2018-07-01 18:48:37

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 00/85] 3.18.114-stable review

This is the start of the stable review cycle for the 3.18.114 release.
There are 85 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Jul 3 15:31:04 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.114-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 3.18.114-rc1

Mike Snitzer <[email protected]>
dm thin: handle running out of data space vs concurrent discard

Keith Busch <[email protected]>
block: Fix transfer when chunk sectors exceeds max

Jan Kara <[email protected]>
udf: Detect incorrect directory size

Boris Ostrovsky <[email protected]>
xen: Remove unnecessary BUG_ON from __unbind_from_irq()

Kees Cook <[email protected]>
video: uvesafb: Fix integer overflow in allocation

Scott Mayhew <[email protected]>
nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir

Mauro Carvalho Chehab <[email protected]>
media: dvb_frontend: fix locking issues at dvb_frontend_get_event()

Kai-Heng Feng <[email protected]>
media: cx231xx: Add support for AverMedia DVD EZMaker 7

Mauro Carvalho Chehab <[email protected]>
media: v4l2-compat-ioctl32: prevent go past max size

Johan Hovold <[email protected]>
backlight: tps65217_bl: Fix Device Tree node lookup

Johan Hovold <[email protected]>
backlight: max8925_bl: Fix Device Tree node lookup

Johan Hovold <[email protected]>
backlight: as3711_bl: Fix Device Tree node lookup

Silvio Cesare <[email protected]>
UBIFS: Fix potential integer overflow in allocation

Himanshu Madhani <[email protected]>
scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails

Geert Uytterhoeven <[email protected]>
time: Make sure jiffies_to_msecs() preserves non-zero time periods

Huacai Chen <[email protected]>
MIPS: io: Add barrier after register read in inX()

Mika Westerberg <[email protected]>
PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume

Tokunori Ikegami <[email protected]>
MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum

Joakim Tjernlund <[email protected]>
mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.

Joakim Tjernlund <[email protected]>
mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary

Joakim Tjernlund <[email protected]>
mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips

Joakim Tjernlund <[email protected]>
mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()

Tokunori Ikegami <[email protected]>
mtd: cfi_cmdset_0002: Change write buffer to check correct value

David Rivshin <[email protected]>
ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size

Mahesh Salgaonkar <[email protected]>
powerpc/fadump: Unregister fadump on kexec down path.

Michael Neuling <[email protected]>
powerpc/ptrace: Fix enforcement of DAWR constraints

Michael Neuling <[email protected]>
powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG

Aneesh Kumar K.V <[email protected]>
powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch

Tetsuo Handa <[email protected]>
fuse: don't keep dead fuse_conn at fuse_fill_super().

Miklos Szeredi <[email protected]>
fuse: atomic_o_trunc should truncate pagecache

Corey Minyard <[email protected]>
ipmi:bt: Set the timeout before doing a capabilities check

Mikulas Patocka <[email protected]>
branch-check: fix long->int truncation when profiling branches

Matthias Schiffer <[email protected]>
mips: ftrace: fix static function graph tracing

Alexander Sverdlin <[email protected]>
ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup

Alexander Sverdlin <[email protected]>
ASoC: cirrus: i2s: Fix LRCLK configuration

Srinivas Kandagatla <[email protected]>
ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it

Maxim Moseychuk <[email protected]>
usb: do not reset if a low-speed or full-speed device timed out

Eric W. Biederman <[email protected]>
signal/xtensa: Consistenly use SIGBUS in do_unaligned_user

Michael Schmitz <[email protected]>
m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()

Thadeu Lima de Souza Cascardo <[email protected]>
fs/binfmt_misc.c: do not allow offset overflow

Stefan Potyra <[email protected]>
w1: mxc_w1: Enable clock before calling clk_get_rate() on it

Hans de Goede <[email protected]>
libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk

Dan Carpenter <[email protected]>
libata: zpodd: small read overflow in eject_tray()

Colin Ian King <[email protected]>
libata: zpodd: make arrays cdb static, reduces object code size

Bo Chen <[email protected]>
ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()

Qu Wenruo <[email protected]>
btrfs: scrub: Don't use inode pages for device replace

Jan Kara <[email protected]>
ext4: fix fencepost error in check for inode count overflow during resize

Lukas Czerner <[email protected]>
ext4: update mtime in ext4_punch_hole even if no blocks are released

Eric Dumazet <[email protected]>
tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()

Łukasz Stelmach <[email protected]>
ARM: 8753/1: decompressor: add a missing parameter to the addruart macro

Helge Deller <[email protected]>
parisc: Move setup_profiling_timer() out of init section

Sekhar Nori <[email protected]>
ARM: davinci: board-dm646x-evm: set VPIF capture card name

Peter Rosin <[email protected]>
i2c: viperboard: return message count on master_xfer success

Peter Rosin <[email protected]>
i2c: pmcmsp: fix error return from master_xfer

Peter Rosin <[email protected]>
i2c: pmcmsp: return message count on master_xfer success

Russell King <[email protected]>
ARM: keystone: fix platform_domain_notifier array overrun

Daniel Glöckner <[email protected]>
usb: musb: fix remote wakeup racing with suspend

Mathieu Malaterre <[email protected]>
agp: uninorth: make two functions static

Jakob Unterwurzacher <[email protected]>
can: dev: increase bus-off message severity

Mathieu Malaterre <[email protected]>
driver core: add __printf verification to __ata_ehi_pushv_desc

Tomi Valkeinen <[email protected]>
drm/omap: fix possible NULL ref issue in tiler_reserve_2d

Ilan Peer <[email protected]>
mac80211: Adjust SAE authentication timeout

Peter Zijlstra <[email protected]>
kthread, sched/wait: Fix kthread_parkme() wait-loop

Helge Deller <[email protected]>
parisc: drivers.c: Fix section mismatches

Jim Gill <[email protected]>
scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts

Arnd Bergmann <[email protected]>
hexagon: export csum_partial_copy_nocheck

Arnd Bergmann <[email protected]>
hexagon: add memset_io() helper

Sekhar Nori <[email protected]>
ARM: davinci: board-dm355-evm: fix broken networking

John Fastabend <[email protected]>
bpf: fix uninitialized variable in bpf tools

[email protected] <[email protected]>
x86/cpu/intel: Add missing TLB cpuid values

Dag Moxnes <[email protected]>
rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp

Masami Hiramatsu <[email protected]>
selftests: ftrace: Add a testcase for multiple actions on trigger

Mark Rutland <[email protected]>
arm64: ptrace: remove addr_limit manipulation

Jingju Hou <[email protected]>
net: phy: marvell: clear wol event before setting it

Colin Ian King <[email protected]>
scsi: isci: Fix infinite loop in while loop

Baolin Wang <[email protected]>
parisc: time: Convert read_persistent_clock() to read_persistent_clock64()

Ben Hutchings <[email protected]>
drm/msm: Fix possible null dereference on failure of get_pages()

Chris Leech <[email protected]>
scsi: iscsi: respond to netlink with unicast when appropriate

Chengguang Xu <[email protected]>
isofs: fix potential memory leak in mount option parsing

Martin Schwidefsky <[email protected]>
s390/smsgiucv: disable SMSG on module unload

Sinan Kaya <[email protected]>
MIPS: io: Add barrier after register read in readX()

Amir Goldstein <[email protected]>
fsnotify: fix ignore mask logic in send_to_group()

Kevin Easton <[email protected]>
af_key: Always verify length of provided sadb_key

Jiri Olsa <[email protected]>
tools build: Fix Makefile(s) to properly invoke tools build

Jiri Olsa <[email protected]>
tools build: No need to make libapi for perf explicitly


-------------

Diffstat:

Makefile | 9 ++---
arch/arm/boot/compressed/head.S | 16 ++++----
arch/arm/include/asm/kgdb.h | 2 +-
arch/arm/mach-davinci/board-dm355-evm.c | 6 +++
arch/arm/mach-davinci/board-dm646x-evm.c | 3 +-
arch/arm/mach-keystone/pm_domain.c | 1 +
arch/arm64/kernel/ptrace.c | 6 ---
arch/hexagon/include/asm/io.h | 6 +++
arch/hexagon/lib/checksum.c | 1 +
arch/m68k/mm/kmap.c | 3 +-
arch/mips/bcm47xx/setup.c | 6 +++
arch/mips/include/asm/io.h | 4 ++
arch/mips/include/asm/mipsregs.h | 3 ++
arch/mips/kernel/mcount.S | 27 ++++++-------
arch/parisc/kernel/drivers.c | 7 ++--
arch/parisc/kernel/smp.c | 3 +-
arch/parisc/kernel/time.c | 2 +-
arch/powerpc/kernel/entry_64.S | 1 +
arch/powerpc/kernel/fadump.c | 3 ++
arch/powerpc/kernel/hw_breakpoint.c | 4 +-
arch/powerpc/kernel/ptrace.c | 1 +
arch/x86/kernel/cpu/intel.c | 3 ++
arch/xtensa/kernel/traps.c | 2 +-
drivers/ata/libata-core.c | 3 --
drivers/ata/libata-eh.c | 4 +-
drivers/ata/libata-zpodd.c | 4 +-
drivers/char/agp/uninorth-agp.c | 4 +-
drivers/char/ipmi/ipmi_bt_sm.c | 3 +-
drivers/gpu/drm/msm/msm_gem.c | 20 +++++-----
drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 ++-
drivers/i2c/busses/i2c-pmcmsp.c | 4 +-
drivers/i2c/busses/i2c-viperboard.c | 2 +-
drivers/md/dm-thin.c | 11 +++++-
drivers/media/dvb-core/dvb_frontend.c | 23 +++++++----
drivers/media/usb/cx231xx/cx231xx-cards.c | 3 ++
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
drivers/mtd/chips/cfi_cmdset_0002.c | 21 +++++-----
drivers/net/can/dev.c | 2 +-
drivers/net/phy/marvell.c | 9 +++++
drivers/pci/hotplug/pciehp.h | 2 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
drivers/pci/hotplug/pciehp_hpc.c | 13 ++++++-
drivers/s390/net/smsgiucv.c | 2 +-
drivers/scsi/isci/port_config.c | 3 +-
drivers/scsi/qla2xxx/qla_init.c | 3 +-
drivers/scsi/scsi_transport_iscsi.c | 29 ++++++++------
drivers/scsi/vmw_pvscsi.c | 2 +-
drivers/usb/core/hub.c | 4 +-
drivers/usb/musb/musb_host.c | 5 ++-
drivers/usb/musb/musb_host.h | 7 +++-
drivers/usb/musb/musb_virthub.c | 25 +++++++-----
drivers/video/backlight/as3711_bl.c | 33 +++++++++++-----
drivers/video/backlight/max8925_bl.c | 4 +-
drivers/video/backlight/tps65217_bl.c | 4 +-
drivers/video/fbdev/uvesafb.c | 3 +-
drivers/w1/masters/mxc_w1.c | 20 ++++++----
drivers/xen/events/events_base.c | 2 -
fs/binfmt_misc.c | 12 ++++--
fs/btrfs/scrub.c | 2 +-
fs/ext4/inode.c | 36 ++++++++---------
fs/ext4/resize.c | 2 +-
fs/fuse/dir.c | 13 ++++++-
fs/fuse/inode.c | 1 +
fs/isofs/inode.c | 3 ++
fs/nfsd/nfs4xdr.c | 5 ++-
fs/notify/fsnotify.c | 25 ++++++------
fs/ubifs/journal.c | 2 +-
fs/udf/directory.c | 3 ++
include/linux/blkdev.h | 4 +-
include/linux/compiler.h | 2 +-
kernel/kthread.c | 7 ++--
kernel/time/time.c | 6 ++-
net/ipv4/tcp_input.c | 2 +-
net/key/af_key.c | 45 +++++++++++++++++-----
net/mac80211/mlme.c | 25 ++++++++----
net/rds/ib_cm.c | 3 +-
sound/pci/hda/hda_controller.c | 4 +-
sound/soc/cirrus/edb93xx.c | 2 +-
sound/soc/cirrus/ep93xx-i2s.c | 26 +++++++------
sound/soc/cirrus/snappercl15.c | 2 +-
sound/soc/soc-dapm.c | 2 +
tools/Makefile | 20 +++++++---
tools/net/bpf_dbg.c | 7 +++-
.../inter-event/trigger-multi-actions-accept.tc | 44 +++++++++++++++++++++
84 files changed, 472 insertions(+), 236 deletions(-)




2018-07-01 16:12:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 01/85] tools build: No need to make libapi for perf explicitly

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <[email protected]>

commit 379a9a28a1b4364ab08fec35c84d39cf4995c509 upstream.

The perf build handles its dependencies by itself.

Also renaming libapi libapikfs to libapi as it got
changed just recently.

Signed-off-by: Jiri Olsa <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Norris <[email protected]>
Cc: David Ahern <[email protected]>
Cc: David Howells <[email protected]>
Cc: Michal Marek <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Paul Mackerras <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Sam Ravnborg <[email protected]>
Cc: [email protected]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Cc: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
tools/Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/tools/Makefile
+++ b/tools/Makefile
@@ -51,10 +51,10 @@ cgroup firewire hv guest usb virtio vm n
liblockdep: FORCE
$(call descend,lib/lockdep)

-libapikfs: FORCE
+libapi: FORCE
$(call descend,lib/api)

-perf: libapikfs FORCE
+perf: FORCE
$(call descend,$@)

selftests: FORCE
@@ -106,10 +106,10 @@ cgroup_clean hv_clean firewire_clean lgu
liblockdep_clean:
$(call descend,lib/lockdep,clean)

-libapikfs_clean:
+libapi_clean:
$(call descend,lib/api,clean)

-perf_clean: libapikfs_clean
+perf_clean:
$(call descend,$(@:_clean=),clean)

selftests_clean:



2018-07-01 16:12:36

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 12/85] net: phy: marvell: clear wol event before setting it

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jingju Hou <[email protected]>

[ Upstream commit b6a930fa88083b41d26ddf1cab95cbd740936c22 ]

If WOL event happened once, the LED[2] interrupt pin will not be
cleared unless we read the CSISR register. If interrupts are in use,
the normal interrupt handling will clear the WOL event. Let's clear the
WOL event before enabling it if !phy_interrupt_is_valid().

Signed-off-by: Jingju Hou <[email protected]>
Signed-off-by: Jisheng Zhang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/phy/marvell.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/net/phy/marvell.c
+++ b/drivers/net/phy/marvell.c
@@ -828,6 +828,15 @@ static int m88e1318_set_wol(struct phy_d
if (err < 0)
return err;

+ /* If WOL event happened once, the LED[2] interrupt pin
+ * will not be cleared unless we reading the interrupt status
+ * register. If interrupts are in use, the normal interrupt
+ * handling will clear the WOL event. Clear the WOL event
+ * before enabling it if !phy_interrupt_is_valid()
+ */
+ if (!phy_interrupt_is_valid(phydev))
+ phy_read(phydev, MII_M1011_IEVENT);
+
/* Enable the WOL interrupt */
temp = phy_read(phydev, MII_88E1318S_PHY_CSIER);
temp |= MII_88E1318S_PHY_CSIER_WOL_EIE;



2018-07-01 16:13:17

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 16/85] x86/cpu/intel: Add missing TLB cpuid values

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: "[email protected]" <[email protected]>

[ Upstream commit b837913fc2d9061bf9b8c0dd6bf2d24e2f98b84a ]

Make kernel print the correct number of TLB entries on Intel Xeon Phi 7210
(and others)

Before:
[ 0.320005] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
After:
[ 0.320005] Last level dTLB entries: 4KB 256, 2MB 128, 4MB 128, 1GB 16

The entries do exist in the official Intel SMD but the type column there is
incorrect (states "Cache" where it should read "TLB"), but the entries for
the values 0x6B, 0x6C and 0x6D are correctly described as 'Data TLB'.

Signed-off-by: Jacek Tomaka <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/x86/kernel/cpu/intel.c | 3 +++
1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -561,6 +561,9 @@ static const struct _tlb_table intel_tlb
{ 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" },
{ 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" },
{ 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" },
+ { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" },
+ { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" },
+ { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" },
{ 0x76, TLB_INST_2M_4M, 8, " TLB_INST 2-MByte or 4-MByte pages, fully associative" },
{ 0xb0, TLB_INST_4K, 128, " TLB_INST 4 KByte pages, 4-way set associative" },
{ 0xb1, TLB_INST_2M_4M, 4, " TLB_INST 2M pages, 4-way, 8 entries or 4M pages, 4-way entries" },



2018-07-01 16:13:27

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 31/85] i2c: pmcmsp: return message count on master_xfer success

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Rosin <[email protected]>

[ Upstream commit de9a8634f1cb4560a35696d472cc7f1383d9b866 ]

Returning zero is wrong in this case.

Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver")
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/i2c/busses/i2c-pmcmsp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-pmcmsp.c
+++ b/drivers/i2c/busses/i2c-pmcmsp.c
@@ -595,7 +595,7 @@ static int pmcmsptwi_master_xfer(struct
return -1;
}

- return 0;
+ return num;
}

static u32 pmcmsptwi_i2c_func(struct i2c_adapter *adapter)



2018-07-01 16:13:33

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 33/85] i2c: viperboard: return message count on master_xfer success

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Rosin <[email protected]>

[ Upstream commit 35cd67a0caf767aba472452865dcb4471fcce2b1 ]

Returning zero is wrong in this case.

Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver")
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/i2c/busses/i2c-viperboard.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-viperboard.c
+++ b/drivers/i2c/busses/i2c-viperboard.c
@@ -341,7 +341,7 @@ static int vprbrd_i2c_xfer(struct i2c_ad
}
mutex_unlock(&vb->lock);
}
- return 0;
+ return num;
error:
mutex_unlock(&vb->lock);
return error;



2018-07-01 16:13:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 32/85] i2c: pmcmsp: fix error return from master_xfer

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Rosin <[email protected]>

[ Upstream commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b ]

Returning -1 (-EPERM) is not appropriate here, go with -EIO.

Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver")
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/i2c/busses/i2c-pmcmsp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-pmcmsp.c
+++ b/drivers/i2c/busses/i2c-pmcmsp.c
@@ -592,7 +592,7 @@ static int pmcmsptwi_master_xfer(struct
* TODO: We could potentially loop and retry in the case
* of MSP_TWI_XFER_TIMEOUT.
*/
- return -1;
+ return -EIO;
}

return num;



2018-07-01 16:13:43

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 35/85] parisc: Move setup_profiling_timer() out of init section

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <[email protected]>

[ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ]

No other architecture has setup_profiling_timer() in the init section,
thus on parisc we face this section mismatch warning:
Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer()

Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/parisc/kernel/smp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/parisc/kernel/smp.c
+++ b/arch/parisc/kernel/smp.c
@@ -422,8 +422,7 @@ int __cpu_up(unsigned int cpu, struct ta
}

#ifdef CONFIG_PROC_FS
-int __init
-setup_profiling_timer(unsigned int multiplier)
+int setup_profiling_timer(unsigned int multiplier)
{
return -EINVAL;
}



2018-07-01 16:13:52

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 37/85] tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 02db55718d53f9d426cee504c27fb768e9ed4ffe upstream.

While rcvbuf is properly clamped by tcp_rmem[2], rcvwin
is left to a potentially too big value.

It has no serious effect, since :
1) tcp_grow_window() has very strict checks.
2) window_clamp can be mangled by user space to any value anyway.

tcp_init_buffer_space() and companions use tcp_full_space(),
we use tcp_win_from_space() to avoid reloading sk->sk_rcvbuf

Signed-off-by: Eric Dumazet <[email protected]>
Acked-by: Soheil Hassas Yeganeh <[email protected]>
Acked-by: Wei Wang <[email protected]>
Acked-by: Neal Cardwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Benjamin Gilbert <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/tcp_input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -605,7 +605,7 @@ void tcp_rcv_space_adjust(struct sock *s
sk->sk_rcvbuf = rcvbuf;

/* Make the window clamp follow along. */
- tp->window_clamp = rcvwin;
+ tp->window_clamp = tcp_win_from_space(rcvbuf);
}
}
tp->rcvq_space.space = copied;



2018-07-01 16:14:02

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 18/85] ARM: davinci: board-dm355-evm: fix broken networking

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sekhar Nori <[email protected]>

[ Upstream commit 5c054de228dd6d97bf8e38962bd118953b66e5a0 ]

Since commit 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all
error conditions of dm9000_parse_dt()"), passing either non-NULL
platform data or device-tree for dm9000 driver to probe is
mandatory.

DM335 board was using none, so networking failed to initialize.
Fix it by passing non-NULL (but empty) platform data.

Fixes: 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all error conditions of dm9000_parse_dt()")
Signed-off-by: Sekhar Nori <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/arm/mach-davinci/board-dm355-evm.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/arch/arm/mach-davinci/board-dm355-evm.c
+++ b/arch/arm/mach-davinci/board-dm355-evm.c
@@ -18,6 +18,7 @@
#include <linux/i2c.h>
#include <linux/gpio.h>
#include <linux/clk.h>
+#include <linux/dm9000.h>
#include <linux/videodev2.h>
#include <media/tvp514x.h>
#include <linux/spi/spi.h>
@@ -170,11 +171,16 @@ static struct resource dm355evm_dm9000_r
},
};

+static struct dm9000_plat_data dm335evm_dm9000_platdata;
+
static struct platform_device dm355evm_dm9000 = {
.name = "dm9000",
.id = -1,
.resource = dm355evm_dm9000_rsrc,
.num_resources = ARRAY_SIZE(dm355evm_dm9000_rsrc),
+ .dev = {
+ .platform_data = &dm335evm_dm9000_platdata,
+ },
};

static struct tvp514x_platform_data tvp5146_pdata = {



2018-07-01 16:14:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 27/85] can: dev: increase bus-off message severity

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jakob Unterwurzacher <[email protected]>

[ Upstream commit 71c23a821c6bcacba71a094efe49ee689605906b ]

bus-off is usually caused by hardware malfunction or configuration error
(baud rate mismatch) and causes a complete loss of communication.

Increase the "bus-off" message's severity from netdev_dbg() to
netdev_info() to make it visible to the user.

A can interface going into bus-off is similar in severity to ethernet's
"Link is Down" message, which is also printed at info level.

It is debatable whether the the "restarted" message should also be
changed to netdev_info() to make the interface state changes
comprehensible from the kernel log. I have chosen to keep the
"restarted" message at dbg for now as the "bus-off" message should be
enough for the user to notice and investigate the problem.

Signed-off-by: Jakob Unterwurzacher <[email protected]>
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/can/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -471,7 +471,7 @@ void can_bus_off(struct net_device *dev)
{
struct can_priv *priv = netdev_priv(dev);

- netdev_dbg(dev, "bus-off\n");
+ netdev_info(dev, "bus-off\n");

netif_carrier_off(dev);
priv->can_stats.bus_off++;



2018-07-01 16:14:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 47/85] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Schmitz <[email protected]>

commit 3f90f9ef2dda316d64e420d5d51ba369587ccc55 upstream.

If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap
between mappings which is added to the vm_struct representing the
mapping. __ioremap() uses the actual requested size (after alignment),
while __iounmap() is passed the size from the vm_struct.

On 020/030, early termination descriptors are used to set up mappings of
extent 'size', which are validated on unmapping. The unmapped gap of
size IO_SIZE defeats the sanity check of the pmd tables, causing
__iounmap() to loop forever on 030.

On 040/060, unmapping of page table entries does not check for a valid
mapping, so the umapping loop always completes there.

Adjust size to be unmapped by the gap that had been added in the
vm_struct prior.

This fixes the hang in atari_platform_init() reported a long time ago,
and a similar one reported by Finn recently (addressed by removing
ioremap() use from the SWIM driver.

Tested on my Falcon in 030 mode - untested but should work the same on
040/060 (the extra page tables cleared there would never have been set
up anyway).

Signed-off-by: Michael Schmitz <[email protected]>
[geert: Minor commit description improvements]
[geert: This was fixed in 2.4.23, but not in 2.5.x]
Signed-off-by: Geert Uytterhoeven <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/m68k/mm/kmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/m68k/mm/kmap.c
+++ b/arch/m68k/mm/kmap.c
@@ -88,7 +88,8 @@ static inline void free_io_area(void *ad
for (p = &iolist ; (tmp = *p) ; p = &tmp->next) {
if (tmp->addr == addr) {
*p = tmp->next;
- __iounmap(tmp->addr, tmp->size);
+ /* remove gap added in get_io_area() */
+ __iounmap(tmp->addr, tmp->size - IO_SIZE);
kfree(tmp);
return;
}



2018-07-01 16:14:44

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 38/85] ext4: update mtime in ext4_punch_hole even if no blocks are released

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <[email protected]>

commit eee597ac931305eff3d3fd1d61d6aae553bc0984 upstream.

Currently in ext4_punch_hole we're going to skip the mtime update if
there are no actual blocks to release. However we've actually modified
the file by zeroing the partial block so the mtime should be updated.

Moreover the sync and datasync handling is skipped as well, which is
also wrong. Fix it.

Signed-off-by: Lukas Czerner <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Reported-by: Joe Habermann <[email protected]>
Cc: <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ext4/inode.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3531,28 +3531,28 @@ int ext4_punch_hole(struct inode *inode,
EXT4_BLOCK_SIZE_BITS(sb);
stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);

- /* If there are no blocks to remove, return now */
- if (first_block >= stop_block)
- goto out_stop;
-
- down_write(&EXT4_I(inode)->i_data_sem);
- ext4_discard_preallocations(inode);
-
- ret = ext4_es_remove_extent(inode, first_block,
- stop_block - first_block);
- if (ret) {
- up_write(&EXT4_I(inode)->i_data_sem);
- goto out_stop;
- }
+ /* If there are blocks to remove, do it */
+ if (stop_block > first_block) {
+
+ down_write(&EXT4_I(inode)->i_data_sem);
+ ext4_discard_preallocations(inode);

- if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
- ret = ext4_ext_remove_space(inode, first_block,
- stop_block - 1);
- else
- ret = ext4_ind_remove_space(handle, inode, first_block,
- stop_block);
+ ret = ext4_es_remove_extent(inode, first_block,
+ stop_block - first_block);
+ if (ret) {
+ up_write(&EXT4_I(inode)->i_data_sem);
+ goto out_stop;
+ }
+
+ if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+ ret = ext4_ext_remove_space(inode, first_block,
+ stop_block - 1);
+ else
+ ret = ext4_ind_remove_space(handle, inode, first_block,
+ stop_block);

- up_write(&EXT4_I(inode)->i_data_sem);
+ up_write(&EXT4_I(inode)->i_data_sem);
+ }
if (IS_SYNC(inode))
ext4_handle_sync(handle);




2018-07-01 16:14:49

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 50/85] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <[email protected]>

commit ff2faf1289c1f81b5b26b9451dd1c2006aac8db8 upstream.

dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
paths pointer dangling in the list.

This leads to system crash when we try to unload and reload sound card.
I hit this bug during ADSP crash/reboot test case on Dragon board DB410c.

Without this patch, on SLAB Poisoning enabled build, kernel crashes with
"BUG kmalloc-128 (Tainted: G W ): Poison overwritten"

Signed-off-by: Srinivas Kandagatla <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/soc/soc-dapm.c | 2 ++
1 file changed, 2 insertions(+)

--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -254,6 +254,8 @@ static int dapm_kcontrol_data_alloc(stru
static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
{
struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
+
+ list_del(&data->paths);
kfree(data->wlist);
kfree(data);
}



2018-07-01 16:15:12

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 21/85] scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jim Gill <[email protected]>

[ Upstream commit f4b024271ae3e9786e5d6f1c05b01b57a74e1d6d ]

The vmw_pvscsi driver returns DID_ABORT for commands aborted internally
by the adapter, leading to the filesystem going read-only. Change the
result to DID_BUS_BUSY, causing the kernel to retry the command.

Signed-off-by: Jim Gill <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/scsi/vmw_pvscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/vmw_pvscsi.c
+++ b/drivers/scsi/vmw_pvscsi.c
@@ -615,7 +615,7 @@ static void pvscsi_complete_request(stru
break;

case BTSTAT_ABORTQUEUE:
- cmd->result = (DID_ABORT << 16);
+ cmd->result = (DID_BUS_BUSY << 16);
break;

case BTSTAT_SCSIPARITY:



2018-07-01 16:15:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 69/85] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <[email protected]>

commit 13c65840feab8109194f9490c9870587173cb29d upstream.

After a suspend/resume cycle the Presence Detect or Data Link Layer Status
Changed bits might be set. If we don't clear them those events will not
fire anymore and nothing happens for instance when a device is now
hot-unplugged.

Fix this by clearing those bits in a newly introduced function
pcie_reenable_notification(). This should be fine because immediately
after, we check if the adapter is still present by reading directly from
the status register.

Signed-off-by: Mika Westerberg <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Reviewed-by: Rafael J. Wysocki <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/pci/hotplug/pciehp.h | 2 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
drivers/pci/hotplug/pciehp_hpc.c | 13 ++++++++++++-
3 files changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/pci/hotplug/pciehp.h
+++ b/drivers/pci/hotplug/pciehp.h
@@ -144,7 +144,7 @@ struct controller *pcie_init(struct pcie
int pcie_init_notification(struct controller *ctrl);
int pciehp_enable_slot(struct slot *p_slot);
int pciehp_disable_slot(struct slot *p_slot);
-void pcie_enable_notification(struct controller *ctrl);
+void pcie_reenable_notification(struct controller *ctrl);
int pciehp_power_on_slot(struct slot *slot);
void pciehp_power_off_slot(struct slot *slot);
void pciehp_get_power_status(struct slot *slot, u8 *status);
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -332,7 +332,7 @@ static int pciehp_resume(struct pcie_dev
ctrl = get_service_data(dev);

/* reinitialize the chipset's event detection logic */
- pcie_enable_notification(ctrl);
+ pcie_reenable_notification(ctrl);

slot = ctrl->slot;

--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -602,7 +602,7 @@ static irqreturn_t pcie_isr(int irq, voi
return IRQ_HANDLED;
}

-void pcie_enable_notification(struct controller *ctrl)
+static void pcie_enable_notification(struct controller *ctrl)
{
u16 cmd, mask;

@@ -642,6 +642,17 @@ void pcie_enable_notification(struct con
pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd);
}

+void pcie_reenable_notification(struct controller *ctrl)
+{
+ /*
+ * Clear both Presence and Data Link Layer Changed to make sure
+ * those events still fire after we have re-enabled them.
+ */
+ pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
+ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
+ pcie_enable_notification(ctrl);
+}
+
static void pcie_disable_notification(struct controller *ctrl)
{
u16 mask;



2018-07-01 16:15:51

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 51/85] ASoC: cirrus: i2s: Fix LRCLK configuration

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <[email protected]>

commit 2d534113be9a2aa532a1ae127a57e83558aed358 upstream.

The bit responsible for LRCLK polarity is i2s_tlrs (0), not i2s_trel (2)
(refer to "EP93xx User's Guide").

Previously card drivers which specified SND_SOC_DAIFMT_NB_IF actually got
SND_SOC_DAIFMT_NB_NF, an adaptation is necessary to retain the old
behavior.

Signed-off-by: Alexander Sverdlin <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/soc/cirrus/edb93xx.c | 2 +-
sound/soc/cirrus/ep93xx-i2s.c | 8 ++++----
sound/soc/cirrus/snappercl15.c | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/cirrus/edb93xx.c
+++ b/sound/soc/cirrus/edb93xx.c
@@ -67,7 +67,7 @@ static struct snd_soc_dai_link edb93xx_d
.cpu_dai_name = "ep93xx-i2s",
.codec_name = "spi0.0",
.codec_dai_name = "cs4271-hifi",
- .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+ .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
SND_SOC_DAIFMT_CBS_CFS,
.ops = &edb93xx_ops,
};
--- a/sound/soc/cirrus/ep93xx-i2s.c
+++ b/sound/soc/cirrus/ep93xx-i2s.c
@@ -213,24 +213,24 @@ static int ep93xx_i2s_set_dai_fmt(struct
switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
case SND_SOC_DAIFMT_NB_NF:
/* Negative bit clock, lrclk low on left word */
- clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL);
+ clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS);
break;

case SND_SOC_DAIFMT_NB_IF:
/* Negative bit clock, lrclk low on right word */
clk_cfg &= ~EP93XX_I2S_CLKCFG_CKP;
- clk_cfg |= EP93XX_I2S_CLKCFG_REL;
+ clk_cfg |= EP93XX_I2S_CLKCFG_LRS;
break;

case SND_SOC_DAIFMT_IB_NF:
/* Positive bit clock, lrclk low on left word */
clk_cfg |= EP93XX_I2S_CLKCFG_CKP;
- clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_LRS;
break;

case SND_SOC_DAIFMT_IB_IF:
/* Positive bit clock, lrclk low on right word */
- clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL;
+ clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS;
break;
}

--- a/sound/soc/cirrus/snappercl15.c
+++ b/sound/soc/cirrus/snappercl15.c
@@ -72,7 +72,7 @@ static struct snd_soc_dai_link snappercl
.codec_dai_name = "tlv320aic23-hifi",
.codec_name = "tlv320aic23-codec.0-001a",
.platform_name = "ep93xx-i2s",
- .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+ .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
SND_SOC_DAIFMT_CBS_CFS,
.ops = &snappercl15_ops,
};



2018-07-01 16:15:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 75/85] backlight: max8925_bl: Fix Device Tree node lookup

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed,
while the child backlight node was leaked.

Cc: stable <[email protected]> # 3.9
Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight")
Signed-off-by: Johan Hovold <[email protected]>
Acked-by: Daniel Thompson <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/video/backlight/max8925_bl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/video/backlight/max8925_bl.c
+++ b/drivers/video/backlight/max8925_bl.c
@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(st
if (!pdata)
return;

- np = of_find_node_by_name(nproot, "backlight");
+ np = of_get_child_by_name(nproot, "backlight");
if (!np) {
dev_err(&pdev->dev, "failed to find backlight node\n");
return;
@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(st
if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
pdata->dual_string = val;

+ of_node_put(np);
+
pdev->dev.platform_data = pdata;
}




2018-07-01 16:15:55

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 83/85] udf: Detect incorrect directory size

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream.

Detect when a directory entry is (possibly partially) beyond directory
size and return EIO in that case since it means the filesystem is
corrupted. Otherwise directory operations can further corrupt the
directory and possibly also oops the kernel.

CC: Anatoly Trosinenko <[email protected]>
CC: [email protected]
Reported-and-tested-by: Anatoly Trosinenko <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/udf/directory.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -151,6 +151,9 @@ struct fileIdentDesc *udf_fileident_read
sizeof(struct fileIdentDesc));
}
}
+ /* Got last entry outside of dir size - fs is corrupted! */
+ if (*nf_pos > dir->i_size)
+ return NULL;
return fi;
}




2018-07-01 16:15:55

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 79/85] media: dvb_frontend: fix locking issues at dvb_frontend_get_event()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <[email protected]>

commit 76d81243a487c09619822ef8e7201a756e58a87d upstream.

As warned by smatch:
drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
Locked on: line 288
line 295
line 306
line 314
Unlocked on: line 303

The lock implementation for get event is wrong, as, if an
interrupt occurs, down_interruptible() will fail, and the
routine will call up() twice when userspace calls the ioctl
again.

The bad code is there since when Linux migrated to git, in
2005.

Cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/dvb-core/dvb_frontend.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -224,8 +224,20 @@ static void dvb_frontend_add_event(struc
wake_up_interruptible (&events->wait_queue);
}

+static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv,
+ struct dvb_fe_events *events)
+{
+ int ret;
+
+ up(&fepriv->sem);
+ ret = events->eventw != events->eventr;
+ down(&fepriv->sem);
+
+ return ret;
+}
+
static int dvb_frontend_get_event(struct dvb_frontend *fe,
- struct dvb_frontend_event *event, int flags)
+ struct dvb_frontend_event *event, int flags)
{
struct dvb_frontend_private *fepriv = fe->frontend_priv;
struct dvb_fe_events *events = &fepriv->events;
@@ -243,13 +255,8 @@ static int dvb_frontend_get_event(struct
if (flags & O_NONBLOCK)
return -EWOULDBLOCK;

- up(&fepriv->sem);
-
- ret = wait_event_interruptible (events->wait_queue,
- events->eventw != events->eventr);
-
- if (down_interruptible (&fepriv->sem))
- return -ERESTARTSYS;
+ ret = wait_event_interruptible(events->wait_queue,
+ dvb_frontend_test_event(fepriv, events));

if (ret < 0)
return ret;



2018-07-01 16:16:03

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 72/85] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <[email protected]>

commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.

This patch prevents driver from setting lower default speed of 1 GB/sec,
if the switch does not support Get Port Speed Capabilities (GPSC)
command. Setting this default speed results into much lower write
performance for large sequential WRITE. This patch modifies driver to
check for gpsc_supported flags and prevents driver from issuing
MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
does not send this mailbox command, firmware assumes maximum supported
link speed and will operate at the max speed.

Cc: [email protected]
Signed-off-by: Himanshu Madhani <[email protected]>
Reported-by: Eda Zhou <[email protected]>
Reviewed-by: Ewan D. Milne <[email protected]>
Tested-by: Ewan D. Milne <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/scsi/qla2xxx/qla_init.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -3212,7 +3212,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vh
return;

if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
- fcport->fp_speed > ha->link_data_rate)
+ fcport->fp_speed > ha->link_data_rate ||
+ !ha->flags.gpsc_supported)
return;

rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,



2018-07-01 16:16:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 65/85] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <[email protected]>

commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.

cfi_ppb_unlock() tries to relock all sectors that were locked before
unlocking the whole chip.
This locking used the chip start address + the FULL offset from the
first flash chip, thereby forming an illegal address. Fix that by using
the chip offset(adr).

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: [email protected]
Signed-off-by: Joakim Tjernlund <[email protected]>
Signed-off-by: Boris Brezillon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2533,7 +2533,7 @@ static int cfi_atmel_unlock(struct mtd_i

struct ppb_lock {
struct flchip *chip;
- loff_t offset;
+ unsigned long adr;
int locked;
};

@@ -2669,7 +2669,7 @@ static int __maybe_unused cfi_ppb_unlock
*/
if ((adr < ofs) || (adr >= (ofs + len))) {
sect[sectors].chip = &cfi->chips[chipnum];
- sect[sectors].offset = offset;
+ sect[sectors].adr = adr;
sect[sectors].locked = do_ppb_xxlock(
map, &cfi->chips[chipnum], adr, 0,
DO_XXLOCK_ONEBLOCK_GETLOCK);
@@ -2713,7 +2713,7 @@ static int __maybe_unused cfi_ppb_unlock
*/
for (i = 0; i < sectors; i++) {
if (sect[i].locked)
- do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
+ do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
DO_XXLOCK_ONEBLOCK_LOCK);
}




2018-07-01 16:17:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 54/85] branch-check: fix long->int truncation when profiling branches

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <[email protected]>

commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.

The function __builtin_expect returns long type (see the gcc
documentation), and so do macros likely and unlikely. Unfortunatelly, when
CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
unlikely expand to __branch_check__ and __branch_check__ truncates the
long type to int. This unintended truncation may cause bugs in various
kernel code (we found a bug in dm-writecache because of it), so it's
better to fix __branch_check__ to return long.

Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com

Cc: Ingo Molnar <[email protected]>
Cc: [email protected]
Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
Signed-off-by: Mikulas Patocka <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/compiler.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -105,7 +105,7 @@ void ftrace_likely_update(struct ftrace_
#define unlikely_notrace(x) __builtin_expect(!!(x), 0)

#define __branch_check__(x, expect) ({ \
- int ______r; \
+ long ______r; \
static struct ftrace_branch_data \
__attribute__((__aligned__(4))) \
__attribute__((section("_ftrace_annotated_branch"))) \



2018-07-01 18:02:54

by Helge Deller

[permalink] [raw]
Subject: Re: [PATCH 3.18 35/85] parisc: Move setup_profiling_timer() out of init section

Hi Greg,

On 01.07.2018 18:01, Greg Kroah-Hartman wrote:
> 3.18-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Helge Deller <[email protected]>
>
> [ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ]

I wonder how this patch and patch #22 ([PATCH 3.18 22/85] parisc: drivers.c: Fix section mismatches)
reached the stable trees?
I haven't tagged upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 or
b819439fea305a0bfd6ca23a7994fd1a8847c0d8 for backport.

Anyway, I'd suggest not to apply both.
I haven't tested them in those old kernels....

Helge


> No other architecture has setup_profiling_timer() in the init section,
> thus on parisc we face this section mismatch warning:
> Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer()
>
> Signed-off-by: Helge Deller <[email protected]>
> Signed-off-by: Sasha Levin <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> ---
> arch/parisc/kernel/smp.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> --- a/arch/parisc/kernel/smp.c
> +++ b/arch/parisc/kernel/smp.c
> @@ -422,8 +422,7 @@ int __cpu_up(unsigned int cpu, struct ta
> }
>
> #ifdef CONFIG_PROC_FS
> -int __init
> -setup_profiling_timer(unsigned int multiplier)
> +int setup_profiling_timer(unsigned int multiplier)
> {
> return -EINVAL;
> }
>
>


2018-07-01 18:38:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 61/85] powerpc/fadump: Unregister fadump on kexec down path.

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <[email protected]>

commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.

Unregister fadump on kexec down path otherwise the fadump registration
in new kexec-ed kernel complains that fadump is already registered.
This makes new kernel to continue using fadump registered by previous
kernel which may lead to invalid vmcore generation. Hence this patch
fixes this issue by un-registering fadump in fadump_cleanup() which is
called during kexec path so that new kernel can register fadump with
new valid values.

Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
Cc: [email protected] # v3.4+
Signed-off-by: Mahesh Salgaonkar <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/kernel/fadump.c | 3 +++
1 file changed, 3 insertions(+)

--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1025,6 +1025,9 @@ void fadump_cleanup(void)
init_fadump_mem_struct(&fdm,
be64_to_cpu(fdm_active->cpu_state_data.destination_address));
fadump_invalidate_dump(&fdm);
+ } else if (fw_dump.dump_registered) {
+ /* Un-register Firmware-assisted dump if it was registered. */
+ fadump_unregister_dump(&fdm);
}
}




2018-07-01 18:38:17

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 63/85] mtd: cfi_cmdset_0002: Change write buffer to check correct value

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <[email protected]>

commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream.

For the word write it is checked if the chip has the correct value.
But it is not checked for the write buffer as only checked if ready.
To make sure for the write buffer change to check the value.

It is enough as this patch is only checking the last written word.
Since it is described by data sheets to check the operation status.

Signed-off-by: Tokunori Ikegami <[email protected]>
Reviewed-by: Joakim Tjernlund <[email protected]>
Cc: Chris Packham <[email protected]>
Cc: Brian Norris <[email protected]>
Cc: David Woodhouse <[email protected]>
Cc: Boris Brezillon <[email protected]>
Cc: Marek Vasut <[email protected]>
Cc: Richard Weinberger <[email protected]>
Cc: Cyrille Pitchen <[email protected]>
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Boris Brezillon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -1878,7 +1878,7 @@ static int __xipram do_write_buffer(stru
if (time_after(jiffies, timeo) && !chip_ready(map, adr))
break;

- if (chip_ready(map, adr)) {
+ if (chip_good(map, adr, datum)) {
xip_enable(map, chip, adr);
goto op_done;
}



2018-07-01 18:38:26

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 58/85] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Aneesh Kumar K.V <[email protected]>

commit 91d06971881f71d945910de128658038513d1b24 upstream.

Currently we do not have an isync, or any other context synchronizing
instruction prior to the slbie/slbmte in _switch() that updates the
SLB entry for the kernel stack.

However that is not correct as outlined in the ISA.

>From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:

"Changing the contents of ... the contents of SLB entries ... can
have the side effect of altering the context in which data
addresses and instruction addresses are interpreted, and in which
instructions are executed and data accesses are performed.
...
These side effects need not occur in program order, and therefore
may require explicit synchronization by software.
...
The synchronizing instruction before the context-altering
instruction ensures that all instructions up to and including that
synchronizing instruction are fetched and executed in the context
that existed before the alteration."

And page 1136:

"For data accesses, the context synchronizing instruction before the
slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
that all preceding instructions that access data storage have
completed to a point at which they have reported all exceptions
they will cause."

We're not aware of any bugs caused by this, but it should be fixed
regardless.

Add the missing isync when updating kernel stack SLB entry.

Cc: [email protected]
Signed-off-by: Aneesh Kumar K.V <[email protected]>
[mpe: Flesh out change log with more ISA text & explanation]
Signed-off-by: Michael Ellerman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/kernel/entry_64.S | 1 +
1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -521,6 +521,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG
* actually hit this code path.
*/

+ isync
slbie r6
slbie r6 /* Workaround POWER5 < DD2.1 issue */
slbmte r7,r0



2018-07-01 18:38:39

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 62/85] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Rivshin <[email protected]>

commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.

NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
is the number of total registers, while GDB_MAX_REGS is the number
of 'unsigned longs' it takes to serialize those registers. Since
FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
smaller than GDB_MAX_REGS.

This causes GDB 8.0 give the following error on connect:
"Truncated register 19 in remote 'g' packet"

This also causes the register serialization/deserialization logic
to overflow gdb_regs[], overwriting whatever follows.

Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
Cc: <[email protected]> # 2.6.37+
Signed-off-by: David Rivshin <[email protected]>
Acked-by: Rabin Vincent <[email protected]>
Tested-by: Daniel Thompson <[email protected]>
Signed-off-by: Russell King <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/arm/include/asm/kgdb.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/include/asm/kgdb.h
+++ b/arch/arm/include/asm/kgdb.h
@@ -76,7 +76,7 @@ extern int kgdb_fault_expected;

#define KGDB_MAX_NO_CPUS 1
#define BUFMAX 400
-#define NUMREGBYTES (DBG_MAX_REG_NUM << 2)
+#define NUMREGBYTES (GDB_MAX_REGS << 2)
#define NUMCRITREGBYTES (32 << 2)

#define _R0 0



2018-07-01 18:38:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 59/85] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Neuling <[email protected]>

commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.

In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
validating DAWR region end") we fixed setting the DAWR end point to
its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.

PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
zero (memset() in hw_breakpoint_init()). This worked with
arch_validate_hwbkpt_settings() before the above patch was applied but
is now broken if the breakpoint is 512byte aligned.

This sets the length of the breakpoint to 8 bytes when using
PTRACE_SET_DEBUGREG.

Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
Cc: [email protected] # v3.11+
Signed-off-by: Michael Neuling <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/kernel/ptrace.c | 1 +
1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1004,6 +1004,7 @@ static int ptrace_set_debugreg(struct ta
/* Create a new breakpoint request if one doesn't exist already */
hw_breakpoint_init(&attr);
attr.bp_addr = hw_brk.address;
+ attr.bp_len = 8;
arch_bp_generic_fields(hw_brk.type,
&attr.bp_type);




2018-07-01 18:39:05

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 60/85] powerpc/ptrace: Fix enforcement of DAWR constraints

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Neuling <[email protected]>

commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.

Back when we first introduced the DAWR, in commit 4ae7ebe9522a
("powerpc: Change hardware breakpoint to allow longer ranges"), we
screwed up the constraint making it a 1024 byte boundary rather than a
512. This makes the check overly permissive. Fortunately GDB is the
only real user and it always did they right thing, so we never
noticed.

This fixes the constraint to 512 bytes.

Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
Cc: [email protected] # v3.9+
Signed-off-by: Michael Neuling <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/kernel/hw_breakpoint.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/hw_breakpoint.c
+++ b/arch/powerpc/kernel/hw_breakpoint.c
@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct
if (cpu_has_feature(CPU_FTR_DAWR)) {
length_max = 512 ; /* 64 doublewords */
/* DAWR region can't cross 512 boundary */
- if ((bp->attr.bp_addr >> 10) !=
- ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
+ if ((bp->attr.bp_addr >> 9) !=
+ ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
return -EINVAL;
}
if (info->len >



2018-07-01 18:39:27

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 84/85] block: Fix transfer when chunk sectors exceeds max

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Keith Busch <[email protected]>

commit 15bfd21fbc5d35834b9ea383dc458a1f0c9e3434 upstream.

A device may have boundary restrictions where the number of sectors
between boundaries exceeds its max transfer size. In this case, we need
to cap the max size to the smaller of the two limits.

Reported-by: Jitendra Bhivare <[email protected]>
Tested-by: Jitendra Bhivare <[email protected]>
Cc: <[email protected]>
Reviewed-by: Martin K. Petersen <[email protected]>
Signed-off-by: Keith Busch <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/blkdev.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -919,8 +919,8 @@ static inline unsigned int blk_max_size_
if (!q->limits.chunk_sectors)
return q->limits.max_sectors;

- return q->limits.chunk_sectors -
- (offset & (q->limits.chunk_sectors - 1));
+ return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
+ (offset & (q->limits.chunk_sectors - 1))));
}

static inline unsigned int blk_rq_get_max_sectors(struct request *rq)



2018-07-01 18:39:55

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 57/85] fuse: dont keep dead fuse_conn at fuse_fill_super().

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <[email protected]>

commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.

syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
Since sb->s_fs_info field is not cleared after fc was released by
fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
already released fc and tries to hold the lock. Fix this by clearing
sb->s_fs_info field after calling fuse_conn_put().

[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db

Signed-off-by: Tetsuo Handa <[email protected]>
Reported-by: syzbot <[email protected]>
Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
Cc: John Muir <[email protected]>
Cc: Csaba Henk <[email protected]>
Cc: Anand Avati <[email protected]>
Cc: <[email protected]> # v2.6.31
Signed-off-by: Miklos Szeredi <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/fuse/inode.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1125,6 +1125,7 @@ static int fuse_fill_super(struct super_
err_put_conn:
fuse_bdi_destroy(fc);
fuse_conn_put(fc);
+ sb->s_fs_info = NULL;
err_fput:
fput(file);
err:



2018-07-01 18:40:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 85/85] dm thin: handle running out of data space vs concurrent discard

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <[email protected]>

commit a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3 upstream.

Discards issued to a DM thin device can complete to userspace (via
fstrim) _before_ the metadata changes associated with the discards is
reflected in the thinp superblock (e.g. free blocks). As such, if a
user constructs a test that loops repeatedly over these steps, block
allocation can fail due to discards not having completed yet:
1) fill thin device via filesystem file
2) remove file
3) fstrim

>From initial report, here:
https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html

"The root cause of this issue is that dm-thin will first remove
mapping and increase corresponding blocks' reference count to prevent
them from being reused before DISCARD bios get processed by the
underlying layers. However. increasing blocks' reference count could
also increase the nr_allocated_this_transaction in struct sm_disk
which makes smd->old_ll.nr_allocated +
smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
In this case, alloc_data_block() will never commit metadata to reset
the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
always return an underflow value."

While there is room for improvement to the space-map accounting that
thinp is making use of: the reality is this test is inherently racey and
will result in the previous iteration's fstrim's discard(s) completing
vs concurrent block allocation, via dd, in the next iteration of the
loop.

No amount of space map accounting improvements will be able to allow
user's to use a block before a discard of that block has completed.

So the best we can really do is allow DM thinp to gracefully handle such
aggressive use of all the pool's data by degrading the pool into
out-of-data-space (OODS) mode. We _should_ get that behaviour already
(if space map accounting didn't falsely cause alloc_data_block() to
believe free space was available).. but short of that we handle the
current reality that dm_pool_alloc_data_block() can return -ENOSPC.

Reported-by: Dennis Yang <[email protected]>
Cc: [email protected]
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/md/dm-thin.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -992,6 +992,8 @@ static void schedule_external_copy(struc

static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);

+static void requeue_bios(struct pool *pool);
+
static void check_for_space(struct pool *pool)
{
int r;
@@ -1004,8 +1006,10 @@ static void check_for_space(struct pool
if (r)
return;

- if (nr_free)
+ if (nr_free) {
set_pool_mode(pool, PM_WRITE);
+ requeue_bios(pool);
+ }
}

/*
@@ -1082,7 +1086,10 @@ static int alloc_data_block(struct thin_

r = dm_pool_alloc_data_block(pool->pmd, result);
if (r) {
- metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
+ if (r == -ENOSPC)
+ set_pool_mode(pool, PM_OUT_OF_DATA_SPACE);
+ else
+ metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
return r;
}




2018-07-01 18:40:51

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 81/85] video: uvesafb: Fix integer overflow in allocation

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713 upstream.

cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
allocation. This uses kmalloc_array() instead to catch the condition.

Reported-by: Dr Silvio Cesare of InfoSect <[email protected]>
Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core")
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/video/fbdev/uvesafb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/uvesafb.c
+++ b/drivers/video/fbdev/uvesafb.c
@@ -1059,7 +1059,8 @@ static int uvesafb_setcmap(struct fb_cma
info->cmap.len || cmap->start < info->cmap.start)
return -EINVAL;

- entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL);
+ entries = kmalloc_array(cmap->len, sizeof(*entries),
+ GFP_KERNEL);
if (!entries)
return -ENOMEM;




2018-07-01 18:41:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 78/85] media: cx231xx: Add support for AverMedia DVD EZMaker 7

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <[email protected]>

commit 29e61d6ef061b012d320327af7dbb3990e75be45 upstream.

User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER.
Add the device to the id_table to make it work.

BugLink: https://bugs.launchpad.net/bugs/1620762

Cc: [email protected]
Signed-off-by: Kai-Heng Feng <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/usb/cx231xx/cx231xx-cards.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -805,6 +805,9 @@ struct usb_device_id cx231xx_id_table[]
.driver_info = CX231XX_BOARD_CNXT_RDE_250},
{USB_DEVICE(0x0572, 0x58A0),
.driver_info = CX231XX_BOARD_CNXT_RDU_250},
+ /* AverMedia DVD EZMaker 7 */
+ {USB_DEVICE(0x07ca, 0xc039),
+ .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER},
{USB_DEVICE(0x2040, 0xb110),
.driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL},
{USB_DEVICE(0x2040, 0xb111),



2018-07-01 18:41:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 77/85] media: v4l2-compat-ioctl32: prevent go past max size

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <[email protected]>

commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.

As warned by smatch:
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'

The access_ok() logic should check for too big arrays too.

Cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -856,7 +856,7 @@ static int put_v4l2_ext_controls32(struc
get_user(kcontrols, &kp->controls))
return -EFAULT;

- if (!count)
+ if (!count || count > (U32_MAX/sizeof(*ucontrols)))
return 0;
if (get_user(p, &up->controls))
return -EFAULT;



2018-07-01 18:41:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 82/85] xen: Remove unnecessary BUG_ON from __unbind_from_irq()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <[email protected]>

commit eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff upstream.

Commit 910f8befdf5b ("xen/pirq: fix error path cleanup when binding
MSIs") fixed a couple of errors in error cleanup path of
xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
__unbind_from_irq() with an unbound irq, which would result in
triggering the BUG_ON there.

Since there is really no reason for the BUG_ON (xen_free_irq() can
operate on unbound irqs) we can remove it.

Reported-by: Ben Hutchings <[email protected]>
Signed-off-by: Boris Ostrovsky <[email protected]>
Cc: [email protected]
Reviewed-by: Juergen Gross <[email protected]>
Signed-off-by: Juergen Gross <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/xen/events/events_base.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -636,8 +636,6 @@ static void __unbind_from_irq(unsigned i
xen_irq_info_cleanup(info);
}

- BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND);
-
xen_free_irq(irq);
}




2018-07-01 18:41:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 73/85] UBIFS: Fix potential integer overflow in allocation

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Silvio Cesare <[email protected]>

commit 353748a359f1821ee934afc579cf04572406b420 upstream.

There is potential for the size and len fields in ubifs_data_node to be
too large causing either a negative value for the length fields or an
integer overflow leading to an incorrect memory allocation. Likewise,
when the len field is small, an integer underflow may occur.

Signed-off-by: Silvio Cesare <[email protected]>
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ubifs/journal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1101,7 +1101,7 @@ static int recomp_data_node(struct ubifs
int err, len, compr_type, out_len;

out_len = le32_to_cpu(dn->size);
- buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+ buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
if (!buf)
return -ENOMEM;




2018-07-01 18:41:54

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 80/85] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <[email protected]>

commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.

nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
estimating the size of the readdir reply, but nfsd_encode_readdir
restricts it to INT_MAX when encoding the reply. This can result in log
messages like "kernel: RPC request reserved 32896 but used 1049444".

Restrict rd_dircount similarly (no reason it should be larger than
svc_max_payload).

Signed-off-by: Scott Mayhew <[email protected]>
Cc: [email protected]
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/nfsd/nfs4xdr.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3358,7 +3358,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
nfserr = nfserr_resource;
goto err_no_verf;
}
- maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
+ maxcount = svc_max_payload(resp->rqstp);
+ maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
/*
* Note the rfc defines rd_maxcount as the size of the
* READDIR4resok structure, which includes the verifier above
@@ -3372,7 +3373,7 @@ nfsd4_encode_readdir(struct nfsd4_compou

/* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
if (!readdir->rd_dircount)
- readdir->rd_dircount = INT_MAX;
+ readdir->rd_dircount = svc_max_payload(resp->rqstp);

readdir->xdr = xdr;
readdir->rd_maxcount = maxcount;



2018-07-01 18:41:57

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 74/85] backlight: as3711_bl: Fix Device Tree node lookup

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed.

Cc: stable <[email protected]> # 3.10
Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
Signed-off-by: Johan Hovold <[email protected]>
Acked-by: Daniel Thompson <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/video/backlight/as3711_bl.c | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)

--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -262,10 +262,10 @@ static int as3711_bl_register(struct pla
static int as3711_backlight_parse_dt(struct device *dev)
{
struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
- struct device_node *bl =
- of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
+ struct device_node *bl, *fb;
int ret;

+ bl = of_get_child_by_name(dev->parent->of_node, "backlight");
if (!bl) {
dev_dbg(dev, "backlight node not found\n");
return -ENODEV;
@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(str
if (pdata->su1_max_uA <= 0)
ret = -EINVAL;
if (ret < 0)
- return ret;
+ goto err_put_bl;
}

fb = of_parse_phandle(bl, "su2-dev", 0);
@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(str
if (pdata->su2_max_uA <= 0)
ret = -EINVAL;
if (ret < 0)
- return ret;
+ goto err_put_bl;

if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
pdata->su2_feedback = AS3711_SU2_VOLTAGE;
@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(str
pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
count++;
}
- if (count != 1)
- return -EINVAL;
+ if (count != 1) {
+ ret = -EINVAL;
+ goto err_put_bl;
+ }

count = 0;
if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(str
pdata->su2_fbprot = AS3711_SU2_GPIO4;
count++;
}
- if (count != 1)
- return -EINVAL;
+ if (count != 1) {
+ ret = -EINVAL;
+ goto err_put_bl;
+ }

count = 0;
if (of_find_property(bl, "su2-auto-curr1", NULL)) {
@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(str
* At least one su2-auto-curr* must be specified iff
* AS3711_SU2_CURR_AUTO is used
*/
- if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
- return -EINVAL;
+ if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
+ ret = -EINVAL;
+ goto err_put_bl;
+ }
}

+ of_node_put(bl);
+
return 0;
+
+err_put_bl:
+ of_node_put(bl);
+
+ return ret;
}

static int as3711_backlight_probe(struct platform_device *pdev)



2018-07-01 18:42:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 76/85] backlight: tps65217_bl: Fix Device Tree node lookup

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

This would only cause trouble if the child node is missing while there
is an unrelated node named "backlight" elsewhere in the tree.

Cc: stable <[email protected]> # 3.7
Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver")
Signed-off-by: Johan Hovold <[email protected]>
Acked-by: Daniel Thompson <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/video/backlight/tps65217_bl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/video/backlight/tps65217_bl.c
+++ b/drivers/video/backlight/tps65217_bl.c
@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata *
tps65217_bl_parse_dt(struct platform_device *pdev)
{
struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
- struct device_node *node = of_node_get(tps->dev->of_node);
+ struct device_node *node;
struct tps65217_bl_pdata *pdata, *err;
u32 val;

- node = of_find_node_by_name(node, "backlight");
+ node = of_get_child_by_name(tps->dev->of_node, "backlight");
if (!node)
return ERR_PTR(-ENODEV);




2018-07-01 18:42:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 56/85] fuse: atomic_o_trunc should truncate pagecache

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <[email protected]>

commit df0e91d488276086bc07da2e389986cae0048c37 upstream.

Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
O_TRUNC flag in the OPEN request to truncate the file atomically with the
open.

In this mode there's no need to send a SETATTR request to userspace after
the open, so fuse_do_setattr() checks this mode and returns. But this
misses the important step of truncating the pagecache.

Add the missing parts of truncation to the ATTR_OPEN branch.

Reported-by: Chad Austin <[email protected]>
Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
Signed-off-by: Miklos Szeredi <[email protected]>
Cc: <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/fuse/dir.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1717,8 +1717,19 @@ int fuse_do_setattr(struct dentry *dentr
return err;

if (attr->ia_valid & ATTR_OPEN) {
- if (fc->atomic_o_trunc)
+ /* This is coming from open(..., ... | O_TRUNC); */
+ WARN_ON(!(attr->ia_valid & ATTR_SIZE));
+ WARN_ON(attr->ia_size != 0);
+ if (fc->atomic_o_trunc) {
+ /*
+ * No need to send request to userspace, since actual
+ * truncation has already been done by OPEN. But still
+ * need to truncate page cache.
+ */
+ i_size_write(inode, 0);
+ truncate_pagecache(inode, 0);
return 0;
+ }
file = NULL;
}




2018-07-01 18:42:31

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 67/85] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <[email protected]>

commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream.

cfi_ppb_unlock() walks all flash chips when unlocking sectors,
avoid walking chips unaffected by the unlock operation.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: [email protected]
Signed-off-by: Joakim Tjernlund <[email protected]>
Signed-off-by: Boris Brezillon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/mtd/chips/cfi_cmdset_0002.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2683,6 +2683,8 @@ static int __maybe_unused cfi_ppb_unlock
i++;

if (adr >> cfi->chipshift) {
+ if (offset >= (ofs + len))
+ break;
adr = 0;
chipnum++;




2018-07-01 18:42:54

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 66/85] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <[email protected]>

commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.

The "sector is in requested range" test used to determine whether
sectors should be re-locked or not is done on a variable that is reset
everytime we cross a chip boundary, which can lead to some blocks being
re-locked while the caller expect them to be unlocked.
Fix the check to make sure this cannot happen.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: [email protected]
Signed-off-by: Joakim Tjernlund <[email protected]>
Signed-off-by: Boris Brezillon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2667,7 +2667,7 @@ static int __maybe_unused cfi_ppb_unlock
* sectors shall be unlocked, so lets keep their locking
* status at "unlocked" (locked=0) for the final re-locking.
*/
- if ((adr < ofs) || (adr >= (ofs + len))) {
+ if ((offset < ofs) || (offset >= (ofs + len))) {
sect[sectors].chip = &cfi->chips[chipnum];
sect[sectors].adr = adr;
sect[sectors].locked = do_ppb_xxlock(



2018-07-01 18:42:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 70/85] MIPS: io: Add barrier after register read in inX()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Huacai Chen <[email protected]>

commit 18f3e95b90b28318ef35910d21c39908de672331 upstream.

While a barrier is present in the outX() functions before the register
write, a similar barrier is missing in the inX() functions after the
register read. This could allow memory accesses following inX() to
observe stale data.

This patch is very similar to commit a1cc7034e33d12dc1 ("MIPS: io: Add
barrier after register read in readX()"). Because war_io_reorder_wmb()
is both used by writeX() and outX(), if readX() need a barrier then so
does inX().

Cc: [email protected]
Signed-off-by: Huacai Chen <[email protected]>
Patchwork: https://patchwork.linux-mips.org/patch/19516/
Signed-off-by: Paul Burton <[email protected]>
Cc: James Hogan <[email protected]>
Cc: [email protected]
Cc: Fuxin Zhang <[email protected]>
Cc: Zhangjin Wu <[email protected]>
Cc: Huacai Chen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/mips/include/asm/io.h | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -412,6 +412,8 @@ static inline type pfx##in##bwlq##p(unsi
__val = *__addr; \
slow; \
\
+ /* prevent prefetching of coherent DMA data prematurely */ \
+ rmb(); \
return pfx##ioswab##bwlq(__addr, __val); \
}




2018-07-01 18:43:03

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 55/85] ipmi:bt: Set the timeout before doing a capabilities check

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Corey Minyard <[email protected]>

commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.

There was one place where the timeout value for an operation was
not being set, if a capabilities request was done from idle. Move
the timeout value setting to before where that change might be
requested.

IMHO the cause here is the invisible returns in the macros. Maybe
that's a job for later, though.

Reported-by: Nordmark Claes <[email protected]>
Signed-off-by: Corey Minyard <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/char/ipmi/ipmi_bt_sm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct
if (status & BT_H_BUSY) /* clear a leftover H_BUSY */
BT_CONTROL(BT_H_BUSY);

+ bt->timeout = bt->BT_CAP_req2rsp;
+
/* Read BT capabilities if it hasn't been done yet */
if (!bt->BT_CAP_outreqs)
BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
SI_SM_CALL_WITHOUT_DELAY);
- bt->timeout = bt->BT_CAP_req2rsp;
BT_SI_SM_RETURN(SI_SM_IDLE);

case BT_STATE_XACTION_START:



2018-07-01 18:43:16

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 24/85] mac80211: Adjust SAE authentication timeout

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ilan Peer <[email protected]>

[ Upstream commit 407879b690ba3a6bf29be896d02dad63463bd1c0 ]

The IEEE P802.11-REVmd D1.0 specification updated the SAE authentication
timeout to be 2000 milliseconds (see dot11RSNASAERetransPeriod). Update
the SAE timeout setting accordingly.

While at it, reduce some code duplication in the timeout configuration.

Signed-off-by: Ilan Peer <[email protected]>
Signed-off-by: Luca Coelho <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/mac80211/mlme.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -34,6 +34,7 @@
#define IEEE80211_AUTH_TIMEOUT (HZ / 5)
#define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2)
#define IEEE80211_AUTH_TIMEOUT_SHORT (HZ / 10)
+#define IEEE80211_AUTH_TIMEOUT_SAE (HZ * 2)
#define IEEE80211_AUTH_MAX_TRIES 3
#define IEEE80211_AUTH_WAIT_ASSOC (HZ * 5)
#define IEEE80211_ASSOC_TIMEOUT (HZ / 5)
@@ -3464,16 +3465,19 @@ static int ieee80211_probe_auth(struct i
}

if (tx_flags == 0) {
- auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
- auth_data->timeout_started = true;
- run_again(sdata, auth_data->timeout);
+ if (auth_data->algorithm == WLAN_AUTH_SAE)
+ auth_data->timeout = jiffies +
+ IEEE80211_AUTH_TIMEOUT_SAE;
+ else
+ auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
} else {
auth_data->timeout =
round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
- auth_data->timeout_started = true;
- run_again(sdata, auth_data->timeout);
}

+ auth_data->timeout_started = true;
+ run_again(sdata, auth_data->timeout);
+
return 0;
}

@@ -3545,8 +3549,15 @@ void ieee80211_sta_work(struct ieee80211
if (ifmgd->auth_data &&
(ieee80211_is_probe_req(fc) || ieee80211_is_auth(fc))) {
if (status_acked) {
- ifmgd->auth_data->timeout =
- jiffies + IEEE80211_AUTH_TIMEOUT_SHORT;
+ if (ifmgd->auth_data->algorithm ==
+ WLAN_AUTH_SAE)
+ ifmgd->auth_data->timeout =
+ jiffies +
+ IEEE80211_AUTH_TIMEOUT_SAE;
+ else
+ ifmgd->auth_data->timeout =
+ jiffies +
+ IEEE80211_AUTH_TIMEOUT_SHORT;
run_again(sdata, ifmgd->auth_data->timeout);
} else {
ifmgd->auth_data->timeout = jiffies - 1;



2018-07-01 18:43:31

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 23/85] kthread, sched/wait: Fix kthread_parkme() wait-loop

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <[email protected]>

[ Upstream commit 741a76b350897604c48fb12beff1c9b77724dc96 ]

Gaurav reported a problem with __kthread_parkme() where a concurrent
try_to_wake_up() could result in competing stores to ->state which,
when the TASK_PARKED store got lost bad things would happen.

The comment near set_current_state() actually mentions this competing
store, but only mentions the case against TASK_RUNNING. This same
store, with different timing, can happen against a subsequent !RUNNING
store.

This normally is not a problem, because as per that same comment, the
!RUNNING state store is inside a condition based wait-loop:

for (;;) {
set_current_state(TASK_UNINTERRUPTIBLE);
if (!need_sleep)
break;
schedule();
}
__set_current_state(TASK_RUNNING);

If we loose the (first) TASK_UNINTERRUPTIBLE store to a previous
(concurrent) wakeup, the schedule() will NO-OP and we'll go around the
loop once more.

The problem here is that the TASK_PARKED store is not inside the
KTHREAD_SHOULD_PARK condition wait-loop.

There is a genuine issue with sleeps that do not have a condition;
this is addressed in a subsequent patch.

Reported-by: Gaurav Kohli <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Reviewed-by: Oleg Nesterov <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/kthread.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -156,12 +156,13 @@ void *probe_kthread_data(struct task_str

static void __kthread_parkme(struct kthread *self)
{
- __set_current_state(TASK_PARKED);
- while (test_bit(KTHREAD_SHOULD_PARK, &self->flags)) {
+ for (;;) {
+ set_current_state(TASK_PARKED);
+ if (!test_bit(KTHREAD_SHOULD_PARK, &self->flags))
+ break;
if (!test_and_set_bit(KTHREAD_IS_PARKED, &self->flags))
complete(&self->parked);
schedule();
- __set_current_state(TASK_PARKED);
}
clear_bit(KTHREAD_IS_PARKED, &self->flags);
__set_current_state(TASK_RUNNING);



2018-07-01 18:43:49

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 22/85] parisc: drivers.c: Fix section mismatches

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <[email protected]>

[ Upstream commit b819439fea305a0bfd6ca23a7994fd1a8847c0d8 ]

Fix two section mismatches in drivers.c:
1) Section mismatch in reference from the function alloc_tree_node() to
the function .init.text:create_tree_node().
2) Section mismatch in reference from the function walk_native_bus() to
the function .init.text:alloc_pa_dev().

Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/parisc/kernel/drivers.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/parisc/kernel/drivers.c
+++ b/arch/parisc/kernel/drivers.c
@@ -448,7 +448,8 @@ static int match_by_id(struct device * d
* Checks all the children of @parent for a matching @id. If none
* found, it allocates a new device and returns it.
*/
-static struct parisc_device * alloc_tree_node(struct device *parent, char id)
+static struct parisc_device * __init alloc_tree_node(
+ struct device *parent, char id)
{
struct match_id_data d = {
.id = id,
@@ -822,8 +823,8 @@ void walk_lower_bus(struct parisc_device
* devices which are not physically connected (such as extra serial &
* keyboard ports). This problem is not yet solved.
*/
-static void walk_native_bus(unsigned long io_io_low, unsigned long io_io_high,
- struct device *parent)
+static void __init walk_native_bus(unsigned long io_io_low,
+ unsigned long io_io_high, struct device *parent)
{
int i, devices_found = 0;
unsigned long hpa = io_io_low;



2018-07-01 18:43:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 64/85] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <[email protected]>

commit f93aa8c4de307069c270b2d81741961162bead6c upstream.

do_ppb_xxlock() fails to add chip->start when querying for lock status
(and chip_ready test), which caused false status reports.
Fix that by adding adr += chip->start and adjust call sites
accordingly.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: [email protected]
Signed-off-by: Joakim Tjernlund <[email protected]>
Signed-off-by: Boris Brezillon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/mtd/chips/cfi_cmdset_0002.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2551,8 +2551,9 @@ static int __maybe_unused do_ppb_xxlock(
unsigned long timeo;
int ret;

+ adr += chip->start;
mutex_lock(&chip->mutex);
- ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
+ ret = get_chip(map, chip, adr, FL_LOCKING);
if (ret) {
mutex_unlock(&chip->mutex);
return ret;
@@ -2570,8 +2571,8 @@ static int __maybe_unused do_ppb_xxlock(

if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
chip->state = FL_LOCKING;
- map_write(map, CMD(0xA0), chip->start + adr);
- map_write(map, CMD(0x00), chip->start + adr);
+ map_write(map, CMD(0xA0), adr);
+ map_write(map, CMD(0x00), adr);
} else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
/*
* Unlocking of one specific sector is not supported, so we
@@ -2609,7 +2610,7 @@ static int __maybe_unused do_ppb_xxlock(
map_write(map, CMD(0x00), chip->start);

chip->state = FL_READY;
- put_chip(map, chip, adr + chip->start);
+ put_chip(map, chip, adr);
mutex_unlock(&chip->mutex);

return ret;



2018-07-01 18:43:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 19/85] hexagon: add memset_io() helper

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

[ Upstream commit a57ab96ef9dde231d4d46edba4d5f73720edc16a ]

We already have memcpy_toio(), but not memset_io(), so let's
add the obvious version to allow building an allmodconfig kernel
without errors like

drivers/gpu/drm/ttm/ttm_bo_util.c: In function 'ttm_bo_move_memcpy':
drivers/gpu/drm/ttm/ttm_bo_util.c:390:3: error: implicit declaration of function 'memset_io' [-Werror=implicit-function-declaration]

Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: Richard Kuo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/hexagon/include/asm/io.h | 6 ++++++
1 file changed, 6 insertions(+)

--- a/arch/hexagon/include/asm/io.h
+++ b/arch/hexagon/include/asm/io.h
@@ -216,6 +216,12 @@ static inline void memcpy_toio(volatile
memcpy((void *) dst, src, count);
}

+static inline void memset_io(volatile void __iomem *addr, int value,
+ size_t size)
+{
+ memset((void __force *)addr, value, size);
+}
+
#define PCI_IO_ADDR (volatile void __iomem *)

/*



2018-07-01 18:44:13

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 53/85] mips: ftrace: fix static function graph tracing

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <[email protected]>

commit 6fb8656646f996d1eef42e6d56203c4915cb9e08 upstream.

ftrace_graph_caller was never run after calling ftrace_trace_function,
breaking the function graph tracer. Fix this, bringing it in line with the
x86 implementation.

While we're at it, also streamline the control flow of _mcount a bit to
reduce the number of branches.

This issue was reported before:
https://www.linux-mips.org/archives/linux-mips/2014-11/msg00295.html

Signed-off-by: Matthias Schiffer <[email protected]>
Tested-by: Matt Redfearn <[email protected]>
Patchwork: https://patchwork.linux-mips.org/patch/18929/
Signed-off-by: Paul Burton <[email protected]>
Cc: [email protected] # v3.17+
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/mips/kernel/mcount.S | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)

--- a/arch/mips/kernel/mcount.S
+++ b/arch/mips/kernel/mcount.S
@@ -116,10 +116,20 @@ ftrace_stub:
NESTED(_mcount, PT_SIZE, ra)
PTR_LA t1, ftrace_stub
PTR_L t2, ftrace_trace_function /* Prepare t2 for (1) */
- bne t1, t2, static_trace
+ beq t1, t2, fgraph_trace
nop

+ MCOUNT_SAVE_REGS
+
+ move a0, ra /* arg1: self return address */
+ jalr t2 /* (1) call *ftrace_trace_function */
+ move a1, AT /* arg2: parent's return address */
+
+ MCOUNT_RESTORE_REGS
+
+fgraph_trace:
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ PTR_LA t1, ftrace_stub
PTR_L t3, ftrace_graph_return
bne t1, t3, ftrace_graph_caller
nop
@@ -128,24 +138,11 @@ NESTED(_mcount, PT_SIZE, ra)
bne t1, t3, ftrace_graph_caller
nop
#endif
- b ftrace_stub
-#ifdef CONFIG_32BIT
- addiu sp, sp, 8
-#else
- nop
-#endif
-
-static_trace:
- MCOUNT_SAVE_REGS
-
- move a0, ra /* arg1: self return address */
- jalr t2 /* (1) call *ftrace_trace_function */
- move a1, AT /* arg2: parent's return address */

- MCOUNT_RESTORE_REGS
#ifdef CONFIG_32BIT
addiu sp, sp, 8
#endif
+
.globl ftrace_stub
ftrace_stub:
RETURN_BACK



2018-07-01 18:44:23

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 20/85] hexagon: export csum_partial_copy_nocheck

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

[ Upstream commit 330e261c35dfb969c48f996dbbc8b334b5ee8d9d ]

This is needed to link ipv6 as a loadable module, which in turn happens
in allmodconfig.

Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: Richard Kuo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/hexagon/lib/checksum.c | 1 +
1 file changed, 1 insertion(+)

--- a/arch/hexagon/lib/checksum.c
+++ b/arch/hexagon/lib/checksum.c
@@ -201,3 +201,4 @@ csum_partial_copy_nocheck(const void *sr
memcpy(dst, src, len);
return csum_partial(dst, len, sum);
}
+EXPORT_SYMBOL(csum_partial_copy_nocheck);



2018-07-01 18:45:27

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 48/85] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <[email protected]>

commit 7de712ccc096b81d23cc0a941cd9b8cb3956605d upstream.

While working on changing this code to use force_sig_fault I
discovered that do_unaliged_user is sets si_signo to SIGBUS and passes
SIGSEGV to force_sig_info. Which is just b0rked.

The code is reporting a SIGBUS error so replace the SIGSEGV with SIGBUS.

Cc: Chris Zankel <[email protected]>
Cc: Max Filippov <[email protected]>
Cc: [email protected]
Cc: [email protected]
Acked-by: Max Filippov <[email protected]>
Fixes: 5a0015d62668 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 3")
Signed-off-by: "Eric W. Biederman" <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/xtensa/kernel/traps.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/xtensa/kernel/traps.c
+++ b/arch/xtensa/kernel/traps.c
@@ -280,7 +280,7 @@ do_unaligned_user (struct pt_regs *regs)
info.si_errno = 0;
info.si_code = BUS_ADRALN;
info.si_addr = (void *) regs->excvaddr;
- force_sig_info(SIGSEGV, &info, current);
+ force_sig_info(SIGBUS, &info, current);

}
#endif



2018-07-01 18:45:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 40/85] btrfs: scrub: Dont use inode pages for device replace

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Qu Wenruo <[email protected]>

commit ac0b4145d662a3b9e34085dea460fb06ede9b69b upstream.

[BUG]
Btrfs can create compressed extent without checksum (even though it
shouldn't), and if we then try to replace device containing such extent,
the result device will contain all the uncompressed data instead of the
compressed one.

Test case already submitted to fstests:
https://patchwork.kernel.org/patch/10442353/

[CAUSE]
When handling compressed extent without checksum, device replace will
goe into copy_nocow_pages() function.

In that function, btrfs will get all inodes referring to this data
extents and then use find_or_create_page() to get pages direct from that
inode.

The problem here is, pages directly from inode are always uncompressed.
And for compressed data extent, they mismatch with on-disk data.
Thus this leads to corrupted compressed data extent written to replace
device.

[FIX]
In this attempt, we could just remove the "optimization" branch, and let
unified scrub_pages() to handle it.

Although scrub_pages() won't bother reusing page cache, it will be a
little slower, but it does the correct csum checking and won't cause
such data corruption caused by "optimization".

Note about the fix: this is the minimal fix that can be backported to
older stable trees without conflicts. The whole callchain from
copy_nocow_pages() can be deleted, and will be in followup patches.

Fixes: ff023aac3119 ("Btrfs: add code to scrub to copy read data to another disk")
CC: [email protected] # 4.4+
Reported-by: James Harvey <[email protected]>
Reviewed-by: James Harvey <[email protected]>
Signed-off-by: Qu Wenruo <[email protected]>
[ remove code removal, add note why ]
Signed-off-by: David Sterba <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/btrfs/scrub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -2207,7 +2207,7 @@ static int scrub_extent(struct scrub_ctx
have_csum = scrub_find_csum(sctx, logical, l, csum);
if (have_csum == 0)
++sctx->stat.no_csum;
- if (sctx->is_dev_replace && !have_csum) {
+ if (0 && sctx->is_dev_replace && !have_csum) {
ret = copy_nocow_pages(sctx, logical, l,
mirror_num,
physical_for_dev_replace);



2018-07-01 18:45:46

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 49/85] usb: do not reset if a low-speed or full-speed device timed out

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Maxim Moseychuk <[email protected]>

commit 6e01827ed93947895680fbdad68c072a0f4e2450 upstream.

Some low-speed and full-speed devices (for example, bluetooth)
do not have time to initialize. For them, ETIMEDOUT is a valid error.
We need to give them another try. Otherwise, they will
never be initialized correctly and in dmesg will be messages
"Bluetooth: hci0 command 0x1002 tx timeout" or similars.

Fixes: 264904ccc33c ("usb: retry reset if a device times out")
Cc: stable <[email protected]>
Signed-off-by: Maxim Moseychuk <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/core/hub.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4405,7 +4405,9 @@ hub_port_init (struct usb_hub *hub, stru
* reset. But only on the first attempt,
* lest we get into a time out/reset loop
*/
- if (r == 0 || (r == -ETIMEDOUT && retries == 0))
+ if (r == 0 || (r == -ETIMEDOUT &&
+ retries == 0 &&
+ udev->speed > USB_SPEED_FULL))
break;
}
udev->descriptor.bMaxPacketSize0 =



2018-07-01 18:46:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 46/85] fs/binfmt_misc.c: do not allow offset overflow

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <[email protected]>

commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.

WHen registering a new binfmt_misc handler, it is possible to overflow
the offset to get a negative value, which might crash the system, or
possibly leak kernel data.

Here is a crash log when 2500000000 was used as an offset:

BUG: unable to handle kernel paging request at ffff989cfd6edca0
IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
PGD 1ef3e067 P4D 1ef3e067 PUD 0
Oops: 0000 [#1] SMP NOPTI
Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
Call Trace:
search_binary_handler+0x97/0x1d0
do_execveat_common.isra.34+0x667/0x810
SyS_execve+0x31/0x40
do_syscall_64+0x73/0x130
entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Use kstrtoint instead of simple_strtoul. It will work as the code
already set the delimiter byte to '\0' and we only do it when the field
is not empty.

Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested
with examples documented at Documentation/admin-guide/binfmt-misc.rst
and other registrations from packages on Ubuntu.

Link: http://lkml.kernel.org/r/[email protected]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
Reviewed-by: Andrew Morton <[email protected]>
Cc: Alexander Viro <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/binfmt_misc.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -334,8 +334,13 @@ static Node *create_entry(const char __u
char *s = strchr(p, del);
if (!s)
goto Einval;
- *s++ = '\0';
- e->offset = simple_strtoul(p, &p, 10);
+ *s = '\0';
+ if (p != s) {
+ int r = kstrtoint(p, 10, &e->offset);
+ if (r != 0 || e->offset < 0)
+ goto Einval;
+ }
+ p = s;
if (*p++)
goto Einval;
e->magic = p;
@@ -356,7 +361,8 @@ static Node *create_entry(const char __u
if (e->mask &&
string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
goto Einval;
- if (e->size + e->offset > BINPRM_BUF_SIZE)
+ if (e->size > BINPRM_BUF_SIZE ||
+ BINPRM_BUF_SIZE - e->size < e->offset)
goto Einval;
} else {
p = strchr(p, del);



2018-07-01 18:46:16

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 44/85] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <[email protected]>

commit 2cfce3a86b64b53f0a70e92a6a659c720c319b45 upstream.

Commit 184add2ca23c ("libata: Apply NOLPM quirk for SanDisk
SD7UB3Q*G1001 SSDs") disabled LPM for SanDisk SD7UB3Q*G1001 SSDs.

This has lead to several reports of users of that SSD where LPM
was working fine and who know have a significantly increased idle
power consumption on their laptops.

Likely there is another problem on the T450s from the original
reporter which gets exposed by the uncore reaching deeper sleep
states (higher PC-states) due to LPM being enabled. The problem as
reported, a hardfreeze about once a day, already did not sound like
it would be caused by LPM and the reports of the SSD working fine
confirm this. The original reporter is ok with dropping the quirk.

A X250 user has reported the same hard freeze problem and for him
the problem went away after unrelated updates, I suspect some GPU
driver stack changes fixed things.

TL;DR: The original reporters problem were triggered by LPM but not
an LPM issue, so drop the quirk for the SSD in question.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1583207
Cc: [email protected]
Cc: Richard W.M. Jones <[email protected]>
Cc: Lorenzo Dalrio <[email protected]>
Reported-by: Lorenzo Dalrio <[email protected]>
Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Tejun Heo <[email protected]>
Acked-by: "Richard W.M. Jones" <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/ata/libata-core.c | 3 ---
1 file changed, 3 deletions(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4248,9 +4248,6 @@ static const struct ata_blacklist_entry
ATA_HORKAGE_ZERO_AFTER_TRIM |
ATA_HORKAGE_NOLPM, },

- /* Sandisk devices which are known to not handle LPM well */
- { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, },
-
/* devices that don't properly handle queued TRIM commands */
{ "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
ATA_HORKAGE_ZERO_AFTER_TRIM, },



2018-07-01 18:46:25

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 42/85] libata: zpodd: make arrays cdb static, reduces object code size

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King <[email protected]>

commit 795ef788145ed2fa023efdf11e8d5d7bedc21462 upstream.

Don't populate the arrays cdb on the stack, instead make them static.
Makes the object code smaller by 230 bytes:

Before:
text data bss dec hex filename
3797 240 0 4037 fc5 drivers/ata/libata-zpodd.o

After:
text data bss dec hex filename
3407 400 0 3807 edf drivers/ata/libata-zpodd.o

Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: Tejun Heo <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/ata/libata-zpodd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -34,7 +34,7 @@ struct zpodd {
static int eject_tray(struct ata_device *dev)
{
struct ata_taskfile tf;
- const char cdb[] = { GPCMD_START_STOP_UNIT,
+ static const char cdb[] = { GPCMD_START_STOP_UNIT,
0, 0, 0,
0x02, /* LoEj */
0, 0, 0, 0, 0, 0, 0,
@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech
unsigned int ret;
struct rm_feature_desc *desc = (void *)(buf + 8);
struct ata_taskfile tf;
- char cdb[] = { GPCMD_GET_CONFIGURATION,
+ static const char cdb[] = { GPCMD_GET_CONFIGURATION,
2, /* only 1 feature descriptor requested */
0, 3, /* 3, removable medium feature */
0, 0, 0,/* reserved */



2018-07-01 18:46:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 43/85] libata: zpodd: small read overflow in eject_tray()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 18c9a99bce2a57dfd7e881658703b5d7469cc7b9 upstream.

We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 213342053db5 ("libata: handle power transition of ODD")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Tejun Heo <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/ata/libata-zpodd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -34,7 +34,7 @@ struct zpodd {
static int eject_tray(struct ata_device *dev)
{
struct ata_taskfile tf;
- static const char cdb[] = { GPCMD_START_STOP_UNIT,
+ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT,
0, 0, 0,
0x02, /* LoEj */
0, 0, 0, 0, 0, 0, 0,



2018-07-01 18:46:58

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 39/85] ext4: fix fencepost error in check for inode count overflow during resize

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit 4f2f76f751433908364ccff82f437a57d0e6e9b7 upstream.

ext4_resize_fs() has an off-by-one bug when checking whether growing of
a filesystem will not overflow inode count. As a result it allows a
filesystem with 8192 inodes per group to grow to 64TB which overflows
inode count to 0 and makes filesystem unusable. Fix it.

Cc: [email protected]
Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b
Reported-by: Jaco Kroon <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Reviewed-by: Andreas Dilger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ext4/resize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1906,7 +1906,7 @@ retry:
return 0;

n_group = ext4_get_group_number(sb, n_blocks_count - 1);
- if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+ if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
ext4_warning(sb, "resize would cause inodes_count overflow");
return -EINVAL;
}



2018-07-01 18:47:02

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 45/85] w1: mxc_w1: Enable clock before calling clk_get_rate() on it

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Potyra <[email protected]>

commit 955bc61328dc0a297fb3baccd84e9d3aee501ed8 upstream.

According to the API, you may only call clk_get_rate() after actually
enabling it.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31")
Signed-off-by: Stefan Potyra <[email protected]>
Acked-by: Evgeniy Polyakov <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/w1/masters/mxc_w1.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)

--- a/drivers/w1/masters/mxc_w1.c
+++ b/drivers/w1/masters/mxc_w1.c
@@ -113,6 +113,10 @@ static int mxc_w1_probe(struct platform_
if (IS_ERR(mdev->clk))
return PTR_ERR(mdev->clk);

+ err = clk_prepare_enable(mdev->clk);
+ if (err)
+ return err;
+
clkrate = clk_get_rate(mdev->clk);
if (clkrate < 10000000)
dev_warn(&pdev->dev,
@@ -126,12 +130,10 @@ static int mxc_w1_probe(struct platform_

res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
mdev->regs = devm_ioremap_resource(&pdev->dev, res);
- if (IS_ERR(mdev->regs))
- return PTR_ERR(mdev->regs);
-
- err = clk_prepare_enable(mdev->clk);
- if (err)
- return err;
+ if (IS_ERR(mdev->regs)) {
+ err = PTR_ERR(mdev->regs);
+ goto out_disable_clk;
+ }

/* Software reset 1-Wire module */
writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET);
@@ -147,8 +149,12 @@ static int mxc_w1_probe(struct platform_

err = w1_add_master_device(&mdev->bus_master);
if (err)
- clk_disable_unprepare(mdev->clk);
+ goto out_disable_clk;
+
+ return 0;

+out_disable_clk:
+ clk_disable_unprepare(mdev->clk);
return err;
}




2018-07-01 18:47:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 41/85] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bo Chen <[email protected]>

commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.

When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is
created without setting its operators via 'snd_pcm_set_ops()'. Following
operations on the new pcm instance can trigger kernel null pointer dereferences
and cause kernel oops.

This bug was found with my work on building a gray-box fault-injection tool for
linux-kernel-module binaries. A kernel null pointer dereference was confirmed
from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in
file 'sound/core/pcm_native.c'.

This patch fixes the bug by calling 'snd_device_free()' in the error handling
path of 'kzalloc()', which removes the new pcm instance from the snd card before
returns with an error code.

Signed-off-by: Bo Chen <[email protected]>
Cc: <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/hda_controller.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -915,8 +915,10 @@ static int azx_attach_pcm_stream(struct
return err;
strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
- if (apcm == NULL)
+ if (apcm == NULL) {
+ snd_device_free(chip->card, pcm);
return -ENOMEM;
+ }
apcm->chip = chip;
apcm->pcm = pcm;
apcm->codec = codec;



2018-07-01 18:47:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 34/85] ARM: davinci: board-dm646x-evm: set VPIF capture card name

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sekhar Nori <[email protected]>

[ Upstream commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c ]

VPIF capture driver expects card name to be set since it
uses it without checking for NULL. The commit which
introduced VPIF display and capture support added card
name only for display, not for capture.

Set it in platform data to probe driver successfully.

While at it, also fix the display card name to something more
appropriate.

Fixes: 85609c1ccda6 ("DaVinci: DM646x - platform changes for vpif capture and display drivers")
Signed-off-by: Sekhar Nori <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/arm/mach-davinci/board-dm646x-evm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm/mach-davinci/board-dm646x-evm.c
+++ b/arch/arm/mach-davinci/board-dm646x-evm.c
@@ -538,7 +538,7 @@ static struct vpif_display_config dm646x
.outputs = dm6467_ch0_outputs,
.output_count = ARRAY_SIZE(dm6467_ch0_outputs),
},
- .card_name = "DM646x EVM",
+ .card_name = "DM646x EVM Video Display",
};

/**
@@ -696,6 +696,7 @@ static struct vpif_capture_config dm646x
.fid_pol = 0,
},
},
+ .card_name = "DM646x EVM Video Capture",
};

static void __init evm_init_video(void)



2018-07-01 18:48:19

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 25/85] drm/omap: fix possible NULL ref issue in tiler_reserve_2d

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tomi Valkeinen <[email protected]>

[ Upstream commit 6a0f0c55619f0b82a677cab72e77c3444a5eee58 ]

tiler_reserve_2d allocates memory but does not check if it got the
memory. Add the check and return ENOMEM on failure.

Signed-off-by: Tomi Valkeinen <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Reviewed-by: Emil Velikov <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
Signed-off-by: Sean Paul <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
@@ -356,11 +356,15 @@ int tiler_unpin(struct tiler_block *bloc
struct tiler_block *tiler_reserve_2d(enum tiler_fmt fmt, uint16_t w,
uint16_t h, uint16_t align)
{
- struct tiler_block *block = kzalloc(sizeof(*block), GFP_KERNEL);
+ struct tiler_block *block;
u32 min_align = 128;
int ret;
unsigned long flags;

+ block = kzalloc(sizeof(*block), GFP_KERNEL);
+ if (!block)
+ return ERR_PTR(-ENOMEM);
+
BUG_ON(!validfmt(fmt));

/* convert width/height to slots */



2018-07-01 18:48:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 09/85] drm/msm: Fix possible null dereference on failure of get_pages()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <[email protected]>

[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ]

Commit 62e3a3e342af changed get_pages() to initialise
msm_gem_object::pages before trying to initialise msm_gem_object::sgt,
so that put_pages() would properly clean up pages in the failure
case.

However, this means that put_pages() now needs to check that
msm_gem_object::sgt is not null before trying to clean it up, and
this check was only applied to part of the cleanup code. Move
it all into the conditional block. (Strictly speaking we don't
need to make the kfree() conditional, but since we can't avoid
checking for null ourselves we may as well do so.)

Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages")
Signed-off-by: Ben Hutchings <[email protected]>
Reviewed-by: Jordan Crouse <[email protected]>
Signed-off-by: Rob Clark <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -110,17 +110,19 @@ static void put_pages(struct drm_gem_obj
struct msm_gem_object *msm_obj = to_msm_bo(obj);

if (msm_obj->pages) {
- /* For non-cached buffers, ensure the new pages are clean
- * because display controller, GPU, etc. are not coherent:
- */
- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
- msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
+ if (msm_obj->sgt) {
+ /* For non-cached buffers, ensure the new
+ * pages are clean because display controller,
+ * GPU, etc. are not coherent:
+ */
+ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+ msm_obj->sgt->nents,
+ DMA_BIDIRECTIONAL);

- if (msm_obj->sgt)
sg_free_table(msm_obj->sgt);
-
- kfree(msm_obj->sgt);
+ kfree(msm_obj->sgt);
+ }

if (iommu_present(&platform_bus_type))
drm_gem_put_pages(obj, msm_obj->pages, true, false);



2018-07-01 18:48:35

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 07/85] isofs: fix potential memory leak in mount option parsing

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Chengguang Xu <[email protected]>

[ Upstream commit 4f34a5130a471f32f2fe7750769ab4057dc3eaa0 ]

When specifying string type mount option (e.g., iocharset)
several times in a mount, current option parsing may
cause memory leak. Hence, call kfree for previous one
in this case. Meanwhile, check memory allocation result
for it.

Signed-off-by: Chengguang Xu <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/isofs/inode.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -394,7 +394,10 @@ static int parse_options(char *options,
break;
#ifdef CONFIG_JOLIET
case Opt_iocharset:
+ kfree(popt->iocharset);
popt->iocharset = match_strdup(&args[0]);
+ if (!popt->iocharset)
+ return 0;
break;
#endif
case Opt_map_a:



2018-07-01 18:48:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 30/85] ARM: keystone: fix platform_domain_notifier array overrun

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Russell King <[email protected]>

[ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ]

platform_domain_notifier contains a variable sized array, which the
pm_clk_notify() notifier treats as a NULL terminated array:

for (con_id = clknb->con_ids; *con_id; con_id++)
pm_clk_add(dev, *con_id);

Omitting the initialiser for con_ids means that the array is zero
sized, and there is no NULL terminator. This leads to pm_clk_notify()
overrunning into what ever structure follows, which may not be NULL.
This leads to an oops:

Unable to handle kernel NULL pointer dereference at virtual address 0000008c
pgd = c0003000
[0000008c] *pgd=80000800004003c, *pmd=00000000c
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:c
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9
Hardware name: Keystone
PC is at strlen+0x0/0x34
LR is at kstrdup+0x18/0x54
pc : [<c0623340>] lr : [<c0111d6c>] psr: 20000013
sp : eec73dc0 ip : eed780c0 fp : 00000001
r10: 00000000 r9 : 00000000 r8 : eed71e10
r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4
r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 00003000 DAC: fffffffd
Process swapper/0 (pid: 1, stack limit = 0xeec72210)
Stack: (0xeec73dc0 to 0xeec74000)
...
[<c0623340>] (strlen) from [<c0111d6c>] (kstrdup+0x18/0x54)
[<c0111d6c>] (kstrdup) from [<c03a6ff4>] (__pm_clk_add+0x58/0x120)
[<c03a6ff4>] (__pm_clk_add) from [<c03a731c>] (pm_clk_notify+0x64/0xa8)
[<c03a731c>] (pm_clk_notify) from [<c004614c>] (notifier_call_chain+0x44/0x84)
[<c004614c>] (notifier_call_chain) from [<c0046320>] (__blocking_notifier_call_chain+0x48/0x60)
[<c0046320>] (__blocking_notifier_call_chain) from [<c0046350>] (blocking_notifier_call_chain+0x18/0x20)
[<c0046350>] (blocking_notifier_call_chain) from [<c0390234>] (device_add+0x36c/0x534)
[<c0390234>] (device_add) from [<c047fc00>] (of_platform_device_create_pdata+0x70/0xa4)
[<c047fc00>] (of_platform_device_create_pdata) from [<c047fea0>] (of_platform_bus_create+0xf0/0x1ec)
[<c047fea0>] (of_platform_bus_create) from [<c047fff8>] (of_platform_populate+0x5c/0xac)
[<c047fff8>] (of_platform_populate) from [<c08b1f04>] (of_platform_default_populate_init+0x8c/0xa8)
[<c08b1f04>] (of_platform_default_populate_init) from [<c000a78c>] (do_one_initcall+0x3c/0x164)
[<c000a78c>] (do_one_initcall) from [<c087bd9c>] (kernel_init_freeable+0x10c/0x1d0)
[<c087bd9c>] (kernel_init_freeable) from [<c0628db0>] (kernel_init+0x8/0xf0)
[<c0628db0>] (kernel_init) from [<c00090d8>] (ret_from_fork+0x14/0x3c)
Exception stack(0xeec73fb0 to 0xeec73ff8)
3fa0: 00000000 00000000 00000000 00000000
3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000)
---[ end trace cafa8f148e262e80 ]---

Fix this by adding the necessary initialiser.

Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management")
Signed-off-by: Russell King <[email protected]>
Acked-by: Santosh Shilimkar <[email protected]>
Signed-off-by: Olof Johansson <[email protected]>

Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/arm/mach-keystone/pm_domain.c | 1 +
1 file changed, 1 insertion(+)

--- a/arch/arm/mach-keystone/pm_domain.c
+++ b/arch/arm/mach-keystone/pm_domain.c
@@ -59,6 +59,7 @@ static struct dev_pm_domain keystone_pm_

static struct pm_clk_notifier_block platform_domain_notifier = {
.pm_domain = &keystone_pm_domain,
+ .con_ids = { NULL },
};

static struct of_device_id of_keystone_table[] = {



2018-07-01 18:49:44

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 03/85] af_key: Always verify length of provided sadb_key

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kevin Easton <[email protected]>

commit 4b66af2d6356a00e94bcdea3e7fea324e8b5c6f4 upstream.

Key extensions (struct sadb_key) include a user-specified number of key
bits. The kernel uses that number to determine how much key data to copy
out of the message in pfkey_msg2xfrm_state().

The length of the sadb_key message must be verified to be long enough,
even in the case of SADB_X_AALG_NULL. Furthermore, the sadb_key_len value
must be long enough to include both the key data and the struct sadb_key
itself.

Introduce a helper function verify_key_len(), and call it from
parse_exthdrs() where other exthdr types are similarly checked for
correctness.

Signed-off-by: Kevin Easton <[email protected]>
Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert <[email protected]>
Cc: Zubin Mithra <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/key/af_key.c | 45 +++++++++++++++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 10 deletions(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -437,6 +437,24 @@ static int verify_address_len(const void
return 0;
}

+static inline int sadb_key_len(const struct sadb_key *key)
+{
+ int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8);
+
+ return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,
+ sizeof(uint64_t));
+}
+
+static int verify_key_len(const void *p)
+{
+ const struct sadb_key *key = p;
+
+ if (sadb_key_len(key) > key->sadb_key_len)
+ return -EINVAL;
+
+ return 0;
+}
+
static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)
{
return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +
@@ -533,16 +551,25 @@ static int parse_exthdrs(struct sk_buff
return -EINVAL;
if (ext_hdrs[ext_type-1] != NULL)
return -EINVAL;
- if (ext_type == SADB_EXT_ADDRESS_SRC ||
- ext_type == SADB_EXT_ADDRESS_DST ||
- ext_type == SADB_EXT_ADDRESS_PROXY ||
- ext_type == SADB_X_EXT_NAT_T_OA) {
+ switch (ext_type) {
+ case SADB_EXT_ADDRESS_SRC:
+ case SADB_EXT_ADDRESS_DST:
+ case SADB_EXT_ADDRESS_PROXY:
+ case SADB_X_EXT_NAT_T_OA:
if (verify_address_len(p))
return -EINVAL;
- }
- if (ext_type == SADB_X_EXT_SEC_CTX) {
+ break;
+ case SADB_X_EXT_SEC_CTX:
if (verify_sec_ctx_len(p))
return -EINVAL;
+ break;
+ case SADB_EXT_KEY_AUTH:
+ case SADB_EXT_KEY_ENCRYPT:
+ if (verify_key_len(p))
+ return -EINVAL;
+ break;
+ default:
+ break;
}
ext_hdrs[ext_type-1] = (void *) p;
}
@@ -1111,14 +1138,12 @@ static struct xfrm_state * pfkey_msg2xfr
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
if (key != NULL &&
sa->sadb_sa_auth != SADB_X_AALG_NULL &&
- ((key->sadb_key_bits+7) / 8 == 0 ||
- (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
+ key->sadb_key_bits == 0)
return ERR_PTR(-EINVAL);
key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
if (key != NULL &&
sa->sadb_sa_encrypt != SADB_EALG_NULL &&
- ((key->sadb_key_bits+7) / 8 == 0 ||
- (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
+ key->sadb_key_bits == 0)
return ERR_PTR(-EINVAL);

x = xfrm_state_alloc(net);



2018-07-01 18:50:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 08/85] scsi: iscsi: respond to netlink with unicast when appropriate

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Chris Leech <[email protected]>

[ Upstream commit af17092810a887178195276255b7b31f8fbe7dbe ]

Instead of always multicasting responses, send a unicast netlink message
directed at the correct pid. This will be needed if we ever want to
support multiple userspace processes interacting with the kernel over
iSCSI netlink simultaneously. Limitations can currently be seen if you
attempt to run multiple iscsistart commands in parallel.

We've fixed up the userspace issues in iscsistart that prevented
multiple instances from running, so now attempts to speed up booting by
bringing up multiple iscsi sessions at once in the initramfs are just
running into misrouted responses that this fixes.

Signed-off-by: Chris Leech <[email protected]>
Reviewed-by: Lee Duncan <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/scsi/scsi_transport_iscsi.c | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -2343,6 +2343,12 @@ iscsi_multicast_skb(struct sk_buff *skb,
return nlmsg_multicast(nls, skb, 0, group, gfp);
}

+static int
+iscsi_unicast_skb(struct sk_buff *skb, u32 portid)
+{
+ return nlmsg_unicast(nls, skb, portid);
+}
+
int iscsi_recv_pdu(struct iscsi_cls_conn *conn, struct iscsi_hdr *hdr,
char *data, uint32_t data_size)
{
@@ -2545,14 +2551,11 @@ void iscsi_ping_comp_event(uint32_t host
EXPORT_SYMBOL_GPL(iscsi_ping_comp_event);

static int
-iscsi_if_send_reply(uint32_t group, int seq, int type, int done, int multi,
- void *payload, int size)
+iscsi_if_send_reply(u32 portid, int type, void *payload, int size)
{
struct sk_buff *skb;
struct nlmsghdr *nlh;
int len = nlmsg_total_size(size);
- int flags = multi ? NLM_F_MULTI : 0;
- int t = done ? NLMSG_DONE : type;

skb = alloc_skb(len, GFP_ATOMIC);
if (!skb) {
@@ -2560,10 +2563,9 @@ iscsi_if_send_reply(uint32_t group, int
return -ENOMEM;
}

- nlh = __nlmsg_put(skb, 0, 0, t, (len - sizeof(*nlh)), 0);
- nlh->nlmsg_flags = flags;
+ nlh = __nlmsg_put(skb, 0, 0, type, (len - sizeof(*nlh)), 0);
memcpy(nlmsg_data(nlh), payload, size);
- return iscsi_multicast_skb(skb, group, GFP_ATOMIC);
+ return iscsi_unicast_skb(skb, portid);
}

static int
@@ -3490,6 +3492,7 @@ static int
iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
{
int err = 0;
+ u32 portid;
struct iscsi_uevent *ev = nlmsg_data(nlh);
struct iscsi_transport *transport = NULL;
struct iscsi_internal *priv;
@@ -3510,10 +3513,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
if (!try_module_get(transport->owner))
return -EINVAL;

+ portid = NETLINK_CB(skb).portid;
+
switch (nlh->nlmsg_type) {
case ISCSI_UEVENT_CREATE_SESSION:
err = iscsi_if_create_session(priv, ep, ev,
- NETLINK_CB(skb).portid,
+ portid,
ev->u.c_session.initial_cmdsn,
ev->u.c_session.cmds_max,
ev->u.c_session.queue_depth);
@@ -3526,7 +3531,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
}

err = iscsi_if_create_session(priv, ep, ev,
- NETLINK_CB(skb).portid,
+ portid,
ev->u.c_bound_session.initial_cmdsn,
ev->u.c_bound_session.cmds_max,
ev->u.c_bound_session.queue_depth);
@@ -3684,6 +3689,8 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
static void
iscsi_if_rx(struct sk_buff *skb)
{
+ u32 portid = NETLINK_CB(skb).portid;
+
mutex_lock(&rx_queue_mutex);
while (skb->len >= NLMSG_HDRLEN) {
int err;
@@ -3719,8 +3726,8 @@ iscsi_if_rx(struct sk_buff *skb)
break;
if (ev->type == ISCSI_UEVENT_GET_CHAP && !err)
break;
- err = iscsi_if_send_reply(group, nlh->nlmsg_seq,
- nlh->nlmsg_type, 0, 0, ev, sizeof(*ev));
+ err = iscsi_if_send_reply(portid, nlh->nlmsg_type,
+ ev, sizeof(*ev));
} while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
skb_pull(skb, rlen);
}



2018-07-01 18:50:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 02/85] tools build: Fix Makefile(s) to properly invoke tools build

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <[email protected]>

commit 16671c1e1cac2dbb995feb4bc55082fd939b5c2c upstream.

Several fixes were needed to allow following builds:
$ make tools/tmon
$ make -C <kernelsrc> tools/perf
$ make -C <kernelsrc>/tools perf

- some of the tools (perf) use same make variables as in
kernel build, unsetting srctree and objtree
- using original $(O) for O variable
- perf build does not follow the descend function setup
invoking it via it's own make rule

I tried the rest of the tools/Makefile targets and they
seem to work now.

Reported-by: Brian Norris <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Norris <[email protected]>
Cc: David Ahern <[email protected]>
Cc: David Howells <[email protected]>
Cc: Michal Marek <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Paul Mackerras <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Sam Ravnborg <[email protected]>
Cc: [email protected]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Cc: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
Makefile | 5 ++---
tools/Makefile | 12 +++++++++++-
2 files changed, 13 insertions(+), 4 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -214,7 +214,6 @@ VPATH := $(srctree)$(if $(KBUILD_EXTMOD

export srctree objtree VPATH

-
# SUBARCH tells the usermode build what the underlying arch is. That is set
# first, and if a usermode build is happening, the "ARCH=um" on the command
# line overrides the setting of ARCH below. If a native build is happening,
@@ -1505,11 +1504,11 @@ image_name:
# Clear a bunch of variables before executing the submake
tools/: FORCE
$(Q)mkdir -p $(objtree)/tools
- $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(filter --j% -j,$(MAKEFLAGS))" O=$(objtree) subdir=tools -C $(src)/tools/
+ $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(filter --j% -j,$(MAKEFLAGS))" O=$(O) subdir=tools -C $(src)/tools/

tools/%: FORCE
$(Q)mkdir -p $(objtree)/tools
- $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(filter --j% -j,$(MAKEFLAGS))" O=$(objtree) subdir=tools -C $(src)/tools/ $*
+ $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(filter --j% -j,$(MAKEFLAGS))" O=$(O) subdir=tools -C $(src)/tools/ $*

# Single targets
# ---------------------------------------------------------------------------
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -1,3 +1,8 @@
+# Some of the tools (perf) use same make variables
+# as in kernel build.
+export srctree=
+export objtree=
+
include scripts/Makefile.include

help:
@@ -54,8 +59,13 @@ liblockdep: FORCE
libapi: FORCE
$(call descend,lib/api)

+# The perf build does not follow the descend function setup,
+# invoking it via it's own make rule.
+PERF_O = $(if $(O),$(O)/tools/perf,)
+
perf: FORCE
- $(call descend,$@)
+ $(Q)mkdir -p $(PERF_O) .
+ $(Q)$(MAKE) --no-print-directory -C perf O=$(PERF_O) subdir=

selftests: FORCE
$(call descend,testing/$@)



2018-07-01 18:50:47

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 05/85] MIPS: io: Add barrier after register read in readX()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sinan Kaya <[email protected]>

[ Upstream commit a1cc7034e33d12dc17d13fbcd7d597d552889097 ]

While a barrier is present in the writeX() functions before the register
write, a similar barrier is missing in the readX() functions after the
register read. This could allow memory accesses following readX() to
observe stale data.

Signed-off-by: Sinan Kaya <[email protected]>
Reported-by: Arnd Bergmann <[email protected]>
Cc: Ralf Baechle <[email protected]>
Cc: Paul Burton <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/19069/
[[email protected]: Tidy commit message]
Signed-off-by: James Hogan <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/mips/include/asm/io.h | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -375,6 +375,8 @@ static inline type pfx##read##bwlq(const
BUG(); \
} \
\
+ /* prevent prefetching of coherent DMA data prematurely */ \
+ rmb(); \
return pfx##ioswab##bwlq(__mem, __val); \
}




2018-07-01 18:50:50

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 06/85] s390/smsgiucv: disable SMSG on module unload

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <[email protected]>

[ Upstream commit 760dd0eeaec1689430243ead14e5a429613d8c52 ]

The module exit function of the smsgiucv module uses the incorrect CP
command to disable SMSG messages. The correct command is "SET SMSG OFF".
Use it.

Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/s390/net/smsgiucv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/s390/net/smsgiucv.c
+++ b/drivers/s390/net/smsgiucv.c
@@ -190,7 +190,7 @@ static struct device_driver smsg_driver

static void __exit smsg_exit(void)
{
- cpcmd("SET SMSG IUCV", NULL, 0, NULL);
+ cpcmd("SET SMSG OFF", NULL, 0, NULL);
device_unregister(smsg_dev);
iucv_unregister(&smsg_handler, 1);
driver_unregister(&smsg_driver);



2018-07-01 18:51:02

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 14/85] selftests: ftrace: Add a testcase for multiple actions on trigger

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <[email protected]>

[ Upstream commit 25aa50e0ca397a5e5d4d6fcecefa8107877d1dd0 ]

Add a testcase for multiple actions with different
parameters on an event trigger, which has been fixed
by commit 192c283e93bd ("tracing: Add action comparisons
when testing matching hist triggers").

Link: http://lkml.kernel.org/r/152292055227.15769.6327959816123227152.stgit@devbox

Reviewed-by: Tom Zanussi <[email protected]>
Tested-by: Tom Zanussi <[email protected]>
Signed-off-by: Masami Hiramatsu <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc | 44 ++++++++++
1 file changed, 44 insertions(+)
create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc

--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc
@@ -0,0 +1,44 @@
+#!/bin/sh
+# description: event trigger - test multiple actions on hist trigger
+
+
+do_reset() {
+ reset_trigger
+ echo > set_event
+ clear_trace
+}
+
+fail() { #msg
+ do_reset
+ echo $1
+ exit_fail
+}
+
+if [ ! -f set_event ]; then
+ echo "event tracing is not supported"
+ exit_unsupported
+fi
+
+if [ ! -f synthetic_events ]; then
+ echo "synthetic event is not supported"
+ exit_unsupported
+fi
+
+clear_synthetic_events
+reset_tracer
+do_reset
+
+echo "Test multiple actions on hist trigger"
+echo 'wakeup_latency u64 lat; pid_t pid' >> synthetic_events
+TRIGGER1=events/sched/sched_wakeup/trigger
+TRIGGER2=events/sched/sched_switch/trigger
+
+echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="cyclictest"' > $TRIGGER1
+echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts0 if next_comm=="cyclictest"' >> $TRIGGER2
+echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,next_pid) if next_comm=="cyclictest"' >> $TRIGGER2
+echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,prev_pid) if next_comm=="cyclictest"' >> $TRIGGER2
+echo 'hist:keys=next_pid if next_comm=="cyclictest"' >> $TRIGGER2
+
+do_reset
+
+exit 0



2018-07-01 18:51:02

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 04/85] fsnotify: fix ignore mask logic in send_to_group()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <[email protected]>

[ Upstream commit 92183a42898dc400b89da35685d1814ac6acd3d8 ]

The ignore mask logic in send_to_group() does not match the logic
in fanotify_should_send_event(). In the latter, a vfsmount mark ignore
mask precedes an inode mark mask and in the former, it does not.

That difference may cause events to be sent to fanotify backend for no
reason. Fix the logic in send_to_group() to match that of
fanotify_should_send_event().

Signed-off-by: Amir Goldstein <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/notify/fsnotify.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)

--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -135,8 +135,9 @@ static int send_to_group(struct inode *t
const unsigned char *file_name)
{
struct fsnotify_group *group = NULL;
- __u32 inode_test_mask = 0;
- __u32 vfsmount_test_mask = 0;
+ __u32 test_mask = (mask & ~FS_EVENT_ON_CHILD);
+ __u32 marks_mask = 0;
+ __u32 marks_ignored_mask = 0;

if (unlikely(!inode_mark && !vfsmount_mark)) {
BUG();
@@ -156,29 +157,25 @@ static int send_to_group(struct inode *t
/* does the inode mark tell us to do something? */
if (inode_mark) {
group = inode_mark->group;
- inode_test_mask = (mask & ~FS_EVENT_ON_CHILD);
- inode_test_mask &= inode_mark->mask;
- inode_test_mask &= ~inode_mark->ignored_mask;
+ marks_mask |= inode_mark->mask;
+ marks_ignored_mask |= inode_mark->ignored_mask;
}

/* does the vfsmount_mark tell us to do something? */
if (vfsmount_mark) {
- vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD);
group = vfsmount_mark->group;
- vfsmount_test_mask &= vfsmount_mark->mask;
- vfsmount_test_mask &= ~vfsmount_mark->ignored_mask;
- if (inode_mark)
- vfsmount_test_mask &= ~inode_mark->ignored_mask;
+ marks_mask |= vfsmount_mark->mask;
+ marks_ignored_mask |= vfsmount_mark->ignored_mask;
}

pr_debug("%s: group=%p to_tell=%p mask=%x inode_mark=%p"
- " inode_test_mask=%x vfsmount_mark=%p vfsmount_test_mask=%x"
+ " vfsmount_mark=%p marks_mask=%x marks_ignored_mask=%x"
" data=%p data_is=%d cookie=%d\n",
- __func__, group, to_tell, mask, inode_mark,
- inode_test_mask, vfsmount_mark, vfsmount_test_mask, data,
+ __func__, group, to_tell, mask, inode_mark, vfsmount_mark,
+ marks_mask, marks_ignored_mask, data,
data_is, cookie);

- if (!inode_test_mask && !vfsmount_test_mask)
+ if (!(test_mask & marks_mask & ~marks_ignored_mask))
return 0;

return group->ops->handle_event(group, to_tell, inode_mark,



2018-07-01 18:51:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 10/85] parisc: time: Convert read_persistent_clock() to read_persistent_clock64()

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Baolin Wang <[email protected]>

[ Upstream commit f76cdd00ef0e39d880139b074e3b247594dff95a ]

The read_persistent_clock() uses a timespec, which is not year 2038 safe
on 32bit systems. On parisc architecture, we have implemented generic
RTC drivers that can be used to compensate the system suspend time, but
the RTC time can not represent the nanosecond resolution, so this patch
just converts to read_persistent_clock64() with timespec64.

Signed-off-by: Baolin Wang <[email protected]>
Acked-by: Arnd Bergmann <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/parisc/kernel/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/parisc/kernel/time.c
+++ b/arch/parisc/kernel/time.c
@@ -246,7 +246,7 @@ static int __init rtc_init(void)
}
module_init(rtc_init);

-void read_persistent_clock(struct timespec *ts)
+void read_persistent_clock64(struct timespec64 *ts)
{
static struct pdc_tod tod_data;
if (pdc_tod_read(&tod_data) == 0) {



2018-07-01 18:51:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 13/85] arm64: ptrace: remove addr_limit manipulation

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <[email protected]>

[ Upstream commit 59275a0c037ed6fabd6354730f1e3104264ab719 ]

We transiently switch to KERNEL_DS in compat_ptrace_gethbpregs() and
compat_ptrace_sethbpregs(), but in either case this is pointless as we
don't perform any uaccess during this window.

let's rip out the redundant addr_limit manipulation.

Acked-by: Catalin Marinas <[email protected]>
Signed-off-by: Mark Rutland <[email protected]>
Cc: Will Deacon <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/arm64/kernel/ptrace.c | 6 ------
1 file changed, 6 deletions(-)

--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -945,9 +945,7 @@ static int compat_ptrace_gethbpregs(stru
{
int ret;
u32 kdata;
- mm_segment_t old_fs = get_fs();

- set_fs(KERNEL_DS);
/* Watchpoint */
if (num < 0) {
ret = compat_ptrace_hbp_get(NT_ARM_HW_WATCH, tsk, num, &kdata);
@@ -958,7 +956,6 @@ static int compat_ptrace_gethbpregs(stru
} else {
ret = compat_ptrace_hbp_get(NT_ARM_HW_BREAK, tsk, num, &kdata);
}
- set_fs(old_fs);

if (!ret)
ret = put_user(kdata, data);
@@ -971,7 +968,6 @@ static int compat_ptrace_sethbpregs(stru
{
int ret;
u32 kdata = 0;
- mm_segment_t old_fs = get_fs();

if (num == 0)
return 0;
@@ -980,12 +976,10 @@ static int compat_ptrace_sethbpregs(stru
if (ret)
return ret;

- set_fs(KERNEL_DS);
if (num < 0)
ret = compat_ptrace_hbp_set(NT_ARM_HW_WATCH, tsk, num, &kdata);
else
ret = compat_ptrace_hbp_set(NT_ARM_HW_BREAK, tsk, num, &kdata);
- set_fs(old_fs);

return ret;
}



2018-07-01 18:51:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.18 11/85] scsi: isci: Fix infinite loop in while loop

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King <[email protected]>

[ Upstream commit 4bc83b3f272fe8f36450f9c003df49cf07ffe5fd ]

In the case when the phy_mask is bitwise anded with the phy_index bit is
zero the continue statement currently jumps to the next iteration of the
while loop and phy_index is never actually incremented, potentially
causing an infinite loop if phy_index is less than SCI_MAX_PHS. Fix this
by turning the while loop into a for loop.

Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/scsi/isci/port_config.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/scsi/isci/port_config.c
+++ b/drivers/scsi/isci/port_config.c
@@ -291,7 +291,7 @@ sci_mpc_agent_validate_phy_configuration
* Note: We have not moved the current phy_index so we will actually
* compare the startting phy with itself.
* This is expected and required to add the phy to the port. */
- while (phy_index < SCI_MAX_PHYS) {
+ for (; phy_index < SCI_MAX_PHYS; phy_index++) {
if ((phy_mask & (1 << phy_index)) == 0)
continue;
sci_phy_get_sas_address(&ihost->phys[phy_index],
@@ -311,7 +311,6 @@ sci_mpc_agent_validate_phy_configuration
&ihost->phys[phy_index]);

assigned_phy_mask |= (1 << phy_index);
- phy_index++;
}

}



2018-07-01 19:38:50

by Nathan Chancellor

[permalink] [raw]
Subject: Re: [PATCH 3.18 00/85] 3.18.114-stable review

On Sun, Jul 01, 2018 at 06:01:18PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.18.114 release.
> There are 85 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue Jul 3 15:31:04 UTC 2018.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.114-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Merged, compiled with -Werror, and installed onto my Pixel XL.

No initial issues noticed in dmesg or general usage.

Thanks,
Nathan

2018-07-02 07:21:52

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 3.18 00/85] 3.18.114-stable review

On Sun, Jul 01, 2018 at 12:37:07PM -0700, Nathan Chancellor wrote:
> On Sun, Jul 01, 2018 at 06:01:18PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 3.18.114 release.
> > There are 85 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Tue Jul 3 15:31:04 UTC 2018.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.114-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
>
> Merged, compiled with -Werror, and installed onto my Pixel XL.
>
> No initial issues noticed in dmesg or general usage.

Wonderful, thanks for testing all three of those kernels and letting me
know.

greg k-h

2018-07-02 07:53:11

by Harsh Shandilya

[permalink] [raw]
Subject: Re: [PATCH 3.18 00/85] 3.18.114-stable review



On 1 July 2018 9:31:18 PM IST, Greg Kroah-Hartman <[email protected]> wrote:
>This is the start of the stable review cycle for the 3.18.114 release.
>There are 85 patches in this series, all will be posted as a response
>to this one. If anyone has any issues with these being applied, please
>let me know.
>
>Responses should be made by Tue Jul 3 15:31:04 UTC 2018.
>Anything received after that time might be too late.
>
>The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.114-rc1.gz
>or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
>linux-3.18.y
>and the diffstat can be found below.
>
>thanks,
>
>greg k-h

Built and compiled with -Werror for the OnePlus3T, no regressions noticed. Thanks for the update!

2018-07-02 08:37:45

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 3.18 00/85] 3.18.114-stable review

On Mon, Jul 02, 2018 at 01:21:02PM +0530, Harsh 'MSF Jarvis' Shandilya wrote:
>
>
> On 1 July 2018 9:31:18 PM IST, Greg Kroah-Hartman <[email protected]> wrote:
> >This is the start of the stable review cycle for the 3.18.114 release.
> >There are 85 patches in this series, all will be posted as a response
> >to this one. If anyone has any issues with these being applied, please
> >let me know.
> >
> >Responses should be made by Tue Jul 3 15:31:04 UTC 2018.
> >Anything received after that time might be too late.
> >
> >The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.114-rc1.gz
> >or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> >linux-3.18.y
> >and the diffstat can be found below.
> >
> >thanks,
> >
> >greg k-h
>
> Built and compiled with -Werror for the OnePlus3T, no regressions noticed. Thanks for the update!

Great, thanks for testing and letting me know.

greg k-h

2018-07-02 16:33:01

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 3.18 00/85] 3.18.114-stable review

On Sun, Jul 01, 2018 at 06:01:18PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.18.114 release.
> There are 85 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue Jul 3 15:31:04 UTC 2018.
> Anything received after that time might be too late.
>
Build results:
total: 138 pass: 138 fail: 0
Qemu test results:
total: 129 pass: 129 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

2018-07-03 09:19:22

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 3.18 35/85] parisc: Move setup_profiling_timer() out of init section

On Sun, Jul 01, 2018 at 06:29:54PM +0200, Helge Deller wrote:
> Hi Greg,
>
> On 01.07.2018 18:01, Greg Kroah-Hartman wrote:
> > 3.18-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Helge Deller <[email protected]>
> >
> > [ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ]
>
> I wonder how this patch and patch #22 ([PATCH 3.18 22/85] parisc: drivers.c: Fix section mismatches)
> reached the stable trees?
> I haven't tagged upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 or
> b819439fea305a0bfd6ca23a7994fd1a8847c0d8 for backport.
>
> Anyway, I'd suggest not to apply both.
> I haven't tested them in those old kernels....

Ok, both now dropped, thanks.

greg k-h