commit b32d16ec995683be888520d12d8f2833efee5dae Author: Greg Kroah-Hartman Date: Tue Nov 27 16:13:11 2018 +0100 Linux 4.19.5 commit 0d9813319b40399a0d8fd761d2fcfedee5701487 Author: Lorenzo Bianconi Date: Fri Sep 7 23:13:12 2018 +0200 mt76x0: run vco calibration for each channel configuration commit 473f0a763d2c7cd68a6dedf51e7d81e8f58f78ac upstream. According to vendor sdk, vco calibration has to be executed for each channel configuration whereas mcu calibration has to be performed during channel scanning. This patch fixes the mt76x0 monitor mode issue since in that configuration vco calibration was never executed Fixes: 10de7a8b4ab9 ("mt76x0: phy files") Tested-by: Sid Hayn Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Cc: Stanislaw Gruszka Signed-off-by: Greg Kroah-Hartman commit 02e28d5b8537a4438207937e450c302c04db06f5 Author: Ilya Dryomov Date: Thu Nov 8 15:55:37 2018 +0100 libceph: fall back to sendmsg for slab pages commit 7e241f647dc7087a0401418a187f3f5b527cc690 upstream. skb_can_coalesce() allows coalescing neighboring slab objects into a single frag: return page == skb_frag_page(frag) && off == frag->page_offset + skb_frag_size(frag); ceph_tcp_sendpage() can be handed slab pages. One example of this is XFS: it passes down sector sized slab objects for its metadata I/O. If the kernel client is co-located on the OSD node, the skb may go through loopback and pop on the receive side with the exact same set of frags. When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy complains because the size exceeds the object's allocated size: usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes) Although skb_can_coalesce() could be taught to return false if the resulting frag would cross a slab object boundary, we already have a fallback for non-refcounted pages. Utilize it for slab pages too. Cc: stable@vger.kernel.org # 4.8+ Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 8ef7c76cb91afdb58b6b2a5933590e1dfbd0dc83 Author: Sebastian Parschauer Date: Wed Nov 7 13:36:40 2018 +0100 HID: Add quirk for Microsoft PIXART OEM mouse commit e82e62e390d39c3819641cd721695702180d54fb upstream. The PixArt OEM mice are known for disconnecting every minute in runlevel 1 or 3 if they are not always polled. So add quirk ALWAYS_POLL for this one as well. References: https://www.spinics.net/lists/linux-usb/msg88965.html http://linet.gr.jp/~kojima/PlamoWeb/ML/htdocs/201808/msg00019.html Signed-off-by: Sebastian Parschauer CC: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 0c874f9e7661b344e6ba527fcdfad59c982cb90f Author: Sebastian Parschauer Date: Tue Nov 20 07:25:08 2018 +0100 HID: Add quirk for Primax PIXART OEM mice commit fb862c3b199d28bee238d52e8270eae8650d6cb0 upstream. The PixArt OEM mice are known for disconnecting every minute in runlevel 1 or 3 if they are not always polled. So add quirk ALWAYS_POLL for two Primax mice as well. 0x4e22 is the Dell MS111-P and 0x4d0f is the unbranded HP Portia mouse HP 697738-001. Both were built until approx. 2014. Those were the standard mice from those vendors and are still around - even as new old stock. Reference: https://github.com/sriemer/fix-linux-mouse/issues/11 Signed-off-by: Sebastian Parschauer CC: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit cf7de65800299b9699c401ea45b9536b8bacddf5 Author: Eric Biggers Date: Wed Nov 14 13:55:09 2018 -0800 HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream. When a UHID_CREATE command is written to the uhid char device, a copy_from_user() is done from a user pointer embedded in the command. When the address limit is KERNEL_DS, e.g. as is the case during sys_sendfile(), this can read from kernel memory. Alternatively, information can be leaked from a setuid binary that is tricked to write to the file descriptor. Therefore, forbid UHID_CREATE in these cases. No other commands in uhid_char_write() are affected by this bug and UHID_CREATE is marked as "obsolete", so apply the restriction to UHID_CREATE only rather than to uhid_char_write() entirely. Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses"), allowing this bug to be found. Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events") Cc: # v3.6+ Cc: Jann Horn Cc: Andy Lutomirski Signed-off-by: Eric Biggers Reviewed-by: Jann Horn Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit a73a8c3b15f145f0fb8b52246994a88437f15381 Author: Hans de Goede Date: Mon Nov 19 19:06:01 2018 +0100 ACPI / platform: Add SMB0001 HID to forbidden_id_list commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream. Many HP AMD based laptops contain an SMB0001 device like this: Device (SMBD) { Name (_HID, "SMB0001") // _HID: Hardware ID Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings { IO (Decode16, 0x0B20, // Range Minimum 0x0B20, // Range Maximum 0x20, // Alignment 0x20, // Length ) IRQ (Level, ActiveLow, Shared, ) {7} }) } The legacy style IRQ resource here causes acpi_dev_get_irqresource() to be called with legacy=true and this message to show in dmesg: ACPI: IRQ 7 override to edge, high This causes issues when later on the AMD0030 GPIO device gets enumerated: Device (GPIO) { Name (_HID, "AMDI0030") // _HID: Hardware ID Name (_CID, "AMDI0030") // _CID: Compatible ID Name (_UID, Zero) // _UID: Unique ID Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings { Name (RBUF, ResourceTemplate () { Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, ) { 0x00000007, } Memory32Fixed (ReadWrite, 0xFED81500, // Address Base 0x00000400, // Address Length ) }) Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */ } } Now acpi_dev_get_irqresource() gets called with legacy=false, but because of the earlier override of the trigger-type acpi_register_gsi() returns -EBUSY (because we try to register the same interrupt with a different trigger-type) and we end up setting IORESOURCE_DISABLED in the flags. The setting of IORESOURCE_DISABLED causes platform_get_irq() to call acpi_irq_get() which is not implemented on x86 and returns -EINVAL. resulting in the following in dmesg: amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22 amd_gpio: probe of AMDI0030:00 failed with error -22 The SMB0001 is a "virtual" device in the sense that the only way the OS interacts with it is through calling a couple of methods to do SMBus transfers. As such it is weird that it has IO and IRQ resources at all, because the driver for it is not expected to ever access the hardware directly. The Linux driver for the SMB0001 device directly binds to the acpi_device through the acpi_bus, so we do not need to instantiate a platform_device for this ACPI device. This commit adds the SMB0001 HID to the forbidden_id_list, avoiding the instantiating of a platform_device for it. Not instantiating a platform_device means we will no longer call acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of the AMDI0030 device failing. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013 BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715 BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523 Reported-by: Lukas Kahnert Tested-by: Marc Cc: All applicable Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 3e31936ba001b3d7450898ece1bfeb7c1a6bbc5d Author: Gustavo A. R. Silva Date: Tue Oct 16 12:59:44 2018 +0200 drivers/misc/sgi-gru: fix Spectre v1 vulnerability commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream. req.gid can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn: potential spectre issue 'gru_base' [w] Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which uses it to index gru_base. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Signed-off-by: Greg Kroah-Hartman commit 78ac3038245938d164b9843dcaa4794b0659ed31 Author: Johan Hovold Date: Mon Aug 27 10:21:49 2018 +0200 mtd: rawnand: atmel: fix OF child-node lookup commit 5d1e9c2212ea6b4dd735e4fc3dd6279a365d5d10 upstream. Use the new of_get_compatible_child() helper to lookup the nfc child node instead of using of_find_compatible_node(), which searches the entire tree from a given start node and thus can return an unrelated (i.e. non-child) node. This also addresses a potential use-after-free (e.g. after probe deferral) as the tree-wide helper drops a reference to its first argument (i.e. the node of the device being probed). While at it, also fix a related nfc-node reference leak. Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") Cc: stable # 4.11 Cc: Nicolas Ferre Cc: Josh Wu Cc: Boris Brezillon Signed-off-by: Johan Hovold Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit 466720dc7769643948dc6c26e8162c82b88775fc Author: Johan Hovold Date: Wed Nov 14 09:37:54 2018 +0100 gnss: sirf: fix synchronous write timeout commit 1decef370456870bf448a565be95db636428e106 upstream. Passing a timeout of zero to the synchronous serdev_device_write() helper does currently not imply to wait forever (unlike passing zero to serdev_device_wait_until_sent()). Instead, if there's insufficient room in the write buffer, we'd end up with an incomplete write. Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers") Cc: stable # 4.19 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9cdfd2233a6b6e98f5221764b634227bdf6c1764 Author: Johan Hovold Date: Wed Nov 14 09:33:57 2018 +0100 gnss: serial: fix synchronous write timeout commit 56a6c7268312cba9436b84cac01b3e502c5c511d upstream. Passing a timeout of zero to the synchronous serdev_device_write() helper does currently not imply to wait forever (unlike passing zero to serdev_device_wait_until_sent()). Instead, if there's insufficient room in the write buffer, we'd end up with an incomplete write. Fixes: 37768b054f20 ("gnss: add generic serial driver") Cc: stable # 4.19 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 3b0fa609e00140ee1ca7300eb6fd023ba5b00193 Author: Mattias Jacobsson <2pi@mok.nu> Date: Sun Oct 21 11:25:37 2018 +0200 USB: misc: appledisplay: add 20" Apple Cinema Display commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream. Add another Apple Cinema Display to the list of supported displays Signed-off-by: Mattias Jacobsson <2pi@mok.nu> Cc: stable Signed-off-by: Greg Kroah-Hartman commit e591b9069b0c93be8e39ef054f07f41c1458e928 Author: Nathan Chancellor Date: Wed Oct 17 10:09:02 2018 -0700 misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream. After building the kernel with Clang, the following section mismatch warning appears: WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from the function ssc_probe() to the function .init.text:atmel_ssc_get_driver_data() The function ssc_probe() references the function __init atmel_ssc_get_driver_data(). This is often because ssc_probe lacks a __init annotation or the annotation of atmel_ssc_get_driver_data is wrong. Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch. Signed-off-by: Nathan Chancellor Cc: stable Signed-off-by: Greg Kroah-Hartman commit 74f5f46a088d5baa03dabe66965998a818fab099 Author: Emmanuel Pescosta Date: Fri Oct 26 14:48:09 2018 +0200 usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB commit a77112577667cbda7c6292c52d909636aef31fd9 upstream. Following on from this patch: https://lkml.org/lkml/2017/11/3/516, Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to start correctly at boot. Dmesg output: usb 1-6: string descriptor 0 read error: -110 usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33 usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-6: can't set config #1, error -110 Signed-off-by: Emmanuel Pescosta Cc: stable Signed-off-by: Greg Kroah-Hartman commit ed8acd13e770a1c3ab660d1c0cd83807c3979631 Author: Kai-Heng Feng Date: Fri Oct 19 16:14:50 2018 +0800 USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub commit 781f0766cc41a9dd2e5d118ef4b1d5d89430257b upstream. Devices connected under Terminus Technology Inc. Hub (1a40:0101) may fail to work after the system resumes from suspend: [ 206.063325] usb 3-2.4: reset full-speed USB device number 4 using xhci_hcd [ 206.143691] usb 3-2.4: device descriptor read/64, error -32 [ 206.351671] usb 3-2.4: device descriptor read/64, error -32 Info for this hub: T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 4 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1a40 ProdID=0101 Rev=01.11 S: Product=USB 2.0 Hub C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub Some expirements indicate that the USB devices connected to the hub are innocent, it's the hub itself is to blame. The hub needs extra delay time after it resets its port. Hence wait for extra delay, if the device is connected to this quirky hub. Signed-off-by: Kai-Heng Feng Cc: stable Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 20aa051f0004d809c5b8f821161880046c136bdd Author: Kai-Heng Feng Date: Fri Oct 26 13:33:15 2018 +0800 USB: quirks: Add no-lpm quirk for Raydium touchscreens commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream. Raydium USB touchscreen fails to set config if LPM is enabled: [ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119 [ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 2.030660] usb 1-8: Product: Raydium Touch System [ 2.030661] usb 1-8: Manufacturer: Raydium Corporation [ 7.132209] usb 1-8: can't set config #1, error -110 Same behavior can be observed on 2386:3114. Raydium claims the touchscreen supports LPM under Windows, so I used Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows that the LPM doesn't work under Windows, either. So let's just disable LPM for Raydium touchscreens. [1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools Signed-off-by: Kai-Heng Feng Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 16a57ceaeddd9dae141c43a16ed15c1a6300e35b Author: Maarten Jacobs Date: Mon Nov 19 23:18:49 2018 +0000 usb: cdc-acm: add entry for Hiro (Conexant) modem commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream. The cdc-acm kernel module currently does not support the Hiro (Conexant) H05228 USB modem. The patch below adds the device specific information: idVendor 0x0572 idProduct 0x1349 Signed-off-by: Maarten Jacobs Acked-by: Oliver Neukum Cc: stable Signed-off-by: Greg Kroah-Hartman commit 2909e53a72ce7262a627658fdac65916e952ea73 Author: Jimmy Assarsson Date: Mon Aug 6 15:14:50 2018 +0200 can: kvaser_usb: Fix potential uninitialized variable use commit 95217260649aa504eb5d4a0d50959ca4e67c8f96 upstream. If alloc_can_err_skb() fails, cf is never initialized. Move assignment of cf inside check. Reported-by: Dan Carpenter Signed-off-by: Jimmy Assarsson Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 667bd202c5aa10d62afabd5b748bd6709227e88b Author: Jimmy Assarsson Date: Mon Aug 6 15:14:49 2018 +0200 can: kvaser_usb: Fix accessing freed memory in kvaser_usb_start_xmit() commit e13fb9b37cc00616b90df2d620f30345b5ada6ff upstream. The call to can_put_echo_skb() may result in the skb being freed. The skb is later used in the call to dev->ops->dev_frame_to_cmd(). This is avoided by moving the call to can_put_echo_skb() after dev->ops->dev_frame_to_cmd(). Reported-by: Dan Carpenter Signed-off-by: Jimmy Assarsson Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit a0d5745e5a1c03650bb9f8012afda790e7910c07 Author: Takashi Iwai Date: Mon Nov 12 12:26:57 2018 +0100 ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap() commit d99501b8575dc1248bacf1b58d2241cb4b265d49 upstream. We need to call pci_iounmap() instead of iounmap() for the regions obtained via pci_iomap() call for some archs that need special treatment. Fixes: aa31704fd81c ("ALSA: hda/ca0132: Add PCI region2 iomap for SBZ") Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e4d1784e1445409b264d6d2b756289144bfd4143 Author: Takashi Iwai Date: Mon Nov 12 09:43:12 2018 +0100 ALSA: hda/realtek - Add quirk entry for HP Pavilion 15 commit 563785edfcef02b566e64fb5292c74c1600808aa upstream. HP Pavilion 15 (103c:820d) with ALC295 codec requires the quirk for the mute LED control over mic3 pin. Added the corresponding quirk entry. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201653 Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8600660ce149b32961d0f298eb6cd1c22a161fb1 Author: Dan Carpenter Date: Fri Oct 26 10:19:51 2018 +0300 uio: Fix an Oops on load commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. I was trying to solve a double free but I introduced a more serious NULL dereference bug. The problem is that if there is an IRQ which triggers immediately, then we need "info->uio_dev" but it's not set yet. This patch puts the original initialization back to how it was and just sets info->uio_dev to NULL on the error path so it should solve both the Oops and the double free. Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") Reported-by: Mathias Thore Signed-off-by: Dan Carpenter Cc: stable Tested-by: Mathias Thore Signed-off-by: Greg Kroah-Hartman commit a0d5f816c574fe5faaba7c19f4a3b5b11aca8c63 Author: Olof Johansson Date: Wed Nov 14 16:27:55 2018 -0800 RISC-V: Fix raw_copy_{to,from}_user() commit 21f70d4abf9e17c2e3d7e64b7bfa3424e017f176 upstream. Sparse highlighted it, and appears to be a pure bug (from vs to). ./arch/riscv/include/asm/uaccess.h:403:35: warning: incorrect type in argument 1 (different address spaces) ./arch/riscv/include/asm/uaccess.h:403:39: warning: incorrect type in argument 2 (different address spaces) ./arch/riscv/include/asm/uaccess.h:409:37: warning: incorrect type in argument 1 (different address spaces) ./arch/riscv/include/asm/uaccess.h:409:41: warning: incorrect type in argument 2 (different address spaces) Signed-off-by: Olof Johansson Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 0483179a330f1ceeae6ba781f3590fd61b3502e8 Author: Aaro Koskinen Date: Sun Nov 11 00:06:12 2018 +0200 MIPS: OCTEON: cavium_octeon_defconfig: re-enable OCTEON USB driver commit 82fba2df7f7c019627f24c5036dc99f41731d770 upstream. Re-enable OCTEON USB driver which is needed on older hardware (e.g. EdgeRouter Lite) for mass storage etc. This got accidentally deleted when config options were changed for OCTEON2/3 USB. Signed-off-by: Aaro Koskinen Signed-off-by: Paul Burton Fixes: f922bc0ad08b ("MIPS: Octeon: cavium_octeon_defconfig: Enable more drivers") Patchwork: https://patchwork.linux-mips.org/patch/21077/ Cc: Ralf Baechle Cc: James Hogan Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org # 4.14+ Signed-off-by: Greg Kroah-Hartman commit eaa7def0549ee89f92e4e1b2627f1f4c7fa78bb4 Author: Sakari Ailus Date: Mon Nov 5 09:35:44 2018 -0500 media: v4l: event: Add subscription to list before calling "add" operation commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream. Patch ad608fbcf166 changed how events were subscribed to address an issue elsewhere. As a side effect of that change, the "add" callback was called before the event subscription was added to the list of subscribed events, causing the first event queued by the add callback (and possibly other events arriving soon afterwards) to be lost. Fix this by adding the subscription to the list before calling the "add" callback, and clean up afterwards if that fails. Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed") Reported-by: Dave Stevenson Signed-off-by: Sakari Ailus Tested-by: Dave Stevenson Reviewed-by: Hans Verkuil Tested-by: Hans Verkuil Cc: stable@vger.kernel.org (for 4.14 and up) Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 88723e6ec53b135e6e4fde1e1336386fa358adc5 Author: Kirill A. Shutemov Date: Fri Oct 26 15:28:56 2018 +0300 x86/ldt: Remove unused variable in map_ldt_struct() commit b082f2dd80612015cd6d9d84e52099734ec9a0e1 upstream Splitting out the sanity check in map_ldt_struct() moved page table syncing into a separate function, which made the pgd variable unused. Remove it. [ tglx: Massaged changelog ] Fixes: 9bae3197e15d ("x86/ldt: Split out sanity check in map_ldt_struct()") Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Reviewed-by: Andy Lutomirski Cc: bp@alien8.de Cc: hpa@zytor.com Cc: dave.hansen@linux.intel.com Cc: peterz@infradead.org Cc: boris.ostrovsky@oracle.com Cc: jgross@suse.com Cc: bhe@redhat.com Cc: willy@infradead.org Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20181026122856.66224-4-kirill.shutemov@linux.intel.com Signed-off-by: Sasha Levin commit b0f16f98d306c0ee0df7b506fd15a1dc3f8888dc Author: Kirill A. Shutemov Date: Fri Oct 26 15:28:55 2018 +0300 x86/ldt: Unmap PTEs for the slot before freeing LDT pages commit a0e6e0831c516860fc7f9be1db6c081fe902ebcf upstream modify_ldt(2) leaves the old LDT mapped after switching over to the new one. The old LDT gets freed and the pages can be re-used. Leaving the mapping in place can have security implications. The mapping is present in the userspace page tables and Meltdown-like attacks can read these freed and possibly reused pages. It's relatively simple to fix: unmap the old LDT and flush TLB before freeing the old LDT memory. This further allows to avoid flushing the TLB in map_ldt_struct() as the slot is unmapped and flushed by unmap_ldt_struct() or has never been mapped at all. [ tglx: Massaged changelog and removed the needless line breaks ] Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on") Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Cc: bp@alien8.de Cc: hpa@zytor.com Cc: dave.hansen@linux.intel.com Cc: luto@kernel.org Cc: peterz@infradead.org Cc: boris.ostrovsky@oracle.com Cc: jgross@suse.com Cc: bhe@redhat.com Cc: willy@infradead.org Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20181026122856.66224-3-kirill.shutemov@linux.intel.com Signed-off-by: Sasha Levin commit 4074ca7d8a1832921c865d250bbd08f3441b3657 Author: Kirill A. Shutemov Date: Fri Oct 26 15:28:54 2018 +0300 x86/mm: Move LDT remap out of KASLR region on 5-level paging commit d52888aa2753e3063a9d3a0c9f72f94aa9809c15 upstream On 5-level paging the LDT remap area is placed in the middle of the KASLR randomization region and it can overlap with the direct mapping, the vmalloc or the vmap area. The LDT mapping is per mm, so it cannot be moved into the P4D page table next to the CPU_ENTRY_AREA without complicating PGD table allocation for 5-level paging. The 4 PGD slot gap just before the direct mapping is reserved for hypervisors, so it cannot be used. Move the direct mapping one slot deeper and use the resulting gap for the LDT remap area. The resulting layout is the same for 4 and 5 level paging. [ tglx: Massaged changelog ] Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on") Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Reviewed-by: Andy Lutomirski Cc: bp@alien8.de Cc: hpa@zytor.com Cc: dave.hansen@linux.intel.com Cc: peterz@infradead.org Cc: boris.ostrovsky@oracle.com Cc: jgross@suse.com Cc: bhe@redhat.com Cc: willy@infradead.org Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20181026122856.66224-2-kirill.shutemov@linux.intel.com Signed-off-by: Sasha Levin commit 7818cf3d9aeab4374fa55f54a9da987381f807ff Author: YueHaibing Date: Thu Nov 8 02:04:57 2018 +0000 SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() [ Upstream commit 025911a5f4e36955498ed50806ad1b02f0f76288 ] There is no need to have the '__be32 *p' variable static since new value always be assigned before use it. Signed-off-by: YueHaibing Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 62b5dea3ac936be3c6b268dcce6fcdb3d906f164 Author: Guenter Roeck Date: Tue Nov 6 10:10:38 2018 -0800 Revert "scripts/setlocalversion: git: Make -dirty check more robust" [ Upstream commit 8ef14c2c41d962756d314f1d7dc972b0ea7a180f ] This reverts commit 6147b1cf19651c7de297e69108b141fb30aa2349. The reverted patch results in attempted write access to the source repository, even if that repository is mounted read-only. Output from "strace git status -uno --porcelain": getcwd("/tmp/linux-test", 129) = 16 open("/tmp/linux-test/.git/index.lock", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0666) = -1 EROFS (Read-only file system) While git appears to be able to handle this situation, a monitored build environment (such as the one used for Chrome OS kernel builds) may detect it and bail out with an access violation error. On top of that, the attempted write access suggests that git _will_ write to the file even if a build output directory is specified. Users may have the reasonable expectation that the source repository remains untouched in that situation. Fixes: 6147b1cf19651 ("scripts/setlocalversion: git: Make -dirty check more robust" Cc: Genki Sky Signed-off-by: Guenter Roeck Reviewed-by: Brian Norris Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 4d17f22eb16ed539f6162ea566e89acf6f44354a Author: Masahiro Yamada Date: Tue Nov 6 13:18:05 2018 +0900 kbuild: deb-pkg: fix too low build version number [ Upstream commit bbcde0a7241261cd0ca8d8e6b94a4113a4b71443 ] Since commit b41d920acff8 ("kbuild: deb-pkg: split generating packaging and build"), the build version of the kernel contained in a deb package is too low by 1. Prior to the bad commit, the kernel was built first, then the number in .version file was read out, and written into the debian control file. Now, the debian control file is created before the kernel is actually compiled, which is causing the version number mismatch. Let the mkdebian script pass KBUILD_BUILD_VERSION=${revision} to require the build system to use the specified version number. Fixes: b41d920acff8 ("kbuild: deb-pkg: split generating packaging and build") Reported-by: Doug Smythies Signed-off-by: Masahiro Yamada Tested-by: Doug Smythies Signed-off-by: Sasha Levin commit 30fc828c1e1d86a7e151d8a44ed66ed6e8c79016 Author: Dmitry Bogdanov Date: Fri Nov 9 11:54:01 2018 +0000 net: aquantia: invalid checksumm offload implementation [ Upstream commit ad703c2b9127f9acdef697ec4755f6da4beaa266 ] Packets with marked invalid IP/UDP/TCP checksums were considered as good by the driver. The error was in a logic, processing offload bits in RX descriptor. Signed-off-by: Igor Russkikh Signed-off-by: Dmitry Bogdanov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fb7c179f018110ee450d3a7f7bbb85863f2a4f0a Author: Igor Russkikh Date: Fri Nov 9 11:53:59 2018 +0000 net: aquantia: fixed enable unicast on 32 macvlan [ Upstream commit bfaa9f8553d5c20703781e63f4fc8cb4792f18fd ] Fixed a condition mistake due to which macvlans unicast item number 32 was not added in the unicast filter. The consequence is that when exactly 32 macvlans are created on NIC, the last created macvlan receives no traffic because its MAC was not registered in HW. Fixes: 94b3b542303f ("net: aquantia: vlan unicast address list correct handling") Signed-off-by: Igor Russkikh Tested-by: Nikita Danilov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0d70766b98307ca9e10a94e89043c3001fb5a10e Author: Dmitry Bogdanov Date: Fri Nov 9 11:53:57 2018 +0000 net: aquantia: fix potential IOMMU fault after driver unbind [ Upstream commit 7a1bb49461b12b2e6332a4d054256835f45203f3 ] IOMMU fault may occurr on unbind/bind or if_down/if_up sequence. Although driver disables the rings on down, this is not enough. Due to internal HW design, during subsequent initialization NIC sometimes may reuse RX descriptors cache and write to the host memory from the descriptor cache. That's get catched by IOMMU on host. This patch invalidates the descriptor cache in NIC on interface down to prevent writing to the cached descriptors and to the memory pointed in those descriptors. Signed-off-by: Dmitry Bogdanov Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 30d01cc8df84af5820117c6ae3cfeb2930d0d3e0 Author: Thor Thayer Date: Thu Nov 8 11:42:14 2018 -0600 net: stmmac: Fix RX packet size > 8191 [ Upstream commit 8137b6ef0ce469154e5cf19f8e7fe04d9a72ac5e ] Ping problems with packets > 8191 as shown: PING 192.168.1.99 (192.168.1.99) 8150(8178) bytes of data. 8158 bytes from 192.168.1.99: icmp_seq=1 ttl=64 time=0.669 ms wrong data byte 8144 should be 0xd0 but was 0x0 16 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f %< ---------------snip-------------------------------------- 8112 b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf 8144 0 0 0 0 d0 d1 ^^^^^^^ Notice the 4 bytes of 0 before the expected byte of d0. Databook notes that the RX buffer must be a multiple of 4/8/16 bytes [1]. Update the DMA Buffer size define to 8188 instead of 8192. Remove the -1 from the RX buffer size allocations and use the new DMA Buffer size directly. [1] Synopsys DesignWare Cores Ethernet MAC Universal v3.70a [section 8.4.2 - Table 8-24] Tested on SoCFPGA Stratix10 with ping sweep from 100 to 8300 byte packets. Fixes: 286a83721720 ("stmmac: add CHAINED descriptor mode support (V4)") Suggested-by: Jose Abreu Signed-off-by: Thor Thayer Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f791728ec30bf93b5331668d7e79342a85cf4539 Author: Sagiv Ozeri Date: Thu Nov 8 16:46:11 2018 +0200 qed: Fix potential memory corruption [ Upstream commit fa5c448d98f0df660bfcad3dd5facc027ef84cd3 ] A stuck ramrod should be deleted from the completion_pending list, otherwise it will be added again in the future and corrupt the list. Return error value to inform that ramrod is stuck and should be deleted. Signed-off-by: Sagiv Ozeri Signed-off-by: Denis Bolotin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b228e58a6f1f56a4cc2dd0dae4881fbc99f367cb Author: Denis Bolotin Date: Thu Nov 8 16:46:10 2018 +0200 qed: Fix SPQ entries not returned to pool in error flows [ Upstream commit fb5e7438e7a3c8966e04ccb0760170e9e06f3699 ] qed_sp_destroy_request() API was added for SPQ users that need to free/return the entry they acquired in their error flows. Signed-off-by: Denis Bolotin Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b2e5004e1e024e7f919bade2723c7c28fc3b56df Author: Denis Bolotin Date: Thu Nov 8 16:46:09 2018 +0200 qed: Fix blocking/unlimited SPQ entries leak [ Upstream commit 2632f22ebd08da249c2017962a199a0cfb2324bf ] When there are no SPQ entries left in the free_pool, new entries are allocated and are added to the unlimited list. When an entry in the pool is available, the content is copied from the original entry, and the new entry is sent to the device. qed_spq_post() is not aware of that, so the additional entry is stored in the original entry as p_post_ent, which can later be returned to the pool. Signed-off-by: Denis Bolotin Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 66473b0ac3afe9ccd4126424aa3054c95050dfdc Author: Denis Bolotin Date: Thu Nov 8 16:46:08 2018 +0200 qed: Fix memory/entry leak in qed_init_sp_request() [ Upstream commit 39477551df940ddb1339203817de04f5caaacf7a ] Free the allocated SPQ entry or return the acquired SPQ entry to the free list in error flows. Signed-off-by: Denis Bolotin Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1c87c27ac49f2f5b16015240f96507bfdbc3a61c Author: Jacob Keller Date: Mon Oct 29 10:52:42 2018 -0700 i40e: restore NETIF_F_GSO_IPXIP[46] to netdev features [ Upstream commit ba766b8b99c30ad3c55ed8cf224d1185ecff1476 ] Since commit bacd75cfac8a ("i40e/i40evf: Add capability exchange for outer checksum", 2017-04-06) the i40e driver has not reported support for IP-in-IP offloads. This likely occurred due to a bad rebase, as the commit extracts hw_enc_features into its own variable. As part of this change, it dropped the NETIF_F_FSO_IPXIP flags from the netdev->hw_enc_features. This was unfortunately not caught during code review. Fix this by adding back the missing feature flags. For reference, NETIF_F_GSO_IPXIP4 was added in commit 7e13318daa4a ("net: define gso types for IPx over IPv4 and IPv6", 2016-05-20), replacing NETIF_F_GSO_IPIP and NETIF_F_GSO_SIT. NETIF_F_GSO_IPXIP6 was added in commit bf2d1df39502 ("intel: Add support for IPv6 IP-in-IP offload", 2016-05-20). Signed-off-by: Jacob Keller Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 06f5a1f3ea90f21bb16bef83e56cf7d495137124 Author: Chinh T Cao Date: Mon Nov 5 12:18:35 2018 -0800 ice: Change req_speeds to be u16 [ Upstream commit ffe498237b36ee42624e139b21efa05da4ff1f48 ] Since the req_speeds field in struct ice_link_status is a u8, req_speeds & ICE_AQ_LINK_SPEED_40GB always returns 0. This was caught by a coverity scan. Fix this by changing req_speeds to be u16. Reported-by: Bruce Allan Signed-off-by: Chinh T Cao Signed-off-by: Anirudh Venkataramanan Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 86927afbe9138f8483b44b705585ddb70e407cb9 Author: Brett Creeley Date: Fri Oct 26 10:40:59 2018 -0700 ice: Fix the bytecount sent to netdev_tx_sent_queue [ Upstream commit d944b46992f8e99b6bdc721e44b02e5ca294fa2b ] Currently if the driver does a TSO offload the bytecount sent to netdev_tx_sent_queue will be incorrect. This is because in ice_tso we overwrite the initial value that we set in ice_tx_map. This creates a mismatch between the Tx and Tx clean flow. In the Tx clean flow we calculate the bytecount (called total_bytes) as we clean the descriptors so the value used in the Tx clean path is correct. Fix this by using += in ice_tso instead of =. This fixes the mismatch in bytecount mentioned above. Signed-off-by: Brett Creeley Signed-off-by: Anirudh Venkataramanan Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 9d977cd15a474ea55e5ee2965429c4bdffb3d9a5 Author: Akeem G Abodunrin Date: Fri Oct 26 10:40:52 2018 -0700 ice: Fix dead device link issue with flow control [ Upstream commit 0f5d4c21a50716f8bd4e220544b82dca7408d113 ] Setting Rx or Tx pause parameter currently results in link loss on the interface, requiring the platform/host to be cold power cycled. Fix it. Signed-off-by: Akeem G Abodunrin Signed-off-by: Anirudh Venkataramanan Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 7934a53924aaa79d326c3276dc61eb0b5bca7261 Author: Jiri Olsa Date: Sun Sep 23 17:04:20 2018 +0200 perf tools: Do not zero sample_id_all for group members [ Upstream commit 8e88c29b351ed4e09dd63f825f1c8260b0cb0ab3 ] Andi reported following malfunction: # perf record -e '{ref-cycles,cycles}:S' -a sleep 1 # perf script non matching sample_id_all That's because we disable sample_id_all bit for non-sampling group members. We can't do that, because it needs to be the same over the whole event list. This patch keeps it untouched again. Reported-by: Andi Kleen Tested-by: Andi Kleen Signed-off-by: Jiri Olsa Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/20180923150420.27327-1-jolsa@kernel.org Fixes: e9add8bac6c6 ("perf evsel: Disable write_backward for leader sampling group events") Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1d6ab5f595b0da3a6f3cc2966e6081b66410b6b4 Author: Gustavo Romero Date: Thu Nov 1 20:13:21 2018 -0400 perf tools: Fix undefined symbol scnprintf in libperf-jvmti.so [ Upstream commit 6ac2226229d931153331a93d90655a3de05b9290 ] Currently jvmti agent can not be used because function scnprintf is not present in the agent libperf-jvmti.so. As a result the JVM when using such agent to record JITed code profiling information will fail on looking up scnprintf: java: symbol lookup error: lib/libperf-jvmti.so: undefined symbol: scnprintf This commit fixes that by reverting to the use of snprintf, that can be looked up, instead of scnprintf, adding a proper check for the returned value in order to print a better error message when the jitdump file pathname is too long. Checking the returned value also helps to comply with some recent gcc versions, like gcc8, which will fail due to truncated writing checks related to the -Werror=format-truncation= flag. Signed-off-by: Gustavo Romero Acked-by: Jiri Olsa LPU-Reference: 1541117601-18937-2-git-send-email-gromero@linux.vnet.ibm.com Link: https://lkml.kernel.org/n/tip-mvpxxxy7wnzaj74cq75muw3f@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit b1e814e4826635211cb020b767d374f01ba1679b Author: Valentin Schneider Date: Tue Oct 23 14:37:31 2018 +0100 sched/core: Take the hotplug lock in sched_init_smp() [ Upstream commit 40fa3780bac2b654edf23f6b13f4e2dd550aea10 ] When running on linux-next (8c60c36d0b8c ("Add linux-next specific files for 20181019")) + CONFIG_PROVE_LOCKING=y on a big.LITTLE system (e.g. Juno or HiKey960), we get the following report: [ 0.748225] Call trace: [ 0.750685] lockdep_assert_cpus_held+0x30/0x40 [ 0.755236] static_key_enable_cpuslocked+0x20/0xc8 [ 0.760137] build_sched_domains+0x1034/0x1108 [ 0.764601] sched_init_domains+0x68/0x90 [ 0.768628] sched_init_smp+0x30/0x80 [ 0.772309] kernel_init_freeable+0x278/0x51c [ 0.776685] kernel_init+0x10/0x108 [ 0.780190] ret_from_fork+0x10/0x18 The static_key in question is 'sched_asym_cpucapacity' introduced by commit: df054e8445a4 ("sched/topology: Add static_key for asymmetric CPU capacity optimizations") In this particular case, we enable it because smp_prepare_cpus() will end up fetching the capacity-dmips-mhz entry from the devicetree, so we already have some asymmetry detected when entering sched_init_smp(). This didn't get detected in tip/sched/core because we were missing: commit cb538267ea1e ("jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked() operations") Calls to build_sched_domains() post sched_init_smp() will hold the hotplug lock, it just so happens that this very first call is a special case. As stated by a comment in sched_init_smp(), "There's no userspace yet to cause hotplug operations" so this is a harmless warning. However, to both respect the semantics of underlying callees and make lockdep happy, take the hotplug lock in sched_init_smp(). This also satisfies the comment atop sched_init_domains() that says "Callers must hold the hotplug lock". Reported-by: Sudeep Holla Tested-by: Sudeep Holla Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Cc: Dietmar.Eggemann@arm.com Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: morten.rasmussen@arm.com Cc: quentin.perret@arm.com Link: http://lkml.kernel.org/r/1540301851-3048-1-git-send-email-valentin.schneider@arm.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 1fac2f4f2faed9524d420f74c205f2fb65c72349 Author: Stephen Boyd Date: Fri Nov 2 13:57:32 2018 -0700 i2c: qcom-geni: Fix runtime PM mismatch with child devices [ Upstream commit 848bd3f3de9d44950c00eda6c115e8e9785440da ] We need to enable runtime PM on this i2c controller before populating child devices with i2c_add_adapter(). Otherwise, if a child device uses runtime PM and stays runtime PM enabled we'll get the following warning at boot. Enabling runtime PM for inactive device (a98000.i2c) with active children [...] Call trace: pm_runtime_enable+0xd8/0xf8 geni_i2c_probe+0x440/0x460 platform_drv_probe+0x74/0xc8 [...] Let's move the runtime PM enabling and setup to before we add the adapter, so that this device can respond to runtime PM requests from children. Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller") Signed-off-by: Stephen Boyd Reviewed-by: Douglas Anderson Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 7d5019ed49df80cc43f4bdd4edfe600160b709ee Author: Vignesh R Date: Fri Nov 9 16:44:11 2018 +0530 i2c: omap: Enable for ARCH_K3 [ Upstream commit 5b277402deac0691226a947df71c581686bd4020 ] Allow I2C_OMAP to be built for K3 platforms. Signed-off-by: Vignesh R Reviewed-by: Grygorii Strashko Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit fa4712942d8ee992af92aee78d6c07c6c5cbfb42 Author: Sagi Grimberg Date: Fri Nov 2 11:22:13 2018 -0700 nvme: make sure ns head inherits underlying device limits [ Upstream commit 8f676b8508c250bbe255096522fdefb73f1ea0b9 ] Whenever we update ns_head info, we need to make sure it is still compatible with all underlying backing devices because although nvme multipath doesn't have any explicit use of these limits, other devices can still be stacked on top of it which may rely on the underlying limits. Start with unlimited stacking limits, and every info update iterate over siblings and adjust queue limits. Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 05e25696bd5fe64fc26ef7e9177a69819404b801 Author: Robin Murphy Date: Wed Nov 7 16:30:32 2018 +0000 of/device: Really only set bus DMA mask when appropriate [ Upstream commit 6778be4e520959659b27a441c06a84c9cb009085 ] of_dma_configure() was *supposed* to be following the same logic as acpi_dma_configure() and only setting bus_dma_mask if some range was specified by the firmware. However, it seems that subtlety got lost in the process of fitting it into the differently-shaped control flow, and as a result the force_dma==true case ends up always setting the bus mask to the 32-bit default, which is not what anyone wants. Make sure we only touch it if the DT actually said so. Fixes: 6c2fb2ea7636 ("of/device: Set bus DMA mask as appropriate") Reported-by: Aaro Koskinen Reported-by: Jean-Philippe Brucker Tested-by: Aaro Koskinen Tested-by: John Stultz Tested-by: Geert Uytterhoeven Tested-by: Robert Richter Signed-off-by: Robin Murphy Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 956d9dd3a7eb3fdf19e068150e675af5afff5b7b Author: Luis Henriques Date: Mon Nov 5 19:00:52 2018 +0000 ceph: quota: fix null pointer dereference in quota check [ Upstream commit 71f2cc64d027d712f29bf8d09d3e123302d5f245 ] This patch fixes a possible null pointer dereference in check_quota_exceeded, detected by the static checker smatch, with the following warning:    fs/ceph/quota.c:240 check_quota_exceeded()     error: we previously assumed 'realm' could be null (see line 188) Fixes: b7a2921765cf ("ceph: quota: support for ceph.quota.max_files") Reported-by: Dan Carpenter Signed-off-by: Luis Henriques Reviewed-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit 990746203150ef965ecb649c9206bf023c63f781 Author: Thomas Richter Date: Mon Oct 29 08:11:33 2018 +0000 s390/perf: Change CPUM_CF return code in event init function [ Upstream commit 0bb2ae1b26e1fb7543ec7474cdd374ac4b88c4da ] The function perf_init_event() creates a new event and assignes it to a PMU. This a done in a loop over all existing PMUs. For each listed PMU the event init function is called and if this function does return any other error than -ENOENT, the loop is terminated the creation of the event fails. If the event is invalid, return -ENOENT to try other PMUs. Signed-off-by: Thomas Richter Reviewed-by: Hendrik Brueckner Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit ea1de530903dee6bfe815f1b82b3fde156c11e1d Author: Lyude Paul Date: Thu Nov 1 21:51:49 2018 -0400 drm/amd/amdgpu/dm: Fix dm_dp_create_fake_mst_encoder() [ Upstream commit 63237f8748bdf46dccf79ef8f98f05e9fe799162 ] [why] Removing connector reusage from DM to match the rest of the tree ended up revealing an issue that was surprisingly subtle. The original amdgpu code for DC that was submitted appears to have left a chunk in dm_dp_create_fake_mst_encoder() that tries to find a "master encoder", the likes of which isn't actually used or stored anywhere. It does so at the wrong time as well by trying to access parts of the drm_connector from the encoder init before it's actually been initialized. This results in a NULL pointer deref on MST hotplugs: [ 160.696613] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 [ 160.697234] PGD 0 P4D 0 [ 160.697814] Oops: 0010 [#1] SMP PTI [ 160.698430] CPU: 2 PID: 64 Comm: kworker/2:1 Kdump: loaded Tainted: G O 4.19.0Lyude-Test+ #2 [ 160.699020] Hardware name: HP HP ZBook 15 G4/8275, BIOS P70 Ver. 01.22 05/17/2018 [ 160.699672] Workqueue: events_long drm_dp_mst_link_probe_work [drm_kms_helper] [ 160.700322] RIP: 0010: (null) [ 160.700920] Code: Bad RIP value. [ 160.701541] RSP: 0018:ffffc9000029fc78 EFLAGS: 00010206 [ 160.702183] RAX: 0000000000000000 RBX: ffff8804440ed468 RCX: ffff8804440e9158 [ 160.702778] RDX: 0000000000000000 RSI: ffff8804556c5700 RDI: ffff8804440ed000 [ 160.703408] RBP: ffff880458e21800 R08: 0000000000000002 R09: 000000005fca0a25 [ 160.704002] R10: ffff88045a077a3d R11: ffff88045a077a3c R12: ffff8804440ed000 [ 160.704614] R13: ffff880458e21800 R14: ffff8804440e9000 R15: ffff8804440e9000 [ 160.705260] FS: 0000000000000000(0000) GS:ffff88045f280000(0000) knlGS:0000000000000000 [ 160.705854] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.706478] CR2: ffffffffffffffd6 CR3: 000000000200a001 CR4: 00000000003606e0 [ 160.707124] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.707724] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.708372] Call Trace: [ 160.708998] ? dm_dp_add_mst_connector+0xed/0x1d0 [amdgpu] [ 160.709625] ? drm_dp_add_port+0x2fa/0x470 [drm_kms_helper] [ 160.710284] ? wake_up_q+0x54/0x70 [ 160.710877] ? __mutex_unlock_slowpath.isra.18+0xb3/0x110 [ 160.711512] ? drm_dp_dpcd_access+0xe7/0x110 [drm_kms_helper] [ 160.712161] ? drm_dp_send_link_address+0x155/0x1e0 [drm_kms_helper] [ 160.712762] ? drm_dp_check_and_send_link_address+0xa3/0xd0 [drm_kms_helper] [ 160.713408] ? drm_dp_mst_link_probe_work+0x4b/0x80 [drm_kms_helper] [ 160.714013] ? process_one_work+0x1a1/0x3a0 [ 160.714667] ? worker_thread+0x30/0x380 [ 160.715326] ? wq_update_unbound_numa+0x10/0x10 [ 160.715939] ? kthread+0x112/0x130 [ 160.716591] ? kthread_create_worker_on_cpu+0x70/0x70 [ 160.717262] ? ret_from_fork+0x35/0x40 [ 160.717886] Modules linked in: amdgpu(O) vfat fat snd_hda_codec_generic joydev i915 chash gpu_sched ttm i2c_algo_bit drm_kms_helper snd_hda_codec_hdmi hp_wmi syscopyarea iTCO_wdt sysfillrect sparse_keymap sysimgblt fb_sys_fops snd_hda_intel usbhid wmi_bmof drm snd_hda_codec btusb snd_hda_core intel_rapl btrtl x86_pkg_temp_thermal btbcm btintel coretemp snd_pcm crc32_pclmul bluetooth psmouse snd_timer snd pcspkr i2c_i801 mei_me i2c_core soundcore mei tpm_tis wmi tpm_tis_core hp_accel ecdh_generic lis3lv02d tpm video rfkill acpi_pad input_polldev hp_wireless pcc_cpufreq crc32c_intel serio_raw tg3 xhci_pci xhci_hcd [last unloaded: amdgpu] [ 160.720141] CR2: 0000000000000000 Somehow the connector reusage DM was using for MST connectors managed to paper over this issue entirely; hence why this was never caught until now. [how] Since this code isn't used anywhere and seems useless anyway, we can just drop it entirely. This appears to fix the issue on my HP ZBook with an AMD WX4150. Signed-off-by: Lyude Paul Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit b3db5d74b933a39267004bcb4c6bc619b9c96d3d Author: Jerry (Fangzhi) Zuo Date: Tue Oct 30 14:37:16 2018 -0400 drm/amd/display: Drop reusing drm connector for MST [ Upstream commit 0e6613e46fed29316f33acf86e1d1568288638b5 ] [why] It is not safe to keep existing connector while entire topology has been removed. Could lead potential impact to uapi. Entirely unregister all the connectors on the topology, and use a new set of connectors when the topology is plugged back on. [How] Remove the drm connector entirely each time when the corresponding MST topology is gone. When hotunplug a connector (e.g., DP2) 1. Remove connector from userspace. 2. Drop it's reference. When hotplug back on: 1. Detect new topology, and create new connectors. 2. Notify userspace with sysfs hotplug event. 3. Reprobe new connectors, and reassign CRTC from old (e.g., DP2) to new (e.g., DP3) connector. Signed-off-by: Jerry (Fangzhi) Zuo Reviewed-by: Harry Wentland Reviewed-by: Lyude Paul Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a4da95ea101b2741488c6d84d3ce6e3d0cdffd62 Author: Keith Busch Date: Wed Nov 7 07:37:45 2018 -0700 block: Clear kernel memory before copying to user [ Upstream commit f3587d76da05f68098ddb1cb3c98cc6a9e8a402c ] If the kernel allocates a bounce buffer for user read data, this memory needs to be cleared before copying it to the user, otherwise it may leak kernel memory to user space. Laurence Oberman Signed-off-by: Keith Busch Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b352afaac108d9d6c10cd1d9cd6155b83b779b65 Author: Harry Wentland Date: Sun Oct 7 10:01:23 2018 -0400 drm/amd/display: Stop leaking planes [ Upstream commit 02680efbb10be0d2c867fe722ae23d588f6bebef ] [Why] drm_plane_cleanup does not free the plane. [How] Call drm_primary_helper_destroy which will also free the plane. Signed-off-by: Harry Wentland Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 365b1b122406ca26331fc48ab53dfbf5a9b0889c Author: Jeremy Linton Date: Mon Nov 5 18:14:41 2018 -0600 lib/raid6: Fix arm64 test build [ Upstream commit 313a06e636808387822af24c507cba92703568b1 ] The lib/raid6/test fails to build the neon objects on arm64 because the correct machine type is 'aarch64'. Once this is correctly enabled, the neon recovery objects need to be added to the build. Reviewed-by: Ard Biesheuvel Signed-off-by: Jeremy Linton Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 238ab6deba302a1b9b083dbb1c456187105c4ddd Author: Boris Brezillon Date: Tue Nov 6 17:25:37 2018 +0100 mtd: nand: Fix nanddev_pos_next_page() kernel-doc header [ Upstream commit 98ee3fc7ef8395f8b7a379e6608aee91efc66d48 ] Function name is wrong in the kernel-doc header. Fixes: 9c3736a3de21 ("mtd: nand: Add core infrastructure to deal with NAND devices") Signed-off-by: Boris Brezillon Reviewed-by: Miquel Raynal Signed-off-by: Sasha Levin commit 20f020fd089395de918a3e6d4a4c141c25b9a6df Author: Ricardo Ribalda Delgado Date: Thu Nov 1 14:15:49 2018 +0100 clk: fixed-factor: fix of_node_get-put imbalance [ Upstream commit f98e8a572bddbf27032114127d2fcc78fa5e6a9d ] When the fixed factor clock is created by devicetree, of_clk_add_provider is called. Add a call to of_clk_del_provider in the remove function to balance it out. Reported-by: Alan Tull Fixes: 971451b3b15d ("clk: fixed-factor: Convert into a module platform driver") Signed-off-by: Ricardo Ribalda Delgado Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit dd9392292e5b769ae8496b6df6eb20668dd91827 Author: Liam Merwick Date: Fri Nov 2 14:04:23 2018 +0000 xen/grant-table: Fix incorrect gnttab_dma_free_pages() pr_debug message [ Upstream commit d9cccfa7c4d1d9ef967ec9308df7304a18609b30 ] If a call to xenmem_reservation_increase() in gnttab_dma_free_pages() fails it triggers a message "Failed to decrease reservation..." which should be "Failed to increase reservation..." Fixes: 9bdc7304f536 ('xen/grant-table: Allow allocating buffers suitable for DMA') Reported-by: Ross Philipson Signed-off-by: Liam Merwick Reviewed-by: Mark Kanda Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 71076a71d81b49404a20307da699bfc719625f58 Author: Sergei Shtylyov Date: Thu Oct 18 19:48:53 2018 +0300 arm64: dts: renesas: condor: switch from EtherAVB to GEther [ Upstream commit eab53fdfd60a84b0cc514d4f1f5d79226c76df01 ] The "official" Condor boards have always been wired to mount NFS via GEther, not EtherAVB -- the boards resoldered for EtherAVB were local to Cogent Embedded, so we've been having an unpleasant situation where a "normal" Condor board still can't mount NFS (unless an EtherAVB PHY extension board is plugged in). Switch from EtherAVB to GEther at last! Fixes: 8091788f3d38 ("arm64: dts: renesas: condor: add EtherAVB support") Signed-off-by: Sergei Shtylyov Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 9edc40fd786aa99d72095b848ea4fdd0050dc807 Author: Kuninori Morimoto Date: Fri Sep 28 02:38:36 2018 +0000 arm64: dts: renesas: r8a7795: add missing dma-names on hscif2 [ Upstream commit aab7a2414ba0d5c3d0571a90031b535adba7146a ] hscif2 has 4 dmas, but has only 2 dma-names. This patch add missing dma-names. Signed-off-by: Kuninori Morimoto Reviewed-by: Geert Uytterhoeven Fixes: e0f0bda79337701a ("arm64: dts: renesas: r8a7795: sort subnodes of the soc node") Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 91611ad1bf69ec46d6c61f27eccb44064c28c45c Author: Inki Dae Date: Fri Oct 5 11:50:20 2018 +0900 Revert "drm/exynos/decon5433: implement frame counter" [ Upstream commit 6ca469e22a30992b4478d2ab88737c70667c1e00 ] This reverts commit 0586feba322e1de05075700eb4b835c8b683e62b This patch makes it to need get_vblank_counter callback in crtc to get frame counter from decon driver. However, drm_dev->max_vblank_count is a member unique to vendor's DRM driver but in case of ARM DRM, some CRTC devices don't provide the frame counter value. As a result, this patch made extension and clone mode not working. Instead of this patch, we may need separated max_vblank_count which belongs to each CRTC device, or need to implement frame counter emulation for them who don't support HW frame counter. Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit 3190aa80827d497eb1700ef75c28b6be5cc991ea Author: Rob Herring Date: Tue Oct 30 20:02:30 2018 -0500 ARM: dts: fsl: Fix improperly quoted stdout-path values [ Upstream commit 1af6ab3bac8458fc2e92ad7bb97b62de4a1fddef ] A quoted label reference doesn't expand to the node path and is taken as a literal string. Dropping the quotes can fix this unless the baudrate string is appended in which case we have to use the alias. At least on VF610, the problem was masked by setting the console in bootargs. Use the alias syntax with baudrate parameter so we can drop setting the console in bootargs. Cc: Shawn Guo Cc: Sascha Hauer Cc: Pengutronix Kernel Team Cc: NXP Linux Team Cc: Mark Rutland Reviewed-by: Fabio Estevam Reviewed-by: Stefan Agner Signed-off-by: Rob Herring Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 22ef72a086d56a56ecb44a5c04994bc71d1afd25 Author: Oleksij Rempel Date: Thu Oct 18 13:26:13 2018 +0200 ARM: dts: imx6sll: fix typo for fsl,imx6sll-i2c node [ Upstream commit 438ad09af5581b7024850b5dbb6353c7f2f7d8a9 ] Fix the type of compatible string "fs,imx6sll-i2c" which should be "fsl,imx6sll-i2c". Signed-off-by: Oleksij Rempel Acked-by: Uwe Kleine-König Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 1ea367bb99a0a31183bcf155974a33f6798dff13 Author: Geert Uytterhoeven Date: Sun Oct 28 18:16:51 2018 +0100 hwmon: (ibmpowernv) Remove bogus __init annotations [ Upstream commit e3e61f01d755188cb6c2dcf5a244b9c0937c258e ] If gcc decides not to inline make_sensor_label(): WARNING: vmlinux.o(.text+0x4df549c): Section mismatch in reference from the function .create_device_attrs() to the function .init.text:.make_sensor_label() The function .create_device_attrs() references the function __init .make_sensor_label(). This is often because .create_device_attrs lacks a __init annotation or the annotation of .make_sensor_label is wrong. As .probe() can be called after freeing of __init memory, all __init annotiations in the driver are bogus, and should be removed. Signed-off-by: Geert Uytterhoeven Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit c981726f16aab432e48cfcf7d72c26b31b50c516 Author: Yunsheng Lin Date: Fri Nov 2 17:47:48 2018 +0800 net: hns3: Fix for out-of-bounds access when setting pfc back pressure [ Upstream commit e8ccbb7d2f53c62e14b889faaa3f6f809b657278 ] The vport should be initialized to hdev->vport for each bp group, otherwise it will cause out-of-bounds access and bp setting not correct problem. [ 35.254124] BUG: KASAN: slab-out-of-bounds in hclge_pause_setup_hw+0x2a0/0x3f8 [hclge] [ 35.254126] Read of size 2 at addr ffff803b6651581a by task kworker/0:1/14 [ 35.254132] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.0-rc7-hulk+ #85 [ 35.254133] Hardware name: Huawei D06/D06, BIOS Hisilicon D06 UEFI RC0 - B052 (V0.52) 09/14/2018 [ 35.254141] Workqueue: events work_for_cpu_fn [ 35.254144] Call trace: [ 35.254147] dump_backtrace+0x0/0x2f0 [ 35.254149] show_stack+0x24/0x30 [ 35.254154] dump_stack+0x110/0x184 [ 35.254157] print_address_description+0x168/0x2b0 [ 35.254160] kasan_report+0x184/0x310 [ 35.254162] __asan_load2+0x7c/0xa0 [ 35.254170] hclge_pause_setup_hw+0x2a0/0x3f8 [hclge] [ 35.254177] hclge_tm_init_hw+0x794/0x9f0 [hclge] [ 35.254184] hclge_tm_schd_init+0x48/0x58 [hclge] [ 35.254191] hclge_init_ae_dev+0x778/0x1168 [hclge] [ 35.254196] hnae3_register_ae_dev+0x14c/0x298 [hnae3] [ 35.254206] hns3_probe+0x88/0xa8 [hns3] [ 35.254210] local_pci_probe+0x7c/0xf0 [ 35.254212] work_for_cpu_fn+0x34/0x50 [ 35.254214] process_one_work+0x4d4/0xa38 [ 35.254216] worker_thread+0x55c/0x8d8 [ 35.254219] kthread+0x1b0/0x1b8 [ 35.254222] ret_from_fork+0x10/0x1c [ 35.254224] The buggy address belongs to the page: [ 35.254228] page:ffff7e00ed994400 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0 [ 35.273835] flags: 0xfffff8000008000(head) [ 35.282007] raw: 0fffff8000008000 dead000000000100 dead000000000200 0000000000000000 [ 35.282010] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 35.282012] page dumped because: kasan: bad access detected [ 35.282014] Memory state around the buggy address: [ 35.282017] ffff803b66515700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 35.282019] ffff803b66515780: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 35.282021] >ffff803b66515800: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 35.282022] ^ [ 35.282024] ffff803b66515880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 35.282026] ffff803b66515900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 35.282028] ================================================================== [ 35.282029] Disabling lock debugging due to kernel taint [ 35.282747] hclge driver initialization finished. Fixes: 67bf2541f4b9 ("net: hns3: Fixes the back pressure setting when sriov is enabled") Signed-off-by: Yunsheng Lin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 99b9de47a8b64d534582d26c80f4220e6189df60 Author: Julian Wiedmann Date: Fri Nov 2 19:04:10 2018 +0100 s390/qeth: unregister netdevice only when registered [ Upstream commit 30356d08159d7899438e94503ae322a8b881e205 ] qeth only registers its netdevice when the qeth device is first set online. Thus a device that has never been set online will trigger a WARN ("network todo 'hsi%d' but state 0") in unregister_netdev() when removed. Fix this by protecting the unregister step, just like we already protect against repeated registering of the netdevice. Fixes: d3d1b205e89f ("s390/qeth: allocate netdevice early") Reported-by: Karsten Graul Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d005b563ae0cef9712077ba4407d771c75bd4194 Author: Julian Wiedmann Date: Fri Nov 2 19:04:09 2018 +0100 s390/qeth: fix HiperSockets sniffer [ Upstream commit bd74a7f9cc033cf4d405788f80292268987dc0c5 ] Sniffing mode for L3 HiperSockets requires that no IP addresses are registered with the HW. The preferred way to achieve this is for userspace to delete all the IPs on the interface. But qeth is expected to also tolerate a configuration where that is not the case, by skipping the IP registration when in sniffer mode. Since commit 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback") reworked the IP registration logic in the L3 subdriver, this no longer works. When the qeth device is set online, qeth_l3_recover_ip() now unconditionally registers all unicast addresses from our internal IP table. While we could fix this particular problem by skipping qeth_l3_recover_ip() on a sniffer device, the more future-proof change is to skip the IP address registration at the lowest level. This way we a) catch any future code path that attempts to register an IP address without considering the sniffer scenario, and b) continue to build up our internal IP table, so that if sniffer mode is switched off later we can operate just like normal. Fixes: 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1cf11e7ca034919f242a855b1a52c018b3cba911 Author: Florian Westphal Date: Fri Nov 2 11:33:37 2018 +0100 netfilter: nft_compat: ebtables 'nat' table is normal chain type [ Upstream commit e4844c9c62a0fe47980d6c3d4b7a096a5d755925 ] Unlike ip(6)tables, the ebtables nat table has no special properties. This bug causes 'ebtables -A' to fail when using a target such as 'snat' (ebt_snat target sets ".table = "nat"'). Targets that have no table restrictions work fine. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 2f6bf7917f55f9dae913193e49672b3598620eab Author: Jozsef Kadlecsik Date: Tue Oct 30 22:43:42 2018 +0100 netfilter: ipset: Fix calling ip_set() macro at dumping [ Upstream commit 8a02bdd50b2ecb6d62121d2958d3ea186cc88ce7 ] The ip_set() macro is called when either ip_set_ref_lock held only or no lock/nfnl mutex is held at dumping. Take this into account properly. Also, use Pablo's suggestion to use rcu_dereference_raw(), the ref_netlink protects the set. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e8b258ce87ff84ee967aad80095bc85dcc9db077 Author: Taehee Yoo Date: Sun Oct 21 00:00:08 2018 +0900 netfilter: xt_IDLETIMER: add sysfs filename checking routine [ Upstream commit 54451f60c8fa061af9051a53be9786393947367c ] When IDLETIMER rule is added, sysfs file is created under /sys/class/xt_idletimer/timers/ But some label name shouldn't be used. ".", "..", "power", "uevent", "subsystem", etc... So that sysfs filename checking routine is needed. test commands: %iptables -I INPUT -j IDLETIMER --timeout 1 --label "power" splat looks like: [95765.423132] sysfs: cannot create duplicate filename '/devices/virtual/xt_idletimer/timers/power' [95765.433418] CPU: 0 PID: 8446 Comm: iptables Not tainted 4.19.0-rc6+ #20 [95765.449755] Call Trace: [95765.449755] dump_stack+0xc9/0x16b [95765.449755] ? show_regs_print_info+0x5/0x5 [95765.449755] sysfs_warn_dup+0x74/0x90 [95765.449755] sysfs_add_file_mode_ns+0x352/0x500 [95765.449755] sysfs_create_file_ns+0x179/0x270 [95765.449755] ? sysfs_add_file_mode_ns+0x500/0x500 [95765.449755] ? idletimer_tg_checkentry+0x3e5/0xb1b [xt_IDLETIMER] [95765.449755] ? rcu_read_lock_sched_held+0x114/0x130 [95765.449755] ? __kmalloc_track_caller+0x211/0x2b0 [95765.449755] ? memcpy+0x34/0x50 [95765.449755] idletimer_tg_checkentry+0x4e2/0xb1b [xt_IDLETIMER] [ ... ] Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation") Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e395c9d2d9c3d4986b2d79e23efb0d2a7b14e465 Author: Jozsef Kadlecsik Date: Fri Oct 19 19:35:19 2018 +0200 netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() [ Upstream commit 17b8b74c0f8dbf9b9e3301f9ca5b65dd1c079951 ] The function is called when rcu_read_lock() is held and not when rcu_read_lock_bh() is held. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 1a7ccf42cb03cd9976134eea111cfc5168a0ea31 Author: Daniel Borkmann Date: Fri Nov 2 11:35:46 2018 +0100 bpf: fix bpf_prog_get_info_by_fd to return 0 func_lens for unpriv [ Upstream commit 28c2fae726bf5003cd209b0d5910a642af98316f ] While dbecd7388476 ("bpf: get kernel symbol addresses via syscall") zeroed info.nr_jited_ksyms in bpf_prog_get_info_by_fd() for queries from unprivileged users, commit 815581c11cc2 ("bpf: get JITed image lengths of functions via syscall") forgot about doing so and therefore returns the #elems of the user set up buffer which is incorrect. It also needs to indicate a info.nr_jited_func_lens of zero. Fixes: 815581c11cc2 ("bpf: get JITed image lengths of functions via syscall") Signed-off-by: Daniel Borkmann Cc: Sandipan Das Cc: Song Liu Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 5e4ad7cec8f81ce022d51e6e2d4059d45cc3ac12 Author: Justin M. Forbes Date: Wed Oct 31 13:02:03 2018 -0500 s390/mm: Fix ERROR: "__node_distance" undefined! [ Upstream commit a541f0ebcc08ed8bc0cc492eec9a86cb280a9f24 ] Fixes: ERROR: "__node_distance" [drivers/nvme/host/nvme-core.ko] undefined! make[1]: *** [scripts/Makefile.modpost:92: __modpost] Error 1 make: *** [Makefile:1275: modules] Error 2 + exit 1 Signed-off-by: Justin M. Forbes Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 4136161d676a93fc8df6bdb80d720c15522d6c24 Author: Martin Schwidefsky Date: Mon Oct 15 11:09:16 2018 +0200 s390/mm: fix mis-accounting of pgtable_bytes [ Upstream commit e12e4044aede97974f2222eb7f0ed726a5179a32 ] In case a fork or a clone system fails in copy_process and the error handling does the mmput() at the bad_fork_cleanup_mm label, the following warning messages will appear on the console: BUG: non-zero pgtables_bytes on freeing mm: 16384 The reason for that is the tricks we play with mm_inc_nr_puds() and mm_inc_nr_pmds() in init_new_context(). A normal 64-bit process has 3 levels of page table, the p4d level and the pud level are folded. On process termination the free_pud_range() function in mm/memory.c will subtract 16KB from pgtable_bytes with a mm_dec_nr_puds() call, but there actually is not really a pud table. One issue with this is the fact that pgtable_bytes is usually off by a few kilobytes, but the more severe problem is that for a failed fork or clone the free_pgtables() function is not called. In this case there is no mm_dec_nr_puds() or mm_dec_nr_pmds() that go together with the mm_inc_nr_puds() and mm_inc_nr_pmds in init_new_context(). The pgtable_bytes will be off by 16384 or 32768 bytes and we get the BUG message. The message itself is purely cosmetic, but annoying. To fix this override the mm_pmd_folded, mm_pud_folded and mm_p4d_folded function to check for the true size of the address space. Reported-by: Li Wang Tested-by: Li Wang Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 97fdf29f7d537826b1174bcbc04a14938c8fae5f Author: Andrey Ryabinin Date: Mon Oct 22 23:30:40 2018 +0200 netfilter: ipset: fix ip_set_list allocation failure [ Upstream commit ed956f3947a01ff9875cd908d7c1ef1fe7f47bf0 ] ip_set_create() and ip_set_net_init() attempt to allocate physically contiguous memory for ip_set_list. If memory is fragmented, the allocations could easily fail: vzctl: page allocation failure: order:7, mode:0xc0d0 Call Trace: dump_stack+0x19/0x1b warn_alloc_failed+0x110/0x180 __alloc_pages_nodemask+0x7bf/0xc60 alloc_pages_current+0x98/0x110 kmalloc_order+0x18/0x40 kmalloc_order_trace+0x26/0xa0 __kmalloc+0x279/0x290 ip_set_net_init+0x4b/0x90 [ip_set] ops_init+0x3b/0xb0 setup_net+0xbb/0x170 copy_net_ns+0xf1/0x1c0 create_new_namespaces+0xf9/0x180 copy_namespaces+0x8e/0xd0 copy_process+0xb61/0x1a00 do_fork+0x91/0x320 Use kvcalloc() to fallback to 0-order allocations if high order page isn't available. Signed-off-by: Andrey Ryabinin Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit cb3e590df429ce151d5041884a4947099b8ad6a7 Author: Eric Westbrook Date: Tue Aug 28 15:14:42 2018 -0600 netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net [ Upstream commit 886503f34d63e681662057448819edb5b1057a97 ] Allow /0 as advertised for hash:net,port,net sets. For "hash:net,port,net", ipset(8) says that "either subnet is permitted to be a /0 should you wish to match port between all destinations." Make that statement true. Before: # ipset create cidrzero hash:net,port,net # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0 ipset v6.34: The value of the CIDR parameter of the IP address is invalid # ipset create cidrzero6 hash:net,port,net family inet6 # ipset add cidrzero6 ::/0,12345,::/0 ipset v6.34: The value of the CIDR parameter of the IP address is invalid After: # ipset create cidrzero hash:net,port,net # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0 # ipset test cidrzero 192.168.205.129,12345,172.16.205.129 192.168.205.129,tcp:12345,172.16.205.129 is in set cidrzero. # ipset create cidrzero6 hash:net,port,net family inet6 # ipset add cidrzero6 ::/0,12345,::/0 # ipset test cidrzero6 fe80::1,12345,ff00::1 fe80::1,tcp:12345,ff00::1 is in set cidrzero6. See also: https://bugzilla.kernel.org/show_bug.cgi?id=200897 https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c Signed-off-by: Eric Westbrook Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit c75116e66ed3a000798d5a702349446153a0348f Author: Stefano Brivio Date: Sat Jul 14 21:59:43 2018 +0200 netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace [ Upstream commit 439cd39ea136d2c026805264d58a91f36b6b64ca ] Commit 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel") postponed decreasing set reference counters to the RCU callback. An 'ipset del' command can terminate before the RCU grace period is elapsed, and if sets are listed before then, the reference counter shown in userspace will be wrong: # ipset create h hash:ip; ipset create l list:set; ipset add l # ipset del l h; ipset list h Name: h Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 88 References: 1 Number of entries: 0 Members: # sleep 1; ipset list h Name: h Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 88 References: 0 Number of entries: 0 Members: Fix this by making the reference count update synchronous again. As a result, when sets are listed, ip_set_name_byindex() might now fetch a set whose reference count is already zero. Instead of relying on the reference count to protect against concurrent set renaming, grab ip_set_ref_lock as reader and copy the name, while holding the same lock in ip_set_rename() as writer instead. Reported-by: Li Shuang Fixes: 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel") Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit fecf70b13557328cbda7555633377e88ef8a62b6 Author: Pablo Neira Ayuso Date: Fri Oct 26 11:14:28 2018 +0200 Revert "netfilter: nft_numgen: add map lookups for numgen random operations" [ Upstream commit 4269fea768a11a447d8de620ce420f2214d4685c ] Laura found a better way to do this from userspace without requiring kernel infrastructure, revert this. Fixes: 978d8f9055c3 ("netfilter: nft_numgen: add map lookups for numgen random operations") Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 67b261d76df33d8f6f84754db0078cd9be7b3e34 Author: Benjamin Tissoires Date: Fri Oct 12 16:05:25 2018 +0200 HID: alps: allow incoming reports when only the trackstick is opened [ Upstream commit 7dd8db68949a7acc5bd528ee0ecb8f8720f49921 ] If userspace only reads the trackstick node, and no one is listening to the touchpad nor the hidraw node then, the device is not powered on. Add open/close callbacks to allow users to disable the touchpad in Gnome while keeping the trackstick active. Link: https://bugzilla.redhat.com/show_bug.cgi?id=1559632 Link: https://gitlab.gnome.org/GNOME/mutter/issues/128 Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 3b7b23827dfbcf4d9b0e004016940586a9cc6639 Author: Benjamin Tissoires Date: Wed Oct 17 09:01:53 2018 +0200 Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS" [ Upstream commit 6298944d8f57f40ee2a3e6dcea1253e78d7a9969 ] This reverts commit 67ddbb3e6568fb1820b2cc45b00c50702b114801. 67ddbb3e656 ("HID: add NOGET quirk for Eaton Ellipse MAX UPS") was reported by Laurent Bigonville. It turns out that a later model Laurent got doesn't need the quirk after all. My take is that Eaton upgraded their firmwares, so we don't need it anymore. The old model was from 2012, so better make sure the new line works properly by removing the quirk. This allows upower to actually fetch the current data. Reported-by: Laurent Bigonville Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 48d49b635b66f3017ecd795c211190d6d1beca57 Author: Kai-Heng Feng Date: Fri Oct 5 12:46:29 2018 +0800 HID: i2c-hid: Add a small delay after sleep command for Raydium touchpanel [ Upstream commit 00b790ea545b6ef30221adef6e9c3707e03b82b5 ] Raydium touchpanel (2386:4B33) sometimes does not work in desktop session although it works in display manager. During user logging, the display manager exits, close the HID device, then the device gets runtime suspended and powered off. The desktop session begins shortly after, opens the HID device, then the device gets runtime resumed and powered on. If the trasition from display manager to desktop sesesion is fast, the touchpanel cannot switch from powered off to powered on in short timeframe. So add a small delay to workaround the issue. Signed-off-by: Kai-Heng Feng Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 1d5dfce77c957056f9d92fffa1df7daea757ba13 Author: Vasily Gorbik Date: Fri Oct 19 15:37:01 2018 +0200 s390/vdso: add missing FORCE to build targets [ Upstream commit b44b136a3773d8a9c7853f8df716bd1483613cbb ] According to Documentation/kbuild/makefiles.txt all build targets using if_changed should use FORCE as well. Add missing FORCE to make sure vdso targets are rebuild properly when not just immediate prerequisites have changed but also when build command differs. Reviewed-by: Philipp Rudo Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 9b2d5118f74fede5a989ef8747d8fdfca84771dd Author: Vasily Gorbik Date: Fri Oct 19 13:37:46 2018 +0200 s390/decompressor: add missing FORCE to build targets [ Upstream commit ef5febae1543f35a45f01614123e829d77326d0f ] According to Documentation/kbuild/makefiles.txt all build targets using if_changed should use FORCE as well. Add missing FORCE to make sure vmlinux decompressor targets are rebuild properly when not just immediate prerequisites have changed but also when build command differs. Reviewed-by: Philipp Rudo Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit a3123502b84f33e743507a5e613c3363c16dc525 Author: Jiri Slaby Date: Wed Oct 24 13:54:03 2018 +0200 netfilter: bridge: define INT_MIN & INT_MAX in userspace [ Upstream commit 5a8de47b3c250521dd632cdedaac6db88367defa ] With 4.19, programs like ebtables fail to build when they include "linux/netfilter_bridge.h". It is caused by commit 94276fa8a2a4 which added a use of INT_MIN and INT_MAX to the header: : In file included from /usr/include/linux/netfilter_bridge/ebtables.h:18, : from include/ebtables_u.h:28, : from communication.c:23: : /usr/include/linux/netfilter_bridge.h:30:20: error: 'INT_MIN' undeclared here (not in a function) : NF_BR_PRI_FIRST = INT_MIN, : ^~~~~~~ Define these constants by including "limits.h" when !__KERNEL__ (the same way as for other netfilter_* headers). Fixes: 94276fa8a2a4 ("netfilter: bridge: Expose nf_tables bridge hook priorities through uapi") Signed-off-by: Jiri Slaby Acked-by: Máté Eckl Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 84ed07d9577ec3965c6747ac3cd154844777060e Author: Florian Westphal Date: Tue Oct 23 16:47:16 2018 +0200 netfilter: ipv6: fix oops when defragmenting locally generated fragments [ Upstream commit 61792b677415b77c8db04991c22966bb8de7603e ] Unlike ipv4 and normal ipv6 defrag, netfilter ipv6 defragmentation did not save/restore skb->dst. This causes oops when handling locally generated ipv6 fragments, as output path needs a valid dst. Reported-by: Maciej Żenczykowski Fixes: 84379c9afe01 ("netfilter: ipv6: nf_defrag: drop skb dst before queueing") Signed-off-by: Florian Westphal Reviewed-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit c2c72619cce2461203bab86984b92d6923882b8e Author: Geert Uytterhoeven Date: Tue Oct 9 19:41:58 2018 +0200 serial: sh-sci: Fix receive on SCIFA/SCIFB variants with DMA [ Upstream commit 202dc3cc10b4d37e5251431acf8d5040a8876c7d ] On SCIFA and SCIFB serial ports with DMA support (i.e. some ports on R-Car Gen2 and RZ/G1 SoCs), receive DMA operations are submitted before the DMA channel pointer is initialized. Hence this fails, and the driver tries to fall back to PIO. However, at this early phase in the initialization sequence, fallback to PIO does not work, leading to a serial port that cannot receive any data. Fix this by calling sci_submit_rx() after initialization of the DMA channel pointer. Reported-by: Yoshihiro Shimoda Fixes: 2c4ee23530ffc022 ("serial: sh-sci: Postpone DMA release when falling back to PIO") Signed-off-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Tested-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 459852bfd6ed77449cbf0a7e7b650bf61dd96162 Author: Johan Hovold Date: Wed Aug 22 11:03:19 2018 +0200 clk: ti: fix OF child-node lookup [ Upstream commit 00a461cc32ec27fa7bd9c874a7b36b0c6c542c12 ] Fix child-node lookup which by using the wrong OF helper was searching the whole tree depth-first, something which could end up matching an unrelated node. Also fix the related node-reference leaks. Fixes: 5b385a45e001 ("clk: ti: add support for clkctrl aliases") Signed-off-by: Johan Hovold Acked-by: Tero Kristo Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 1e5ac60289f941a42cb6cedc381f1681320626c5 Author: Phil Edworthy Date: Fri Aug 31 12:26:36 2018 +0100 clk: renesas: r9a06g032: Fix UART34567 clock rate [ Upstream commit ee02950d53eee0d4c7f1c08a35272b77d24b9459 ] The clock for UARTs 0 through 2 is UART012, the clock for UARTs 3 through 7 is UART34567. For UART012, we stop the clock driver from changing the clock rate. This is because the Synopsys UART driver simply sets the reference clock to 16x the baud rate, but doesn't check if the actual rate is within the required tolerance. The RZ/N1 clock divider can't provide this (we have to rely on the UART's internal divider to set the correct clock rate), so you end up with a clock rate that is way off what you wanted. In addition, since the clock is shared between multiple UARTs, you don't want the driver trying to change the clock rate as it may affect the other UARTs (which may not have been configured yet, so you don't know what baud rate they will use). Normally, the clock rate is set early on before Linux to some very high rate that supports all of the clock rates you want. This change stops the UART34567 clock rate from changing for the same reasons. Signed-off-by: Phil Edworthy Fixes: 4c3d88526eba2143 ("clk: renesas: Renesas R9A06G032 clock driver") Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit a178c7abb3a774fbff7d19fd342175b71b592384 Author: Jerome Brunet Date: Wed Aug 1 16:00:51 2018 +0200 clk: meson: clk-pll: drop CLK_GET_RATE_NOCACHE where unnecessary [ Upstream commit 2303a9ca693e585a558497ad737728fec97e2b8a ] CLK_GET_RATE_NOCACHE should only be necessary when the registers controlling the rate of clock may change outside of CCF. On Amlogic, it should only be the case for the hdmi pll which is directly controlled by the display driver (WIP to fix this). The other plls should not require this flag. Reviewed-by: Martin Blumenstingl Tested-by: Martin Blumenstingl Signed-off-by: Jerome Brunet Signed-off-by: Sasha Levin commit ee9b38131b4b288d1db5ce2ac8617f703b3d93e1 Author: Nathan Chancellor Date: Tue Sep 25 12:44:59 2018 -0700 arm64: percpu: Initialize ret in the default case [ Upstream commit b5bb425871186303e6936fa2581521bdd1964a58 ] Clang warns that if the default case is taken, ret will be uninitialized. ./arch/arm64/include/asm/percpu.h:196:2: warning: variable 'ret' is used uninitialized whenever switch default is taken [-Wsometimes-uninitialized] default: ^~~~~~~ ./arch/arm64/include/asm/percpu.h:200:9: note: uninitialized use occurs here return ret; ^~~ ./arch/arm64/include/asm/percpu.h:157:19: note: initialize the variable 'ret' to silence this warning unsigned long ret, loop; ^ = 0 This warning appears several times while building the erofs filesystem. While it's not strictly wrong, the BUILD_BUG will prevent this from becoming a true problem. Initialize ret to 0 in the default case right before the BUILD_BUG to silence all of these warnings. Reported-by: Prasad Sodagudi Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Dennis Zhou Signed-off-by: Sasha Levin commit e252c95d05f61efbf8522ac7ed4f8ab7defb77de Author: Yixun Lan Date: Wed Aug 1 12:16:24 2018 +0000 clk: meson-axg: pcie: drop the mpll3 clock parent [ Upstream commit 69b93104c7ec5668019caf5d2dbfd0e182df06db ] We found the PCIe driver doesn't really work with the mpll3 clock which is actually reserved for debug, So drop it from the mux list. Fixes: 33b89db68236 ("clk: meson-axg: add clocks required by pcie driver") Tested-by: Jianxin Qin Signed-off-by: Yixun Lan Signed-off-by: Jerome Brunet Signed-off-by: Sasha Levin commit e28f46344721c8481afd2b706b533a187c0bdb0e Author: Paul Gortmaker Date: Thu Sep 20 21:44:19 2018 -0400 platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 [ Upstream commit 684238d79ad85c5e19a71bb5818e77e329912fbc ] To fix: acerhdf: unknown (unsupported) BIOS version Gateway /LT31 /v1.3307 , please report, aborting! As can be seen in the context, the BIOS registers haven't changed in the previous versions, so the assumption is they won't have changed in this last update for this somewhat older platform either. Cc: Peter Feuerer Cc: Darren Hart Cc: Andy Shevchenko Signed-off-by: Paul Gortmaker Signed-off-by: Andy Shevchenko Reviewed-by: Peter Feuerer Signed-off-by: Sasha Levin commit 9f0e46bf5559897f724d940e39e4ffc230413325 Author: Feng Tang Date: Wed Oct 3 00:49:21 2018 +0800 x86/earlyprintk: Add a force option for pciserial device [ Upstream commit d2266bbfa9e3e32e3b642965088ca461bd24a94f ] The "pciserial" earlyprintk variant helps much on many modern x86 platforms, but unfortunately there are still some platforms with PCI UART devices which have the wrong PCI class code. In that case, the current class code check does not allow for them to be used for logging. Add a sub-option "force" which overrides the class code check and thus the use of such device can be enforced. [ bp: massage formulations. ] Suggested-by: Borislav Petkov Signed-off-by: Feng Tang Signed-off-by: Borislav Petkov Cc: "H. Peter Anvin" Cc: "Stuart R . Anderson" Cc: Bjorn Helgaas Cc: David Rientjes Cc: Feng Tang Cc: Frederic Weisbecker Cc: Greg Kroah-Hartman Cc: H Peter Anvin Cc: Ingo Molnar Cc: Jiri Kosina Cc: Jonathan Corbet Cc: Kai-Heng Feng Cc: Kate Stewart Cc: Konrad Rzeszutek Wilk Cc: Peter Zijlstra Cc: Philippe Ombredanne Cc: Thomas Gleixner Cc: Thymo van Beers Cc: alan@linux.intel.com Cc: linux-doc@vger.kernel.org Link: http://lkml.kernel.org/r/20181002164921.25833-1-feng.tang@intel.com Signed-off-by: Sasha Levin commit c8a1685aa3cb6209c26da50f10364a9842fe2fda Author: Zubin Mithra Date: Thu Sep 27 14:49:17 2018 -0700 apparmor: Fix uninitialized value in aa_split_fqname [ Upstream commit 250f2da49cb8e582215a65c03f50e8ddf5cd119c ] Syzkaller reported a OOB-read with the stacktrace below. This occurs inside __aa_lookupn_ns as `n` is not initialized. `n` is obtained from aa_splitn_fqname. In cases where `name` is invalid, aa_splitn_fqname returns without initializing `ns_name` and `ns_len`. Fix this by always initializing `ns_name` and `ns_len`. __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 memcmp+0xe3/0x160 lib/string.c:861 strnstr+0x4b/0x70 lib/string.c:934 __aa_lookupn_ns+0xc1/0x570 security/apparmor/policy_ns.c:209 aa_lookupn_ns+0x88/0x1e0 security/apparmor/policy_ns.c:240 aa_fqlookupn_profile+0x1b9/0x1010 security/apparmor/policy.c:468 fqlookupn_profile+0x80/0xc0 security/apparmor/label.c:1844 aa_label_strn_parse+0xa3a/0x1230 security/apparmor/label.c:1908 aa_label_parse+0x42/0x50 security/apparmor/label.c:1943 aa_change_profile+0x513/0x3510 security/apparmor/domain.c:1362 apparmor_setprocattr+0xaa4/0x1150 security/apparmor/lsm.c:658 security_setprocattr+0x66/0xc0 security/security.c:1298 proc_pid_attr_write+0x301/0x540 fs/proc/base.c:2555 __vfs_write+0x119/0x9f0 fs/read_write.c:485 vfs_write+0x1fc/0x560 fs/read_write.c:549 ksys_write+0x101/0x260 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 3b0aaf5866bf ("apparmor: add lib fn to find the "split" for fqnames") Reported-by: syzbot+61e4b490d9d2da591b50@syzkaller.appspotmail.com Signed-off-by: Zubin Mithra Reviewed-by: Kees Cook Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 8b9cdb75907735c5b7411a692bbd9b4a96d53830 Author: Marek Szyprowski Date: Mon Sep 24 13:01:20 2018 +0200 clk: samsung: exynos5420: Enable PERIS clocks for suspend [ Upstream commit b33228029d842269e17bba591609e83ed422005d ] Ensure that clocks for core SoC modules (including TZPC0..9 modules) are enabled for suspend/resume cycle. This fixes suspend/resume support on Exynos5422-based Odroid XU3/XU4 boards. Suggested-by: Joonyoung Shim Signed-off-by: Marek Szyprowski Signed-off-by: Sylwester Nawrocki Signed-off-by: Sasha Levin commit 33df917736f090740e8050d19437e5029be29d00 Author: Chengguang Xu Date: Wed Jun 13 12:05:13 2018 +0800 fs/exofs: fix potential memory leak in mount option parsing [ Upstream commit 515f1867addaba49c1c6ac73abfaffbc192c1db4 ] There are some cases can cause memory leak when parsing option 'osdname'. Signed-off-by: Chengguang Xu Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit b7d1a7868cebb8cde5fe09ba41d44f8b04c990e2 Author: David Miller Date: Wed Oct 17 12:08:59 2018 -0700 perf symbols: Set PLT entry/header sizes properly on Sparc [ Upstream commit d6afa561e1471ccfdaf7191230c0c59a37e45a5b ] Using the sh_entsize for both values isn't correct. It happens to be correct on x86... For both 32-bit and 64-bit sparc, there are four PLT entries in the PLT section. Signed-off-by: David S. Miller Cc: Alexander Shishkin Cc: Alexis Berlemont Cc: David Tolnay Cc: Hanjun Guo Cc: Hemant Kumar Cc: Li Bin Cc: Masami Hiramatsu Cc: Milian Wolff Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Wang Nan Cc: zhangmengting@huawei.com Fixes: b2f7605076d6 ("perf symbols: Fix plt entry calculation for ARM and AARCH64") Link: http://lkml.kernel.org/r/20181017.120859.2268840244308635255.davem@davemloft.net Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 070bbd572c12bd782edcef4a0ebe2304236b0b3e Author: Alan Tull Date: Thu Oct 18 14:54:11 2018 -0500 clk: fixed-rate: fix of_node_get-put imbalance [ Upstream commit 52091c256bdcad0d01e2852a63f19cd2cce6af96 ] When the fixed rate clock is created by devicetree, of_clk_add_provider is called. Add a call to of_clk_del_provider in the remove function to balance it out. Signed-off-by: Alan Tull Fixes: 435779fe1336 ("clk: fixed-rate: Convert into a module platform driver") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit c80506fa94531e6beb44658f30c0d375bce8658f Author: Rajneesh Bhardwaj Date: Sat Oct 6 12:21:13 2018 +0530 platform/x86: intel_telemetry: report debugfs failure [ Upstream commit 8d98b1ef368feeb7720b8b9b6f3bd93f2ad892bc ] On some Goldmont based systems such as ASRock J3455M the BIOS may not enable the IPC1 device that provides access to the PMC and PUNIT. In such scenarios, the IOSS and PSS resources from the platform device can not be obtained and result in a invalid telemetry_plt_config which is an internal data structure that holds platform config and is maintained by the telemetry platform driver. This is also applicable to the platforms where the BIOS supports IPC1 device under debug configurations but IPC1 is disabled by user or the policy. This change allows user to know the reason for not seeing entries under /sys/kernel/debug/telemetry/* when there is no apparent failure at boot. Cc: Matt Turner Cc: Len Brown Cc: Souvik Kumar Chakravarty Cc: Kuppuswamy Sathyanarayanan Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198779 Acked-by: Matt Turner Signed-off-by: Rajneesh Bhardwaj Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 464ac699fcbfde1f99826c208de90070cd7ce68e Author: David Howells Date: Sat Oct 20 00:57:57 2018 +0100 afs: Handle EIO from delivery function [ Upstream commit 4ac15ea53622272c01954461b4814892b7481b40 ] Fix afs_deliver_to_call() to handle -EIO being returned by the operation delivery function, indicating that the call found itself in the wrong state, by printing an error and aborting the call. Currently, an assertion failure will occur. This can happen, say, if the delivery function falls off the end without calling afs_extract_data() with the want_more parameter set to false to collect the end of the Rx phase of a call. The assertion failure looks like: AFS: Assertion failed 4 == 7 is false 0x4 == 0x7 is false ------------[ cut here ]------------ kernel BUG at fs/afs/rxrpc.c:462! and is matched in the trace buffer by a line like: kworker/7:3-3226 [007] ...1 85158.030203: afs_io_error: c=0003be0c r=-5 CM_REPLY Fixes: 98bf40cd99fc ("afs: Protect call->state changes against signals") Reported-by: Marc Dionne Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 6ea95033e66f5820a78ee4d1049c5b2eff74d201 Author: Lee, Shawn C Date: Sun Oct 28 22:49:33 2018 -0700 drm/edid: Add 6 bpc quirk for BOE panel. [ Upstream commit 922dceff8dc1fb4dafc9af78139ba65671408103 ] BOE panel (ID: 0x0771) that reports "DFP 1.x compliant TMDS". But it's 6bpc panel only instead of 8 bpc. Add panel ID to edid quirk list and set 6 bpc as default to work around this issue. Cc: Jani Nikula Cc: Maarten Lankhorst Cc: Gustavo Padovan Cc: Cooper Chiou Signed-off-by: Lee, Shawn C > Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/1540792173-7288-1-git-send-email-shawn.c.lee@intel.com Signed-off-by: Sasha Levin commit d21e4ba36f8980006c252752b9631c12f0f103b0 Author: Richard Weinberger Date: Fri Jun 15 16:42:56 2018 +0200 um: Give start_idle_thread() a return code [ Upstream commit 7ff1e34bbdc15acab823b1ee4240e94623d50ee8 ] Fixes: arch/um/os-Linux/skas/process.c:613:1: warning: control reaches end of non-void function [-Wreturn-type] longjmp() never returns but gcc still warns that the end of the function can be reached. Add a return code and debug aid to detect this impossible case. Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 6cddd65095279b6f6045ad86624c54e2ee2701dd Author: Milian Wolff Date: Mon Oct 29 15:16:44 2018 +0100 perf unwind: Take pgoff into account when reporting elf to libdwfl [ Upstream commit 1fe627da30331024f453faef04d500079b901107 ] libdwfl parses an ELF file itself and creates mappings for the individual sections. perf on the other hand sees raw mmap events which represent individual sections. When we encounter an address pointing into a mapping with pgoff != 0, we must take that into account and report the file at the non-offset base address. This fixes unwinding with libdwfl in some cases. E.g. for a file like: ``` using namespace std; mutex g_mutex; double worker() { lock_guard guard(g_mutex); uniform_real_distribution uniform(-1E5, 1E5); default_random_engine engine; double s = 0; for (int i = 0; i < 1000; ++i) { s += norm(complex(uniform(engine), uniform(engine))); } cout << s << endl; return s; } int main() { vector> results; for (int i = 0; i < 10000; ++i) { results.push_back(async(launch::async, worker)); } return 0; } ``` Compile it with `g++ -g -O2 -lpthread cpp-locking.cpp -o cpp-locking`, then record it with `perf record --call-graph dwarf -e sched:sched_switch`. When you analyze it with `perf script` and libunwind, you should see: ``` cpp-locking 20038 [005] 54830.236589: sched:sched_switch: prev_comm=cpp-locking prev_pid=20038 prev_prio=120 prev_state=T ==> next_comm=swapper/5 next_pid=0 next_prio=120 ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1670208 schedule+0x28 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb16737cc rwsem_down_read_failed+0xec (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1665e04 call_rwsem_down_read_failed+0x14 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1672a03 down_read+0x13 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb106bd85 __do_page_fault+0x445 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb18015f5 page_fault+0x45 (/lib/modules/4.14.78-1-lts/build/vmlinux) 7f38e4252591 new_heap+0x101 (/usr/lib/libc-2.28.so) 7f38e4252d0b arena_get2.part.4+0x2fb (/usr/lib/libc-2.28.so) 7f38e4255b1c tcache_init.part.6+0xec (/usr/lib/libc-2.28.so) 7f38e42569e5 __GI___libc_malloc+0x115 (inlined) 7f38e4241790 __GI__IO_file_doallocate+0x90 (inlined) 7f38e424fbbf __GI__IO_doallocbuf+0x4f (inlined) 7f38e424ee47 __GI__IO_file_overflow+0x197 (inlined) 7f38e424df36 _IO_new_file_xsputn+0x116 (inlined) 7f38e4242bfb __GI__IO_fwrite+0xdb (inlined) 7f38e463fa6d std::basic_streambuf >::sputn(char const*, long)+0x1cd (inlined) 7f38e463fa6d std::ostreambuf_iterator >::_M_put(char const*, long)+0x1cd (inlined) 7f38e463fa6d std::ostreambuf_iterator > std::__write(std::ostreambuf_iterator >, char const*, int)+0x1cd (inlined) 7f38e463fa6d std::ostreambuf_iterator > std::num_put > >::_M_insert_float(std::ostreambuf_iterator 7f38e464bd70 std::num_put > >::put(std::ostreambuf_iterator >, std::ios_base&, char, double) const+0x90 (inl> 7f38e464bd70 std::ostream& std::ostream::_M_insert(double)+0x90 (/usr/lib/libstdc++.so.6.0.25) 563b9cb502f7 std::ostream::operator<<(double)+0xb7 (inlined) 563b9cb502f7 worker()+0xb7 (/ssd/milian/projects/kdab/rnd/hotspot/build/tests/test-clients/cpp-locking/cpp-locking) 563b9cb506fb double std::__invoke_impl(std::__invoke_other, double (*&&)())+0x2b (inlined) 563b9cb506fb std::__invoke_result::type std::__invoke(double (*&&)())+0x2b (inlined) 563b9cb506fb decltype (__invoke((_S_declval<0ul>)())) std::thread::_Invoker >::_M_invoke<0ul>(std::_Index_tuple<0ul>)+0x2b (inlined) 563b9cb506fb std::thread::_Invoker >::operator()()+0x2b (inlined) 563b9cb506fb std::__future_base::_Task_setter, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker >, dou> 563b9cb506fb std::_Function_handler (), std::__future_base::_Task_setter 563b9cb507e8 std::function ()>::operator()() const+0x28 (inlined) 563b9cb507e8 std::__future_base::_State_baseV2::_M_do_set(std::function ()>*, bool*)+0x28 (/ssd/milian/> 7f38e46d24fe __pthread_once_slow+0xbe (/usr/lib/libpthread-2.28.so) 563b9cb51149 __gthread_once+0xe9 (inlined) 563b9cb51149 void std::call_once ()>*, bool*)> 563b9cb51149 std::__future_base::_State_baseV2::_M_set_result(std::function ()>, bool)+0xe9 (inlined) 563b9cb51149 std::__future_base::_Async_state_impl >, double>::_Async_state_impl(std::thread::_Invoker >&&)::{lambda()#1}::op> 563b9cb51149 void std::__invoke_impl >, double>::_Async_state_impl(std::thread::_Invoker 563b9cb51149 std::__invoke_result >, double>::_Async_state_impl(std::thread::_Invoker >> 563b9cb51149 decltype (__invoke((_S_declval<0ul>)())) std::thread::_Invoker >, double>::_Async_state_> 563b9cb51149 std::thread::_Invoker >, double>::_Async_state_impl(std::thread::_Invoker 563b9cb51149 std::thread::_State_impl >, double>::_Async_state_impl(std::thread> 7f38e45f0062 execute_native_thread_routine+0x12 (/usr/lib/libstdc++.so.6.0.25) 7f38e46caa9c start_thread+0xfc (/usr/lib/libpthread-2.28.so) 7f38e42ccb22 __GI___clone+0x42 (inlined) ``` Before this patch, using libdwfl, you would see: ``` cpp-locking 20038 [005] 54830.236589: sched:sched_switch: prev_comm=cpp-locking prev_pid=20038 prev_prio=120 prev_state=T ==> next_comm=swapper/5 next_pid=0 next_prio=120 ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1670208 schedule+0x28 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb16737cc rwsem_down_read_failed+0xec (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1665e04 call_rwsem_down_read_failed+0x14 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1672a03 down_read+0x13 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb106bd85 __do_page_fault+0x445 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb18015f5 page_fault+0x45 (/lib/modules/4.14.78-1-lts/build/vmlinux) 7f38e4252591 new_heap+0x101 (/usr/lib/libc-2.28.so) a041161e77950c5c [unknown] ([unknown]) ``` With this patch applied, we get a bit further in unwinding: ``` cpp-locking 20038 [005] 54830.236589: sched:sched_switch: prev_comm=cpp-locking prev_pid=20038 prev_prio=120 prev_state=T ==> next_comm=swapper/5 next_pid=0 next_prio=120 ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1670208 schedule+0x28 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb16737cc rwsem_down_read_failed+0xec (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1665e04 call_rwsem_down_read_failed+0x14 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb1672a03 down_read+0x13 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb106bd85 __do_page_fault+0x445 (/lib/modules/4.14.78-1-lts/build/vmlinux) ffffffffb18015f5 page_fault+0x45 (/lib/modules/4.14.78-1-lts/build/vmlinux) 7f38e4252591 new_heap+0x101 (/usr/lib/libc-2.28.so) 7f38e4252d0b arena_get2.part.4+0x2fb (/usr/lib/libc-2.28.so) 7f38e4255b1c tcache_init.part.6+0xec (/usr/lib/libc-2.28.so) 7f38e42569e5 __GI___libc_malloc+0x115 (inlined) 7f38e4241790 __GI__IO_file_doallocate+0x90 (inlined) 7f38e424fbbf __GI__IO_doallocbuf+0x4f (inlined) 7f38e424ee47 __GI__IO_file_overflow+0x197 (inlined) 7f38e424df36 _IO_new_file_xsputn+0x116 (inlined) 7f38e4242bfb __GI__IO_fwrite+0xdb (inlined) 7f38e463fa6d std::basic_streambuf >::sputn(char const*, long)+0x1cd (inlined) 7f38e463fa6d std::ostreambuf_iterator >::_M_put(char const*, long)+0x1cd (inlined) 7f38e463fa6d std::ostreambuf_iterator > std::__write(std::ostreambuf_iterator >, char const*, int)+0x1cd (inlined) 7f38e463fa6d std::ostreambuf_iterator > std::num_put > >::_M_insert_float(std::ostreambuf_iterator 7f38e464bd70 std::num_put > >::put(std::ostreambuf_iterator >, std::ios_base&, char, double) const+0x90 (inl> 7f38e464bd70 std::ostream& std::ostream::_M_insert(double)+0x90 (/usr/lib/libstdc++.so.6.0.25) 563b9cb502f7 std::ostream::operator<<(double)+0xb7 (inlined) 563b9cb502f7 worker()+0xb7 (/ssd/milian/projects/kdab/rnd/hotspot/build/tests/test-clients/cpp-locking/cpp-locking) 6eab825c1ee3e4ff [unknown] ([unknown]) ``` Note that the backtrace is still stopping too early, when compared to the nice results obtained via libunwind. It's unclear so far what the reason for that is. Committer note: Further comment by Milian on the thread started on the Link: tag below: --- The remaining issue is due to a bug in elfutils: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00089.html With both patches applied, libunwind and elfutils produce the same output for the above scenario. --- Signed-off-by: Milian Wolff Acked-by: Jiri Olsa Link: http://lkml.kernel.org/r/20181029141644.3907-1-milian.wolff@kdab.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 52fc49b6ae578c6cd07920b29826503f75007eaf Author: Ernesto A. Fernández Date: Tue Oct 30 15:06:00 2018 -0700 hfsplus: prevent btree data loss on root split [ Upstream commit 0a3021d4f5295aa073c7bf5c5e4de60a2e292578 ] Creating, renaming or deleting a file may cause catalog corruption and data loss. This bug is randomly triggered by xfstests generic/027, but here is a faster reproducer: truncate -s 50M fs.iso mkfs.hfsplus fs.iso mount fs.iso /mnt i=100 while [ $i -le 150 ]; do touch /mnt/$i &>/dev/null ((++i)) done i=100 while [ $i -le 150 ]; do mv /mnt/$i /mnt/$(perl -e "print $i x82") &>/dev/null ((++i)) done umount /mnt fsck.hfsplus -n fs.iso The bug is triggered whenever hfs_brec_update_parent() needs to split the root node. The height of the btree is not increased, which leaves the new node orphaned and its records lost. Link: http://lkml.kernel.org/r/26d882184fc43043a810114258f45277752186c7.1535682461.git.ernesto.mnd.fernandez@gmail.com Signed-off-by: Ernesto A. Fernández Cc: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ea54dce2062cbba2a6a7e3dcac51db6637343c7b Author: Ernesto A. Fernández Date: Tue Oct 30 15:06:07 2018 -0700 hfs: prevent btree data loss on root split [ Upstream commit d057c036672f33d43a5f7344acbb08cf3a8a0c09 ] This bug is triggered whenever hfs_brec_update_parent() needs to split the root node. The height of the btree is not increased, which leaves the new node orphaned and its records lost. It is not possible for this to happen on a valid hfs filesystem because the index nodes have fixed length keys. For reasons I ignore, the hfs module does have support for a number of hfsplus features. A corrupt btree header may report variable length keys and trigger this bug, so it's better to fix it. Link: http://lkml.kernel.org/r/9750b1415685c4adca10766895f6d5ef12babdb0.1535682463.git.ernesto.mnd.fernandez@gmail.com Signed-off-by: Ernesto A. Fernández Cc: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ee38053fcf5d401e8b5c05bd6a40b687a875f02a Author: Jann Horn Date: Tue Oct 30 15:06:38 2018 -0700 reiserfs: propagate errors from fill_with_dentries() properly [ Upstream commit b10298d56c9623f9b173f19959732d3184b35f4f ] fill_with_dentries() failed to propagate errors up to reiserfs_for_each_xattr() properly. Plumb them through. Note that reiserfs_for_each_xattr() is only used by reiserfs_delete_xattrs() and reiserfs_chown_xattrs(). The result of reiserfs_delete_xattrs() is discarded anyway, the only difference there is whether a warning is printed to dmesg. The result of reiserfs_chown_xattrs() does matter because it can block chowning of the file to which the xattrs belong; but either way, the resulting state can have misaligned ownership, so my patch doesn't improve things greatly. Credit for making me look at this code goes to Al Viro, who pointed out that the ->actor calling convention is suboptimal and should be changed. Link: http://lkml.kernel.org/r/20180802163335.83312-1-jannh@google.com Signed-off-by: Jann Horn Reviewed-by: Andrew Morton Cc: Jeff Mahoney Cc: Eric Biggers Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 23ce028f4564d1ce2df1fc6f99d9fcad5beaa51b Author: Radoslaw Tyl Date: Mon Oct 22 08:44:31 2018 +0200 ixgbe: fix MAC anti-spoofing filter after VFLR [ Upstream commit 6702185c1ffec3421181b5e24491e3fac920cb61 ] This change resolves a driver bug where the driver is logging a message that says "Spoofed packets detected". This can occur on the PF (host) when a VF has VLAN+MACVLAN enabled and is re-started with a different MAC address. MAC and VLAN anti-spoofing filters are to be enabled together. Signed-off-by: Radoslaw Tyl Tested-by: Andrew Bowers Acked-by: Piotr Skajewski Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 91a52a44195e205aaf8a275621bf8fa9cc082b02 Author: Huazhong Tan Date: Tue Oct 30 21:50:46 2018 +0800 net: hns3: bugfix for the initialization of command queue's spin lock [ Upstream commit b2f74dbaf12bf59ff35d451005b3cdee78232ff0 ] The spin lock of the command queue only need to be initialized once when the driver initializes the command queue. It is not necessary to initialize the spin lock when resetting. At the same time, the modification of the queue member should be performed after acquiring the lock. Fixes: 3efb960f056d ("net: hns3: Refactor the initialization of command queue") Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 355ec07561044fadd1edc071315105cbdf9f79bf Author: Huazhong Tan Date: Tue Oct 30 21:50:51 2018 +0800 net: hns3: bugfix for handling mailbox while the command queue reinitialized [ Upstream commit 3c88ed1d798da355859ca083d3884a16ce0841f2 ] In a multi-core machine, the mailbox service and reset service will be executed at the same time. The reset service will re-initialize the command queue, before that, the mailbox handler can only get some invalid messages. The HCLGE_STATE_CMD_DISABLE flag means that the command queue is not available and needs to be reinitialized. Therefore, when the mailbox handler recognizes this flag, it should not process the command. Fixes: dde1a86e93ca ("net: hns3: Add mailbox support to PF driver") Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 92cb1b096a08723daaf78d5c202c53b11bb282b9 Author: Huazhong Tan Date: Tue Oct 30 21:50:52 2018 +0800 net: hns3: bugfix for rtnl_lock's range in the hclge_reset() [ Upstream commit a963052e539887df481d4d3a6ad4c92ca6461852 ] Since hclge_reset_wait() is used to wait for the hardware to complete the reset, it is not necessary to hold the rtnl_lock during hclge_reset_wait(). So this patch releases the lock for the duration of hclge_reset_wait(). Fixes: 6d4fab39533f ("net: hns3: Reset net device with rtnl_lock") Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 733edfd69e092cdabf5e26a41c157662e24279c0 Author: Huazhong Tan Date: Tue Oct 30 21:50:53 2018 +0800 net: hns3: bugfix for rtnl_lock's range in the hclgevf_reset() [ Upstream commit 29118ab962d5476fdc65fae312ac38db68092d78 ] Since hclgevf_reset_wait() is used to wait for the hardware to complete the reset, it is not necessary to hold the rtnl_lock during hclgevf_reset_wait(). So this patch releases the lock for the duration of hclgevf_reset_wait(). Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer") Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0987d5a67bc726e99136f623b09ae9e207f50e16 Author: Ming Lei Date: Fri Nov 2 08:50:51 2018 +0800 block: brd: associate with queue until adding disk [ Upstream commit 153fcd5f6d93b8e1e4040b1337f564a10f8d93af ] brd_free() may be called in failure path on one brd instance which disk isn't added yet, so release handler of gendisk may free the associated request_queue early and causes the following use-after-free[1]. This patch fixes this issue by associating gendisk with request_queue just before adding disk. [1] KASAN: use-after-free Read in del_timer_syncNon-volatile memory driver v1.3 Linux agpgart interface v0.103 [drm] Initialized vgem 1.0.0 20120112 for virtual device on minor 0 usbcore: registered new interface driver udl ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218 Read of size 8 at addr ffff8801d1b6b540 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0+ #88 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844 del_timer_sync+0xb7/0x270 kernel/time/timer.c:1283 blk_cleanup_queue+0x413/0x710 block/blk-core.c:809 brd_free+0x5d/0x71 drivers/block/brd.c:422 brd_init+0x2eb/0x393 drivers/block/brd.c:518 do_one_initcall+0x145/0x957 init/main.c:890 do_initcall_level init/main.c:958 [inline] do_initcalls init/main.c:966 [inline] do_basic_setup init/main.c:984 [inline] kernel_init_freeable+0x5c6/0x6b9 init/main.c:1148 kernel_init+0x11/0x1ae init/main.c:1068 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350 Reported-by: syzbot+3701447012fe951dabb2@syzkaller.appspotmail.com Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 262522ccef74e5f1a74f9f5591834f2a97a458fd Author: Anders Roxell Date: Tue Oct 30 12:38:50 2018 +0100 arm64: kprobe: make page to RO mode when allocate it [ Upstream commit 966866892cf89d606544bca22d584ba2ef9ec208 ] Commit 1404d6f13e47 ("arm64: dump: Add checking for writable and exectuable pages") has successfully identified code that leaves a page with W+X permissions. [ 3.245140] arm64/mm: Found insecure W+X mapping at address (____ptrval____)/0xffff000000d90000 [ 3.245771] WARNING: CPU: 0 PID: 1 at ../arch/arm64/mm/dump.c:232 note_page+0x410/0x420 [ 3.246141] Modules linked in: [ 3.246653] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0-rc5-next-20180928-00001-ge70ae259b853-dirty #62 [ 3.247008] Hardware name: linux,dummy-virt (DT) [ 3.247347] pstate: 80000005 (Nzcv daif -PAN -UAO) [ 3.247623] pc : note_page+0x410/0x420 [ 3.247898] lr : note_page+0x410/0x420 [ 3.248071] sp : ffff00000804bcd0 [ 3.248254] x29: ffff00000804bcd0 x28: ffff000009274000 [ 3.248578] x27: ffff00000921a000 x26: ffff80007dfff000 [ 3.248845] x25: ffff0000093f5000 x24: ffff000009526f6a [ 3.249109] x23: 0000000000000004 x22: ffff000000d91000 [ 3.249396] x21: ffff000000d90000 x20: 0000000000000000 [ 3.249661] x19: ffff00000804bde8 x18: 0000000000000400 [ 3.249924] x17: 0000000000000000 x16: 0000000000000000 [ 3.250271] x15: ffffffffffffffff x14: 295f5f5f5f6c6176 [ 3.250594] x13: 7274705f5f5f5f28 x12: 2073736572646461 [ 3.250941] x11: 20746120676e6970 x10: 70616d20582b5720 [ 3.251252] x9 : 6572756365736e69 x8 : 3039643030303030 [ 3.251519] x7 : 306666666678302f x6 : ffff0000095467b2 [ 3.251802] x5 : 0000000000000000 x4 : 0000000000000000 [ 3.252060] x3 : 0000000000000000 x2 : ffffffffffffffff [ 3.252323] x1 : 4d151327adc50b00 x0 : 0000000000000000 [ 3.252664] Call trace: [ 3.252953] note_page+0x410/0x420 [ 3.253186] walk_pgd+0x12c/0x238 [ 3.253417] ptdump_check_wx+0x68/0xf8 [ 3.253637] mark_rodata_ro+0x68/0x98 [ 3.253847] kernel_init+0x38/0x160 [ 3.254103] ret_from_fork+0x10/0x18 kprobes allocates a writable executable page with module_alloc() in order to store executable code. Reworked to that when allocate a page it sets mode RO. Inspired by commit 63fef14fc98a ("kprobes/x86: Make insn buffer always ROX and use text_poke()"). Suggested-by: Arnd Bergmann Suggested-by: Ard Biesheuvel Acked-by: Will Deacon Acked-by: Masami Hiramatsu Reviewed-by: Laura Abbott Signed-off-by: Anders Roxell [catalin.marinas@arm.com: removed unnecessary casts] Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit e4ed4e68c6d8aba1e4cd63979e7ac7f42075e21a Author: Ronnie Sahlberg Date: Thu Oct 25 15:43:36 2018 +1000 cifs: fix return value for cifs_listxattr [ Upstream commit 0c5d6cb6643f48ad3775322f3ebab6c7eb67484e ] If the application buffer was too small to fit all the names we would still count the number of bytes and return this for listxattr. This would then trigger a BUG in usercopy.c Fix the computation of the size so that we return -ERANGE correctly when the buffer is too small. This fixes the kernel BUG for xfstest generic/377 Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: Aurelien Aptel Signed-off-by: Sasha Levin commit ad1834fd8a479f499918107e1f97591eb0a4b39f Author: Colin Ian King Date: Thu Nov 1 13:14:30 2018 +0000 cifs: don't dereference smb_file_target before null check [ Upstream commit 8c6c9bed8773375b1d54ccca2911ec892c59db5d ] There is a null check on dst_file->private data which suggests it can be potentially null. However, before this check, pointer smb_file_target is derived from dst_file->private and dereferenced in the call to tlink_tcon, hence there is a potential null pointer deference. Fix this by assigning smb_file_target and target_tcon after the null pointer sanity checks. Detected by CoverityScan, CID#1475302 ("Dereference before null check") Fixes: 04b38d601239 ("vfs: pull btrfs clone API to vfs layer") Signed-off-by: Colin Ian King Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 1beb22c52484f8e4047af142ee70e1b357d561c9 Author: Ville Syrjälä Date: Thu Sep 13 18:04:05 2018 +0300 drm/i915: Replace some PAGE_SIZE with I915_GTT_PAGE_SIZE commit f6e35cda66146106cfeb85ed65696e0f8e793fee upstream. Use I915_GTT_PAGE_SIZE when talking about GTT pages rather than physical pages. There are some PAGE_SHIFTs left though. Not sure if we want to introduce I915_GTT_PAGE_SHIFT or what? Cc: Chris Wilson Suggested-by: Chris Wilson # at least some of it :) Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20180913150405.706-1-ville.syrjala@linux.intel.com Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman