[PATCH 4.14 082/109] scsi: core: scsi_get_device_flags_keyed(): Always return device flags

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 


[ Upstream commit a44c9d36509c83cf64f33b93f6ab2e63822c01eb ]

Since scsi_get_device_flags_keyed() callers do not check whether or not
the returned value is an error code, change that function such that it
returns a flags value even if the 'key' argument is invalid.  Note:
since commit 28a0bc4120d3 ("scsi: sd: Implement blacklist option for
WRITE SAME w/ UNMAP") bit 31 is a valid device information flag so
checking whether bit 31 is set in the return value is not sufficient to
tell the difference between an error code and a flags value.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/scsi/scsi_devinfo.c |7 +--
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -595,17 +595,12 @@ int scsi_get_device_flags_keyed(struct s
int key)
 {
struct scsi_dev_info_list *devinfo;
-   int err;
 
devinfo = scsi_dev_info_list_find(vendor, model, key);
if (!IS_ERR(devinfo))
return devinfo->flags;
 
-   err = PTR_ERR(devinfo);
-   if (err != -ENOENT)
-   return err;
-
-   /* nothing found, return nothing */
+   /* key or device not found: return nothing */
if (key != SCSI_DEVINFO_GLOBAL)
return 0;
 
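Review bot: With the "err != -ENOENT" branch removed, every failure from scsi_dev_info_list_find(), an invalid 'key' included, now falls through to "if (key != SCSI_DEVINFO_GLOBAL) return 0;" and is reported as "no flags" without any trace. That matches what the callers can handle, but a bad key is a programming error, so a one-time warning on that path would keep it visible. Since the commit message notes that bit 31 is now a valid flag, the int return type deserves a follow-up (an unsigned flags type stops callers from treating the value as signed), and the new comment could state outright that this function never returns an error code.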




[PATCH 4.14 073/109] perf annotate: Fix objdump comment parsing for Intel mov dissassembly

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Richter 


[ Upstream commit 35a8a148d8c1ee9e5ae18f9565a880490f816f89 ]

The command 'perf annotate' parses the output of objdump and also
investigates the comments produced by objdump. For example the
output of objdump produces (on x86):

23eee:  4c 8b 3d 13 01 21 00 mov 0x210113(%rip),%r15
# 234008 

and the function mov__parse() is called to investigate the complete
line. Mov__parse() breaks this line into several parts and finally
calls function comment__symbol() to parse the data after the comment
character '#'. Comment__symbol() expects a hexadecimal address followed
by a symbol in '<' and '>' brackets.

However the 2nd parameter given to function comment__symbol()
always points to the comment character '#'. The address parsing
always returns 0 because the character '#' is not a digit and
strtoull() fails without being noticed.

Fix this by advancing the second parameter to function comment__symbol()
by one byte before invocation and add an error check after strtoull()
has been called.

Signed-off-by: Thomas Richter 
Reviewed-by: Hendrik Brueckner 
Acked-by: Ravi Bangoria 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Fixes: 6de783b6f50f ("perf annotate: Resolve symbols using objdump comment")
Link: http://lkml.kernel.org/r/20171128075632.72182-1-tmri...@linux.vnet.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 tools/perf/util/annotate.c |8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -323,6 +323,8 @@ static int comment__symbol(char *raw, ch
return 0;
 
*addrp = strtoull(comment, , 16);
+   if (endptr == comment)
+   return 0;
name = strchr(endptr, '<');
if (name == NULL)
return -1;
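
Review bot: In comment__symbol(), the added "if (endptr == comment) return 0;" reports the no-digits case with the same value as the "return 0;" path just above it, while the very next failure (no '<' found) returns -1, so a caller cannot tell a parse failure from a skipped comment; returning -1 here would be consistent. Also, *addrp has already been overwritten with strtoull()'s 0 by the time the check runs. Parsing into a local and storing to *addrp only after the check would leave the caller's value untouched on failure.
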
@@ -436,8 +438,8 @@ static int mov__parse(struct arch *arch,
return 0;
 
comment = ltrim(comment);
-   comment__symbol(ops->source.raw, comment, >source.addr, 
>source.name);
-   comment__symbol(ops->target.raw, comment, >target.addr, 
>target.name);
+   comment__symbol(ops->source.raw, comment + 1, >source.addr, 
>source.name);
+   comment__symbol(ops->target.raw, comment + 1, >target.addr, 
>target.name);
 
return 0;
 
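Review bot: "comment + 1" in mov__parse() assumes that the first byte of comment after ltrim() is the '#' character, and the check that guarantees this is not visible in the hunk. An explicit skip done once before the two calls, for example "if (*comment == '#') comment++;", removes the duplicated pointer arithmetic and cannot step past the terminator if the string is ever empty. The return value of comment__symbol() is still ignored at both call sites, so the new error check inside it does not change what mov__parse() returns.
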
@@ -481,7 +483,7 @@ static int dec__parse(struct arch *arch
return 0;
 
comment = ltrim(comment);
-   comment__symbol(ops->target.raw, comment, >target.addr, 
>target.name);
+   comment__symbol(ops->target.raw, comment + 1, >target.addr, 
>target.name);
 
return 0;
 }
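
The failure mode described in the commit message above, as an added example that is not part of the original patch or of perf: strtoull() pointed at '#' consumes nothing and returns 0, and only the end pointer reveals it. The helper names (unchecked_addr, skip_hash, parse_comment_symbol) and the symbol name in the sample line are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of an objdump comment; the symbol name is made up. */
static const char SAMPLE[] = "# 234008 <sample_sym+0x8>";

/* Pre-fix behaviour: the conversion result is used without looking at
 * the end pointer, so "no digits found" is indistinguishable from 0. */
static unsigned long long unchecked_addr(const char *comment)
{
	return strtoull(comment, NULL, 16);
}

/* Skip leading blanks and a single '#', if one is present. Unlike a
 * bare "comment + 1", this never steps over a byte that is not '#'. */
static const char *skip_hash(const char *comment)
{
	while (*comment == ' ' || *comment == '\t')
		comment++;
	if (*comment == '#')
		comment++;
	return comment;
}

/* Parse "<hex address> <symbol>" (text after the '#').
 * Returns 0 on success, -1 on any parse failure; the outputs are
 * written only on success. */
static int parse_comment_symbol(const char *comment,
				unsigned long long *addrp,
				char *name, size_t name_len)
{
	char *endptr;
	const char *open, *close;
	unsigned long long addr;
	size_t len;

	errno = 0;
	addr = strtoull(comment, &endptr, 16);
	if (endptr == comment || errno == ERANGE)
		return -1;	/* no hex digits consumed, or overflow */

	open = strchr(endptr, '<');
	if (open == NULL)
		return -1;
	close = strchr(open + 1, '>');
	if (close == NULL)
		return -1;

	len = (size_t)(close - (open + 1));
	if (len == 0 || len >= name_len)
		return -1;	/* empty name or it would not fit */

	memcpy(name, open + 1, len);
	name[len] = '\0';
	*addrp = addr;
	return 0;
}

int main(void)
{
	unsigned long long addr = 0;
	char name[64];

	/* Pointing at '#': strtoull() silently yields 0. */
	printf("unchecked: %#llx\n", unchecked_addr(SAMPLE));

	/* Same input with the end-pointer check: reported as a failure. */
	printf("checked, '#' not skipped: %d\n",
	       parse_comment_symbol(SAMPLE, &addr, name, sizeof(name)));

	/* '#' skipped first: address and symbol are recovered. */
	if (parse_comment_symbol(skip_hash(SAMPLE), &addr, name,
				 sizeof(name)) == 0)
		printf("parsed: %#llx %s\n", addr, name);
	return 0;
}
```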




Re: [virtio-dev] [pci PATCH v7 2/5] virtio_pci: Add support for unmanaged SR-IOV on virtio_pci devices

2018-03-16 Thread Alexander Duyck
On Fri, Mar 16, 2018 at 9:34 AM, Michael S. Tsirkin  wrote:
> On Thu, Mar 15, 2018 at 11:42:41AM -0700, Alexander Duyck wrote:
>> From: Alexander Duyck 
>>
>> Hardware-realized virtio_pci devices can implement SR-IOV, so this
>> patch enables its use. The device in question is an upcoming Intel
>> NIC that implements both a virtio_net PF and virtio_net VFs. These
>> are hardware realizations of what has been up to now been a software
>> interface.
>>
>> The device in question has the following 4-part PCI IDs:
>>
>> PF: vendor: 1af4 device: 1041 subvendor: 8086 subdevice: 15fe
>> VF: vendor: 1af4 device: 1041 subvendor: 8086 subdevice: 05fe
>>
>> The patch currently needs no check for device ID, because the callback
>> will never be made for devices that do not assert the capability or
>> when run on a platform incapable of SR-IOV.
>>
>> One reason for this patch is because the hardware requires the
>> vendor ID of a VF to be the same as the vendor ID of the PF that
>> created it. So it seemed logical to simply have a fully-functioning
>> virtio_net PF create the VFs. This patch makes that possible.
>>
>> Reviewed-by: Christoph Hellwig 
>> Signed-off-by: Mark Rustad 
>> Signed-off-by: Alexander Duyck 
>
> So if and when virtio PFs can manage the VFs, then we can
> add a feature bit for that?
> Seems reasonable.

Yes. If nothing else you may not even need a feature bit depending on
how things go. One of the reasons why Mark called out the
subvendor/subdevice was because that might be able to be used to
identify the specific hardware that is providing the SR-IOV feature so
in the future if it is added to virtio itself then you could exclude
devices like this by just limiting things based on subvendor/subdevice
IDs.

> Also, I am guessing that hardware implementations will want
> to add things like strong memory barriers - I guess we
> will add new feature bits for that too down the road?

That piece I don't have visibility into at this time. Perhaps Dan
might have more visibility into future plans on what this might need.

Thanks.

- Alex


Re: [RFC 0/3] seccomp trap to userspace

2018-03-16 Thread Christian Brauner
On Fri, Mar 16, 2018 at 09:01:47AM -0700, Andy Lutomirski wrote:
> 
> 
> > On Mar 16, 2018, at 7:47 AM, Christian Brauner 
> >  wrote:
> > 
> >> On Fri, Mar 16, 2018 at 12:46:55AM +, Andy Lutomirski wrote:
> 
> 
> I bet I confused everyone with a blatant typo:
> 
> >> 
> >> Hmm, I think we have to be very careful to avoid nasty races.  I think
> >> the correct approach is to notice the signal and send a message to the
> >> listener that a signal is pending but to take no additional action.
> >> If the handler ends up completing the syscall with a successful
> >> return, we don't want to replace it with -EINTR.  IOW the code looks
> >> kind of like:
> >> 
> >> send_to_listener("hey I got a signal");
> 
> That should be “hey I got a syscall”.   D’oh!

Ha ok, that's what led me to believe that listener != handler and I was
trying to make sense of this. :)

Thanks!
Christian

> 
> >> wait_ret = wait_interruptible for the listener to reply;
> >> if (wait_ret == -EINTR) {
> > 
> > Hm, so from the pseudo-code it looks like: The handler would inform the
> > listener that it received a signal (either from the syscall requester or
> > from somewhere else) and then wait for the listener to reply to that
> > message.  This would allow the listener to decide what action it wants
> > the handler to take based on the signal, i.e. either cancel the request
> > or retry?  The comment makes it sound like that the handler doesn't
> > really wait on the listener when it receives a signal it simply moves
> > on.
> 
> It keeps waiting killably but not interruptibly. 
> 
> > So no "taking no additional action" here means not have the handler
> > decide to abort but the listener?
> 
> If by “handler” you mean kernel, then yes. 
> 
> There’s no userspace syscall handler involved. From the kernel’s perspective, 
> a syscall is never still in progress when a signal handler is invoked — we 
> only actually invoke syscall handlers in prepare_exit_to_usermode() or the 
> non-x86 equivalent and the functions it calls. While a syscall is running, 
> the kernel might notice that a signal is pending and do one of a few things:
> 
> 1. Just keep going. Not all syscalls can be interrupted. 
> 
> 2. Try to finish early. If a send() call has already sent some but not all 
> data, it can stop waiting and return the number of bytes sent.
> 
> 3. Abort with -EINTR.
> 
> 4. Abort with -ERESTARTSYS or one of its relatives. These fiddle with user 
> registers in a somewhat unpleasant way to pretend that the syscall never 
> actually happened.  This works for syscalls that wait with an absolute 
> timeout, for example. 
> 
> 5. Set up restart_syscall() magic, rewrite regs so it looks like the user was 
> about to call restart_syscall() when the signal happened, and abort. 
> 
> In all cases, the signal is dealt with afterwards. This could result in 
> changing regs to call the handler or in simply returning. 
> 
> 1-3 should work fully in seccomp. The only issue is that the kernel doesn’t 
> know *which* to do, nor can the kernel force the listener to abort cleanly, 
> so I think we have  no real choice but to let the listener decide. 
> 
> 4 could be supported just like 1-3. 5 is awful, and I don’t think we should 
> support it for user listeners. 


[PATCH 4.14 031/109] HID: elo: clear BTN_LEFT mapping

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jiri Kosina 


[ Upstream commit 9abd04af951e5734c9d5cfee9b49790844b734cf ]

ELO devices have one Button usage in GenDesk field, which makes hid-input map
it to BTN_LEFT; that confuses userspace, which then considers the device to be
a mouse/touchpad instead of touchscreen.

Fix that by unmapping BTN_LEFT and keeping only BTN_TOUCH in place.

Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/hid/hid-elo.c |6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/hid/hid-elo.c
+++ b/drivers/hid/hid-elo.c
@@ -42,6 +42,12 @@ static int elo_input_configured(struct h
 {
struct input_dev *input = hidinput->input;
 
+   /*
+* ELO devices have one Button usage in GenDesk field, which makes
+* hid-input map it to BTN_LEFT; that confuses userspace, which then
+* considers the device to be a mouse/touchpad instead of touchscreen.
+*/
+   clear_bit(BTN_LEFT, input->keybit);
set_bit(BTN_TOUCH, input->keybit);
set_bit(ABS_PRESSURE, input->absbit);
input_set_abs_params(input, ABS_PRESSURE, 0, 256, 0, 0);




Re: [PATCH 2/2] kprobe: fix: Add ftrace_ops_assist_func to kprobe blacklist

2018-03-16 Thread Steven Rostedt
On Fri, 16 Mar 2018 12:28:59 -0400 (EDT)
Mathieu Desnoyers  wrote:

> > We probably didn't discuss it (as there was a lot to discuss, and this
> > was probably overshadowed by that). But yes, you should not probe
> > ftrace called functions. That is guaranteed to crash and that crash is
> > not a bug, but a feature.  
> 
> Are you really arguing that crashing the kernel from an ABI visible from
> userspace (even if it's only root user) is not a bug ? You are joking right ?
> Is there an EXPERIMENTAL config option that people need to select in order to
> make sure those ftrace interfaces don't end up on production systems ?

No I'm not. And yes there is. Disable kprobes. kprobes is much more
dangerous than ftrace, and it's kprobes that is crashing not ftrace.

Heck we have "echo c > /proc/sysrq-trigger"

So yes, you can easily crash the kernel via root. If you can load a
module, you can crash the kernel. There's a thousand ways to crash a
kernel. This is why most of the fuzzer testing is done as non-root,
because doing it as root will do more than just crash the system, it may
corrupt it enough that you can no longer boot it.

I see below you are doing fuzzing testing too as root. Hopefully you
limit those tests because yes, things can get really bad.

> 
> > 
> > The ftrace and ring buffer files should be blacklisted from being
> > probed. Perhaps the entire directory.  
> 
> All code reachable from a kprobe handler should be blacklisted from
> kprobes, yes.

The problem is that that list constantly changes. There's been cases we
try to prevent things called by nmi do not get called, but it ended up
being every helper utility can be called in that context.

> 
> > 
> > Anyway, I don't see this as much of an urgent matter, as it's one of
> > those "Patient: Doc, it hurts when I do this. Doc: Don't do that"
> > cases. And there's a lot of urgent issues that currently need to be
> > dealt with.  
> 
> OK, short-term we'll remove everything related to ftrace functions
> from our CI fuzzer coverage. Arguably, the fact that a root user can
> crash the kernel through tracefs files is not that great security-wise
> though.

Note, probes are not a normal API. I test the hell out of the other
ftrace interfaces and if it blows up I fix it. But adding probes into
random parts of the kernel is very dangerous, and not something I care
to test. And sure, if you are worried about root killing the system,
disable kprobes.


> 
> Considering that our current focus is to test the kprobe instrumentation
> layer (and not ftrace per se), we will move our fuzzer to the LTTng ABI
> instead, which should take care of removing crashes introduced by ftrace
> from our fuzzing results.

Yes, kprobes are dangerous. I'm not saying it shouldn't be fixed, I'm
saying that I don't have time to fix it now, but would be happy to
accept patches if someone else does so.

-- Steve


[PATCH 4.14 038/109] typec: tcpm: fusb302: Resolve out of order messaging events

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Adam Thomson 


[ Upstream commit ab69f61321140ff632d560775bc226259a78dfa2 ]

The expectation in the FUSB302 driver is that a TX_SUCCESS event
should occur after a message has been sent, but before a GCRCSENT
event is raised to indicate successful receipt of a message from
the partner. However in some circumstances it is possible to see
the hardware raise a GCRCSENT event before a TX_SUCCESS event
is raised. The upshot of this is that the GCRCSENT handling portion
of code ends up reporting the GoodCRC message to TCPM because the
TX_SUCCESS event hasn't yet arrived to trigger a consumption of it.
When TX_SUCCESS is then raised by the chip it ends up consuming the
actual message that was meant for TCPM, and this incorrect sequence
results in a hard reset from TCPM.

To avoid this problem, this commit updates the message reading
code to check whether a GoodCRC message was received or not. Based
on this check it will either report that the previous transmission
has completed or it will pass the msg data to TCPM for further
processing. This way the incorrect ordering of the events no longer
matters.

Signed-off-by: Adam Thomson 
Reviewed-by: Guenter Roeck 
Acked-by: Heikki Krogerus 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/staging/typec/fusb302/fusb302.c |   21 +
 1 file changed, 17 insertions(+), 4 deletions(-)

--- a/drivers/staging/typec/fusb302/fusb302.c
+++ b/drivers/staging/typec/fusb302/fusb302.c
@@ -1552,6 +1552,21 @@ static int fusb302_pd_read_message(struc
fusb302_log(chip, "PD message header: %x", msg->header);
fusb302_log(chip, "PD message len: %d", len);
 
+   /*
+* Check if we've read off a GoodCRC message. If so then indicate to
+* TCPM that the previous transmission has completed. Otherwise we pass
+* the received message over to TCPM for processing.
+*
+* We make this check here instead of basing the reporting decision on
+* the IRQ event type, as it's possible for the chip to report the
+* TX_SUCCESS and GCRCSENT events out of order on occasion, so we need
+* to check the message type to ensure correct reporting to TCPM.
+*/
+   if ((!len) && (pd_header_type_le(msg->header) == PD_CTRL_GOOD_CRC))
+   tcpm_pd_transmit_complete(chip->tcpm_port, TCPC_TX_SUCCESS);
+   else
+   tcpm_pd_receive(chip->tcpm_port, msg);
+
return ret;
 }
 
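Review bot: The new dispatch in fusb302_pd_read_message() sits directly before "return ret;" and does not look at ret, so any earlier step in this function that fails without returning would still hand msg to tcpm_pd_receive() or signal TCPC_TX_SUCCESS. If every error path above returns early, a short comment saying so, or an explicit "if (ret < 0) return ret;" ahead of the block, would make that obvious. The function name also no longer describes what it does now that it reports to TCPM; a rename or a kernel-doc line would help the two IRQ callers. Minor style point: "(!len)" does not need the parentheses.
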
@@ -1659,13 +1674,12 @@ static irqreturn_t fusb302_irq_intn(int
 
if (interrupta & FUSB_REG_INTERRUPTA_TX_SUCCESS) {
fusb302_log(chip, "IRQ: PD tx success");
-   /* read out the received good CRC */
ret = fusb302_pd_read_message(chip, _msg);
if (ret < 0) {
-   fusb302_log(chip, "cannot read in GCRC, ret=%d", ret);
+   fusb302_log(chip,
+   "cannot read in PD message, ret=%d", ret);
goto done;
}
-   tcpm_pd_transmit_complete(chip->tcpm_port, TCPC_TX_SUCCESS);
}
 
if (interrupta & FUSB_REG_INTERRUPTA_HARDRESET) {
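
Review bot: In the TX_SUCCESS branch of fusb302_irq_intn(), the removed comment "/* read out the received good CRC */" gets no replacement, yet the branch now relies on fusb302_pd_read_message() to choose between tcpm_pd_transmit_complete() and tcpm_pd_receive(). A one-line comment noting that the message read here may be either the GoodCRC or a partner message, and that the reporting happens inside the read function, would stop a later reader from re-adding the call. The log text "IRQ: PD tx success" is slightly misleading now for the same reason.
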
@@ -1686,7 +1700,6 @@ static irqreturn_t fusb302_irq_intn(int
"cannot read in PD message, ret=%d", ret);
goto done;
}
-   tcpm_pd_receive(chip->tcpm_port, _msg);
}
 done:
mutex_unlock(>lock);




[PATCH 4.14 040/109] sched: Stop switched_to_rt() from sending IPIs to offline CPUs

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: "Paul E. McKenney" 


[ Upstream commit 2fe2582649aa2355f79acddb86bd4d6c5363eb63 ]

The rcutorture test suite occasionally provokes a splat due to invoking
rt_mutex_lock() which needs to boost the priority of a task currently
sitting on a runqueue that belongs to an offline CPU:

WARNING: CPU: 0 PID: 12 at 
/home/paulmck/public_git/linux-rcu/arch/x86/kernel/smp.c:128 
native_smp_send_reschedule+0x37/0x40
Modules linked in:
CPU: 0 PID: 12 Comm: rcub/7 Not tainted 4.14.0-rc4+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: 9ed3de5f8cc0 task.stack: bbf80012c000
RIP: 0010:native_smp_send_reschedule+0x37/0x40
RSP: 0018:bbf80012fd10 EFLAGS: 00010082
RAX: 002f RBX: 9ed3dd9cb300 RCX: 0004
RDX: 8004 RSI: 0086 RDI: 
RBP: bbf80012fd10 R08: 0009da7a R09: 7b9d
R10: 0001 R11: bb57c2cd R12: 000d
R13: 9ed3de5f8cc0 R14: 0061 R15: 9ed3ded59200
FS:  () GS:9ed3dea0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 080686f0 CR3: 1b9e CR4: 06f0
Call Trace:
 resched_curr+0x61/0xd0
 switched_to_rt+0x8f/0xa0
 rt_mutex_setprio+0x25c/0x410
 task_blocks_on_rt_mutex+0x1b3/0x1f0
 rt_mutex_slowlock+0xa9/0x1e0
 rt_mutex_lock+0x29/0x30
 rcu_boost_kthread+0x127/0x3c0
 kthread+0x104/0x140
 ? rcu_report_unblock_qs_rnp+0x90/0x90
 ? kthread_create_on_node+0x40/0x40
 ret_from_fork+0x22/0x30
Code: f0 00 0f 92 c0 84 c0 74 14 48 8b 05 34 74 c5 00 be fd 00 00 00 ff 90 a0 
00 00 00 5d c3 89 fe 48 c7 c7 a0 c6 fc b9 e8 d5 b5 06 00 <0f> ff 5d c3 0f 1f 44 
00 00 8b 05 a2 d1 13 02 85 c0 75 38 55 48

But the target task's priority has already been adjusted, so the only
purpose of switched_to_rt() invoking resched_curr() is to wake up the
CPU running some task that needs to be preempted by the boosted task.
But the CPU is offline, which presumably means that the task must be
migrated to some other CPU, and that this other CPU will undertake any
needed preemption at the time of migration.  Because the runqueue lock
is held when resched_curr() is invoked, we know that the boosted task
cannot go anywhere, so it is not necessary to invoke resched_curr()
in this particular case.

This commit therefore makes switched_to_rt() refrain from invoking
resched_curr() when the target CPU is offline.

Signed-off-by: Paul E. McKenney 
Cc: Ingo Molnar 
Cc: Peter Zijlstra 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 kernel/sched/rt.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -2218,7 +2218,7 @@ static void switched_to_rt(struct rq *rq
if (p->nr_cpus_allowed > 1 && rq->rt.overloaded)
queue_push_tasks(rq);
 #endif /* CONFIG_SMP */
-   if (p->prio < rq->curr->prio)
+   if (p->prio < rq->curr->prio && cpu_online(cpu_of(rq)))
resched_curr(rq);
}
 }
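
Review bot: The added "cpu_online(cpu_of(rq))" test in switched_to_rt() carries no comment, and the reason it is safe (the runqueue lock is held so the boosted task cannot move, and the CPU that takes the task over does any needed preemption at migration time) lives only in the commit message. A two-line comment above the condition would record that, since a bare online check next to resched_curr() otherwise reads as if it could race with hotplug.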




Re: [PATCH 0/2] irqchip/gic*: Complain about the use of IRQ_TYPE_NONE

2018-03-16 Thread Robin Murphy

On 16/03/18 16:39, Marc Zyngier wrote:

On 16/03/18 16:19, Robin Murphy wrote:

On 16/03/18 14:55, Marc Zyngier wrote:

Grepping through the dts files, the documentation, and reviewing
patches, one can only notice the use of IRQ_TYPE_NONE in interrupt
specifiers. At least for the GIC, this doesn't mean anything. The
unsuspecting driver will end-up with whatever was there before, and
there is a 50% probability that it is not what it wants.

I'd love to fix it myself, but I also have a 50% probability of
getting it wrong. In order to make the user aware they are walking on
thin ice, let's add some warnings. Hopefully, they'll be annoying
enough that people will fix their firmware. Crowdsourcing debugging...


I guess there's also the alternative nuclear option of breaking their
build ;)

Robin.

->8-
diff --git a/include/dt-bindings/interrupt-controller/irq.h
b/include/dt-bindings/interrupt-controller/irq.h
index a8b310555f14..de79af80d01e 100644
--- a/include/dt-bindings/interrupt-controller/irq.h
+++ b/include/dt-bindings/interrupt-controller/irq.h
@@ -10,7 +10,7 @@
   #ifndef _DT_BINDINGS_INTERRUPT_CONTROLLER_IRQ_H
   #define _DT_BINDINGS_INTERRUPT_CONTROLLER_IRQ_H

-#define IRQ_TYPE_NONE  0
+#define IRQ_TYPE_NONE  "This is nonsense and needs fixing"
   #define IRQ_TYPE_EDGE_RISING 1
   #define IRQ_TYPE_EDGE_FALLING2
   #define IRQ_TYPE_EDGE_BOTH   (IRQ_TYPE_EDGE_FALLING | IRQ_TYPE_EDGE_RISING)



What really annoys me with this patch is that you haven't put a SoB on it...


On a more serious note, though, it dawns on me that this might be 
something DTC could realistically scream about for us, although I guess 
not all irqchip bindings include a type specifier so it would probably 
need to special-case known ones.


Robin.


[PATCH 4.14 019/109] usb: usbmon: Read text within supplied buffer size

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Pete Zaitcev 

commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.

This change fixes buffer overflows and silent data corruption with the
usbmon device driver text file read operations.

Signed-off-by: Fredrik Noring 
Signed-off-by: Pete Zaitcev 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/mon/mon_text.c |  124 +++--
 1 file changed, 77 insertions(+), 47 deletions(-)

--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -85,6 +85,8 @@ struct mon_reader_text {
 
wait_queue_head_t wait;
int printf_size;
+   size_t printf_offset;
+   size_t printf_togo;
char *printf_buf;
struct mutex printf_lock;
 
@@ -376,75 +378,103 @@ err_alloc:
return rc;
 }
 
-/*
- * For simplicity, we read one record in one system call and throw out
- * what does not fit. This means that the following does not work:
- *   dd if=/dbg/usbmon/0t bs=10
- * Also, we do not allow seeks and do not bother advancing the offset.
- */
+static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
+char __user * const buf, const size_t nbytes)
+{
+   const size_t togo = min(nbytes, rp->printf_togo);
+
+   if (copy_to_user(buf, >printf_buf[rp->printf_offset], togo))
+   return -EFAULT;
+   rp->printf_togo -= togo;
+   rp->printf_offset += togo;
+   return togo;
+}
+
+/* ppos is not advanced since the llseek operation is not permitted. */
 static ssize_t mon_text_read_t(struct file *file, char __user *buf,
-   size_t nbytes, loff_t *ppos)
+size_t nbytes, loff_t *ppos)
 {
struct mon_reader_text *rp = file->private_data;
struct mon_event_text *ep;
struct mon_text_ptr ptr;
+   ssize_t ret;
 
-   ep = mon_text_read_wait(rp, file);
-   if (IS_ERR(ep))
-   return PTR_ERR(ep);
mutex_lock(>printf_lock);
-   ptr.cnt = 0;
-   ptr.pbuf = rp->printf_buf;
-   ptr.limit = rp->printf_size;
-
-   mon_text_read_head_t(rp, , ep);
-   mon_text_read_statset(rp, , ep);
-   ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
-   " %d", ep->length);
-   mon_text_read_data(rp, , ep);
 
-   if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
-   ptr.cnt = -EFAULT;
+   if (rp->printf_togo == 0) {
+
+   ep = mon_text_read_wait(rp, file);
+   if (IS_ERR(ep)) {
+   mutex_unlock(>printf_lock);
+   return PTR_ERR(ep);
+   }
+   ptr.cnt = 0;
+   ptr.pbuf = rp->printf_buf;
+   ptr.limit = rp->printf_size;
+
+   mon_text_read_head_t(rp, , ep);
+   mon_text_read_statset(rp, , ep);
+   ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+   " %d", ep->length);
+   mon_text_read_data(rp, , ep);
+
+   rp->printf_togo = ptr.cnt;
+   rp->printf_offset = 0;
+
+   kmem_cache_free(rp->e_slab, ep);
+   }
+
+   ret = mon_text_copy_to_user(rp, buf, nbytes);
mutex_unlock(>printf_lock);
-   kmem_cache_free(rp->e_slab, ep);
-   return ptr.cnt;
+   return ret;
 }
 
+/* ppos is not advanced since the llseek operation is not permitted. */
 static ssize_t mon_text_read_u(struct file *file, char __user *buf,
-   size_t nbytes, loff_t *ppos)
+size_t nbytes, loff_t *ppos)
 {
struct mon_reader_text *rp = file->private_data;
struct mon_event_text *ep;
struct mon_text_ptr ptr;
+   ssize_t ret;
 
-   ep = mon_text_read_wait(rp, file);
-   if (IS_ERR(ep))
-   return PTR_ERR(ep);
mutex_lock(>printf_lock);
-   ptr.cnt = 0;
-   ptr.pbuf = rp->printf_buf;
-   ptr.limit = rp->printf_size;
 
-   mon_text_read_head_u(rp, , ep);
-   if (ep->type == 'E') {
-   mon_text_read_statset(rp, , ep);
-   } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
-   mon_text_read_isostat(rp, , ep);
-   mon_text_read_isodesc(rp, , ep);
-   } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
-   mon_text_read_intstat(rp, , ep);
-   } else {
-   mon_text_read_statset(rp, , ep);
+   if (rp->printf_togo == 0) {
+
+   ep = mon_text_read_wait(rp, file);
+   if (IS_ERR(ep)) {
+   mutex_unlock(>printf_lock);
+   return PTR_ERR(ep);
+   }
+   ptr.cnt = 0;
+   ptr.pbuf = rp->printf_buf;
+   ptr.limit = rp->printf_size;
+
+   mon_text_read_head_u(rp, , ep);
+
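
Review bot: In mon_text_read_t(), "rp->printf_togo = ptr.cnt;" trusts ptr.cnt to lie within the buffer, but a few lines earlier the count is accumulated with "ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, ...)", and snprintf() returns the length that would have been written, not the length actually stored. If a formatted record is ever longer than printf_size, mon_text_copy_to_user() would copy from past the end of printf_buf. Clamping the count to printf_size when it is stored, or accumulating with scnprintf(), closes that, and the same applies to mon_text_read_u(). Separately, mon_text_read_wait() is now called with printf_lock held, so a reader blocked waiting for an event keeps the mutex; a comment on whether that is intended would help. printf_togo and printf_offset are size_t while printf_size is int, so a note on the expected ranges in struct mon_reader_text is worth adding.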

[PATCH 4.14 002/109] net: phy: Restore phy_resume() locking assumption

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Andrew Lunn 

commit 9c2c2e62df3fa30fb13fbeb7512a4eede729383b upstream.

commit f5e64032a799 ("net: phy: fix resume handling") changes the
locking semantics for phy_resume() such that the caller now needs to
hold the phy mutex. Not all call sites were adopted to this new
semantic, resulting in warnings from the added
WARN_ON(!mutex_is_locked(>lock)).  Rather than change the
semantics, add a __phy_resume() and restore the old behavior of
phy_resume().

Reported-by: Heiner Kallweit 
Fixes: f5e64032a799 ("net: phy: fix resume handling")
Signed-off-by: Andrew Lunn 
Reviewed-by: Florian Fainelli 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/phy/phy.c|2 +-
 drivers/net/phy/phy_device.c |   18 +-
 include/linux/phy.h  |1 +
 3 files changed, 15 insertions(+), 6 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -841,7 +841,7 @@ void phy_start(struct phy_device *phydev
break;
case PHY_HALTED:
/* if phy was suspended, bring the physical link up again */
-   phy_resume(phydev);
+   __phy_resume(phydev);
 
/* make sure interrupts are re-enabled for the PHY */
if (phy_interrupt_is_valid(phydev)) {
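
Review bot: phy_start() now calls "__phy_resume(phydev);", which per the commit message expects the caller to hold the phy mutex, but the lock acquisition is not visible in this hunk. A short comment at the call site stating that this switch runs under the phy mutex would make the choice of the unlocked variant self-explanatory.
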
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -135,9 +135,7 @@ static int mdio_bus_phy_resume(struct de
if (!mdio_bus_phy_may_suspend(phydev))
goto no_resume;
 
-   mutex_lock(>lock);
ret = phy_resume(phydev);
-   mutex_unlock(>lock);
if (ret < 0)
return ret;
 
@@ -1028,9 +1026,7 @@ int phy_attach_direct(struct net_device
if (err)
goto error;
 
-   mutex_lock(>lock);
phy_resume(phydev);
-   mutex_unlock(>lock);
phy_led_triggers_register(phydev);
 
return err;
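
Review bot: In phy_attach_direct(), "phy_resume(phydev);" still discards the return value, while mdio_bus_phy_resume() in the previous hunk checks "ret < 0". Now that phy_resume() takes the lock itself and returns the result of __phy_resume(), either propagate the error here or add a comment on why a failed resume is acceptable during attach.
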
@@ -1156,7 +1152,7 @@ int phy_suspend(struct phy_device *phyde
 }
 EXPORT_SYMBOL(phy_suspend);
 
-int phy_resume(struct phy_device *phydev)
+int __phy_resume(struct phy_device *phydev)
 {
struct phy_driver *phydrv = to_phy_driver(phydev->mdio.dev.driver);
int ret = 0;
@@ -1173,6 +1169,18 @@ int phy_resume(struct phy_device *phydev
 
return ret;
 }
+EXPORT_SYMBOL(__phy_resume);
+
+int phy_resume(struct phy_device *phydev)
+{
+   int ret;
+
+   mutex_lock(>lock);
+   ret = __phy_resume(phydev);
+   mutex_unlock(>lock);
+
+   return ret;
+}
 EXPORT_SYMBOL(phy_resume);
 
 int phy_loopback(struct phy_device *phydev, bool enable)
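
Review bot: __phy_resume() is exported here and declared in include/linux/phy.h without any kernel-doc, so nothing at the definition says that it must be called with the phy mutex held while phy_resume() takes the mutex itself. A brief comment on both functions stating the locking contract would keep the caller mismatch that this patch fixes from recurring.
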
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -817,6 +817,7 @@ void phy_device_remove(struct phy_device
 int phy_init_hw(struct phy_device *phydev);
 int phy_suspend(struct phy_device *phydev);
 int phy_resume(struct phy_device *phydev);
+int __phy_resume(struct phy_device *phydev);
 int phy_loopback(struct phy_device *phydev, bool enable);
 struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
  phy_interface_t interface);




[PATCH 4.14 020/109] usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Xinyong 

commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream.

When I debug a kernel crash issue in functionfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free error.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr 
ffc0579386a0
Read of size 4 by task umount/4650

BUG kmalloc-512 (Tainted: PW  O   ): kasan: bad access detected
-

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
alloc_debug_processing+0x1ac/0x1e8
___slab_alloc.constprop.63+0x640/0x648
__slab_alloc.isra.57.constprop.62+0x24/0x34
kmem_cache_alloc_trace+0x1a8/0x2bc
ffs_fs_mount+0x194/0x844
mount_fs+0x6c/0x1d0
vfs_kern_mount+0x50/0x1b4
do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
free_debug_processing+0x22c/0x434
__slab_free+0x2d8/0x3a0
kfree+0x254/0x264
ffs_data_put+0x25c/0x320
ffs_data_closed+0x124/0x15c
ffs_fs_kill_sb+0xb8/0x110
deactivate_locked_super+0x6c/0x98
deactivate_super+0xb0/0xbc
INFO: Object 0xffc057938600 @offset=1536 fp=0x  (null)
..
Call trace:
[] dump_backtrace+0x0/0x250
[] show_stack+0x14/0x1c
[] dump_stack+0xa0/0xc8
[] print_trailer+0x158/0x260
[] object_err+0x3c/0x40
[] kasan_report_error+0x2a8/0x754
[] kasan_report+0x5c/0x60
[] __asan_load4+0x70/0x88
[] refcount_dec_and_test+0x14/0xe0
[] ffs_data_put+0x80/0x320
[] ffs_fs_kill_sb+0xc8/0x110
[] deactivate_locked_super+0x6c/0x98
[] deactivate_super+0xb0/0xbc
[] cleanup_mnt+0x64/0xec
[] __cleanup_mnt+0x10/0x18
[] task_work_run+0xcc/0x124
[] do_notify_resume+0x60/0x70
[] work_pending+0x10/0x14

Cc: sta...@vger.kernel.org
Signed-off-by: Xinyong 
Signed-off-by: Felipe Balbi 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/gadget/function/f_fs.c |1 -
 1 file changed, 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1539,7 +1539,6 @@ ffs_fs_kill_sb(struct super_block *sb)
if (sb->s_fs_info) {
ffs_release_dev(sb->s_fs_info);
ffs_data_closed(sb->s_fs_info);
-   ffs_data_put(sb->s_fs_info);
}
 }
 
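Review bot: With "ffs_data_put(sb->s_fs_info);" removed, ffs_fs_kill_sb() depends on ffs_data_closed() dropping the last reference, and the KASAN report in the commit message shows that path freeing the object (kfree via ffs_data_put, called from ffs_data_closed). sb->s_fs_info is left pointing at that memory afterwards. Setting it to NULL after the call, together with a comment that ffs_data_closed() consumes the reference, would make the ownership explicit and guard against a later access through the superblock.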




Re: arm64 kvm built with clang doesn't boot

2018-03-16 Thread Nick Desaulniers
+ Sami (Google), Takahiro (Linaro)

Just so I fully understand the problem enough to articulate it, we'd be
looking for the compiler to keep the jump tables for speed (I would guess
-fno-jump-tables would emit an if-else chain) but only emit relative jumps
(not absolute jumps)?

> Perhaps Nick can comment on whether something like
> -fno-absolute-addressing would be feasible in clang.

Checked with some of my LLVM friends.  They mentioned that this is tricky
because you need to move the addresses of the jump table from a data
section back into the text section.

Looks like LLVM has an interesting method
`shouldPutJumpTableInFunctionSection` [0]. Unfortunately, it gets
overridden for ELF to always return false. [1]

It looks like there's also a flag `no-jump-tables` [2].  Looks like Sami
has used this in the past in kvm. [3]

It's still probably possible to add this to LLVM, so I can pursue that with
LLVM devs.

> But just for the reference, I'm using 4.16-rc4 with a patch to fix SMCCC
> issues that you mentioned.

Is this in regards to: commit "arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP
hardening support"? Has anyone tried to upstream a fix for this?  We
probably want to be very explicit with register widths here.

[0]
https://github.com/llvm-mirror/llvm/blob/a5bd54307b1adacb3df297b9b8010979b9afa4d7/lib/Target/TargetLoweringObjectFile.cpp#L280
[1]
https://github.com/llvm-mirror/llvm/blob/e7676fec11b02e4b698b5ffc99e1901246a7bf66/lib/CodeGen/TargetLoweringObjectFileImpl.cpp#L494
[2]
https://github.com/llvm-mirror/llvm/blob/11f5adb29bf90bc1a40b8bb512afcff4b1ac0f56/lib/Transforms/Utils/SimplifyCFG.cpp#L5233
[3] https://patchwork.kernel.org/patch/10060301/

--
Thanks,
~Nick Desaulniers


[PATCH 4.9 40/86] Revert "x86/retpoline: Simplify vmexit_fill_RSB()"

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: David Woodhouse 

commit d1c99108af3c5992640aa2afa7d2e88c3775c06e upstream.

This reverts commit 1dde7415e99933bb7293d6b2843752cbdb43ec11. By putting
the RSB filling out of line and calling it, we waste one RSB slot for
returning from the function itself, which means one fewer actual function
call we can make if we're doing the Skylake abomination of call-depth
counting.

It also changed the number of RSB stuffings we do on vmexit from 32,
which was correct, to 16. Let's just stop with the bikeshedding; it
didn't actually *fix* anything anyway.

Signed-off-by: David Woodhouse 
Acked-by: Thomas Gleixner 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: arjan.van.de@intel.com
Cc: b...@alien8.de
Cc: dave.han...@intel.com
Cc: jmatt...@google.com
Cc: karah...@amazon.de
Cc: k...@vger.kernel.org
Cc: pbonz...@redhat.com
Cc: rkrc...@redhat.com
Link: http://lkml.kernel.org/r/1519037457-7643-4-git-send-email-d...@amazon.co.uk
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/entry/entry_32.S |3 -
 arch/x86/entry/entry_64.S |3 -
 arch/x86/include/asm/asm-prototypes.h |3 -
 arch/x86/include/asm/nospec-branch.h  |   70 ++
 arch/x86/lib/Makefile |1 
 arch/x86/lib/retpoline.S  |   56 ---
 6 files changed, 65 insertions(+), 71 deletions(-)

--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -237,8 +237,7 @@ ENTRY(__switch_to_asm)
 * exist, overwrite the RSB with entries which capture
 * speculative execution to prevent attack.
 */
-   /* Clobbers %ebx */
-   FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
+   FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
 #endif
 
/* restore callee-saved registers */
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -331,8 +331,7 @@ ENTRY(__switch_to_asm)
 * exist, overwrite the RSB with entries which capture
 * speculative execution to prevent attack.
 */
-   /* Clobbers %rbx */
-   FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
+   FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
 #endif
 
/* restore callee-saved registers */
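Review bot: the scratch register passed to FILL_RETURN_BUFFER here is %r12, while the comment being removed said the out-of-line version clobbered %rbx, and nothing in the hunk says why %r12 is free at this point. The context that follows restores the callee-saved registers, so it is presumably dead here, but a one-line comment to that effect, like the deleted "Clobbers" comment, would make that checkable.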
--- a/arch/x86/include/asm/asm-prototypes.h
+++ b/arch/x86/include/asm/asm-prototypes.h
@@ -37,7 +37,4 @@ INDIRECT_THUNK(dx)
 INDIRECT_THUNK(si)
 INDIRECT_THUNK(di)
 INDIRECT_THUNK(bp)
-asmlinkage void __fill_rsb(void);
-asmlinkage void __clear_rsb(void);
-
 #endif /* CONFIG_RETPOLINE */
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -8,6 +8,50 @@
 #include 
 #include 
 
+/*
+ * Fill the CPU return stack buffer.
+ *
+ * Each entry in the RSB, if used for a speculative 'ret', contains an
+ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
+ *
+ * This is required in various cases for retpoline and IBRS-based
+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+ * eliminate potentially bogus entries from the RSB, and sometimes
+ * purely to ensure that it doesn't get empty, which on some CPUs would
+ * allow predictions from other (unwanted!) sources to be used.
+ *
+ * We define a CPP macro such that it can be used from both .S files and
+ * inline assembly. It's possible to do a .macro and then include that
+ * from C via asm(".include ") but let's not go there.
+ */
+
+#define RSB_CLEAR_LOOPS32  /* To forcibly overwrite all 
entries */
+#define RSB_FILL_LOOPS 16  /* To avoid underflow */
+
+/*
+ * Google experimented with loop-unrolling and this turned out to be
+ * the optimal version — two calls, each with their own speculation
+ * trap should their return address end up getting used, in a loop.
+ */
+#define __FILL_RETURN_BUFFER(reg, nr, sp)  \
+   mov $(nr/2), reg;   \
+771:   \
+   call772f;   \
+773:   /* speculation trap */  \
+   pause;  \
+   lfence; \
+   jmp 773b;   \
+772:   \
+   call774f;   \
+775:   /* speculation trap */  \
+   pause;  \
+   lfence; \
+   jmp 775b;   \
+774:   \
+   dec reg;\
+   jnz 771b;   \
+   add $(BITS_PER_LONG/8) * nr, 
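Review bot: in __FILL_RETURN_BUFFER the macro argument nr is used unparenthesized, in `mov $(nr/2), reg` and in `add $(BITS_PER_LONG/8) * nr`, so an expression argument would be evaluated with the wrong precedence, and an odd nr would fill one entry fewer than requested because each loop iteration makes two calls. Writing (nr) in both places and stating in the comment above the macro that nr must be even would cover both; the values 32 and 16 named in the commit message are fine as they stand.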

[PATCH -next 20/22] net: socket: add __compat_sys_getsockopt() helper; remove in-kernel call to compat syscall

2018-03-16 Thread Dominik Brodowski
Using the net-internal helper __compat_sys_getsockopt() allows us to avoid
the internal calls to the compat_sys_getsockopt() syscall.

Cc: David S. Miller 
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski 
---
 net/compat.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/compat.c b/net/compat.c
index 75bfcbbb2e3e..cdf5b0c1b962 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -509,8 +509,9 @@ int compat_sock_get_timestampns(struct sock *sk, struct 
timespec __user *usersta
 }
 EXPORT_SYMBOL(compat_sock_get_timestampns);
 
-COMPAT_SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
-  char __user *, optval, int __user *, optlen)
+static int __compat_sys_getsockopt(int fd, int level, int optname,
+  char __user *optval,
+  int __user *optlen)
 {
int err;
struct socket *sock = sockfd_lookup(fd, );
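Review bot: the new static __compat_sys_getsockopt() has no comment, and its name alone does not say that optval and optlen are still __user pointers or that it is now the shared body for both the compat getsockopt syscall and the socketcall path. A short comment above the definition stating that would help anyone tempted to call it with kernel pointers.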
@@ -536,6 +537,12 @@ COMPAT_SYSCALL_DEFINE5(getsockopt, int, fd, int, level, 
int, optname,
return err;
 }
 
+COMPAT_SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
+  char __user *, optval, int __user *, optlen)
+{
+   return __compat_sys_getsockopt(fd, level, optname, optval, optlen);
+}
+
 struct compat_group_req {
__u32gr_interface;
struct __kernel_sockaddr_storage gr_group
@@ -874,8 +881,9 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, 
args)
  compat_ptr(a[3]), a[4]);
break;
case SYS_GETSOCKOPT:
-   ret = compat_sys_getsockopt(a0, a1, a[2],
-   compat_ptr(a[3]), compat_ptr(a[4]));
+   ret = __compat_sys_getsockopt(a0, a1, a[2],
+ compat_ptr(a[3]),
+ compat_ptr(a[4]));
break;
case SYS_SENDMSG:
ret = compat_sys_sendmsg(a0, compat_ptr(a1), a[2]);
-- 
2.16.2



[PATCH 4.9 38/86] nospec: Kill array_index_nospec_mask_check()

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Williams 

commit 1d91c1d2c80cb70e2e553845e278b87a960c04da upstream.

There are multiple problems with the dynamic sanity checking in
array_index_nospec_mask_check():

* It causes unnecessary overhead in the 32-bit case since integer sized
  @index values will no longer cause the check to be compiled away like
  in the 64-bit case.

* In the 32-bit case it may trigger with user controllable input when
  the expectation is that it should only trigger during development of new
  kernel enabling.

* The macro reuses the input parameter in multiple locations which is
  broken if someone passes an expression like 'index++' to
  array_index_nospec().

Reported-by: Linus Torvalds 
Signed-off-by: Dan Williams 
Cc: Andy Lutomirski 
Cc: Arjan van de Ven 
Cc: Borislav Petkov 
Cc: Dave Hansen 
Cc: David Woodhouse 
Cc: Greg Kroah-Hartman 
Cc: Josh Poimboeuf 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: Will Deacon 
Cc: linux-a...@vger.kernel.org
Link: http://lkml.kernel.org/r/151881604278.17395.6605847763178076520.st...@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/nospec.h |   22 +-
 1 file changed, 1 insertion(+), 21 deletions(-)

--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -30,26 +30,6 @@ static inline unsigned long array_index_
 #endif
 
 /*
- * Warn developers about inappropriate array_index_nospec() usage.
- *
- * Even if the CPU speculates past the WARN_ONCE branch, the
- * sign bit of @index is taken into account when generating the
- * mask.
- *
- * This warning is compiled out when the compiler can infer that
- * @index and @size are less than LONG_MAX.
- */
-#define array_index_mask_nospec_check(index, size) 
\
-({ 
\
-   if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX,  
\
-   "array_index_nospec() limited to range of [0, LONG_MAX]\n"))
\
-   _mask = 0;  
\
-   else
\
-   _mask = array_index_mask_nospec(index, size);   
\
-   _mask;  
\
-})
-
-/*
  * array_index_nospec - sanitize an array index after a bounds check
  *
  * For a code sequence like:
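Review bot: the deleted comment and WARN_ONCE string were the only place in the visible header that stated array_index_nospec() is limited to the range [0, LONG_MAX]; with them removed, that constraint is no longer documented. Suggest carrying one sentence about the range, and about the sign bit of @index being taken into account when the mask is generated, into the array_index_nospec() comment that follows.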
@@ -67,7 +47,7 @@ static inline unsigned long array_index_
 ({ \
typeof(index) _i = (index); \
typeof(size) _s = (size);   \
-   unsigned long _mask = array_index_mask_nospec_check(_i, _s);\
+   unsigned long _mask = array_index_mask_nospec(_i, _s);  \
\
BUILD_BUG_ON(sizeof(_i) > sizeof(long));\
BUILD_BUG_ON(sizeof(_s) > sizeof(long));\
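The third problem listed in the commit message (a macro that expands its argument more than once) and the [0, LONG_MAX] range named in the removed warning, shown as an added userspace example; it is not kernel code and not part of the patch. index_mask() is assumed to match the kernel's generic C fallback for array_index_mask_nospec(); CLAMP_MULTI_EVAL, CLAMP_SINGLE_EVAL, clamp_index() and next_index() are hypothetical names, and the statement expression needs GCC or Clang.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))

/*
 * Assumed to mirror the generic fallback: ~0UL when index < size, 0 otherwise.
 * Relies on arithmetic right shift of a negative long (GCC and Clang do this).
 * Any value with the top bit set, in index or in size - 1 - index, yields 0,
 * which is where the [0, LONG_MAX] limit comes from.
 */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Hypothetical macro that, like the removed check, expands 'index' twice. */
#define CLAMP_MULTI_EVAL(index, size) \
	((index) & index_mask((index), (size)))

/* Same shape as the lines kept by the patch: copy each argument once, then mask. */
#define CLAMP_SINGLE_EVAL(index, size)				\
({								\
	__typeof__(index) _i = (index);				\
	__typeof__(size) _s = (size);				\
	unsigned long _mask = index_mask(_i, _s);		\
	(__typeof__(_i))(_i & _mask);				\
})

/* Constructed side-effecting index source: counts how often it is evaluated. */
static unsigned long calls;

static unsigned long next_index(void)
{
	return calls++;
}

/* Number of times the index expression runs with the double-expansion macro. */
unsigned long evaluations_multi(void)
{
	calls = 0;
	(void)CLAMP_MULTI_EVAL(next_index(), 8UL);
	return calls;
}

/* Number of times the index expression runs with the single-evaluation macro. */
unsigned long evaluations_single(void)
{
	calls = 0;
	(void)CLAMP_SINGLE_EVAL(next_index(), 8UL);
	return calls;
}

/* Clamp an index the way a caller would after its bounds check. */
unsigned long clamp_index(unsigned long index, unsigned long size)
{
	return CLAMP_SINGLE_EVAL(index, size);
}

int main(void)
{
	printf("in range      3/8  -> %lu\n", clamp_index(3, 8));
	printf("out of range  9/8  -> %lu\n", clamp_index(9, 8));
	/* size above LONG_MAX: the mask is 0 even though 5 < size */
	printf("mask(5, ULONG_MAX) -> %lx\n", index_mask(5, ULONG_MAX));
	printf("index evaluated: multi=%lu single=%lu\n",
	       evaluations_multi(), evaluations_single());
	return 0;
}
```

With the double-expansion macro the value that is masked and the value the mask was computed from come from two separate evaluations, so they need not be the same index.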




[PATCH 4.9 39/86] nospec: Include dependency

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Williams 

commit eb6174f6d1be16b19cfa43dac296bfed003ce1a6 upstream.

The nospec.h header expects the per-architecture header file
 to optionally define array_index_mask_nospec(). Include
that dependency to prevent inadvertent fallback to the default
array_index_mask_nospec() implementation.

The default implementation may not provide a full mitigation
on architectures that perform data value speculation.

Reported-by: Christian Borntraeger 
Signed-off-by: Dan Williams 
Cc: Andy Lutomirski 
Cc: Arjan van de Ven 
Cc: Borislav Petkov 
Cc: Dave Hansen 
Cc: David Woodhouse 
Cc: Greg Kroah-Hartman 
Cc: Josh Poimboeuf 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: Will Deacon 
Cc: linux-a...@vger.kernel.org
Link: http://lkml.kernel.org/r/151881605404.17395.1341935530792574707.st...@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/nospec.h |1 +
 1 file changed, 1 insertion(+)

--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -5,6 +5,7 @@
 
 #ifndef _LINUX_NOSPEC_H
 #define _LINUX_NOSPEC_H
+#include 
 
 /**
  * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 
otherwise
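Review bot: the added #include carries no comment saying it is there so that an architecture's array_index_mask_nospec() override is seen before the generic fallback, which is the whole reason given in the commit message. Nothing else in the visible part of this header uses it, so a later include cleanup could drop it as unused; a one-line comment next to the include would prevent that.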




[PATCH -next 06/22] net: socket: add __sys_connect() helper; remove in-kernel call to syscall

2018-03-16 Thread Dominik Brodowski
Using the net-internal helper __sys_connect() allows us to avoid the
internal calls to the sys_connect() syscall.

Cc: David S. Miller 
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski 
---
 include/linux/socket.h |  2 ++
 net/compat.c   |  2 +-
 net/socket.c   | 11 ---
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/include/linux/socket.h b/include/linux/socket.h
index e9cee272da13..7daa344d7320 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -365,5 +365,7 @@ extern int __sys_accept4(int fd, struct sockaddr __user 
*upeer_sockaddr,
 int __user *upeer_addrlen, int flags);
 extern int __sys_socket(int family, int type, int protocol);
 extern int __sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen);
+extern int __sys_connect(int fd, struct sockaddr __user *uservaddr,
+int addrlen);
 
 #endif /* _LINUX_SOCKET_H */
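Review bot: __sys_connect() is described in the commit message as a net-internal helper, but this declaration in include/linux/socket.h makes it visible to every includer of the header. A comment above this block of __sys_*() declarations saying they are meant for net/ and the compat code only would make the intended scope explicit.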
diff --git a/net/compat.c b/net/compat.c
index bba555b1d863..7ab6352268f3 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -817,7 +817,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, 
args)
ret = __sys_bind(a0, compat_ptr(a1), a[2]);
break;
case SYS_CONNECT:
-   ret = sys_connect(a0, compat_ptr(a1), a[2]);
+   ret = __sys_connect(a0, compat_ptr(a1), a[2]);
break;
case SYS_LISTEN:
ret = sys_listen(a0, a1);
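Review bot: the SYS_LISTEN case in the trailing context still calls sys_listen() directly, so after this patch the socketcall switch mixes __sys_*() helpers with in-kernel syscall calls. If a later patch in the series converts it, saying so in the commit message would help someone reading this patch on its own.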
diff --git a/net/socket.c b/net/socket.c
index 291cdae97341..64bdfdf6c6e7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1633,8 +1633,7 @@ SYSCALL_DEFINE3(accept, int, fd, struct sockaddr __user 
*, upeer_sockaddr,
  * include the -EINPROGRESS status for such sockets.
  */
 
-SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
-   int, addrlen)
+int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
 {
struct socket *sock;
struct sockaddr_storage address;
@@ -1660,6 +1659,12 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user 
*, uservaddr,
return err;
 }
 
+SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+   int, addrlen)
+{
+   return __sys_connect(fd, uservaddr, addrlen);
+}
+
 /*
  * Get the local address ('name') of a socket object. Move the obtained
  * name to user space.
@@ -2479,7 +2484,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long 
__user *, args)
err = __sys_bind(a0, (struct sockaddr __user *)a1, a[2]);
break;
case SYS_CONNECT:
-   err = sys_connect(a0, (struct sockaddr __user *)a1, a[2]);
+   err = __sys_connect(a0, (struct sockaddr __user *)a1, a[2]);
break;
case SYS_LISTEN:
err = sys_listen(a0, a1);
-- 
2.16.2



[PATCH 4.9 37/86] ALSA: hda: add dock and led support for HP ProBook 640 G2

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dennis Wassenberg 

commit 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 upstream.

This patch adds missing initialisation for HP 2013 UltraSlim Dock
Line-In/Out PINs and activates keyboard mute/micmute leds
for HP ProBook 640 G2

Signed-off-by: Dennis Wassenberg 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/patch_conexant.c |1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -850,6 +850,7 @@ static const struct snd_pci_quirk cxt506
SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", 
CXT_FIXUP_ASPIRE_DMIC),
SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+   SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
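Review bot: the new subsystem ID is written 0x80FD with upper-case hex digits, while most of the surrounding table (0x054f, 0x138d) uses lower case; 0x80fd would match. The placement after 0x807C keeps the HP entries in ascending order, which is right.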




[PATCH 4.9 33/86] ALSA: hda/realtek - Make dock sound work on ThinkPad L570

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dennis Wassenberg 

commit e4c07b3b66b7d6a24c2fe3b1ddeff5cd9b378b3a upstream.

One version of Lenovo Thinkpad T570 did not use ALC298
(like other Kaby Lake devices). Instead it uses ALC292.
In order to make the Lenovo dock work with that codec
the dock quirk for ALC292 will be used.

Signed-off-by: Dennis Wassenberg 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/patch_realtek.c |1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5801,6 +5801,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x17aa, 0x2245, "Thinkpad T470", 
ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x2246, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x2247, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+   SND_PCI_QUIRK(0x17aa, 0x2249, "Thinkpad", ALC292_FIXUP_TPT460),
SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
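Review bot: the added 0x2249 entry is the only one in this run that uses ALC292_FIXUP_TPT460 instead of ALC298_FIXUP_TPT470_DOCK, and its name string is just "Thinkpad", so the table gives no hint why it differs. Naming the model in the string would help, and the model needs settling first: the subject says ThinkPad L570 while the commit message says T570.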




[PATCH 4.9 36/86] ALSA: hda: add dock and led support for HP EliteBook 820 G3

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dennis Wassenberg 

commit aea808172018ca01abf53db808323aed23281835 upstream.

This patch adds missing initialisation for HP 2013 UltraSlim Dock
Line-In/Out PINs and activates keyboard mute/micmute leds
for HP EliteBook 820 G3

Signed-off-by: Dennis Wassenberg 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/patch_conexant.c |1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -849,6 +849,7 @@ static const struct snd_pci_quirk cxt506
SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", 
CXT_FIXUP_ASPIRE_DMIC),
SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", 
CXT_FIXUP_ASPIRE_DMIC),
SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+   SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),




[PATCH 4.4 50/63] x86/module: Detect and skip invalid relocations

2018-03-16 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Josh Poimboeuf 

commit eda9cec4c9a12208a6f69fbe68f72a6311d50032 upstream.

There have been some cases where external tooling (e.g., kpatch-build)
creates a corrupt relocation which targets the wrong address.  This is a
silent failure which can corrupt memory in unexpected places.

On x86, the bytes of data being overwritten by relocations are always
initialized to zero beforehand.  Use that knowledge to add sanity checks
to detect such cases before they corrupt memory.

Signed-off-by: Josh Poimboeuf 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: j...@kernel.org
Cc: live-patch...@vger.kernel.org
Link: http://lkml.kernel.org/r/37450d6c6225e54db107fba447ce9e56e5f758e9.1509713553.git.jpoim...@redhat.com
[ Restructured the messages, as it's unclear whether the relocation or the 
target is corrupted. ]
Signed-off-by: Ingo Molnar 
Cc: Matthias Kaehlcke 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/module.c |   13 +
 1 file changed, 13 insertions(+)

--- a/arch/x86/kernel/module.c
+++ b/arch/x86/kernel/module.c
@@ -170,19 +170,27 @@ int apply_relocate_add(Elf64_Shdr *sechd
case R_X86_64_NONE:
break;
case R_X86_64_64:
+   if (*(u64 *)loc != 0)
+   goto invalid_relocation;
*(u64 *)loc = val;
break;
case R_X86_64_32:
+   if (*(u32 *)loc != 0)
+   goto invalid_relocation;
*(u32 *)loc = val;
if (val != *(u32 *)loc)
goto overflow;
break;
case R_X86_64_32S:
+   if (*(s32 *)loc != 0)
+   goto invalid_relocation;
*(s32 *)loc = val;
if ((s64)val != *(s32 *)loc)
goto overflow;
break;
case R_X86_64_PC32:
+   if (*(u32 *)loc != 0)
+   goto invalid_relocation;
val -= (u64)loc;
*(u32 *)loc = val;
 #if 0
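Review bot: the four new `!= 0` checks depend on an assumption stated only in the commit message, that on x86 the bytes a relocation overwrites are zero beforehand. A comment at the first check, in the R_X86_64_64 case, recording that assumption would explain why a nonzero existing value is treated as corruption.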
@@ -198,6 +206,11 @@ int apply_relocate_add(Elf64_Shdr *sechd
}
return 0;
 
+invalid_relocation:
+   pr_err("x86/modules: Skipping invalid relocation target, existing value 
is nonzero for type %d, loc %p, val %Lx\n",
+  (int)ELF64_R_TYPE(rel[i].r_info), loc, val);
+   return -ENOEXEC;
+
 overflow:
pr_err("overflow in relocation type %d val %Lx\n",
   (int)ELF64_R_TYPE(rel[i].r_info), val);
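Review bot: the message at invalid_relocation says "Skipping invalid relocation target", but the code returns -ENOEXEC, so nothing is skipped and the whole apply_relocate_add() call fails; the text should say the relocation is rejected. The same pr_err() prints loc with %p, which on a 4.4 kernel writes the unhashed kernel address to the log, so consider whether the address is needed there.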




[PATCH 4.4 49/63] Revert "ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux"

2018-03-16 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit c86bfc7b7b01c4b98c29a39bd60e61fa8e337ebf which was
commit 74402055a2d3ec998a1ded599e86185a27d9bbf4 upstream.

The backport merged incorrectly, so I'm dropping it.

Reported-by: Ben Hutchings 
Cc: Adam Ford 
Cc: Tony Lindgren 
Signed-off-by: Greg Kroah-Hartman 


---
 arch/arm/boot/dts/logicpd-torpedo-som.dtsi |8 
 1 file changed, 8 deletions(-)

--- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
+++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
@@ -90,8 +90,6 @@
 };
 
  {
-   pinctrl-names = "default";
-   pinctrl-0 = <_pins>;
clock-frequency = <260>;
 
twl: twl@48 {
@@ -148,12 +146,6 @@
OMAP3630_CORE2_IOPAD(0x25da, PIN_INPUT_PULLUP | 
MUX_MODE2)   /* etk_ctl.sdmmc3_cmd */
>;
};
-   i2c1_pins: pinmux_i2c1_pins {
-   pinctrl-single,pins = <
-   OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0)
/* i2c1_scl.i2c1_scl */
-   OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0)
/* i2c1_sda.i2c1_sda */
-   >;
-   };
 };
 
 #include "twl4030.dtsi"




[PATCH 4.4 52/63] serial: sh-sci: prevent lockup on full TTY buffers

2018-03-16 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Ulrich Hecht 

commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream.

When the TTY buffers fill up to the configured maximum, a system lockup
occurs:

[  598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks:
[  598.825796]  0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1
[  598.832577]  (detected by 3, t=62517 jiffies, g=296, c=295, q=126)
[  598.838755] Task dump for CPU 0:
[  598.841977] swapper/0   R  running task0 0  0 0x0022
[  598.849023] Call trace:
[  598.851476]  __switch_to+0x98/0xb0
[  598.854870](null)

This can be prevented by doing a dummy read of the RX data register.

This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0;
reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms
as well.

Reported-by: Yoshihiro Shimoda 
Signed-off-by: Ulrich Hecht 
Reviewed-by: Geert Uytterhoeven 
Cc: stable 
Tested-by: Nguyen Viet Dung 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/serial/sh-sci.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -847,6 +847,8 @@ static void sci_receive_chars(struct uar
/* Tell the rest of the system the news. New characters! */
tty_flip_buffer_push(tport);
} else {
+   /* TTY buffers full; read from RX reg to prevent lockup */
+   serial_port_in(port, SCxRDR);
serial_port_in(port, SCxSR); /* dummy read */
sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port));
}
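Review bot: the added serial_port_in(port, SCxRDR) throws the received byte away without any accounting, so data loss while the TTY buffers are full is invisible. Consider incrementing port->icount.buf_overrun in this else branch so the drop shows up in the port statistics.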




[PATCH 4.4 19/63] bcache: dont attach backing with duplicate UUID

2018-03-16 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Lyle 

commit 86755b7a96faed57f910f9e6b8061e019ac1ec08 upstream.

This can happen e.g. during disk cloning.

This is an incomplete fix: it does not catch duplicate UUIDs earlier
when things are still unattached.  It does not unregister the device.
Further changes to cope better with this are planned but conflict with
Coly's ongoing improvements to handling device errors.  In the meantime,
one can manually stop the device after this has happened.

Attempts to attach a duplicate device result in:

[  136.372404] loop: module loaded
[  136.424461] bcache: register_bdev() registered backing device loop0
[  136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but 
duplicate UUID already attached

My test procedure is:

  dd if=/dev/sdb1 of=imgfile bs=1024 count=262144
  losetup -f imgfile

Signed-off-by: Michael Lyle 
Reviewed-by: Tang Junhui 
Cc: 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/super.c |   11 +++
 1 file changed, 11 insertions(+)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -935,6 +935,7 @@ int bch_cached_dev_attach(struct cached_
uint32_t rtime = cpu_to_le32(get_seconds());
struct uuid_entry *u;
char buf[BDEVNAME_SIZE];
+   struct cached_dev *exist_dc, *t;
 
bdevname(dc->bdev, buf);
 
@@ -958,6 +959,16 @@ int bch_cached_dev_attach(struct cached_
return -EINVAL;
}
 
+   /* Check whether already attached */
+   list_for_each_entry_safe(exist_dc, t, >cached_devs, list) {
+   if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) {
+   pr_err("Tried to attach %s but duplicate UUID already 
attached",
+   buf);
+
+   return -EINVAL;
+   }
+   }
+
u = uuid_find(c, dc->sb.uuid);
 
if (u &&
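Review bot: the new loop uses list_for_each_entry_safe() although nothing is removed from the list inside it; plain list_for_each_entry() is enough and lets the extra cursor t declared in the first hunk go away.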




Re: arc_usr_cmpxchg and preemption

2018-03-16 Thread Alexey Brodkin
Hi Peter, Vineet,

On Wed, 2018-03-14 at 18:53 +0100, Peter Zijlstra wrote:
> On Wed, Mar 14, 2018 at 09:58:19AM -0700, Vineet Gupta wrote:
> 
> > Well it is broken wrt the semantics the syscall is supposed to provide.
> > Preemption disabling is what prevents a concurrent thread from coming in and
> > modifying the same location (Imagine a variable which is being cmpxchg
> > concurrently by 2 threads).
> > 
> > One approach is to do it the MIPS way, emulate the llsc flag - set it under
> > preemption disabled section and clear it in switch_to
> 
> *shudder*... just catch the -EFAULT, force the write fault and retry.

The more I look at this initially quite simple thing, the more it looks like
a can of worms...

> Something like:
> 
> int sys_cmpxchg(u32 __user *user_ptr, u32 old, u32 new)
> {

That function is supposed to return the old value stored in memory.
At least that's how it is used in case of ARC and M68K.

Remember there's already libc that relies on that established API
and we cannot just change it... even though it might be a good idea.
For example return "errno" and pass old value via pointer in an argument.
But now I guess it's better to use what we have now.

>   u32 val;
>   int ret;
> 
> again:
>   ret = 0;
> 
>   preempt_disable();
>   val = get_user(user_ptr);

What if get_user() fails?
In Peter's implementation we will return 0, in Vineet's
we will return -EFAULT... and who knows what kind of unexpected behavior happens
further down the line in user-space... so I think it would be safer to kill
the process then.

And that's my take:
-->8
int sys_cmpxchg(u32 __user *user_ptr, u32 old, u32 new)
{
	u32 val;
	int ret;

again:
	ret = 0;

	preempt_disable();

	ret = get_user(val, user_ptr);
	if (ret == -EFAULT) {
		struct page *page;

		preempt_enable();
		ret = get_user_pages_fast((unsigned long)user_ptr, 1, 1, &page);
		if (ret < 0) {
			force_sig(SIGSEGV, current);
			return ret;
		}

		put_page(page);
		goto again;
	}

	if (val == old)
		ret = put_user(new, user_ptr);

	preempt_enable();

	if (ret == -EFAULT) {
		struct page *page;

		ret = get_user_pages_fast((unsigned long)user_ptr, 1, 1, &page);
		if (ret < 0) {
			force_sig(SIGSEGV, current);
			return ret;
		}

		put_page(page);
		goto again;
	}

	return ret;
}
-->8

-Alexey

[PATCH 4.4 20/63] x86/MCE: Serialize sysfs changes

2018-03-16 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Seunghun Han 

commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream.

The check_interval file in

  /sys/devices/system/machinecheck/machinecheck

directory is a global timer value for MCE polling. If it is changed by one
CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
mce_timer variable.

If more than one CPU writes a specific value to the check_interval file
concurrently, mce_timer is not protected from such concurrent accesses and
all kinds of explosions happen. Since only root can write to those sysfs
variables, the issue is not a big deal security-wise.

However, concurrent writes to these configuration variables are void of
reason so the proper thing to do is to serialize the access with a mutex.

Boris:

 - Make store_int_with_restart() use device_store_ulong() to filter out
   negative intervals
 - Limit min interval to 1 second
 - Correct locking
 - Massage commit message

Signed-off-by: Seunghun Han 
Signed-off-by: Borislav Petkov 
Signed-off-by: Thomas Gleixner 
Cc: Greg Kroah-Hartman 
Cc: Tony Luck 
Cc: linux-edac 
Cc: sta...@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkama...@gmail.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/cpu/mcheck/mce.c |   22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -60,6 +60,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute
smp_load_acquire(&(p)); \
 })
 
+/* sysfs synchronization */
+static DEFINE_MUTEX(mce_sysfs_mutex);
+
 #define CREATE_TRACE_POINTS
 #include 
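Review bot: the comment "sysfs synchronization" does not say what mce_sysfs_mutex protects. From the later hunks it serializes the ignore_ce, cmci_disabled and check_interval store handlers; naming those in the comment would tell the next person which paths must take it.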
 
@@ -2220,6 +2223,7 @@ static ssize_t set_ignore_ce(struct devi
if (kstrtou64(buf, 0, ) < 0)
return -EINVAL;
 
+   mutex_lock(_sysfs_mutex);
if (mca_cfg.ignore_ce ^ !!new) {
if (new) {
/* disable ce features */
@@ -2232,6 +2236,8 @@ static ssize_t set_ignore_ce(struct devi
on_each_cpu(mce_enable_ce, (void *)1, 1);
}
}
+   mutex_unlock(_sysfs_mutex);
+
return size;
 }
 
@@ -2244,6 +2250,7 @@ static ssize_t set_cmci_disabled(struct
if (kstrtou64(buf, 0, ) < 0)
return -EINVAL;
 
+   mutex_lock(_sysfs_mutex);
if (mca_cfg.cmci_disabled ^ !!new) {
if (new) {
/* disable cmci */
@@ -2255,6 +2262,8 @@ static ssize_t set_cmci_disabled(struct
on_each_cpu(mce_enable_ce, NULL, 1);
}
}
+   mutex_unlock(_sysfs_mutex);
+
return size;
 }
 
@@ -2262,8 +2271,19 @@ static ssize_t store_int_with_restart(st
  struct device_attribute *attr,
  const char *buf, size_t size)
 {
-   ssize_t ret = device_store_int(s, attr, buf, size);
+   unsigned long old_check_interval = check_interval;
+   ssize_t ret = device_store_ulong(s, attr, buf, size);
+
+   if (check_interval == old_check_interval)
+   return ret;
+
+   if (check_interval < 1)
+   check_interval = 1;
+
+   mutex_lock(_sysfs_mutex);
mce_restart();
+   mutex_unlock(_sysfs_mutex);
+
return ret;
 }
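Review bot: in store_int_with_restart() the mutex covers only mce_restart(); the read into old_check_interval, the device_store_ulong() write and the `check_interval < 1` clamp all run before mutex_lock(), so two concurrent writers can still interleave on check_interval. Taking mce_sysfs_mutex at the top of the function and releasing it on both return paths would serialize the whole update.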
 




[PATCH 4.4 10/63] drm/amdgpu: Notify sbios device ready before send request

2018-03-16 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Rex Zhu 

commit 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 upstream.

It is required if a platform supports PCIe root complex
core voltage reduction. After receiving this notification,
SBIOS can apply default PCIe root complex power policy.

Reviewed-by: Alex Deucher 
Signed-off-by: Rex Zhu 
Signed-off-by: Alex Deucher 
Cc: sta...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
@@ -585,6 +585,9 @@ int amdgpu_acpi_pcie_performance_request
size_t size;
u32 retry = 3;
 
+   if (amdgpu_acpi_pcie_notify_device_ready(adev))
+   return -EINVAL;
+
/* Get the device handle */
handle = ACPI_HANDLE(>pdev->dev);
if (!handle)
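Review bot: the new check returns -EINVAL whatever amdgpu_acpi_pcie_notify_device_ready() returned, which hides the real failure from the caller. Storing the result in a local and returning it unchanged would keep the original error code.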




[PATCH 3.18 04/25] x86/MCE: Serialize sysfs changes

2018-03-16 Thread Greg Kroah-Hartman
3.18-stable review patch.  If anyone has any objections, please let me know.

--

From: Seunghun Han 

commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream.

The check_interval file in

  /sys/devices/system/machinecheck/machinecheck

directory is a global timer value for MCE polling. If it is changed by one
CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
mce_timer variable.

If more than one CPU writes a specific value to the check_interval file
concurrently, mce_timer is not protected from such concurrent accesses and
all kinds of explosions happen. Since only root can write to those sysfs
variables, the issue is not a big deal security-wise.

However, concurrent writes to these configuration variables are void of
reason so the proper thing to do is to serialize the access with a mutex.

Boris:

 - Make store_int_with_restart() use device_store_ulong() to filter out
   negative intervals
 - Limit min interval to 1 second
 - Correct locking
 - Massage commit message

Signed-off-by: Seunghun Han 
Signed-off-by: Borislav Petkov 
Signed-off-by: Thomas Gleixner 
Cc: Greg Kroah-Hartman 
Cc: Tony Luck 
Cc: linux-edac 
Cc: sta...@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkama...@gmail.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/cpu/mcheck/mce.c |   22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -56,6 +56,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute
  rcu_read_lock_sched_held() || \
  lockdep_is_held(_chrdev_read_mutex))
 
+/* sysfs synchronization */
+static DEFINE_MUTEX(mce_sysfs_mutex);
+
 #define CREATE_TRACE_POINTS
 #include 
 
@@ -2183,6 +2186,7 @@ static ssize_t set_ignore_ce(struct devi
if (kstrtou64(buf, 0, ) < 0)
return -EINVAL;
 
+   mutex_lock(_sysfs_mutex);
if (mca_cfg.ignore_ce ^ !!new) {
if (new) {
/* disable ce features */
@@ -2195,6 +2199,8 @@ static ssize_t set_ignore_ce(struct devi
on_each_cpu(mce_enable_ce, (void *)1, 1);
}
}
+   mutex_unlock(_sysfs_mutex);
+
return size;
 }
 
@@ -2207,6 +2213,7 @@ static ssize_t set_cmci_disabled(struct
if (kstrtou64(buf, 0, ) < 0)
return -EINVAL;
 
+   mutex_lock(_sysfs_mutex);
if (mca_cfg.cmci_disabled ^ !!new) {
if (new) {
/* disable cmci */
@@ -2218,6 +2225,8 @@ static ssize_t set_cmci_disabled(struct
on_each_cpu(mce_enable_ce, NULL, 1);
}
}
+   mutex_unlock(_sysfs_mutex);
+
return size;
 }
 
@@ -2225,8 +2234,19 @@ static ssize_t store_int_with_restart(st
  struct device_attribute *attr,
  const char *buf, size_t size)
 {
-   ssize_t ret = device_store_int(s, attr, buf, size);
+   unsigned long old_check_interval = check_interval;
+   ssize_t ret = device_store_ulong(s, attr, buf, size);
+
+   if (check_interval == old_check_interval)
+   return ret;
+
+   if (check_interval < 1)
+   check_interval = 1;
+
+   mutex_lock(_sysfs_mutex);
mce_restart();
+   mutex_unlock(_sysfs_mutex);
+
return ret;
 }
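
Review bot: in store_int_with_restart() only mce_restart() sits inside mce_sysfs_mutex; the old_check_interval snapshot, the device_store_ulong() call and the comparison all run unlocked. Two concurrent writers can interleave so that one of them sees no change and returns without a restart, or both restart with a value the other one stored. Taking the mutex at the top of the function and releasing it before each return would serialize the whole update, which is what the commit message describes.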
 




[PATCH 3.18 03/25] Input: matrix_keypad - fix race when disabling interrupts

2018-03-16 Thread Greg Kroah-Hartman
3.18-stable review patch.  If anyone has any objections, please let me know.

--

From: Zhang Bo 

commit ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 upstream.

If matrix_keypad_stop() is executing and the keypad interrupt is triggered,
disable_row_irqs() may be called by both matrix_keypad_interrupt() and
matrix_keypad_stop() at the same time, causing interrupts to be disabled
twice and the keypad being "stuck" after resuming.

Take lock when setting keypad->stopped to ensure that ISR will not race
with matrix_keypad_stop() disabling interrupts.

Signed-off-by: Zhang Bo 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/keyboard/matrix_keypad.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/input/keyboard/matrix_keypad.c
+++ b/drivers/input/keyboard/matrix_keypad.c
@@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct in
 {
struct matrix_keypad *keypad = input_get_drvdata(dev);
 
+   spin_lock_irq(>lock);
keypad->stopped = true;
-   mb();
+   spin_unlock_irq(>lock);
+
flush_work(>work.work);
/*
 * matrix_keypad_scan() will leave IRQs enabled;
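
Review bot: replacing mb() with spin_lock_irq()/spin_unlock_irq() around `keypad->stopped = true;` only closes the race if matrix_keypad_interrupt() tests keypad->stopped and calls disable_row_irqs() under the same keypad->lock, and that side is not part of this hunk. A one-line comment above the lock naming the ISR path it pairs with would keep a later reader from treating a lock around a single store as removable.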




RE: [PATCH v5 0/2] Remove false-positive VLAs when using max()

2018-03-16 Thread David Laight
From: Linus Torvalds
> Sent: 16 March 2018 17:29
> On Fri, Mar 16, 2018 at 4:47 AM, Florian Weimer  wrote:
> >
> > If you want to catch stack frames which have unbounded size,
> > -Werror=stack-usage=1000 or -Werror=vla-larger-than=1000 (with the constant
> > adjusted as needed) might be the better approach.
> 
> No, we want to catch *variable* stack sizes.
> 
> Does "-Werror=vla-larger-than=0" perhaps work for that? No, because
> the stupid compiler says that is "meaningless".
> 
> And no, using "-Werror=vla-larger-than=1" doesn't work either, because
> the moronic compiler continues to think that "vla" is about the
> _type_, not the code:
> 
>t.c: In function ‘test’:
>t.c:6:6: error: argument to variable-length array is too large
> [-Werror=vla-larger-than=]
>  int array[(1,100)];
> 
> Gcc people are crazy.
> 
> Is there really no way to just say "shut up about the stupid _syntax_
> issue that is entirely irrelevant, and give us the _code_ issue".

I looked at the generated code for one of the constant sized VLA that
the compiler barfed at.
It seemed to subtract constants from %sp separately for the VLA.
So it looks like the compiler treats them as VLA even though it
knows the size.
That is probably missing optimisation.

David



[PATCH 4.14 036/109] drm/amdgpu: fix get_max_engine_clock_in_mhz

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Felix Kuehling 


[ Upstream commit a9efcc19161e20623c285fac967a32842972cebe ]

Use proper powerplay function. This fixes OpenCL initialization
problems.

Signed-off-by: Felix Kuehling 
Acked-by: Oded Gabbay 
Signed-off-by: Oded Gabbay 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c |7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
@@ -265,6 +265,9 @@ uint32_t get_max_engine_clock_in_mhz(str
 {
struct amdgpu_device *adev = (struct amdgpu_device *)kgd;
 
-   /* The sclk is in quantas of 10kHz */
-   return adev->pm.dpm.dyn_state.max_clock_voltage_on_ac.sclk / 100;
+   /* the sclk is in quantas of 10kHz */
+   if (amdgpu_sriov_vf(adev))
+   return adev->clock.default_sclk / 100;
+
+   return amdgpu_dpm_get_sclk(adev, false) / 100;
 }
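
Review bot: the added amdgpu_sriov_vf() branch returning adev->clock.default_sclk / 100 is not mentioned in the commit message, which only describes switching to the powerplay function. Please document why virtual functions take the default clock rather than amdgpu_dpm_get_sclk(). The capitalisation change in the comment is unrelated to the fix and can be dropped.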




[PATCH 4.14 037/109] staging: rtl8822be: fix missing null check on dev_alloc_skb return

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 


[ Upstream commit 3eb23426e1749a0483bc4c9b18e51f657569e3ed ]

dev_alloc_skb can potentially return NULL, so add a null check to
avoid a null pointer dereference on skb

Detected by CoverityScan, CID#1454558 ("Dereference on null return")

Fixes: 7e5b796cde7e ("staging: r8822be: Add the driver code")
Signed-off-by: Colin Ian King 
Acked-by: Larry Finger 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/staging/rtlwifi/rtl8822be/fw.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/rtlwifi/rtl8822be/fw.c
+++ b/drivers/staging/rtlwifi/rtl8822be/fw.c
@@ -464,6 +464,8 @@ bool rtl8822b_halmac_cb_write_data_rsvd_
int count;
 
skb = dev_alloc_skb(size);
+   if (!skb)
+   return false;
memcpy((u8 *)skb_put(skb, size), buf, size);
 
if (!_rtl8822be_send_bcn_or_cmd_packet(rtlpriv->hw, skb, BEACON_QUEUE))




[PATCH 4.14 005/109] ASoC: sgtl5000: Fix suspend/resume

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Fabio Estevam 

commit a8992973edbb2555e956b90f6fe97c4bc14d761d upstream.

Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in
SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume
sequence:

Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little
Endian, Rate 44100 Hz, Stereo
aplay: pcm_write:2051: write error: Input/output error

The problem is caused by the fact that the aforementioned commit
dropped the cache handling, so re-introduce the register map
resync to fix the problem.

Suggested-by: Mark Brown 
Signed-off-by: Fabio Estevam 
Signed-off-by: Mark Brown 
Cc: 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/soc/codecs/sgtl5000.c |   11 +++
 1 file changed, 11 insertions(+)

--- a/sound/soc/codecs/sgtl5000.c
+++ b/sound/soc/codecs/sgtl5000.c
@@ -871,15 +871,26 @@ static int sgtl5000_pcm_hw_params(struct
 static int sgtl5000_set_bias_level(struct snd_soc_codec *codec,
   enum snd_soc_bias_level level)
 {
+   struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec);
+   int ret;
+
switch (level) {
case SND_SOC_BIAS_ON:
case SND_SOC_BIAS_PREPARE:
case SND_SOC_BIAS_STANDBY:
+   regcache_cache_only(sgtl->regmap, false);
+   ret = regcache_sync(sgtl->regmap);
+   if (ret) {
+   regcache_cache_only(sgtl->regmap, true);
+   return ret;
+   }
+
snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
SGTL5000_REFTOP_POWERUP,
SGTL5000_REFTOP_POWERUP);
break;
case SND_SOC_BIAS_OFF:
+   regcache_cache_only(sgtl->regmap, true);
snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
SGTL5000_REFTOP_POWERUP, 0);
break;
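
Review bot: in the SND_SOC_BIAS_OFF case regcache_cache_only(sgtl->regmap, true) is called before snd_soc_update_bits() clears SGTL5000_REFTOP_POWERUP. If that update goes through sgtl->regmap, the write lands only in the cache and the bit is not cleared in hardware until the next regcache_sync(). If that is intended, say so in a comment; otherwise move the regcache_cache_only() call after the update.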




[PATCH 4.14 046/109] rtc: brcmstb-waketimer: fix error handling in brcmstb_waketmr_probe()

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Alexey Khoroshilov 


[ Upstream commit f2eef045de9defbc6fc6b72b17f0941cbe26c81d ]

brcmstb_waketmr_probe() does not disable timer->clk on error paths.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: c4f07ecee22e ("rtc: brcmstb-waketimer: Add Broadcom STB wake-timer")
Signed-off-by: Alexey Khoroshilov 
Reviewed-by: Florian Fainelli 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/rtc/rtc-brcmstb-waketimer.c |   15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/rtc/rtc-brcmstb-waketimer.c
+++ b/drivers/rtc/rtc-brcmstb-waketimer.c
@@ -253,7 +253,7 @@ static int brcmstb_waketmr_probe(struct
ret = devm_request_irq(dev, timer->irq, brcmstb_waketmr_irq, 0,
   "brcmstb-waketimer", timer);
if (ret < 0)
-   return ret;
+   goto err_clk;
 
timer->reboot_notifier.notifier_call = brcmstb_waketmr_reboot;
register_reboot_notifier(>reboot_notifier);
@@ -262,12 +262,21 @@ static int brcmstb_waketmr_probe(struct
 _waketmr_ops, THIS_MODULE);
if (IS_ERR(timer->rtc)) {
dev_err(dev, "unable to register device\n");
-   unregister_reboot_notifier(>reboot_notifier);
-   return PTR_ERR(timer->rtc);
+   ret = PTR_ERR(timer->rtc);
+   goto err_notifier;
}
 
dev_info(dev, "registered, with irq %d\n", timer->irq);
 
+   return 0;
+
+err_notifier:
+   unregister_reboot_notifier(>reboot_notifier);
+
+err_clk:
+   if (timer->clk)
+   clk_disable_unprepare(timer->clk);
+
return ret;
 }
 




[PATCH 4.14 030/109] HID: multitouch: Only look at non touch fields in first packet of a frame

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Hans de Goede 


[ Upstream commit 55746d28d66860bccaae20a67b55b9d5db7c14af ]

Devices in "single finger hybrid mode" will send one report per finger,
on some devices only the first report of such a multi-packet frame will
contain a value for BTN_LEFT, in subsequent reports (if multiple fingers
are down) the value is always 0, causing hid-mt to report BTN_LEFT going
1 - 0 - 1 - 0 when pressing a clickpad and putting down a second finger.
This happens for example on USB 0603:0002 mt touchpads.

This commit fixes this by only reporting non touch fields for the first
packet of a (possibly) multi-packet frame.

Signed-off-by: Hans de Goede 
Reviewed-by: Benjamin Tissoires 
Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/hid/hid-multitouch.c |   17 +++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -738,9 +738,11 @@ static int mt_touch_event(struct hid_dev
 }
 
 static void mt_process_mt_event(struct hid_device *hid, struct hid_field 
*field,
-   struct hid_usage *usage, __s32 value)
+   struct hid_usage *usage, __s32 value,
+   bool first_packet)
 {
struct mt_device *td = hid_get_drvdata(hid);
+   __s32 cls = td->mtclass.name;
__s32 quirks = td->mtclass.quirks;
struct input_dev *input = field->hidinput->input;
 
@@ -794,6 +796,15 @@ static void mt_process_mt_event(struct h
break;
 
default:
+   /*
+* For Win8 PTP touchpads we should only look at
+* non finger/touch events in the first_packet of
+* a (possible) multi-packet frame.
+*/
+   if ((cls == MT_CLS_WIN_8 || cls == MT_CLS_WIN_8_DUAL) &&
+   !first_packet)
+   return;
+
if (usage->type)
input_event(input, usage->type, usage->code,
value);
@@ -813,6 +824,7 @@ static void mt_touch_report(struct hid_d
 {
struct mt_device *td = hid_get_drvdata(hid);
struct hid_field *field;
+   bool first_packet;
unsigned count;
int r, n;
 
@@ -831,6 +843,7 @@ static void mt_touch_report(struct hid_d
td->num_expected = value;
}
 
+   first_packet = td->num_received == 0;
for (r = 0; r < report->maxfield; r++) {
field = report->field[r];
count = field->report_count;
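
Review bot: `first_packet = td->num_received == 0;` is only correct if td->num_received is reset to 0 at the end of every frame, and that reset is outside this hunk. A short comment here naming where the counter is cleared would make the dependency explicit, and parentheses around the comparison would make the assignment easier to read.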
@@ -840,7 +853,7 @@ static void mt_touch_report(struct hid_d
 
for (n = 0; n < count; n++)
mt_process_mt_event(hid, field, >usage[n],
-   field->value[n]);
+   field->value[n], first_packet);
}
 
if (td->num_received >= td->num_expected)




[PATCH 4.14 032/109] iwlwifi: mvm: rs: dont override the rate history in the search cycle

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Emmanuel Grumbach 


[ Upstream commit 992172e3aec19e5b0ea5b757ba40a146b9282d1e ]

When we are in a search cycle, we try different combinations
of parameters. Those combinations are called 'columns'.
When we switch to a new column, we first need to check if
this column has a suitable rate, if not, we can't try it.
This means we must not erase the statistics we gathered
for the previous column until we are sure that we are
indeed switching column.

The code that tries to switch to a new column first sets
a whole bunch of things for the new column, and only then
checks that we can find suitable rates in that column.
While doing that, the code mistakenly erased the rate
statistics. This code was right until
struct iwl_scale_tbl_info grew up for TPC.

Fix this to make sure we don't erase the rate statistics
until we are sure that we can indeed switch to the new
column.

Note that this bug is really harmless since it causes a
change in the behavior only when we can't find any rate
in the new column which should really not happen. In the
case we do find a suitable we reset the rate statistics
a few lines later anyway.

Signed-off-by: Emmanuel Grumbach 
Signed-off-by: Luca Coelho 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/wireless/intel/iwlwifi/mvm/rs.c |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
@@ -1881,12 +1881,10 @@ static int rs_switch_to_column(struct iw
struct rs_rate *rate = _tbl->rate;
const struct rs_tx_column *column = _tx_columns[col_id];
const struct rs_tx_column *curr_column = _tx_columns[tbl->column];
-   u32 sz = (sizeof(struct iwl_scale_tbl_info) -
- (sizeof(struct iwl_rate_scale_data) * IWL_RATE_COUNT));
unsigned long rate_mask = 0;
u32 rate_idx = 0;
 
-   memcpy(search_tbl, tbl, sz);
+   memcpy(search_tbl, tbl, offsetof(struct iwl_scale_tbl_info, win));
 
rate->sgi = column->sgi;
rate->ant = column->ant;
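
Review bot: memcpy(search_tbl, tbl, offsetof(struct iwl_scale_tbl_info, win)) copies everything laid out before `win` and nothing from `win` onward, so correctness now depends on member order in the struct. A member later added after `win` is silently left uncopied, and statistics added before it would be copied. Please add a comment at the struct definition, or a BUILD_BUG_ON, recording that `win` and whatever follows it must stay at the end.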




[PATCH 4.14 077/109] mwifiex: cfg80211: do not change virtual interface during scan processing

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Limin Zhu 


[ Upstream commit c61cfe49f0f0f0d1f8b56d0b045838d597e8c3a3 ]

(1) Change virtual interface operation in cfg80211 process reset and
reinitialize private data structure.
(2) Scan result event processed in main process will dereference private
data structure concurrently, occasionally crash the kernel.

The corner case could be triggered by below steps:
(1) wpa_cli mlan0 scan
(2) ./hostapd mlan0.conf

Cfg80211 asynchronous scan procedure is not all the time operated
under rtnl lock, here we add the protect to serialize the cfg80211
scan and change_virtual interface operation.

Signed-off-by: Limin Zhu 
Signed-off-by: Xinming Hu 
Signed-off-by: Kalle Valo 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/wireless/marvell/mwifiex/cfg80211.c |6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -1116,6 +1116,12 @@ mwifiex_cfg80211_change_virtual_intf(str
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
enum nl80211_iftype curr_iftype = dev->ieee80211_ptr->iftype;
 
+   if (priv->scan_request) {
+   mwifiex_dbg(priv->adapter, ERROR,
+   "change virtual interface: scan in process\n");
+   return -EBUSY;
+   }
+
switch (curr_iftype) {
case NL80211_IFTYPE_ADHOC:
switch (type) {
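
Review bot: the `if (priv->scan_request)` test is a bare read with no lock taken in this hunk, so a scan that starts right after the check still runs concurrently with the interface change. The commit message speaks of serializing the two operations, but this is a check-then-act guard rather than serialization. Either hold the lock that protects scan_request across the check and the switch, or state in a comment which lock the caller already holds. ERROR also looks too loud a level for an expected -EBUSY.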




[PATCH 4.14 056/109] clk: ti: clkctrl: add support for retrying failed init

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Tero Kristo 


[ Upstream commit 729e13bf58e643b9accd2a14c55b555958702fb0 ]

In case the clkctrl node contains assigned-clock-* entries, registering
the provider can fail with -EPROBE_DEFER. In this case, add the
provider to the retry_init clock list so it will be cleaned up later.

Signed-off-by: Tero Kristo 
Acked-by: Stephen Boyd 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/clk/ti/clkctrl.c |   12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/clk/ti/clkctrl.c
+++ b/drivers/clk/ti/clkctrl.c
@@ -400,6 +400,12 @@ _ti_clkctrl_setup_subclks(struct omap_cl
}
 }
 
+static void __init _clkctrl_add_provider(void *data,
+struct device_node *np)
+{
+   of_clk_add_hw_provider(np, _ti_omap4_clkctrl_xlate, data);
+}
+
 static void __init _ti_omap4_clkctrl_setup(struct device_node *node)
 {
struct omap_clkctrl_provider *provider;
@@ -411,6 +417,7 @@ static void __init _ti_omap4_clkctrl_set
struct omap_clkctrl_clk *clkctrl_clk;
const __be32 *addrp;
u32 addr;
+   int ret;
 
addrp = of_get_address(node, 0, NULL, NULL);
addr = (u32)of_translate_address(node, addrp);
@@ -485,7 +492,10 @@ static void __init _ti_omap4_clkctrl_set
reg_data++;
}
 
-   of_clk_add_hw_provider(node, _ti_omap4_clkctrl_xlate, provider);
+   ret = of_clk_add_hw_provider(node, _ti_omap4_clkctrl_xlate, provider);
+   if (ret == -EPROBE_DEFER)
+   ti_clk_retry_init(node, provider, _clkctrl_add_provider);
+
return;
 
 cleanup:
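
Review bot: after `ret = of_clk_add_hw_provider(...)` only -EPROBE_DEFER is acted on; any other non-zero ret falls through to `return;` with no message and no cleanup, and the retry callback _clkctrl_add_provider() discards the return value as well. At minimum log the unexpected error, and consider whether those failures should jump to the cleanup label.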




[PATCH 4.14 055/109] leds: pm8058: Silence pointer to integer size warning

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Bjorn Andersson 


[ Upstream commit 8f52df50d9366f770a894d14ef724e5e04574e98 ]

The pointer returned by of_device_get_match_data() doesn't have the same
size as u32 on 64-bit architectures, causing a compile warning when
compile-testing the driver on such platform.

Cast the return value of of_device_get_match_data() to unsigned long and
then to u32 to silence this warning.

Fixes: 7f866986e705 ("leds: add PM8058 LEDs driver")
Signed-off-by: Bjorn Andersson 
Reviewed-by: Linus Walleij 
Acked-by: Pavel Machek 
Signed-off-by: Lee Jones 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/leds/leds-pm8058.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/leds/leds-pm8058.c
+++ b/drivers/leds/leds-pm8058.c
@@ -106,7 +106,7 @@ static int pm8058_led_probe(struct platf
if (!led)
return -ENOMEM;
 
-   led->ledtype = (u32)of_device_get_match_data(>dev);
+   led->ledtype = (u32)(unsigned long)of_device_get_match_data(>dev);
 
map = dev_get_regmap(pdev->dev.parent, NULL);
if (!map) {




[PATCH 4.14 053/109] userns: Dont fail follow_automount based on s_user_ns

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: "Eric W. Biederman" 


[ Upstream commit bbc3e471011417598e598707486f5d8814ec9c01 ]

When vfs_submount was added the test to limit automounts from
filesystems that with s_user_ns != _user_ns accidentally left
in follow_automount.  The test was never about any security concerns
and was always about how do we implement this for filesystems whose
s_user_ns != _user_ns.

At the moment this check makes no difference as there are no
filesystems that both set FS_USERNS_MOUNT and implement d_automount.

Remove this check now while I am thinking about it so there will not
be odd booby traps for someone who does want to make this combination
work.

vfs_submount still needs improvements to allow this combination to work,
and vfs_submount contains a check that presents a warning.

The autofs4 filesystem could be modified to set FS_USERNS_MOUNT and it would
need not work on this code path, as userspace performs the mounts.

Fixes: 93faccbbfa95 ("fs: Better permission checking for submounts")
Fixes: aeaa4a79ff6a ("fs: Call d_automount with the filesystems creds")
Acked-by:  Ian Kent 
Signed-off-by: "Eric W. Biederman" 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 fs/namei.c |3 ---
 1 file changed, 3 deletions(-)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1133,9 +1133,6 @@ static int follow_automount(struct path
path->dentry->d_inode)
return -EISDIR;
 
-   if (path->dentry->d_sb->s_user_ns != _user_ns)
-   return -EACCES;
-
nd->total_link_count++;
if (nd->total_link_count >= 40)
return -ELOOP;
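
Review bot: removing the s_user_ns test drops the -EACCES exit from this part of follow_automount(), so the decision is left to vfs_submount(), whose check the commit message describes as one that presents a warning. Since this is a permission path, please leave a comment here pointing at the vfs_submount() check so that a later change there is reviewed with this caller in mind.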




[PATCH 4.14 057/109] power: supply: ab8500_charger: Fix an error handling path

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Christophe JAILLET 


[ Upstream commit bf59fddde1c3eab89eb8dca8f3d3dc097887d2bb ]

'ret' is known to be 0 at this point, because it has not been updated by the
previous call to 'abx500_mask_and_set_register_interruptible()'.

Fix it by updating 'ret' before checking if an error occurred.

Fixes: 84edbeeab67c ("ab8500-charger: AB8500 charger driver")
Signed-off-by: Christophe JAILLET 
Signed-off-by: Sebastian Reichel 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/power/supply/ab8500_charger.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/supply/ab8500_charger.c
+++ b/drivers/power/supply/ab8500_charger.c
@@ -3218,7 +3218,7 @@ static int ab8500_charger_init_hw_regist
}
 
/* Enable backup battery charging */
-   abx500_mask_and_set_register_interruptible(di->dev,
+   ret = abx500_mask_and_set_register_interruptible(di->dev,
AB8500_RTC, AB8500_RTC_CTRL_REG,
RTC_BUP_CH_ENA, RTC_BUP_CH_ENA);
if (ret < 0)




[PATCH 4.15 125/128] ima: relax requiring a file signature for new files with zero length

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Mimi Zohar 


[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ]

Custom policies can require file signatures based on LSM labels.  These
files are normally created and only afterwards labeled, requiring them
to be signed.

Instead of requiring file signatures based on LSM labels, entire
filesystems could require file signatures.  In this case, we need the
ability of writing new files without requiring file signatures.

The definition of a "new" file was originally defined as any file with
a length of zero.  Subsequent patches redefined a "new" file to be based
on the FILE_CREATE open flag.  By combining the open flag with a file
size of zero, this patch relaxes the file signature requirement.

Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE
Signed-off-by: Mimi Zohar 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 security/integrity/ima/ima_appraise.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -223,7 +223,8 @@ int ima_appraise_measurement(enum ima_ho
if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE;
if ((iint->flags & IMA_NEW_FILE) &&
-   !(iint->flags & IMA_DIGSIG_REQUIRED))
+   (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
+(inode->i_size == 0)))
status = INTEGRITY_PASS;
goto out;
}
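
Review bot: with the added `|| (inode->i_size == 0)` term, a file flagged IMA_NEW_FILE now gets INTEGRITY_PASS even when IMA_DIGSIG_REQUIRED is set, as long as it is empty at appraisal time. That is a relaxation on an integrity path and deserves a code comment stating why an empty, newly created file is safe to pass and where the signature requirement applies once data has been written. The inner parentheses around the i_size comparison are redundant.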




[PATCH 4.15 109/128] net: sched: drop qdisc_reset from dev_graft_qdisc

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: John Fastabend 


[ Upstream commit 7bbde83b1860c28a1cc35516352c4e7e5172c29a ]

In qdisc_graft_qdisc a "new" qdisc is attached and the 'qdisc_destroy'
operation is called on the old qdisc. The destroy operation will wait
a rcu grace period and call qdisc_rcu_free(). At which point
gso_cpu_skb is free'd along with all stats so no need to zero stats
and gso_cpu_skb from the graft operation itself.

Further after dropping the qdisc locks we can not continue to call
qdisc_reset before waiting an rcu grace period so that the qdisc is
detached from all cpus. By removing the qdisc_reset() here we get
the correct property of waiting an rcu grace period and letting the
qdisc_destroy operation clean up the qdisc correctly.

Note, a refcnt greater than 1 would cause the destroy operation to
be aborted however if this ever happened the reference to the qdisc
would be lost and we would have a memory leak.

Signed-off-by: John Fastabend 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 net/sched/sch_generic.c |   28 +++-
 1 file changed, 19 insertions(+), 9 deletions(-)

--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -762,10 +762,6 @@ struct Qdisc *dev_graft_qdisc(struct net
root_lock = qdisc_lock(oqdisc);
spin_lock_bh(root_lock);
 
-   /* Prune old scheduler */
-   if (oqdisc && refcount_read(>refcnt) <= 1)
-   qdisc_reset(oqdisc);
-
/* ... and graft new one */
if (qdisc == NULL)
qdisc = _qdisc;
@@ -916,6 +912,16 @@ static bool some_qdisc_is_busy(struct ne
return false;
 }
 
+static void dev_qdisc_reset(struct net_device *dev,
+   struct netdev_queue *dev_queue,
+   void *none)
+{
+   struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
+
+   if (qdisc)
+   qdisc_reset(qdisc);
+}
+
 /**
  * dev_deactivate_many - deactivate transmissions on several devices
  * @head: list of devices to deactivate
@@ -926,7 +932,6 @@ static bool some_qdisc_is_busy(struct ne
 void dev_deactivate_many(struct list_head *head)
 {
struct net_device *dev;
-   bool sync_needed = false;
 
list_for_each_entry(dev, head, close_list) {
netdev_for_each_tx_queue(dev, dev_deactivate_queue,
@@ -936,20 +941,25 @@ void dev_deactivate_many(struct list_hea
 _qdisc);
 
dev_watchdog_down(dev);
-   sync_needed |= !dev->dismantle;
}
 
/* Wait for outstanding qdisc-less dev_queue_xmit calls.
 * This is avoided if all devices are in dismantle phase :
 * Caller will call synchronize_net() for us
 */
-   if (sync_needed)
-   synchronize_net();
+   synchronize_net();
 
/* Wait for outstanding qdisc_run calls. */
-   list_for_each_entry(dev, head, close_list)
+   list_for_each_entry(dev, head, close_list) {
while (some_qdisc_is_busy(dev))
yield();
+   /* The new qdisc is assigned at this point so we can safely
+* unwind stale skb lists and qdisc statistics
+*/
+   netdev_for_each_tx_queue(dev, dev_qdisc_reset, NULL);
+   if (dev_ingress_queue(dev))
+   dev_qdisc_reset(dev, dev_ingress_queue(dev), NULL);
+   }
 }
 
 void dev_deactivate(struct net_device *dev)
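
Review bot: synchronize_net() is now called unconditionally, but the comment directly above it still says "This is avoided if all devices are in dismantle phase : Caller will call synchronize_net() for us". Please update or drop those comment lines, and mention in the commit message that the dismantle shortcut is gone, since callers that used to skip the wait now pay for a grace period.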




[PATCH 4.15 085/128] pinctrl: sh-pfc: r8a7791: Add can_clk function

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Fabrizio Castro 


[ Upstream commit 57eec02caee60332b8052615e7257f932ae07abc ]

This patch adds can_clk function to r8a7743/r8a7791 which is cleaner,
and allows for independent configuration.
We keep the can_clk* pins definitions from within can0_groups and
can1_groups for uniformity and backwards compatibility.

Signed-off-by: Fabrizio Castro 
Reviewed-by: Ramesh Shanmugasundaram 
Signed-off-by: Geert Uytterhoeven 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/pinctrl/sh-pfc/pfc-r8a7791.c |   22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -4826,6 +4826,10 @@ static const char * const can0_groups[]
"can0_data_d",
"can0_data_e",
"can0_data_f",
+   /*
+* Retained for backwards compatibility, use can_clk_groups in new
+* designs.
+*/
"can_clk",
"can_clk_b",
"can_clk_c",
@@ -4837,6 +4841,21 @@ static const char * const can1_groups[]
"can1_data_b",
"can1_data_c",
"can1_data_d",
+   /*
+* Retained for backwards compatibility, use can_clk_groups in new
+* designs.
+*/
+   "can_clk",
+   "can_clk_b",
+   "can_clk_c",
+   "can_clk_d",
+};
+
+/*
+ * can_clk_groups allows for independent configuration, use can_clk function
+ * in new designs.
+ */
+static const char * const can_clk_groups[] = {
"can_clk",
"can_clk_b",
"can_clk_c",
@@ -5308,7 +5327,7 @@ static const char * const vin2_groups[]
 };
 
 static const struct {
-   struct sh_pfc_function common[56];
+   struct sh_pfc_function common[57];
struct sh_pfc_function r8a779x[2];
 } pinmux_functions = {
.common = {
@@ -5316,6 +5335,7 @@ static const struct {
SH_PFC_FUNCTION(avb),
SH_PFC_FUNCTION(can0),
SH_PFC_FUNCTION(can1),
+   SH_PFC_FUNCTION(can_clk),
SH_PFC_FUNCTION(du),
SH_PFC_FUNCTION(du0),
SH_PFC_FUNCTION(du1),




[PATCH 4.15 116/128] mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Adiel Aloni 


[ Upstream commit e16ea4bb516bc21ea2202f2107718b29218bea59 ]

Enforce using PS_MANUAL_POLL in ps hwsim debugfs to trigger a poll,
only if PS_ENABLED was set before.
This is required due to commit c9491367b759 ("mac80211: always update the
PM state of a peer on MGMT / DATA frames") that enforces the ap to
check only mgmt/data frames ps bit, and then update station's power save
accordingly.
When sending only ps-poll (control frame) the ap will not be aware that
the station entered power save.
Setting ps enable before triggering ps_poll, will send NDP with PM bit
enabled first.

Signed-off-by: Adiel Aloni 
Signed-off-by: Luca Coelho 
Signed-off-by: Johannes Berg 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/wireless/mac80211_hwsim.c |   17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -729,16 +729,21 @@ static int hwsim_fops_ps_write(void *dat
val != PS_MANUAL_POLL)
return -EINVAL;
 
-   old_ps = data->ps;
-   data->ps = val;
-
-   local_bh_disable();
if (val == PS_MANUAL_POLL) {
+   if (data->ps != PS_ENABLED)
+   return -EINVAL;
+   local_bh_disable();
ieee80211_iterate_active_interfaces_atomic(
data->hw, IEEE80211_IFACE_ITER_NORMAL,
hwsim_send_ps_poll, data);
-   data->ps_poll_pending = true;
-   } else if (old_ps == PS_DISABLED && val != PS_DISABLED) {
+   local_bh_enable();
+   return 0;
+   }
+   old_ps = data->ps;
+   data->ps = val;
+
+   local_bh_disable();
+   if (old_ps == PS_DISABLED && val != PS_DISABLED) {
ieee80211_iterate_active_interfaces_atomic(
data->hw, IEEE80211_IFACE_ITER_NORMAL,
hwsim_send_nullfunc_ps, data);
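
Review bot: the PS_MANUAL_POLL branch no longer sets data->ps_poll_pending = true; the assignment is removed and not re-added anywhere in this hunk, and the commit message does not mention it. If the flag is now unused, remove it in the same patch or say so; if it is still consumed elsewhere, this is a behaviour change that needs explaining.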




[PATCH 4.15 119/128] ASoC: nuc900: Fix a loop timeout test

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 


[ Upstream commit 65a12b3aafed5fc59f4ce41b22b752b1729e6701 ]

We should be finishing the loop with timeout set to zero but because
this is a post-op we finish with timeout == -1.

Fixes: 1082e2703a2d ("ASoC: NUC900/audio: add nuc900 audio driver support")
Signed-off-by: Dan Carpenter 
Signed-off-by: Mark Brown 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 sound/soc/nuc900/nuc900-ac97.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/nuc900/nuc900-ac97.c
+++ b/sound/soc/nuc900/nuc900-ac97.c
@@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(s
 
/* polling the AC_R_FINISH */
while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH)
-   && timeout--)
+   && --timeout)
mdelay(1);
 
if (!timeout) {
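Review bot: with `&& --timeout` in the read loop the wait is one mdelay(1) shorter than the initial value of `timeout`, and a start value of 1 would now report a timeout without delaying at all. The initialiser is outside this hunk, so please confirm it is comfortably above 1 and that the shortened wait is acceptable.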
@@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd
 
/* polling the AC_W_FINISH */
while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH)
-   && timeout--)
+   && --timeout)
mdelay(1);
 
if (!timeout)
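Review bot: the write loop spins while AC_W_FINISH is set, whereas the read loop in the previous hunk spins while AC_R_FINISH is clear, and the comment `/* polling the AC_W_FINISH */` does not say which state means completion. If the bit clears when the write is done, a short comment saying so would keep a later reader from treating the missing `!` as a bug.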




[PATCH 4.15 113/128] powerpc/64: Dont trace irqs-off at interrupt return to soft-disabled context

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Nicholas Piggin 


[ Upstream commit acb1feab320e38588fccc568e3767761f494976f ]

When an interrupt is returning to a soft-disabled context (which can
happen for non-maskable interrupts or synchronous interrupts), it goes
through the motions of soft-disabling again, including calling
TRACE_DISABLE_INTS (i.e., trace_hardirqs_off()).

This is not necessary, because we must already be soft-disabled in the
interrupt context, it also may be causing crashes in the irq tracing
code to re-enter as an nmi. Replace it with a warning to ensure that
soft-interrupts are still disabled.

Fixes: 7c0482e3d055 ("powerpc/irq: Fix another case of lazy IRQ state getting 
out of sync")
Signed-off-by: Nicholas Piggin 
Signed-off-by: Michael Ellerman 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/powerpc/kernel/entry_64.S |   10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -939,9 +939,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
beq 1f
rlwinm  r7,r7,0,~PACA_IRQ_HARD_DIS
stb r7,PACAIRQHAPPENED(r13)
-1: li  r0,0
-   stb r0,PACASOFTIRQEN(r13);
-   TRACE_DISABLE_INTS
+1:
+#if defined(CONFIG_TRACE_IRQFLAGS) && defined(CONFIG_BUG)
+   /* The interrupt should not have soft enabled. */
+   lbz r7,PACASOFTIRQEN(r13)
+1: tdnei   r7,0
+   EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,BUGFLAG_WARNING
+#endif
b   .Ldo_restore
 
/*
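Review bot: the added block reuses the local label `1:` right after the existing `1:` that `beq 1f` targets, so two `1:` labels sit a few lines apart and `EMIT_BUG_ENTRY 1b` only works because `1b` binds to the nearest one. Using a different number for the trap (for example `2: tdnei r7,0` with `EMIT_BUG_ENTRY 2b,...`) would make both the branch target and the trap address unambiguous. Also worth stating in the changelog: with CONFIG_TRACE_IRQFLAGS or CONFIG_BUG off nothing here touches PACASOFTIRQEN any more, since `stb r0,PACASOFTIRQEN(r13)` is removed unconditionally.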




[PATCH v12 0/9] Add io{read|write}64 to io-64-atomic headers

2018-03-16 Thread Logan Gunthorpe
This is v12 of my cleanup series to push a number of instances of people
defining their own io{read|write}64 functions into common headers seeing
they don't exist in non-64bit systems. This series adds inline functions to the
io-64-nonatomic headers and then cleans up the drivers that defined their
own copies.

This cleanup was originally requested by Greg after he reviewed my
Switchtec NTB code. And I hope someone can pick it up or at least give
feedback on it soon as it's been around relatively unchanged for a few
cycles now and I'm getting a bit tired of resubmitting it with little to
no interest.

Thanks,

Logan

--

Changes since v11:
- Rebased onto v4.16-rc5
- Added a patch (0001) to fix some old and new sparse warnings
  that the kbuild robot warned about this cycle. The latest version
  of sparse was required to reproduce these.
- Added a patch (0002) to add io{read|write}64 to parisc which the kbuild
  robot also found errors for this cycle

Changes since v10:
- Rebased onto v4.16-rc4, this dropped the drm/tilcdc patch which was
  picked up by that tree and is already in 4.16.

Changes since v9:
- Rebased onto v4.15-rc6
- Fixed a couple of issues in the new version of the CAAM patch as
  pointed out by Horia

Changes since v8:
- Rebased onto v4.15-rc2, as a result rewrote patch 7 seeing someone did
  some similar cleanup in that area.
- Added a patch to clean up the Switchtec NTB driver which landed in
  v4.15-rc1

Changes since v7:
- Fix minor nits from Andy Shevchenko
- Rebased onto v4.14-rc1

Changes since v6:
 ** none **

Changes since v5:
- Added a fix to the tilcdc driver to ensure it doesn't use the
  non-atomic operation. (This includes adding io{read|write}64[be]_is_nonatomic
  defines).

Changes since v4:
- Add functions so the powerpc implementation of iomap.c compiles. (As
  noticed by Horia)

Changes since v3:

- I noticed powerpc didn't use the appropriate functions seeing
  readq/writeq were not defined when iomap.h was included. Thus I've
  included a patch to adjust this
- Fixed some mistakes with a couple of the defines in io-64-nonatomic*
  headers
- Fixed a typo noticed by Horia.

(earlier versions were drastically different)

--

Logan Gunthorpe (9):
  iomap: Fix sparse endian check warnings
  parisc: iomap: introduce io{read|write}64
  powerpc: io.h: move iomap.h include so that it can use readq/writeq
defs
  powerpc: iomap.c: introduce io{read|write}64_{lo_hi|hi_lo}
  iomap: introduce io{read|write}64_{lo_hi|hi_lo}
  io-64-nonatomic: add io{read|write}64[be]{_lo_hi|_hi_lo} macros
  ntb: ntb_hw_intel: use io-64-nonatomic instead of in-driver hacks
  crypto: caam: cleanup CONFIG_64BIT ifdefs when using io{read|write}64
  ntb: ntb_hw_switchtec: Cleanup 64bit IO defines to use the common
header

 arch/parisc/include/asm/io.h   |   9 +++
 arch/parisc/lib/iomap.c|  64 +++
 arch/powerpc/include/asm/io.h  |   6 +-
 arch/powerpc/kernel/iomap.c|  40 +
 drivers/crypto/caam/regs.h |  30 +--
 drivers/ntb/hw/intel/ntb_hw_intel.c|  30 +--
 drivers/ntb/hw/mscc/ntb_hw_switchtec.c |  36 +
 include/asm-generic/iomap.h|  26 --
 include/linux/io-64-nonatomic-hi-lo.h  |  64 +++
 include/linux/io-64-nonatomic-lo-hi.h  |  64 +++
 lib/iomap.c| 143 -
 11 files changed, 412 insertions(+), 100 deletions(-)

--
2.11.0


[PATCH v12 3/9] powerpc: io.h: move iomap.h include so that it can use readq/writeq defs

2018-03-16 Thread Logan Gunthorpe
Subsequent patches in this series make use of the readq and writeq
defines in iomap.h. However, as is, they get missed on the powerpc
platform seeing the include comes before the define. This patch
moves the include down to fix this.

Signed-off-by: Logan Gunthorpe 
Acked-by: Michael Ellerman 
Reviewed-by: Andy Shevchenko 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Nicholas Piggin 
Cc: Suresh Warrier 
Cc: "Oliver O'Halloran" 
---
 arch/powerpc/include/asm/io.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
index 422f99cf9924..af074923d598 100644
--- a/arch/powerpc/include/asm/io.h
+++ b/arch/powerpc/include/asm/io.h
@@ -33,8 +33,6 @@ extern struct pci_dev *isa_bridge_pcidev;
 #include 
 #include 
 
-#include 
-
 #ifdef CONFIG_PPC64
 #include 
 #endif
@@ -663,6 +661,8 @@ static inline void name at  
\
 #define writel_relaxed(v, addr)writel(v, addr)
 #define writeq_relaxed(v, addr)writeq(v, addr)
 
+#include 
+
 #ifdef CONFIG_PPC32
 #define mmiowb()
 #else
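Review bot: the relocated `#include` after the `writeq_relaxed` define is now order-sensitive, but nothing in the file says so. A short comment above it stating that it has to follow the readq/writeq definitions would stop a later include cleanup from moving it back into the top block that the first hunk removes it from.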
-- 
2.11.0



[PATCH v12 8/9] crypto: caam: cleanup CONFIG_64BIT ifdefs when using io{read|write}64

2018-03-16 Thread Logan Gunthorpe
Clean up the extra ifdefs which defined the wr_reg64 and rd_reg64
functions in non-64bit cases in favour of the new common
io-64-nonatomic-lo-hi header.

To be consistent with CAAM engine HW spec: in case of 64-bit registers,
irrespective of device endianness, the lower address should be read from
/ written to first, followed by the upper address. Indeed the I/O
accessors in CAAM driver currently don't follow the spec, however this
is a good opportunity to fix the code.

Signed-off-by: Logan Gunthorpe 
Reviewed-by: Horia Geantă 
Cc: Andy Shevchenko 
Cc: Dan Douglass 
Cc: Herbert Xu 
Cc: "David S. Miller" 
---
 drivers/crypto/caam/regs.h | 30 +++---
 1 file changed, 3 insertions(+), 27 deletions(-)

diff --git a/drivers/crypto/caam/regs.h b/drivers/crypto/caam/regs.h
index fee363865d88..f887b371040f 100644
--- a/drivers/crypto/caam/regs.h
+++ b/drivers/crypto/caam/regs.h
@@ -10,7 +10,7 @@
 
 #include 
 #include 
-#include 
+#include 
 
 /*
  * Architecture-specific register access methods
@@ -136,10 +136,9 @@ static inline void clrsetbits_32(void __iomem *reg, u32 
clear, u32 set)
  *base + 0x : least-significant 32 bits
  *base + 0x0004 : most-significant 32 bits
  */
-#ifdef CONFIG_64BIT
 static inline void wr_reg64(void __iomem *reg, u64 data)
 {
-   if (caam_little_end)
+   if (!caam_imx && caam_little_end)
iowrite64(data, reg);
else
iowrite64be(data, reg);
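Review bot: in wr_reg64 the test changes from `if (caam_little_end)` to `if (!caam_imx && caam_little_end)` on the path that used to be CONFIG_64BIT-only, so a 64-bit build with caam_imx set now takes the iowrite64be branch. The changelog talks only about ifdef cleanup and lo/hi ordering; please state whether this change for 64-bit builds is intended, and add a comment on why caam_imx forces the big-endian accessor.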
@@ -147,35 +146,12 @@ static inline void wr_reg64(void __iomem *reg, u64 data)
 
 static inline u64 rd_reg64(void __iomem *reg)
 {
-   if (caam_little_end)
+   if (!caam_imx && caam_little_end)
return ioread64(reg);
else
return ioread64be(reg);
 }
 
-#else /* CONFIG_64BIT */
-static inline void wr_reg64(void __iomem *reg, u64 data)
-{
-   if (!caam_imx && caam_little_end) {
-   wr_reg32((u32 __iomem *)(reg) + 1, data >> 32);
-   wr_reg32((u32 __iomem *)(reg), data);
-   } else {
-   wr_reg32((u32 __iomem *)(reg), data >> 32);
-   wr_reg32((u32 __iomem *)(reg) + 1, data);
-   }
-}
-
-static inline u64 rd_reg64(void __iomem *reg)
-{
-   if (!caam_imx && caam_little_end)
-   return ((u64)rd_reg32((u32 __iomem *)(reg) + 1) << 32 |
-   (u64)rd_reg32((u32 __iomem *)(reg)));
-
-   return ((u64)rd_reg32((u32 __iomem *)(reg)) << 32 |
-   (u64)rd_reg32((u32 __iomem *)(reg) + 1));
-}
-#endif /* CONFIG_64BIT  */
-
 static inline u64 cpu_to_caam_dma64(dma_addr_t value)
 {
if (caam_imx)
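Review bot: the removed 32-bit fallback built each 64-bit access from two wr_reg32()/rd_reg32() calls, including in its else branch, which is the one taken when caam_imx is set; the replacement sends that case to iowrite64be()/ioread64be() instead. wr_reg32 and rd_reg32 are not shown in this patch, so please confirm the two are equivalent for caam_imx with caam_little_end set, i.e. that the byte order within each 32-bit word is unchanged and only the word order differs.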
-- 
2.11.0



[PATCH 4.15 103/128] staging: fsl-dpaa2/eth: Fix access to FAS field

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Ioana Radulescu 


[ Upstream commit 54ce891779888e85a2db04942dbaadd3f40fe223 ]

Commit 4b2d9fe87950 ("staging: fsl-dpaa2/eth: Extra headroom in RX
buffers") removes the software annotation (SWA) area from the RX
buffer layout, as it's not used by anyone, but fails to update the
macros for accessing hardware annotation (HWA) fields, which is
right after the SWA in the buffer headroom.

This may lead to some frame annotation status fields (e.g. indication
if L3/L4 checksum is valid) to be read incorrectly.

Turn the accessor macros into inline functions and add a bool param
to specify if SWA is present or not.

Fixes: 4b2d9fe87950 ("staging: fsl-dpaa2/eth: Extra headroom in RX buffers")

Signed-off-by: Ioana Radulescu 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c |8 
 drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h |   13 +
 2 files changed, 13 insertions(+), 8 deletions(-)

--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
@@ -249,7 +249,7 @@ static void dpaa2_eth_rx(struct dpaa2_et
vaddr = dpaa2_iova_to_virt(priv->iommu_domain, addr);
dma_unmap_single(dev, addr, DPAA2_ETH_RX_BUF_SIZE, DMA_FROM_DEVICE);
 
-   fas = dpaa2_get_fas(vaddr);
+   fas = dpaa2_get_fas(vaddr, false);
prefetch(fas);
buf_data = vaddr + dpaa2_fd_get_offset(fd);
prefetch(buf_data);
@@ -385,7 +385,7 @@ static int build_sg_fd(struct dpaa2_eth_
 * on TX confirmation. We are clearing FAS (Frame Annotation Status)
 * field from the hardware annotation area
 */
-   fas = dpaa2_get_fas(sgt_buf);
+   fas = dpaa2_get_fas(sgt_buf, true);
memset(fas, 0, DPAA2_FAS_SIZE);
 
sgt = (struct dpaa2_sg_entry *)(sgt_buf + priv->tx_data_offset);
@@ -458,7 +458,7 @@ static int build_single_fd(struct dpaa2_
 * on TX confirmation. We are clearing FAS (Frame Annotation Status)
 * field from the hardware annotation area
 */
-   fas = dpaa2_get_fas(buffer_start);
+   fas = dpaa2_get_fas(buffer_start, true);
memset(fas, 0, DPAA2_FAS_SIZE);
 
/* Store a backpointer to the skb at the beginning of the buffer
@@ -510,7 +510,7 @@ static void free_tx_fd(const struct dpaa
 
fd_addr = dpaa2_fd_get_addr(fd);
skbh = dpaa2_iova_to_virt(priv->iommu_domain, fd_addr);
-   fas = dpaa2_get_fas(skbh);
+   fas = dpaa2_get_fas(skbh, true);
 
if (fd_format == dpaa2_fd_single) {
skb = *skbh;
--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h
+++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h
@@ -153,10 +153,15 @@ struct dpaa2_fas {
 #define DPAA2_FAS_SIZE (sizeof(struct dpaa2_fas))
 
 /* Accessors for the hardware annotation fields that we use */
-#define dpaa2_get_hwa(buf_addr) \
-   ((void *)(buf_addr) + DPAA2_ETH_SWA_SIZE)
-#define dpaa2_get_fas(buf_addr) \
-   (struct dpaa2_fas *)(dpaa2_get_hwa(buf_addr) + DPAA2_FAS_OFFSET)
+static inline void *dpaa2_get_hwa(void *buf_addr, bool swa)
+{
+   return buf_addr + (swa ? DPAA2_ETH_SWA_SIZE : 0);
+}
+
+static inline struct dpaa2_fas *dpaa2_get_fas(void *buf_addr, bool swa)
+{
+   return dpaa2_get_hwa(buf_addr, swa) + DPAA2_FAS_OFFSET;
+}
 
 /* Error and status bits in the frame annotation status word */
 /* Debug frame, otherwise supposed to be discarded */
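Review bot: the new `bool swa` parameter leaves call sites reading `dpaa2_get_fas(vaddr, false)` and `dpaa2_get_fas(skbh, true)`, which say nothing about why RX and TX differ. Consider two named wrappers, or at least a comment on dpaa2_get_hwa() stating that RX buffers carry no software annotation area while the TX paths still do, so a future caller cannot silently pick the wrong value.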




[PATCH 4.15 088/128] perf annotate: Fix objdump comment parsing for Intel mov dissassembly

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Richter 


[ Upstream commit 35a8a148d8c1ee9e5ae18f9565a880490f816f89 ]

The command 'perf annotate' parses the output of objdump and also
investigates the comments produced by objdump. For example the
output of objdump produces (on x86):

23eee:  4c 8b 3d 13 01 21 00 mov 0x210113(%rip),%r15
# 234008 

and the function mov__parse() is called to investigate the complete
line. Mov__parse() breaks this line into several parts and finally
calls function comment__symbol() to parse the data after the comment
character '#'. Comment__symbol() expects a hexadecimal address followed
by a symbol in '<' and '>' brackets.

However the 2nd parameter given to function comment__symbol()
always points to the comment character '#'. The address parsing
always returns 0 because the character '#' is not a digit and
strtoull() fails without being noticed.

Fix this by advancing the second parameter to function comment__symbol()
by one byte before invocation and add an error check after strtoull()
has been called.

Signed-off-by: Thomas Richter 
Reviewed-by: Hendrik Brueckner 
Acked-by: Ravi Bangoria 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Fixes: 6de783b6f50f ("perf annotate: Resolve symbols using objdump comment")
Link: http://lkml.kernel.org/r/20171128075632.72182-1-tmri...@linux.vnet.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 tools/perf/util/annotate.c |8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -322,6 +322,8 @@ static int comment__symbol(char *raw, ch
return 0;
 
*addrp = strtoull(comment, , 16);
+   if (endptr == comment)
+   return 0;
name = strchr(endptr, '<');
if (name == NULL)
return -1;
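Review bot: the new `if (endptr == comment) return 0;` reports success although no address was parsed, and `*addrp` has already been overwritten with 0 by that point. Returning -1 here, as the `name == NULL` case just below does, and assigning `*addrp` only after the check would keep a failed parse from leaving a zero address behind.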
@@ -435,8 +437,8 @@ static int mov__parse(struct arch *arch,
return 0;
 
comment = ltrim(comment);
-   comment__symbol(ops->source.raw, comment, >source.addr, 
>source.name);
-   comment__symbol(ops->target.raw, comment, >target.addr, 
>target.name);
+   comment__symbol(ops->source.raw, comment + 1, >source.addr, 
>source.name);
+   comment__symbol(ops->target.raw, comment + 1, >target.addr, 
>target.name);
 
return 0;
 
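Review bot: `comment + 1` in mov__parse skips one byte unconditionally, relying on ltrim() having left `comment` pointing at '#'. A guard such as `if (*comment != '#') return 0;` before the calls, or doing the skip once inside comment__symbol() rather than at each of the three call sites in this patch, would avoid stepping past the first hex digit or the terminating NUL if the separator is ever missing.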
@@ -480,7 +482,7 @@ static int dec__parse(struct arch *arch
return 0;
 
comment = ltrim(comment);
-   comment__symbol(ops->target.raw, comment, >target.addr, 
>target.name);
+   comment__symbol(ops->target.raw, comment + 1, >target.addr, 
>target.name);
 
return 0;
 }
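The comment parsing this commit message describes, as an added stand-alone sketch that is not perf's comment__symbol(): `parse_objdump_comment`, the small wrappers and the sample line are assumptions constructed for illustration. It shows why strtoull() consumes nothing when handed the '#' itself, and a parser that rejects that case instead of returning address 0.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYM_NAME_LEN 64

/* Constructed sample of an objdump comment; not taken from a real binary. */
#define SAMPLE "# 234008 <constructed_symbol+0x8>"

/* Characters strtoull(s, &end, 16) consumes; 0 means "no number found". */
size_t consumed_by_strtoull(const char *s)
{
    char *end;

    (void)strtoull(s, &end, 16);
    return (size_t)(end - s);
}

/*
 * Hypothetical helper: parse "[#] <hex address> <symbol>" into addr and name.
 * Returns 0 on success, -1 on any malformed input; outputs are written only
 * on success.
 */
int parse_objdump_comment(const char *comment, uint64_t *addrp,
                          char *name, size_t name_len)
{
    const char *p = comment, *lt, *gt;
    unsigned long long addr;
    char *endptr;
    size_t len;

    if (!p || !addrp || !name || name_len == 0)
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '#')              /* skip the comment character itself */
        p++;
    while (*p == ' ' || *p == '\t')
        p++;
    /* Require a hex digit so strtoull cannot accept a sign or nothing. */
    if (!isxdigit((unsigned char)*p))
        return -1;
    errno = 0;
    addr = strtoull(p, &endptr, 16);
    if (endptr == p || errno == ERANGE)
        return -1;
    lt = strchr(endptr, '<');
    if (!lt)
        return -1;
    gt = strchr(lt + 1, '>');
    if (!gt)
        return -1;
    len = (size_t)(gt - (lt + 1));
    if (len == 0 || len >= name_len)
        return -1;
    memcpy(name, lt + 1, len);
    name[len] = '\0';
    *addrp = (uint64_t)addr;
    return 0;
}

static char last_name[SYM_NAME_LEN];

/* Wrappers so each result can be checked as a plain return value. */
int parse_status(const char *c)
{
    uint64_t a;

    return parse_objdump_comment(c, &a, last_name, sizeof(last_name));
}

uint64_t parsed_addr(const char *c)
{
    uint64_t a = 0;

    if (parse_objdump_comment(c, &a, last_name, sizeof(last_name)))
        return UINT64_MAX;
    return a;
}

const char *parsed_name(const char *c)
{
    uint64_t a;

    if (parse_objdump_comment(c, &a, last_name, sizeof(last_name)))
        return NULL;
    return last_name;
}

int main(void)
{
    printf("strtoull on '#...' consumed %zu chars\n",
           consumed_by_strtoull(SAMPLE));
    printf("addr=0x%llx name=%s\n",
           (unsigned long long)parsed_addr(SAMPLE), parsed_name(SAMPLE));
    return 0;
}
```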




[PATCH 4.15 086/128] pinctrl: sh-pfc: r8a7795-es1: Fix MOD_SEL1 bit[25:24] to 0x3 when using STP_ISEN_1_D

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Takeshi Kihara 


[ Upstream commit b16cd900de7911f96af17327a081a2141a0b763f ]

This patch fixes the incorrect implementation of MOD_SEL1 bit[25:24]
value when STP_ISEN_1_D pin function is selected for IPSR16 bit[27:24].

This is a correction to the incorrect implementation of MOD_SEL register
pin assignment for R8A7795 SoC specification of R-Car Gen3 Hardware
User's Manual Rev.0.51E.

Fixes: 0b0ffc96dbe30fa9 ("pinctrl: sh-pfc: Initial R8A7795 PFC support)
Signed-off-by: Takeshi Kihara 
Signed-off-by: Yoshihiro Kaneko 
Signed-off-by: Geert Uytterhoeven 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/pinctrl/sh-pfc/pfc-r8a7795-es1.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7795-es1.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7795-es1.c
@@ -1397,7 +1397,7 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MSEL(IP16_27_24,AUDIO_CLKOUT_B, SEL_ADG_1),
PINMUX_IPSR_MSEL(IP16_27_24,SSI_SCK2_B, SEL_SSI_1),
PINMUX_IPSR_MSEL(IP16_27_24,TS_SDEN1_D, SEL_TSIF1_3),
-   PINMUX_IPSR_MSEL(IP16_27_24,STP_ISEN_1_D,   SEL_SSP1_1_2),
+   PINMUX_IPSR_MSEL(IP16_27_24,STP_ISEN_1_D,   SEL_SSP1_1_3),
PINMUX_IPSR_MSEL(IP16_27_24,STP_OPWM_0_E,   SEL_SSP1_0_4),
PINMUX_IPSR_MSEL(IP16_27_24,RIF3_D0_B,  SEL_DRIF3_1),
PINMUX_IPSR_MSEL(IP16_27_24,TCLK2_B,
SEL_TIMER_TMU_1),




[PATCH 4.15 087/128] perf annotate: Fix unnecessary memory allocation for s390x

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Richter 


[ Upstream commit 36c263607d36c6a3788c09301d9f5fe35404048a ]

This patch fixes a bug introduced with commit d9f8dfa9baf9 ("perf
annotate s390: Implement jump types for perf annotate").

'perf annotate' displays annotated assembler output by reading output of
command objdump and parsing the disassembled lines. For each shown
mnemonic this function sequence is executed:

  disasm_line__new()
  |
  +--> disasm_line__init_ins()
   |
   +--> ins__find()
|
+--> arch->associate_instruction_ops()

The s390x specific function assigned to function pointer
associate_instruction_ops refers to function s390__associate_ins_ops().

This function checks for supported mnemonics and assigns a NULL pointer
to unsupported mnemonics.  However even the NULL pointer is added to the
architecture dependent instruction array.

This leads to an extremely large architecture instruction array
(due to array resize logic in function arch__grow_instructions()).

Depending on the objdump output being parsed the array can end up
with several ten-thousand elements.

This patch checks if a mnemonic is supported and only adds supported
ones into the architecture instruction array. The array does not contain
elements with NULL pointers anymore.

Before the patch (With some debug printf output):

[root@s35lp76 perf]# time ./perf annotate --stdio > /tmp/xxxbb

real8m49.679s
user7m13.008s
sys 0m1.649s
[root@s35lp76 perf]# fgrep '__ins__find sorted:1 nr_instructions:'
/tmp/xxxbb | tail -1
__ins__find sorted:1 nr_instructions:87433 ins:0x341583c0
[root@s35lp76 perf]#

The number of different s390x branch/jump/call/return instructions
entered into the array is 87433.

After the patch (With some printf debug output:)

[root@s35lp76 perf]# time ./perf annotate --stdio > /tmp/xxxaa

real1m24.553s
user0m0.587s
sys 0m1.530s
[root@s35lp76 perf]# fgrep '__ins__find sorted:1 nr_instructions:'
/tmp/xxxaa | tail -1
__ins__find sorted:1 nr_instructions:56 ins:0x3f406570
[root@s35lp76 perf]#

The number of different s390x branch/jump/call/return instructions
entered into the array is 56 which is sensible.

Signed-off-by: Thomas Richter 
Reviewed-by: Hendrik Brueckner 
Acked-by: Ravi Bangoria 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Link: http://lkml.kernel.org/r/20171124094637.8-1-tmri...@linux.vnet.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 tools/perf/arch/s390/annotate/instructions.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/perf/arch/s390/annotate/instructions.c
+++ b/tools/perf/arch/s390/annotate/instructions.c
@@ -18,7 +18,8 @@ static struct ins_ops *s390__associate_i
if (!strcmp(name, "br"))
ops = _ops;
 
-   arch__associate_ins_ops(arch, name, ops);
+   if (ops)
+   arch__associate_ins_ops(arch, name, ops);
return ops;
 }
 




[PATCH 4.15 061/128] ARM: dts: am335x-pepper: Fix the audio CODECs reset pin

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: "Andrew F. Davis" 


[ Upstream commit e153db03c6b7a035c797bcdf35262586f003ee93 ]

The correct DT property for specifying a GPIO used for reset
is "reset-gpios", fix this here.

Fixes: 4341881d0562 ("ARM: dts: Add devicetree for Gumstix Pepper board")

Signed-off-by: Andrew F. Davis 
Signed-off-by: Tony Lindgren 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/arm/boot/dts/am335x-pepper.dts |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/am335x-pepper.dts
+++ b/arch/arm/boot/dts/am335x-pepper.dts
@@ -139,7 +139,7 @@
 _codec {
status = "okay";
 
-   gpio-reset = < 16 GPIO_ACTIVE_LOW>;
+   reset-gpios = < 16 GPIO_ACTIVE_LOW>;
AVDD-supply = <_reg>;
IOVDD-supply = <_reg>;
DRVDD-supply = <_reg>;




[PATCH 4.15 063/128] mtd: nand: ifc: update bufnum mask for ver >= 2.0.0

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Jagdish Gediya 


[ Upstream commit bccb06c353af3764ca86d9da47652458e6c2eb41 ]

Bufnum mask is used to calculate page position in the internal SRAM.

As IFC version 2.0.0 has 16KB of internal SRAM as compared to older
versions which had 8KB. Hence bufnum mask needs to be updated.

Signed-off-by: Jagdish Gediya 
Signed-off-by: Prabhakar Kushwaha 
Signed-off-by: Boris Brezillon 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/mtd/nand/fsl_ifc_nand.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/mtd/nand/fsl_ifc_nand.c
+++ b/drivers/mtd/nand/fsl_ifc_nand.c
@@ -916,6 +916,13 @@ static int fsl_ifc_chip_init(struct fsl_
if (ctrl->version >= FSL_IFC_VERSION_1_1_0)
fsl_ifc_sram_init(priv);
 
+   /*
+* As IFC version 2.0.0 has 16KB of internal SRAM as compared to older
+* versions which had 8KB. Hence bufnum mask needs to be updated.
+*/
+   if (ctrl->version >= FSL_IFC_VERSION_2_0_0)
+   priv->bufnum_mask = (priv->bufnum_mask * 2) + 1;
+
return 0;
 }
 
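Review bot: `priv->bufnum_mask = (priv->bufnum_mask * 2) + 1;` only yields a valid mask if bufnum_mask is already of the form 2^n - 1 and if this statement runs exactly once per chip. Writing it as `(priv->bufnum_mask << 1) | 1` and saying in the comment that it doubles the number of addressable buffers for the 16KB SRAM would make that assumption explicit. The comment text itself ("As ... Hence ...") is copied from the changelog and reads as a sentence fragment.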




[PATCH 4.15 031/128] KVM: PPC: Book3S HV: Avoid shifts by negative amounts

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Paul Mackerras 


[ Upstream commit cda2eaa35948893d70145490d5d6ded546fc3bc6 ]

The kvmppc_hpte_page_shifts function decodes the actual and base page
sizes for a HPTE, returning -1 if it doesn't recognize the page size
encoding.  This then gets used as a shift amount in various places,
which is undefined behaviour.  This was reported by Coverity.

In fact this should never occur, since we should only get HPTEs in the
HPT which have a recognized page size encoding.  The only place where
this might not be true is in the call to kvmppc_actual_pgsz() near the
beginning of kvmppc_do_h_enter(), where we are validating the HPTE
value passed in from the guest.

So to fix this and eliminate the undefined behaviour, we make
kvmppc_hpte_page_shifts return 0 for unrecognized page size encodings,
and make kvmppc_actual_pgsz() detect that case and return 0 for the
page size, which will then cause kvmppc_do_h_enter() to return an
error and refuse to insert any HPTE with an unrecognized page size
encoding.

To ensure that we don't get undefined behaviour in compute_tlbie_rb(),
we take the 4k page size path for any unrecognized page size encoding.
This should never be hit in practice because it is only used on HPTE
values which have previously been checked for having a recognized
page size encoding.

Signed-off-by: Paul Mackerras 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/powerpc/include/asm/kvm_book3s_64.h | 14 +-
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/include/asm/kvm_book3s_64.h 
b/arch/powerpc/include/asm/kvm_book3s_64.h
index 735cfa35298a..998f7b7aaa9e 100644
--- a/arch/powerpc/include/asm/kvm_book3s_64.h
+++ b/arch/powerpc/include/asm/kvm_book3s_64.h
@@ -122,13 +122,13 @@ static inline int kvmppc_hpte_page_shifts(unsigned long 
h, unsigned long l)
lphi = (l >> 16) & 0xf;
switch ((l >> 12) & 0xf) {
case 0:
-   return !lphi ? 24 : -1; /* 16MB */
+   return !lphi ? 24 : 0;  /* 16MB */
break;
case 1:
return 16;  /* 64kB */
break;
case 3:
-   return !lphi ? 34 : -1; /* 16GB */
+   return !lphi ? 34 : 0;  /* 16GB */
break;
case 7:
return (16 << 8) + 12;  /* 64kB in 4kB */
@@ -140,7 +140,7 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, 
unsigned long l)
return (24 << 8) + 12;  /* 16MB in 4kB */
break;
}
-   return -1;
+   return 0;
 }
 
 static inline int kvmppc_hpte_base_page_shift(unsigned long h, unsigned long l)
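Review bot: kvmppc_hpte_page_shifts() now returns 0 for an unrecognized encoding, but nothing at the function documents 0 as the "invalid" value, and the bare `return 0;` at the end reads like a valid shift. A comment on the function, or a named constant, saying that 0 means "unrecognized page size encoding" would tell callers they have to test for it before shifting.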
@@ -159,7 +159,11 @@ static inline int kvmppc_hpte_actual_page_shift(unsigned 
long h, unsigned long l
 
 static inline unsigned long kvmppc_actual_pgsz(unsigned long v, unsigned long 
r)
 {
-   return 1ul << kvmppc_hpte_actual_page_shift(v, r);
+   int shift = kvmppc_hpte_actual_page_shift(v, r);
+
+   if (shift)
+   return 1ul << shift;
+   return 0;
 }
 
 static inline int kvmppc_pgsize_lp_encoding(int base_shift, int actual_shift)
@@ -232,7 +236,7 @@ static inline unsigned long compute_tlbie_rb(unsigned long 
v, unsigned long r,
va_low ^= v >> (SID_SHIFT_1T - 16);
va_low &= 0x7ff;
 
-   if (b_pgshift == 12) {
+   if (b_pgshift <= 12) {
if (a_pgshift > 12) {
sllp = (a_pgshift == 16) ? 5 : 4;
rb |= sllp << 5;/*  AP field */
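Review bot: `if (b_pgshift <= 12)` in compute_tlbie_rb() folds the unrecognized-encoding case (shift 0) into the 4k path and also accepts any value from 1 to 11. The changelog explains the intent but the code does not; please add a comment that 0 is the value returned for an unrecognized encoding, or test for 12 and 0 explicitly so the intent is visible at the branch.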
-- 
2.16.2





[PATCH 4.15 003/128] ASoC: sgtl5000: Fix suspend/resume

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Fabio Estevam 

commit a8992973edbb2555e956b90f6fe97c4bc14d761d upstream.

Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in
SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume
sequence:

Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little
Endian, Rate 44100 Hz, Stereo
aplay: pcm_write:2051: write error: Input/output error

The problem is caused by the fact that the aforementioned commit
dropped the cache handling, so re-introduce the register map
resync to fix the problem.

Suggested-by: Mark Brown 
Signed-off-by: Fabio Estevam 
Signed-off-by: Mark Brown 
Cc: 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/soc/codecs/sgtl5000.c |   11 +++
 1 file changed, 11 insertions(+)

--- a/sound/soc/codecs/sgtl5000.c
+++ b/sound/soc/codecs/sgtl5000.c
@@ -871,15 +871,26 @@ static int sgtl5000_pcm_hw_params(struct
 static int sgtl5000_set_bias_level(struct snd_soc_codec *codec,
   enum snd_soc_bias_level level)
 {
+   struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec);
+   int ret;
+
switch (level) {
case SND_SOC_BIAS_ON:
case SND_SOC_BIAS_PREPARE:
case SND_SOC_BIAS_STANDBY:
+   regcache_cache_only(sgtl->regmap, false);
+   ret = regcache_sync(sgtl->regmap);
+   if (ret) {
+   regcache_cache_only(sgtl->regmap, true);
+   return ret;
+   }
+
snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
SGTL5000_REFTOP_POWERUP,
SGTL5000_REFTOP_POWERUP);
break;
case SND_SOC_BIAS_OFF:
+   regcache_cache_only(sgtl->regmap, true);
snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
SGTL5000_REFTOP_POWERUP, 0);
break;
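Review bot: in the SND_SOC_BIAS_OFF case `regcache_cache_only(sgtl->regmap, true);` is called before `snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, SGTL5000_REFTOP_POWERUP, 0)`. If that update goes through the same regmap, the power-down write lands in the cache only and does not reach the device until the next regcache_sync(); if that is intended a comment should say so, otherwise the two statements should be swapped. Separately, regcache_sync() now runs on every transition into ON, PREPARE or STANDBY, not only when coming out of OFF.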




[PATCH 4.15 029/128] spi: imx: Fix failure path leak on GPIO request error correctly

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Trent Piepho 


[ Upstream commit 8197f489f4c4398391746a377c10501076b05168 ]

In commit 974488e4ce1e ("spi: imx: Fix failure path leak on GPIO request
error"), spi_bitbang_start() was moved later in the probe sequence.  But
this doesn't work, as spi_bitbang_start() has to be called before
requesting GPIOs because the GPIO data in the spi master is populated when
the master is registered, and that doesn't happen until spi_bitbang_start()
is called.  The default only works if one uses one CS.

So add a failure path call to spi_bitbang_stop() to fix the leak.

CC: Shawn Guo 
CC: Sascha Hauer 
CC: Fabio Estevam 
CC: Mark Brown 
CC: Oleksij Rempel 
Signed-off-by: Trent Piepho 
Reviewed-by: Oleksij Rempel 
Signed-off-by: Mark Brown 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/spi/spi-imx.c | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 40390d31a93b..6f57592a7f95 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1622,6 +1622,11 @@ static int spi_imx_probe(struct platform_device *pdev)
spi_imx->devtype_data->intctrl(spi_imx, 0);
 
master->dev.of_node = pdev->dev.of_node;
+   ret = spi_bitbang_start(_imx->bitbang);
+   if (ret) {
+   dev_err(>dev, "bitbang start failed with %d\n", ret);
+   goto out_clk_put;
+   }
 
/* Request GPIO CS lines, if any */
if (!spi_imx->slave_mode && master->cs_gpios) {
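Review bot: the changelog ends with "add a failure path call to spi_bitbang_stop()", but neither hunk adds one; the five inserted lines are only the spi_bitbang_start() block moved up. With spi_bitbang_start() now ahead of the GPIO CS requests, a failure in that request loop has to undo it, so please check that the error label used there calls spi_bitbang_stop(), or add the call in this patch.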
@@ -1640,12 +1645,6 @@ static int spi_imx_probe(struct platform_device *pdev)
}
}
 
-   ret = spi_bitbang_start(_imx->bitbang);
-   if (ret) {
-   dev_err(>dev, "bitbang start failed with %d\n", ret);
-   goto out_clk_put;
-   }
-
dev_info(>dev, "probed\n");
 
clk_disable(spi_imx->clk_ipg);
-- 
2.16.2





[PATCH v3] ata: add Amiga Gayle PATA controller driver

2018-03-16 Thread Bartlomiej Zolnierkiewicz
Add Amiga Gayle PATA controller driver. It enables libata support
for the on-board IDE interfaces on some Amiga models (A600, A1200,
A4000 and A4000T) and also for IDE interfaces on the Zorro expansion
bus (M-Tech E-Matrix 530 expansion card).

Thanks to John Paul Adrian Glaubitz and Michael Schmitz for help
with testing the driver.

Tested-by: John Paul Adrian Glaubitz 
Cc: Michael Schmitz 
Cc: Geert Uytterhoeven 
Cc: Philippe Ombredanne 
Cc: Andy Shevchenko 
Signed-off-by: Bartlomiej Zolnierkiewicz 
---
v3:
- fix minor issues reported by Andy

v2:
- clarify license version (it should be GPL 2.0)
- use SPDX header

 drivers/ata/Kconfig  |   12 ++
 drivers/ata/Makefile |1 
 drivers/ata/pata_gayle.c |  219 +++
 3 files changed, 232 insertions(+)

Index: b/drivers/ata/Kconfig
===
--- a/drivers/ata/Kconfig   2018-03-16 17:01:47.051581322 +0100
+++ b/drivers/ata/Kconfig   2018-03-16 17:01:47.027581322 +0100
@@ -954,6 +954,18 @@ config PATA_FALCON
 
  If unsure, say N.
 
+config PATA_GAYLE
+   tristate "Amiga Gayle PATA support"
+   depends on M68K && AMIGA
+   help
+ This option enables support for the on-board IDE
+ interfaces on some Amiga models (A600, A1200,
+ A4000 and A4000T) and also for IDE interfaces on
+ the Zorro expansion bus (M-Tech E-Matrix 530
+ expansion card).
+
+ If unsure, say N.
+
 config PATA_ISAPNP
tristate "ISA Plug and Play PATA support"
depends on ISAPNP
Index: b/drivers/ata/Makefile
===
--- a/drivers/ata/Makefile  2018-03-16 17:01:47.051581322 +0100
+++ b/drivers/ata/Makefile  2018-03-16 17:01:47.035581322 +0100
@@ -97,6 +97,7 @@ obj-$(CONFIG_PATA_WINBOND)+= pata_sl82c
 # SFF PIO only
 obj-$(CONFIG_PATA_CMD640_PCI)  += pata_cmd640.o
 obj-$(CONFIG_PATA_FALCON)  += pata_falcon.o
+obj-$(CONFIG_PATA_GAYLE)   += pata_gayle.o
 obj-$(CONFIG_PATA_ISAPNP)  += pata_isapnp.o
 obj-$(CONFIG_PATA_IXP4XX_CF)   += pata_ixp4xx_cf.o
 obj-$(CONFIG_PATA_MPIIX)   += pata_mpiix.o
Index: b/drivers/ata/pata_gayle.c
===
--- /dev/null   1970-01-01 00:00:00.0 +
+++ b/drivers/ata/pata_gayle.c  2018-03-16 17:05:31.972718374 +0100
@@ -0,0 +1,219 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Amiga Gayle PATA controller driver
+ *
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd.
+ * http://www.samsung.com
+ *
+ * Based on gayle.c:
+ *
+ * Created 12 Jul 1997 by Geert Uytterhoeven
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define DRV_NAME "pata_gayle"
+#define DRV_VERSION "0.1.0"
+
+#define GAYLE_CONTROL  0x101a
+
+static struct scsi_host_template pata_gayle_sht = {
+   ATA_PIO_SHT(DRV_NAME),
+};
+
+/* FIXME: is this needed? */
+static unsigned int pata_gayle_data_xfer(struct ata_queued_cmd *qc,
+unsigned char *buf,
+unsigned int buflen, int rw)
+{
+   struct ata_device *dev = qc->dev;
+   struct ata_port *ap = dev->link->ap;
+   void __iomem *data_addr = ap->ioaddr.data_addr;
+   unsigned int words = buflen >> 1;
+
+   /* Transfer multiple of 2 bytes */
+   if (rw == READ)
+   raw_insw((u16 *)data_addr, (u16 *)buf, words);
+   else
+   raw_outsw((u16 *)data_addr, (u16 *)buf, words);
+
+   /* Transfer trailing byte, if any. */
+   if (unlikely(buflen & 0x01)) {
+   unsigned char pad[2] = { };
+
+   /* Point buf to the tail of buffer */
+   buf += buflen - 1;
+
+   if (rw == READ) {
+   raw_insw((u16 *)data_addr, (u16 *)pad, 1);
+   *buf = pad[0];
+   } else {
+   pad[0] = *buf;
+   raw_outsw((u16 *)data_addr, (u16 *)pad, 1);
+   }
+   words++;
+   }
+
+   return words << 1;
+}
+
+/*
+ * Provide our own set_mode() as we don't want to change anything that has
+ * already been configured..
+ */
+static int pata_gayle_set_mode(struct ata_link *link,
+  struct ata_device **unused)
+{
+   struct ata_device *dev;
+
+   ata_for_each_dev(dev, link, ENABLED) {
+   /* We don't really care */
+   dev->pio_mode = dev->xfer_mode = XFER_PIO_0;
+   dev->xfer_shift = ATA_SHIFT_PIO;
+   dev->flags |= ATA_DFLAG_PIO;
+   
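
Review bot: The `/* FIXME: is this needed? */` above pata_gayle_data_xfer() should be resolved before this goes in: either say in the comment why the generic SFF transfer routine cannot be used on Gayle, or drop the custom hook. In the same function the `(u16 *)data_addr` casts discard the `__iomem` qualifier that `ap->ioaddr.data_addr` carries, which sparse reports as a cast removing the address space; keep the qualifier in the cast. The comment above pata_gayle_set_mode() also ends in a stray double period.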

[PATCH 4.15 018/128] usb: usbmon: Read text within supplied buffer size

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Pete Zaitcev 

commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.

This change fixes buffer overflows and silent data corruption with the
usbmon device driver text file read operations.

Signed-off-by: Fredrik Noring 
Signed-off-by: Pete Zaitcev 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/mon/mon_text.c |  124 +++--
 1 file changed, 77 insertions(+), 47 deletions(-)

--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -85,6 +85,8 @@ struct mon_reader_text {
 
wait_queue_head_t wait;
int printf_size;
+   size_t printf_offset;
+   size_t printf_togo;
char *printf_buf;
struct mutex printf_lock;
 
@@ -376,75 +378,103 @@ err_alloc:
return rc;
 }
 
-/*
- * For simplicity, we read one record in one system call and throw out
- * what does not fit. This means that the following does not work:
- *   dd if=/dbg/usbmon/0t bs=10
- * Also, we do not allow seeks and do not bother advancing the offset.
- */
+static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
+char __user * const buf, const size_t nbytes)
+{
+   const size_t togo = min(nbytes, rp->printf_togo);
+
+   if (copy_to_user(buf, >printf_buf[rp->printf_offset], togo))
+   return -EFAULT;
+   rp->printf_togo -= togo;
+   rp->printf_offset += togo;
+   return togo;
+}
+
+/* ppos is not advanced since the llseek operation is not permitted. */
 static ssize_t mon_text_read_t(struct file *file, char __user *buf,
-   size_t nbytes, loff_t *ppos)
+size_t nbytes, loff_t *ppos)
 {
struct mon_reader_text *rp = file->private_data;
struct mon_event_text *ep;
struct mon_text_ptr ptr;
+   ssize_t ret;
 
-   ep = mon_text_read_wait(rp, file);
-   if (IS_ERR(ep))
-   return PTR_ERR(ep);
mutex_lock(>printf_lock);
-   ptr.cnt = 0;
-   ptr.pbuf = rp->printf_buf;
-   ptr.limit = rp->printf_size;
-
-   mon_text_read_head_t(rp, , ep);
-   mon_text_read_statset(rp, , ep);
-   ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
-   " %d", ep->length);
-   mon_text_read_data(rp, , ep);
 
-   if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
-   ptr.cnt = -EFAULT;
+   if (rp->printf_togo == 0) {
+
+   ep = mon_text_read_wait(rp, file);
+   if (IS_ERR(ep)) {
+   mutex_unlock(>printf_lock);
+   return PTR_ERR(ep);
+   }
+   ptr.cnt = 0;
+   ptr.pbuf = rp->printf_buf;
+   ptr.limit = rp->printf_size;
+
+   mon_text_read_head_t(rp, , ep);
+   mon_text_read_statset(rp, , ep);
+   ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+   " %d", ep->length);
+   mon_text_read_data(rp, , ep);
+
+   rp->printf_togo = ptr.cnt;
+   rp->printf_offset = 0;
+
+   kmem_cache_free(rp->e_slab, ep);
+   }
+
+   ret = mon_text_copy_to_user(rp, buf, nbytes);
mutex_unlock(>printf_lock);
-   kmem_cache_free(rp->e_slab, ep);
-   return ptr.cnt;
+   return ret;
 }
 
+/* ppos is not advanced since the llseek operation is not permitted. */
 static ssize_t mon_text_read_u(struct file *file, char __user *buf,
-   size_t nbytes, loff_t *ppos)
+size_t nbytes, loff_t *ppos)
 {
struct mon_reader_text *rp = file->private_data;
struct mon_event_text *ep;
struct mon_text_ptr ptr;
+   ssize_t ret;
 
-   ep = mon_text_read_wait(rp, file);
-   if (IS_ERR(ep))
-   return PTR_ERR(ep);
mutex_lock(>printf_lock);
-   ptr.cnt = 0;
-   ptr.pbuf = rp->printf_buf;
-   ptr.limit = rp->printf_size;
 
-   mon_text_read_head_u(rp, , ep);
-   if (ep->type == 'E') {
-   mon_text_read_statset(rp, , ep);
-   } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
-   mon_text_read_isostat(rp, , ep);
-   mon_text_read_isodesc(rp, , ep);
-   } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
-   mon_text_read_intstat(rp, , ep);
-   } else {
-   mon_text_read_statset(rp, , ep);
+   if (rp->printf_togo == 0) {
+
+   ep = mon_text_read_wait(rp, file);
+   if (IS_ERR(ep)) {
+   mutex_unlock(>printf_lock);
+   return PTR_ERR(ep);
+   }
+   ptr.cnt = 0;
+   ptr.pbuf = rp->printf_buf;
+   ptr.limit = rp->printf_size;
+
+   mon_text_read_head_u(rp, , ep);
+
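
Review bot: In mon_text_read_t() and mon_text_read_u(), `rp->printf_togo = ptr.cnt;` trusts a count accumulated with `ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, ...)`. snprintf() returns the length the output would have had, not the length actually stored, so a truncated record can leave ptr.cnt above rp->printf_size, and mon_text_copy_to_user() would then read past the end of printf_buf. Clamp ptr.cnt to ptr.limit before storing it in printf_togo, or build the record with scnprintf(). A comment stating that printf_offset and printf_togo are protected by printf_lock would also help.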

[PATCH 4.15 016/128] usbip: vudc: fix null pointer dereference on udc->lock

2018-03-16 Thread Greg Kroah-Hartman
4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit df3334c223a033f562645712e832ca4cbb326bbf upstream.

Currently the driver attempts to spin lock on udc->lock before a NULL
pointer check is performed on udc, hence there is a potential null
pointer dereference on udc->lock.  Fix this by moving the null check
on udc before the lock occurs.

Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
Signed-off-by: Colin Ian King 
Acked-by: Shuah Khan 
Reviewed-by: Krzysztof Opasiak 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/usbip/vudc_sysfs.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/usbip/vudc_sysfs.c
+++ b/drivers/usb/usbip/vudc_sysfs.c
@@ -105,10 +105,14 @@ static ssize_t store_sockfd(struct devic
if (rv != 0)
return -EINVAL;
 
+   if (!udc) {
+   dev_err(dev, "no device");
+   return -ENODEV;
+   }
spin_lock_irqsave(>lock, flags);
/* Don't export what we don't have */
-   if (!udc || !udc->driver || !udc->pullup) {
-   dev_err(dev, "no device or gadget not bound");
+   if (!udc->driver || !udc->pullup) {
+   dev_err(dev, "gadget not bound");
ret = -ENODEV;
goto unlock;
}
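
Review bot: The new `dev_err(dev, "no device");` and the reworded `dev_err(dev, "gadget not bound");` in store_sockfd() both lack a trailing newline; terminate them with "\n" so they are not run together with the next log line. Since the early return for a NULL udc now bypasses the unlock label on purpose, a short comment that the lock is not yet held at that point would keep a later edit from converting it to `goto unlock`.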




Re: [PATCH 5/8] trace_uprobe: Support SDT markers having reference count (semaphore)

2018-03-16 Thread Oleg Nesterov
On 03/15, Steven Rostedt wrote:
>
> On Tue, 13 Mar 2018 18:26:00 +0530
> Ravi Bangoria  wrote:
>
> > +static void sdt_increment_ref_ctr(struct trace_uprobe *tu)
> > +{
> > +   struct uprobe_map_info *info;
> > +   struct vm_area_struct *vma;
> > +   unsigned long vaddr;
> > +
> > +   uprobe_start_dup_mmap();
>
> Please add a comment here that this function ups the mm ref count for
> each info returned. Otherwise it's hard to know what that mmput() below
> matches.

You meant uprobe_build_map_info(), not uprobe_start_dup_mmap().

Yes, and if it gets more callers perhaps we should move this mmput() into
uprobe_free_map_info()...

Oleg.


--- x/kernel/events/uprobes.c
+++ x/kernel/events/uprobes.c
@@ -714,6 +714,7 @@ struct map_info {
 static inline struct map_info *free_map_info(struct map_info *info)
 {
struct map_info *next = info->next;
+   mmput(info->mm);
kfree(info);
return next;
 }
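
Review bot: With `mmput(info->mm);` inside free_map_info(), the helper is only valid for entries whose ->mm already holds a reference, which is why the out: path of build_map_info() has to open-code kfree() for the preallocated prev list in the next hunk. A comment above free_map_info() stating that it drops the mm reference taken by build_map_info() would keep a future caller from handing it a bare entry.
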
@@ -783,8 +784,11 @@ build_map_info(struct address_space *map
 
goto again;
  out:
-   while (prev)
-   prev = free_map_info(prev);
+   while (prev) {
+   info = prev;
+   prev = prev->next;
+   kfree(info);
+   }
return curr;
 }
 
@@ -834,7 +838,6 @@ register_for_each_vma(struct uprobe *upr
  unlock:
up_write(>mmap_sem);
  free:
-   mmput(mm);
info = free_map_info(info);
}
  out:



[RT PATCH 1/2 v2] kernel/cpu_chill: use schedule_hrtimeout()

2018-03-16 Thread Sebastian Andrzej Siewior
If a task calls cpu_chill() and gets woken up by a regular or spurious
wakeup and has a signal pending, then it exits the sleep loop in
do_nanosleep() and sets up the restart block. If restart->nanosleep.type is
not TI_NONE then this results in accessing a stale user pointer from a
previously interrupted syscall and a copy to user based on the stale
pointer or a BUG() when 'type' is not supported in nanosleep_copyout().

Instead of all this trouble, use schedule_hrtimeout().

Cc: stable...@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior 
---
 kernel/time/hrtimer.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 6c77643eaf02..c0efc22ba635 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1873,14 +1873,13 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct 
compat_timespec __user *, rqtp,
  */
 void cpu_chill(void)
 {
-   struct timespec64 tu = {
-   .tv_nsec = NSEC_PER_MSEC,
-   };
+   ktime_t chill_time;
unsigned int freeze_flag = current->flags & PF_NOFREEZE;
 
+   chill_time = ktime_set(0, NSEC_PER_MSEC);
+   set_current_state(TASK_UNINTERRUPTIBLE);
current->flags |= PF_NOFREEZE;
-   __hrtimer_nanosleep(, HRTIMER_MODE_REL_HARD, CLOCK_MONOTONIC,
-   TASK_UNINTERRUPTIBLE);
+   schedule_hrtimeout(_time, HRTIMER_MODE_REL_HARD);
if (!freeze_flag)
current->flags &= ~PF_NOFREEZE;
 }
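
Review bot: The return value of the schedule_hrtimeout() call in cpu_chill() is dropped, so a regular wakeup that arrives while the task sits in TASK_UNINTERRUPTIBLE ends the chill early instead of sleeping the full NSEC_PER_MSEC. If a shortened sleep is acceptable for cpu_chill() callers, say so in the function comment; otherwise loop until the timeout has expired. The separate `chill_time = ktime_set(0, NSEC_PER_MSEC);` assignment could also be folded into the declaration.
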
-- 
2.16.2



[PATCH v3 10/18] net: qla3xxx: Eliminate duplicate barriers on weakly-ordered archs

2018-03-16 Thread Sinan Kaya
Code includes wmb() followed by writel(). writel() already has a
barrier on some architectures like arm64.

This ends up with the CPU observing two barriers back to back before
executing the register write.

Since the code already has an explicit barrier call, change writel() to
writel_relaxed().

Signed-off-by: Sinan Kaya 
---
 drivers/net/ethernet/qlogic/qla3xxx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c 
b/drivers/net/ethernet/qlogic/qla3xxx.c
index 9e5264d..0e71b74 100644
--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -1858,8 +1858,8 @@ static void ql_update_small_bufq_prod_index(struct 
ql3_adapter *qdev)
qdev->small_buf_release_cnt -= 8;
}
wmb();
-   writel(qdev->small_buf_q_producer_index,
-   _regs->CommonRegs.rxSmallQProducerIndex);
+   writel_relaxed(qdev->small_buf_q_producer_index,
+  _regs->CommonRegs.rxSmallQProducerIndex);
}
 }
 
-- 
2.7.4



[PATCH 4.14 067/109] scsi: ses: dont ask for diagnostic pages repeatedly during probe

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Li Dongyang 


[ Upstream commit 9c0a50022b8ac7e863e6ec8342fa476fe5d1d75c ]

We are testing if there is a match with the ses device in a loop by
calling ses_match_to_enclosure(), which will issue scsi receive
diagnostics commands to the ses device for every device on the same
host.  On one of our boxes with 840 disks, it takes a long time to load
the driver:

[root@g1b-oss06 ~]# time modprobe ses

real    40m48.247s
user    0m0.001s
sys     0m0.196s

With the patch:

[root@g1b-oss06 ~]# time modprobe ses

real    0m17.915s
user    0m0.008s
sys     0m0.053s

Note that we still need to refresh page 10 when we see a new disk to
create the link.

Signed-off-by: Li Dongyang 
Tested-by: Jason Ozolins 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/scsi/ses.c |   11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -615,13 +615,16 @@ static void ses_enclosure_data_process(s
 }
 
 static void ses_match_to_enclosure(struct enclosure_device *edev,
-  struct scsi_device *sdev)
+  struct scsi_device *sdev,
+  int refresh)
 {
+   struct scsi_device *edev_sdev = to_scsi_device(edev->edev.parent);
struct efd efd = {
.addr = 0,
};
 
-   ses_enclosure_data_process(edev, to_scsi_device(edev->edev.parent), 0);
+   if (refresh)
+   ses_enclosure_data_process(edev, edev_sdev, 0);
 
if (scsi_is_sas_rphy(sdev->sdev_target->dev.parent))
efd.addr = sas_get_address(sdev);
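
Review bot: The new `int refresh` parameter of ses_match_to_enclosure() is used purely as a flag, and the call sites in the following hunks pass bare 1 and 0. Making it `bool refresh` with true/false at the callers, plus a one-line comment that it controls whether ses_enclosure_data_process() re-reads the diagnostic pages, would make the call sites self-explanatory.
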
@@ -652,7 +655,7 @@ static int ses_intf_add(struct device *c
struct enclosure_device *prev = NULL;
 
while ((edev = enclosure_find(>host->shost_gendev, prev)) 
!= NULL) {
-   ses_match_to_enclosure(edev, sdev);
+   ses_match_to_enclosure(edev, sdev, 1);
prev = edev;
}
return -ENODEV;
@@ -768,7 +771,7 @@ page2_not_supported:
shost_for_each_device(tmp_sdev, sdev->host) {
if (tmp_sdev->lun != 0 || scsi_device_enclosure(tmp_sdev))
continue;
-   ses_match_to_enclosure(edev, tmp_sdev);
+   ses_match_to_enclosure(edev, tmp_sdev, 0);
}
 
return 0;





Re: [Intel-wired-lan] [PATCH v3 09/18] fm10k: Eliminate duplicate barriers on weakly-ordered archs

2018-03-16 Thread Alexander Duyck
On Fri, Mar 16, 2018 at 9:16 AM, Sinan Kaya  wrote:
> Code includes wmb() followed by writel(). writel() already has a
> barrier on some architectures like arm64.
>
> This ends up with the CPU observing two barriers back to back before
> executing the register write.
>
> Since the code already has an explicit barrier call, change writel() to
> writel_relaxed().
>
> Signed-off-by: Sinan Kaya 

You can update the writel call in fm10k_tx_map as well.

Of the drivers updated in drivers/net/ethernet/intel/* it looks like
this is the only one that still requires any additional changes.

Thanks.

- Alex


[PATCH 4.14 101/109] mmc: mmc_test: Ensure command queue is disabled for testing

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Adrian Hunter 


[ Upstream commit 23a185254ace8e63dc4ca36e0315aed9440ae749 ]

mmc_test disables the command queue because none of the tests use the
command queue. However the Reset Test will re-enable it, so disable it in
that case too.

Fixes: 9d4579a85c84 ("mmc: mmc_test: Disable Command Queue while mmc_test is used")
Signed-off-by: Adrian Hunter 
Signed-off-by: Ulf Hansson 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/mmc/core/mmc_test.c |   11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/mmc_test.c
+++ b/drivers/mmc/core/mmc_test.c
@@ -2328,10 +2328,17 @@ static int mmc_test_reset(struct mmc_tes
int err;
 
err = mmc_hw_reset(host);
-   if (!err)
+   if (!err) {
+   /*
+* Reset will re-enable the card's command queue, but tests
+* expect it to be disabled.
+*/
+   if (card->ext_csd.cmdq_en)
+   mmc_cmdq_disable(card);
return RESULT_OK;
-   else if (err == -EOPNOTSUPP)
+   } else if (err == -EOPNOTSUPP) {
return RESULT_UNSUP_HOST;
+   }
 
return RESULT_FAIL;
 }
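
Review bot: In mmc_test_reset() the result of `mmc_cmdq_disable(card)` is ignored and the function still returns RESULT_OK, so if the disable fails the remaining tests run with the command queue enabled, which is exactly the state the new comment says they do not expect. Check the return value and return RESULT_FAIL on error.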




Re: [PATCH 1/2] dt: bindings: fpga: add lattice machxo2 slave spi binding description

2018-03-16 Thread Moritz Fischer
On Fri, Mar 16, 2018 at 04:54:28PM +0100, Paolo Pisati wrote:
> Add dt binding documentation details for Lattice MachXO2 FPGA configuration
> over Slave SPI interface.
> 
> Signed-off-by: Paolo Pisati 
> Acked-by: Rob Herring 
Acked-by: Moritz Fischer 
> ---
>  .../bindings/fpga/lattice-machxo2-spi.txt  | 29 
> ++
>  1 file changed, 29 insertions(+)
>  create mode 100644 
> Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt
> 
> diff --git a/Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt 
> b/Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt
> new file mode 100644
> index 000..a8c362e
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt
> @@ -0,0 +1,29 @@
> +Lattice MachXO2 Slave SPI FPGA Manager
> +
> +Lattice MachXO2 FPGAs support a method of loading the bitstream over
> +'slave SPI' interface.
Nit: a 'slave SPI'
> +
> +See 'MachXO2ProgrammingandConfigurationUsageGuide.pdf' on www.latticesemi.com
> +
> +Required properties:
> +- compatible: should contain "lattice,machxo2-slave-spi"
> +- reg: spi chip select of the FPGA
> +
> +Example for full FPGA configuration:
> +
> + fpga-region0 {
> + compatible = "fpga-region";
> + fpga-mgr = <_mgr_spi>;
> + #address-cells = <0x1>;
> + #size-cells = <0x1>;
> + };
> +
> + spi1: spi@2000 {
> +...
> +
> + fpga_mgr_spi: fpga-mgr@0 {
> + compatible = "lattice,machxo2-slave-spi";
> + spi-max-frequency = <800>;
> + reg = <0>;
> + };
> + };
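
Review bot: The example node sets `spi-max-frequency`, but the "Required properties" list names only compatible and reg. Either list spi-max-frequency there, with a pointer to the generic SPI binding, or mark it as optional so that the example and the property list agree.
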
> -- 
> 2.7.4
> 

Thanks,

Moritz


[PATCH 4.14 065/109] dmaengine: amba-pl08x: Use vchan_terminate_vdesc() instead of desc_free

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Peter Ujfalusi 


[ Upstream commit 47d71bc75d072ce25c1063aa629e55e1cfb961b2 ]

To avoid race with vchan_complete, use the race free way to terminate
running transfer.

Implement the device_synchronize callback to make sure that the terminated
descriptor is freed.

Signed-off-by: Peter Ujfalusi 
Reviewed-by: Linus Walleij 
Signed-off-by: Vinod Koul 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/dma/amba-pl08x.c |   11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/dma/amba-pl08x.c
+++ b/drivers/dma/amba-pl08x.c
@@ -2182,7 +2182,7 @@ static int pl08x_terminate_all(struct dm
}
/* Dequeue jobs and free LLIs */
if (plchan->at) {
-   pl08x_desc_free(>at->vd);
+   vchan_terminate_vdesc(>at->vd);
plchan->at = NULL;
}
/* Dequeue jobs not yet fired as well */
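
Review bot: After the switch to vchan_terminate_vdesc() in pl08x_terminate_all(), the running descriptor is no longer freed when the function returns; per the commit message it is released only once the new device_synchronize callback runs. The existing "Dequeue jobs and free LLIs" comment is therefore inaccurate for this branch and should say that freeing is deferred to pl08x_synchronize().
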
@@ -2193,6 +2193,13 @@ static int pl08x_terminate_all(struct dm
return 0;
 }
 
+static void pl08x_synchronize(struct dma_chan *chan)
+{
+   struct pl08x_dma_chan *plchan = to_pl08x_chan(chan);
+
+   vchan_synchronize(>vc);
+}
+
 static int pl08x_pause(struct dma_chan *chan)
 {
struct pl08x_dma_chan *plchan = to_pl08x_chan(chan);
@@ -2773,6 +2780,7 @@ static int pl08x_probe(struct amba_devic
pl08x->memcpy.device_pause = pl08x_pause;
pl08x->memcpy.device_resume = pl08x_resume;
pl08x->memcpy.device_terminate_all = pl08x_terminate_all;
+   pl08x->memcpy.device_synchronize = pl08x_synchronize;
pl08x->memcpy.src_addr_widths = PL80X_DMA_BUSWIDTHS;
pl08x->memcpy.dst_addr_widths = PL80X_DMA_BUSWIDTHS;
pl08x->memcpy.directions = BIT(DMA_MEM_TO_MEM);
@@ -2802,6 +2810,7 @@ static int pl08x_probe(struct amba_devic
pl08x->slave.device_pause = pl08x_pause;
pl08x->slave.device_resume = pl08x_resume;
pl08x->slave.device_terminate_all = pl08x_terminate_all;
+   pl08x->slave.device_synchronize = pl08x_synchronize;
pl08x->slave.src_addr_widths = PL80X_DMA_BUSWIDTHS;
pl08x->slave.dst_addr_widths = PL80X_DMA_BUSWIDTHS;
pl08x->slave.directions =




[PATCH 4.14 075/109] drm/amdgpu:fix virtual dce bug

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Monk Liu 


[ Upstream commit 129d65c18ecfb249aceb540c31fdaf79bd5a11ff ]

This fixes the issue of accessing memory after it has been freed,
after the driver is unloaded.

Signed-off-by: Monk Liu 
Acked-by: Alex Deucher 
Signed-off-by: Alex Deucher 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/gpu/drm/amd/amdgpu/dce_virtual.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/dce_virtual.c
+++ b/drivers/gpu/drm/amd/amdgpu/dce_virtual.c
@@ -437,6 +437,8 @@ static int dce_virtual_sw_fini(void *han
drm_kms_helper_poll_fini(adev->ddev);
 
drm_mode_config_cleanup(adev->ddev);
+   /* clear crtcs pointer to avoid dce irq finish routine access freed 
data */
+   memset(adev->mode_info.crtcs, 0, sizeof(adev->mode_info.crtcs[0]) * 
AMDGPU_MAX_CRTCS);
adev->mode_info.mode_config_initialized = false;
return 0;
 }
@@ -723,7 +725,7 @@ static void dce_virtual_set_crtc_vblank_
int crtc,
enum 
amdgpu_interrupt_state state)
 {
-   if (crtc >= adev->mode_info.num_crtc) {
+   if (crtc >= adev->mode_info.num_crtc || !adev->mode_info.crtcs[crtc]) {
DRM_DEBUG("invalid crtc %d\n", crtc);
return;
}
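
Review bot: The guard `crtc >= adev->mode_info.num_crtc || !adev->mode_info.crtcs[crtc]` has no lower bound and crtc is declared `int`; if num_crtc is a signed type, a negative crtc passes the first test and crtcs[crtc] is then read out of bounds. Put `crtc < 0 ||` in front, or make the parameter unsigned, so that the newly added array access is safe on its own.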




[PATCH 4.14 080/109] spi: sun6i: disable/unprepare clocks on remove

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Tobias Jordan 


[ Upstream commit 2d9bbd02c54094ceffa555143b0d68cd06504d63 ]

sun6i_spi_probe() uses sun6i_spi_runtime_resume() to prepare/enable
clocks, so sun6i_spi_remove() should use sun6i_spi_runtime_suspend() to
disable/unprepare them if we're not suspended.
Replacing pm_runtime_disable() by pm_runtime_force_suspend() will ensure
that sun6i_spi_runtime_suspend() is called if needed.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver)
Signed-off-by: Tobias Jordan 
Acked-by: Maxime Ripard 
Signed-off-by: Mark Brown 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/spi/spi-sun6i.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -541,7 +541,7 @@ err_free_master:
 
 static int sun6i_spi_remove(struct platform_device *pdev)
 {
-   pm_runtime_disable(>dev);
+   pm_runtime_force_suspend(>dev);
 
return 0;
 }
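
Review bot: sun6i_spi_remove() ignores the return value of pm_runtime_force_suspend() and returns 0 unconditionally, so if the suspend callback fails the clocks stay enabled with no trace in the log. A dev_warn() on a non-zero return would at least make that visible.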




Re: [PATCH net] netlink: avoid a double skb free in genlmsg_mcast()

2018-03-16 Thread David Miller
From: Nicolas Dichtel 
Date: Wed, 14 Mar 2018 21:10:23 +0100

> nlmsg_multicast() always consumes the skb, thus the original skb must be
> freed only when this function is called with a clone.
> 
> Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
> Reported-by: Ben Hutchings 
> Signed-off-by: Nicolas Dichtel 

Yeah these "clone until final send" loops can be tricky to manage.

Good catch, applied and queued up for -stable, thanks.


[PATCH 4.14 052/109] mtd: nand: ifc: update bufnum mask for ver >= 2.0.0

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jagdish Gediya 


[ Upstream commit bccb06c353af3764ca86d9da47652458e6c2eb41 ]

Bufnum mask is used to calculate page position in the internal SRAM.

As IFC version 2.0.0 has 16KB of internal SRAM as compared to older
versions which had 8KB. Hence bufnum mask needs to be updated.

Signed-off-by: Jagdish Gediya 
Signed-off-by: Prabhakar Kushwaha 
Signed-off-by: Boris Brezillon 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/mtd/nand/fsl_ifc_nand.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/mtd/nand/fsl_ifc_nand.c
+++ b/drivers/mtd/nand/fsl_ifc_nand.c
@@ -916,6 +916,13 @@ static int fsl_ifc_chip_init(struct fsl_
if (ctrl->version >= FSL_IFC_VERSION_1_1_0)
fsl_ifc_sram_init(priv);
 
+   /*
+* As IFC version 2.0.0 has 16KB of internal SRAM as compared to older
+* versions which had 8KB. Hence bufnum mask needs to be updated.
+*/
+   if (ctrl->version >= FSL_IFC_VERSION_2_0_0)
+   priv->bufnum_mask = (priv->bufnum_mask * 2) + 1;
+
return 0;
 }
 




[PATCH 4.14 054/109] xfrm: Fix xfrm_replay_overflow_offload_esn

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Yossef Efraim 


[ Upstream commit 0ba23a211360af7b6658e4fcfc571970bbbacc55 ]

In case of wrap around, replay_esn->oseq_hi is not updated
before it is tested for its actual value, leading the function
to fail with overflow indication and packets being dropped.

This patch updates replay_esn->oseq_hi in the right place.

Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading")
Signed-off-by: Yossef Efraim 
Signed-off-by: Steffen Klassert 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 net/xfrm/xfrm_replay.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -666,7 +666,7 @@ static int xfrm_replay_overflow_offload_
if (unlikely(oseq < replay_esn->oseq)) {
XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi;
xo->seq.hi = oseq_hi;
-
+   replay_esn->oseq_hi = oseq_hi;
if (replay_esn->oseq_hi == 0) {
replay_esn->oseq--;
replay_esn->oseq_hi--;
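
Review bot: In the wrap-around branch, the rollback `replay_esn->oseq--;` now follows the newly added `replay_esn->oseq_hi = oseq_hi;`, but replay_esn->oseq itself is only assigned from the local oseq after this block, so on the overflow path the decrement is applied to a value that was never advanced. Please confirm that the rollback should touch replay_esn->oseq here at all, and add a comment on the state the function leaves behind when it returns the overflow error.
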
@@ -678,7 +678,6 @@ static int xfrm_replay_overflow_offload_
}
 
replay_esn->oseq = oseq;
-   replay_esn->oseq_hi = oseq_hi;
 
if (xfrm_aevent_is_on(net))
x->repl->notify(x, XFRM_REPLAY_UPDATE);




[PATCH 4.14 059/109] drm/etnaviv: make THERMAL selectable

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Philipp Zabel 


[ Upstream commit 49b82c389d2a40eaef1355aaa35868b367aec9d1 ]

The etnaviv driver causes a link failure if it is built-in but THERMAL
is built as a module:

  drivers/gpu/drm/etnaviv/etnaviv_gpu.o: In function `etnaviv_gpu_bind':
  etnaviv_gpu.c:(.text+0x4c4): undefined reference to `thermal_of_cooling_device_register'
  etnaviv_gpu.c:(.text+0x600): undefined reference to `thermal_cooling_device_unregister'
  drivers/gpu/drm/etnaviv/etnaviv_gpu.o: In function `etnaviv_gpu_unbind':
  etnaviv_gpu.c:(.text+0x2aac): undefined reference to `thermal_cooling_device_unregister'

Adding a Kconfig dependency on THERMAL || !THERMAL to avoid this causes
a dependency loop on x86_64:

  drivers/gpu/drm/tve200/Kconfig:1:error: recursive dependency detected!
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/gpu/drm/tve200/Kconfig:1:   symbol DRM_TVE200 depends on CMA
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  mm/Kconfig:489: symbol CMA is selected by DRM_ETNAVIV
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/gpu/drm/etnaviv/Kconfig:2:  symbol DRM_ETNAVIV depends on THERMAL
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/thermal/Kconfig:5:  symbol THERMAL is selected by ACPI_VIDEO
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/acpi/Kconfig:189:   symbol ACPI_VIDEO is selected by BACKLIGHT_CLASS_DEVICE
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/video/backlight/Kconfig:158:symbol BACKLIGHT_CLASS_DEVICE is selected by DRM_PARADE_PS8622
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/gpu/drm/bridge/Kconfig:62:  symbol DRM_PARADE_PS8622 depends on DRM_BRIDGE
  For a resolution refer to Documentation/kbuild/kconfig-language.txt
  subsection "Kconfig recursive dependency limitations"
  drivers/gpu/drm/bridge/Kconfig:1:   symbol DRM_BRIDGE is selected by DRM_TVE200

To work around this, add a new option DRM_ETNAVIV_THERMAL to optionally
enable thermal throttling support and make DRM_ETNAVIV select THERMAL
at the same time.

Reported-by: Stephen Rothwell 
Signed-off-by: Philipp Zabel 
Signed-off-by: Lucas Stach 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/gpu/drm/etnaviv/Kconfig   |9 +
 drivers/gpu/drm/etnaviv/etnaviv_gpu.c |8 +---
 2 files changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/etnaviv/Kconfig
+++ b/drivers/gpu/drm/etnaviv/Kconfig
@@ -6,6 +6,7 @@ config DRM_ETNAVIV
depends on MMU
select SHMEM
select SYNC_FILE
+   select THERMAL if DRM_ETNAVIV_THERMAL
select TMPFS
select IOMMU_API
select IOMMU_SUPPORT
@@ -15,6 +16,14 @@ config DRM_ETNAVIV
help
  DRM driver for Vivante GPUs.
 
+config DRM_ETNAVIV_THERMAL
+   bool "enable ETNAVIV thermal throttling"
+   depends on DRM_ETNAVIV
+   default y
+   help
+ Compile in support for thermal throttling.
+ Say Y unless you want to risk burning your SoC.
+
 config DRM_ETNAVIV_REGISTER_LOGGING
bool "enable ETNAVIV register logging"
depends on DRM_ETNAVIV
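
Review bot: DRM_ETNAVIV_THERMAL is `default y` and DRM_ETNAVIV gains `select THERMAL if DRM_ETNAVIV_THERMAL`, so configurations that so far built etnaviv with THERMAL disabled will have THERMAL pulled in on the next oldconfig. The help text should state that enabling this option selects THERMAL, so the side effect is visible to whoever answers the prompt.
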
--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
@@ -1622,7 +1622,7 @@ static int etnaviv_gpu_bind(struct devic
struct etnaviv_gpu *gpu = dev_get_drvdata(dev);
int ret;
 
-   if (IS_ENABLED(CONFIG_THERMAL)) {
+   if (IS_ENABLED(CONFIG_DRM_ETNAVIV_THERMAL)) {
gpu->cooling = thermal_of_cooling_device_register(dev->of_node,
(char *)dev_name(dev), gpu, _ops);
if (IS_ERR(gpu->cooling))
@@ -1635,7 +1635,8 @@ static int etnaviv_gpu_bind(struct devic
ret = etnaviv_gpu_clk_enable(gpu);
 #endif
if (ret < 0) {
-   thermal_cooling_device_unregister(gpu->cooling);
+   if (IS_ENABLED(CONFIG_DRM_ETNAVIV_THERMAL))
+   thermal_cooling_device_unregister(gpu->cooling);
return ret;
}
 
@@ -1692,7 +1693,8 @@ static void etnaviv_gpu_unbind(struct de
 
gpu->drm = NULL;
 
-   thermal_cooling_device_unregister(gpu->cooling);
+   if 

Re: [PATCH][next] crypto: x86/des3_ede: make array des3_ede_skciphers static

2018-03-16 Thread Herbert Xu
On Mon, Mar 05, 2018 at 02:18:00PM +0100, Colin King wrote:
> From: Colin Ian King 
> 
> The array des3_ede_skciphers is local to the source and does not need
> to be in global scope, so make it static.
> 
> Cleans up sparse warning:
> arch/x86/crypto/des3_ede_glue.c:407:21: warning: symbol
> 'des3_ede_skciphers' was not declared. Should it be static?
> 
> Signed-off-by: Colin Ian King 

This patch no longer applies because it's already been merged
from someone else.

Thanks,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


[PATCH 4.14 009/109] xhci: Fix front USB ports on ASUS PRIME B350M-A

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Kai-Heng Feng 

commit 191edc5e2e515aab1075a3f0ef23599e80be5f59 upstream.

When a USB device gets plugged on ASUS PRIME B350M-A's front ports, the
xHC stops working:
[  549.114587] xhci_hcd :02:00.0: WARN: xHC CMD_RUN timeout
[  549.114608] suspend_common(): xhci_pci_suspend+0x0/0xc0 returns -110
[  549.114638] xhci_hcd :02:00.0: can't suspend (hcd_pci_runtime_suspend returned -110)

A delay before running the xHC command CMD_RUN can work around the issue.

Use a new quirk to make the delay only target the affected xHC.

Signed-off-by: Kai-Heng Feng 
Signed-off-by: Mathias Nyman 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/host/xhci-pci.c |3 +++
 drivers/usb/host/xhci.c |3 +++
 drivers/usb/host/xhci.h |1 +
 3 files changed, 7 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -134,6 +134,9 @@ static void xhci_pci_quirks(struct devic
if (pdev->vendor == PCI_VENDOR_ID_AMD && usb_amd_find_chipset_info())
xhci->quirks |= XHCI_AMD_PLL_FIX;
 
+   if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x43bb)
+   xhci->quirks |= XHCI_SUSPEND_DELAY;
+
if (pdev->vendor == PCI_VENDOR_ID_AMD)
xhci->quirks |= XHCI_TRUST_TX_LENGTH;
 
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -887,6 +887,9 @@ int xhci_suspend(struct xhci_hcd *xhci,
clear_bit(HCD_FLAG_POLL_RH, >shared_hcd->flags);
del_timer_sync(>shared_hcd->rh_timer);
 
+   if (xhci->quirks & XHCI_SUSPEND_DELAY)
+   usleep_range(1000, 1500);
+
spin_lock_irq(>lock);
clear_bit(HCD_FLAG_HW_ACCESSIBLE, >flags);
clear_bit(HCD_FLAG_HW_ACCESSIBLE, >shared_hcd->flags);
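
Review bot: The `usleep_range(1000, 1500)` added to xhci_suspend() has no comment; the reason for the delay and how the 1000 to 1500 microsecond range was chosen are recorded only in the commit message. A one-line comment naming the CMD_RUN timeout it works around would help whoever revisits this quirk.
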
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1830,6 +1830,7 @@ struct xhci_hcd {
 #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26)
 /* Reserved. It was XHCI_U2_DISABLE_WAKE */
 #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL(1 << 28)
+#define XHCI_SUSPEND_DELAY (1 << 30)
 
unsigned intnum_active_eps;
unsigned intlimit_active_eps;
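
Review bot: XHCI_SUSPEND_DELAY is defined as (1 << 30) directly after
(1 << 28), which leaves bit 29 unassigned in this tree without a note, while
the earlier gap in the list carries a "Reserved" comment. If bit 29 is skipped
to keep the numbering identical to upstream, say so in a comment so that a
later change to this stable tree does not hand the bit to a different quirk.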




Re: [PATCH v2 00/36] remove in-kernel syscall invocations (part 1)

2018-03-16 Thread Linus Torvalds
On Fri, Mar 16, 2018 at 7:20 AM, Al Viro  wrote:
> On Fri, Mar 16, 2018 at 01:54:23AM -0700, Christoph Hellwig wrote:
>>
>> A lot of the issues here is that the initramfs / do_mount code
>> is written as if it was user space code, but in kernel space.  E.g.
>> using file descriptors etc.

Yeah, some of it could probably pass a 'struct filp *' around instead.

So there are definitely things we could do once we no longer use the
raw system calls anyway.

> ... and I still wonder if it would make more sense to kick that crap
> out into userland.

Oh, no, let's not do that. Even if we were to still maintain control
of user space, it would mean yet another nasty special case for the
compiler and linker scripts and for our initrd generation.

And if we were to spin it out entirely (aka udevd and friends), it
would become one of those nasty situations where there's some *very*
odd code that we need to keep compatibility with because you might run
a new kernel and some old "pre-init user code" stuff.

I'd much rather just make it look more like kernel code.

And maybe remove some code entirely. Christ, we still have the logic
in there to change *floppies* if the ramdisk doesn't fit on a single
floppy disk.  Does it work? Probably not, since presumably it hasn't
been used in ages. But it's still there.

So some of the ioctl's etc are due to insanely old legacy cases.

 Linus


[PATCH 4.14 015/109] staging: android: ashmem: Fix lockdep issue during llseek

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Joel Fernandes 

commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.

ashmem_mutex creates a chain of dependencies like so:

(1)
mmap syscall ->
  mmap_sem ->  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall ->
  ashmem_llseek ->
  ashmem_mutex ->  (acquired)
  inode_lock ->
  inode->i_rwsem (try to acquire)
  (block)

(3)
getdents ->
  iterate_dir ->
  inode_lock ->
  inode->i_rwsem   (acquired)
  copy_to_user ->
  mmap_sem (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzkaller test. This patch fixes
the issue by unlocking the mutex earlier. Functionally that's OK since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos 
Cc: Arve Hjonnevag 
Cc: sta...@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2...@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes 
Acked-by: Greg Hackmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/staging/android/ashmem.c |   15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -334,24 +334,23 @@ static loff_t ashmem_llseek(struct file
mutex_lock(_mutex);
 
if (asma->size == 0) {
-   ret = -EINVAL;
-   goto out;
+   mutex_unlock(_mutex);
+   return -EINVAL;
}
 
if (!asma->file) {
-   ret = -EBADF;
-   goto out;
+   mutex_unlock(_mutex);
+   return -EBADF;
}
 
+   mutex_unlock(_mutex);
+
ret = vfs_llseek(asma->file, offset, origin);
if (ret < 0)
-   goto out;
+   return ret;
 
/** Copy f_pos from backing file, since f_ops->llseek() sets it */
file->f_pos = asma->file->f_pos;
-
-out:
-   mutex_unlock(_mutex);
return ret;
 }
 
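
Review bot: After this change the asma->size and asma->file checks run under
ashmem_mutex, but vfs_llseek(asma->file, ...) and the asma->file->f_pos read
run after mutex_unlock(). That is only safe if asma->file can never be cleared
or replaced once it has been set while the ashmem file is open. Nothing in the
hunk shows that, so please state the invariant in a comment next to the early
unlock, or take a local copy of asma->file while the mutex is held and use the
copy below.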




[PATCH 4.14 017/109] usbip: vudc: fix null pointer dereference on udc->lock

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit df3334c223a033f562645712e832ca4cbb326bbf upstream.

Currently the driver attempts to spin lock on udc->lock before a NULL
pointer check is performed on udc, hence there is a potential null
pointer dereference on udc->lock.  Fix this by moving the null check
on udc before the lock occurs.

Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
Signed-off-by: Colin Ian King 
Acked-by: Shuah Khan 
Reviewed-by: Krzysztof Opasiak 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/usbip/vudc_sysfs.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/usbip/vudc_sysfs.c
+++ b/drivers/usb/usbip/vudc_sysfs.c
@@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic
if (rv != 0)
return -EINVAL;
 
+   if (!udc) {
+   dev_err(dev, "no device");
+   return -ENODEV;
+   }
spin_lock_irqsave(>lock, flags);
/* Don't export what we don't have */
-   if (!udc || !udc->driver || !udc->pullup) {
-   dev_err(dev, "no device or gadget not bound");
+   if (!udc->driver || !udc->pullup) {
+   dev_err(dev, "gadget not bound");
ret = -ENODEV;
goto unlock;
}
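
Review bot: Both new dev_err() strings, "no device" and "gadget not bound",
are missing the trailing \n. The removed message lacked it as well, but since
the lines are being rewritten anyway this is the place to add it. The early
return -ENODEV ahead of spin_lock_irqsave() is right, since the unlock label
must not be reached without the lock held.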




[PATCH 4.14 016/109] USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Teijo Kinnunen 

commit 5126a504b63d82785eaece3a9c30c660b313785a upstream.

This USB-SATA controller seems to be similar to JMicron bridge
152d:2566 already on the list. Adding it here fixes "Invalid
field in cdb" errors.

Signed-off-by: Teijo Kinnunen 
Cc: sta...@vger.kernel.org
Acked-by: Alan Stern 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/storage/unusual_devs.h |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -2137,6 +2137,13 @@ UNUSUAL_DEV(  0x152d, 0x2566, 0x0114, 0x
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_BROKEN_FUA ),
 
+/* Reported by Teijo Kinnunen  */
+UNUSUAL_DEV(  0x152d, 0x2567, 0x0117, 0x0117,
+   "JMicron",
+   "USB to ATA/ATAPI Bridge",
+   USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+   US_FL_BROKEN_FUA ),
+
 /* Reported-by George Cherian  */
 UNUSUAL_DEV(0x152d, 0x9561, 0x, 0x,
"JMicron",

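Review bot: The new entry limits bcdDevice to the single revision 0x0117
(0x0117, 0x0117), so any other firmware revision of 152d:2567 would not get
US_FL_BROKEN_FUA. If 0x0117 is the only revision that was tested, that is a
defensible choice, but the commit message says only that the bridge seems
similar to 152d:2566, so it would help to record which revision was tested.
The comment also reads "Reported by" where the neighbouring entry uses the
"Reported-by" form.
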



[PATCH 4.14 018/109] usb: quirks: add control message delay for 1b1c:1b20

2018-03-16 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Danilo Krummrich 

commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.

Corsair Strafe RGB keyboard does not respond to usb control messages
sometimes and hence generates timeouts.

Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair
Strafe RGB keyboard") tried to fix those timeouts by adding
USB_QUIRK_DELAY_INIT.

Unfortunately, even with this quirk timeouts of usb_control_msg()
can still be seen, but with a lower frequency (approx. 1 out of 15):

[   29.103520] usb 1-8: string descriptor 0 read error: -110
[   34.363097] usb 1-8: can't set config #1, error -110

Adding further delays to different locations where usb control
messages are issued just moves the timeouts to other locations,
e.g.:

[   35.400533] usbhid 1-8:1.0: can't add hid device: -110
[   35.401014] usbhid: probe of 1-8:1.0 failed with error -110

The only way to reliably avoid those issues is having a pause after
each usb control message. In approx. 200 boot cycles no more timeouts
were seen.

Additionally, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
to have the delay in hub_port_connect() after hub_port_init().

The overall boot time seems not to be influenced by these additional
delays, even on fast machines and lightweight distributions.

Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
Cc: sta...@vger.kernel.org
Signed-off-by: Danilo Krummrich 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/core/message.c |4 
 drivers/usb/core/quirks.c  |3 ++-
 include/linux/usb/quirks.h |3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -150,6 +150,10 @@ int usb_control_msg(struct usb_device *d
 
ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
 
+   /* Linger a bit, prior to the next control message. */
+   if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
+   msleep(200);
+
kfree(dr);
 
return ret;
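
Review bot: msleep(200) is a bare constant with only "Linger a bit" as its
explanation. The commit message reports approx. 200 boot cycles without
timeouts but does not say how 200 ms was arrived at or whether a shorter pause
was tried. Since this runs after every usb_control_msg() for the device, put
the value behind a named define with a comment stating that it is empirical.
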
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
 
/* Corsair Strafe RGB */
-   { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+   { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
 
/* Corsair K70 LUX */
{ USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -57,4 +57,7 @@
  */
 #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL  BIT(11)
 
+/* Device needs a pause after every control message. */
+#define USB_QUIRK_DELAY_CTRL_MSG   BIT(13)
+
 #endif /* __LINUX_USB_QUIRKS_H */
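
Review bot: USB_QUIRK_DELAY_CTRL_MSG takes BIT(13) while the define just above
it is BIT(11), so BIT(12) is left unassigned here without comment. If the
value is kept to match upstream numbering, add a one-line note marking BIT(12)
as reserved so that a later change to this stable tree does not reuse it for
something else.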




Re: [PATCH v3] hugetlbfs: check for pgoff value overflow

2018-03-16 Thread Michal Hocko
On Fri 16-03-18 09:19:07, Mike Kravetz wrote:
> On 03/16/2018 03:17 AM, Michal Hocko wrote:
> > On Thu 08-03-18 16:27:26, Mike Kravetz wrote:
> > 
> > OK, looks good to me. Hairy but seems to be the easiest way around this.
> > Acked-by: Michal Hocko 
> > 
> 
> >> +/*
> >> + * Mask used when checking the page offset value passed in via system
> >> + * calls.  This value will be converted to a loff_t which is signed.
> >> + * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
> >> + * value.  The extra bit (- 1 in the shift value) is to take the sign
> >> + * bit into account.
> >> + */
> >> +#define PGOFF_LOFFT_MAX (PAGE_MASK << (BITS_PER_LONG - (2 * PAGE_SHIFT) - 
> >> 1))
> 
> Thanks Michal,
> 
> However, kbuild found a problem with this definition on certain configs.
> Consider a config where,
> BITS_PER_LONG = 32 (32bit config)
> PAGE_SHIFT = 16 (64K pages)
> This results in the negative shift value.
> Not something I would not immediately think of, but a valid config.

Well, 64K pages on 32b doesn't sound even remotely sane to me but what
ever.

> The definition has been changed to,
> #define PGOFF_LOFFT_MAX \
>   (((1UL << (PAGE_SHIFT + 1)) - 1) <<  (BITS_PER_LONG - (PAGE_SHIFT + 1)))
> 
> as discussed here,
> http://lkml.kernel.org/r/432fb2a3-b729-9c3a-7d60-890b8f9b1...@oracle.com

This looks more wild but seems correct as well. You can keep my acked-by

Thanks!
-- 
Michal Hocko
SUSE Labs
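
The two PGOFF_LOFFT_MAX definitions quoted in this message, evaluated for several configurations, as an added example that is not part of the thread or of the patch. BITS_PER_LONG and PAGE_SHIFT are passed as parameters so that a 32-bit long can be emulated on any host; the helper names and the 32-bit overflow test used as ground truth are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulate an unsigned long that is `bits` wide (32 or 64) inside a uint64_t. */
static uint64_t as_ulong(uint64_t v, int bits)
{
	return bits >= 64 ? v : (v & ((UINT64_C(1) << bits) - 1));
}

/* Shift count of the first definition: BITS_PER_LONG - (2 * PAGE_SHIFT) - 1. */
int first_def_shift(int bits, int page_shift)
{
	return bits - (2 * page_shift) - 1;
}

/*
 * First definition: PAGE_MASK << shift. A negative shift count is undefined
 * behaviour in C, so this returns 0 instead of evaluating it.
 */
uint64_t mask_first_def(int bits, int page_shift)
{
	int shift = first_def_shift(bits, page_shift);
	uint64_t page_mask = as_ulong(~((UINT64_C(1) << page_shift) - 1), bits);

	if (shift < 0)
		return 0;
	return as_ulong(page_mask << shift, bits);
}

/* Revised definition: PAGE_SHIFT + 1 one-bits placed at the top of the word. */
uint64_t mask_revised(int bits, int page_shift)
{
	uint64_t ones = (UINT64_C(1) << (page_shift + 1)) - 1;

	return as_ulong(ones << (bits - (page_shift + 1)), bits);
}

/* Mask test on a 32-bit long: any of the upper PAGE_SHIFT + 1 bits set. */
int mask_rejects32(uint32_t pgoff, int page_shift)
{
	return (pgoff & mask_revised(32, page_shift)) != 0;
}

/*
 * Ground truth (assumed purpose of the mask): pgoff << PAGE_SHIFT must fit in
 * a non-negative signed 32-bit value. Computed exactly in 64-bit arithmetic.
 */
int byte_offset_overflows32(uint32_t pgoff, int page_shift)
{
	return ((uint64_t)pgoff << page_shift) > (uint64_t)INT32_MAX;
}

/* Returns 1 when the mask test and the exact test agree around the boundary. */
int agrees_at_boundary32(int page_shift)
{
	uint32_t edge = UINT32_C(1) << (31 - page_shift); /* first bad pgoff */
	uint32_t probes[] = { 0, edge - 1, edge, edge + 1, UINT32_MAX };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		if (mask_rejects32(probes[i], page_shift) !=
		    byte_offset_overflows32(probes[i], page_shift))
			return 0;
	}
	return 1;
}

int main(void)
{
	/* Constructed configurations: {BITS_PER_LONG, PAGE_SHIFT}. */
	static const int cfg[][2] = { {64, 12}, {64, 16}, {32, 12}, {32, 16} };
	size_t i;

	for (i = 0; i < sizeof(cfg) / sizeof(cfg[0]); i++) {
		int bits = cfg[i][0], ps = cfg[i][1];

		printf("bits=%d shift=%d: first-def shift count %3d, "
		       "first=%016llx revised=%016llx\n",
		       bits, ps, first_def_shift(bits, ps),
		       (unsigned long long)mask_first_def(bits, ps),
		       (unsigned long long)mask_revised(bits, ps));
	}
	printf("32-bit, 64K pages: mask agrees with exact check: %d\n",
	       agrees_at_boundary32(16));
	return 0;
}
```

Where the first definition has a non-negative shift count it yields the same mask as the revised one; only the 32-bit, 64K-page row differs.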


Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64

2018-03-16 Thread Mimi Zohar
On Thu, 2018-03-15 at 10:29 -0700, James Bottomley wrote:
> On Thu, 2018-03-15 at 13:14 -0400, Mimi Zohar wrote:
> > On Thu, 2018-03-15 at 10:08 -0700, James Bottomley wrote:
> > > 
> > > On Thu, 2018-03-15 at 12:19 -0400, Mimi Zohar wrote:
> > 
> > > 
> > > > 
> > > > If EFI is extending the TPM, will the events be added to the TPM
> > > > event log or to the IMA measurement list?
> > > 
> > > I'm not proposing any changes to the tpm_pcr_extend API.  At the
> > > moment it does an extend without logging, so that's what it will do
> > > in the EFI driver case as well.  That means logging is still the
> > > responsibility of the caller.
> > 
> > Does EFI support extending multiple TPM banks?
> 
> The specs are here:
> 
> https://trustedcomputinggroup.org/tcg-efi-protocol-specification/
> 
> As I said, I'm not planning to change the tpm_pcr_.. API.  At the
> moment for a TPM2 we extend all banks in the tpm_pcr_extend() API, so
> that's what we'll continue to do ... including extending the sha256
> banks with the sha1 hash, which seems to be our current practice.

Thanks, what you're planning on doing is a lot clearer now.

Mimi



Re: [PATCH v3 2/2] media: ov2680: Add Omnivision OV2680 sensor driver

2018-03-16 Thread Rui Miguel Silva

Hi Sakari,
On Fri 16 Mar 2018 at 16:10, Sakari Ailus wrote:
On Thu, Mar 15, 2018 at 09:29:33AM +, Rui Miguel Silva wrote:

Hi,
On Wed 14 Mar 2018 at 19:39, kbuild test robot wrote:
> Hi Rui,
> 
> I love your patch! Yet something to improve:
> 
> [auto build test ERROR on v4.16-rc4]

> [cannot apply to next-20180314]
> [if your patch is applied to the wrong git tree, please drop 
> us a note

> to help improve the system]
> 
> url: 
> https://github.com/0day-ci/linux/commits/Rui-Miguel-Silva/media-Introduce-Omnivision-OV2680-driver/20180315-020617

> config: sh-allmodconfig (attached as .config)
> compiler: sh4-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0
> reproduce:
> wget
> https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross
> -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # save the attached .config to linux build tree
> make.cross ARCH=sh
> 
> All errors (new ones prefixed by >>):
> 
>drivers/media/i2c/ov2680.c: In function 'ov2680_set_fmt':
> > > drivers/media/i2c/ov2680.c:713:9: error: implicit 
> > > declaration of

> > > function 'v4l2_find_nearest_size'; did you mean
> > > 'v4l2_find_nearest_format'?
> > > [-Werror=implicit-function-declaration]
>  mode = v4l2_find_nearest_size(ov2680_mode_data,
> ^~
> v4l2_find_nearest_format

As requested by maintainer this series depend on this patch [0], which
introduce this macro. I am not sure of the status of that patch though.

No need to worry about that, the sensor driver will just be merged after
the dependencies are in. Mauro said he'd handle the pull request early next
week.


Great, Many thanks for everything.

---
Cheers,
Rui




Re: uprobes misses breakpoint insertion into VM_WRITE mappings

2018-03-16 Thread Oleg Nesterov
On 03/15, Mathieu Desnoyers wrote:
>
> Hi,
>
> Erica has been working on extending test-cases for uprobes, and found
> something unexpected:
>
> Since commit e40cfce626a5 "uprobes: Restrict valid_vma(false) to skip 
> VM_SHARED vmas"
> uprobes does not insert breakpoints into mappings mprotect'd as writeable.

Not really, VM_WRITE was illegal from the very beginning, this commit only
affects the "is_register == false" case.

> This issue can be reproduced by compiling a library without PIC (not using 
> GOT),
> and then concurrently:
>
> A) Load the library (dynamic loader mprotect the code as writeable to do
>the relocations, and then mprotect as executable),
>
> B) Enable a uprobe through perf.
>
> (it is a race window between the two mprotect syscalls)
>
> It appears that the following restriction in valid_vma() is responsible
> for this behavior:
>
> if (is_register)
> flags |= VM_WRITE;
>
> I don't figure a clear explanation for this flag based on the function
> comment nor the commit changelog. Any idea on whether this is really
> needed ?

Because we do not want to modify the writable area. If nothing else, this
can break the application which writes to the page we are going to replace.

> Note that on uprobes unregister, it allows removing a breakpoint event
> on a writeable mapping,

Yes. Because a probed application can do mprotect() after the kernel installs
the breakpoint. And we have to remove this breakpoint in any case, even if
this is unsafe too.

Oleg.



[PATCH 4.9 47/86] watchdog: hpwdt: SMBIOS check

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jerry Hoemann 

commit c42cbe41727a138905a28f8e0b00c147be77ee93 upstream.

This corrects:
commit cce78da76601 ("watchdog: hpwdt: Add check for UEFI bits")

The test on HPE SMBIOS extension type 219 record "Misc Features"
bits for UEFI support is incorrect.  The definition of the Misc Features
bits in the HPE SMBIOS OEM Extensions specification (and related
firmware) was changed to use a different pair of bits to
represent UEFI supported.  However, a corresponding change
to Linux was missed.

Current code/platform work because the iCRU test is working.
But purpose of cce78da766 is to ensure correct functionality
on future systems where iCRU isn't supported.

Signed-off-by: Jerry Hoemann 
Reviewed-by: Guenter Roeck 
Signed-off-by: Guenter Roeck 
Signed-off-by: Wim Van Sebroeck 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/watchdog/hpwdt.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/watchdog/hpwdt.c
+++ b/drivers/watchdog/hpwdt.c
@@ -700,7 +700,7 @@ static void dmi_find_icru(const struct d
smbios_proliant_ptr = (struct smbios_proliant_info *) dm;
if (smbios_proliant_ptr->misc_features & 0x01)
is_icru = 1;
-   if (smbios_proliant_ptr->misc_features & 0x408)
+   if (smbios_proliant_ptr->misc_features & 0x1400)
is_uefi = 1;
}
 }
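
Review bot: misc_features & 0x1400 is true when either of the two bits is
set. The commit message speaks of a pair of bits representing UEFI support; if
both bits have to be set, the test needs to be
(smbios_proliant_ptr->misc_features & 0x1400) == 0x1400. Whichever is
intended, the raw masks 0x01 and 0x1400 would be easier to check against the
HPE SMBIOS OEM Extensions specification as named defines.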




[PATCH 4.9 51/86] ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 863204cfdae98626a92535ac928ad79f4d6b74ff upstream.

In configurations without CONFIG_OMAP3 but with secure RAM support,
we now run into a link failure:

arch/arm/mach-omap2/omap-secure.o: In function `omap3_save_secure_ram':
omap-secure.c:(.text+0x130): undefined reference to `save_secure_ram_context'

The omap3_save_secure_ram() function is only called from the OMAP34xx
power management code, so we can simply hide that function in the
appropriate #ifdef.

Fixes: d09220a887f7 ("ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context")
Acked-by: Tony Lindgren 
Tested-by: Dan Murphy 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/mach-omap2/omap-secure.c |2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/mach-omap2/omap-secure.c
+++ b/arch/arm/mach-omap2/omap-secure.c
@@ -73,6 +73,7 @@ phys_addr_t omap_secure_ram_mempool_base
return omap_secure_memblock_base;
 }
 
+#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM)
 u32 omap3_save_secure_ram(void __iomem *addr, int size)
 {
u32 ret;
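
Review bot: The guard is defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM),
but the commit message describes the failing configuration as "without
CONFIG_OMAP3" and does not name CONFIG_PM at all. Please align the message
with the symbols actually tested. The diffstat shows only omap-secure.c
changing, so the declaration of omap3_save_secure_ram() stays visible in
every configuration, and a caller added outside the guard would fail at link
time rather than at compile time.
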
@@ -91,6 +92,7 @@ u32 omap3_save_secure_ram(void __iomem *
 
return ret;
 }
+#endif
 
 /**
  * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
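
Review bot: The closing #endif sits about twenty lines below its #if and has
no trailing comment. Writing it as
#endif /* CONFIG_ARCH_OMAP3 && CONFIG_PM */ would make the end of the guarded
region obvious.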




[PATCH 4.9 80/86] usb: quirks: add control message delay for 1b1c:1b20

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Danilo Krummrich 

commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.

Corsair Strafe RGB keyboard does not respond to usb control messages
sometimes and hence generates timeouts.

Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair
Strafe RGB keyboard") tried to fix those timeouts by adding
USB_QUIRK_DELAY_INIT.

Unfortunately, even with this quirk timeouts of usb_control_msg()
can still be seen, but with a lower frequency (approx. 1 out of 15):

[   29.103520] usb 1-8: string descriptor 0 read error: -110
[   34.363097] usb 1-8: can't set config #1, error -110

Adding further delays to different locations where usb control
messages are issued just moves the timeouts to other locations,
e.g.:

[   35.400533] usbhid 1-8:1.0: can't add hid device: -110
[   35.401014] usbhid: probe of 1-8:1.0 failed with error -110

The only way to reliably avoid those issues is having a pause after
each usb control message. In approx. 200 boot cycles no more timeouts
were seen.

Additionally, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
to have the delay in hub_port_connect() after hub_port_init().

The overall boot time seems not to be influenced by these additional
delays, even on fast machines and lightweight distributions.

Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
Cc: sta...@vger.kernel.org
Signed-off-by: Danilo Krummrich 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/core/message.c |4 
 drivers/usb/core/quirks.c  |3 ++-
 include/linux/usb/quirks.h |3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -148,6 +148,10 @@ int usb_control_msg(struct usb_device *d
 
ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
 
+   /* Linger a bit, prior to the next control message. */
+   if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
+   msleep(200);
+
kfree(dr);
 
return ret;
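
Review bot: The pause is taken regardless of ret, so a control message that
has already failed with a timeout costs a further 200 ms, and it is taken
before kfree(dr), so the setup packet stays allocated across the sleep. Moving
the msleep() below kfree(dr) costs nothing; whether the pause should be
skipped on error deserves a sentence in the comment either way.
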
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
 
/* Corsair Strafe RGB */
-   { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+   { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
 
/* Corsair K70 LUX */
{ USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -56,4 +56,7 @@
  */
 #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL  BIT(11)
 
+/* Device needs a pause after every control message. */
+#define USB_QUIRK_DELAY_CTRL_MSG   BIT(13)
+
 #endif /* __LINUX_USB_QUIRKS_H */




[PATCH 4.9 79/86] usbip: vudc: fix null pointer dereference on udc->lock

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit df3334c223a033f562645712e832ca4cbb326bbf upstream.

Currently the driver attempts to spin lock on udc->lock before a NULL
pointer check is performed on udc, hence there is a potential null
pointer dereference on udc->lock.  Fix this by moving the null check
on udc before the lock occurs.

Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
Signed-off-by: Colin Ian King 
Acked-by: Shuah Khan 
Reviewed-by: Krzysztof Opasiak 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/usbip/vudc_sysfs.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/usbip/vudc_sysfs.c
+++ b/drivers/usb/usbip/vudc_sysfs.c
@@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic
if (rv != 0)
return -EINVAL;
 
+   if (!udc) {
+   dev_err(dev, "no device");
+   return -ENODEV;
+   }
spin_lock_irqsave(>lock, flags);
/* Don't export what we don't have */
-   if (!udc || !udc->driver || !udc->pullup) {
-   dev_err(dev, "no device or gadget not bound");
+   if (!udc->driver || !udc->pullup) {
+   dev_err(dev, "gadget not bound");
ret = -ENODEV;
goto unlock;
}




[PATCH 4.9 77/86] staging: android: ashmem: Fix lockdep issue during llseek

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Joel Fernandes 

commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.

ashmem_mutex creates a chain of dependencies like so:

(1)
mmap syscall ->
  mmap_sem ->  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall ->
  ashmem_llseek ->
  ashmem_mutex ->  (acquired)
  inode_lock ->
  inode->i_rwsem (try to acquire)
  (block)

(3)
getdents ->
  iterate_dir ->
  inode_lock ->
  inode->i_rwsem   (acquired)
  copy_to_user ->
  mmap_sem (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzkaller test. This patch fixes
the issue by unlocking the mutex earlier. Functionally that's OK since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos 
Cc: Arve Hjonnevag 
Cc: sta...@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2...@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes 
Acked-by: Greg Hackmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/staging/android/ashmem.c |   15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -343,24 +343,23 @@ static loff_t ashmem_llseek(struct file
mutex_lock(_mutex);
 
if (asma->size == 0) {
-   ret = -EINVAL;
-   goto out;
+   mutex_unlock(_mutex);
+   return -EINVAL;
}
 
if (!asma->file) {
-   ret = -EBADF;
-   goto out;
+   mutex_unlock(_mutex);
+   return -EBADF;
}
 
+   mutex_unlock(_mutex);
+
ret = vfs_llseek(asma->file, offset, origin);
if (ret < 0)
-   goto out;
+   return ret;
 
/** Copy f_pos from backing file, since f_ops->llseek() sets it */
file->f_pos = asma->file->f_pos;
-
-out:
-   mutex_unlock(_mutex);
return ret;
 }
 
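
Review bot: With the unlock moved up, file->f_pos = asma->file->f_pos now
runs without ashmem_mutex held, so two llseek calls that share the same
backing file can interleave between vfs_llseek() and this copy and leave
file->f_pos holding the other caller's position. The commit message says
vfs_llseek does not need protecting but does not address the copy. Either
note why the interleaving is acceptable, or assign from ret, which is the
position vfs_llseek() has just returned.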




[PATCH 4.9 65/86] ubi: Fix race condition between ubi volume creation and udev

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Clay McClure 

commit a51a0c8d213594bc094cb8e54aad0cb6d7f7b9a6 upstream.

Similar to commit 714fb87e8bc0 ("ubi: Fix race condition between ubi
device creation and udev"), we should make the volume active before
registering it.

Signed-off-by: Clay McClure 
Cc: 
Signed-off-by: Richard Weinberger 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/mtd/ubi/vmt.c |   15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -265,6 +265,12 @@ int ubi_create_volume(struct ubi_device
vol->last_eb_bytes = vol->usable_leb_size;
}
 
+   /* Make volume "available" before it becomes accessible via sysfs */
+   spin_lock(>volumes_lock);
+   ubi->volumes[vol_id] = vol;
+   ubi->vol_count += 1;
+   spin_unlock(>volumes_lock);
+
/* Register character device for the volume */
cdev_init(>cdev, _vol_cdev_operations);
vol->cdev.owner = THIS_MODULE;
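
Review bot: Publishing ubi->volumes[vol_id] = vol ahead of cdev_init() means
that anything walking ubi->volumes under volumes_lock can now see a volume
whose cdev and device are not yet set up. The commit message explains why the
volume has to be active before registration, but please confirm, and say in
the new comment, that readers of ubi->volumes do not touch vol->cdev or the
device until registration has finished.
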
@@ -304,11 +310,6 @@ int ubi_create_volume(struct ubi_device
if (err)
goto out_sysfs;
 
-   spin_lock(>volumes_lock);
-   ubi->volumes[vol_id] = vol;
-   ubi->vol_count += 1;
-   spin_unlock(>volumes_lock);
-
ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED);
self_check_volumes(ubi);
return err;
@@ -328,6 +329,10 @@ out_sysfs:
 out_cdev:
cdev_del(>cdev);
 out_mapping:
+   spin_lock(>volumes_lock);
+   ubi->volumes[vol_id] = NULL;
+   ubi->vol_count -= 1;
+   spin_unlock(>volumes_lock);
if (do_free)
ubi_eba_destroy_table(eba_tbl);
 out_acc:
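
Review bot: The rollback (ubi->volumes[vol_id] = NULL; ubi->vol_count -= 1;)
sits under the out_mapping label, so it is correct only if every
goto out_mapping is reached after the new publish block. A jump taken earlier
would decrement vol_count without the matching increment. Those gotos are
outside the visible hunks, so this needs checking against the full function.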




[PATCH 4.9 67/86] NFS: Fix an incorrect type in struct nfs_direct_req

2018-03-16 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit d9ee65539d3eabd9ade46cca1780e3309ad0f907 upstream.

The start offset needs to be of type loff_t.

Fixed: 5fadeb47dcc5c ("nfs: count DIO good bytes correctly with mirroring")
Cc: sta...@vger.kernel.org # v4.0+
Signed-off-by: Trond Myklebust 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/direct.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -86,10 +86,10 @@ struct nfs_direct_req {
struct nfs_direct_mirror mirrors[NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX];
int mirror_count;
 
+   loff_t  io_start;   /* Start offset for I/O */
ssize_t count,  /* bytes actually processed */
max_count,  /* max expected count */
bytes_left, /* bytes left to be sent */
-   io_start,   /* start of IO */
error;  /* any reported error */
struct completion   completion; /* wait for i/o completion */
 
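
Review bot: Only the declaration of io_start changes (the diffstat is one
insertion and one deletion), so every place that assigns, compares or prints
io_start is left as it was. With io_start now loff_t beside ssize_t count
fields, check those users for narrowing assignments and for format strings
that assumed ssize_t, in particular on builds where the two types differ in
width.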




Re: [linux-sunxi] [PATCH v4 4/9] pinctrl: sunxi: add support for the Allwinner H6 main pin controller

2018-03-16 Thread Andre Przywara
Hi,

On 16/03/18 14:02, Icenowy Zheng wrote:
> The Allwinner H6 SoC has two pin controllers, one main controller
> (called CPUX-PORT in user manual) and one controller in CPUs power
> domain (called CPUS-PORT in user manual).
> 
> This commit introduces support for the main pin controller on H6.
> 
> The pin bank A and B are not wired out and hidden from the SoC's
> documents, however it's shown that the "ATE" (an AC200 chip
> co-packaged with the H6 die) is connected to the main SoC die via these
> pin banks. The information about these banks is just copied from the BSP
> pinctrl driver, but re-formatted to fit the mainline pinctrl driver
> format. The GPIO functions are dropped, as they're impossible to use --
> except a GPIO only pin (PB20) which might be the IRQ of ATE.
> 
> Signed-off-by: Icenowy Zheng 
> Acked-by: Rob Herring 

As mentioned before, I checked every single pin against the manual and
this looks correct to me.

Reviewed-by: Andre Przywara 

Thanks!
Andre.


[PATCH -next 04/22] net: socket: add __sys_socket() helper; remove in-kernel call to syscall

2018-03-16 Thread Dominik Brodowski
Using the net-internal helper __sys_socket() allows us to avoid the
internal calls to the sys_socket() syscall.

Cc: David S. Miller 
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski 
---
 include/linux/socket.h | 1 +
 net/compat.c   | 2 +-
 net/socket.c   | 9 +++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/linux/socket.h b/include/linux/socket.h
index 6a9840271676..f8d040434a13 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -363,5 +363,6 @@ extern int __sys_sendto(int fd, void __user *buff, size_t 
len,
int addr_len);
 extern int __sys_accept4(int fd, struct sockaddr __user *upeer_sockaddr,
 int __user *upeer_addrlen, int flags);
+extern int __sys_socket(int family, int type, int protocol);
 
 #endif /* _LINUX_SOCKET_H */
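
Review bot: The commit message calls __sys_socket() a net-internal helper,
yet the prototype is added to include/linux/socket.h, which makes it callable
from anywhere in the kernel. If it is meant for net/ only, a header private to
net/ would enforce that; if wider use is intended, drop "net-internal" from
the message and add a comment saying the helper takes the same arguments as
the socket() syscall.
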
diff --git a/net/compat.c b/net/compat.c
index 0ff9f7451b6f..5b3b74c5812e 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -811,7 +811,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, 
args)
 
switch (call) {
case SYS_SOCKET:
-   ret = sys_socket(a0, a1, a[2]);
+   ret = __sys_socket(a0, a1, a[2]);
break;
case SYS_BIND:
ret = sys_bind(a0, compat_ptr(a1), a[2]);
diff --git a/net/socket.c b/net/socket.c
index 45f6ea0d57a5..07f379e50def 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1332,7 +1332,7 @@ int sock_create_kern(struct net *net, int family, int 
type, int protocol, struct
 }
 EXPORT_SYMBOL(sock_create_kern);
 
-SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
+int __sys_socket(int family, int type, int protocol)
 {
int retval;
struct socket *sock;
@@ -1359,6 +1359,11 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, 
protocol)
return sock_map_fd(sock, flags & (O_CLOEXEC | O_NONBLOCK));
 }
 
+SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
+{
+   return __sys_socket(family, type, protocol);
+}
+
 /*
  * Create a pair of connected sockets.
  */
@@ -2463,7 +2468,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long 
__user *, args)
 
switch (call) {
case SYS_SOCKET:
-   err = sys_socket(a0, a1, a[2]);
+   err = __sys_socket(a0, a1, a[2]);
break;
case SYS_BIND:
err = sys_bind(a0, (struct sockaddr __user *)a1, a[2]);
-- 
2.16.2



[PATCH -next 09/22] net: socket: add __sys_getpeername() helper; remove in-kernel call to syscall

2018-03-16 Thread Dominik Brodowski
Using the net-internal helper __sys_getpeername() allows us to avoid the
internal calls to the sys_getpeername() syscall.

Cc: David S. Miller 
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski 
---
 include/linux/socket.h |  2 ++
 net/compat.c   |  2 +-
 net/socket.c   | 14 ++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/include/linux/socket.h b/include/linux/socket.h
index ef0226a61b03..9ba003e92fea 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -370,5 +370,7 @@ extern int __sys_connect(int fd, struct sockaddr __user 
*uservaddr,
 extern int __sys_listen(int fd, int backlog);
 extern int __sys_getsockname(int fd, struct sockaddr __user *usockaddr,
 int __user *usockaddr_len);
+extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr,
+int __user *usockaddr_len);
 
 #endif /* _LINUX_SOCKET_H */
diff --git a/net/compat.c b/net/compat.c
index efd28d02608c..74017f618eb1 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -829,7 +829,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, 
args)
ret = __sys_getsockname(a0, compat_ptr(a1), compat_ptr(a[2]));
break;
case SYS_GETPEERNAME:
-   ret = sys_getpeername(a0, compat_ptr(a1), compat_ptr(a[2]));
+   ret = __sys_getpeername(a0, compat_ptr(a1), compat_ptr(a[2]));
break;
case SYS_SOCKETPAIR:
ret = sys_socketpair(a0, a1, a[2], compat_ptr(a[3]));
diff --git a/net/socket.c b/net/socket.c
index b61e0d20f37b..007fb9483279 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1712,8 +1712,8 @@ SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr 
__user *, usockaddr,
  * name to user space.
  */
 
-SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
-   int __user *, usockaddr_len)
+int __sys_getpeername(int fd, struct sockaddr __user *usockaddr,
+ int __user *usockaddr_len)
 {
struct socket *sock;
struct sockaddr_storage address;
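Review bot: __sys_getpeername() becomes a non-static function here and is declared in include/linux/socket.h, yet it still takes __user pointers for usockaddr and usockaddr_len. A short comment above the definition, stating that it expects userspace pointers and exists for the socketcall and compat socketcall paths, would keep other in-kernel code from calling it with kernel buffers.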
@@ -1738,6 +1738,12 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr 
__user *, usockaddr,
return err;
 }
 
+SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+   int __user *, usockaddr_len)
+{
+   return __sys_getpeername(fd, usockaddr, usockaddr_len);
+}
+
 /*
  * Send a datagram to a given address. We move the address into kernel
  * space and check the user space data area is readable before invoking
@@ -2511,8 +2517,8 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long 
__user *, args)
break;
case SYS_GETPEERNAME:
err =
-   sys_getpeername(a0, (struct sockaddr __user *)a1,
-   (int __user *)a[2]);
+   __sys_getpeername(a0, (struct sockaddr __user *)a1,
+ (int __user *)a[2]);
break;
case SYS_SOCKETPAIR:
err = sys_socketpair(a0, a1, a[2], (int __user *)a[3]);
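Review bot: In the SYS_GETPEERNAME case the assignment still leaves `err =` alone on its own line with the call starting on the next one. Both lines of the call are rewritten here anyway, so it could be folded into `err = __sys_getpeername(a0, (struct sockaddr __user *)a1,` with the continuation aligned under the first argument, matching the SYS_SOCKETPAIR case right below.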
-- 
2.16.2



[PATCH -next 00/22] remove in-kernel syscall invocations (part 2 == netdev)

2018-03-16 Thread Dominik Brodowski
Here is another series of patches which reduce the number of syscall
invocations from within the kernel. This series is focused solely on
the net/ part of the kernel and gets rid of syscall and compat_syscall
invocations from within the kernel completely. It is also available at

https://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux.git 
syscalls-net-next

The rationale of this change is described in patch 1 of part 1[*] as follows:

The syscall entry points to the kernel defined by SYSCALL_DEFINEx()
and COMPAT_SYSCALL_DEFINEx() should only be called from userspace
through kernel entry points, but not from the kernel itself. This
will allow cleanups and optimizations to the entry paths *and* to
the parts of the kernel code which currently need to pretend to be
userspace in order to make use of syscalls.

At present, these patches are based on v4.16-rc5; there is one trivial
conflict against net-next. Dave, I presume that you prefer to take them
through net-next? If you want to, I can re-base them against net-next.
If you prefer otherwise, though, I can route them as part of my whole
syscall series.

Thanks,
Dominik

[*] The cover letter for v2 is available at
http://lkml.kernel.org/r/20180315190529.20943-1-li...@dominikbrodowski.net ;
the whole patchset -- in its current, slightly modified form -- is available at
https://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux.git 
syscalls-next

Dominik Brodowski (22):
  net: socket: add __sys_recvfrom() helper; remove in-kernel call to
syscall
  net: socket: add __sys_sendto() helper; remove in-kernel call to
syscall
  net: socket: add __sys_accept4() helper; remove in-kernel call to
syscall
  net: socket: add __sys_socket() helper; remove in-kernel call to
syscall
  net: socket: add __sys_bind() helper; remove in-kernel call to syscall
  net: socket: add __sys_connect() helper; remove in-kernel call to
syscall
  net: socket: add __sys_listen() helper; remove in-kernel call to
syscall
  net: socket: add __sys_getsockname() helper; remove in-kernel call to
syscall
  net: socket: add __sys_getpeername() helper; remove in-kernel call to
syscall
  net: socket: add __sys_socketpair() helper; remove in-kernel call to
syscall
  net: socket: add __sys_shutdown() helper; remove in-kernel call to
syscall
  net: socket: add __sys_setsockopt() helper; remove in-kernel call to
syscall
  net: socket: add __sys_getsockopt() helper; remove in-kernel call to
syscall
  net: socket: add do_sys_recvmmsg() helper; remove in-kernel call to
syscall
  net: socket: move check for forbid_cmsg_compat to __sys_...msg()
  net: socket: replace calls to sys_send() with __sys_sendto()
  net: socket: replace call to sys_recv() with __sys_recvfrom()
  net: socket: add __compat_sys_recvfrom() helper; remove in-kernel call
to compat syscall
  net: socket: add __compat_sys_setsockopt() helper; remove in-kernel
call to compat syscall
  net: socket: add __compat_sys_getsockopt() helper; remove in-kernel
call to compat syscall
  net: socket: add __compat_sys_recvmmsg() helper; remove in-kernel call
to compat syscall
  net: socket: add __compat_sys_...msg() helpers; remove in-kernel calls
to compat syscalls

 include/linux/socket.h |  37 +++-
 net/compat.c   | 136 +++-
 net/socket.c   | 234 ++---
 3 files changed, 291 insertions(+), 116 deletions(-)

-- 
2.16.2



[PATCH -next 14/22] net: socket: add do_sys_recvmmsg() helper; remove in-kernel call to syscall

2018-03-16 Thread Dominik Brodowski
Using the net-internal helper do_sys_recvmmsg() allows us to avoid the
internal calls to the sys_getsockopt() syscall.

Cc: David S. Miller 
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski 
---
 net/socket.c | 17 -
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/socket.c b/net/socket.c
index a05289b1f863..72cdaaeccb85 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2445,9 +2445,9 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, 
unsigned int vlen,
return datagrams;
 }
 
-SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
-   unsigned int, vlen, unsigned int, flags,
-   struct timespec __user *, timeout)
+static long do_sys_recvmmsg(int fd, struct mmsghdr __user *mmsg,
+   unsigned int vlen, unsigned int flags,
+   struct timespec __user *timeout)
 {
int datagrams;
struct timespec timeout_sys;
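Review bot: do_sys_recvmmsg() is declared `static long`, but the value it hands back is the local `int datagrams`, and __sys_recvmmsg() in the hunk header returns int. Returning int would be consistent; if long is chosen to match the syscall return type, the commit message should say so. It would also help to note why this helper is named do_sys_recvmmsg() instead of following the __sys_ prefix used by the other helpers in the series, given that __sys_recvmmsg() already exists.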
@@ -2470,6 +2470,13 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user 
*, mmsg,
return datagrams;
 }
 
+SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
+   unsigned int, vlen, unsigned int, flags,
+   struct timespec __user *, timeout)
+{
+   return do_sys_recvmmsg(fd, mmsg, vlen, flags, timeout);
+}
+
 #ifdef __ARCH_WANT_SYS_SOCKETCALL
 /* Argument list sizes for sys_socketcall */
 #define AL(x) ((x) * sizeof(unsigned long))
@@ -2582,8 +2589,8 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long 
__user *, args)
err = sys_recvmsg(a0, (struct user_msghdr __user *)a1, a[2]);
break;
case SYS_RECVMMSG:
-   err = sys_recvmmsg(a0, (struct mmsghdr __user *)a1, a[2], a[3],
-  (struct timespec __user *)a[4]);
+   err = do_sys_recvmmsg(a0, (struct mmsghdr __user *)a1, a[2],
+ a[3], (struct timespec __user *)a[4]);
break;
case SYS_ACCEPT4:
err = __sys_accept4(a0, (struct sockaddr __user *)a1,
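Review bot: The SYS_RECVMMSG case replaces a call to sys_recvmmsg(), but the commit message says the helper avoids internal calls to the sys_getsockopt() syscall. The message should name sys_recvmmsg() so the changelog matches what the diff changes.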
-- 
2.16.2


