Since that commit it only invalidates the file content. If the file size is changed on the server while wait for the lock, the client will have an incorrect understanding of the file size and could corrupt data. This particularly happens when writing beyond the (supposed) end of file and can be easily be demonstrated with posix_fallocate(). If an application opens an empty file, waits for a write lock, and then calls posix_fallocate(), glibc will determine that the underlying filesystem doesn't support fallocate (assuming version 4.1 or earlier) and will write out a '0' byte at the end of each 4K page in the region being fallocated that is after the end of the file. NFS will (usually) detect that these writes are beyond EOF and will expand them to cover the whole page, and then will merge the pages. Consequently, NFS will write out large blocks of zeroes beyond where it thought EOF was. If EOF had moved, the pre-existing part of the file will be over-written. Locking should have protected against this, but it doesn't. This patch restores the use of nfs_zap_caches() which invalidated the cached attributes. When posix_fallocate() asks for the file size, the request will go to the server and get a correct answer. Fixes: ca0daa277aca ("NFS: Cache aggressively when file is open for writing") Signed-off-by: NeilBrown Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 81ee669342f9c04488beba297987e43254cb9178 Author: Chen-Yu Tsai Date: Fri Jul 14 14:42:55 2017 +0800 mmc: sunxi: Keep default timing phase settings for new timing mode commit 26cb2be4c7c42644ccd147c786edb9006300ee56 upstream. The register for the "new timing mode" also has bit fields for setting output and sample timing phases. According to comments in Allwinner's BSP kernel, the default values are good enough. Keep the default values already in the hardware when setting new timing mode, instead of overwriting the whole register. Fixes: 9a37e53e451e ("mmc: sunxi: Enable the new timings for the A64 MMC controllers") Signed-off-by: Chen-Yu Tsai Acked-by: Maxime Ripard Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 2759c248cddcb394b4858c57158fbb28eab1716f Author: Laurent Vivier Date: Fri Jul 21 16:51:39 2017 +0200 powerpc/pseries: Fix of_node_put() underflow during reconfig remove commit 4fd1bd443e80b12f0a01a45fb9a793206b41cb72 upstream. As for commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow during DLPAR remove"), the call to of_node_put() must be removed from pSeries_reconfig_remove_node(). dlpar_detach_node() and pSeries_reconfig_remove_node() both call of_detach_node(), and thus the node should not be released in both cases. Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes") Signed-off-by: Laurent Vivier Reviewed-by: David Gibson Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 54fcef6941197a97719e58d86c4658f3e61c24aa Author: Helge Deller Date: Tue Jul 25 21:41:41 2017 +0200 parisc: Suspend lockup detectors before system halt commit 56188832a50f09998cb570ba3771a1d25c193c0e upstream. Some machines can't power off the machine, so disable the lockup detectors to avoid this watchdog BUG to show up every few seconds: watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [systemd-shutdow:1] Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 70f8efda5a9e473c4663ff1a9b3a783f88db3918 Author: John David Anglin Date: Tue Jul 25 17:23:35 2017 -0400 parisc: Extend disabled preemption in copy_user_page commit 56008c04ebc099940021b714da2d7779117cf6a7 upstream. It's always bothered me that we only disable preemption in copy_user_page around the call to flush_dcache_page_asm. This patch extends this to after the copy. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 40b20d4ebd955a6be1fde47a54cc7f8173d54968 Author: John David Anglin Date: Tue Jul 25 17:11:26 2017 -0400 parisc: Prevent TLB speculation on flushed pages on CPUs that only support equivalent aliases commit ae7a609c34b6fb12328c553b5f9aab26ae74a28e upstream. Helge noticed that we flush the TLB page in flush_cache_page but not in flush_cache_range or flush_cache_mm. For a long time, we have had random segmentation faults building packages on machines with PA8800/8900 processors. These machines only support equivalent aliases. We don't see these faults on machines that don't require strict coherency. So, it appears TLB speculation sometimes leads to cache corruption on machines that require coherency. This patch adds TLB flushes to flush_cache_range and flush_cache_mm when coherency is required. We only flush the TLB in flush_cache_page when coherency is required. The patch also optimizes flush_cache_range. It turns out we always have the right context to use flush_user_dcache_range_asm and flush_user_icache_range_asm. The patch has been tested for some time on rp3440, rp3410 and A500-44. It's been boot tested on c8000. No random segmentation faults were observed during testing. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit a873b148ebfb24efb6fd5873dc7951d4f03cd1a6 Author: Kai-Heng Feng Date: Wed Jul 26 00:23:46 2017 +0800 ALSA: hda - Add mute led support for HP ProBook 440 G4 commit ba92b1142879731f80377770f4710e5f0a953aad upstream. Mic mute led does not work on HP ProBook 440 G4. We can use CXT_FIXUP_MUTE_LED_GPIO fixup to support it. BugLink: https://bugs.launchpad.net/bugs/1705586 Signed-off-by: Kai-Heng Feng Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 57ec4278773a52740854de09bb03d966d89e65a6 Author: Daniel Dadap Date: Thu Jul 13 19:27:39 2017 -0500 ALSA: hda - Add missing NVIDIA GPU codec IDs to patch table commit 74ec118152ea494a25ebb677cbc83a75c982ac5f upstream. Add codec IDs for several recently released, pending, and historical NVIDIA GPU audio controllers to the patch table, to allow the correct patch functions to be selected for them. Signed-off-by: Daniel Dadap Reviewed-by: Andy Ritger Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4f767bbee0b441f6bce9759b762c6dc662944dfe Author: Andy Shevchenko Date: Sun Jul 16 21:40:03 2017 +0300 ALSA: fm801: Initialize chip after IRQ handler is registered commit 610e1ae9b533be82b3aa118b907e0a703256913d upstream. The commit b56fa687e02b ("ALSA: fm801: detect FM-only card earlier") rearranged initialization calls, i.e. it makes snd_fm801_chip_init() to be called before we register interrupt handler and set PCI bus mastering. Somehow it prevents FM801-AU to work properly. Thus, partially revert initialization order changed by commit mentioned above. Fixes: b56fa687e02b ("ALSA: fm801: detect FM-only card earlier") Reported-by: Émeric MASCHINO Tested-by: Émeric MASCHINO Signed-off-by: Andy Shevchenko Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f6bf07da950f465c057ffa53c9a67c70262cdcb6 Author: Jan Kara Date: Thu Jun 22 15:31:10 2017 +0200 jfs: Don't clear SGID when inheriting ACLs commit 9bcf66c72d726322441ec82962994e69157613e4 upstream. When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit set, DIR1 is expected to have SGID bit set (and owning group equal to the owning group of 'DIR0'). However when 'DIR0' also has some default ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on 'DIR1' to get cleared if user is not member of the owning group. Fix the problem by moving posix_acl_update_mode() out of __jfs_set_acl() into jfs_set_acl(). That way the function will not be called when inheriting ACLs which is what we want as it prevents SGID bit clearing and the mode has been properly set by posix_acl_create() anyway. Fixes: 073931017b49d9458aa351605b43a7e34598caef CC: jfs-discussion@lists.sourceforge.net Signed-off-by: Jan Kara Signed-off-by: Dave Kleikamp Signed-off-by: Greg Kroah-Hartman