LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 4.9 000/102] 4.9.93-stable review
@ 2018-04-06 13:22 Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 001/102] ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] Greg Kroah-Hartman
                   ` (104 more replies)
  0 siblings, 105 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.9.93 release.
There are 102 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.93-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.93-rc1

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    spi: davinci: fix up dma_mapping_error() incorrect patch

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "ip6_vti: adjust vti mtu according to mtu of lower device"

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "mtip32xx: use runtime tag to initialize command header"

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "spi: bcm-qspi: shut up warning about cfi header inclusion"

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"

Mikulas Patocka <mpatocka@redhat.com>
    Fix slab name "biovec-(1<<(21-12))"

Matthias Brugger <matthias.bgg@gmail.com>
    net: hns: Fix ethtool private flags

Guoqing Jiang <gqjiang@suse.com>
    md/raid10: reset the 'first' at the end of loop

Keerthy <j-keerthy@ti.com>
    ARM: dts: am57xx-idk-common: Add overide powerhold property

Keerthy <j-keerthy@ti.com>
    ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property

Keerthy <j-keerthy@ti.com>
    ARM: dts: dra7: Add power hold and power controller properties to palmas

Keerthy <j-keerthy@ti.com>
    Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition

Mike Frysinger <vapier@chromium.org>
    vt: change SGR 21 to follow the standards

Ondrej Zary <linux@rainbow-software.org>
    Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad

Dennis Wassenberg <dennis.wassenberg@secunet.com>
    Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list

Masaki Ota <masaki.ota@jp.alps.com>
    Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370

Frank Mori Hess <fmh6jj@gmail.com>
    staging: comedi: ni_mio_common: ack ai fifo error interrupts.

Eric Biggers <ebiggers@google.com>
    crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: ahash - Fix early termination in hash walk

Alexander Gerasiov <gq@redlab-i.ru>
    parport_pc: Add support for WCH CH382L PCI-E single parallel port card.

Oliver Neukum <oneukum@suse.com>
    media: usbtv: prevent double free in error case

Colin Ian King <colin.king@canonical.com>
    mei: remove dev_err message on an unsupported ioctl

Johan Hovold <johan@kernel.org>
    USB: serial: cp210x: add ELDAT Easywave RX09 id

Clemens Werther <clemens.werther@gmail.com>
    USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator

Major Hayden <major@mhtx.net>
    USB: serial: ftdi_sio: add RT Systems VX-8 cable

Will Deacon <will.deacon@arm.com>
    arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives

Will Deacon <will.deacon@arm.com>
    arm64: entry: Reword comment about post_ttbr_update_workaround

Marc Zyngier <marc.zyngier@arm.com>
    arm64: Force KPTI to be disabled on Cavium ThunderX

Will Deacon <will.deacon@arm.com>
    arm64: kpti: Add ->enable callback to remap swapper using nG mappings

Will Deacon <will.deacon@arm.com>
    arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()

Jayachandran C <jnair@caviumnetworks.com>
    arm64: Turn on KPTI only on CPUs that need it

Jayachandran C <jnair@caviumnetworks.com>
    arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs

Suzuki K Poulose <suzuki.poulose@arm.com>
    arm64: capabilities: Handle duplicate entries for a capability

Marc Zyngier <marc.zyngier@arm.com>
    arm64: Allow checking of a CPU-local erratum

Will Deacon <will.deacon@arm.com>
    arm64: Take into account ID_AA64PFR0_EL1.CSV3

Will Deacon <will.deacon@arm.com>
    arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry

Will Deacon <will.deacon@arm.com>
    arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0

Will Deacon <will.deacon@arm.com>
    arm64: use RET instruction for exiting the trampoline

Will Deacon <will.deacon@arm.com>
    arm64: kaslr: Put kernel vectors address in separate data page

Will Deacon <will.deacon@arm.com>
    arm64: entry: Add fake CPU feature for unmapping the kernel at EL0

Will Deacon <will.deacon@arm.com>
    arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks

Will Deacon <will.deacon@arm.com>
    arm64: entry: Hook up entry trampoline to exception vectors

Will Deacon <will.deacon@arm.com>
    arm64: entry: Explicitly pass exception level to kernel_ventry macro

Will Deacon <will.deacon@arm.com>
    arm64: mm: Map entry trampoline into trampoline and kernel page tables

Will Deacon <will.deacon@arm.com>
    arm64: entry: Add exception trampoline page for exceptions from EL0

AKASHI Takahiro <takahiro.akashi@linaro.org>
    module: extend 'rodata=off' boot cmdline parameter to module mappings

Mark Rutland <mark.rutland@arm.com>
    arm64: factor out entry stack manipulation

Will Deacon <will.deacon@arm.com>
    arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI

Will Deacon <will.deacon@arm.com>
    arm64: mm: Add arm64_kernel_unmapped_at_el0 helper

Will Deacon <will.deacon@arm.com>
    arm64: mm: Allocate ASIDs in pairs

Will Deacon <will.deacon@arm.com>
    arm64: mm: Move ASID from TTBR0 to TTBR1

Will Deacon <will.deacon@arm.com>
    arm64: mm: Use non-global mappings for kernel space

John Stultz <john.stultz@linaro.org>
    usb: dwc2: Improve gadget state disconnection handling

Paolo Bonzini <pbonzini@redhat.com>
    scsi: virtio_scsi: always read VPD pages for multiqueue too

Alexander Potapenko <glider@google.com>
    llist: clang: introduce member_address_is_nonnull()

Szymon Janc <szymon.janc@codecoup.pl>
    Bluetooth: Fix missing encryption refresh on Security Request

Florian Westphal <fw@strlen.de>
    netfilter: x_tables: add and use xt_check_proc_name

Florian Westphal <fw@strlen.de>
    netfilter: bridge: ebt_among: add more missing match size checks

Steffen Klassert <steffen.klassert@secunet.com>
    xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems

Greg Hackmann <ghackmann@google.com>
    net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()

Roland Dreier <roland@purestorage.com>
    RDMA/ucma: Introduce safer rdma_addr_size() variants

Leon Romanovsky <leonro@mellanox.com>
    RDMA/ucma: Check that device exists prior to accessing it

Leon Romanovsky <leonro@mellanox.com>
    RDMA/ucma: Check that device is connected prior to access it

Leon Romanovsky <leonro@mellanox.com>
    RDMA/ucma: Ensure that CM_ID exists prior to access it

Leon Romanovsky <leonro@mellanox.com>
    RDMA/ucma: Fix use-after-free access in ucma_close

Leon Romanovsky <leonro@mellanox.com>
    RDMA/ucma: Check AF family prior resolving address

Florian Westphal <fw@strlen.de>
    xfrm_user: uncoditionally validate esn replay attribute struct

Nick Desaulniers <nick.desaulniers@gmail.com>
    mm/vmscan.c: fix unsequenced modification and access warning

Matthias Kaehlcke <mka@chromium.org>
    selinux: Remove redundant check for unknown labeling behavior

Nick Desaulniers <ndesaulniers@google.com>
    arm64: avoid overflow in VA_START and PAGE_OFFSET

Matthias Kaehlcke <mka@chromium.org>
    btrfs: Remove extra parentheses from condition in copy_items()

Matthias Kaehlcke <mka@chromium.org>
    mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss()

Matthias Kaehlcke <mka@chromium.org>
    mac80211: Fix clang warning about constant operand in logical operation

Matthias Kaehlcke <mka@chromium.org>
    netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch

Frank Praznik <frank.praznik@gmail.com>
    HID: sony: Use LED_CORE_SUSPENDRESUME

Matthias Kaehlcke <mka@chromium.org>
    cfg80211: Fix array-bounds warning in fragment copy

Matthias Kaehlcke <mka@chromium.org>
    nl80211: Fix enum type of variable in nl80211_put_sta_rate()

Arnd Bergmann <arnd@arndb.de>
    xgene_enet: remove bogus forward declarations

Stefan Agner <stefan@agner.ch>
    usb: gadget: remove redundant self assignment

Matthias Kaehlcke <mka@chromium.org>
    frv: declare jiffies to be located in the .data section

Matthias Kaehlcke <mka@chromium.org>
    jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp

Mark Charlebois <charlebm@gmail.com>
    fs: compat: Remove warning from COMPATIBLE_IOCTL

Matthias Kaehlcke <mka@chromium.org>
    selinux: Remove unnecessary check of array base in selinux_set_mapping()

Matthias Kaehlcke <mka@chromium.org>
    cpumask: Add helper cpumask_available()

Matthias Kaehlcke <mka@chromium.org>
    genirq: Use cpumask_available() for check of cpumask variable

Nick Desaulniers <ndesaulniers@google.com>
    netfilter: nf_nat_h323: fix logical-not-parentheses warning

Nick Desaulniers <nick.desaulniers@gmail.com>
    Input: mousedev - fix implicit conversion warning

Matthias Kaehlcke <mka@chromium.org>
    dm ioctl: remove double parentheses

Matthias Kaehlcke <mka@chromium.org>
    PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes/x86: Fix to set RWX bits correctly before releasing trampoline

Richard Narron <comet.berkeley@gmail.com>
    partitions/msdos: Unable to mount UFS 44bsd partitions

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened

Mike Kravetz <mike.kravetz@oracle.com>
    ipc/shm.c: add split function to shm_vm_ops

Yan, Zheng <zyan@redhat.com>
    ceph: only dirty ITER_IOVEC pages for direct read

Linus Torvalds <torvalds@linux-foundation.org>
    perf/hwbp: Simplify the perf-hwbp code, fix documentation

Dan Carpenter <dan.carpenter@oracle.com>
    ALSA: pcm: potential uninitialized return values

Stefan Roese <sr@denx.de>
    ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()

Nobutaka Okabe <nob77413@gmail.com>
    ALSA: usb-audio: Add native DSD support for TEAC UD-301

Linus Walleij <linus.walleij@linaro.org>
    mtd: jedec_probe: Fix crash in jedec_read_mfr()

Fabio Estevam <festevam@gmail.com>
    ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]


-------------

Diffstat:

 .../devicetree/bindings/pinctrl/pinctrl-palmas.txt |   9 +
 Makefile                                           |   4 +-
 arch/arm/boot/dts/am335x-pepper.dts                |   2 +-
 arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi    |   1 +
 arch/arm/boot/dts/am57xx-idk-common.dtsi           |   1 +
 arch/arm/boot/dts/dra7-evm.dts                     |   2 +
 arch/arm/boot/dts/omap3-n900.dts                   |   4 +-
 arch/arm/vfp/vfpmodule.c                           |   2 +-
 arch/arm64/Kconfig                                 |  12 ++
 arch/arm64/include/asm/assembler.h                 |   3 +
 arch/arm64/include/asm/cpucaps.h                   |   3 +-
 arch/arm64/include/asm/cputype.h                   |   3 +
 arch/arm64/include/asm/fixmap.h                    |   6 +
 arch/arm64/include/asm/memory.h                    |   6 +-
 arch/arm64/include/asm/mmu.h                       |  11 ++
 arch/arm64/include/asm/mmu_context.h               |   7 +
 arch/arm64/include/asm/pgtable-hwdef.h             |   1 +
 arch/arm64/include/asm/pgtable-prot.h              |  35 ++--
 arch/arm64/include/asm/pgtable.h                   |   1 +
 arch/arm64/include/asm/proc-fns.h                  |   6 -
 arch/arm64/include/asm/sysreg.h                    |   1 +
 arch/arm64/include/asm/tlbflush.h                  |  16 +-
 arch/arm64/kernel/asm-offsets.c                    |   6 +-
 arch/arm64/kernel/cpu-reset.S                      |   2 +-
 arch/arm64/kernel/cpufeature.c                     | 135 +++++++++++--
 arch/arm64/kernel/entry.S                          | 188 +++++++++++++++---
 arch/arm64/kernel/head.S                           |   2 +-
 arch/arm64/kernel/process.c                        |  12 +-
 arch/arm64/kernel/sleep.S                          |   2 +-
 arch/arm64/kernel/vmlinux.lds.S                    |  22 ++-
 arch/arm64/mm/context.c                            |  25 ++-
 arch/arm64/mm/mmu.c                                |  31 +++
 arch/arm64/mm/proc.S                               | 216 +++++++++++++++++++--
 arch/frv/include/asm/timex.h                       |   6 +
 arch/powerpc/kernel/exceptions-64s.S               |   2 +-
 arch/powerpc/kernel/irq.c                          |   8 +
 arch/x86/crypto/cast5_avx_glue.c                   |   3 +-
 arch/x86/kernel/kprobes/core.c                     |   9 +
 block/bio.c                                        |   4 +-
 block/partitions/msdos.c                           |   4 +-
 crypto/ahash.c                                     |   7 +-
 drivers/block/mtip32xx/mtip32xx.c                  |  36 ++--
 drivers/hid/hid-sony.c                             |  45 ++---
 drivers/infiniband/core/addr.c                     |  16 ++
 drivers/infiniband/core/ucma.c                     |  61 +++---
 drivers/input/mouse/alps.c                         |  24 ++-
 drivers/input/mousedev.c                           |  62 +++---
 drivers/input/serio/i8042-x86ia64io.h              |  24 +++
 drivers/md/dm-ioctl.c                              |   4 +-
 drivers/md/raid10.c                                |   1 +
 drivers/media/usb/usbtv/usbtv-core.c               |   2 +
 drivers/misc/mei/main.c                            |   1 -
 drivers/mtd/chips/jedec_probe.c                    |   2 +
 drivers/net/ethernet/apm/xgene/xgene_enet_main.c   |  50 +++--
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c |   2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c  |   2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c  |   2 +-
 drivers/net/ethernet/hisilicon/hns/hns_ethtool.c   |   4 +-
 drivers/net/phy/mdio-xgene.c                       |  50 +++--
 drivers/net/phy/mdio-xgene.h                       |   4 -
 drivers/parport/parport_pc.c                       |   4 +
 drivers/pci/probe.c                                |   2 +-
 drivers/pci/setup-res.c                            |   2 +-
 drivers/scsi/virtio_scsi.c                         |   1 +
 drivers/spi/Kconfig                                |   1 -
 drivers/spi/spi-davinci.c                          |   2 +-
 drivers/staging/comedi/drivers/ni_mio_common.c     |   2 +
 drivers/tty/vt/vt.c                                |   6 +-
 drivers/usb/dwc2/hcd.c                             |   7 +-
 drivers/usb/gadget/udc/core.c                      |   4 +-
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/ftdi_sio.c                      |   2 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   9 +
 fs/btrfs/tree-log.c                                |   2 +-
 fs/ceph/file.c                                     |   9 +-
 fs/compat_ioctl.c                                  |   2 +-
 include/linux/cpumask.h                            |  10 +
 include/linux/init.h                               |   3 +
 include/linux/jiffies.h                            |  13 +-
 include/linux/llist.h                              |  21 +-
 include/linux/netfilter/x_tables.h                 |   2 +
 include/rdma/ib_addr.h                             |   2 +
 include/uapi/linux/pci_regs.h                      |   2 +-
 init/main.c                                        |   7 +-
 ipc/shm.c                                          |  12 ++
 kernel/events/hw_breakpoint.c                      |  30 +--
 kernel/irq/manage.c                                |   2 +-
 kernel/kprobes.c                                   |   2 +-
 kernel/module.c                                    |  20 +-
 mm/vmscan.c                                        |  13 +-
 net/bluetooth/smp.c                                |   8 +-
 net/bridge/netfilter/ebt_among.c                   |  34 ++++
 net/ipv4/netfilter/nf_nat_h323.c                   |  57 +++---
 net/ipv6/ip6_vti.c                                 |  20 --
 net/mac80211/ibss.c                                |   4 +-
 net/mac80211/rate.c                                |   6 +-
 net/netfilter/nf_conntrack_netlink.c               |   7 +-
 net/netfilter/x_tables.c                           |  30 +++
 net/netfilter/xt_hashlimit.c                       |  11 +-
 net/netfilter/xt_recent.c                          |   6 +-
 net/wireless/nl80211.c                             |   2 +-
 net/wireless/util.c                                |   6 +-
 net/xfrm/xfrm_ipcomp.c                             |   2 +-
 net/xfrm/xfrm_state.c                              |   5 +
 net/xfrm/xfrm_user.c                               |  21 +-
 security/selinux/hooks.c                           |  16 --
 security/selinux/ss/services.c                     |   2 +-
 sound/core/oss/pcm_oss.c                           |   4 +-
 sound/core/pcm_native.c                            |   2 +-
 sound/usb/quirks.c                                 |   1 +
 110 files changed, 1205 insertions(+), 446 deletions(-)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 001/102] ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 002/102] mtd: jedec_probe: Fix crash in jedec_read_mfr() Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kohji Okuno, Fabio Estevam, Russell King

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Estevam <festevam@gmail.com>

commit 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a upstream.

Commit 384b38b66947 ("ARM: 7873/1: vfp: clear vfp_current_hw_state
for dying cpu") fixed the cpu dying notifier by clearing
vfp_current_hw_state[]. However commit e5b61bafe704 ("arm: Convert VFP
hotplug notifiers to state machine") incorrectly used the original
vfp_force_reload() function in the cpu dying notifier.

Fix it by going back to clearing vfp_current_hw_state[].

Fixes: e5b61bafe704 ("arm: Convert VFP hotplug notifiers to state machine")
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: Kohji Okuno <okuno.kohji@jp.panasonic.com>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/vfp/vfpmodule.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/vfp/vfpmodule.c
+++ b/arch/arm/vfp/vfpmodule.c
@@ -648,7 +648,7 @@ int vfp_restore_user_hwstate(struct user
  */
 static int vfp_dying_cpu(unsigned int cpu)
 {
-	vfp_force_reload(cpu, current_thread_info());
+	vfp_current_hw_state[cpu] = NULL;
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 002/102] mtd: jedec_probe: Fix crash in jedec_read_mfr()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 001/102] ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 003/102] ALSA: usb-audio: Add native DSD support for TEAC UD-301 Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linus Walleij, Boris Brezillon

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.

It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/jedec_probe.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/chips/jedec_probe.c
+++ b/drivers/mtd/chips/jedec_probe.c
@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
 	do {
 		uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
 		mask = (1 << (cfi->device_type * 8)) - 1;
+		if (ofs >= map->size)
+			return 0;
 		result = map_read(map, base + ofs);
 		bank++;
 	} while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 003/102] ALSA: usb-audio: Add native DSD support for TEAC UD-301
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 001/102] ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 002/102] mtd: jedec_probe: Fix crash in jedec_read_mfr() Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 004/102] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nobutaka Okabe, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nobutaka Okabe <nob77413@gmail.com>

commit b00214865d65100163574ba250008f182cf90869 upstream.

Add native DSD support quirk for TEAC UD-301 DAC,
by adding the PID/VID 0644:804a.

Signed-off-by: Nobutaka Okabe <nob77413@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/quirks.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1175,6 +1175,7 @@ static bool is_teac_dsd_dac(unsigned int
 	switch (id) {
 	case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
 	case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
+	case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */
 		return true;
 	}
 	return false;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 004/102] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 003/102] ALSA: usb-audio: Add native DSD support for TEAC UD-301 Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 005/102] ALSA: pcm: potential uninitialized return values Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Roese, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Roese <sr@denx.de>

commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.

When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmapp'ed and the issue is fixed.

This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.

Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm_native.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3410,7 +3410,7 @@ int snd_pcm_lib_default_mmap(struct snd_
 					 area,
 					 substream->runtime->dma_area,
 					 substream->runtime->dma_addr,
-					 area->vm_end - area->vm_start);
+					 substream->runtime->dma_bytes);
 #endif /* CONFIG_X86 */
 	/* mmap with fault handler */
 	area->vm_ops = &snd_pcm_vm_ops_data_fault;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 005/102] ALSA: pcm: potential uninitialized return values
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 004/102] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 006/102] perf/hwbp: Simplify the perf-hwbp code, fix documentation Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.

Smatch complains that "tmp" can be uninitialized if we do a zero size
write.

Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/oss/pcm_oss.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1361,7 +1361,7 @@ static ssize_t snd_pcm_oss_write2(struct
 static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
 {
 	size_t xfer = 0;
-	ssize_t tmp;
+	ssize_t tmp = 0;
 	struct snd_pcm_runtime *runtime = substream->runtime;
 
 	if (atomic_read(&substream->mmap_count))
@@ -1468,7 +1468,7 @@ static ssize_t snd_pcm_oss_read2(struct
 static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
 {
 	size_t xfer = 0;
-	ssize_t tmp;
+	ssize_t tmp = 0;
 	struct snd_pcm_runtime *runtime = substream->runtime;
 
 	if (atomic_read(&substream->mmap_count))

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 006/102] perf/hwbp: Simplify the perf-hwbp code, fix documentation
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 005/102] ALSA: pcm: potential uninitialized return values Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 007/102] ceph: only dirty ITER_IOVEC pages for direct read Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Thomas Gleixner,
	Alexander Shishkin, Andy Lutomirski, Arnaldo Carvalho de Melo,
	Frederic Weisbecker, Jiri Olsa, Peter Zijlstra, Stephane Eranian,
	Vince Weaver, Ingo Molnar

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream.

Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
modification of a breakpoint - simplify it and remove the pointless
local variables.

Also update the stale Docbook while at it.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/events/hw_breakpoint.c |   30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

--- a/kernel/events/hw_breakpoint.c
+++ b/kernel/events/hw_breakpoint.c
@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break
  * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
  * @bp: the breakpoint structure to modify
  * @attr: new breakpoint attributes
- * @triggered: callback to trigger when we hit the breakpoint
- * @tsk: pointer to 'task_struct' of the process to which the address belongs
  */
 int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
 {
-	u64 old_addr = bp->attr.bp_addr;
-	u64 old_len = bp->attr.bp_len;
-	int old_type = bp->attr.bp_type;
-	int err = 0;
-
 	/*
 	 * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
 	 * will not be possible to raise IPIs that invoke __perf_event_disable.
@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per
 	bp->attr.bp_addr = attr->bp_addr;
 	bp->attr.bp_type = attr->bp_type;
 	bp->attr.bp_len = attr->bp_len;
+	bp->attr.disabled = 1;
 
-	if (attr->disabled)
-		goto end;
-
-	err = validate_hw_breakpoint(bp);
-	if (!err)
-		perf_event_enable(bp);
+	if (!attr->disabled) {
+		int err = validate_hw_breakpoint(bp);
 
-	if (err) {
-		bp->attr.bp_addr = old_addr;
-		bp->attr.bp_type = old_type;
-		bp->attr.bp_len = old_len;
-		if (!bp->attr.disabled)
-			perf_event_enable(bp);
+		if (err)
+			return err;
 
-		return err;
+		perf_event_enable(bp);
+		bp->attr.disabled = 0;
 	}
 
-end:
-	bp->attr.disabled = attr->disabled;
-
 	return 0;
 }
 EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 007/102] ceph: only dirty ITER_IOVEC pages for direct read
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 006/102] perf/hwbp: Simplify the perf-hwbp code, fix documentation Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 008/102] ipc/shm.c: add split function to shm_vm_ops Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Yan, Zheng, Ilya Dryomov

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yan, Zheng <zyan@redhat.com>

commit 85784f9395987a422fa04263e7c0fb13da11eb5c upstream.

If a page is already locked, attempting to dirty it leads to a deadlock
in lock_page().  This is what currently happens to ITER_BVEC pages when
a dio-enabled loop device is backed by ceph:

  $ losetup --direct-io /dev/loop0 /mnt/cephfs/img
  $ xfs_io -c 'pread 0 4k' /dev/loop0

Follow other file systems and only dirty ITER_IOVEC pages.

Cc: stable@kernel.org
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ceph/file.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -598,7 +598,8 @@ static ssize_t ceph_sync_read(struct kio
 struct ceph_aio_request {
 	struct kiocb *iocb;
 	size_t total_len;
-	int write;
+	bool write;
+	bool should_dirty;
 	int error;
 	struct list_head osd_reqs;
 	unsigned num_reqs;
@@ -708,7 +709,7 @@ static void ceph_aio_complete_req(struct
 		}
 	}
 
-	ceph_put_page_vector(osd_data->pages, num_pages, !aio_req->write);
+	ceph_put_page_vector(osd_data->pages, num_pages, aio_req->should_dirty);
 	ceph_osdc_put_request(req);
 
 	if (rc < 0)
@@ -890,6 +891,7 @@ ceph_direct_read_write(struct kiocb *ioc
 	size_t count = iov_iter_count(iter);
 	loff_t pos = iocb->ki_pos;
 	bool write = iov_iter_rw(iter) == WRITE;
+	bool should_dirty = !write && iter_is_iovec(iter);
 
 	if (write && ceph_snap(file_inode(file)) != CEPH_NOSNAP)
 		return -EROFS;
@@ -954,6 +956,7 @@ ceph_direct_read_write(struct kiocb *ioc
 			if (aio_req) {
 				aio_req->iocb = iocb;
 				aio_req->write = write;
+				aio_req->should_dirty = should_dirty;
 				INIT_LIST_HEAD(&aio_req->osd_reqs);
 				if (write) {
 					aio_req->mtime = mtime;
@@ -1012,7 +1015,7 @@ ceph_direct_read_write(struct kiocb *ioc
 				len = ret;
 		}
 
-		ceph_put_page_vector(pages, num_pages, !write);
+		ceph_put_page_vector(pages, num_pages, should_dirty);
 
 		ceph_osdc_put_request(req);
 		if (ret < 0)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 008/102] ipc/shm.c: add split function to shm_vm_ops
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 007/102] ceph: only dirty ITER_IOVEC pages for direct read Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 009/102] powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Kravetz, Laurent Dufour,
	Dan Williams, Michal Hocko, Davidlohr Bueso, Manfred Spraul,
	Andrew Morton, Linus Torvalds

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 3d942ee079b917b24e2a0c5f18d35ac8ec9fee48 upstream.

If System V shmget/shmat operations are used to create a hugetlbfs
backed mapping, it is possible to munmap part of the mapping and split
the underlying vma such that it is not huge page aligned.  This will
untimately result in the following BUG:

  kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt
  CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G         C  E 4.15.0-10-generic #11-Ubuntu
  NIP:  c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009
  REGS: c000003fbcdcf810 TRAP: 0700   Tainted: G         C  E (4.15.0-10-generic)
  MSR:  9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 24002222  XER: 20040000
  CFAR: c00000000036ee44 SOFTE: 1
  NIP __unmap_hugepage_range+0xa4/0x760
  LR __unmap_hugepage_range_final+0x28/0x50
  Call Trace:
    0x7115e4e00000 (unreliable)
    __unmap_hugepage_range_final+0x28/0x50
    unmap_single_vma+0x11c/0x190
    unmap_vmas+0x94/0x140
    exit_mmap+0x9c/0x1d0
    mmput+0xa8/0x1d0
    do_exit+0x360/0xc80
    do_group_exit+0x60/0x100
    SyS_exit_group+0x24/0x30
    system_call+0x58/0x6c
  ---[ end trace ee88f958a1c62605 ]---

This bug was introduced by commit 31383c6865a5 ("mm, hugetlbfs:
introduce ->split() to vm_operations_struct").  A split function was
added to vm_operations_struct to determine if a mapping can be split.
This was mostly for device-dax and hugetlbfs mappings which have
specific alignment constraints.

Mappings initiated via shmget/shmat have their original vm_ops
overwritten with shm_vm_ops.  shm_vm_ops functions will call back to the
original vm_ops if needed.  Add such a split function to shm_vm_ops.

Link: http://lkml.kernel.org/r/20180321161314.7711-1-mike.kravetz@oracle.com
Fixes: 31383c6865a5 ("mm, hugetlbfs: introduce ->split() to vm_operations_struct")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Tested-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 ipc/shm.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -381,6 +381,17 @@ static int shm_fault(struct vm_area_stru
 	return sfd->vm_ops->fault(vma, vmf);
 }
 
+static int shm_split(struct vm_area_struct *vma, unsigned long addr)
+{
+	struct file *file = vma->vm_file;
+	struct shm_file_data *sfd = shm_file_data(file);
+
+	if (sfd->vm_ops && sfd->vm_ops->split)
+		return sfd->vm_ops->split(vma, addr);
+
+	return 0;
+}
+
 #ifdef CONFIG_NUMA
 static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
 {
@@ -503,6 +514,7 @@ static const struct vm_operations_struct
 	.open	= shm_open,	/* callback for a new vm-area open */
 	.close	= shm_close,	/* callback for when the vm-area is released */
 	.fault	= shm_fault,
+	.split	= shm_split,
 #if defined(CONFIG_NUMA)
 	.set_policy = shm_set_policy,
 	.get_policy = shm_get_policy,

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 009/102] powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 008/102] ipc/shm.c: add split function to shm_vm_ops Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 010/102] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Carol L. Soto, Nicholas Piggin,
	Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit ff6781fd1bb404d8a551c02c35c70cec1da17ff1 upstream.

force_external_irq_replay() can be called in the do_IRQ path with
interrupts hard enabled and soft disabled if may_hard_irq_enable() set
MSR[EE]=1. It updates local_paca->irq_happened with a load, modify,
store sequence. If a maskable interrupt hits during this sequence, it
will go to the masked handler to be marked pending in irq_happened.
This update will be lost when the interrupt returns and the store
instruction executes. This can result in unpredictable latencies,
timeouts, lockups, etc.

Fix this by ensuring hard interrupts are disabled before modifying
irq_happened.

This could cause any maskable asynchronous interrupt to get lost, but
it was noticed on P9 SMP system doing RDMA NVMe target over 100GbE,
so very high external interrupt rate and high IPI rate. The hang was
bisected down to enabling doorbell interrupts for IPIs. These provided
an interrupt type that could run at high rates in the do_IRQ path,
stressing the race.

Fixes: 1d607bb3bd60 ("powerpc/irq: Add mechanism to force a replay of interrupts")
Cc: stable@vger.kernel.org # v4.8+
Reported-by: Carol L. Soto <clsoto@us.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/irq.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/powerpc/kernel/irq.c
+++ b/arch/powerpc/kernel/irq.c
@@ -372,6 +372,14 @@ void force_external_irq_replay(void)
 	 */
 	WARN_ON(!arch_irqs_disabled());
 
+	/*
+	 * Interrupts must always be hard disabled before irq_happened is
+	 * modified (to prevent lost update in case of interrupt between
+	 * load and store).
+	 */
+	__hard_irq_disable();
+	local_paca->irq_happened |= PACA_IRQ_HARD_DIS;
+
 	/* Indicate in the PACA that we have an interrupt to replay */
 	local_paca->irq_happened |= PACA_IRQ_EE;
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 010/102] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 009/102] powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 011/102] partitions/msdos: Unable to mount UFS 44bsd partitions Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit 52396500f97c53860164debc7d4f759077853423 upstream.

The SLB bad address handler's trap number fixup does not preserve the
low bit that indicates nonvolatile GPRs have not been saved. This
leads save_nvgprs to skip saving them, and subsequent functions and
return from interrupt will think they are saved.

This causes kernel branch-to-garbage debugging to not have correct
registers, can also cause userspace to have its registers clobbered
after a segfault.

Fixes: f0f558b131db ("powerpc/mm: Preserve CFAR value on SLB miss caused by access to bogus address")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/exceptions-64s.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -723,7 +723,7 @@ EXC_COMMON_BEGIN(bad_addr_slb)
 	ld	r3, PACA_EXSLB+EX_DAR(r13)
 	std	r3, _DAR(r1)
 	beq	cr6, 2f
-	li	r10, 0x480		/* fix trap number for I-SLB miss */
+	li	r10, 0x481		/* fix trap number for I-SLB miss */
 	std	r10, _TRAP(r1)
 2:	bl	save_nvgprs
 	addi	r3, r1, STACK_FRAME_OVERHEAD

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 011/102] partitions/msdos: Unable to mount UFS 44bsd partitions
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 010/102] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 012/102] kprobes/x86: Fix to set RWX bits correctly before releasing trampoline Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Richard Narron, Jens Axboe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Narron <comet.berkeley@gmail.com>

commit 5f15684bd5e5ef39d4337988864fec8012471dda upstream.

UFS partitions from newer versions of FreeBSD 10 and 11 use relative
addressing for their subpartitions. But older versions of FreeBSD still
use absolute addressing just like OpenBSD and NetBSD.

Instead of simply testing for a FreeBSD partition, the code needs to
also test if the starting offset of the C subpartition is zero.

https://bugzilla.kernel.org/show_bug.cgi?id=197733

Signed-off-by: Richard Narron <comet.berkeley@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/partitions/msdos.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/block/partitions/msdos.c
+++ b/block/partitions/msdos.c
@@ -300,7 +300,9 @@ static void parse_bsd(struct parsed_part
 			continue;
 		bsd_start = le32_to_cpu(p->p_offset);
 		bsd_size = le32_to_cpu(p->p_size);
-		if (memcmp(flavour, "bsd\0", 4) == 0)
+		/* FreeBSD has relative offset if C partition offset is zero */
+		if (memcmp(flavour, "bsd\0", 4) == 0 &&
+		    le32_to_cpu(l->d_partitions[2].p_offset) == 0)
 			bsd_start += offset;
 		if (offset == bsd_start && size == bsd_size)
 			/* full parent partition, we have it already */

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 012/102] kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 011/102] partitions/msdos: Unable to mount UFS 44bsd partitions Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 013/102] PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu,
	Steven Rostedt (VMware),
	Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit c93f5cf571e7795f97d49ef51b766cf25e328545 upstream.

Fix kprobes to set(recover) RWX bits correctly on trampoline
buffer before releasing it. Releasing readonly page to
module_memfree() crash the kernel.

Without this fix, if kprobes user register a bunch of kprobes
in function body (since kprobes on function entry usually
use ftrace) and unregister it, kernel hits a BUG and crash.

Link: http://lkml.kernel.org/r/149570868652.3518.14120169373590420503.stgit@devbox

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: d0381c81c2f7 ("kprobes/x86: Set kprobes pages read-only")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/kprobes/core.c |    9 +++++++++
 kernel/kprobes.c               |    2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -51,6 +51,7 @@
 #include <linux/ftrace.h>
 #include <linux/frame.h>
 #include <linux/kasan.h>
+#include <linux/moduleloader.h>
 
 #include <asm/text-patching.h>
 #include <asm/cacheflush.h>
@@ -405,6 +406,14 @@ int __copy_instruction(u8 *dest, u8 *src
 	return length;
 }
 
+/* Recover page to RW mode before releasing it */
+void free_insn_page(void *page)
+{
+	set_memory_nx((unsigned long)page & PAGE_MASK, 1);
+	set_memory_rw((unsigned long)page & PAGE_MASK, 1);
+	module_memfree(page);
+}
+
 static int arch_copy_kprobe(struct kprobe *p)
 {
 	int ret;
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -125,7 +125,7 @@ static void *alloc_insn_page(void)
 	return module_alloc(PAGE_SIZE);
 }
 
-static void free_insn_page(void *page)
+void __weak free_insn_page(void *page)
 {
 	module_memfree(page);
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 013/102] PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 012/102] kprobes/x86: Fix to set RWX bits correctly before releasing trampoline Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 014/102] dm ioctl: remove double parentheses Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Bjorn Helgaas,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 76dc52684d0f72971d9f6cc7d5ae198061b715bd upstream.

A 64-bit value is not needed since a PCI ROM address consists in 32 bits.
This fixes a clang warning about "implicit conversion from 'unsigned long'
to 'u32'".

Also remove now unnecessary casts to u32 from __pci_read_base() and
pci_std_update_resource().

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/probe.c           |    2 +-
 drivers/pci/setup-res.c       |    2 +-
 include/uapi/linux/pci_regs.h |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -231,7 +231,7 @@ int __pci_read_base(struct pci_dev *dev,
 			res->flags |= IORESOURCE_ROM_ENABLE;
 		l64 = l & PCI_ROM_ADDRESS_MASK;
 		sz64 = sz & PCI_ROM_ADDRESS_MASK;
-		mask64 = (u32)PCI_ROM_ADDRESS_MASK;
+		mask64 = PCI_ROM_ADDRESS_MASK;
 	}
 
 	if (res->flags & IORESOURCE_MEM_64) {
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -63,7 +63,7 @@ static void pci_std_update_resource(stru
 		mask = (u32)PCI_BASE_ADDRESS_IO_MASK;
 		new |= res->flags & ~PCI_BASE_ADDRESS_IO_MASK;
 	} else if (resno == PCI_ROM_RESOURCE) {
-		mask = (u32)PCI_ROM_ADDRESS_MASK;
+		mask = PCI_ROM_ADDRESS_MASK;
 	} else {
 		mask = (u32)PCI_BASE_ADDRESS_MEM_MASK;
 		new |= res->flags & ~PCI_BASE_ADDRESS_MEM_MASK;
--- a/include/uapi/linux/pci_regs.h
+++ b/include/uapi/linux/pci_regs.h
@@ -106,7 +106,7 @@
 #define PCI_SUBSYSTEM_ID	0x2e
 #define PCI_ROM_ADDRESS		0x30	/* Bits 31..11 are address, 10..1 reserved */
 #define  PCI_ROM_ADDRESS_ENABLE	0x01
-#define PCI_ROM_ADDRESS_MASK	(~0x7ffUL)
+#define PCI_ROM_ADDRESS_MASK	(~0x7ffU)
 
 #define PCI_CAPABILITY_LIST	0x34	/* Offset of first capability list entry */
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 014/102] dm ioctl: remove double parentheses
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 013/102] PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 015/102] Input: mousedev - fix implicit conversion warning Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Mike Snitzer,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit e36215d87f301f9567c8c99fd34e6c3521a94ddf upstream.

The extra pair of parantheses is not needed and causes clang to generate
warnings about the DM_DEV_CREATE_CMD comparison in validate_params().

Also remove another double parentheses that doesn't cause a warning.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-ioctl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1777,12 +1777,12 @@ static int validate_params(uint cmd, str
 	    cmd == DM_LIST_VERSIONS_CMD)
 		return 0;
 
-	if ((cmd == DM_DEV_CREATE_CMD)) {
+	if (cmd == DM_DEV_CREATE_CMD) {
 		if (!*param->name) {
 			DMWARN("name not supplied when creating device");
 			return -EINVAL;
 		}
-	} else if ((*param->uuid && *param->name)) {
+	} else if (*param->uuid && *param->name) {
 		DMWARN("only supply one of name or uuid, cmd(%u)", cmd);
 		return -EINVAL;
 	}

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 015/102] Input: mousedev - fix implicit conversion warning
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 014/102] dm ioctl: remove double parentheses Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 016/102] netfilter: nf_nat_h323: fix logical-not-parentheses warning Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Dmitry Torokhov,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nick Desaulniers <nick.desaulniers@gmail.com>

commit dae1a432ab1fe79ae53129ededeaece35a2dc14d upstream.

Clang warns:

drivers/input/mousedev.c:653:63: error: implicit conversion from 'int'
to 'signed char' changes value from 200 to -56
[-Wconstant-conversion]
  client->ps2[1] = 0x60; client->ps2[2] = 3; client->ps2[3] = 200;
                                                            ~ ^~~
As the PS2 data is really a stream of bytes, let's switch to using u8 type
for it, which silences this warning.

Signed-off-by: Nick Desaulniers <nick.desaulniers@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mousedev.c |   62 +++++++++++++++++++++++++----------------------
 1 file changed, 34 insertions(+), 28 deletions(-)

--- a/drivers/input/mousedev.c
+++ b/drivers/input/mousedev.c
@@ -15,6 +15,7 @@
 #define MOUSEDEV_MINORS		31
 #define MOUSEDEV_MIX		63
 
+#include <linux/bitops.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/poll.h>
@@ -103,7 +104,7 @@ struct mousedev_client {
 	spinlock_t packet_lock;
 	int pos_x, pos_y;
 
-	signed char ps2[6];
+	u8 ps2[6];
 	unsigned char ready, buffer, bufsiz;
 	unsigned char imexseq, impsseq;
 	enum mousedev_emul mode;
@@ -291,11 +292,10 @@ static void mousedev_notify_readers(stru
 		}
 
 		client->pos_x += packet->dx;
-		client->pos_x = client->pos_x < 0 ?
-			0 : (client->pos_x >= xres ? xres : client->pos_x);
+		client->pos_x = clamp_val(client->pos_x, 0, xres);
+
 		client->pos_y += packet->dy;
-		client->pos_y = client->pos_y < 0 ?
-			0 : (client->pos_y >= yres ? yres : client->pos_y);
+		client->pos_y = clamp_val(client->pos_y, 0, yres);
 
 		p->dx += packet->dx;
 		p->dy += packet->dy;
@@ -571,44 +571,50 @@ static int mousedev_open(struct inode *i
 	return error;
 }
 
-static inline int mousedev_limit_delta(int delta, int limit)
-{
-	return delta > limit ? limit : (delta < -limit ? -limit : delta);
-}
-
-static void mousedev_packet(struct mousedev_client *client,
-			    signed char *ps2_data)
+static void mousedev_packet(struct mousedev_client *client, u8 *ps2_data)
 {
 	struct mousedev_motion *p = &client->packets[client->tail];
+	s8 dx, dy, dz;
+
+	dx = clamp_val(p->dx, -127, 127);
+	p->dx -= dx;
+
+	dy = clamp_val(p->dy, -127, 127);
+	p->dy -= dy;
 
-	ps2_data[0] = 0x08 |
-		((p->dx < 0) << 4) | ((p->dy < 0) << 5) | (p->buttons & 0x07);
-	ps2_data[1] = mousedev_limit_delta(p->dx, 127);
-	ps2_data[2] = mousedev_limit_delta(p->dy, 127);
-	p->dx -= ps2_data[1];
-	p->dy -= ps2_data[2];
+	ps2_data[0] = BIT(3);
+	ps2_data[0] |= ((dx & BIT(7)) >> 3) | ((dy & BIT(7)) >> 2);
+	ps2_data[0] |= p->buttons & 0x07;
+	ps2_data[1] = dx;
+	ps2_data[2] = dy;
 
 	switch (client->mode) {
 	case MOUSEDEV_EMUL_EXPS:
-		ps2_data[3] = mousedev_limit_delta(p->dz, 7);
-		p->dz -= ps2_data[3];
-		ps2_data[3] = (ps2_data[3] & 0x0f) | ((p->buttons & 0x18) << 1);
+		dz = clamp_val(p->dz, -7, 7);
+		p->dz -= dz;
+
+		ps2_data[3] = (dz & 0x0f) | ((p->buttons & 0x18) << 1);
 		client->bufsiz = 4;
 		break;
 
 	case MOUSEDEV_EMUL_IMPS:
-		ps2_data[0] |=
-			((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
-		ps2_data[3] = mousedev_limit_delta(p->dz, 127);
-		p->dz -= ps2_data[3];
+		dz = clamp_val(p->dz, -127, 127);
+		p->dz -= dz;
+
+		ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
+			       ((p->buttons & 0x08) >> 1);
+		ps2_data[3] = dz;
+
 		client->bufsiz = 4;
 		break;
 
 	case MOUSEDEV_EMUL_PS2:
 	default:
-		ps2_data[0] |=
-			((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
 		p->dz = 0;
+
+		ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
+			       ((p->buttons & 0x08) >> 1);
+
 		client->bufsiz = 3;
 		break;
 	}
@@ -714,7 +720,7 @@ static ssize_t mousedev_read(struct file
 {
 	struct mousedev_client *client = file->private_data;
 	struct mousedev *mousedev = client->mousedev;
-	signed char data[sizeof(client->ps2)];
+	u8 data[sizeof(client->ps2)];
 	int retval = 0;
 
 	if (!client->ready && !client->buffer && mousedev->exist &&

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 016/102] netfilter: nf_nat_h323: fix logical-not-parentheses warning
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 015/102] Input: mousedev - fix implicit conversion warning Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 017/102] genirq: Use cpumask_available() for check of cpumask variable Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Pablo Neira Ayuso,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nick Desaulniers <ndesaulniers@google.com>

commit eee6ebbac18a189ef33d25ea9b8bcae176515e49 upstream.

Clang produces the following warning:

net/ipv4/netfilter/nf_nat_h323.c:553:6: error:
logical not is only applied to the left hand side of this comparison
  [-Werror,-Wlogical-not-parentheses]
if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
    ^
add parentheses after the '!' to evaluate the comparison first
add parentheses around left hand side expression to silence this warning

There's not necessarily a bug here, but it's cleaner to return early,
ex:

if (x)
  return
...

rather than:

if (x == 0)
  ...
else
  return

Also added a return code check that seemed to be missing in one
instance.

Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/netfilter/nf_nat_h323.c |   57 ++++++++++++++++++++-------------------
 1 file changed, 30 insertions(+), 27 deletions(-)

--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -252,16 +252,16 @@ static int nat_rtp_rtcp(struct sk_buff *
 	if (set_h245_addr(skb, protoff, data, dataoff, taddr,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
 			  htons((port & htons(1)) ? nated_port + 1 :
-						    nated_port)) == 0) {
-		/* Save ports */
-		info->rtp_port[i][dir] = rtp_port;
-		info->rtp_port[i][!dir] = htons(nated_port);
-	} else {
+						    nated_port))) {
 		nf_ct_unexpect_related(rtp_exp);
 		nf_ct_unexpect_related(rtcp_exp);
 		return -1;
 	}
 
+	/* Save ports */
+	info->rtp_port[i][dir] = rtp_port;
+	info->rtp_port[i][!dir] = htons(nated_port);
+
 	/* Success */
 	pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
 		 &rtp_exp->tuple.src.u3.ip,
@@ -370,15 +370,15 @@ static int nat_h245(struct sk_buff *skb,
 	/* Modify signal */
 	if (set_h225_addr(skb, protoff, data, dataoff, taddr,
 			  &ct->tuplehash[!dir].tuple.dst.u3,
-			  htons(nated_port)) == 0) {
-		/* Save ports */
-		info->sig_port[dir] = port;
-		info->sig_port[!dir] = htons(nated_port);
-	} else {
+			  htons(nated_port))) {
 		nf_ct_unexpect_related(exp);
 		return -1;
 	}
 
+	/* Save ports */
+	info->sig_port[dir] = port;
+	info->sig_port[!dir] = htons(nated_port);
+
 	pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
 		 &exp->tuple.src.u3.ip,
 		 ntohs(exp->tuple.src.u.tcp.port),
@@ -462,24 +462,27 @@ static int nat_q931(struct sk_buff *skb,
 	/* Modify signal */
 	if (set_h225_addr(skb, protoff, data, 0, &taddr[idx],
 			  &ct->tuplehash[!dir].tuple.dst.u3,
-			  htons(nated_port)) == 0) {
-		/* Save ports */
-		info->sig_port[dir] = port;
-		info->sig_port[!dir] = htons(nated_port);
-
-		/* Fix for Gnomemeeting */
-		if (idx > 0 &&
-		    get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
-		    (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
-			set_h225_addr(skb, protoff, data, 0, &taddr[0],
-				      &ct->tuplehash[!dir].tuple.dst.u3,
-				      info->sig_port[!dir]);
-		}
-	} else {
+			  htons(nated_port))) {
 		nf_ct_unexpect_related(exp);
 		return -1;
 	}
 
+	/* Save ports */
+	info->sig_port[dir] = port;
+	info->sig_port[!dir] = htons(nated_port);
+
+	/* Fix for Gnomemeeting */
+	if (idx > 0 &&
+	    get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
+	    (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
+		if (set_h225_addr(skb, protoff, data, 0, &taddr[0],
+				  &ct->tuplehash[!dir].tuple.dst.u3,
+				  info->sig_port[!dir])) {
+			nf_ct_unexpect_related(exp);
+			return -1;
+		}
+	}
+
 	/* Success */
 	pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
 		 &exp->tuple.src.u3.ip,
@@ -550,9 +553,9 @@ static int nat_callforwarding(struct sk_
 	}
 
 	/* Modify signal */
-	if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
-			   &ct->tuplehash[!dir].tuple.dst.u3,
-			   htons(nated_port)) == 0) {
+	if (set_h225_addr(skb, protoff, data, dataoff, taddr,
+			  &ct->tuplehash[!dir].tuple.dst.u3,
+			  htons(nated_port))) {
 		nf_ct_unexpect_related(exp);
 		return -1;
 	}

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 017/102] genirq: Use cpumask_available() for check of cpumask variable
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 016/102] netfilter: nf_nat_h323: fix logical-not-parentheses warning Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:22 ` [PATCH 4.9 018/102] cpumask: Add helper cpumask_available() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Grant Grundler,
	Rusty Russell, Greg Hackmann, Michael Davidson, Andrew Morton,
	Thomas Gleixner, Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit d170fe7dd992b313d4851ae5ab77ee7a51ed8c72 upstream.

This fixes the following clang warning when CONFIG_CPUMASK_OFFSTACK=n:

kernel/irq/manage.c:839:28: error: address of array
'desc->irq_common_data.affinity' will always evaluate to 'true'
[-Werror,-Wpointer-bool-conversion]

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Cc: Grant Grundler <grundler@chromium.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Greg Hackmann <ghackmann@google.com>
Cc: Michael Davidson <md@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: http://lkml.kernel.org/r/20170412182030.83657-2-mka@chromium.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/manage.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -850,7 +850,7 @@ irq_thread_check_affinity(struct irq_des
 	 * This code is triggered unconditionally. Check the affinity
 	 * mask pointer. For CPU_MASK_OFFSTACK=n this is optimized out.
 	 */
-	if (desc->irq_common_data.affinity)
+	if (cpumask_available(desc->irq_common_data.affinity))
 		cpumask_copy(mask, desc->irq_common_data.affinity);
 	else
 		valid = false;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 018/102] cpumask: Add helper cpumask_available()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 017/102] genirq: Use cpumask_available() for check of cpumask variable Greg Kroah-Hartman
@ 2018-04-06 13:22 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 019/102] selinux: Remove unnecessary check of array base in selinux_set_mapping() Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Grant Grundler,
	Rusty Russell, Greg Hackmann, Michael Davidson, Andrew Morton,
	Thomas Gleixner, Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit f7e30f01a9e221067bb4b579e3cfc25cd2617467 upstream.

With CONFIG_CPUMASK_OFFSTACK=y cpumask_var_t is a struct cpumask
pointer, otherwise a struct cpumask array with a single element.

Some code dealing with cpumasks needs to validate that a cpumask_var_t
is not a NULL pointer when CONFIG_CPUMASK_OFFSTACK=y. This is typically
done by performing the check always, regardless of the underlying type
of cpumask_var_t. This works in both cases, however clang raises a
warning like this when CONFIG_CPUMASK_OFFSTACK=n:

kernel/irq/manage.c:839:28: error: address of array
'desc->irq_common_data.affinity' will always evaluate to 'true'
[-Werror,-Wpointer-bool-conversion]

Add the inline helper cpumask_available() which only performs the
pointer check if CONFIG_CPUMASK_OFFSTACK=y.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Cc: Grant Grundler <grundler@chromium.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Greg Hackmann <ghackmann@google.com>
Cc: Michael Davidson <md@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: http://lkml.kernel.org/r/20170412182030.83657-1-mka@chromium.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/cpumask.h |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -680,6 +680,11 @@ void alloc_bootmem_cpumask_var(cpumask_v
 void free_cpumask_var(cpumask_var_t mask);
 void free_bootmem_cpumask_var(cpumask_var_t mask);
 
+static inline bool cpumask_available(cpumask_var_t mask)
+{
+	return mask != NULL;
+}
+
 #else
 typedef struct cpumask cpumask_var_t[1];
 
@@ -720,6 +725,11 @@ static inline void free_cpumask_var(cpum
 static inline void free_bootmem_cpumask_var(cpumask_var_t mask)
 {
 }
+
+static inline bool cpumask_available(cpumask_var_t mask)
+{
+	return true;
+}
 #endif /* CONFIG_CPUMASK_OFFSTACK */
 
 /* It's common to want to use cpu_all_mask in struct member initializers,

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 019/102] selinux: Remove unnecessary check of array base in selinux_set_mapping()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2018-04-06 13:22 ` [PATCH 4.9 018/102] cpumask: Add helper cpumask_available() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 020/102] fs: compat: Remove warning from COMPATIBLE_IOCTL Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Paul Moore,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 342e91578eb6909529bc7095964cd44b9c057c4e upstream.

'perms' will never be NULL since it isn't a plain pointer but an array
of u32 values.

This fixes the following warning when building with clang:

security/selinux/ss/services.c:158:16: error: address of array
'p_in->perms' will always evaluate to 'true'
[-Werror,-Wpointer-bool-conversion]
                while (p_in->perms && p_in->perms[k]) {

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/selinux/ss/services.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -155,7 +155,7 @@ static int selinux_set_mapping(struct po
 		}
 
 		k = 0;
-		while (p_in->perms && p_in->perms[k]) {
+		while (p_in->perms[k]) {
 			/* An empty permission string skips ahead */
 			if (!*p_in->perms[k]) {
 				k++;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 020/102] fs: compat: Remove warning from COMPATIBLE_IOCTL
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 019/102] selinux: Remove unnecessary check of array base in selinux_set_mapping() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 021/102] jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Charlebois, Behan Webster,
	Matthias Kaehlcke, Arnd Bergmann, Al Viro, Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Charlebois <charlebm@gmail.com>

commit 9280cdd6fe5b8287a726d24cc1d558b96c8491d7 upstream.

cmd in COMPATIBLE_IOCTL is always a u32, so cast it so there isn't a
warning about an overflow in XFORM.

From: Mark Charlebois <charlebm@gmail.com>
Signed-off-by: Mark Charlebois <charlebm@gmail.com>
Signed-off-by: Behan Webster <behanw@converseincode.com>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/compat_ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -833,7 +833,7 @@ static int compat_ioctl_preallocate(stru
  */
 #define XFORM(i) (((i) ^ ((i) << 27) ^ ((i) << 17)) & 0xffffffff)
 
-#define COMPATIBLE_IOCTL(cmd) XFORM(cmd),
+#define COMPATIBLE_IOCTL(cmd) XFORM((u32)cmd),
 /* ioctl should not be warned about even if it's not implemented.
    Valid reasons to use this:
    - It is implemented with ->compat_ioctl on some device, but programs

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 021/102] jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 020/102] fs: compat: Remove warning from COMPATIBLE_IOCTL Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 022/102] frv: declare jiffies to be located in the .data section Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke,
	Jason A . Donenfeld, Grant Grundler, Michael Davidson,
	Greg Hackmann, Thomas Gleixner, Andrew Morton, Linus Torvalds,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 7c30f352c852bae2715ad65ac4a38ca9af7d7696 upstream.

jiffies_64 is defined in kernel/time/timer.c with
____cacheline_aligned_in_smp, however this macro is not part of the
declaration of jiffies and jiffies_64 in jiffies.h.

As a result clang generates the following warning:

  kernel/time/timer.c:57:26: error: section does not match previous declaration [-Werror,-Wsection]
  __visible u64 jiffies_64 __cacheline_aligned_in_smp = INITIAL_JIFFIES;
                           ^
  include/linux/cache.h:39:36: note: expanded from macro '__cacheline_aligned_in_smp'
                                     ^
  include/linux/cache.h:34:4: note: expanded from macro '__cacheline_aligned'
                   __section__(".data..cacheline_aligned")))
                   ^
  include/linux/jiffies.h:77:12: note: previous attribute is here
  extern u64 __jiffy_data jiffies_64;
             ^
  include/linux/jiffies.h:70:38: note: expanded from macro '__jiffy_data'

Link: http://lkml.kernel.org/r/20170403190200.70273-1-mka@chromium.org
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
Cc: Grant Grundler <grundler@chromium.org>
Cc: Michael Davidson <md@google.com>
Cc: Greg Hackmann <ghackmann@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/jiffies.h |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/include/linux/jiffies.h
+++ b/include/linux/jiffies.h
@@ -1,6 +1,7 @@
 #ifndef _LINUX_JIFFIES_H
 #define _LINUX_JIFFIES_H
 
+#include <linux/cache.h>
 #include <linux/math64.h>
 #include <linux/kernel.h>
 #include <linux/types.h>
@@ -63,19 +64,13 @@ extern int register_refined_jiffies(long
 /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */
 #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ)
 
-/* some arch's have a small-data section that can be accessed register-relative
- * but that can only take up to, say, 4-byte variables. jiffies being part of
- * an 8-byte variable may not be correctly accessed unless we force the issue
- */
-#define __jiffy_data  __attribute__((section(".data")))
-
 /*
  * The 64-bit value is not atomic - you MUST NOT read it
  * without sampling the sequence number in jiffies_lock.
  * get_jiffies_64() will do this for you as appropriate.
  */
-extern u64 __jiffy_data jiffies_64;
-extern unsigned long volatile __jiffy_data jiffies;
+extern u64 __cacheline_aligned_in_smp jiffies_64;
+extern unsigned long volatile __cacheline_aligned_in_smp jiffies;
 
 #if (BITS_PER_LONG < 64)
 u64 get_jiffies_64(void);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 022/102] frv: declare jiffies to be located in the .data section
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 021/102] jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 023/102] usb: gadget: remove redundant self assignment Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Guenter Roeck,
	David Howells, Sudip Mukherjee, Andrew Morton, Linus Torvalds

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 60b0a8c3d2480f3b57282b47b7cae7ee71c48635 upstream.

Commit 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with
____cacheline_aligned_in_smp") removed a section specification from the
jiffies declaration that caused conflicts on some platforms.

Unfortunately this change broke the build for frv:

  kernel/built-in.o: In function `__do_softirq': (.text+0x6460): relocation truncated to fit: R_FRV_GPREL12 against symbol
      `jiffies' defined in *ABS* section in .tmp_vmlinux1
  kernel/built-in.o: In function `__do_softirq': (.text+0x6574): relocation truncated to fit: R_FRV_GPREL12 against symbol
      `jiffies' defined in *ABS* section in .tmp_vmlinux1
  kernel/built-in.o: In function `pwq_activate_delayed_work': workqueue.c:(.text+0x15b9c): relocation truncated to fit: R_FRV_GPREL12 against
      symbol `jiffies' defined in *ABS* section in .tmp_vmlinux1
  ...

Add __jiffy_arch_data to the declaration of jiffies and use it on frv to
include the section specification.  For all other platforms
__jiffy_arch_data (currently) has no effect.

Fixes: 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp")
Link: http://lkml.kernel.org/r/20170516221333.177280-1-mka@chromium.org
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/frv/include/asm/timex.h |    6 ++++++
 include/linux/jiffies.h      |    6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

--- a/arch/frv/include/asm/timex.h
+++ b/arch/frv/include/asm/timex.h
@@ -16,5 +16,11 @@ static inline cycles_t get_cycles(void)
 #define vxtime_lock()		do {} while (0)
 #define vxtime_unlock()		do {} while (0)
 
+/* This attribute is used in include/linux/jiffies.h alongside with
+ * __cacheline_aligned_in_smp. It is assumed that __cacheline_aligned_in_smp
+ * for frv does not contain another section specification.
+ */
+#define __jiffy_arch_data	__attribute__((__section__(".data")))
+
 #endif
 
--- a/include/linux/jiffies.h
+++ b/include/linux/jiffies.h
@@ -64,13 +64,17 @@ extern int register_refined_jiffies(long
 /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */
 #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ)
 
+#ifndef __jiffy_arch_data
+#define __jiffy_arch_data
+#endif
+
 /*
  * The 64-bit value is not atomic - you MUST NOT read it
  * without sampling the sequence number in jiffies_lock.
  * get_jiffies_64() will do this for you as appropriate.
  */
 extern u64 __cacheline_aligned_in_smp jiffies_64;
-extern unsigned long volatile __cacheline_aligned_in_smp jiffies;
+extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies;
 
 #if (BITS_PER_LONG < 64)
 u64 get_jiffies_64(void);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 023/102] usb: gadget: remove redundant self assignment
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 022/102] frv: declare jiffies to be located in the .data section Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 024/102] xgene_enet: remove bogus forward declarations Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Opasiak, Peter Chen,
	Stefan Agner, Felipe Balbi, Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit 8a8b161df5ce06ef5a315899f83978e765be09e8 upstream.

The assignment ret = ret is redundant and can be removed.

Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/core.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -139,10 +139,8 @@ int usb_ep_disable(struct usb_ep *ep)
 		goto out;
 
 	ret = ep->ops->disable(ep);
-	if (ret) {
-		ret = ret;
+	if (ret)
 		goto out;
-	}
 
 	ep->enabled = false;
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 024/102] xgene_enet: remove bogus forward declarations
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 023/102] usb: gadget: remove redundant self assignment Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 025/102] nl80211: Fix enum type of variable in nl80211_put_sta_rate() Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, David S. Miller,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 1f3d62090d3ba4d0c14e5271be87812fc577b197 upstream.

The device match tables for both the xgene_enet driver and its phy driver
have forward declarations that declare an array without a length, leading
to a clang warning when they are not followed by an actual defitinition:

drivers/net/ethernet/apm/xgene/../../../phy/mdio-xgene.h:135:34: warning: tentative array definition assumed to have one element
drivers/net/ethernet/apm/xgene/xgene_enet_main.c:33:36: warning: tentative array definition assumed to have one element

The declarations for the mdio driver are even in a header file, so they
cause duplicate definitions of the tables for each file that includes
them.

This removes all four forward declarations and moves the actual
definitions up a little, so they are in front of their first user. For
the OF match tables, this means having to remove the #ifdef around them,
and passing the actual structure into of_match_device(). This has no
effect on the generated object code though, as the of_match_device
function has an empty stub that does not evaluate its argument, and
the symbol gets dropped either way.

Fixes: 43b3cf6634a4 ("drivers: net: phy: xgene: Add MDIO driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/apm/xgene/xgene_enet_main.c |   50 +++++++++++------------
 drivers/net/phy/mdio-xgene.c                     |   50 +++++++++++------------
 drivers/net/phy/mdio-xgene.h                     |    4 -
 3 files changed, 48 insertions(+), 56 deletions(-)

--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
@@ -1680,6 +1680,30 @@ static void xgene_enet_napi_add(struct x
 	}
 }
 
+#ifdef CONFIG_ACPI
+static const struct acpi_device_id xgene_enet_acpi_match[] = {
+	{ "APMC0D05", XGENE_ENET1},
+	{ "APMC0D30", XGENE_ENET1},
+	{ "APMC0D31", XGENE_ENET1},
+	{ "APMC0D3F", XGENE_ENET1},
+	{ "APMC0D26", XGENE_ENET2},
+	{ "APMC0D25", XGENE_ENET2},
+	{ }
+};
+MODULE_DEVICE_TABLE(acpi, xgene_enet_acpi_match);
+#endif
+
+static const struct of_device_id xgene_enet_of_match[] = {
+	{.compatible = "apm,xgene-enet",    .data = (void *)XGENE_ENET1},
+	{.compatible = "apm,xgene1-sgenet", .data = (void *)XGENE_ENET1},
+	{.compatible = "apm,xgene1-xgenet", .data = (void *)XGENE_ENET1},
+	{.compatible = "apm,xgene2-sgenet", .data = (void *)XGENE_ENET2},
+	{.compatible = "apm,xgene2-xgenet", .data = (void *)XGENE_ENET2},
+	{},
+};
+
+MODULE_DEVICE_TABLE(of, xgene_enet_of_match);
+
 static int xgene_enet_probe(struct platform_device *pdev)
 {
 	struct net_device *ndev;
@@ -1826,32 +1850,6 @@ static void xgene_enet_shutdown(struct p
 	xgene_enet_remove(pdev);
 }
 
-#ifdef CONFIG_ACPI
-static const struct acpi_device_id xgene_enet_acpi_match[] = {
-	{ "APMC0D05", XGENE_ENET1},
-	{ "APMC0D30", XGENE_ENET1},
-	{ "APMC0D31", XGENE_ENET1},
-	{ "APMC0D3F", XGENE_ENET1},
-	{ "APMC0D26", XGENE_ENET2},
-	{ "APMC0D25", XGENE_ENET2},
-	{ }
-};
-MODULE_DEVICE_TABLE(acpi, xgene_enet_acpi_match);
-#endif
-
-#ifdef CONFIG_OF
-static const struct of_device_id xgene_enet_of_match[] = {
-	{.compatible = "apm,xgene-enet",    .data = (void *)XGENE_ENET1},
-	{.compatible = "apm,xgene1-sgenet", .data = (void *)XGENE_ENET1},
-	{.compatible = "apm,xgene1-xgenet", .data = (void *)XGENE_ENET1},
-	{.compatible = "apm,xgene2-sgenet", .data = (void *)XGENE_ENET2},
-	{.compatible = "apm,xgene2-xgenet", .data = (void *)XGENE_ENET2},
-	{},
-};
-
-MODULE_DEVICE_TABLE(of, xgene_enet_of_match);
-#endif
-
 static struct platform_driver xgene_enet_driver = {
 	.driver = {
 		   .name = "xgene-enet",
--- a/drivers/net/phy/mdio-xgene.c
+++ b/drivers/net/phy/mdio-xgene.c
@@ -314,6 +314,30 @@ static acpi_status acpi_register_phy(acp
 }
 #endif
 
+static const struct of_device_id xgene_mdio_of_match[] = {
+	{
+		.compatible = "apm,xgene-mdio-rgmii",
+		.data = (void *)XGENE_MDIO_RGMII
+	},
+	{
+		.compatible = "apm,xgene-mdio-xfi",
+		.data = (void *)XGENE_MDIO_XFI
+	},
+	{},
+};
+MODULE_DEVICE_TABLE(of, xgene_mdio_of_match);
+
+#ifdef CONFIG_ACPI
+static const struct acpi_device_id xgene_mdio_acpi_match[] = {
+	{ "APMC0D65", XGENE_MDIO_RGMII },
+	{ "APMC0D66", XGENE_MDIO_XFI },
+	{ }
+};
+
+MODULE_DEVICE_TABLE(acpi, xgene_mdio_acpi_match);
+#endif
+
+
 static int xgene_mdio_probe(struct platform_device *pdev)
 {
 	struct device *dev = &pdev->dev;
@@ -439,32 +463,6 @@ static int xgene_mdio_remove(struct plat
 	return 0;
 }
 
-#ifdef CONFIG_OF
-static const struct of_device_id xgene_mdio_of_match[] = {
-	{
-		.compatible = "apm,xgene-mdio-rgmii",
-		.data = (void *)XGENE_MDIO_RGMII
-	},
-	{
-		.compatible = "apm,xgene-mdio-xfi",
-		.data = (void *)XGENE_MDIO_XFI
-	},
-	{},
-};
-
-MODULE_DEVICE_TABLE(of, xgene_mdio_of_match);
-#endif
-
-#ifdef CONFIG_ACPI
-static const struct acpi_device_id xgene_mdio_acpi_match[] = {
-	{ "APMC0D65", XGENE_MDIO_RGMII },
-	{ "APMC0D66", XGENE_MDIO_XFI },
-	{ }
-};
-
-MODULE_DEVICE_TABLE(acpi, xgene_mdio_acpi_match);
-#endif
-
 static struct platform_driver xgene_mdio_driver = {
 	.driver = {
 		.name = "xgene-mdio",
--- a/drivers/net/phy/mdio-xgene.h
+++ b/drivers/net/phy/mdio-xgene.h
@@ -132,10 +132,6 @@ static inline u64 xgene_enet_get_field_v
 #define GET_BIT(field, src) \
 		xgene_enet_get_field_value(field ## _POS, 1, src)
 
-static const struct of_device_id xgene_mdio_of_match[];
-#ifdef CONFIG_ACPI
-static const struct acpi_device_id xgene_mdio_acpi_match[];
-#endif
 int xgene_mdio_rgmii_read(struct mii_bus *bus, int phy_id, int reg);
 int xgene_mdio_rgmii_write(struct mii_bus *bus, int phy_id, int reg, u16 data);
 struct phy_device *xgene_enet_phy_register(struct mii_bus *bus, int phy_addr);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 025/102] nl80211: Fix enum type of variable in nl80211_put_sta_rate()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 024/102] xgene_enet: remove bogus forward declarations Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 026/102] cfg80211: Fix array-bounds warning in fragment copy Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Johannes Berg,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit bbf67e450a5dc2a595e1e7a67b4869f1a7f5a338 upstream.

rate_flg is of type 'enum nl80211_attrs', however it is assigned with
'enum nl80211_rate_info' values. Change the type of rate_flg accordingly.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/nl80211.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4081,7 +4081,7 @@ static bool nl80211_put_sta_rate(struct
 	struct nlattr *rate;
 	u32 bitrate;
 	u16 bitrate_compat;
-	enum nl80211_attrs rate_flg;
+	enum nl80211_rate_info rate_flg;
 
 	rate = nla_nest_start(msg, attr);
 	if (!rate)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 026/102] cfg80211: Fix array-bounds warning in fragment copy
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 025/102] nl80211: Fix enum type of variable in nl80211_put_sta_rate() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 027/102] HID: sony: Use LED_CORE_SUSPENDRESUME Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Johannes Berg,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit aa1702dd162f420bf85ecef0c77686ef0dbc1496 upstream.

__ieee80211_amsdu_copy_frag intentionally initializes a pointer to
array[-1] to increment it later to valid values. clang rightfully
generates an array-bounds warning on the initialization statement.

Initialize the pointer to array[0] and change the algorithm from
increment before to increment after consume.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/util.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -663,7 +663,7 @@ __ieee80211_amsdu_copy_frag(struct sk_bu
 			    int offset, int len)
 {
 	struct skb_shared_info *sh = skb_shinfo(skb);
-	const skb_frag_t *frag = &sh->frags[-1];
+	const skb_frag_t *frag = &sh->frags[0];
 	struct page *frag_page;
 	void *frag_ptr;
 	int frag_len, frag_size;
@@ -676,10 +676,10 @@ __ieee80211_amsdu_copy_frag(struct sk_bu
 
 	while (offset >= frag_size) {
 		offset -= frag_size;
-		frag++;
 		frag_page = skb_frag_page(frag);
 		frag_ptr = skb_frag_address(frag);
 		frag_size = skb_frag_size(frag);
+		frag++;
 	}
 
 	frag_ptr += offset;
@@ -691,12 +691,12 @@ __ieee80211_amsdu_copy_frag(struct sk_bu
 	len -= cur_len;
 
 	while (len > 0) {
-		frag++;
 		frag_len = skb_frag_size(frag);
 		cur_len = min(len, frag_len);
 		__frame_add_frag(frame, skb_frag_page(frag),
 				 skb_frag_address(frag), cur_len, frag_len);
 		len -= cur_len;
+		frag++;
 	}
 }
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 027/102] HID: sony: Use LED_CORE_SUSPENDRESUME
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 026/102] cfg80211: Fix array-bounds warning in fragment copy Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 028/102] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frank Praznik, Jiri Kosina,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Frank Praznik <frank.praznik@gmail.com>

commit 765a1077c85e5f2efcc43582f80caf43a052e903 upstream.

The LED subsystem provides the LED_CORE_SUSPENDRESUME flag to handle
automatically turning off and restoring the state of device LEDs during
suspend/resume.  Use this flag instead of saving and restoring the state
locally.

Signed-off-by: Frank Praznik <frank.praznik@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-sony.c |   45 +++++++++++++++------------------------------
 1 file changed, 15 insertions(+), 30 deletions(-)

--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -1056,7 +1056,6 @@ struct sony_sc {
 	u8 battery_charging;
 	u8 battery_capacity;
 	u8 led_state[MAX_LEDS];
-	u8 resume_led_state[MAX_LEDS];
 	u8 led_delay_on[MAX_LEDS];
 	u8 led_delay_off[MAX_LEDS];
 	u8 led_count;
@@ -1793,6 +1792,7 @@ static int sony_leds_init(struct sony_sc
 		led->name = name;
 		led->brightness = sc->led_state[n];
 		led->max_brightness = max_brightness[n];
+		led->flags = LED_CORE_SUSPENDRESUME;
 		led->brightness_get = sony_led_get_brightness;
 		led->brightness_set = sony_led_set_brightness;
 
@@ -2509,47 +2509,32 @@ static void sony_remove(struct hid_devic
 
 static int sony_suspend(struct hid_device *hdev, pm_message_t message)
 {
-	/*
-	 * On suspend save the current LED state,
-	 * stop running force-feedback and blank the LEDS.
-	 */
-	if (SONY_LED_SUPPORT || SONY_FF_SUPPORT) {
-		struct sony_sc *sc = hid_get_drvdata(hdev);
-
 #ifdef CONFIG_SONY_FF
-		sc->left = sc->right = 0;
-#endif
 
-		memcpy(sc->resume_led_state, sc->led_state,
-			sizeof(sc->resume_led_state));
-		memset(sc->led_state, 0, sizeof(sc->led_state));
+	/* On suspend stop any running force-feedback events */
+	if (SONY_FF_SUPPORT) {
+		struct sony_sc *sc = hid_get_drvdata(hdev);
 
+		sc->left = sc->right = 0;
 		sony_send_output_report(sc);
 	}
 
+#endif
 	return 0;
 }
 
 static int sony_resume(struct hid_device *hdev)
 {
-	/* Restore the state of controller LEDs on resume */
-	if (SONY_LED_SUPPORT) {
-		struct sony_sc *sc = hid_get_drvdata(hdev);
-
-		memcpy(sc->led_state, sc->resume_led_state,
-			sizeof(sc->led_state));
-
-		/*
-		 * The Sixaxis and navigation controllers on USB need to be
-		 * reinitialized on resume or they won't behave properly.
-		 */
-		if ((sc->quirks & SIXAXIS_CONTROLLER_USB) ||
-			(sc->quirks & NAVIGATION_CONTROLLER_USB)) {
-			sixaxis_set_operational_usb(sc->hdev);
-			sc->defer_initialization = 1;
-		}
+	struct sony_sc *sc = hid_get_drvdata(hdev);
 
-		sony_set_leds(sc);
+	/*
+	 * The Sixaxis and navigation controllers on USB need to be
+	 * reinitialized on resume or they won't behave properly.
+	 */
+	if ((sc->quirks & SIXAXIS_CONTROLLER_USB) ||
+		(sc->quirks & NAVIGATION_CONTROLLER_USB)) {
+		sixaxis_set_operational_usb(sc->hdev);
+		sc->defer_initialization = 1;
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 028/102] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 027/102] HID: sony: Use LED_CORE_SUSPENDRESUME Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 029/102] mac80211: Fix clang warning about constant operand in logical operation Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Pablo Neira Ayuso,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit a2b7cbdd2559aff06cebc28a7150f81c307a90d3 upstream.

Not all parameters passed to ctnetlink_parse_tuple() and
ctnetlink_exp_dump_tuple() match the enum type in the signatures of these
functions. Since this is intended change the argument type of to be an
unsigned integer value.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_conntrack_netlink.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1008,9 +1008,8 @@ static const struct nla_policy tuple_nla
 
 static int
 ctnetlink_parse_tuple(const struct nlattr * const cda[],
-		      struct nf_conntrack_tuple *tuple,
-		      enum ctattr_type type, u_int8_t l3num,
-		      struct nf_conntrack_zone *zone)
+		      struct nf_conntrack_tuple *tuple, u32 type,
+		      u_int8_t l3num, struct nf_conntrack_zone *zone)
 {
 	struct nlattr *tb[CTA_TUPLE_MAX+1];
 	int err;
@@ -2409,7 +2408,7 @@ static struct nfnl_ct_hook ctnetlink_glu
 
 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
 				    const struct nf_conntrack_tuple *tuple,
-				    enum ctattr_expect type)
+				    u32 type)
 {
 	struct nlattr *nest_parms;
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 029/102] mac80211: Fix clang warning about constant operand in logical operation
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 028/102] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 030/102] mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss() Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Johannes Berg,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 93f56de259376d7e4fff2b2d104082e1fa66e237 upstream.

When clang detects a non-boolean constant in a logical operation it
generates a 'constant-logical-operand' warning. In
ieee80211_try_rate_control_ops_get() the result of strlen(<const str>)
is used in a logical operation, clang resolves the expression to an
(integer) constant at compile time when clang's builtin strlen function
is used.

Change the condition to check for strlen() > 0 to make the constant
operand boolean and thus avoid the warning.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/rate.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -173,9 +173,11 @@ ieee80211_rate_control_ops_get(const cha
 		/* try default if specific alg requested but not found */
 		ops = ieee80211_try_rate_control_ops_get(ieee80211_default_rc_algo);
 
-	/* try built-in one if specific alg requested but not found */
-	if (!ops && strlen(CONFIG_MAC80211_RC_DEFAULT))
+	/* Note: check for > 0 is intentional to avoid clang warning */
+	if (!ops && (strlen(CONFIG_MAC80211_RC_DEFAULT) > 0))
+		/* try built-in one if specific alg requested but not found */
 		ops = ieee80211_try_rate_control_ops_get(CONFIG_MAC80211_RC_DEFAULT);
+
 	kernel_param_unlock(THIS_MODULE);
 
 	return ops;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 030/102] mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 029/102] mac80211: Fix clang warning about constant operand in logical operation Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 031/102] btrfs: Remove extra parentheses from condition in copy_items() Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Johannes Berg,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit a4ac6f2e53e568a77a2eb3710efd99ca08634c0a upstream.

cfg80211_chandef_create() expects an 'enum nl80211_channel_type' as
channel type however in ieee80211_sta_join_ibss()
NL80211_CHAN_WIDTH_20_NOHT is passed in two occasions, which is of
the enum type 'nl80211_chan_width'. Change the value to NL80211_CHAN_NO_HT
(20 MHz, non-HT channel) of the channel type enum.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/ibss.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -427,7 +427,7 @@ static void ieee80211_sta_join_ibss(stru
 	case NL80211_CHAN_WIDTH_5:
 	case NL80211_CHAN_WIDTH_10:
 		cfg80211_chandef_create(&chandef, cbss->channel,
-					NL80211_CHAN_WIDTH_20_NOHT);
+					NL80211_CHAN_NO_HT);
 		chandef.width = sdata->u.ibss.chandef.width;
 		break;
 	case NL80211_CHAN_WIDTH_80:
@@ -439,7 +439,7 @@ static void ieee80211_sta_join_ibss(stru
 	default:
 		/* fall back to 20 MHz for unsupported modes */
 		cfg80211_chandef_create(&chandef, cbss->channel,
-					NL80211_CHAN_WIDTH_20_NOHT);
+					NL80211_CHAN_NO_HT);
 		break;
 	}
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 031/102] btrfs: Remove extra parentheses from condition in copy_items()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 030/102] mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 032/102] arm64: avoid overflow in VA_START and PAGE_OFFSET Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, David Sterba,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 0dde10bed2c44a4024eb446cc72fe4e0cb97ec06 upstream.

There is no need for the extra pair of parentheses, remove it. This
fixes the following warning when building with clang:

fs/btrfs/tree-log.c:3694:10: warning: equality comparison with extraneous
  parentheses [-Wparentheses-equality]
                if ((i == (nr - 1)))
                     ~~^~~~~~~~~~~

Also remove the unnecessary parentheses around the substraction.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: David Sterba <dsterba@suse.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -3664,7 +3664,7 @@ static noinline int copy_items(struct bt
 
 		src_offset = btrfs_item_ptr_offset(src, start_slot + i);
 
-		if ((i == (nr - 1)))
+		if (i == nr - 1)
 			last_key = ins_keys[i];
 
 		if (ins_keys[i].type == BTRFS_INODE_ITEM_KEY) {

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 032/102] arm64: avoid overflow in VA_START and PAGE_OFFSET
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 031/102] btrfs: Remove extra parentheses from condition in copy_items() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 033/102] selinux: Remove redundant check for unknown labeling behavior Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Yury Norov,
	Matthias Kaehlcke, Nick Desaulniers, Will Deacon,
	Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nick Desaulniers <ndesaulniers@google.com>

commit 82cd588052815eb4146f9f7c5347ca5e32c56360 upstream.

The bitmask used to define these values produces overflow, as seen by
this compiler warning:

arch/arm64/kernel/head.S:47:8: warning:
      integer overflow in preprocessor expression
  #elif (PAGE_OFFSET & 0x1fffff) != 0
         ^~~~~~~~~~~
arch/arm64/include/asm/memory.h:52:46: note:
      expanded from macro 'PAGE_OFFSET'
  #define PAGE_OFFSET             (UL(0xffffffffffffffff) << (VA_BITS -
1))
                                      ~~~~~~~~~~~~~~~~~~  ^

It would be preferrable to use GENMASK_ULL() instead, but it's not set
up to be used from assembly (the UL() macro token pastes UL suffixes
when not included in assembly sources).

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Suggested-by: Yury Norov <ynorov@caviumnetworks.com>
Suggested-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/memory.h |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -64,8 +64,10 @@
  * TASK_UNMAPPED_BASE - the lower boundary of the mmap VM area.
  */
 #define VA_BITS			(CONFIG_ARM64_VA_BITS)
-#define VA_START		(UL(0xffffffffffffffff) << VA_BITS)
-#define PAGE_OFFSET		(UL(0xffffffffffffffff) << (VA_BITS - 1))
+#define VA_START		(UL(0xffffffffffffffff) - \
+	(UL(1) << VA_BITS) + 1)
+#define PAGE_OFFSET		(UL(0xffffffffffffffff) - \
+	(UL(1) << (VA_BITS - 1)) + 1)
 #define KIMAGE_VADDR		(MODULES_END)
 #define MODULES_END		(MODULES_VADDR + MODULES_VSIZE)
 #define MODULES_VADDR		(VA_START + KASAN_SHADOW_SIZE)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 033/102] selinux: Remove redundant check for unknown labeling behavior
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 032/102] arm64: avoid overflow in VA_START and PAGE_OFFSET Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 034/102] mm/vmscan.c: fix unsequenced modification and access warning Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Kaehlcke, Stephen Smalley,
	Paul Moore, Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Kaehlcke <mka@chromium.org>

commit 270e8573145a26de924e2dc644596332d400445b upstream.

The check is already performed in ocontext_read() when the policy is
loaded. Removing the array also fixes the following warning when
building with clang:

security/selinux/hooks.c:338:20: error: variable 'labeling_behaviors'
    is not needed and will not be emitted
    [-Werror,-Wunneeded-internal-declaration]

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/selinux/hooks.c |   16 ----------------
 1 file changed, 16 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -406,18 +406,6 @@ static void superblock_free_security(str
 	kfree(sbsec);
 }
 
-/* The file system's label must be initialized prior to use. */
-
-static const char *labeling_behaviors[7] = {
-	"uses xattr",
-	"uses transition SIDs",
-	"uses task SIDs",
-	"uses genfs_contexts",
-	"not configured for labeling",
-	"uses mountpoint labeling",
-	"uses native labeling",
-};
-
 static inline int inode_doinit(struct inode *inode)
 {
 	return inode_doinit_with_dentry(inode, NULL);
@@ -528,10 +516,6 @@ static int sb_finish_set_opts(struct sup
 		}
 	}
 
-	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
-		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
-		       sb->s_id, sb->s_type->name);
-
 	sbsec->flags |= SE_SBINITIALIZED;
 	if (selinux_is_sblabel_mnt(sb))
 		sbsec->flags |= SBLABEL_MNT;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 034/102] mm/vmscan.c: fix unsequenced modification and access warning
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 033/102] selinux: Remove redundant check for unknown labeling behavior Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 035/102] xfrm_user: uncoditionally validate esn replay attribute struct Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Michal Hocko,
	Andrew Morton, Linus Torvalds, Nathan Chancellor

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nick Desaulniers <nick.desaulniers@gmail.com>

commit f2f43e566a02a3bdde0a65e6a2e88d707c212a29 upstream.

Clang and its -Wunsequenced emits a warning

  mm/vmscan.c:2961:25: error: unsequenced modification and access to 'gfp_mask' [-Wunsequenced]
                  .gfp_mask = (gfp_mask = current_gfp_context(gfp_mask)),
                                        ^

While it is not clear to me whether the initialization code violates the
specification (6.7.8 par 19 (ISO/IEC 9899) looks like it disagrees) the
code is quite confusing and worth cleaning up anyway.  Fix this by
reusing sc.gfp_mask rather than the updated input gfp_mask parameter.

Link: http://lkml.kernel.org/r/20170510154030.10720-1-nick.desaulniers@gmail.com
Signed-off-by: Nick Desaulniers <nick.desaulniers@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[natechancellor: Adjust context due to abscence of 7dea19f9ee63]
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/vmscan.c |   13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2966,7 +2966,7 @@ unsigned long try_to_free_pages(struct z
 	unsigned long nr_reclaimed;
 	struct scan_control sc = {
 		.nr_to_reclaim = SWAP_CLUSTER_MAX,
-		.gfp_mask = (gfp_mask = memalloc_noio_flags(gfp_mask)),
+		.gfp_mask = memalloc_noio_flags(gfp_mask),
 		.reclaim_idx = gfp_zone(gfp_mask),
 		.order = order,
 		.nodemask = nodemask,
@@ -2981,12 +2981,12 @@ unsigned long try_to_free_pages(struct z
 	 * 1 is returned so that the page allocator does not OOM kill at this
 	 * point.
 	 */
-	if (throttle_direct_reclaim(gfp_mask, zonelist, nodemask))
+	if (throttle_direct_reclaim(sc.gfp_mask, zonelist, nodemask))
 		return 1;
 
 	trace_mm_vmscan_direct_reclaim_begin(order,
 				sc.may_writepage,
-				gfp_mask,
+				sc.gfp_mask,
 				sc.reclaim_idx);
 
 	nr_reclaimed = do_try_to_free_pages(zonelist, &sc);
@@ -3749,16 +3749,15 @@ static int __node_reclaim(struct pglist_
 	const unsigned long nr_pages = 1 << order;
 	struct task_struct *p = current;
 	struct reclaim_state reclaim_state;
-	int classzone_idx = gfp_zone(gfp_mask);
 	struct scan_control sc = {
 		.nr_to_reclaim = max(nr_pages, SWAP_CLUSTER_MAX),
-		.gfp_mask = (gfp_mask = memalloc_noio_flags(gfp_mask)),
+		.gfp_mask = memalloc_noio_flags(gfp_mask),
 		.order = order,
 		.priority = NODE_RECLAIM_PRIORITY,
 		.may_writepage = !!(node_reclaim_mode & RECLAIM_WRITE),
 		.may_unmap = !!(node_reclaim_mode & RECLAIM_UNMAP),
 		.may_swap = 1,
-		.reclaim_idx = classzone_idx,
+		.reclaim_idx = gfp_zone(gfp_mask),
 	};
 
 	cond_resched();
@@ -3768,7 +3767,7 @@ static int __node_reclaim(struct pglist_
 	 * and RECLAIM_UNMAP.
 	 */
 	p->flags |= PF_MEMALLOC | PF_SWAPWRITE;
-	lockdep_set_current_reclaim_state(gfp_mask);
+	lockdep_set_current_reclaim_state(sc.gfp_mask);
 	reclaim_state.reclaimed_slab = 0;
 	p->reclaim_state = &reclaim_state;
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 035/102] xfrm_user: uncoditionally validate esn replay attribute struct
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 034/102] mm/vmscan.c: fix unsequenced modification and access warning Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 036/102] RDMA/ucma: Check AF family prior resolving address Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+0ab777c27d2bb7588f73,
	Mathias Krause, Florian Westphal, Steffen Klassert

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed, validation
only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
and just checks if the attribute itself is present.

So always validate.  Alternative is to reject if we have the attribute
without the flag but that would change abi.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause <minipli@googlemail.com>
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |   21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct x
 	struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
 	struct xfrm_replay_state_esn *rs;
 
-	if (p->flags & XFRM_STATE_ESN) {
-		if (!rt)
-			return -EINVAL;
-
-		rs = nla_data(rt);
+	if (!rt)
+		return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
 
-		if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
-			return -EINVAL;
+	rs = nla_data(rt);
 
-		if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
-		    nla_len(rt) != sizeof(*rs))
-			return -EINVAL;
-	}
+	if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+		return -EINVAL;
 
-	if (!rt)
-		return 0;
+	if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
+	    nla_len(rt) != sizeof(*rs))
+		return -EINVAL;
 
 	/* As only ESP and AH support ESN feature. */
 	if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 036/102] RDMA/ucma: Check AF family prior resolving address
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 035/102] xfrm_user: uncoditionally validate esn replay attribute struct Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 037/102] RDMA/ucma: Fix use-after-free access in ucma_close Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+1d8c43206853b369d00c,
	Leon Romanovsky, Sean Hefty, Jason Gunthorpe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 2975d5de6428ff6d9317e9948f0968f7d42e5d74 upstream.

Garbage supplied by user will cause to UCMA module provide zero
memory size for memcpy(), because it wasn't checked, it will
produce unpredictable results in rdma_resolve_addr().

[   42.873814] BUG: KASAN: null-ptr-deref in rdma_resolve_addr+0xc8/0xfb0
[   42.874816] Write of size 28 at addr 00000000000000a0 by task resaddr/1044
[   42.876765]
[   42.876960] CPU: 1 PID: 1044 Comm: resaddr Not tainted 4.16.0-rc1-00057-gaa56a5293d7e #34
[   42.877840] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   42.879691] Call Trace:
[   42.880236]  dump_stack+0x5c/0x77
[   42.880664]  kasan_report+0x163/0x380
[   42.881354]  ? rdma_resolve_addr+0xc8/0xfb0
[   42.881864]  memcpy+0x34/0x50
[   42.882692]  rdma_resolve_addr+0xc8/0xfb0
[   42.883366]  ? deref_stack_reg+0x88/0xd0
[   42.883856]  ? vsnprintf+0x31a/0x770
[   42.884686]  ? rdma_bind_addr+0xc40/0xc40
[   42.885327]  ? num_to_str+0x130/0x130
[   42.885773]  ? deref_stack_reg+0x88/0xd0
[   42.886217]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[   42.887698]  ? unwind_get_return_address_ptr+0x50/0x50
[   42.888302]  ? replace_slot+0x147/0x170
[   42.889176]  ? delete_node+0x12c/0x340
[   42.890223]  ? __radix_tree_lookup+0xa9/0x160
[   42.891196]  ? ucma_resolve_ip+0xb7/0x110
[   42.891917]  ucma_resolve_ip+0xb7/0x110
[   42.893003]  ? ucma_resolve_addr+0x190/0x190
[   42.893531]  ? _copy_from_user+0x5e/0x90
[   42.894204]  ucma_write+0x174/0x1f0
[   42.895162]  ? ucma_resolve_route+0xf0/0xf0
[   42.896309]  ? dequeue_task_fair+0x67e/0xd90
[   42.897192]  ? put_prev_entity+0x7d/0x170
[   42.897870]  ? ring_buffer_record_is_on+0xd/0x20
[   42.898439]  ? tracing_record_taskinfo_skip+0x20/0x50
[   42.899686]  __vfs_write+0xc4/0x350
[   42.900142]  ? kernel_read+0xa0/0xa0
[   42.900602]  ? firmware_map_remove+0xdf/0xdf
[   42.901135]  ? do_task_dead+0x5d/0x60
[   42.901598]  ? do_exit+0xcc6/0x1220
[   42.902789]  ? __fget+0xa8/0xf0
[   42.903190]  vfs_write+0xf7/0x280
[   42.903600]  SyS_write+0xa1/0x120
[   42.904206]  ? SyS_read+0x120/0x120
[   42.905710]  ? compat_start_thread+0x60/0x60
[   42.906423]  ? SyS_read+0x120/0x120
[   42.908716]  do_syscall_64+0xeb/0x250
[   42.910760]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   42.912735] RIP: 0033:0x7f138b0afe99
[   42.914734] RSP: 002b:00007f138b799e98 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
[   42.917134] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f138b0afe99
[   42.919487] RDX: 000000000000002e RSI: 0000000020000c40 RDI: 0000000000000004
[   42.922393] RBP: 00007f138b799ec0 R08: 00007f138b79a700 R09: 0000000000000000
[   42.925266] R10: 00007f138b79a700 R11: 0000000000000287 R12: 00007f138b799fc0
[   42.927570] R13: 0000000000000000 R14: 00007ffdbae757c0 R15: 00007f138b79a9c0
[   42.930047]
[   42.932681] Disabling lock debugging due to kernel taint
[   42.934795] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
[   42.936939] IP: memcpy_erms+0x6/0x10
[   42.938864] PGD 80000001bea92067 P4D 80000001bea92067 PUD 1bea96067 PMD 0
[   42.941576] Oops: 0002 [#1] SMP KASAN PTI
[   42.943952] CPU: 1 PID: 1044 Comm: resaddr Tainted: G    B 4.16.0-rc1-00057-gaa56a5293d7e #34
[   42.946964] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   42.952336] RIP: 0010:memcpy_erms+0x6/0x10
[   42.954707] RSP: 0018:ffff8801c8b479c8 EFLAGS: 00010286
[   42.957227] RAX: 00000000000000a0 RBX: ffff8801c8b47ba0 RCX: 000000000000001c
[   42.960543] RDX: 000000000000001c RSI: ffff8801c8b47bbc RDI: 00000000000000a0
[   42.963867] RBP: ffff8801c8b47b60 R08: 0000000000000000 R09: ffffed0039168ed1
[   42.967303] R10: 0000000000000001 R11: ffffed0039168ed0 R12: ffff8801c8b47bbc
[   42.970685] R13: 00000000000000a0 R14: 1ffff10039168f4a R15: 0000000000000000
[   42.973631] FS:  00007f138b79a700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
[   42.976831] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   42.979239] CR2: 00000000000000a0 CR3: 00000001be908002 CR4: 00000000003606a0
[   42.982060] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   42.984877] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   42.988033] Call Trace:
[   42.990487]  rdma_resolve_addr+0xc8/0xfb0
[   42.993202]  ? deref_stack_reg+0x88/0xd0
[   42.996055]  ? vsnprintf+0x31a/0x770
[   42.998707]  ? rdma_bind_addr+0xc40/0xc40
[   43.000985]  ? num_to_str+0x130/0x130
[   43.003410]  ? deref_stack_reg+0x88/0xd0
[   43.006302]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[   43.008780]  ? unwind_get_return_address_ptr+0x50/0x50
[   43.011178]  ? replace_slot+0x147/0x170
[   43.013517]  ? delete_node+0x12c/0x340
[   43.016019]  ? __radix_tree_lookup+0xa9/0x160
[   43.018755]  ? ucma_resolve_ip+0xb7/0x110
[   43.021270]  ucma_resolve_ip+0xb7/0x110
[   43.023968]  ? ucma_resolve_addr+0x190/0x190
[   43.026312]  ? _copy_from_user+0x5e/0x90
[   43.029384]  ucma_write+0x174/0x1f0
[   43.031861]  ? ucma_resolve_route+0xf0/0xf0
[   43.034782]  ? dequeue_task_fair+0x67e/0xd90
[   43.037483]  ? put_prev_entity+0x7d/0x170
[   43.040215]  ? ring_buffer_record_is_on+0xd/0x20
[   43.042990]  ? tracing_record_taskinfo_skip+0x20/0x50
[   43.045595]  __vfs_write+0xc4/0x350
[   43.048624]  ? kernel_read+0xa0/0xa0
[   43.051604]  ? firmware_map_remove+0xdf/0xdf
[   43.055379]  ? do_task_dead+0x5d/0x60
[   43.058000]  ? do_exit+0xcc6/0x1220
[   43.060783]  ? __fget+0xa8/0xf0
[   43.063133]  vfs_write+0xf7/0x280
[   43.065677]  SyS_write+0xa1/0x120
[   43.068647]  ? SyS_read+0x120/0x120
[   43.071179]  ? compat_start_thread+0x60/0x60
[   43.074025]  ? SyS_read+0x120/0x120
[   43.076705]  do_syscall_64+0xeb/0x250
[   43.079006]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   43.081606] RIP: 0033:0x7f138b0afe99
[   43.083679] RSP: 002b:00007f138b799e98 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
[   43.086802] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f138b0afe99
[   43.089989] RDX: 000000000000002e RSI: 0000000020000c40 RDI: 0000000000000004
[   43.092866] RBP: 00007f138b799ec0 R08: 00007f138b79a700 R09: 0000000000000000
[   43.096233] R10: 00007f138b79a700 R11: 0000000000000287 R12: 00007f138b799fc0
[   43.098913] R13: 0000000000000000 R14: 00007ffdbae757c0 R15: 00007f138b79a9c0
[   43.101809] Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48
89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
[   43.107950] RIP: memcpy_erms+0x6/0x10 RSP: ffff8801c8b479c8

Reported-by: <syzbot+1d8c43206853b369d00c@syzkaller.appspotmail.com>
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -662,19 +662,23 @@ static ssize_t ucma_resolve_ip(struct uc
 			       int in_len, int out_len)
 {
 	struct rdma_ucm_resolve_ip cmd;
+	struct sockaddr *src, *dst;
 	struct ucma_context *ctx;
 	int ret;
 
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
+	src = (struct sockaddr *) &cmd.src_addr;
+	dst = (struct sockaddr *) &cmd.dst_addr;
+	if (!rdma_addr_size(src) || !rdma_addr_size(dst))
+		return -EINVAL;
+
 	ctx = ucma_get_ctx(file, cmd.id);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
-				(struct sockaddr *) &cmd.dst_addr,
-				cmd.timeout_ms);
+	ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
 	ucma_put_ctx(ctx);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 037/102] RDMA/ucma: Fix use-after-free access in ucma_close
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 036/102] RDMA/ucma: Check AF family prior resolving address Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 038/102] RDMA/ucma: Ensure that CM_ID exists prior to access it Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+dcfd344365a56fbebd0f,
	Leon Romanovsky, Sean Hefty, Jason Gunthorpe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit ed65a4dc22083e73bac599ded6a262318cad7baf upstream.

The error in ucma_create_id() left ctx in the list of contexts belong
to ucma file descriptor. The attempt to close this file descriptor causes
to use-after-free accesses while iterating over such list.

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: <syzbot+dcfd344365a56fbebd0f@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -495,6 +495,9 @@ err1:
 	mutex_lock(&mut);
 	idr_remove(&ctx_idr, ctx->id);
 	mutex_unlock(&mut);
+	mutex_lock(&file->mut);
+	list_del(&ctx->list);
+	mutex_unlock(&file->mut);
 	kfree(ctx);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 038/102] RDMA/ucma: Ensure that CM_ID exists prior to access it
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 037/102] RDMA/ucma: Fix use-after-free access in ucma_close Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 039/102] RDMA/ucma: Check that device is connected " Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+36712f50b0552615bf59,
	Leon Romanovsky, Jason Gunthorpe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit e8980d67d6017c8eee8f9c35f782c4bd68e004c9 upstream.

Prior to access UCMA commands, the context should be initialized
and connected to CM_ID with ucma_create_id(). In case user skips
this step, he can provide non-valid ctx without CM_ID and cause
to multiple NULL dereferences.

Also there are situations where the create_id can be raced with
other user access, ensure that the context is only shared to
other threads once it is fully initialized to avoid the races.

[  109.088108] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[  109.090315] IP: ucma_connect+0x138/0x1d0
[  109.092595] PGD 80000001dc02d067 P4D 80000001dc02d067 PUD 1da9ef067 PMD 0
[  109.095384] Oops: 0000 [#1] SMP KASAN PTI
[  109.097834] CPU: 0 PID: 663 Comm: uclose Tainted: G    B 4.16.0-rc1-00062-g2975d5de6428 #45
[  109.100816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[  109.105943] RIP: 0010:ucma_connect+0x138/0x1d0
[  109.108850] RSP: 0018:ffff8801c8567a80 EFLAGS: 00010246
[  109.111484] RAX: 0000000000000000 RBX: 1ffff100390acf50 RCX: ffffffff9d7812e2
[  109.114496] RDX: 1ffffffff3f507a5 RSI: 0000000000000297 RDI: 0000000000000297
[  109.117490] RBP: ffff8801daa15600 R08: 0000000000000000 R09: ffffed00390aceeb
[  109.120429] R10: 0000000000000001 R11: ffffed00390aceea R12: 0000000000000000
[  109.123318] R13: 0000000000000120 R14: ffff8801de6459c0 R15: 0000000000000118
[  109.126221] FS:  00007fabb68d6700(0000) GS:ffff8801e5c00000(0000) knlGS:0000000000000000
[  109.129468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  109.132523] CR2: 0000000000000020 CR3: 00000001d45d8003 CR4: 00000000003606b0
[  109.135573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  109.138716] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  109.142057] Call Trace:
[  109.144160]  ? ucma_listen+0x110/0x110
[  109.146386]  ? wake_up_q+0x59/0x90
[  109.148853]  ? futex_wake+0x10b/0x2a0
[  109.151297]  ? save_stack+0x89/0xb0
[  109.153489]  ? _copy_from_user+0x5e/0x90
[  109.155500]  ucma_write+0x174/0x1f0
[  109.157933]  ? ucma_resolve_route+0xf0/0xf0
[  109.160389]  ? __mod_node_page_state+0x1d/0x80
[  109.162706]  __vfs_write+0xc4/0x350
[  109.164911]  ? kernel_read+0xa0/0xa0
[  109.167121]  ? path_openat+0x1b10/0x1b10
[  109.169355]  ? fsnotify+0x899/0x8f0
[  109.171567]  ? fsnotify_unmount_inodes+0x170/0x170
[  109.174145]  ? __fget+0xa8/0xf0
[  109.177110]  vfs_write+0xf7/0x280
[  109.179532]  SyS_write+0xa1/0x120
[  109.181885]  ? SyS_read+0x120/0x120
[  109.184482]  ? compat_start_thread+0x60/0x60
[  109.187124]  ? SyS_read+0x120/0x120
[  109.189548]  do_syscall_64+0xeb/0x250
[  109.192178]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[  109.194725] RIP: 0033:0x7fabb61ebe99
[  109.197040] RSP: 002b:00007fabb68d5e98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  109.200294] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fabb61ebe99
[  109.203399] RDX: 0000000000000120 RSI: 00000000200001c0 RDI: 0000000000000004
[  109.206548] RBP: 00007fabb68d5ec0 R08: 0000000000000000 R09: 0000000000000000
[  109.209902] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fabb68d5fc0
[  109.213327] R13: 0000000000000000 R14: 00007fff40ab2430 R15: 00007fabb68d69c0
[  109.216613] Code: 88 44 24 2c 0f b6 84 24 6e 01 00 00 88 44 24 2d 0f
b6 84 24 69 01 00 00 88 44 24 2e 8b 44 24 60 89 44 24 30 e8 da f6 06 ff
31 c0 <66> 41 83 7c 24 20 1b 75 04 8b 44 24 64 48 8d 74 24 20 4c 89 e7
[  109.223602] RIP: ucma_connect+0x138/0x1d0 RSP: ffff8801c8567a80
[  109.226256] CR2: 0000000000000020

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: <syzbot+36712f50b0552615bf59@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -132,7 +132,7 @@ static inline struct ucma_context *_ucma
 	ctx = idr_find(&ctx_idr, id);
 	if (!ctx)
 		ctx = ERR_PTR(-ENOENT);
-	else if (ctx->file != file)
+	else if (ctx->file != file || !ctx->cm_id)
 		ctx = ERR_PTR(-EINVAL);
 	return ctx;
 }
@@ -454,6 +454,7 @@ static ssize_t ucma_create_id(struct ucm
 	struct rdma_ucm_create_id cmd;
 	struct rdma_ucm_create_id_resp resp;
 	struct ucma_context *ctx;
+	struct rdma_cm_id *cm_id;
 	enum ib_qp_type qp_type;
 	int ret;
 
@@ -474,10 +475,10 @@ static ssize_t ucma_create_id(struct ucm
 		return -ENOMEM;
 
 	ctx->uid = cmd.uid;
-	ctx->cm_id = rdma_create_id(current->nsproxy->net_ns,
-				    ucma_event_handler, ctx, cmd.ps, qp_type);
-	if (IS_ERR(ctx->cm_id)) {
-		ret = PTR_ERR(ctx->cm_id);
+	cm_id = rdma_create_id(current->nsproxy->net_ns,
+			       ucma_event_handler, ctx, cmd.ps, qp_type);
+	if (IS_ERR(cm_id)) {
+		ret = PTR_ERR(cm_id);
 		goto err1;
 	}
 
@@ -487,10 +488,12 @@ static ssize_t ucma_create_id(struct ucm
 		ret = -EFAULT;
 		goto err2;
 	}
+
+	ctx->cm_id = cm_id;
 	return 0;
 
 err2:
-	rdma_destroy_id(ctx->cm_id);
+	rdma_destroy_id(cm_id);
 err1:
 	mutex_lock(&mut);
 	idr_remove(&ctx_idr, ctx->id);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 039/102] RDMA/ucma: Check that device is connected prior to access it
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 038/102] RDMA/ucma: Ensure that CM_ID exists prior to access it Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 040/102] RDMA/ucma: Check that device exists prior to accessing it Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+7b62c837c2516f8f38c8,
	Leon Romanovsky, Jason Gunthorpe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 4b658d1bbc16605330694bb3ef2570c465ef383d upstream.

Add missing check that device is connected prior to access it.

[   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
[   55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
[   55.360255]
[   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b8b88 #91
[   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   55.363264] Call Trace:
[   55.363833]  dump_stack+0x5c/0x77
[   55.364215]  kasan_report+0x163/0x380
[   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
[   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
[   55.366410]  ucma_init_qp_attr+0x111/0x200
[   55.366846]  ? ucma_notify+0xf0/0xf0
[   55.367405]  ? _get_random_bytes+0xea/0x1b0
[   55.367846]  ? urandom_read+0x2f0/0x2f0
[   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
[   55.369104]  ? refcount_inc_not_zero+0x9/0x60
[   55.369583]  ? refcount_inc+0x5/0x30
[   55.370155]  ? rdma_create_id+0x215/0x240
[   55.370937]  ? _copy_to_user+0x4f/0x60
[   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
[   55.372127]  ? _copy_from_user+0x5e/0x90
[   55.372720]  ucma_write+0x174/0x1f0
[   55.373090]  ? ucma_close_id+0x40/0x40
[   55.373805]  ? __lru_cache_add+0xa8/0xd0
[   55.374403]  __vfs_write+0xc4/0x350
[   55.374774]  ? kernel_read+0xa0/0xa0
[   55.375173]  ? fsnotify+0x899/0x8f0
[   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
[   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   55.377522]  ? handle_mm_fault+0x174/0x320
[   55.378169]  vfs_write+0xf7/0x280
[   55.378864]  SyS_write+0xa1/0x120
[   55.379270]  ? SyS_read+0x120/0x120
[   55.379643]  ? mm_fault_error+0x180/0x180
[   55.380071]  ? task_work_run+0x7d/0xd0
[   55.380910]  ? __task_pid_nr_ns+0x120/0x140
[   55.381366]  ? SyS_read+0x120/0x120
[   55.381739]  do_syscall_64+0xeb/0x250
[   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   55.382841] RIP: 0033:0x7fc2ef803e99
[   55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[   55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
[   55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
[   55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
[   55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
[   55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
[   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
48 89 04 24 e8 3a 4f 1e ff 48
[   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
[   55.532648] CR2: 00000000000000b0
[   55.534396] ---[ end trace 70cee64090251c0b ]---

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45500bd ("IB/core: Convert ah_attr from OPA to IB when copying to user")
Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1156,6 +1156,11 @@ static ssize_t ucma_init_qp_attr(struct
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (!ctx->cm_id->device) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	resp.qp_attr_mask = 0;
 	memset(&qp_attr, 0, sizeof qp_attr);
 	qp_attr.qp_state = cmd.qp_state;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 040/102] RDMA/ucma: Check that device exists prior to accessing it
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 039/102] RDMA/ucma: Check that device is connected " Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 041/102] RDMA/ucma: Introduce safer rdma_addr_size() variants Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+71655d44855ac3e76366,
	Leon Romanovsky, Jason Gunthorpe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit c8d3bcbfc5eab3f01cf373d039af725f3b488813 upstream.

Ensure that device exists prior to accessing its properties.

Reported-by: <syzbot+71655d44855ac3e76366@syzkaller.appspotmail.com>
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1317,7 +1317,7 @@ static ssize_t ucma_notify(struct ucma_f
 {
 	struct rdma_ucm_notify cmd;
 	struct ucma_context *ctx;
-	int ret;
+	int ret = -EINVAL;
 
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
@@ -1326,7 +1326,9 @@ static ssize_t ucma_notify(struct ucma_f
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event);
+	if (ctx->cm_id->device)
+		ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
+
 	ucma_put_ctx(ctx);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 041/102] RDMA/ucma: Introduce safer rdma_addr_size() variants
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 040/102] RDMA/ucma: Check that device exists prior to accessing it Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 042/102] net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+6800425d54ed3ed8135d,
	Roland Dreier, Jason Gunthorpe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roland Dreier <roland@purestorage.com>

commit 84652aefb347297aa08e91e283adf7b18f77c2d5 upstream.

There are several places in the ucma ABI where userspace can pass in a
sockaddr but set the address family to AF_IB.  When that happens,
rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
and the ucma kernel code might end up copying past the end of a buffer
not sized for a struct sockaddr_ib.

Fix this by introducing new variants

    int rdma_addr_size_in6(struct sockaddr_in6 *addr);
    int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);

that are type-safe for the types used in the ucma ABI and return 0 if the
size computed is bigger than the size of the type passed in.  We can use
these new variants to check what size userspace has passed in before
copying any addresses.

Reported-by: <syzbot+6800425d54ed3ed8135d@syzkaller.appspotmail.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/addr.c |   16 ++++++++++++++++
 drivers/infiniband/core/ucma.c |   34 +++++++++++++++++-----------------
 include/rdma/ib_addr.h         |    2 ++
 3 files changed, 35 insertions(+), 17 deletions(-)

--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -209,6 +209,22 @@ int rdma_addr_size(struct sockaddr *addr
 }
 EXPORT_SYMBOL(rdma_addr_size);
 
+int rdma_addr_size_in6(struct sockaddr_in6 *addr)
+{
+	int ret = rdma_addr_size((struct sockaddr *) addr);
+
+	return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_in6);
+
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
+{
+	int ret = rdma_addr_size((struct sockaddr *) addr);
+
+	return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_kss);
+
 static struct rdma_addr_client self;
 
 void rdma_addr_register_client(struct rdma_addr_client *client)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -630,6 +630,9 @@ static ssize_t ucma_bind_ip(struct ucma_
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
+	if (!rdma_addr_size_in6(&cmd.addr))
+		return -EINVAL;
+
 	ctx = ucma_get_ctx(file, cmd.id);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
@@ -643,22 +646,21 @@ static ssize_t ucma_bind(struct ucma_fil
 			 int in_len, int out_len)
 {
 	struct rdma_ucm_bind cmd;
-	struct sockaddr *addr;
 	struct ucma_context *ctx;
 	int ret;
 
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
-	addr = (struct sockaddr *) &cmd.addr;
-	if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != rdma_addr_size(addr)))
+	if (cmd.reserved || !cmd.addr_size ||
+	    cmd.addr_size != rdma_addr_size_kss(&cmd.addr))
 		return -EINVAL;
 
 	ctx = ucma_get_ctx(file, cmd.id);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	ret = rdma_bind_addr(ctx->cm_id, addr);
+	ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
 	ucma_put_ctx(ctx);
 	return ret;
 }
@@ -668,23 +670,22 @@ static ssize_t ucma_resolve_ip(struct uc
 			       int in_len, int out_len)
 {
 	struct rdma_ucm_resolve_ip cmd;
-	struct sockaddr *src, *dst;
 	struct ucma_context *ctx;
 	int ret;
 
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
-	src = (struct sockaddr *) &cmd.src_addr;
-	dst = (struct sockaddr *) &cmd.dst_addr;
-	if (!rdma_addr_size(src) || !rdma_addr_size(dst))
+	if (!rdma_addr_size_in6(&cmd.src_addr) ||
+	    !rdma_addr_size_in6(&cmd.dst_addr))
 		return -EINVAL;
 
 	ctx = ucma_get_ctx(file, cmd.id);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+	ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
+				(struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
 	ucma_put_ctx(ctx);
 	return ret;
 }
@@ -694,24 +695,23 @@ static ssize_t ucma_resolve_addr(struct
 				 int in_len, int out_len)
 {
 	struct rdma_ucm_resolve_addr cmd;
-	struct sockaddr *src, *dst;
 	struct ucma_context *ctx;
 	int ret;
 
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
-	src = (struct sockaddr *) &cmd.src_addr;
-	dst = (struct sockaddr *) &cmd.dst_addr;
-	if (cmd.reserved || (cmd.src_size && (cmd.src_size != rdma_addr_size(src))) ||
-	    !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
+	if (cmd.reserved ||
+	    (cmd.src_size && (cmd.src_size != rdma_addr_size_kss(&cmd.src_addr))) ||
+	    !cmd.dst_size || (cmd.dst_size != rdma_addr_size_kss(&cmd.dst_addr)))
 		return -EINVAL;
 
 	ctx = ucma_get_ctx(file, cmd.id);
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+	ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
+				(struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
 	ucma_put_ctx(ctx);
 	return ret;
 }
@@ -1414,7 +1414,7 @@ static ssize_t ucma_join_ip_multicast(st
 	join_cmd.response = cmd.response;
 	join_cmd.uid = cmd.uid;
 	join_cmd.id = cmd.id;
-	join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
+	join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr);
 	if (!join_cmd.addr_size)
 		return -EINVAL;
 
@@ -1433,7 +1433,7 @@ static ssize_t ucma_join_multicast(struc
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
-	if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
+	if (!rdma_addr_size_kss(&cmd.addr))
 		return -EINVAL;
 
 	return ucma_process_join(file, &cmd, out_len);
--- a/include/rdma/ib_addr.h
+++ b/include/rdma/ib_addr.h
@@ -129,6 +129,8 @@ int rdma_copy_addr(struct rdma_dev_addr
 	      const unsigned char *dst_dev_addr);
 
 int rdma_addr_size(struct sockaddr *addr);
+int rdma_addr_size_in6(struct sockaddr_in6 *addr);
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
 
 int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id);
 int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 042/102] net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 041/102] RDMA/ucma: Introduce safer rdma_addr_size() variants Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 043/102] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Greg Hackmann, Steffen Klassert

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Hackmann <ghackmann@google.com>

commit 0dcd7876029b58770f769cbb7b484e88e4a305e5 upstream.

f7c83bcbfaf5 ("net: xfrm: use __this_cpu_read per-cpu helper") added a
__this_cpu_read() call inside ipcomp_alloc_tfms().

At the time, __this_cpu_read() required the caller to either not care
about races or to handle preemption/interrupt issues.  3.15 tightened
the rules around some per-cpu operations, and now __this_cpu_read()
should never be used in a preemptible context.  On 3.15 and later, we
need to use this_cpu_read() instead.

syzkaller reported this leading to the following kernel BUG while
fuzzing sendmsg:

BUG: using __this_cpu_read() in preemptible [00000000] code: repro/3101
caller is ipcomp_init_state+0x185/0x990
CPU: 3 PID: 3101 Comm: repro Not tainted 4.16.0-rc4-00123-g86f84779d8e9 #154
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 dump_stack+0xb9/0x115
 check_preemption_disabled+0x1cb/0x1f0
 ipcomp_init_state+0x185/0x990
 ? __xfrm_init_state+0x876/0xc20
 ? lock_downgrade+0x5e0/0x5e0
 ipcomp4_init_state+0xaa/0x7c0
 __xfrm_init_state+0x3eb/0xc20
 xfrm_init_state+0x19/0x60
 pfkey_add+0x20df/0x36f0
 ? pfkey_broadcast+0x3dd/0x600
 ? pfkey_sock_destruct+0x340/0x340
 ? pfkey_seq_stop+0x80/0x80
 ? __skb_clone+0x236/0x750
 ? kmem_cache_alloc+0x1f6/0x260
 ? pfkey_sock_destruct+0x340/0x340
 ? pfkey_process+0x62a/0x6f0
 pfkey_process+0x62a/0x6f0
 ? pfkey_send_new_mapping+0x11c0/0x11c0
 ? mutex_lock_io_nested+0x1390/0x1390
 pfkey_sendmsg+0x383/0x750
 ? dump_sp+0x430/0x430
 sock_sendmsg+0xc0/0x100
 ___sys_sendmsg+0x6c8/0x8b0
 ? copy_msghdr_from_user+0x3b0/0x3b0
 ? pagevec_lru_move_fn+0x144/0x1f0
 ? find_held_lock+0x32/0x1c0
 ? do_huge_pmd_anonymous_page+0xc43/0x11e0
 ? lock_downgrade+0x5e0/0x5e0
 ? get_kernel_page+0xb0/0xb0
 ? _raw_spin_unlock+0x29/0x40
 ? do_huge_pmd_anonymous_page+0x400/0x11e0
 ? __handle_mm_fault+0x553/0x2460
 ? __fget_light+0x163/0x1f0
 ? __sys_sendmsg+0xc7/0x170
 __sys_sendmsg+0xc7/0x170
 ? SyS_shutdown+0x1a0/0x1a0
 ? __do_page_fault+0x5a0/0xca0
 ? lock_downgrade+0x5e0/0x5e0
 SyS_sendmsg+0x27/0x40
 ? __sys_sendmsg+0x170/0x170
 do_syscall_64+0x19f/0x640
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f0ee73dfb79
RSP: 002b:00007ffe14fc15a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ee73dfb79
RDX: 0000000000000000 RSI: 00000000208befc8 RDI: 0000000000000004
RBP: 00007ffe14fc15b0 R08: 00007ffe14fc15c0 R09: 00007ffe14fc15c0
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000400440
R13: 00007ffe14fc16b0 R14: 0000000000000000 R15: 0000000000000000

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_ipcomp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ip
 		struct crypto_comp *tfm;
 
 		/* This can be any valid CPU ID so we don't need locking. */
-		tfm = __this_cpu_read(*pos->tfms);
+		tfm = this_cpu_read(*pos->tfms);
 
 		if (!strcmp(crypto_comp_name(tfm), alg_name)) {
 			pos->users++;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 043/102] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 042/102] net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 044/102] netfilter: bridge: ebt_among: add more missing match size checks Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steffen Klassert

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Klassert <steffen.klassert@secunet.com>

commit 19d7df69fdb2636856dc8919de72fc1bf8f79598 upstream.

We don't have a compat layer for xfrm, so userspace and kernel
structures have different sizes in this case. This results in
a broken configuration, so refuse to configure socket policies
when trying to insert from 32 bit userspace as we do it already
with policies inserted via netlink.

Reported-and-tested-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_state.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1883,6 +1883,11 @@ int xfrm_user_policy(struct sock *sk, in
 	struct xfrm_mgr *km;
 	struct xfrm_policy *pol = NULL;
 
+#ifdef CONFIG_COMPAT
+	if (in_compat_syscall())
+		return -EOPNOTSUPP;
+#endif
+
 	if (!optval && !optlen) {
 		xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
 		xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 044/102] netfilter: bridge: ebt_among: add more missing match size checks
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 043/102] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 045/102] netfilter: x_tables: add and use xt_check_proc_name Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+bdabab6f1983a03fc009,
	Florian Westphal, Eric Dumazet, Pablo Neira Ayuso

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit c8d70a700a5b486bfa8e5a7d33d805389f6e59f9 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part

NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with same rules from the earlier patch.

Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bridge/netfilter/ebt_among.c |   34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struc
 	return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
 }
 
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+	if (off == 0) /* not present */
+		return false;
+
+	if (off < (int)sizeof(struct ebt_among_info) ||
+	    off % __alignof__(struct ebt_mac_wormhash))
+		return true;
+
+	off += sizeof(struct ebt_mac_wormhash);
+
+	return off > len;
+}
+
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
+{
+	if (a == 0)
+		a = sizeof(struct ebt_among_info);
+
+	return ebt_mac_wormhash_size(wh) + a == b;
+}
+
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_among_info *info = par->matchinfo;
@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const stru
 	if (expected_length > em->match_size)
 		return -EINVAL;
 
+	if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+	    wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+		return -EINVAL;
+
 	wh_dst = ebt_among_wh_dst(info);
 	if (poolsize_invalid(wh_dst))
 		return -EINVAL;
@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const stru
 	if (poolsize_invalid(wh_src))
 		return -EINVAL;
 
+	if (info->wh_src_ofs < info->wh_dst_ofs) {
+		if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
+			return -EINVAL;
+	} else {
+		if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
+			return -EINVAL;
+	}
+
 	expected_length += ebt_mac_wormhash_size(wh_src);
 
 	if (em->match_size != EBT_ALIGN(expected_length)) {

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 045/102] netfilter: x_tables: add and use xt_check_proc_name
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 044/102] netfilter: bridge: ebt_among: add more missing match size checks Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 046/102] Bluetooth: Fix missing encryption refresh on Security Request Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet,
	syzbot+0502b00edac2a0680b61, Florian Westphal, Pablo Neira Ayuso

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit b1d0a5d0cba4597c0394997b2d5fced3e3841b4e upstream.

recent and hashlimit both create /proc files, but only check that
name is 0 terminated.

This can trigger WARN() from procfs when name is "" or "/".
Add helper for this and then use it for both.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: <syzbot+0502b00edac2a0680b61@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/netfilter/x_tables.h |    2 ++
 net/netfilter/x_tables.c           |   30 ++++++++++++++++++++++++++++++
 net/netfilter/xt_hashlimit.c       |   11 +++++++----
 net/netfilter/xt_recent.c          |    6 +++---
 4 files changed, 42 insertions(+), 7 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -254,6 +254,8 @@ unsigned int *xt_alloc_entry_offsets(uns
 bool xt_find_jump_offset(const unsigned int *offsets,
 			 unsigned int target, unsigned int size);
 
+int xt_check_proc_name(const char *name, unsigned int size);
+
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
 		   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -367,6 +367,36 @@ textify_hooks(char *buf, size_t size, un
 	return buf;
 }
 
+/**
+ * xt_check_proc_name - check that name is suitable for /proc file creation
+ *
+ * @name: file name candidate
+ * @size: length of buffer
+ *
+ * some x_tables modules wish to create a file in /proc.
+ * This function makes sure that the name is suitable for this
+ * purpose, it checks that name is NUL terminated and isn't a 'special'
+ * name, like "..".
+ *
+ * returns negative number on error or 0 if name is useable.
+ */
+int xt_check_proc_name(const char *name, unsigned int size)
+{
+	if (name[0] == '\0')
+		return -EINVAL;
+
+	if (strnlen(name, size) == size)
+		return -ENAMETOOLONG;
+
+	if (strcmp(name, ".") == 0 ||
+	    strcmp(name, "..") == 0 ||
+	    strchr(name, '/'))
+		return -EINVAL;
+
+	return 0;
+}
+EXPORT_SYMBOL(xt_check_proc_name);
+
 int xt_check_match(struct xt_mtchk_param *par,
 		   unsigned int size, u_int8_t proto, bool inv_proto)
 {
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -794,8 +794,9 @@ static int hashlimit_mt_check_v1(const s
 	struct hashlimit_cfg2 cfg = {};
 	int ret;
 
-	if (info->name[sizeof(info->name) - 1] != '\0')
-		return -EINVAL;
+	ret = xt_check_proc_name(info->name, sizeof(info->name));
+	if (ret)
+		return ret;
 
 	ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
 
@@ -809,9 +810,11 @@ static int hashlimit_mt_check_v1(const s
 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
 {
 	struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
+	int ret;
 
-	if (info->name[sizeof(info->name) - 1] != '\0')
-		return -EINVAL;
+	ret = xt_check_proc_name(info->name, sizeof(info->name));
+	if (ret)
+		return ret;
 
 	return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
 					 info->name, 2);
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -361,9 +361,9 @@ static int recent_mt_check(const struct
 			info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
 		return -EINVAL;
 	}
-	if (info->name[0] == '\0' ||
-	    strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
-		return -EINVAL;
+	ret = xt_check_proc_name(info->name, sizeof(info->name));
+	if (ret)
+		return ret;
 
 	if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
 		nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 046/102] Bluetooth: Fix missing encryption refresh on Security Request
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 045/102] netfilter: x_tables: add and use xt_check_proc_name Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 047/102] llist: clang: introduce member_address_is_nonnull() Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Szymon Janc, Marcel Holtmann

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Szymon Janc <szymon.janc@codecoup.pl>

commit 64e759f58f128730b97a3c3a26d283c075ad7c86 upstream.

If Security Request is received on connection that is already encrypted
with sufficient security master should perform encryption key refresh
procedure instead of just ignoring Slave Security Request
(Core Spec 5.0 Vol 3 Part H 2.4.6).

> ACL Data RX: Handle 3585 flags 0x02 dlen 6
      SMP: Security Request (0x0b) len 1
        Authentication requirement: Bonding, No MITM, SC, No Keypresses (0x09)
< HCI Command: LE Start Encryption (0x08|0x0019) plen 28
        Handle: 3585
        Random number: 0x0000000000000000
        Encrypted diversifier: 0x0000
        Long term key: 44264272a5c426a9e868f034cf0e69f3
> HCI Event: Command Status (0x0f) plen 4
      LE Start Encryption (0x08|0x0019) ncmd 1
        Status: Success (0x00)
> HCI Event: Encryption Key Refresh Complete (0x30) plen 3
        Status: Success (0x00)
        Handle: 3585

Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/smp.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2233,8 +2233,14 @@ static u8 smp_cmd_security_req(struct l2
 	else
 		sec_level = authreq_to_seclevel(auth);
 
-	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
+	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
+		/* If link is already encrypted with sufficient security we
+		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
+		 * Part H 2.4.6
+		 */
+		smp_ltk_encrypt(conn, hcon->sec_level);
 		return 0;
+	}
 
 	if (sec_level > hcon->pending_sec_level)
 		hcon->pending_sec_level = sec_level;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 047/102] llist: clang: introduce member_address_is_nonnull()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 046/102] Bluetooth: Fix missing encryption refresh on Security Request Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 048/102] scsi: virtio_scsi: always read VPD pages for multiqueue too Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Potapenko, Sodagudi Prasad,
	Linus Torvalds

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@google.com>

commit beaec533fc2701a28a4d667f67c9f59c6e4e0d13 upstream.

Currently llist_for_each_entry() and llist_for_each_entry_safe() iterate
until &pos->member != NULL.  But when building the kernel with Clang,
the compiler assumes &pos->member cannot be NULL if the member's offset
is greater than 0 (which would be equivalent to the object being
non-contiguous in memory).  Therefore the loop condition is always true,
and the loops become infinite.

To work around this, introduce the member_address_is_nonnull() macro,
which casts object pointer to uintptr_t, thus letting the member pointer
to be NULL.

Signed-off-by: Alexander Potapenko <glider@google.com>
Tested-by: Sodagudi Prasad <psodagud@codeaurora.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/llist.h |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/include/linux/llist.h
+++ b/include/linux/llist.h
@@ -88,6 +88,23 @@ static inline void init_llist_head(struc
 	container_of(ptr, type, member)
 
 /**
+ * member_address_is_nonnull - check whether the member address is not NULL
+ * @ptr:	the object pointer (struct type * that contains the llist_node)
+ * @member:	the name of the llist_node within the struct.
+ *
+ * This macro is conceptually the same as
+ *	&ptr->member != NULL
+ * but it works around the fact that compilers can decide that taking a member
+ * address is never a NULL pointer.
+ *
+ * Real objects that start at a high address and have a member at NULL are
+ * unlikely to exist, but such pointers may be returned e.g. by the
+ * container_of() macro.
+ */
+#define member_address_is_nonnull(ptr, member)	\
+	((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0)
+
+/**
  * llist_for_each - iterate over some deleted entries of a lock-less list
  * @pos:	the &struct llist_node to use as a loop cursor
  * @node:	the first entry of deleted list entries
@@ -121,7 +138,7 @@ static inline void init_llist_head(struc
  */
 #define llist_for_each_entry(pos, node, member)				\
 	for ((pos) = llist_entry((node), typeof(*(pos)), member);	\
-	     &(pos)->member != NULL;					\
+	     member_address_is_nonnull(pos, member);			\
 	     (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
 
 /**
@@ -143,7 +160,7 @@ static inline void init_llist_head(struc
  */
 #define llist_for_each_entry_safe(pos, n, node, member)			       \
 	for (pos = llist_entry((node), typeof(*pos), member);		       \
-	     &pos->member != NULL &&					       \
+	     member_address_is_nonnull(pos, member) &&			       \
 	        (n = llist_entry(pos->member.next, typeof(*n), member), true); \
 	     pos = n)
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 048/102] scsi: virtio_scsi: always read VPD pages for multiqueue too
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 047/102] llist: clang: introduce member_address_is_nonnull() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 049/102] usb: dwc2: Improve gadget state disconnection handling Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Gibson, Paolo Bonzini,
	Fam Zheng, Stefan Hajnoczi, Martin K. Petersen, Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit a680f1d463aeaeb00d22af257a56e111967c2f18 upstream.

Multi-queue virtio-scsi uses a different scsi_host_template struct.  Add
the .device_alloc field there, too.

Fixes: 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0
Cc: stable@vger.kernel.org
Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/virtio_scsi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -819,6 +819,7 @@ static struct scsi_host_template virtscs
 	.change_queue_depth = virtscsi_change_queue_depth,
 	.eh_abort_handler = virtscsi_abort,
 	.eh_device_reset_handler = virtscsi_device_reset,
+	.slave_alloc = virtscsi_device_alloc,
 
 	.can_queue = 1024,
 	.dma_boundary = UINT_MAX,

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 049/102] usb: dwc2: Improve gadget state disconnection handling
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 048/102] scsi: virtio_scsi: always read VPD pages for multiqueue too Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 050/102] arm64: mm: Use non-global mappings for kernel space Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Xu, Guodong Xu, Amit Pundir,
	YongQin Liu, John Youn, Minas Harutyunyan, Douglas Anderson,
	Chen Yu, Felipe Balbi, linux-usb, Minas Harutyunyan, John Stultz,
	Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Stultz <john.stultz@linaro.org>

commit d2471d4a24dfbff5e463d382e2c6fec7d7e25a09 upstream.

In the earlier commit dad3f793f20f ("usb: dwc2: Make sure we
disconnect the gadget state"), I was trying to fix up the
fact that we somehow weren't disconnecting the gadget state,
so that when the OTG port was plugged in the second time we
would get warnings about the state tracking being wrong.

(This seems to be due to a quirk of the HiKey board where
we do not ever get any otg interrupts, particularly the session
end detected signal. Instead we only see status change
interrupt.)

The fix there was somewhat simple, as it just made sure to
call dwc2_hsotg_disconnect() before we connected things up
in OTG mode, ensuring the state handling didn't throw errors.

But in looking at a different issue I was seeing with UDC
state handling, I realized that it would be much better
to call dwc2_hsotg_disconnect when we get the state change
signal moving to host mode.

Thus, this patch removes the earlier disconnect call I added
and moves it (and the needed locking) to the host mode
transition.

Cc: Wei Xu <xuwei5@hisilicon.com>
Cc: Guodong Xu <guodong.xu@linaro.org>
Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: YongQin Liu <yongqin.liu@linaro.org>
Cc: John Youn <johnyoun@synopsys.com>
Cc: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Cc: Douglas Anderson <dianders@chromium.org>
Cc: Chen Yu <chenyu56@huawei.com>
Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Acked-by: Minas Harutyunyan <hminas@synopsys.com>
Tested-by: Minas Harutyunyan <hminas@synopsys.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc2/hcd.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -3220,7 +3220,6 @@ static void dwc2_conn_id_status_change(s
 		dwc2_core_init(hsotg, false);
 		dwc2_enable_global_interrupts(hsotg);
 		spin_lock_irqsave(&hsotg->lock, flags);
-		dwc2_hsotg_disconnect(hsotg);
 		dwc2_hsotg_core_init_disconnected(hsotg, false);
 		spin_unlock_irqrestore(&hsotg->lock, flags);
 		dwc2_hsotg_core_connect(hsotg);
@@ -3238,8 +3237,12 @@ static void dwc2_conn_id_status_change(s
 		if (count > 250)
 			dev_err(hsotg->dev,
 				"Connection id status change timed out\n");
-		hsotg->op_state = OTG_STATE_A_HOST;
 
+		spin_lock_irqsave(&hsotg->lock, flags);
+		dwc2_hsotg_disconnect(hsotg);
+		spin_unlock_irqrestore(&hsotg->lock, flags);
+
+		hsotg->op_state = OTG_STATE_A_HOST;
 		/* Initialize the Core for Host mode */
 		dwc2_core_init(hsotg, false);
 		dwc2_enable_global_interrupts(hsotg);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 050/102] arm64: mm: Use non-global mappings for kernel space
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 049/102] usb: dwc2: Improve gadget state disconnection handling Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 051/102] arm64: mm: Move ASID from TTBR0 to TTBR1 Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit e046eb0c9bf2 upstream.

In preparation for unmapping the kernel whilst running in userspace,
make the kernel mappings non-global so we can avoid expensive TLB
invalidation on kernel exit to userspace.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/kernel-pgtable.h |   12 ++++++++++--
 arch/arm64/include/asm/pgtable-prot.h   |   21 +++++++++++++++------
 2 files changed, 25 insertions(+), 8 deletions(-)

--- a/arch/arm64/include/asm/kernel-pgtable.h
+++ b/arch/arm64/include/asm/kernel-pgtable.h
@@ -71,8 +71,16 @@
 /*
  * Initial memory map attributes.
  */
-#define SWAPPER_PTE_FLAGS	(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
-#define SWAPPER_PMD_FLAGS	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
+#define _SWAPPER_PTE_FLAGS	(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
+#define _SWAPPER_PMD_FLAGS	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
+
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+#define SWAPPER_PTE_FLAGS	(_SWAPPER_PTE_FLAGS | PTE_NG)
+#define SWAPPER_PMD_FLAGS	(_SWAPPER_PMD_FLAGS | PMD_SECT_NG)
+#else
+#define SWAPPER_PTE_FLAGS	_SWAPPER_PTE_FLAGS
+#define SWAPPER_PMD_FLAGS	_SWAPPER_PMD_FLAGS
+#endif
 
 #if ARM64_SWAPPER_USES_SECTION_MAPS
 #define SWAPPER_MM_MMUFLAGS	(PMD_ATTRINDX(MT_NORMAL) | SWAPPER_PMD_FLAGS)
--- a/arch/arm64/include/asm/pgtable-prot.h
+++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -34,8 +34,16 @@
 
 #include <asm/pgtable-types.h>
 
-#define PROT_DEFAULT		(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
-#define PROT_SECT_DEFAULT	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
+#define _PROT_DEFAULT		(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
+#define _PROT_SECT_DEFAULT	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
+
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+#define PROT_DEFAULT		(_PROT_DEFAULT | PTE_NG)
+#define PROT_SECT_DEFAULT	(_PROT_SECT_DEFAULT | PMD_SECT_NG)
+#else
+#define PROT_DEFAULT		_PROT_DEFAULT
+#define PROT_SECT_DEFAULT	_PROT_SECT_DEFAULT
+#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
 
 #define PROT_DEVICE_nGnRnE	(PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
 #define PROT_DEVICE_nGnRE	(PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
@@ -48,6 +56,7 @@
 #define PROT_SECT_NORMAL_EXEC	(PROT_SECT_DEFAULT | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
 
 #define _PAGE_DEFAULT		(PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
+#define _HYP_PAGE_DEFAULT	(_PAGE_DEFAULT & ~PTE_NG)
 
 #define PAGE_KERNEL		__pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE)
 #define PAGE_KERNEL_RO		__pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_RDONLY)
@@ -55,15 +64,15 @@
 #define PAGE_KERNEL_EXEC	__pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_WRITE)
 #define PAGE_KERNEL_EXEC_CONT	__pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_CONT)
 
-#define PAGE_HYP		__pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN)
-#define PAGE_HYP_EXEC		__pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY)
-#define PAGE_HYP_RO		__pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | PTE_HYP_XN)
+#define PAGE_HYP		__pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN)
+#define PAGE_HYP_EXEC		__pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY)
+#define PAGE_HYP_RO		__pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | PTE_HYP_XN)
 #define PAGE_HYP_DEVICE		__pgprot(PROT_DEVICE_nGnRE | PTE_HYP)
 
 #define PAGE_S2			__pgprot(PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY)
 #define PAGE_S2_DEVICE		__pgprot(PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
 
-#define PAGE_NONE		__pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_PXN | PTE_UXN)
+#define PAGE_NONE		__pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_NG | PTE_PXN | PTE_UXN)
 #define PAGE_SHARED		__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
 #define PAGE_SHARED_EXEC	__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_WRITE)
 #define PAGE_COPY		__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 051/102] arm64: mm: Move ASID from TTBR0 to TTBR1
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 050/102] arm64: mm: Use non-global mappings for kernel space Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 052/102] arm64: mm: Allocate ASIDs in pairs Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 7655abb95386 upstream.

In preparation for mapping kernelspace and userspace with different
ASIDs, move the ASID to TTBR1 and update switch_mm to context-switch
TTBR0 via an invalid mapping (the zero page).

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/mmu_context.h   |    7 +++++++
 arch/arm64/include/asm/pgtable-hwdef.h |    1 +
 arch/arm64/include/asm/proc-fns.h      |    6 ------
 arch/arm64/mm/proc.S                   |    9 ++++++---
 4 files changed, 14 insertions(+), 9 deletions(-)

--- a/arch/arm64/include/asm/mmu_context.h
+++ b/arch/arm64/include/asm/mmu_context.h
@@ -50,6 +50,13 @@ static inline void cpu_set_reserved_ttbr
 	isb();
 }
 
+static inline void cpu_switch_mm(pgd_t *pgd, struct mm_struct *mm)
+{
+	BUG_ON(pgd == swapper_pg_dir);
+	cpu_set_reserved_ttbr0();
+	cpu_do_switch_mm(virt_to_phys(pgd),mm);
+}
+
 /*
  * TCR.T0SZ value to use when the ID map is active. Usually equals
  * TCR_T0SZ(VA_BITS), unless system RAM is positioned very high in
--- a/arch/arm64/include/asm/pgtable-hwdef.h
+++ b/arch/arm64/include/asm/pgtable-hwdef.h
@@ -272,6 +272,7 @@
 #define TCR_TG1_4K		(UL(2) << TCR_TG1_SHIFT)
 #define TCR_TG1_64K		(UL(3) << TCR_TG1_SHIFT)
 
+#define TCR_A1			(UL(1) << 22)
 #define TCR_ASID16		(UL(1) << 36)
 #define TCR_TBI0		(UL(1) << 37)
 #define TCR_HA			(UL(1) << 39)
--- a/arch/arm64/include/asm/proc-fns.h
+++ b/arch/arm64/include/asm/proc-fns.h
@@ -35,12 +35,6 @@ extern u64 cpu_do_resume(phys_addr_t ptr
 
 #include <asm/memory.h>
 
-#define cpu_switch_mm(pgd,mm)				\
-do {							\
-	BUG_ON(pgd == swapper_pg_dir);			\
-	cpu_do_switch_mm(virt_to_phys(pgd),mm);		\
-} while (0)
-
 #endif /* __ASSEMBLY__ */
 #endif /* __KERNEL__ */
 #endif /* __ASM_PROCFNS_H */
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -132,9 +132,12 @@ ENDPROC(cpu_do_resume)
  *	- pgd_phys - physical address of new TTB
  */
 ENTRY(cpu_do_switch_mm)
+	mrs	x2, ttbr1_el1
 	mmid	x1, x1				// get mm->context.id
-	bfi	x0, x1, #48, #16		// set the ASID
-	msr	ttbr0_el1, x0			// set TTBR0
+	bfi	x2, x1, #48, #16		// set the ASID
+	msr	ttbr1_el1, x2			// in TTBR1 (since TCR.A1 is set)
+	isb
+	msr	ttbr0_el1, x0			// now update TTBR0
 	isb
 alternative_if ARM64_WORKAROUND_CAVIUM_27456
 	ic	iallu
@@ -222,7 +225,7 @@ ENTRY(__cpu_setup)
 	 * both user and kernel.
 	 */
 	ldr	x10, =TCR_TxSZ(VA_BITS) | TCR_CACHE_FLAGS | TCR_SMP_FLAGS | \
-			TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0
+			TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0 | TCR_A1
 	tcr_set_idmap_t0sz	x10, x9
 
 	/*

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 052/102] arm64: mm: Allocate ASIDs in pairs
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 051/102] arm64: mm: Move ASID from TTBR0 to TTBR1 Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 053/102] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 0c8ea531b774 upstream.

In preparation for separate kernel/user ASIDs, allocate them in pairs
for each mm_struct. The bottom bit distinguishes the two: if it is set,
then the ASID will map only userspace.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/mmu.h |    2 ++
 arch/arm64/mm/context.c      |   25 +++++++++++++++++--------
 2 files changed, 19 insertions(+), 8 deletions(-)

--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -16,6 +16,8 @@
 #ifndef __ASM_MMU_H
 #define __ASM_MMU_H
 
+#define USER_ASID_FLAG	(UL(1) << 48)
+
 typedef struct {
 	atomic64_t	id;
 	void		*vdso;
--- a/arch/arm64/mm/context.c
+++ b/arch/arm64/mm/context.c
@@ -39,7 +39,16 @@ static cpumask_t tlb_flush_pending;
 
 #define ASID_MASK		(~GENMASK(asid_bits - 1, 0))
 #define ASID_FIRST_VERSION	(1UL << asid_bits)
-#define NUM_USER_ASIDS		ASID_FIRST_VERSION
+
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+#define NUM_USER_ASIDS		(ASID_FIRST_VERSION >> 1)
+#define asid2idx(asid)		(((asid) & ~ASID_MASK) >> 1)
+#define idx2asid(idx)		(((idx) << 1) & ~ASID_MASK)
+#else
+#define NUM_USER_ASIDS		(ASID_FIRST_VERSION)
+#define asid2idx(asid)		((asid) & ~ASID_MASK)
+#define idx2asid(idx)		asid2idx(idx)
+#endif
 
 /* Get the ASIDBits supported by the current CPU */
 static u32 get_cpu_asid_bits(void)
@@ -104,7 +113,7 @@ static void flush_context(unsigned int c
 		 */
 		if (asid == 0)
 			asid = per_cpu(reserved_asids, i);
-		__set_bit(asid & ~ASID_MASK, asid_map);
+		__set_bit(asid2idx(asid), asid_map);
 		per_cpu(reserved_asids, i) = asid;
 	}
 
@@ -159,16 +168,16 @@ static u64 new_context(struct mm_struct
 		 * We had a valid ASID in a previous life, so try to re-use
 		 * it if possible.
 		 */
-		asid &= ~ASID_MASK;
-		if (!__test_and_set_bit(asid, asid_map))
+		if (!__test_and_set_bit(asid2idx(asid), asid_map))
 			return newasid;
 	}
 
 	/*
 	 * Allocate a free ASID. If we can't find one, take a note of the
-	 * currently active ASIDs and mark the TLBs as requiring flushes.
-	 * We always count from ASID #1, as we use ASID #0 when setting a
-	 * reserved TTBR0 for the init_mm.
+	 * currently active ASIDs and mark the TLBs as requiring flushes.  We
+	 * always count from ASID #2 (index 1), as we use ASID #0 when setting
+	 * a reserved TTBR0 for the init_mm and we allocate ASIDs in even/odd
+	 * pairs.
 	 */
 	asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
 	if (asid != NUM_USER_ASIDS)
@@ -185,7 +194,7 @@ static u64 new_context(struct mm_struct
 set_asid:
 	__set_bit(asid, asid_map);
 	cur_idx = asid;
-	return asid | generation;
+	return idx2asid(asid) | generation;
 }
 
 void check_and_switch_context(struct mm_struct *mm, unsigned int cpu)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 053/102] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 052/102] arm64: mm: Allocate ASIDs in pairs Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 054/102] arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit fc0e1299da54 upstream.

In order for code such as TLB invalidation to operate efficiently when
the decision to map the kernel at EL0 is determined at runtime, this
patch introduces a helper function, arm64_kernel_unmapped_at_el0, to
determine whether or not the kernel is mapped whilst running in userspace.

Currently, this just reports the value of CONFIG_UNMAP_KERNEL_AT_EL0,
but will later be hooked up to a fake CPU capability using a static key.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/mmu.h |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -18,6 +18,8 @@
 
 #define USER_ASID_FLAG	(UL(1) << 48)
 
+#ifndef __ASSEMBLY__
+
 typedef struct {
 	atomic64_t	id;
 	void		*vdso;
@@ -30,6 +32,11 @@ typedef struct {
  */
 #define ASID(mm)	((mm)->context.id.counter & 0xffff)
 
+static inline bool arm64_kernel_unmapped_at_el0(void)
+{
+	return IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0);
+}
+
 extern void paging_init(void);
 extern void bootmem_init(void);
 extern void __iomem *early_io_map(phys_addr_t phys, unsigned long virt);
@@ -39,4 +46,5 @@ extern void create_pgd_mapping(struct mm
 			       pgprot_t prot, bool allow_block_mappings);
 extern void *fixmap_remap_fdt(phys_addr_t dt_phys);
 
+#endif	/* !__ASSEMBLY__ */
 #endif

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 054/102] arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 053/102] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 055/102] arm64: factor out entry stack manipulation Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 9b0de864b5bc upstream.

Since an mm has both a kernel and a user ASID, we need to ensure that
broadcast TLB maintenance targets both address spaces so that things
like CoW continue to work with the uaccess primitives in the kernel.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/tlbflush.h |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -23,6 +23,7 @@
 
 #include <linux/sched.h>
 #include <asm/cputype.h>
+#include <asm/mmu.h>
 
 /*
  * Raw TLBI operations.
@@ -42,6 +43,11 @@
 
 #define __tlbi(op, ...)		__TLBI_N(op, ##__VA_ARGS__, 1, 0)
 
+#define __tlbi_user(op, arg) do {						\
+	if (arm64_kernel_unmapped_at_el0())					\
+		__tlbi(op, (arg) | USER_ASID_FLAG);				\
+} while (0)
+
 /*
  *	TLB Management
  *	==============
@@ -103,6 +109,7 @@ static inline void flush_tlb_mm(struct m
 
 	dsb(ishst);
 	__tlbi(aside1is, asid);
+	__tlbi_user(aside1is, asid);
 	dsb(ish);
 }
 
@@ -113,6 +120,7 @@ static inline void flush_tlb_page(struct
 
 	dsb(ishst);
 	__tlbi(vale1is, addr);
+	__tlbi_user(vale1is, addr);
 	dsb(ish);
 }
 
@@ -139,10 +147,13 @@ static inline void __flush_tlb_range(str
 
 	dsb(ishst);
 	for (addr = start; addr < end; addr += 1 << (PAGE_SHIFT - 12)) {
-		if (last_level)
+		if (last_level) {
 			__tlbi(vale1is, addr);
-		else
+			__tlbi_user(vale1is, addr);
+		} else {
 			__tlbi(vae1is, addr);
+			__tlbi_user(vae1is, addr);
+		}
 	}
 	dsb(ish);
 }
@@ -182,6 +193,7 @@ static inline void __flush_tlb_pgtable(s
 	unsigned long addr = uaddr >> 12 | (ASID(mm) << 48);
 
 	__tlbi(vae1is, addr);
+	__tlbi_user(vae1is, addr);
 	dsb(ish);
 }
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 055/102] arm64: factor out entry stack manipulation
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 054/102] arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 056/102] module: extend rodata=off boot cmdline parameter to module mappings Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Ard Biesheuvel, Mark Rutland, Will Deacon,
	Laura Abbott, Catalin Marinas, James Morse, Greg Hackmann,
	Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit b11e5759bfac upstream.

In subsequent patches, we will detect stack overflow in our exception
entry code, by verifying the SP after it has been decremented to make
space for the exception regs.

This verification code is small, and we can minimize its impact by
placing it directly in the vectors. To avoid redundant modification of
the SP, we also need to move the initial decrement of the SP into the
vectors.

As a preparatory step, this patch introduces kernel_ventry, which
performs this decrement, and updates the entry code accordingly.
Subsequent patches will fold SP verification into kernel_ventry.

There should be no functional change as a result of this patch.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[Mark: turn into prep patch, expand commit msg]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Will Deacon <will.deacon@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |   51 +++++++++++++++++++++++++---------------------
 1 file changed, 28 insertions(+), 23 deletions(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -68,8 +68,13 @@
 #define BAD_FIQ		2
 #define BAD_ERROR	3
 
-	.macro	kernel_entry, el, regsize = 64
+	.macro kernel_ventry	label
+	.align 7
 	sub	sp, sp, #S_FRAME_SIZE
+	b	\label
+	.endm
+
+	.macro	kernel_entry, el, regsize = 64
 	.if	\regsize == 32
 	mov	w0, w0				// zero upper 32 bits of x0
 	.endif
@@ -257,31 +262,31 @@ tsk	.req	x28		// current thread_info
 
 	.align	11
 ENTRY(vectors)
-	ventry	el1_sync_invalid		// Synchronous EL1t
-	ventry	el1_irq_invalid			// IRQ EL1t
-	ventry	el1_fiq_invalid			// FIQ EL1t
-	ventry	el1_error_invalid		// Error EL1t
-
-	ventry	el1_sync			// Synchronous EL1h
-	ventry	el1_irq				// IRQ EL1h
-	ventry	el1_fiq_invalid			// FIQ EL1h
-	ventry	el1_error_invalid		// Error EL1h
-
-	ventry	el0_sync			// Synchronous 64-bit EL0
-	ventry	el0_irq				// IRQ 64-bit EL0
-	ventry	el0_fiq_invalid			// FIQ 64-bit EL0
-	ventry	el0_error_invalid		// Error 64-bit EL0
+	kernel_ventry	el1_sync_invalid		// Synchronous EL1t
+	kernel_ventry	el1_irq_invalid			// IRQ EL1t
+	kernel_ventry	el1_fiq_invalid			// FIQ EL1t
+	kernel_ventry	el1_error_invalid		// Error EL1t
+
+	kernel_ventry	el1_sync			// Synchronous EL1h
+	kernel_ventry	el1_irq				// IRQ EL1h
+	kernel_ventry	el1_fiq_invalid			// FIQ EL1h
+	kernel_ventry	el1_error_invalid		// Error EL1h
+
+	kernel_ventry	el0_sync			// Synchronous 64-bit EL0
+	kernel_ventry	el0_irq				// IRQ 64-bit EL0
+	kernel_ventry	el0_fiq_invalid			// FIQ 64-bit EL0
+	kernel_ventry	el0_error_invalid		// Error 64-bit EL0
 
 #ifdef CONFIG_COMPAT
-	ventry	el0_sync_compat			// Synchronous 32-bit EL0
-	ventry	el0_irq_compat			// IRQ 32-bit EL0
-	ventry	el0_fiq_invalid_compat		// FIQ 32-bit EL0
-	ventry	el0_error_invalid_compat	// Error 32-bit EL0
+	kernel_ventry	el0_sync_compat			// Synchronous 32-bit EL0
+	kernel_ventry	el0_irq_compat			// IRQ 32-bit EL0
+	kernel_ventry	el0_fiq_invalid_compat		// FIQ 32-bit EL0
+	kernel_ventry	el0_error_invalid_compat	// Error 32-bit EL0
 #else
-	ventry	el0_sync_invalid		// Synchronous 32-bit EL0
-	ventry	el0_irq_invalid			// IRQ 32-bit EL0
-	ventry	el0_fiq_invalid			// FIQ 32-bit EL0
-	ventry	el0_error_invalid		// Error 32-bit EL0
+	kernel_ventry	el0_sync_invalid		// Synchronous 32-bit EL0
+	kernel_ventry	el0_irq_invalid			// IRQ 32-bit EL0
+	kernel_ventry	el0_fiq_invalid			// FIQ 32-bit EL0
+	kernel_ventry	el0_error_invalid		// Error 32-bit EL0
 #endif
 END(vectors)
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 056/102] module: extend rodata=off boot cmdline parameter to module mappings
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 055/102] arm64: factor out entry stack manipulation Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 057/102] arm64: entry: Add exception trampoline page for exceptions from EL0 Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, and Acked-by: Mark Rutland, AKASHI Takahiro,
	Kees Cook, Rusty Russell, Jessica Yu, Will Deacon, Greg Hackmann,
	Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: AKASHI Takahiro <takahiro.akashi@linaro.org>

commit 39290b389ea upstream.

The current "rodata=off" parameter disables read-only kernel mappings
under CONFIG_DEBUG_RODATA:
    commit d2aa1acad22f ("mm/init: Add 'rodata=off' boot cmdline parameter
    to disable read-only kernel mappings")

This patch is a logical extension to module mappings ie. read-only mappings
at module loading can be disabled even if CONFIG_DEBUG_SET_MODULE_RONX
(mainly for debug use). Please note, however, that it only affects RO/RW
permissions, keeping NX set.

This is the first step to make CONFIG_DEBUG_SET_MODULE_RONX mandatory
(always-on) in the future as CONFIG_DEBUG_RODATA on x86 and arm64.

Suggested-by: and Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Rusty Russell <rusty@rustcorp.com.au>
Link: http://lkml.kernel.org/r/20161114061505.15238-1-takahiro.akashi@linaro.org
Signed-off-by: Jessica Yu <jeyu@redhat.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/init.h |    3 +++
 init/main.c          |    7 +++++--
 kernel/module.c      |   20 +++++++++++++++++---
 3 files changed, 25 insertions(+), 5 deletions(-)

--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -133,6 +133,9 @@ void prepare_namespace(void);
 void __init load_default_modules(void);
 int __init init_rootfs(void);
 
+#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_DEBUG_SET_MODULE_RONX)
+extern bool rodata_enabled;
+#endif
 #ifdef CONFIG_DEBUG_RODATA
 void mark_rodata_ro(void);
 #endif
--- a/init/main.c
+++ b/init/main.c
@@ -81,6 +81,7 @@
 #include <linux/proc_ns.h>
 #include <linux/io.h>
 #include <linux/kaiser.h>
+#include <linux/cache.h>
 
 #include <asm/io.h>
 #include <asm/bugs.h>
@@ -914,14 +915,16 @@ static int try_to_run_init_process(const
 
 static noinline void __init kernel_init_freeable(void);
 
-#ifdef CONFIG_DEBUG_RODATA
-static bool rodata_enabled = true;
+#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_SET_MODULE_RONX)
+bool rodata_enabled __ro_after_init = true;
 static int __init set_debug_rodata(char *str)
 {
 	return strtobool(str, &rodata_enabled);
 }
 __setup("rodata=", set_debug_rodata);
+#endif
 
+#ifdef CONFIG_DEBUG_RODATA
 static void mark_readonly(void)
 {
 	if (rodata_enabled)
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1911,6 +1911,9 @@ static void frob_writable_data(const str
 /* livepatching wants to disable read-only so it can frob module. */
 void module_disable_ro(const struct module *mod)
 {
+	if (!rodata_enabled)
+		return;
+
 	frob_text(&mod->core_layout, set_memory_rw);
 	frob_rodata(&mod->core_layout, set_memory_rw);
 	frob_ro_after_init(&mod->core_layout, set_memory_rw);
@@ -1920,6 +1923,9 @@ void module_disable_ro(const struct modu
 
 void module_enable_ro(const struct module *mod, bool after_init)
 {
+	if (!rodata_enabled)
+		return;
+
 	frob_text(&mod->core_layout, set_memory_ro);
 	frob_rodata(&mod->core_layout, set_memory_ro);
 	frob_text(&mod->init_layout, set_memory_ro);
@@ -1952,6 +1958,9 @@ void set_all_modules_text_rw(void)
 {
 	struct module *mod;
 
+	if (!rodata_enabled)
+		return;
+
 	mutex_lock(&module_mutex);
 	list_for_each_entry_rcu(mod, &modules, list) {
 		if (mod->state == MODULE_STATE_UNFORMED)
@@ -1968,6 +1977,9 @@ void set_all_modules_text_ro(void)
 {
 	struct module *mod;
 
+	if (!rodata_enabled)
+		return;
+
 	mutex_lock(&module_mutex);
 	list_for_each_entry_rcu(mod, &modules, list) {
 		if (mod->state == MODULE_STATE_UNFORMED)
@@ -1981,10 +1993,12 @@ void set_all_modules_text_ro(void)
 
 static void disable_ro_nx(const struct module_layout *layout)
 {
-	frob_text(layout, set_memory_rw);
-	frob_rodata(layout, set_memory_rw);
+	if (rodata_enabled) {
+		frob_text(layout, set_memory_rw);
+		frob_rodata(layout, set_memory_rw);
+		frob_ro_after_init(layout, set_memory_rw);
+	}
 	frob_rodata(layout, set_memory_x);
-	frob_ro_after_init(layout, set_memory_rw);
 	frob_ro_after_init(layout, set_memory_x);
 	frob_writable_data(layout, set_memory_x);
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 057/102] arm64: entry: Add exception trampoline page for exceptions from EL0
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 056/102] module: extend rodata=off boot cmdline parameter to module mappings Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 058/102] arm64: mm: Map entry trampoline into trampoline and kernel page tables Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit c7b9adaf85f8 upstream.

To allow unmapping of the kernel whilst running at EL0, we need to
point the exception vectors at an entry trampoline that can map/unmap
the kernel on entry/exit respectively.

This patch adds the trampoline page, although it is not yet plugged
into the vector table and is therefore unused.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[Alex: avoid dependency on SW PAN patches]
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
[Mark: remove dummy SW PAN definitions]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S       |   86 ++++++++++++++++++++++++++++++++++++++++
 arch/arm64/kernel/vmlinux.lds.S |   17 +++++++
 2 files changed, 103 insertions(+)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -29,9 +29,11 @@
 #include <asm/esr.h>
 #include <asm/irq.h>
 #include <asm/memory.h>
+#include <asm/mmu.h>
 #include <asm/thread_info.h>
 #include <asm/asm-uaccess.h>
 #include <asm/unistd.h>
+#include <asm/kernel-pgtable.h>
 
 /*
  * Context tracking subsystem.  Used to instrument transitions
@@ -806,6 +808,90 @@ __ni_sys_trace:
 
 	.popsection				// .entry.text
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+/*
+ * Exception vectors trampoline.
+ */
+	.pushsection ".entry.tramp.text", "ax"
+
+	.macro tramp_map_kernel, tmp
+	mrs	\tmp, ttbr1_el1
+	sub	\tmp, \tmp, #SWAPPER_DIR_SIZE
+	bic	\tmp, \tmp, #USER_ASID_FLAG
+	msr	ttbr1_el1, \tmp
+	.endm
+
+	.macro tramp_unmap_kernel, tmp
+	mrs	\tmp, ttbr1_el1
+	add	\tmp, \tmp, #SWAPPER_DIR_SIZE
+	orr	\tmp, \tmp, #USER_ASID_FLAG
+	msr	ttbr1_el1, \tmp
+	/*
+	 * We avoid running the post_ttbr_update_workaround here because the
+	 * user and kernel ASIDs don't have conflicting mappings, so any
+	 * "blessing" as described in:
+	 *
+	 *   http://lkml.kernel.org/r/56BB848A.6060603@caviumnetworks.com
+	 *
+	 * will not hurt correctness. Whilst this may partially defeat the
+	 * point of using split ASIDs in the first place, it avoids
+	 * the hit of invalidating the entire I-cache on every return to
+	 * userspace.
+	 */
+	.endm
+
+	.macro tramp_ventry, regsize = 64
+	.align	7
+1:
+	.if	\regsize == 64
+	msr	tpidrro_el0, x30	// Restored in kernel_ventry
+	.endif
+	tramp_map_kernel	x30
+	ldr	x30, =vectors
+	prfm	plil1strm, [x30, #(1b - tramp_vectors)]
+	msr	vbar_el1, x30
+	add	x30, x30, #(1b - tramp_vectors)
+	isb
+	br	x30
+	.endm
+
+	.macro tramp_exit, regsize = 64
+	adr	x30, tramp_vectors
+	msr	vbar_el1, x30
+	tramp_unmap_kernel	x30
+	.if	\regsize == 64
+	mrs	x30, far_el1
+	.endif
+	eret
+	.endm
+
+	.align	11
+ENTRY(tramp_vectors)
+	.space	0x400
+
+	tramp_ventry
+	tramp_ventry
+	tramp_ventry
+	tramp_ventry
+
+	tramp_ventry	32
+	tramp_ventry	32
+	tramp_ventry	32
+	tramp_ventry	32
+END(tramp_vectors)
+
+ENTRY(tramp_exit_native)
+	tramp_exit
+END(tramp_exit_native)
+
+ENTRY(tramp_exit_compat)
+	tramp_exit	32
+END(tramp_exit_compat)
+
+	.ltorg
+	.popsection				// .entry.tramp.text
+#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
+
 /*
  * Special system call wrappers.
  */
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -56,6 +56,17 @@ jiffies = jiffies_64;
 #define HIBERNATE_TEXT
 #endif
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+#define TRAMP_TEXT					\
+	. = ALIGN(PAGE_SIZE);				\
+	VMLINUX_SYMBOL(__entry_tramp_text_start) = .;	\
+	*(.entry.tramp.text)				\
+	. = ALIGN(PAGE_SIZE);				\
+	VMLINUX_SYMBOL(__entry_tramp_text_end) = .;
+#else
+#define TRAMP_TEXT
+#endif
+
 /*
  * The size of the PE/COFF section that covers the kernel image, which
  * runs from stext to _edata, must be a round multiple of the PE/COFF
@@ -128,6 +139,7 @@ SECTIONS
 			HYPERVISOR_TEXT
 			IDMAP_TEXT
 			HIBERNATE_TEXT
+			TRAMP_TEXT
 			*(.fixup)
 			*(.gnu.warning)
 		. = ALIGN(16);
@@ -216,6 +228,11 @@ SECTIONS
 	swapper_pg_dir = .;
 	. += SWAPPER_DIR_SIZE;
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	tramp_pg_dir = .;
+	. += PAGE_SIZE;
+#endif
+
 	_end = .;
 
 	STABS_DEBUG

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 058/102] arm64: mm: Map entry trampoline into trampoline and kernel page tables
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 057/102] arm64: entry: Add exception trampoline page for exceptions from EL0 Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 059/102] arm64: entry: Explicitly pass exception level to kernel_ventry macro Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Alex Shi, Greg Hackmann

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 51a0048beb44 upstream.

The exception entry trampoline needs to be mapped at the same virtual
address in both the trampoline page table (which maps nothing else)
and also the kernel page table, so that we can swizzle TTBR1_EL1 on
exceptions from and return to EL0.

This patch maps the trampoline at a fixed virtual address in the fixmap
area of the kernel virtual address space, which allows the kernel proper
to be randomized with respect to the trampoline when KASLR is enabled.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org>
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/fixmap.h  |    5 +++++
 arch/arm64/include/asm/pgtable.h |    1 +
 arch/arm64/kernel/asm-offsets.c  |    6 +++++-
 arch/arm64/mm/mmu.c              |   23 +++++++++++++++++++++++
 4 files changed, 34 insertions(+), 1 deletion(-)

--- a/arch/arm64/include/asm/fixmap.h
+++ b/arch/arm64/include/asm/fixmap.h
@@ -51,6 +51,11 @@ enum fixed_addresses {
 
 	FIX_EARLYCON_MEM_BASE,
 	FIX_TEXT_POKE0,
+
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	FIX_ENTRY_TRAMP_TEXT,
+#define TRAMP_VALIAS		(__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
+#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
 	__end_of_permanent_fixed_addresses,
 
 	/*
--- a/arch/arm64/include/asm/pgtable.h
+++ b/arch/arm64/include/asm/pgtable.h
@@ -692,6 +692,7 @@ static inline void pmdp_set_wrprotect(st
 
 extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
 extern pgd_t idmap_pg_dir[PTRS_PER_PGD];
+extern pgd_t tramp_pg_dir[PTRS_PER_PGD];
 
 /*
  * Encode and decode a swap entry:
--- a/arch/arm64/kernel/asm-offsets.c
+++ b/arch/arm64/kernel/asm-offsets.c
@@ -24,6 +24,7 @@
 #include <linux/kvm_host.h>
 #include <linux/suspend.h>
 #include <asm/cpufeature.h>
+#include <asm/fixmap.h>
 #include <asm/thread_info.h>
 #include <asm/memory.h>
 #include <asm/smp_plat.h>
@@ -144,11 +145,14 @@ int main(void)
   DEFINE(ARM_SMCCC_RES_X2_OFFS,		offsetof(struct arm_smccc_res, a2));
   DEFINE(ARM_SMCCC_QUIRK_ID_OFFS,	offsetof(struct arm_smccc_quirk, id));
   DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS,	offsetof(struct arm_smccc_quirk, state));
-
   BLANK();
   DEFINE(HIBERN_PBE_ORIG,	offsetof(struct pbe, orig_address));
   DEFINE(HIBERN_PBE_ADDR,	offsetof(struct pbe, address));
   DEFINE(HIBERN_PBE_NEXT,	offsetof(struct pbe, next));
   DEFINE(ARM64_FTR_SYSVAL,	offsetof(struct arm64_ftr_reg, sys_val));
+  BLANK();
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+  DEFINE(TRAMP_VALIAS,		TRAMP_VALIAS);
+#endif
   return 0;
 }
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -419,6 +419,29 @@ static void __init map_kernel_segment(pg
 	vm_area_add_early(vma);
 }
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+static int __init map_entry_trampoline(void)
+{
+	extern char __entry_tramp_text_start[];
+
+	pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;
+	phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
+
+	/* The trampoline is always mapped and can therefore be global */
+	pgprot_val(prot) &= ~PTE_NG;
+
+	/* Map only the text into the trampoline page table */
+	memset(tramp_pg_dir, 0, PGD_SIZE);
+	__create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,
+			     prot, pgd_pgtable_alloc, 0);
+
+	/* ...as well as the kernel page table */
+	__set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);
+	return 0;
+}
+core_initcall(map_entry_trampoline);
+#endif
+
 /*
  * Create fine-grained mappings for the kernel.
  */

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 059/102] arm64: entry: Explicitly pass exception level to kernel_ventry macro
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 058/102] arm64: mm: Map entry trampoline into trampoline and kernel page tables Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 060/102] arm64: entry: Hook up entry trampoline to exception vectors Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 5b1f7fe41909 upstream.

We will need to treat exceptions from EL0 differently in kernel_ventry,
so rework the macro to take the exception level as an argument and
construct the branch target using that.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
[Mark: avoid dependency on C error handler backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |   48 +++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -70,10 +70,10 @@
 #define BAD_FIQ		2
 #define BAD_ERROR	3
 
-	.macro kernel_ventry	label
+	.macro kernel_ventry, el, label, regsize = 64
 	.align 7
 	sub	sp, sp, #S_FRAME_SIZE
-	b	\label
+	b	el\()\el\()_\label
 	.endm
 
 	.macro	kernel_entry, el, regsize = 64
@@ -264,31 +264,31 @@ tsk	.req	x28		// current thread_info
 
 	.align	11
 ENTRY(vectors)
-	kernel_ventry	el1_sync_invalid		// Synchronous EL1t
-	kernel_ventry	el1_irq_invalid			// IRQ EL1t
-	kernel_ventry	el1_fiq_invalid			// FIQ EL1t
-	kernel_ventry	el1_error_invalid		// Error EL1t
-
-	kernel_ventry	el1_sync			// Synchronous EL1h
-	kernel_ventry	el1_irq				// IRQ EL1h
-	kernel_ventry	el1_fiq_invalid			// FIQ EL1h
-	kernel_ventry	el1_error_invalid		// Error EL1h
-
-	kernel_ventry	el0_sync			// Synchronous 64-bit EL0
-	kernel_ventry	el0_irq				// IRQ 64-bit EL0
-	kernel_ventry	el0_fiq_invalid			// FIQ 64-bit EL0
-	kernel_ventry	el0_error_invalid		// Error 64-bit EL0
+	kernel_ventry	1, sync_invalid			// Synchronous EL1t
+	kernel_ventry	1, irq_invalid			// IRQ EL1t
+	kernel_ventry	1, fiq_invalid			// FIQ EL1t
+	kernel_ventry	1, error_invalid		// Error EL1t
+
+	kernel_ventry	1, sync				// Synchronous EL1h
+	kernel_ventry	1, irq				// IRQ EL1h
+	kernel_ventry	1, fiq_invalid			// FIQ EL1h
+	kernel_ventry	1, error_invalid		// Error EL1h
+
+	kernel_ventry	0, sync				// Synchronous 64-bit EL0
+	kernel_ventry	0, irq				// IRQ 64-bit EL0
+	kernel_ventry	0, fiq_invalid			// FIQ 64-bit EL0
+	kernel_ventry	0, error_invalid		// Error 64-bit EL0
 
 #ifdef CONFIG_COMPAT
-	kernel_ventry	el0_sync_compat			// Synchronous 32-bit EL0
-	kernel_ventry	el0_irq_compat			// IRQ 32-bit EL0
-	kernel_ventry	el0_fiq_invalid_compat		// FIQ 32-bit EL0
-	kernel_ventry	el0_error_invalid_compat	// Error 32-bit EL0
+	kernel_ventry	0, sync_compat, 32		// Synchronous 32-bit EL0
+	kernel_ventry	0, irq_compat, 32		// IRQ 32-bit EL0
+	kernel_ventry	0, fiq_invalid_compat, 32	// FIQ 32-bit EL0
+	kernel_ventry	0, error_invalid_compat, 32	// Error 32-bit EL0
 #else
-	kernel_ventry	el0_sync_invalid		// Synchronous 32-bit EL0
-	kernel_ventry	el0_irq_invalid			// IRQ 32-bit EL0
-	kernel_ventry	el0_fiq_invalid			// FIQ 32-bit EL0
-	kernel_ventry	el0_error_invalid		// Error 32-bit EL0
+	kernel_ventry	0, sync_invalid, 32		// Synchronous 32-bit EL0
+	kernel_ventry	0, irq_invalid, 32		// IRQ 32-bit EL0
+	kernel_ventry	0, fiq_invalid, 32		// FIQ 32-bit EL0
+	kernel_ventry	0, error_invalid, 32		// Error 32-bit EL0
 #endif
 END(vectors)
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 060/102] arm64: entry: Hook up entry trampoline to exception vectors
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 059/102] arm64: entry: Explicitly pass exception level to kernel_ventry macro Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 061/102] arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 4bf3286d29f3 upstream.

Hook up the entry trampoline to our exception vectors so that all
exceptions from and returns to EL0 go via the trampoline, which swizzles
the vector base register accordingly. Transitioning to and from the
kernel clobbers x30, so we use tpidrro_el0 and far_el1 as scratch
registers for native tasks.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |   39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -72,10 +72,26 @@
 
 	.macro kernel_ventry, el, label, regsize = 64
 	.align 7
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	.if	\el == 0
+	.if	\regsize == 64
+	mrs	x30, tpidrro_el0
+	msr	tpidrro_el0, xzr
+	.else
+	mov	x30, xzr
+	.endif
+	.endif
+#endif
+
 	sub	sp, sp, #S_FRAME_SIZE
 	b	el\()\el\()_\label
 	.endm
 
+	.macro tramp_alias, dst, sym
+	mov_q	\dst, TRAMP_VALIAS
+	add	\dst, \dst, #(\sym - .entry.tramp.text)
+	.endm
+
 	.macro	kernel_entry, el, regsize = 64
 	.if	\regsize == 32
 	mov	w0, w0				// zero upper 32 bits of x0
@@ -157,18 +173,20 @@
 	ct_user_enter
 	ldr	x23, [sp, #S_SP]		// load return stack pointer
 	msr	sp_el0, x23
+	tst	x22, #PSR_MODE32_BIT		// native task?
+	b.eq	3f
+
 #ifdef CONFIG_ARM64_ERRATUM_845719
 alternative_if ARM64_WORKAROUND_845719
-	tbz	x22, #4, 1f
 #ifdef CONFIG_PID_IN_CONTEXTIDR
 	mrs	x29, contextidr_el1
 	msr	contextidr_el1, x29
 #else
 	msr contextidr_el1, xzr
 #endif
-1:
 alternative_else_nop_endif
 #endif
+3:
 	.endif
 	msr	elr_el1, x21			// set up the return data
 	msr	spsr_el1, x22
@@ -189,7 +207,22 @@ alternative_else_nop_endif
 	ldp	x28, x29, [sp, #16 * 14]
 	ldr	lr, [sp, #S_LR]
 	add	sp, sp, #S_FRAME_SIZE		// restore sp
-	eret					// return to kernel
+
+#ifndef CONFIG_UNMAP_KERNEL_AT_EL0
+	eret
+#else
+	.if	\el == 0
+	bne	4f
+	msr	far_el1, x30
+	tramp_alias	x30, tramp_exit_native
+	br	x30
+4:
+	tramp_alias	x30, tramp_exit_compat
+	br	x30
+	.else
+	eret
+	.endif
+#endif
 	.endm
 
 	.macro	get_thread_info, rd

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 061/102] arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 060/102] arm64: entry: Hook up entry trampoline to exception vectors Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 062/102] arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 18011eac28c7 upstream.

When unmapping the kernel at EL0, we use tpidrro_el0 as a scratch register
during exception entry from native tasks and subsequently zero it in
the kernel_ventry macro. We can therefore avoid zeroing tpidrro_el0
in the context-switch path for native tasks using the entry trampoline.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/process.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -306,17 +306,17 @@ int copy_thread(unsigned long clone_flag
 
 static void tls_thread_switch(struct task_struct *next)
 {
-	unsigned long tpidr, tpidrro;
+	unsigned long tpidr;
 
 	tpidr = read_sysreg(tpidr_el0);
 	*task_user_tls(current) = tpidr;
 
-	tpidr = *task_user_tls(next);
-	tpidrro = is_compat_thread(task_thread_info(next)) ?
-		  next->thread.tp_value : 0;
+	if (is_compat_thread(task_thread_info(next)))
+		write_sysreg(next->thread.tp_value, tpidrro_el0);
+	else if (!arm64_kernel_unmapped_at_el0())
+		write_sysreg(0, tpidrro_el0);
 
-	write_sysreg(tpidr, tpidr_el0);
-	write_sysreg(tpidrro, tpidrro_el0);
+	write_sysreg(*task_user_tls(next), tpidr_el0);
 }
 
 /* Restore the UAO state depending on next's addr_limit */

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 062/102] arm64: entry: Add fake CPU feature for unmapping the kernel at EL0
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 061/102] arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 063/102] arm64: kaslr: Put kernel vectors address in separate data page Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit ea1e3de85e94 upstream.

Allow explicit disabling of the entry trampoline on the kernel command
line (kpti=off) by adding a fake CPU feature (ARM64_UNMAP_KERNEL_AT_EL0)
that can be used to toggle the alternative sequences in our entry code and
avoid use of the trampoline altogether if desired. This also allows us to
make use of a static key in arm64_kernel_unmapped_at_el0().

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[Alex: use first free cpucap number, use cpus_have_cap]
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cpucaps.h |    3 +-
 arch/arm64/include/asm/mmu.h     |    3 +-
 arch/arm64/kernel/cpufeature.c   |   41 +++++++++++++++++++++++++++++++++++++++
 arch/arm64/kernel/entry.S        |    9 ++++----
 4 files changed, 50 insertions(+), 6 deletions(-)

--- a/arch/arm64/include/asm/cpucaps.h
+++ b/arch/arm64/include/asm/cpucaps.h
@@ -34,7 +34,8 @@
 #define ARM64_HAS_32BIT_EL0			13
 #define ARM64_HYP_OFFSET_LOW			14
 #define ARM64_MISMATCHED_CACHE_LINE_SIZE	15
+#define ARM64_UNMAP_KERNEL_AT_EL0		16
 
-#define ARM64_NCAPS				16
+#define ARM64_NCAPS				17
 
 #endif /* __ASM_CPUCAPS_H */
--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -34,7 +34,8 @@ typedef struct {
 
 static inline bool arm64_kernel_unmapped_at_el0(void)
 {
-	return IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0);
+	return IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0) &&
+	       cpus_have_cap(ARM64_UNMAP_KERNEL_AT_EL0);
 }
 
 extern void paging_init(void);
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -746,6 +746,40 @@ static bool hyp_offset_low(const struct
 	return idmap_addr > GENMASK(VA_BITS - 2, 0) && !is_kernel_in_hyp_mode();
 }
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
+
+static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
+				int __unused)
+{
+	/* Forced on command line? */
+	if (__kpti_forced) {
+		pr_info_once("kernel page table isolation forced %s by command line option\n",
+			     __kpti_forced > 0 ? "ON" : "OFF");
+		return __kpti_forced > 0;
+	}
+
+	/* Useful for KASLR robustness */
+	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+		return true;
+
+	return false;
+}
+
+static int __init parse_kpti(char *str)
+{
+	bool enabled;
+	int ret = strtobool(str, &enabled);
+
+	if (ret)
+		return ret;
+
+	__kpti_forced = enabled ? 1 : -1;
+	return 0;
+}
+__setup("kpti=", parse_kpti);
+#endif	/* CONFIG_UNMAP_KERNEL_AT_EL0 */
+
 static const struct arm64_cpu_capabilities arm64_features[] = {
 	{
 		.desc = "GIC system register CPU interface",
@@ -829,6 +863,13 @@ static const struct arm64_cpu_capabiliti
 		.def_scope = SCOPE_SYSTEM,
 		.matches = hyp_offset_low,
 	},
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	{
+		.capability = ARM64_UNMAP_KERNEL_AT_EL0,
+		.def_scope = SCOPE_SYSTEM,
+		.matches = unmap_kernel_at_el0,
+	},
+#endif
 	{},
 };
 
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -73,6 +73,7 @@
 	.macro kernel_ventry, el, label, regsize = 64
 	.align 7
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+alternative_if ARM64_UNMAP_KERNEL_AT_EL0
 	.if	\el == 0
 	.if	\regsize == 64
 	mrs	x30, tpidrro_el0
@@ -81,6 +82,7 @@
 	mov	x30, xzr
 	.endif
 	.endif
+alternative_else_nop_endif
 #endif
 
 	sub	sp, sp, #S_FRAME_SIZE
@@ -208,10 +210,9 @@ alternative_else_nop_endif
 	ldr	lr, [sp, #S_LR]
 	add	sp, sp, #S_FRAME_SIZE		// restore sp
 
-#ifndef CONFIG_UNMAP_KERNEL_AT_EL0
-	eret
-#else
 	.if	\el == 0
+alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
 	bne	4f
 	msr	far_el1, x30
 	tramp_alias	x30, tramp_exit_native
@@ -219,10 +220,10 @@ alternative_else_nop_endif
 4:
 	tramp_alias	x30, tramp_exit_compat
 	br	x30
+#endif
 	.else
 	eret
 	.endif
-#endif
 	.endm
 
 	.macro	get_thread_info, rd

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 063/102] arm64: kaslr: Put kernel vectors address in separate data page
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 062/102] arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 064/102] arm64: use RET instruction for exiting the trampoline Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Ard Biesheuvel, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi,
	Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 6c27c4082f4f upstream.

The literal pool entry for identifying the vectors base is the only piece
of information in the trampoline page that identifies the true location
of the kernel.

This patch moves it into a page-aligned region of the .rodata section
and maps this adjacent to the trampoline text via an additional fixmap
entry, which protects against any accidental leakage of the trampoline
contents.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[Alex: avoid ARM64_WORKAROUND_QCOM_FALKOR_E1003 dependency]
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/fixmap.h |    1 +
 arch/arm64/kernel/entry.S       |   14 ++++++++++++++
 arch/arm64/kernel/vmlinux.lds.S |    5 ++++-
 arch/arm64/mm/mmu.c             |   10 +++++++++-
 4 files changed, 28 insertions(+), 2 deletions(-)

--- a/arch/arm64/include/asm/fixmap.h
+++ b/arch/arm64/include/asm/fixmap.h
@@ -53,6 +53,7 @@ enum fixed_addresses {
 	FIX_TEXT_POKE0,
 
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	FIX_ENTRY_TRAMP_DATA,
 	FIX_ENTRY_TRAMP_TEXT,
 #define TRAMP_VALIAS		(__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
 #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -881,7 +881,13 @@ __ni_sys_trace:
 	msr	tpidrro_el0, x30	// Restored in kernel_ventry
 	.endif
 	tramp_map_kernel	x30
+#ifdef CONFIG_RANDOMIZE_BASE
+	adr	x30, tramp_vectors + PAGE_SIZE
+	isb
+	ldr	x30, [x30]
+#else
 	ldr	x30, =vectors
+#endif
 	prfm	plil1strm, [x30, #(1b - tramp_vectors)]
 	msr	vbar_el1, x30
 	add	x30, x30, #(1b - tramp_vectors)
@@ -924,6 +930,14 @@ END(tramp_exit_compat)
 
 	.ltorg
 	.popsection				// .entry.tramp.text
+#ifdef CONFIG_RANDOMIZE_BASE
+	.pushsection ".rodata", "a"
+	.align PAGE_SHIFT
+	.globl	__entry_tramp_data_start
+__entry_tramp_data_start:
+	.quad	vectors
+	.popsection				// .rodata
+#endif /* CONFIG_RANDOMIZE_BASE */
 #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
 
 /*
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -252,7 +252,10 @@ ASSERT(__idmap_text_end - (__idmap_text_
 ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 1))
 	<= SZ_4K, "Hibernate exit text too big or misaligned")
 #endif
-
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE,
+	"Entry trampoline text too big")
+#endif
 /*
  * If padding is applied before .head.text, virt<->phys conversions will fail.
  */
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -435,8 +435,16 @@ static int __init map_entry_trampoline(v
 	__create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,
 			     prot, pgd_pgtable_alloc, 0);
 
-	/* ...as well as the kernel page table */
+	/* Map both the text and data into the kernel page table */
 	__set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);
+	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {
+		extern char __entry_tramp_data_start[];
+
+		__set_fixmap(FIX_ENTRY_TRAMP_DATA,
+			     __pa_symbol(__entry_tramp_data_start),
+			     PAGE_KERNEL_RO);
+	}
+
 	return 0;
 }
 core_initcall(map_entry_trampoline);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 064/102] arm64: use RET instruction for exiting the trampoline
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 063/102] arm64: kaslr: Put kernel vectors address in separate data page Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 065/102] arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Will Deacon, Catalin Marinas, Greg Hackmann,
	Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit be04a6d1126b upstream.

Speculation attacks against the entry trampoline can potentially resteer
the speculative instruction stream through the indirect branch and into
arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction
through the return stack: a dummy BL instruction loads an entry into
the stack, so that the predicted program flow of the subsequent RET
instruction is to a branch-to-self instruction which is finally resolved
as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -880,6 +880,14 @@ __ni_sys_trace:
 	.if	\regsize == 64
 	msr	tpidrro_el0, x30	// Restored in kernel_ventry
 	.endif
+	/*
+	 * Defend against branch aliasing attacks by pushing a dummy
+	 * entry onto the return stack and using a RET instruction to
+	 * enter the full-fat kernel vectors.
+	 */
+	bl	2f
+	b	.
+2:
 	tramp_map_kernel	x30
 #ifdef CONFIG_RANDOMIZE_BASE
 	adr	x30, tramp_vectors + PAGE_SIZE
@@ -892,7 +900,7 @@ __ni_sys_trace:
 	msr	vbar_el1, x30
 	add	x30, x30, #(1b - tramp_vectors)
 	isb
-	br	x30
+	ret
 	.endm
 
 	.macro tramp_exit, regsize = 64

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 065/102] arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 064/102] arm64: use RET instruction for exiting the trampoline Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 066/102] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Laura Abbott,
	Shanker Donthineni, Will Deacon, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 084eb77cd3a8 upstream.

Add a Kconfig entry to control use of the entry trampoline, which allows
us to unmap the kernel whilst running in userspace and improve the
robustness of KASLR.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/Kconfig |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -733,6 +733,19 @@ config FORCE_MAX_ZONEORDER
 	  However for 4K, we choose a higher default value, 11 as opposed to 10, giving us
 	  4M allocations matching the default size used by generic code.
 
+config UNMAP_KERNEL_AT_EL0
+	bool "Unmap kernel when running in userspace (aka \"KAISER\")"
+	default y
+	help
+	  Some attacks against KASLR make use of the timing difference between
+	  a permission fault which could arise from a page table entry that is
+	  present in the TLB, and a translation fault which always requires a
+	  page table walk. This option defends against these attacks by unmapping
+	  the kernel whilst running in userspace, therefore forcing translation
+	  faults for all of kernel space.
+
+	  If unsure, say Y.
+
 menuconfig ARMV8_DEPRECATED
 	bool "Emulate deprecated/obsolete ARMv8 instructions"
 	depends on COMPAT

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 066/102] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 065/102] arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 067/102] arm64: Take into account ID_AA64PFR0_EL1.CSV3 Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Will Deacon, Catalin Marinas, Greg Hackmann,
	Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 0617052ddde3 upstream.

Although CONFIG_UNMAP_KERNEL_AT_EL0 does make KASLR more robust, it's
actually more useful as a mitigation against speculation attacks that
can leak arbitrary kernel data to userspace through speculation.

Reword the Kconfig help message to reflect this, and make the option
depend on EXPERT so that it is on by default for the majority of users.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/Kconfig |   13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -734,15 +734,14 @@ config FORCE_MAX_ZONEORDER
 	  4M allocations matching the default size used by generic code.
 
 config UNMAP_KERNEL_AT_EL0
-	bool "Unmap kernel when running in userspace (aka \"KAISER\")"
+	bool "Unmap kernel when running in userspace (aka \"KAISER\")" if EXPERT
 	default y
 	help
-	  Some attacks against KASLR make use of the timing difference between
-	  a permission fault which could arise from a page table entry that is
-	  present in the TLB, and a translation fault which always requires a
-	  page table walk. This option defends against these attacks by unmapping
-	  the kernel whilst running in userspace, therefore forcing translation
-	  faults for all of kernel space.
+	  Speculation attacks against some high-performance processors can
+	  be used to bypass MMU permission checks and leak kernel data to
+	  userspace. This can be defended against by unmapping the kernel
+	  when running in userspace, mapping it back in on exception entry
+	  via a trampoline page in the vector table.
 
 	  If unsure, say Y.
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 067/102] arm64: Take into account ID_AA64PFR0_EL1.CSV3
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 066/102] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 068/102] arm64: Allow checking of a CPU-local erratum Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Suzuki K Poulose, Will Deacon,
	Catalin Marinas, Greg Hackmann, Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 179a56f6f9fb upstream.

For non-KASLR kernels where the KPTI behaviour has not been overridden
on the command line we can use ID_AA64PFR0_EL1.CSV3 to determine whether
or not we should unmap the kernel whilst running at EL0.

Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[Alex: s/read_sanitised_ftr_reg/read_system_reg/ to match v4.9 naming]
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
[Mark: correct zero bits in ftr_id_aa64pfr0 to account for CSV3]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/sysreg.h |    1 +
 arch/arm64/kernel/cpufeature.c  |   10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/arch/arm64/include/asm/sysreg.h
+++ b/arch/arm64/include/asm/sysreg.h
@@ -117,6 +117,7 @@
 #define ID_AA64ISAR0_AES_SHIFT		4
 
 /* id_aa64pfr0 */
+#define ID_AA64PFR0_CSV3_SHIFT		60
 #define ID_AA64PFR0_GIC_SHIFT		24
 #define ID_AA64PFR0_ASIMD_SHIFT		20
 #define ID_AA64PFR0_FP_SHIFT		16
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -93,7 +93,8 @@ static const struct arm64_ftr_bits ftr_i
 };
 
 static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = {
-	ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 32, 32, 0),
+	ARM64_FTR_BITS(FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_CSV3_SHIFT, 4, 0),
+	ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 32, 28, 0),
 	ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 28, 4, 0),
 	ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, ID_AA64PFR0_GIC_SHIFT, 4, 0),
 	S_ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_ASIMD_SHIFT, 4, ID_AA64PFR0_ASIMD_NI),
@@ -752,6 +753,8 @@ static int __kpti_forced; /* 0: not forc
 static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 				int __unused)
 {
+	u64 pfr0 = read_system_reg(SYS_ID_AA64PFR0_EL1);
+
 	/* Forced on command line? */
 	if (__kpti_forced) {
 		pr_info_once("kernel page table isolation forced %s by command line option\n",
@@ -763,7 +766,9 @@ static bool unmap_kernel_at_el0(const st
 	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
 		return true;
 
-	return false;
+	/* Defer to CPU feature registers */
+	return !cpuid_feature_extract_unsigned_field(pfr0,
+						     ID_AA64PFR0_CSV3_SHIFT);
 }
 
 static int __init parse_kpti(char *str)
@@ -865,6 +870,7 @@ static const struct arm64_cpu_capabiliti
 	},
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
 	{
+		.desc = "Kernel page table isolation (KPTI)",
 		.capability = ARM64_UNMAP_KERNEL_AT_EL0,
 		.def_scope = SCOPE_SYSTEM,
 		.matches = unmap_kernel_at_el0,

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 068/102] arm64: Allow checking of a CPU-local erratum
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 067/102] arm64: Take into account ID_AA64PFR0_EL1.CSV3 Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 069/102] arm64: capabilities: Handle duplicate entries for a capability Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Thomas Gleixner, Daniel Lezcano,
	Suzuki K Poulose, Marc Zyngier, Will Deacon, Greg Hackmann,
	Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 8f4137588261d7504f4aa022dc9d1a1fd1940e8e upstream.

this_cpu_has_cap() only checks the feature array, and not the errata
one. In order to be able to check for a CPU-local erratum, allow it
to inspect the latter as well.

This is consistent with cpus_have_cap()'s behaviour, which includes
errata already.

Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/cpufeature.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -1103,20 +1103,29 @@ static void __init setup_feature_capabil
  * Check if the current CPU has a given feature capability.
  * Should be called from non-preemptible context.
  */
-bool this_cpu_has_cap(unsigned int cap)
+static bool __this_cpu_has_cap(const struct arm64_cpu_capabilities *cap_array,
+			       unsigned int cap)
 {
 	const struct arm64_cpu_capabilities *caps;
 
 	if (WARN_ON(preemptible()))
 		return false;
 
-	for (caps = arm64_features; caps->desc; caps++)
+	for (caps = cap_array; caps->desc; caps++)
 		if (caps->capability == cap && caps->matches)
 			return caps->matches(caps, SCOPE_LOCAL_CPU);
 
 	return false;
 }
 
+extern const struct arm64_cpu_capabilities arm64_errata[];
+
+bool this_cpu_has_cap(unsigned int cap)
+{
+	return (__this_cpu_has_cap(arm64_features, cap) ||
+		__this_cpu_has_cap(arm64_errata, cap));
+}
+
 void __init setup_cpu_features(void)
 {
 	u32 cwg;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 069/102] arm64: capabilities: Handle duplicate entries for a capability
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 068/102] arm64: Allow checking of a CPU-local erratum Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 070/102] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Mark Rutland, Will Deacon, Marc Zyngier,
	Suzuki K Poulose, Catalin Marinas, Greg Hackmann, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 67948af41f2e upstream.

Sometimes a single capability could be listed multiple times with
differing matches(), e.g, CPU errata for different MIDR versions.
This breaks verify_local_cpu_feature() and this_cpu_has_cap() as
we stop checking for a capability on a CPU with the first
entry in the given table, which is not sufficient. Make sure we
run the checks for all entries of the same capability. We do
this by fixing __this_cpu_has_cap() to run through all the
entries in the given table for a match and reuse it for
verify_local_cpu_feature().

Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/cpufeature.c |   44 +++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -969,6 +969,26 @@ static void __init setup_elf_hwcaps(cons
 			cap_set_elf_hwcap(hwcaps);
 }
 
+/*
+ * Check if the current CPU has a given feature capability.
+ * Should be called from non-preemptible context.
+ */
+static bool __this_cpu_has_cap(const struct arm64_cpu_capabilities *cap_array,
+			       unsigned int cap)
+{
+	const struct arm64_cpu_capabilities *caps;
+
+	if (WARN_ON(preemptible()))
+		return false;
+
+	for (caps = cap_array; caps->desc; caps++)
+		if (caps->capability == cap &&
+		    caps->matches &&
+		    caps->matches(caps, SCOPE_LOCAL_CPU))
+			return true;
+	return false;
+}
+
 void update_cpu_capabilities(const struct arm64_cpu_capabilities *caps,
 			    const char *info)
 {
@@ -1037,8 +1057,9 @@ verify_local_elf_hwcaps(const struct arm
 }
 
 static void
-verify_local_cpu_features(const struct arm64_cpu_capabilities *caps)
+verify_local_cpu_features(const struct arm64_cpu_capabilities *caps_list)
 {
+	const struct arm64_cpu_capabilities *caps = caps_list;
 	for (; caps->matches; caps++) {
 		if (!cpus_have_cap(caps->capability))
 			continue;
@@ -1046,7 +1067,7 @@ verify_local_cpu_features(const struct a
 		 * If the new CPU misses an advertised feature, we cannot proceed
 		 * further, park the cpu.
 		 */
-		if (!caps->matches(caps, SCOPE_LOCAL_CPU)) {
+		if (!__this_cpu_has_cap(caps_list, caps->capability)) {
 			pr_crit("CPU%d: missing feature: %s\n",
 					smp_processor_id(), caps->desc);
 			cpu_die_early();
@@ -1099,25 +1120,6 @@ static void __init setup_feature_capabil
 	enable_cpu_capabilities(arm64_features);
 }
 
-/*
- * Check if the current CPU has a given feature capability.
- * Should be called from non-preemptible context.
- */
-static bool __this_cpu_has_cap(const struct arm64_cpu_capabilities *cap_array,
-			       unsigned int cap)
-{
-	const struct arm64_cpu_capabilities *caps;
-
-	if (WARN_ON(preemptible()))
-		return false;
-
-	for (caps = cap_array; caps->desc; caps++)
-		if (caps->capability == cap && caps->matches)
-			return caps->matches(caps, SCOPE_LOCAL_CPU);
-
-	return false;
-}
-
 extern const struct arm64_cpu_capabilities arm64_errata[];
 
 bool this_cpu_has_cap(unsigned int cap)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 070/102] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 069/102] arm64: capabilities: Handle duplicate entries for a capability Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 071/102] arm64: Turn on KPTI only on CPUs that need it Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Jayachandran C, Will Deacon, Catalin Marinas,
	Greg Hackmann, Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jayachandran C <jnair@caviumnetworks.com>

commit 0d90718871fe upstream.

Add the older Broadcom ID as well as the new Cavium ID for ThunderX2
CPUs.

Signed-off-by: Jayachandran C <jnair@caviumnetworks.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -81,6 +81,7 @@
 
 #define CAVIUM_CPU_PART_THUNDERX	0x0A1
 #define CAVIUM_CPU_PART_THUNDERX_81XX	0x0A2
+#define CAVIUM_CPU_PART_THUNDERX2	0x0AF
 
 #define BRCM_CPU_PART_VULCAN		0x516
 
@@ -88,6 +89,8 @@
 #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57)
 #define MIDR_THUNDERX	MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
 #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
+#define MIDR_CAVIUM_THUNDERX2 MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX2)
+#define MIDR_BRCM_VULCAN MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, BRCM_CPU_PART_VULCAN)
 
 #ifndef __ASSEMBLY__
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 071/102] arm64: Turn on KPTI only on CPUs that need it
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 070/102] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 072/102] arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Will Deacon, Jayachandran C, Catalin Marinas,
	Greg Hackmann, Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jayachandran C <jnair@caviumnetworks.com>

commit 0ba2e29c7fc1 upstream.

Whitelist Broadcom Vulcan/Cavium ThunderX2 processors in
unmap_kernel_at_el0(). These CPUs are not vulnerable to
CVE-2017-5754 and do not need KPTI when KASLR is off.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jayachandran C <jnair@caviumnetworks.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/cpufeature.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -766,6 +766,13 @@ static bool unmap_kernel_at_el0(const st
 	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
 		return true;
 
+	/* Don't force KPTI for CPUs that are not vulnerable */
+	switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) {
+	case MIDR_CAVIUM_THUNDERX2:
+	case MIDR_BRCM_VULCAN:
+		return false;
+	}
+
 	/* Defer to CPU feature registers */
 	return !cpuid_feature_extract_unsigned_field(pfr0,
 						     ID_AA64PFR0_CSV3_SHIFT);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 072/102] arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 071/102] arm64: Turn on KPTI only on CPUs that need it Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 073/102] arm64: kpti: Add ->enable callback to remap swapper using nG mappings Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Will Deacon, Catalin Marinas, Greg Hackmann,
	Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 41acec624087 upstream.

To allow systems which do not require kpti to continue running with
global kernel mappings (which appears to be a requirement for Cavium
ThunderX due to a CPU erratum), make the use of nG in the kernel page
tables dependent on arm64_kernel_unmapped_at_el0(), which is resolved
at runtime.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/kernel-pgtable.h |   12 ++----------
 arch/arm64/include/asm/pgtable-prot.h   |   30 ++++++++++++++----------------
 2 files changed, 16 insertions(+), 26 deletions(-)

--- a/arch/arm64/include/asm/kernel-pgtable.h
+++ b/arch/arm64/include/asm/kernel-pgtable.h
@@ -71,16 +71,8 @@
 /*
  * Initial memory map attributes.
  */
-#define _SWAPPER_PTE_FLAGS	(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
-#define _SWAPPER_PMD_FLAGS	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
-
-#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
-#define SWAPPER_PTE_FLAGS	(_SWAPPER_PTE_FLAGS | PTE_NG)
-#define SWAPPER_PMD_FLAGS	(_SWAPPER_PMD_FLAGS | PMD_SECT_NG)
-#else
-#define SWAPPER_PTE_FLAGS	_SWAPPER_PTE_FLAGS
-#define SWAPPER_PMD_FLAGS	_SWAPPER_PMD_FLAGS
-#endif
+#define SWAPPER_PTE_FLAGS	(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
+#define SWAPPER_PMD_FLAGS	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
 
 #if ARM64_SWAPPER_USES_SECTION_MAPS
 #define SWAPPER_MM_MMUFLAGS	(PMD_ATTRINDX(MT_NORMAL) | SWAPPER_PMD_FLAGS)
--- a/arch/arm64/include/asm/pgtable-prot.h
+++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -37,13 +37,11 @@
 #define _PROT_DEFAULT		(PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
 #define _PROT_SECT_DEFAULT	(PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
 
-#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
-#define PROT_DEFAULT		(_PROT_DEFAULT | PTE_NG)
-#define PROT_SECT_DEFAULT	(_PROT_SECT_DEFAULT | PMD_SECT_NG)
-#else
-#define PROT_DEFAULT		_PROT_DEFAULT
-#define PROT_SECT_DEFAULT	_PROT_SECT_DEFAULT
-#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
+#define PTE_MAYBE_NG		(arm64_kernel_unmapped_at_el0() ? PTE_NG : 0)
+#define PMD_MAYBE_NG		(arm64_kernel_unmapped_at_el0() ? PMD_SECT_NG : 0)
+
+#define PROT_DEFAULT		(_PROT_DEFAULT | PTE_MAYBE_NG)
+#define PROT_SECT_DEFAULT	(_PROT_SECT_DEFAULT | PMD_MAYBE_NG)
 
 #define PROT_DEVICE_nGnRnE	(PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
 #define PROT_DEVICE_nGnRE	(PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
@@ -55,22 +53,22 @@
 #define PROT_SECT_NORMAL	(PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
 #define PROT_SECT_NORMAL_EXEC	(PROT_SECT_DEFAULT | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
 
-#define _PAGE_DEFAULT		(PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
-#define _HYP_PAGE_DEFAULT	(_PAGE_DEFAULT & ~PTE_NG)
+#define _PAGE_DEFAULT		(_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
+#define _HYP_PAGE_DEFAULT	_PAGE_DEFAULT
 
-#define PAGE_KERNEL		__pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE)
-#define PAGE_KERNEL_RO		__pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_RDONLY)
-#define PAGE_KERNEL_ROX		__pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_RDONLY)
-#define PAGE_KERNEL_EXEC	__pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_WRITE)
-#define PAGE_KERNEL_EXEC_CONT	__pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_CONT)
+#define PAGE_KERNEL		__pgprot(PROT_NORMAL)
+#define PAGE_KERNEL_RO		__pgprot((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
+#define PAGE_KERNEL_ROX		__pgprot((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
+#define PAGE_KERNEL_EXEC	__pgprot(PROT_NORMAL & ~PTE_PXN)
+#define PAGE_KERNEL_EXEC_CONT	__pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
 
 #define PAGE_HYP		__pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN)
 #define PAGE_HYP_EXEC		__pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY)
 #define PAGE_HYP_RO		__pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | PTE_HYP_XN)
 #define PAGE_HYP_DEVICE		__pgprot(PROT_DEVICE_nGnRE | PTE_HYP)
 
-#define PAGE_S2			__pgprot(PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY)
-#define PAGE_S2_DEVICE		__pgprot(PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
+#define PAGE_S2			__pgprot(_PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY)
+#define PAGE_S2_DEVICE		__pgprot(_PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
 
 #define PAGE_NONE		__pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_NG | PTE_PXN | PTE_UXN)
 #define PAGE_SHARED		__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 073/102] arm64: kpti: Add ->enable callback to remap swapper using nG mappings
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 072/102] arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 074/102] arm64: Force KPTI to be disabled on Cavium ThunderX Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Marc Zyngier, Will Deacon, Catalin Marinas,
	Ard Biesheuvel, Greg Hackmann, Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit f992b4dfd58b upstream.

Defaulting to global mappings for kernel space is generally good for
performance and appears to be necessary for Cavium ThunderX. If we
subsequently decide that we need to enable kpti, then we need to rewrite
our existing page table entries to be non-global. This is fiddly, and
made worse by the possible use of contiguous mappings, which require
a strict break-before-make sequence.

Since the enable callback runs on each online CPU from stop_machine
context, we can have all CPUs enter the idmap, where secondaries can
wait for the primary CPU to rewrite swapper with its MMU off. It's all
fairly horrible, but at least it only runs once.

Nicolas Dechesne <nicolas.dechesne@linaro.org> found a bug on this commit
which cause boot failure on db410c etc board. Ard Biesheuvel found it
writting wrong contenct to ttbr1_el1 in __idmap_cpu_set_reserved_ttbr1
macro and fixed it by give it the right content.

Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[Alex: avoid dependency on 52-bit PA patches and TTBR/MMU erratum patches]
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/assembler.h |    3 
 arch/arm64/kernel/cpufeature.c     |   25 ++++
 arch/arm64/mm/proc.S               |  201 +++++++++++++++++++++++++++++++++++--
 3 files changed, 222 insertions(+), 7 deletions(-)

--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -413,4 +413,7 @@ alternative_endif
 	movk	\reg, :abs_g0_nc:\val
 	.endm
 
+	.macro	pte_to_phys, phys, pte
+	and	\phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT)
+	.endm
 #endif	/* __ASM_ASSEMBLER_H */
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -778,6 +778,30 @@ static bool unmap_kernel_at_el0(const st
 						     ID_AA64PFR0_CSV3_SHIFT);
 }
 
+static int kpti_install_ng_mappings(void *__unused)
+{
+	typedef void (kpti_remap_fn)(int, int, phys_addr_t);
+	extern kpti_remap_fn idmap_kpti_install_ng_mappings;
+	kpti_remap_fn *remap_fn;
+
+	static bool kpti_applied = false;
+	int cpu = smp_processor_id();
+
+	if (kpti_applied)
+		return 0;
+
+	remap_fn = (void *)__pa_symbol(idmap_kpti_install_ng_mappings);
+
+	cpu_install_idmap();
+	remap_fn(cpu, num_online_cpus(), __pa_symbol(swapper_pg_dir));
+	cpu_uninstall_idmap();
+
+	if (!cpu)
+		kpti_applied = true;
+
+	return 0;
+}
+
 static int __init parse_kpti(char *str)
 {
 	bool enabled;
@@ -881,6 +905,7 @@ static const struct arm64_cpu_capabiliti
 		.capability = ARM64_UNMAP_KERNEL_AT_EL0,
 		.def_scope = SCOPE_SYSTEM,
 		.matches = unmap_kernel_at_el0,
+		.enable = kpti_install_ng_mappings,
 	},
 #endif
 	{},
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -148,6 +148,16 @@ alternative_else_nop_endif
 ENDPROC(cpu_do_switch_mm)
 
 	.pushsection ".idmap.text", "ax"
+
+.macro	__idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
+	adrp	\tmp1, empty_zero_page
+	msr	ttbr1_el1, \tmp1
+	isb
+	tlbi	vmalle1
+	dsb	nsh
+	isb
+.endm
+
 /*
  * void idmap_cpu_replace_ttbr1(phys_addr_t new_pgd)
  *
@@ -158,13 +168,7 @@ ENTRY(idmap_cpu_replace_ttbr1)
 	mrs	x2, daif
 	msr	daifset, #0xf
 
-	adrp	x1, empty_zero_page
-	msr	ttbr1_el1, x1
-	isb
-
-	tlbi	vmalle1
-	dsb	nsh
-	isb
+	__idmap_cpu_set_reserved_ttbr1 x1, x3
 
 	msr	ttbr1_el1, x0
 	isb
@@ -175,6 +179,189 @@ ENTRY(idmap_cpu_replace_ttbr1)
 ENDPROC(idmap_cpu_replace_ttbr1)
 	.popsection
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	.pushsection ".idmap.text", "ax"
+
+	.macro	__idmap_kpti_get_pgtable_ent, type
+	dc	cvac, cur_\()\type\()p		// Ensure any existing dirty
+	dmb	sy				// lines are written back before
+	ldr	\type, [cur_\()\type\()p]	// loading the entry
+	tbz	\type, #0, next_\()\type	// Skip invalid entries
+	.endm
+
+	.macro __idmap_kpti_put_pgtable_ent_ng, type
+	orr	\type, \type, #PTE_NG		// Same bit for blocks and pages
+	str	\type, [cur_\()\type\()p]	// Update the entry and ensure it
+	dc	civac, cur_\()\type\()p		// is visible to all CPUs.
+	.endm
+
+/*
+ * void __kpti_install_ng_mappings(int cpu, int num_cpus, phys_addr_t swapper)
+ *
+ * Called exactly once from stop_machine context by each CPU found during boot.
+ */
+__idmap_kpti_flag:
+	.long	1
+ENTRY(idmap_kpti_install_ng_mappings)
+	cpu		.req	w0
+	num_cpus	.req	w1
+	swapper_pa	.req	x2
+	swapper_ttb	.req	x3
+	flag_ptr	.req	x4
+	cur_pgdp	.req	x5
+	end_pgdp	.req	x6
+	pgd		.req	x7
+	cur_pudp	.req	x8
+	end_pudp	.req	x9
+	pud		.req	x10
+	cur_pmdp	.req	x11
+	end_pmdp	.req	x12
+	pmd		.req	x13
+	cur_ptep	.req	x14
+	end_ptep	.req	x15
+	pte		.req	x16
+
+	mrs	swapper_ttb, ttbr1_el1
+	adr	flag_ptr, __idmap_kpti_flag
+
+	cbnz	cpu, __idmap_kpti_secondary
+
+	/* We're the boot CPU. Wait for the others to catch up */
+	sevl
+1:	wfe
+	ldaxr	w18, [flag_ptr]
+	eor	w18, w18, num_cpus
+	cbnz	w18, 1b
+
+	/* We need to walk swapper, so turn off the MMU. */
+	mrs	x18, sctlr_el1
+	bic	x18, x18, #SCTLR_ELx_M
+	msr	sctlr_el1, x18
+	isb
+
+	/* Everybody is enjoying the idmap, so we can rewrite swapper. */
+	/* PGD */
+	mov	cur_pgdp, swapper_pa
+	add	end_pgdp, cur_pgdp, #(PTRS_PER_PGD * 8)
+do_pgd:	__idmap_kpti_get_pgtable_ent	pgd
+	tbnz	pgd, #1, walk_puds
+	__idmap_kpti_put_pgtable_ent_ng	pgd
+next_pgd:
+	add	cur_pgdp, cur_pgdp, #8
+	cmp	cur_pgdp, end_pgdp
+	b.ne	do_pgd
+
+	/* Publish the updated tables and nuke all the TLBs */
+	dsb	sy
+	tlbi	vmalle1is
+	dsb	ish
+	isb
+
+	/* We're done: fire up the MMU again */
+	mrs	x18, sctlr_el1
+	orr	x18, x18, #SCTLR_ELx_M
+	msr	sctlr_el1, x18
+	isb
+
+	/* Set the flag to zero to indicate that we're all done */
+	str	wzr, [flag_ptr]
+	ret
+
+	/* PUD */
+walk_puds:
+	.if CONFIG_PGTABLE_LEVELS > 3
+	pte_to_phys	cur_pudp, pgd
+	add	end_pudp, cur_pudp, #(PTRS_PER_PUD * 8)
+do_pud:	__idmap_kpti_get_pgtable_ent	pud
+	tbnz	pud, #1, walk_pmds
+	__idmap_kpti_put_pgtable_ent_ng	pud
+next_pud:
+	add	cur_pudp, cur_pudp, 8
+	cmp	cur_pudp, end_pudp
+	b.ne	do_pud
+	b	next_pgd
+	.else /* CONFIG_PGTABLE_LEVELS <= 3 */
+	mov	pud, pgd
+	b	walk_pmds
+next_pud:
+	b	next_pgd
+	.endif
+
+	/* PMD */
+walk_pmds:
+	.if CONFIG_PGTABLE_LEVELS > 2
+	pte_to_phys	cur_pmdp, pud
+	add	end_pmdp, cur_pmdp, #(PTRS_PER_PMD * 8)
+do_pmd:	__idmap_kpti_get_pgtable_ent	pmd
+	tbnz	pmd, #1, walk_ptes
+	__idmap_kpti_put_pgtable_ent_ng	pmd
+next_pmd:
+	add	cur_pmdp, cur_pmdp, #8
+	cmp	cur_pmdp, end_pmdp
+	b.ne	do_pmd
+	b	next_pud
+	.else /* CONFIG_PGTABLE_LEVELS <= 2 */
+	mov	pmd, pud
+	b	walk_ptes
+next_pmd:
+	b	next_pud
+	.endif
+
+	/* PTE */
+walk_ptes:
+	pte_to_phys	cur_ptep, pmd
+	add	end_ptep, cur_ptep, #(PTRS_PER_PTE * 8)
+do_pte:	__idmap_kpti_get_pgtable_ent	pte
+	__idmap_kpti_put_pgtable_ent_ng	pte
+next_pte:
+	add	cur_ptep, cur_ptep, #8
+	cmp	cur_ptep, end_ptep
+	b.ne	do_pte
+	b	next_pmd
+
+	/* Secondary CPUs end up here */
+__idmap_kpti_secondary:
+	/* Uninstall swapper before surgery begins */
+	__idmap_cpu_set_reserved_ttbr1 x18, x17
+
+	/* Increment the flag to let the boot CPU we're ready */
+1:	ldxr	w18, [flag_ptr]
+	add	w18, w18, #1
+	stxr	w17, w18, [flag_ptr]
+	cbnz	w17, 1b
+
+	/* Wait for the boot CPU to finish messing around with swapper */
+	sevl
+1:	wfe
+	ldxr	w18, [flag_ptr]
+	cbnz	w18, 1b
+
+	/* All done, act like nothing happened */
+	msr	ttbr1_el1, swapper_ttb
+	isb
+	ret
+
+	.unreq	cpu
+	.unreq	num_cpus
+	.unreq	swapper_pa
+	.unreq	swapper_ttb
+	.unreq	flag_ptr
+	.unreq	cur_pgdp
+	.unreq	end_pgdp
+	.unreq	pgd
+	.unreq	cur_pudp
+	.unreq	end_pudp
+	.unreq	pud
+	.unreq	cur_pmdp
+	.unreq	end_pmdp
+	.unreq	pmd
+	.unreq	cur_ptep
+	.unreq	end_ptep
+	.unreq	pte
+ENDPROC(idmap_kpti_install_ng_mappings)
+	.popsection
+#endif
+
 /*
  *	__cpu_setup
  *

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 074/102] arm64: Force KPTI to be disabled on Cavium ThunderX
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 073/102] arm64: kpti: Add ->enable callback to remap swapper using nG mappings Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 075/102] arm64: entry: Reword comment about post_ttbr_update_workaround Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Marc Zyngier, Will Deacon, Catalin Marinas,
	Greg Hackmann, Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 6dc52b15c4a4 upstream.

Cavium ThunderX's erratum 27456 results in a corruption of icache
entries that are loaded from memory that is mapped as non-global
(i.e. ASID-tagged).

As KPTI is based on memory being mapped non-global, let's prevent
it from kicking in if this erratum is detected.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
[will: Update comment]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[Alex: use cpus_have_cap as cpus_have_const_cap doesn't exist in v4.9]
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/cpufeature.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -753,12 +753,23 @@ static int __kpti_forced; /* 0: not forc
 static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 				int __unused)
 {
+	char const *str = "command line option";
 	u64 pfr0 = read_system_reg(SYS_ID_AA64PFR0_EL1);
 
-	/* Forced on command line? */
+	/*
+	 * For reasons that aren't entirely clear, enabling KPTI on Cavium
+	 * ThunderX leads to apparent I-cache corruption of kernel text, which
+	 * ends as well as you might imagine. Don't even try.
+	 */
+	if (cpus_have_cap(ARM64_WORKAROUND_CAVIUM_27456)) {
+		str = "ARM64_WORKAROUND_CAVIUM_27456";
+		__kpti_forced = -1;
+	}
+
+	/* Forced? */
 	if (__kpti_forced) {
-		pr_info_once("kernel page table isolation forced %s by command line option\n",
-			     __kpti_forced > 0 ? "ON" : "OFF");
+		pr_info_once("kernel page table isolation forced %s by %s\n",
+			     __kpti_forced > 0 ? "ON" : "OFF", str);
 		return __kpti_forced > 0;
 	}
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 075/102] arm64: entry: Reword comment about post_ttbr_update_workaround
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 074/102] arm64: Force KPTI to be disabled on Cavium ThunderX Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 076/102] arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Will Deacon, Catalin Marinas, Greg Hackmann,
	Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit f167211a93ac upstream.

We don't fully understand the Cavium ThunderX erratum, but it appears
that mapping the kernel as nG can lead to horrible consequences such as
attempting to execute userspace from kernel context. Since kpti isn't
enabled for these CPUs anyway, simplify the comment justifying the lack
of post_ttbr_update_workaround in the exception trampoline.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/entry.S |   13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -861,16 +861,9 @@ __ni_sys_trace:
 	orr	\tmp, \tmp, #USER_ASID_FLAG
 	msr	ttbr1_el1, \tmp
 	/*
-	 * We avoid running the post_ttbr_update_workaround here because the
-	 * user and kernel ASIDs don't have conflicting mappings, so any
-	 * "blessing" as described in:
-	 *
-	 *   http://lkml.kernel.org/r/56BB848A.6060603@caviumnetworks.com
-	 *
-	 * will not hurt correctness. Whilst this may partially defeat the
-	 * point of using split ASIDs in the first place, it avoids
-	 * the hit of invalidating the entire I-cache on every return to
-	 * userspace.
+	 * We avoid running the post_ttbr_update_workaround here because
+	 * it's only needed by Cavium ThunderX, which requires KPTI to be
+	 * disabled.
 	 */
 	.endm
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 076/102] arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 075/102] arm64: entry: Reword comment about post_ttbr_update_workaround Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 077/102] USB: serial: ftdi_sio: add RT Systems VX-8 cable Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Marc Zyngier, Will Deacon, Catalin Marinas,
	Greg Hackmann, Alex Shi, Mark Rutland

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 439e70e27a51 upstream.

The identity map is mapped as both writeable and executable by the
SWAPPER_MM_MMUFLAGS and this is relied upon by the kpti code to manage
a synchronisation flag. Update the .pushsection flags to reflect the
actual mapping attributes.

Reported-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org> [v4.9 backport]
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/cpu-reset.S |    2 +-
 arch/arm64/kernel/head.S      |    2 +-
 arch/arm64/kernel/sleep.S     |    2 +-
 arch/arm64/mm/proc.S          |    8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)

--- a/arch/arm64/kernel/cpu-reset.S
+++ b/arch/arm64/kernel/cpu-reset.S
@@ -16,7 +16,7 @@
 #include <asm/virt.h>
 
 .text
-.pushsection    .idmap.text, "ax"
+.pushsection    .idmap.text, "awx"
 
 /*
  * __cpu_soft_restart(el2_switch, entry, arg0, arg1, arg2) - Helper for
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -473,7 +473,7 @@ ENDPROC(__primary_switched)
  * end early head section, begin head code that is also used for
  * hotplug and needs to have the same protections as the text region
  */
-	.section ".idmap.text","ax"
+	.section ".idmap.text","awx"
 
 ENTRY(kimage_vaddr)
 	.quad		_text - TEXT_OFFSET
--- a/arch/arm64/kernel/sleep.S
+++ b/arch/arm64/kernel/sleep.S
@@ -95,7 +95,7 @@ ENTRY(__cpu_suspend_enter)
 	ret
 ENDPROC(__cpu_suspend_enter)
 
-	.pushsection ".idmap.text", "ax"
+	.pushsection ".idmap.text", "awx"
 ENTRY(cpu_resume)
 	bl	el2_setup		// if in EL2 drop to EL1 cleanly
 	bl	__cpu_setup
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -83,7 +83,7 @@ ENDPROC(cpu_do_suspend)
  *
  * x0: Address of context pointer
  */
-	.pushsection ".idmap.text", "ax"
+	.pushsection ".idmap.text", "awx"
 ENTRY(cpu_do_resume)
 	ldp	x2, x3, [x0]
 	ldp	x4, x5, [x0, #16]
@@ -147,7 +147,7 @@ alternative_else_nop_endif
 	ret
 ENDPROC(cpu_do_switch_mm)
 
-	.pushsection ".idmap.text", "ax"
+	.pushsection ".idmap.text", "awx"
 
 .macro	__idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
 	adrp	\tmp1, empty_zero_page
@@ -180,7 +180,7 @@ ENDPROC(idmap_cpu_replace_ttbr1)
 	.popsection
 
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
-	.pushsection ".idmap.text", "ax"
+	.pushsection ".idmap.text", "awx"
 
 	.macro	__idmap_kpti_get_pgtable_ent, type
 	dc	cvac, cur_\()\type\()p		// Ensure any existing dirty
@@ -368,7 +368,7 @@ ENDPROC(idmap_kpti_install_ng_mappings)
  *	Initialise the processor for turning the MMU on.  Return in x0 the
  *	value of the SCTLR_EL1 register.
  */
-	.pushsection ".idmap.text", "ax"
+	.pushsection ".idmap.text", "awx"
 ENTRY(__cpu_setup)
 	tlbi	vmalle1				// Invalidate local TLB
 	dsb	nsh

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 077/102] USB: serial: ftdi_sio: add RT Systems VX-8 cable
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 076/102] arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:23 ` [PATCH 4.9 078/102] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Major Hayden, Johan Hovold

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Major Hayden <major@mhtx.net>

commit 9608e5c0f079390473b484ef92334dfd3431bb89 upstream.

This patch adds a device ID for the RT Systems cable used to
program Yaesu VX-8R/VX-8DR handheld radios. It uses the main
FTDI VID instead of the common RT Systems VID.

Signed-off-by: Major Hayden <major@mhtx.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |    1 +
 drivers/usb/serial/ftdi_sio_ids.h |    3 +++
 2 files changed, 4 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -773,6 +773,7 @@ static const struct usb_device_id id_tab
 		.driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
 	{ USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
 	{ USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) },
+	{ USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) },
 	{ USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
 	{ USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
 	{ USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -922,6 +922,9 @@
 /*
  * RT Systems programming cables for various ham radios
  */
+/* This device uses the VID of FTDI */
+#define RTSYSTEMS_USB_VX8_PID   0x9e50  /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */
+
 #define RTSYSTEMS_VID		0x2100	/* Vendor ID */
 #define RTSYSTEMS_USB_S03_PID	0x9001	/* RTS-03 USB to Serial Adapter */
 #define RTSYSTEMS_USB_59_PID	0x9e50	/* USB-59 USB to 8 pin plug */

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 078/102] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 077/102] USB: serial: ftdi_sio: add RT Systems VX-8 cable Greg Kroah-Hartman
@ 2018-04-06 13:23 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 079/102] USB: serial: cp210x: add ELDAT Easywave RX09 id Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Clemens Werther, Johan Hovold

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clemens Werther <clemens.werther@gmail.com>

commit 6555ad13a01952c16485c82a52ad1f3e07e34b3a upstream.

Add device id for Harman FirmwareHubEmulator to make the device
auto-detectable by the driver.

Signed-off-by: Clemens Werther <clemens.werther@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |    1 +
 drivers/usb/serial/ftdi_sio_ids.h |    6 ++++++
 2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -936,6 +936,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
 	{ USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1444,6 +1444,12 @@
 #define FTDI_CINTERION_MC55I_PID	0xA951
 
 /*
+ * Product: FirmwareHubEmulator
+ * Manufacturer: Harman Becker Automotive Systems
+ */
+#define FTDI_FHE_PID		0xA9A0
+
+/*
  * Product: Comet Caller ID decoder
  * Manufacturer: Crucible Technologies
  */

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 079/102] USB: serial: cp210x: add ELDAT Easywave RX09 id
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2018-04-06 13:23 ` [PATCH 4.9 078/102] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 080/102] mei: remove dev_err message on an unsupported ioctl Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Jansen, Johan Hovold

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 1f1e82f74c0947e40144688c9e36abe4b3999f49 upstream.

Add device id for ELDAT Easywave RX09 tranceiver.

Reported-by: Jan Jansen <nattelip@hotmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -152,6 +152,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */
 	{ USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */
 	{ USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */
+	{ USB_DEVICE(0x155A, 0x1006) },	/* ELDAT Easywave RX09 */
 	{ USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */
 	{ USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */
 	{ USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 080/102] mei: remove dev_err message on an unsupported ioctl
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 079/102] USB: serial: cp210x: add ELDAT Easywave RX09 id Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 081/102] media: usbtv: prevent double free in error case Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit bb0829a741792b56c908d7745bc0b2b540293bcc upstream.

Currently the driver spams the kernel log on unsupported ioctls which is
unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway.
I suspect this was originally for debugging purposes but it really is not
required so remove it.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/main.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -551,7 +551,6 @@ static long mei_ioctl(struct file *file,
 		break;
 
 	default:
-		dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd);
 		rets = -ENOIOCTLCMD;
 	}
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 081/102] media: usbtv: prevent double free in error case
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 080/102] mei: remove dev_err message on an unsupported ioctl Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 082/102] parport_pc: Add support for WCH CH382L PCI-E single parallel port card Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yavuz, Tuba, Oliver Neukum,
	Hans Verkuil, Mauro Carvalho Chehab

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2 upstream.

Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

        usbtv_video_free(usbtv); =>

           v4l2_device_put(&usbtv->v4l2_dev);

              => v4l2_device_put

                  => kref_put

                      => v4l2_device_release

  => usbtv_release (CALLBACK)

                             => kfree(usbtv) (1st time)

usbtv_video_fail:

        usb_set_intfdata(intf, NULL);

        usb_put_dev(usbtv->udev);

        kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbtv/usbtv-core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -109,6 +109,8 @@ static int usbtv_probe(struct usb_interf
 	return 0;
 
 usbtv_audio_fail:
+	/* we must not free at this point */
+	usb_get_dev(usbtv->udev);
 	usbtv_video_free(usbtv);
 
 usbtv_video_fail:

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 082/102] parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 081/102] media: usbtv: prevent double free in error case Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 083/102] crypto: ahash - Fix early termination in hash walk Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Gerasiov

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Gerasiov <gq@redlab-i.ru>

commit 823f7923833c6cc2b16e601546d607dcfb368004 upstream.

WCH CH382L is a PCI-E adapter with 1 parallel port. It is similair to CH382
but serial ports are not soldered on board. Detected as
Serial controller: Device 1c00:3050 (rev 10) (prog-if 05 [16850])

Signed-off-by: Alexander Gerasiov <gq@redlab-i.ru>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/parport/parport_pc.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/parport/parport_pc.c
+++ b/drivers/parport/parport_pc.c
@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards {
 	netmos_9901,
 	netmos_9865,
 	quatech_sppxp100,
+	wch_ch382l,
 };
 
 
@@ -2708,6 +2709,7 @@ static struct parport_pc_pci {
 	/* netmos_9901 */               { 1, { { 0, -1 }, } },
 	/* netmos_9865 */               { 1, { { 0, -1 }, } },
 	/* quatech_sppxp100 */		{ 1, { { 0, 1 }, } },
+	/* wch_ch382l */		{ 1, { { 2, -1 }, } },
 };
 
 static const struct pci_device_id parport_pc_pci_tbl[] = {
@@ -2797,6 +2799,8 @@ static const struct pci_device_id parpor
 	/* Quatech SPPXP-100 Parallel port PCI ExpressCard */
 	{ PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100,
 	  PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 },
+	/* WCH CH382L PCI-E single parallel port card */
+	{ 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l },
 	{ 0, } /* terminate list */
 };
 MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl);

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 083/102] crypto: ahash - Fix early termination in hash walk
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 082/102] parport_pc: Add support for WCH CH382L PCI-E single parallel port card Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 084/102] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eli Cooper, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 900a081f6912a8985dc15380ec912752cb66025a upstream.

When we have an unaligned SG list entry where there is no leftover
aligned data, the hash walk code will incorrectly return zero as if
the entire SG list has been processed.

This patch fixes it by moving onto the next page instead.

Reported-by: Eli Cooper <elicooper@gmx.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/ahash.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -91,13 +91,14 @@ int crypto_hash_walk_done(struct crypto_
 
 	if (nbytes && walk->offset & alignmask && !err) {
 		walk->offset = ALIGN(walk->offset, alignmask + 1);
-		walk->data += walk->offset;
-
 		nbytes = min(nbytes,
 			     ((unsigned int)(PAGE_SIZE)) - walk->offset);
 		walk->entrylen -= nbytes;
 
-		return nbytes;
+		if (nbytes) {
+			walk->data += walk->offset;
+			return nbytes;
+		}
 	}
 
 	if (walk->flags & CRYPTO_ALG_ASYNC)

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 084/102] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 083/102] crypto: ahash - Fix early termination in hash walk Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 085/102] staging: comedi: ni_mio_common: ack ai fifo error interrupts Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 8f461b1e02ed546fbd0f11611138da67fd85a30f upstream.

With ecb-cast5-avx, if a 128+ byte scatterlist element followed a
shorter one, then the algorithm accidentally encrypted/decrypted only 8
bytes instead of the expected 128 bytes.  Fix it by setting the
encryption/decryption 'fn' correctly.

Fixes: c12ab20b162c ("crypto: cast5/avx - avoid using temporary stack buffers")
Cc: <stable@vger.kernel.org> # v3.8+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/crypto/cast5_avx_glue.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/x86/crypto/cast5_avx_glue.c
+++ b/arch/x86/crypto/cast5_avx_glue.c
@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_de
 	void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src);
 	int err;
 
-	fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
-
 	err = blkcipher_walk_virt(desc, walk);
 	desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
 
@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_de
 
 		/* Process multi-block batch */
 		if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) {
+			fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
 			do {
 				fn(ctx, wdst, wsrc);
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 085/102] staging: comedi: ni_mio_common: ack ai fifo error interrupts.
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 084/102] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 086/102] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370 Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frank Mori Hess, Ian Abbott

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Frank Mori Hess <fmh6jj@gmail.com>

commit e1d9fc04c41840a4688ef6ce90b6dcca157ea4d7 upstream.

Ack ai fifo error interrupts in interrupt handler to clear interrupt
after fifo overflow.  It should prevent lock-ups after the ai fifo
overflows.

Cc: <stable@vger.kernel.org> # v4.2+
Signed-off-by: Frank Mori Hess <fmh6jj@gmail.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_mio_common.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -1284,6 +1284,8 @@ static void ack_a_interrupt(struct comed
 		ack |= NISTC_INTA_ACK_AI_START;
 	if (a_status & NISTC_AI_STATUS1_STOP)
 		ack |= NISTC_INTA_ACK_AI_STOP;
+	if (a_status & NISTC_AI_STATUS1_OVER)
+		ack |= NISTC_INTA_ACK_AI_ERR;
 	if (ack)
 		ni_stc_writew(dev, ack, NISTC_INTA_ACK_REG);
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 086/102] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 085/102] staging: comedi: ni_mio_common: ack ai fifo error interrupts Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 087/102] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masaki Ota, Aaron Ma, Jonathan Liu,
	Jaak Ristioja, Dmitry Torokhov

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masaki Ota <masaki.ota@jp.alps.com>

commit 567b9b549cfa1cbc202762ae97b5385c29ade1e3 upstream.

The primary interface for the touchpad device in Thinkpad L570 is SMBus,
so ALPS overlooked PS2 interface Firmware setting of TrackStick, and
shipped with TrackStick otp bit is disabled.

The address 0xD7 contains device number information, so we can identify
the device by checking this value, but to access it we need to enable
Command mode, and then re-enable the device. Devices shipped in Thinkpad
L570 report either 0x0C or 0x1D as device numbers, if we see them we assume
that the devices are DualPoints.

The same issue exists on Dell Latitude 7370.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196929
Fixes: 646580f793 ("Input: ALPS - fix multi-touch decoding on SS4 plus touchpads")
Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
Tested-by: Aaron Ma <aaron.ma@canonical.com>
Tested-by: Jonathan Liu <net147@gmail.com>
Tested-by: Jaak Ristioja <jaak@ristioja.ee>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/alps.c |   24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -2538,13 +2538,31 @@ static int alps_update_btn_info_ss4_v2(u
 }
 
 static int alps_update_dual_info_ss4_v2(unsigned char otp[][4],
-				       struct alps_data *priv)
+					struct alps_data *priv,
+					struct psmouse *psmouse)
 {
 	bool is_dual = false;
+	int reg_val = 0;
+	struct ps2dev *ps2dev = &psmouse->ps2dev;
 
-	if (IS_SS4PLUS_DEV(priv->dev_id))
+	if (IS_SS4PLUS_DEV(priv->dev_id)) {
 		is_dual = (otp[0][0] >> 4) & 0x01;
 
+		if (!is_dual) {
+			/* For support TrackStick of Thinkpad L/E series */
+			if (alps_exit_command_mode(psmouse) == 0 &&
+				alps_enter_command_mode(psmouse) == 0) {
+				reg_val = alps_command_mode_read_reg(psmouse,
+									0xD7);
+			}
+			alps_exit_command_mode(psmouse);
+			ps2_command(ps2dev, NULL, PSMOUSE_CMD_ENABLE);
+
+			if (reg_val == 0x0C || reg_val == 0x1D)
+				is_dual = true;
+		}
+	}
+
 	if (is_dual)
 		priv->flags |= ALPS_DUALPOINT |
 					ALPS_DUALPOINT_WITH_PRESSURE;
@@ -2567,7 +2585,7 @@ static int alps_set_defaults_ss4_v2(stru
 
 	alps_update_btn_info_ss4_v2(otp, priv);
 
-	alps_update_dual_info_ss4_v2(otp, priv);
+	alps_update_dual_info_ss4_v2(otp, priv, psmouse);
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 087/102] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 086/102] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370 Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 088/102] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dennis Wassenberg, Dmitry Torokhov

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dennis Wassenberg <dennis.wassenberg@secunet.com>

commit b56af54ac78c54a519d82813836f305d7f76ef27 upstream.

Reset i8042 before probing because of insufficient BIOS initialisation of
the i8042 serial controller. This makes Synaptics touchpad detection
possible. Without resetting the Synaptics touchpad is not detected because
there are always NACK messages from AUX port.

Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/serio/i8042-x86ia64io.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -693,6 +693,13 @@ static const struct dmi_system_id __init
 		},
 	},
 	{
+		/* Lenovo ThinkPad L460 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"),
+		},
+	},
+	{
 		/* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 088/102] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 087/102] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 089/102] vt: change SGR 21 to follow the standards Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Zary, Dmitry Torokhov

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Zary <linux@rainbow-software.org>

commit 04bb1719c4de94700056241d4c0fe3c1413f5aff upstream.

The touch sensor buttons on Sony VAIO VGN-CS series laptops (e.g.
VGN-CS31S) are a separate PS/2 device. As the MUX is disabled for all
VAIO machines by the nomux blacklist, the data from touch sensor
buttons and touchpad are combined. The protocol used by the buttons is
probably similar to the touchpad protocol (both are Synaptics) so both
devices get enabled. The controller combines the data, creating a mess
which results in random button clicks, touchpad stopping working and
lost sync error messages:
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 4
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: issuing reconnect request

Add a new i8042_dmi_forcemux_table whitelist with VGN-CS.
With MUX enabled, touch sensor buttons are detected as separate device
(and left disabled as there's currently no driver), fixing all touchpad
problems.

Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/serio/i8042-x86ia64io.h |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -530,6 +530,20 @@ static const struct dmi_system_id __init
 	{ }
 };
 
+static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = {
+	{
+		/*
+		 * Sony Vaio VGN-CS series require MUX or the touch sensor
+		 * buttons will disturb touchpad operation
+		 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"),
+		},
+	},
+	{ }
+};
+
 /*
  * On some Asus laptops, just running self tests cause problems.
  */
@@ -1230,6 +1244,9 @@ static int __init i8042_platform_init(vo
 	if (dmi_check_system(i8042_dmi_nomux_table))
 		i8042_nomux = true;
 
+	if (dmi_check_system(i8042_dmi_forcemux_table))
+		i8042_nomux = false;
+
 	if (dmi_check_system(i8042_dmi_notimeout_table))
 		i8042_notimeout = true;
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 089/102] vt: change SGR 21 to follow the standards
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 088/102] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 090/102] Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Frysinger

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Frysinger <vapier@chromium.org>

commit 65d9982d7e523a1a8e7c9af012da0d166f72fc56 upstream.

ECMA-48 [1] (aka ISO 6429) has defined SGR 21 as "doubly underlined"
since at least March 1984.  The Linux kernel has treated it as SGR 22
"normal intensity" since it was added in Linux-0.96b in June 1992.
Before that, it was simply ignored.  Other terminal emulators have
either ignored it, or treat it as double underline now.  xterm for
example added support in its 304 release (May 2014) [2] where it was
previously ignoring it.

Changing this behavior shouldn't be an issue:
- It isn't a named capability in ncurses's terminfo database, so no
  script is using libtinfo/libcurses to look this up, or using tput
  to query & output the right sequence.
- Any script assuming SGR 21 will reset intensity in all terminals
  already do not work correctly on non-Linux VTs (including running
  under screen/tmux/etc...).
- If someone has written a script that only runs in the Linux VT, and
  they're using SGR 21 (instead of SGR 22), the output should still
  be readable.

imo it's important to change this as the Linux VT's non-conformance
is sometimes used as an argument for other terminal emulators to not
implement SGR 21 at all, or do so incorrectly.

[1]: https://www.ecma-international.org/publications/standards/Ecma-048.htm
[2]: https://github.com/ThomasDickey/xterm-snapshots/commit/2fd29cb98d214cb536bcafbee00bc73b3f1eeb9d

Signed-off-by: Mike Frysinger <vapier@chromium.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1354,6 +1354,11 @@ static void csi_m(struct vc_data *vc)
 		case 3:
 			vc->vc_italic = 1;
 			break;
+		case 21:
+			/*
+			 * No console drivers support double underline, so
+			 * convert it to a single underline.
+			 */
 		case 4:
 			vc->vc_underline = 1;
 			break;
@@ -1389,7 +1394,6 @@ static void csi_m(struct vc_data *vc)
 			vc->vc_disp_ctrl = 1;
 			vc->vc_toggle_meta = 1;
 			break;
-		case 21:
 		case 22:
 			vc->vc_intensity = 1;
 			break;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 090/102] Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 089/102] vt: change SGR 21 to follow the standards Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 091/102] ARM: dts: dra7: Add power hold and power controller properties to palmas Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keerthy, Rob Herring, Linus Walleij,
	Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit 0ea66f76ba17a4b229caaadd77de694111b21769 upstream.

GPIO7 is configured in POWERHOLD mode which has higher priority
over DEV_ON bit and keeps the PMIC supplies on even after the DEV_ON
bit is turned off. This property enables driver to over ride the
POWERHOLD value to GPIO7 so as to turn off the PMIC in power off
scenarios.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
+++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
@@ -35,6 +35,15 @@ Optional properties:
 - ti,palmas-enable-dvfs2: Enable DVFS2. Configure pins for DVFS2 mode.
 	Selection primary or secondary function associated to GPADC_START
 	and SYSEN2 pin/pad for DVFS2 interface
+- ti,palmas-override-powerhold: This is applicable for PMICs for which
+	GPIO7 is configured in POWERHOLD mode which has higher priority
+	over DEV_ON bit and keeps the PMIC supplies on even after the DEV_ON
+	bit is turned off. This property enables driver to over ride the
+	POWERHOLD value to GPIO7 so as to turn off the PMIC in power off
+	scenarios. So for GPIO7 if ti,palmas-override-powerhold is set
+	then the GPIO_7 field should never be muxed to anything else.
+	It should be set to POWERHOLD by default and only in case of
+	power off scenarios the driver will over ride the mux value.
 
 This binding uses the following generic properties as defined in
 pinctrl-bindings.txt:

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 091/102] ARM: dts: dra7: Add power hold and power controller properties to palmas
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 090/102] Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 092/102] ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keerthy, Tony Lindgren, Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit 7c62de5f3fc92291decc0dac5f36949bdc3fb575 upstream.

Add power hold and power controller properties to palmas node.
This is needed to shutdown pmic correctly on boards with
powerhold set.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/dra7-evm.dts |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/boot/dts/dra7-evm.dts
+++ b/arch/arm/boot/dts/dra7-evm.dts
@@ -398,6 +398,8 @@
 	tps659038: tps659038@58 {
 		compatible = "ti,tps659038";
 		reg = <0x58>;
+		ti,palmas-override-powerhold;
+		ti,system-power-controller;
 
 		tps659038_pmic {
 			compatible = "ti,tps659038-pmic";

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 092/102] ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 091/102] ARM: dts: dra7: Add power hold and power controller properties to palmas Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 093/102] ARM: dts: am57xx-idk-common: " Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keerthy, Tony Lindgren, Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit 1f166499ce006b3770a3166122eda64e160736ab upstream.

The PMICs have POWERHOLD set by default which prevents PMIC shutdown
even on DEV_CTRL On bit set to 0 as the Powerhold has higher priority.
So to enable pmic power off this property lets one over ride the default
value and enable pmic power off.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi
+++ b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi
@@ -204,6 +204,7 @@
 		interrupt-controller;
 
 		ti,system-power-controller;
+		ti,palmas-override-powerhold;
 
 		tps659038_pmic {
 			compatible = "ti,tps659038-pmic";

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 093/102] ARM: dts: am57xx-idk-common: Add overide powerhold property
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 092/102] ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 094/102] md/raid10: reset the first at the end of loop Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keerthy, Tony Lindgren, Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit 8804755bfb1f3cbc003e4ebe99eac491672f354c upstream.

The PMICs have POWERHOLD set by default which prevents PMIC shutdown
even on DEV_CTRL On bit set to 0 as the Powerhold has higher priority.
So to enable pmic power off this property lets one over ride the default
value and enable pmic power off.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am57xx-idk-common.dtsi |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/am57xx-idk-common.dtsi
+++ b/arch/arm/boot/dts/am57xx-idk-common.dtsi
@@ -57,6 +57,7 @@
 		#interrupt-cells = <2>;
 		interrupt-controller;
 		ti,system-power-controller;
+		ti,palmas-override-powerhold;
 
 		tps659038_pmic {
 			compatible = "ti,tps659038-pmic";

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 094/102] md/raid10: reset the first at the end of loop
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 093/102] ARM: dts: am57xx-idk-common: " Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 095/102] net: hns: Fix ethtool private flags Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, NeilBrown, Guoqing Jiang, Shaohua Li,
	Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guoqing Jiang <gqjiang@suse.com>

commit 6f287ca6046edd34ed83aafb7f9033c9c2e809e2 upstream.

We need to set "first = 0' at the end of rdev_for_each
loop, so we can get the array's min_offset_diff correctly
otherwise min_offset_diff just means the last rdev's
offset diff.

[only the first chunk, due to b506335e5d2b ("md/raid10: skip spare disk as
'first' disk") being already applied - gregkh]

Suggested-by: NeilBrown <neilb@suse.com>
Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid10.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3681,6 +3681,7 @@ static int raid10_run(struct mddev *mdde
 
 		if (blk_queue_discard(bdev_get_queue(rdev->bdev)))
 			discard_supported = true;
+		first = 0;
 	}
 
 	if (mddev->queue) {

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 095/102] net: hns: Fix ethtool private flags
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 094/102] md/raid10: reset the first at the end of loop Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 096/102] Fix slab name "biovec-(1<<(21-12))" Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Brugger, David S. Miller,
	Ben Hutchings

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Brugger <matthias.bgg@gmail.com>

commit d61d263c8d82db7c4404a29ebc29674b1c0c05c9 upstream.

The driver implementation returns support for private flags, while
no private flags are present. When asked for the number of private
flags it returns the number of statistic flag names.

Fix this by returning EOPNOTSUPP for not implemented ethtool flags.

Signed-off-by: Matthias Brugger <mbrugger@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c |    2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c  |    2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c  |    2 +-
 drivers/net/ethernet/hisilicon/hns/hns_ethtool.c   |    4 +++-
 4 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
@@ -671,7 +671,7 @@ static void hns_gmac_get_strings(u32 str
 
 static int hns_gmac_get_sset_count(int stringset)
 {
-	if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+	if (stringset == ETH_SS_STATS)
 		return ARRAY_SIZE(g_gmac_stats_string);
 
 	return 0;
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe
 
 int hns_ppe_get_sset_count(int stringset)
 {
-	if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+	if (stringset == ETH_SS_STATS)
 		return ETH_PPE_STATIC_NUM;
 	return 0;
 }
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
@@ -798,7 +798,7 @@ void hns_rcb_get_stats(struct hnae_queue
  */
 int hns_rcb_get_ring_sset_count(int stringset)
 {
-	if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+	if (stringset == ETH_SS_STATS)
 		return HNS_RING_STATIC_REG_NUM;
 
 	return 0;
--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
@@ -1017,8 +1017,10 @@ int hns_get_sset_count(struct net_device
 			cnt--;
 
 		return cnt;
-	} else {
+	} else if (stringset == ETH_SS_STATS) {
 		return (HNS_NET_STATS_CNT + ops->get_sset_count(h, stringset));
+	} else {
+		return -EOPNOTSUPP;
 	}
 }
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 096/102] Fix slab name "biovec-(1<<(21-12))"
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 095/102] net: hns: Fix ethtool private flags Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 097/102] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin" Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Jens Axboe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit bd5c4facf59648581d2f1692dad7b107bf429954 upstream.

I'm getting a slab named "biovec-(1<<(21-12))". It is caused by unintended
expansion of the macro BIO_MAX_PAGES. This patch renames it to biovec-max.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org	# v4.14+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/bio.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/block/bio.c
+++ b/block/bio.c
@@ -42,9 +42,9 @@
  * break badly! cannot be bigger than what you can fit into an
  * unsigned short
  */
-#define BV(x) { .nr_vecs = x, .name = "biovec-"__stringify(x) }
+#define BV(x, n) { .nr_vecs = x, .name = "biovec-"#n }
 static struct biovec_slab bvec_slabs[BVEC_POOL_NR] __read_mostly = {
-	BV(1), BV(4), BV(16), BV(64), BV(128), BV(BIO_MAX_PAGES),
+	BV(1, 1), BV(4, 4), BV(16, 16), BV(64, 64), BV(128, 128), BV(BIO_MAX_PAGES, max),
 };
 #undef BV
 

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 097/102] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin"
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 096/102] Fix slab name "biovec-(1<<(21-12))" Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 098/102] Revert "ARM: dts: omap3-n900: " Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Andrew F. Davis,
	Tony Lindgren, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit 272b5eef085c23cd71eec30fe040fb1592682508 which was
comit e153db03c6b7a035c797bcdf35262586f003ee93 upstream.

It requires a driver that was not merged until 4.16, so remove it from
this stable tree as it is pointless.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/am335x-pepper.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/am335x-pepper.dts
+++ b/arch/arm/boot/dts/am335x-pepper.dts
@@ -139,7 +139,7 @@
 &audio_codec {
 	status = "okay";
 
-	reset-gpios = <&gpio1 16 GPIO_ACTIVE_LOW>;
+	gpio-reset = <&gpio1 16 GPIO_ACTIVE_LOW>;
 	AVDD-supply = <&ldo3_reg>;
 	IOVDD-supply = <&ldo3_reg>;
 	DRVDD-supply = <&ldo3_reg>;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 098/102] Revert "ARM: dts: omap3-n900: Fix the audio CODECs reset pin"
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 097/102] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin" Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 099/102] Revert "spi: bcm-qspi: shut up warning about cfi header inclusion" Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Andrew F. Davis,
	Tony Lindgren, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit e5ca83f556925b86133af12ef7f17c1a52c39d7e which was
commit 7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057 upstream.

It requires a driver that was not merged until 4.16, so remove it from
this stable tree as it is pointless.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/omap3-n900.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/omap3-n900.dts
+++ b/arch/arm/boot/dts/omap3-n900.dts
@@ -510,7 +510,7 @@
 	tlv320aic3x: tlv320aic3x@18 {
 		compatible = "ti,tlv320aic3x";
 		reg = <0x18>;
-		reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
+		gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
 		ai3x-gpio-func = <
 			0 /* AIC3X_GPIO1_FUNC_DISABLED */
 			5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */
@@ -527,7 +527,7 @@
 	tlv320aic3x_aux: tlv320aic3x@19 {
 		compatible = "ti,tlv320aic3x";
 		reg = <0x19>;
-		reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
+		gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
 
 		AVDD-supply = <&vmmc2>;
 		DRVDD-supply = <&vmmc2>;

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 099/102] Revert "spi: bcm-qspi: shut up warning about cfi header inclusion"
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 098/102] Revert "ARM: dts: omap3-n900: " Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 100/102] Revert "mtip32xx: use runtime tag to initialize command header" Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Arnd Bergmann

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit c30e6636ce101fd61331092c490b9d9c55b2d143.

Florian writes:
	Sorry for noticing so late, but this appears to be bogus, there
	is no MTD_NORFLASH symbol being defined in 4.9, in fact I can't
	find this Kconfig symbol in any kernel version, so this
	effectively results in the driver no longer being selectable, so
	this sure does silence the warning.

It's not good to just disable a whole driver :(

So let's revert the patch for now, Arnd can work on a better build
fix...

Reported-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/Kconfig |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/spi/Kconfig
+++ b/drivers/spi/Kconfig
@@ -156,7 +156,6 @@ config SPI_BCM63XX_HSSPI
 config SPI_BCM_QSPI
 	tristate "Broadcom BSPI and MSPI controller support"
 	depends on ARCH_BRCMSTB || ARCH_BCM || ARCH_BCM_IPROC || COMPILE_TEST
-	depends on MTD_NORFLASH
 	default ARCH_BCM_IPROC
 	help
 	  Enables support for the Broadcom SPI flash and MSPI controller.

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 100/102] Revert "mtip32xx: use runtime tag to initialize command header"
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 099/102] Revert "spi: bcm-qspi: shut up warning about cfi header inclusion" Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 101/102] Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Ming Lei, Jens Axboe,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit db54facd56a40e7766bf7f7cda1ae138e72a691c which was
commit a4e84aae8139aca9fbfbced1f45c51ca81b57488 upstream.

Ben writes:
    MQ IO schedulers were introduced in 4.11, so this shouldn't be
    needed in older branches.  It also causes a performance
    regression (fixed upstream).  Please revert this for 4.4 and
    4.9.

So let's revert it!

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Jens Axboe <axboe@fb.com>
Cc: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/mtip32xx/mtip32xx.c |   36 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 24 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -169,25 +169,6 @@ static bool mtip_check_surprise_removal(
 	return false; /* device present */
 }
 
-/* we have to use runtime tag to setup command header */
-static void mtip_init_cmd_header(struct request *rq)
-{
-	struct driver_data *dd = rq->q->queuedata;
-	struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
-	u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
-
-	/* Point the command headers at the command tables. */
-	cmd->command_header = dd->port->command_list +
-				(sizeof(struct mtip_cmd_hdr) * rq->tag);
-	cmd->command_header_dma = dd->port->command_list_dma +
-				(sizeof(struct mtip_cmd_hdr) * rq->tag);
-
-	if (host_cap_64)
-		cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16);
-
-	cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
-}
-
 static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd)
 {
 	struct request *rq;
@@ -199,9 +180,6 @@ static struct mtip_cmd *mtip_get_int_com
 	if (IS_ERR(rq))
 		return NULL;
 
-	/* Internal cmd isn't submitted via .queue_rq */
-	mtip_init_cmd_header(rq);
-
 	return blk_mq_rq_to_pdu(rq);
 }
 
@@ -3833,8 +3811,6 @@ static int mtip_queue_rq(struct blk_mq_h
 	struct request *rq = bd->rq;
 	int ret;
 
-	mtip_init_cmd_header(rq);
-
 	if (unlikely(mtip_check_unal_depth(hctx, rq)))
 		return BLK_MQ_RQ_QUEUE_BUSY;
 
@@ -3866,6 +3842,7 @@ static int mtip_init_cmd(void *data, str
 {
 	struct driver_data *dd = data;
 	struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
+	u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
 
 	/*
 	 * For flush requests, request_idx starts at the end of the
@@ -3882,6 +3859,17 @@ static int mtip_init_cmd(void *data, str
 
 	memset(cmd->command, 0, CMD_DMA_ALLOC_SZ);
 
+	/* Point the command headers at the command tables. */
+	cmd->command_header = dd->port->command_list +
+				(sizeof(struct mtip_cmd_hdr) * request_idx);
+	cmd->command_header_dma = dd->port->command_list_dma +
+				(sizeof(struct mtip_cmd_hdr) * request_idx);
+
+	if (host_cap_64)
+		cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16);
+
+	cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
+
 	sg_init_table(cmd->sg, MTIP_MAX_SG);
 	return 0;
 }

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 101/102] Revert "ip6_vti: adjust vti mtu according to mtu of lower device"
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 100/102] Revert "mtip32xx: use runtime tag to initialize command header" Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 13:24 ` [PATCH 4.9 102/102] spi: davinci: fix up dma_mapping_error() incorrect patch Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Petr Vorel,
	Alexey Kodanev, David S. Miller, Stefano Brivio

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit 1139d77d8a7f9aa6b6ae0a1c902f94775dad2f52 which is
commit 53c81e95df1793933f87748d36070a721f6cb287 upstream.

Ben writes that there are a number of follow-on patches needed to fix
this up, but they get complex to backport, and some custom fixes are
needed, so let's just revert this and wait for a "real" set of patches
to resolve this to be submitted if it is really needed.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Petr Vorel <pvorel@suse.cz>
Cc: Alexey Kodanev <alexey.kodanev@oracle.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   20 --------------------
 1 file changed, 20 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -625,7 +625,6 @@ static void vti6_link_config(struct ip6_
 {
 	struct net_device *dev = t->dev;
 	struct __ip6_tnl_parm *p = &t->parms;
-	struct net_device *tdev = NULL;
 
 	memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
 	memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
@@ -638,25 +637,6 @@ static void vti6_link_config(struct ip6_
 		dev->flags |= IFF_POINTOPOINT;
 	else
 		dev->flags &= ~IFF_POINTOPOINT;
-
-	if (p->flags & IP6_TNL_F_CAP_XMIT) {
-		int strict = (ipv6_addr_type(&p->raddr) &
-			      (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
-		struct rt6_info *rt = rt6_lookup(t->net,
-						 &p->raddr, &p->laddr,
-						 p->link, strict);
-
-		if (rt)
-			tdev = rt->dst.dev;
-		ip6_rt_put(rt);
-	}
-
-	if (!tdev && p->link)
-		tdev = __dev_get_by_index(t->net, p->link);
-
-	if (tdev)
-		dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
-				 IPV6_MIN_MTU);
 }
 
 /**

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [PATCH 4.9 102/102] spi: davinci: fix up dma_mapping_error() incorrect patch
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 101/102] Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman
@ 2018-04-06 13:24 ` Greg Kroah-Hartman
  2018-04-06 17:22 ` [PATCH 4.9 000/102] 4.9.93-stable review kernelci.org bot
                   ` (2 subsequent siblings)
  104 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-06 13:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Kevin Hilman,
	Mark Brown, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aabb797b4c1204b2e8518538b2616e476f2bac92, which is commit
c5a2a394835f473ae23931eda5066d3771d7b2f8 upstream had an error in it.

Ben writes:
	The '!' needs to be deleted.  This appears to have been fixed upstream
	by:

	commit 8aedbf580d21121d2a032e4c8ea12d8d2d85e275
	Author: Fabien Parent <fparent@baylibre.com>
	Date:   Thu Feb 23 19:01:56 2017 +0100

	    spi: davinci: Use SPI framework to handle DMA mapping

	which is not suitable for stable.

So I'm just fixing this up directly.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Kevin Hilman <khilman@baylibre.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-davinci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/spi/spi-davinci.c
+++ b/drivers/spi/spi-davinci.c
@@ -646,7 +646,7 @@ static int davinci_spi_bufs(struct spi_d
 			buf = t->rx_buf;
 		t->rx_dma = dma_map_single(&spi->dev, buf,
 				t->len, DMA_FROM_DEVICE);
-		if (dma_mapping_error(&spi->dev, !t->rx_dma)) {
+		if (dma_mapping_error(&spi->dev, t->rx_dma)) {
 			ret = -EFAULT;
 			goto err_rx_map;
 		}

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2018-04-06 13:24 ` [PATCH 4.9 102/102] spi: davinci: fix up dma_mapping_error() incorrect patch Greg Kroah-Hartman
@ 2018-04-06 17:22 ` kernelci.org bot
  2018-04-06 22:14 ` Shuah Khan
  2018-04-06 22:25 ` Dan Rue
  104 siblings, 0 replies; 111+ messages in thread
From: kernelci.org bot @ 2018-04-06 17:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-4.9.y boot: 61 boots: 0 failed, 59 passed with 2 untried/unknown (v4.9.92-103-g7eea6c2b79f0)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.9.y/kernel/v4.9.92-103-g7eea6c2b79f0/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.9.y/kernel/v4.9.92-103-g7eea6c2b79f0/

Tree: stable-rc
Branch: linux-4.9.y
Git Describe: v4.9.92-103-g7eea6c2b79f0
Git Commit: 7eea6c2b79f0c0f15f8a519cd2797bcfffc47d4a
Git URL: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 30 unique boards, 14 SoC families, 17 builds out of 183

---
For more info write to <info@kernelci.org>

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2018-04-06 17:22 ` [PATCH 4.9 000/102] 4.9.93-stable review kernelci.org bot
@ 2018-04-06 22:14 ` Shuah Khan
  2018-04-06 22:25 ` Dan Rue
  104 siblings, 0 replies; 111+ messages in thread
From: Shuah Khan @ 2018-04-06 22:14 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, Shuah Khan

On 04/06/2018 07:22 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.93 release.
> There are 102 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.93-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2018-04-06 22:14 ` Shuah Khan
@ 2018-04-06 22:25 ` Dan Rue
  2018-04-07  6:11   ` Greg Kroah-Hartman
  104 siblings, 1 reply; 111+ messages in thread
From: Dan Rue @ 2018-04-06 22:25 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable, Nicolas Dechesne,
	Anibal Limon, Thierry Escande, Will Deacon

On Fri, Apr 06, 2018 at 03:22:41PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.93 release.
> There are 102 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
> Anything received after that time might be too late.

Results from Linaro’s test farm.
No regressions on arm64, arm and x86_64.

There is a new test failure on dragonboard 410c (arm64) in
kselftest/cpu-on-off-test. However, it looks like the test was failing
but giving a false "PASS" on previous versions of 4.9. This -RC seems to
have changed the behavior enough to cause the test to actually mark a
failure.

In any event, this looks like a db410c-specific pre-existing issue that we have
already escalated to our Qualcomm team. Details can be found at
https://bugs.linaro.org/show_bug.cgi?id=3723 for those interested.


Summary
------------------------------------------------------------------------

kernel: 4.9.93-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: 7eea6c2b79f0c0f15f8a519cd2797bcfffc47d4a
git describe: v4.9.92-103-g7eea6c2b79f0
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.92-103-g7eea6c2b79f0


No regressions (compared to build v4.9.92-85-g6664986610a8)

Boards, architectures and test suites:
-------------------------------------

dragonboard-410c
* boot - pass: 24
* kselftest - skip: 27, fail: 1, pass: 35
* libhugetlbfs - skip: 1, pass: 90
* ltp-cap_bounds-tests - pass: 2
* ltp-containers-tests - skip: 17, pass: 64
* ltp-fcntl-locktests-tests - pass: 2
* ltp-filecaps-tests - pass: 4
* ltp-fs-tests - skip: 2, pass: 61
* ltp-fs_bind-tests - pass: 4
* ltp-fs_perms_simple-tests - pass: 38
* ltp-fsx-tests - pass: 4
* ltp-hugetlb-tests - skip: 1, pass: 21
* ltp-io-tests - pass: 3
* ltp-ipc-tests - pass: 9
* ltp-math-tests - pass: 11
* ltp-nptl-tests - pass: 2
* ltp-pty-tests - pass: 4
* ltp-sched-tests - pass: 14
* ltp-securebits-tests - pass: 4
* ltp-syscalls-tests - skip: 148, pass: 1002
* ltp-timers-tests - skip: 1, pass: 12

hi6220-hikey - arm64
* boot - pass: 28
* kselftest - skip: 47, pass: 78
* libhugetlbfs - skip: 2, pass: 180
* ltp-cap_bounds-tests - pass: 2
* ltp-containers-tests - skip: 17, pass: 64
* ltp-fcntl-locktests-tests - pass: 2
* ltp-filecaps-tests - pass: 4
* ltp-fs-tests - skip: 4, pass: 122
* ltp-fs_bind-tests - pass: 2
* ltp-fs_perms_simple-tests - pass: 19
* ltp-fsx-tests - pass: 2
* ltp-hugetlb-tests - skip: 2, pass: 42
* ltp-io-tests - pass: 6
* ltp-ipc-tests - pass: 18
* ltp-math-tests - pass: 22
* ltp-nptl-tests - pass: 2
* ltp-pty-tests - pass: 4
* ltp-sched-tests - skip: 4, pass: 10
* ltp-securebits-tests - pass: 4
* ltp-syscalls-tests - skip: 151, pass: 999
* ltp-timers-tests - skip: 1, pass: 12

juno-r2 - arm64
* boot - pass: 27
* kselftest - skip: 23, pass: 40
* libhugetlbfs - skip: 1, pass: 90
* ltp-cap_bounds-tests - pass: 2
* ltp-containers-tests - skip: 17, pass: 64
* ltp-fcntl-locktests-tests - pass: 2
* ltp-filecaps-tests - pass: 2
* ltp-fs-tests - skip: 2, pass: 61
* ltp-fs_bind-tests - pass: 2
* ltp-fs_perms_simple-tests - pass: 19
* ltp-fsx-tests - pass: 2
* ltp-hugetlb-tests - pass: 22
* ltp-io-tests - pass: 3
* ltp-ipc-tests - pass: 9
* ltp-math-tests - pass: 22
* ltp-nptl-tests - pass: 4
* ltp-pty-tests - pass: 8
* ltp-sched-tests - skip: 8, pass: 20
* ltp-securebits-tests - pass: 4
* ltp-syscalls-tests - skip: 149, pass: 1001
* ltp-timers-tests - skip: 1, pass: 12

qemu_x86_64
* boot - pass: 22
* kselftest - skip: 28, pass: 52
* kselftest-vsyscall-mode-native - skip: 28, pass: 52
* kselftest-vsyscall-mode-none - skip: 28, pass: 52
* libhugetlbfs - skip: 1, pass: 90
* ltp-cap_bounds-tests - pass: 2
* ltp-containers-tests - skip: 17, pass: 64
* ltp-fcntl-locktests-tests - pass: 2
* ltp-filecaps-tests - pass: 2
* ltp-fs-tests - skip: 6, pass: 57
* ltp-fs_bind-tests - pass: 2
* ltp-fs_perms_simple-tests - pass: 19
* ltp-fsx-tests - pass: 2
* ltp-hugetlb-tests - pass: 22
* ltp-io-tests - pass: 3
* ltp-ipc-tests - pass: 9
* ltp-math-tests - pass: 11
* ltp-nptl-tests - pass: 2
* ltp-pty-tests - pass: 4
* ltp-sched-tests - skip: 1, pass: 13
* ltp-securebits-tests - pass: 4
* ltp-syscalls-tests - skip: 148, pass: 1002
* ltp-timers-tests - skip: 1, pass: 12

x15 - arm
* boot - pass: 21
* kselftest - skip: 24, pass: 38
* libhugetlbfs - skip: 1, pass: 87
* ltp-cap_bounds-tests - pass: 2
* ltp-containers-tests - skip: 17, pass: 64
* ltp-fcntl-locktests-tests - pass: 2
* ltp-filecaps-tests - pass: 2
* ltp-fs-tests - skip: 2, pass: 61
* ltp-fs_bind-tests - pass: 2
* ltp-fs_perms_simple-tests - pass: 19
* ltp-fsx-tests - pass: 2
* ltp-hugetlb-tests - skip: 2, pass: 20
* ltp-io-tests - pass: 3
* ltp-ipc-tests - pass: 9
* ltp-math-tests - pass: 11
* ltp-nptl-tests - pass: 2
* ltp-pty-tests - pass: 4
* ltp-sched-tests - skip: 1, pass: 13
* ltp-securebits-tests - pass: 4
* ltp-syscalls-tests - skip: 97, pass: 1053
* ltp-timers-tests - skip: 2, pass: 24

x86_64
* boot - pass: 22
* kselftest - skip: 25, fail: 1, pass: 54
* kselftest-vsyscall-mode-native - skip: 25, fail: 1, pass: 54
* kselftest-vsyscall-mode-none - skip: 25, fail: 2, pass: 53
* libhugetlbfs - skip: 1, pass: 90
* ltp-cap_bounds-tests - pass: 2
* ltp-containers-tests - skip: 17, pass: 64
* ltp-fcntl-locktests-tests - pass: 2
* ltp-filecaps-tests - pass: 2
* ltp-fs-tests - skip: 1, pass: 62
* ltp-fs_bind-tests - pass: 2
* ltp-fs_perms_simple-tests - pass: 19
* ltp-fsx-tests - pass: 2
* ltp-hugetlb-tests - pass: 22
* ltp-io-tests - pass: 3
* ltp-ipc-tests - pass: 9
* ltp-math-tests - pass: 11
* ltp-nptl-tests - pass: 2
* ltp-pty-tests - pass: 4
* ltp-sched-tests - skip: 5, pass: 9
* ltp-securebits-tests - pass: 4
* ltp-syscalls-tests - skip: 119, pass: 1031
* ltp-timers-tests - skip: 1, pass: 12

--
Linaro QA (beta)
https://qa-reports.linaro.org

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-06 22:25 ` Dan Rue
@ 2018-04-07  6:11   ` Greg Kroah-Hartman
  2018-04-12 12:17     ` Thierry Escande
  0 siblings, 1 reply; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-07  6:11 UTC (permalink / raw)
  To: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable, Nicolas Dechesne,
	Anibal Limon, Thierry Escande, Will Deacon

On Fri, Apr 06, 2018 at 05:25:24PM -0500, Dan Rue wrote:
> On Fri, Apr 06, 2018 at 03:22:41PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.9.93 release.
> > There are 102 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
> > Anything received after that time might be too late.
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm and x86_64.
> 
> There is a new test failure on dragonboard 410c (arm64) in
> kselftest/cpu-on-off-test. However, it looks like the test was failing
> but giving a false "PASS" on previous versions of 4.9. This -RC seems to
> have changed the behavior enough to cause the test to actually mark a
> failure.
> 
> In any event, this looks like a db410c-specific pre-existing issue that we have
> already escalated to our Qualcomm team. Details can be found at
> https://bugs.linaro.org/show_bug.cgi?id=3723 for those interested.

Thanks for testing these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-07  6:11   ` Greg Kroah-Hartman
@ 2018-04-12 12:17     ` Thierry Escande
  2018-04-12 12:23       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 111+ messages in thread
From: Thierry Escande @ 2018-04-12 12:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable, Nicolas Dechesne,
	Anibal Limon, Will Deacon

Hi Greg,

On 07/04/2018 08:11, Greg Kroah-Hartman wrote:
> On Fri, Apr 06, 2018 at 05:25:24PM -0500, Dan Rue wrote:
>> On Fri, Apr 06, 2018 at 03:22:41PM +0200, Greg Kroah-Hartman wrote:
>>> This is the start of the stable review cycle for the 4.9.93 release.
>>> There are 102 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
>>> Anything received after that time might be too late.
>>
>> Results from Linaro’s test farm.
>> No regressions on arm64, arm and x86_64.
>>
>> There is a new test failure on dragonboard 410c (arm64) in
>> kselftest/cpu-on-off-test. However, it looks like the test was failing
>> but giving a false "PASS" on previous versions of 4.9. This -RC seems to
>> have changed the behavior enough to cause the test to actually mark a
>> failure.
>>
>> In any event, this looks like a db410c-specific pre-existing issue that we have
>> already escalated to our Qualcomm team. Details can be found at
>> https://bugs.linaro.org/show_bug.cgi?id=3723 for those interested.
> 
> Thanks for testing these and letting me know.

The test failure on dragonboard 410c comes from [1] to fix a possible 
deadlock related to the hotplug rework. It's been reverted in v4.12 by 
[2] because the cpu hotplug rework was not ready yet at that time. Since 
the hotplug rework has not been backported to v4.9.y, the splat cannot 
be reproduced and so [1] can be reverted or [2] applied on v4.9.y.

[1] https://lkml.org/lkml/2018/3/23/452
[2] https://lkml.org/lkml/2017/5/7/124

Regards,
Thierry

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-12 12:17     ` Thierry Escande
@ 2018-04-12 12:23       ` Greg Kroah-Hartman
  2018-04-12 12:32         ` Thierry Escande
  0 siblings, 1 reply; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-12 12:23 UTC (permalink / raw)
  To: Thierry Escande
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable, Nicolas Dechesne,
	Anibal Limon, Will Deacon

On Thu, Apr 12, 2018 at 02:17:50PM +0200, Thierry Escande wrote:
> Hi Greg,
> 
> On 07/04/2018 08:11, Greg Kroah-Hartman wrote:
> > On Fri, Apr 06, 2018 at 05:25:24PM -0500, Dan Rue wrote:
> > > On Fri, Apr 06, 2018 at 03:22:41PM +0200, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 4.9.93 release.
> > > > There are 102 patches in this series, all will be posted as a response
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
> > > > Anything received after that time might be too late.
> > > 
> > > Results from Linaro’s test farm.
> > > No regressions on arm64, arm and x86_64.
> > > 
> > > There is a new test failure on dragonboard 410c (arm64) in
> > > kselftest/cpu-on-off-test. However, it looks like the test was failing
> > > but giving a false "PASS" on previous versions of 4.9. This -RC seems to
> > > have changed the behavior enough to cause the test to actually mark a
> > > failure.
> > > 
> > > In any event, this looks like a db410c-specific pre-existing issue that we have
> > > already escalated to our Qualcomm team. Details can be found at
> > > https://bugs.linaro.org/show_bug.cgi?id=3723 for those interested.
> > 
> > Thanks for testing these and letting me know.
> 
> The test failure on dragonboard 410c comes from [1] to fix a possible
> deadlock related to the hotplug rework. It's been reverted in v4.12 by [2]
> because the cpu hotplug rework was not ready yet at that time. Since the
> hotplug rework has not been backported to v4.9.y, the splat cannot be
> reproduced and so [1] can be reverted or [2] applied on v4.9.y.
> 
> [1] https://lkml.org/lkml/2018/3/23/452
> [2] https://lkml.org/lkml/2017/5/7/124

Hm, so I need to drop some patch, but what one?  lkml.org does not work
for me, please be specific and use the git commit ids, or at the
very-least, the subject of the patches.  Never make someone have to rely
on the existance of a random web site not under kernel developer's
control to figure out what to do...

greg k-h

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-12 12:23       ` Greg Kroah-Hartman
@ 2018-04-12 12:32         ` Thierry Escande
  2018-04-12 16:56           ` Greg Kroah-Hartman
  0 siblings, 1 reply; 111+ messages in thread
From: Thierry Escande @ 2018-04-12 12:32 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable, Nicolas Dechesne,
	Anibal Limon, Will Deacon

On 12/04/2018 14:23, Greg Kroah-Hartman wrote:
> On Thu, Apr 12, 2018 at 02:17:50PM +0200, Thierry Escande wrote:
>> Hi Greg,
>>
>> On 07/04/2018 08:11, Greg Kroah-Hartman wrote:
>>> On Fri, Apr 06, 2018 at 05:25:24PM -0500, Dan Rue wrote:
>>>> On Fri, Apr 06, 2018 at 03:22:41PM +0200, Greg Kroah-Hartman wrote:
>>>>> This is the start of the stable review cycle for the 4.9.93 release.
>>>>> There are 102 patches in this series, all will be posted as a response
>>>>> to this one.  If anyone has any issues with these being applied, please
>>>>> let me know.
>>>>>
>>>>> Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
>>>>> Anything received after that time might be too late.
>>>>
>>>> Results from Linaro’s test farm.
>>>> No regressions on arm64, arm and x86_64.
>>>>
>>>> There is a new test failure on dragonboard 410c (arm64) in
>>>> kselftest/cpu-on-off-test. However, it looks like the test was failing
>>>> but giving a false "PASS" on previous versions of 4.9. This -RC seems to
>>>> have changed the behavior enough to cause the test to actually mark a
>>>> failure.
>>>>
>>>> In any event, this looks like a db410c-specific pre-existing issue that we have
>>>> already escalated to our Qualcomm team. Details can be found at
>>>> https://bugs.linaro.org/show_bug.cgi?id=3723 for those interested.
>>>
>>> Thanks for testing these and letting me know.
>>
>> The test failure on dragonboard 410c comes from [1] to fix a possible
>> deadlock related to the hotplug rework. It's been reverted in v4.12 by [2]
>> because the cpu hotplug rework was not ready yet at that time. Since the
>> hotplug rework has not been backported to v4.9.y, the splat cannot be
>> reproduced and so [1] can be reverted or [2] applied on v4.9.y.
>>
>> [1] https://lkml.org/lkml/2018/3/23/452
>> [2] https://lkml.org/lkml/2017/5/7/124
> 
> Hm, so I need to drop some patch, but what one?  lkml.org does not work
> for me, please be specific and use the git commit ids, or at the
> very-least, the subject of the patches.  Never make someone have to rely
> on the existance of a random web site not under kernel developer's
> control to figure out what to do...

So the commit to be reverted is [1], introduced in v4.9.90. Or you can 
apply [2] from v4.12 that actually reverts [1].

[1] 18dd7b964c01ac44497471f4ea3f4c0c663eab55
[2] 51d638b1f56a0bfd9219800620994794a1a2b219

Regards,
Thierry

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [PATCH 4.9 000/102] 4.9.93-stable review
  2018-04-12 12:32         ` Thierry Escande
@ 2018-04-12 16:56           ` Greg Kroah-Hartman
  0 siblings, 0 replies; 111+ messages in thread
From: Greg Kroah-Hartman @ 2018-04-12 16:56 UTC (permalink / raw)
  To: Thierry Escande
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable, Nicolas Dechesne,
	Anibal Limon, Will Deacon

On Thu, Apr 12, 2018 at 02:32:09PM +0200, Thierry Escande wrote:
> On 12/04/2018 14:23, Greg Kroah-Hartman wrote:
> > On Thu, Apr 12, 2018 at 02:17:50PM +0200, Thierry Escande wrote:
> > > Hi Greg,
> > > 
> > > On 07/04/2018 08:11, Greg Kroah-Hartman wrote:
> > > > On Fri, Apr 06, 2018 at 05:25:24PM -0500, Dan Rue wrote:
> > > > > On Fri, Apr 06, 2018 at 03:22:41PM +0200, Greg Kroah-Hartman wrote:
> > > > > > This is the start of the stable review cycle for the 4.9.93 release.
> > > > > > There are 102 patches in this series, all will be posted as a response
> > > > > > to this one.  If anyone has any issues with these being applied, please
> > > > > > let me know.
> > > > > > 
> > > > > > Responses should be made by Sun Apr  8 08:42:55 UTC 2018.
> > > > > > Anything received after that time might be too late.
> > > > > 
> > > > > Results from Linaro’s test farm.
> > > > > No regressions on arm64, arm and x86_64.
> > > > > 
> > > > > There is a new test failure on dragonboard 410c (arm64) in
> > > > > kselftest/cpu-on-off-test. However, it looks like the test was failing
> > > > > but giving a false "PASS" on previous versions of 4.9. This -RC seems to
> > > > > have changed the behavior enough to cause the test to actually mark a
> > > > > failure.
> > > > > 
> > > > > In any event, this looks like a db410c-specific pre-existing issue that we have
> > > > > already escalated to our Qualcomm team. Details can be found at
> > > > > https://bugs.linaro.org/show_bug.cgi?id=3723 for those interested.
> > > > 
> > > > Thanks for testing these and letting me know.
> > > 
> > > The test failure on dragonboard 410c comes from [1] to fix a possible
> > > deadlock related to the hotplug rework. It's been reverted in v4.12 by [2]
> > > because the cpu hotplug rework was not ready yet at that time. Since the
> > > hotplug rework has not been backported to v4.9.y, the splat cannot be
> > > reproduced and so [1] can be reverted or [2] applied on v4.9.y.
> > > 
> > > [1] https://lkml.org/lkml/2018/3/23/452
> > > [2] https://lkml.org/lkml/2017/5/7/124
> > 
> > Hm, so I need to drop some patch, but what one?  lkml.org does not work
> > for me, please be specific and use the git commit ids, or at the
> > very-least, the subject of the patches.  Never make someone have to rely
> > on the existance of a random web site not under kernel developer's
> > control to figure out what to do...
> 
> So the commit to be reverted is [1], introduced in v4.9.90. Or you can apply
> [2] from v4.12 that actually reverts [1].
> 
> [1] 18dd7b964c01ac44497471f4ea3f4c0c663eab55
> [2] 51d638b1f56a0bfd9219800620994794a1a2b219

You do know about the "nice" way to display git ids, right:
	$ alias gsr
	alias gsr='git show -s --abbrev-commit --abbrev=12 --pretty=format:"%h (\"%s\")%n"'
	$ gsr 18dd7b964c01ac44497471f4ea3f4c0c663eab55
	18dd7b964c01 ("block/mq: Cure cpu hotplug lock inversion")
	$ gsr 51d638b1f56a0bfd9219800620994794a1a2b219
	51d638b1f56a ("block/mq: fix potential deadlock during cpu hotplug")

It makes it easier to read, footnotes suck for something that you have
to act on and not just want to read after-the-fact.

Anyway, I'll revert this for the next round after these releases come
out.

thanks,

greg "everyone deserves a copy editor!" k-h

^ permalink raw reply	[flat|nested] 111+ messages in thread

end of thread, other threads:[~2018-04-12 16:56 UTC | newest]

Thread overview: 111+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-06 13:22 [PATCH 4.9 000/102] 4.9.93-stable review Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 001/102] ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 002/102] mtd: jedec_probe: Fix crash in jedec_read_mfr() Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 003/102] ALSA: usb-audio: Add native DSD support for TEAC UD-301 Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 004/102] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 005/102] ALSA: pcm: potential uninitialized return values Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 006/102] perf/hwbp: Simplify the perf-hwbp code, fix documentation Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 007/102] ceph: only dirty ITER_IOVEC pages for direct read Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 008/102] ipc/shm.c: add split function to shm_vm_ops Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 009/102] powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 010/102] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 011/102] partitions/msdos: Unable to mount UFS 44bsd partitions Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 012/102] kprobes/x86: Fix to set RWX bits correctly before releasing trampoline Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 013/102] PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 014/102] dm ioctl: remove double parentheses Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 015/102] Input: mousedev - fix implicit conversion warning Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 016/102] netfilter: nf_nat_h323: fix logical-not-parentheses warning Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 017/102] genirq: Use cpumask_available() for check of cpumask variable Greg Kroah-Hartman
2018-04-06 13:22 ` [PATCH 4.9 018/102] cpumask: Add helper cpumask_available() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 019/102] selinux: Remove unnecessary check of array base in selinux_set_mapping() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 020/102] fs: compat: Remove warning from COMPATIBLE_IOCTL Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 021/102] jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 022/102] frv: declare jiffies to be located in the .data section Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 023/102] usb: gadget: remove redundant self assignment Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 024/102] xgene_enet: remove bogus forward declarations Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 025/102] nl80211: Fix enum type of variable in nl80211_put_sta_rate() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 026/102] cfg80211: Fix array-bounds warning in fragment copy Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 027/102] HID: sony: Use LED_CORE_SUSPENDRESUME Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 028/102] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 029/102] mac80211: Fix clang warning about constant operand in logical operation Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 030/102] mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 031/102] btrfs: Remove extra parentheses from condition in copy_items() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 032/102] arm64: avoid overflow in VA_START and PAGE_OFFSET Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 033/102] selinux: Remove redundant check for unknown labeling behavior Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 034/102] mm/vmscan.c: fix unsequenced modification and access warning Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 035/102] xfrm_user: uncoditionally validate esn replay attribute struct Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 036/102] RDMA/ucma: Check AF family prior resolving address Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 037/102] RDMA/ucma: Fix use-after-free access in ucma_close Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 038/102] RDMA/ucma: Ensure that CM_ID exists prior to access it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 039/102] RDMA/ucma: Check that device is connected " Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 040/102] RDMA/ucma: Check that device exists prior to accessing it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 041/102] RDMA/ucma: Introduce safer rdma_addr_size() variants Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 042/102] net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 043/102] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 044/102] netfilter: bridge: ebt_among: add more missing match size checks Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 045/102] netfilter: x_tables: add and use xt_check_proc_name Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 046/102] Bluetooth: Fix missing encryption refresh on Security Request Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 047/102] llist: clang: introduce member_address_is_nonnull() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 048/102] scsi: virtio_scsi: always read VPD pages for multiqueue too Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 049/102] usb: dwc2: Improve gadget state disconnection handling Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 050/102] arm64: mm: Use non-global mappings for kernel space Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 051/102] arm64: mm: Move ASID from TTBR0 to TTBR1 Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 052/102] arm64: mm: Allocate ASIDs in pairs Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 053/102] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 054/102] arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 055/102] arm64: factor out entry stack manipulation Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 056/102] module: extend rodata=off boot cmdline parameter to module mappings Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 057/102] arm64: entry: Add exception trampoline page for exceptions from EL0 Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 058/102] arm64: mm: Map entry trampoline into trampoline and kernel page tables Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 059/102] arm64: entry: Explicitly pass exception level to kernel_ventry macro Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 060/102] arm64: entry: Hook up entry trampoline to exception vectors Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 061/102] arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 062/102] arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 063/102] arm64: kaslr: Put kernel vectors address in separate data page Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 064/102] arm64: use RET instruction for exiting the trampoline Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 065/102] arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 066/102] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 067/102] arm64: Take into account ID_AA64PFR0_EL1.CSV3 Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 068/102] arm64: Allow checking of a CPU-local erratum Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 069/102] arm64: capabilities: Handle duplicate entries for a capability Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 070/102] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 071/102] arm64: Turn on KPTI only on CPUs that need it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 072/102] arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 073/102] arm64: kpti: Add ->enable callback to remap swapper using nG mappings Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 074/102] arm64: Force KPTI to be disabled on Cavium ThunderX Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 075/102] arm64: entry: Reword comment about post_ttbr_update_workaround Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 076/102] arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 077/102] USB: serial: ftdi_sio: add RT Systems VX-8 cable Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.9 078/102] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 079/102] USB: serial: cp210x: add ELDAT Easywave RX09 id Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 080/102] mei: remove dev_err message on an unsupported ioctl Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 081/102] media: usbtv: prevent double free in error case Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 082/102] parport_pc: Add support for WCH CH382L PCI-E single parallel port card Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 083/102] crypto: ahash - Fix early termination in hash walk Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 084/102] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 085/102] staging: comedi: ni_mio_common: ack ai fifo error interrupts Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 086/102] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370 Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 087/102] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 088/102] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 089/102] vt: change SGR 21 to follow the standards Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 090/102] Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 091/102] ARM: dts: dra7: Add power hold and power controller properties to palmas Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 092/102] ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 093/102] ARM: dts: am57xx-idk-common: " Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 094/102] md/raid10: reset the first at the end of loop Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 095/102] net: hns: Fix ethtool private flags Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 096/102] Fix slab name "biovec-(1<<(21-12))" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 097/102] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 098/102] Revert "ARM: dts: omap3-n900: " Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 099/102] Revert "spi: bcm-qspi: shut up warning about cfi header inclusion" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 100/102] Revert "mtip32xx: use runtime tag to initialize command header" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 101/102] Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.9 102/102] spi: davinci: fix up dma_mapping_error() incorrect patch Greg Kroah-Hartman
2018-04-06 17:22 ` [PATCH 4.9 000/102] 4.9.93-stable review kernelci.org bot
2018-04-06 22:14 ` Shuah Khan
2018-04-06 22:25 ` Dan Rue
2018-04-07  6:11   ` Greg Kroah-Hartman
2018-04-12 12:17     ` Thierry Escande
2018-04-12 12:23       ` Greg Kroah-Hartman
2018-04-12 12:32         ` Thierry Escande
2018-04-12 16:56           ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).