Re: [PATCH v5] mmc: sdhci-omap: Don't finish_mrq() on a command error during tuning

2019-03-29 Thread kbuild test robot
Hi Faiz,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on ulf.hansson-mmc/next]
[also build test WARNING on v5.1-rc2 next-20190329]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Faiz-Abbas/mmc-sdhci-omap-Don-t-finish_mrq-on-a-command-error-during-tuning/20190330-093057
base:   git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc.git next
reproduce:
# apt-get install sparse
make ARCH=x86_64 allmodconfig
make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'


sparse warnings: (new ones prefixed by >>)

   drivers/mmc/host/sdhci-omap.c:386:31: sparse: expression using sizeof(void)
   drivers/mmc/host/sdhci-omap.c:386:31: sparse: expression using sizeof(void)
>> drivers/mmc/host/sdhci-omap.c:847:16: sparse: incorrect type in initializer 
>> (different signedness) @@expected unsigned int ( *irq )( ... ) @@got 
>> int enunsigned int ( *irq )( ... ) @@
   drivers/mmc/host/sdhci-omap.c:847:16:expected unsigned int ( *irq )( ... 
)
   drivers/mmc/host/sdhci-omap.c:847:16:got int enum irqreturn ( * 
)( ... )
   include/linux/device.h:688:13: sparse: undefined identifier 
'__builtin_mul_overflow'
   include/linux/device.h:688:13: sparse: call with no type!

vim +847 drivers/mmc/host/sdhci-omap.c

   836  
   837  static struct sdhci_ops sdhci_omap_ops = {
   838  .set_clock = sdhci_omap_set_clock,
   839  .set_power = sdhci_omap_set_power,
   840  .enable_dma = sdhci_omap_enable_dma,
   841  .get_max_clock = sdhci_pltfm_clk_get_max_clock,
   842  .get_min_clock = sdhci_omap_get_min_clock,
   843  .set_bus_width = sdhci_omap_set_bus_width,
   844  .platform_send_init_74_clocks = sdhci_omap_init_74_clocks,
   845  .reset = sdhci_omap_reset,
   846  .set_uhs_signaling = sdhci_omap_set_uhs_signaling,
 > 847  .irq = sdhci_omap_irq,
   848  };
   849  

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


Re: [PATCH AUTOSEL 4.19 40/57] kvm: properly check debugfs dentry before using it

2019-03-29 Thread Greg Kroah-Hartman
On Fri, Mar 29, 2019 at 09:28:33PM -0400, Sasha Levin wrote:
> From: Greg Kroah-Hartman 
> 
> [ Upstream commit 8ed0579c12b2fe56a1fac2f712f58fc26c1dc49b ]
> 
> debugfs can now report an error code if something went wrong instead of
> just NULL.  So if the return value is to be used as a "real" dentry, it
> needs to be checked if it is an error before dereferencing it.
> 
> This is now happening because of ff9fb72bc077 ("debugfs: return error
> values, not NULL").  syzbot has found a way to trigger multiple debugfs
> files attempting to be created, which fails, and then the error code
> gets passed to dentry_path_raw() which obviously does not like it.
> 
> Reported-by: Eric Biggers 
> Reported-and-tested-by: syzbot+7857962b4d45e602b...@syzkaller.appspotmail.com
> Cc: "Radim Krčmář" 
> Cc: k...@vger.kernel.org
> Acked-by: Paolo Bonzini 
> Signed-off-by: Greg Kroah-Hartman 
> Signed-off-by: Linus Torvalds 
> Signed-off-by: Sasha Levin 
> ---
>  virt/kvm/kvm_main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index c436d95fd7aa..fb74f994cb63 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -3912,7 +3912,7 @@ static void kvm_uevent_notify_change(unsigned int type, 
> struct kvm *kvm)
>   }
>   add_uevent_var(env, "PID=%d", kvm->userspace_pid);
>  
> - if (kvm->debugfs_dentry) {
> + if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
>   char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
>  
>   if (p) {
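Review bot: The new `!IS_ERR_OR_NULL(kvm->debugfs_dentry)` test guards only this one use in kvm_uevent_notify_change(); since the changelog says debugfs can now return an error code instead of NULL, every other place that treats kvm->debugfs_dentry as a real dentry needs the same test. Storing NULL in the field when creation fails would keep a plain NULL check sufficient at each use. For a stable backport the changelog should also say whether ff9fb72bc077 is in the target tree, because without it the old check is already enough.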
> -- 
> 2.19.1
> 

Same thing here, this was a 5.0-only thing, no need for it to be
backported, please drop it from all trees.

thanks,

greg k-h


[PATCH] mm: Fix build warning

2019-03-29 Thread Aneesh Kumar K.V
mm/debug.c: In function ‘dump_mm’:
include/linux/kern_levels.h:5:18: warning: format ‘%llx’ expects argument of 
type ‘long long unsigned int’, but argument 19 has type ‘long int’ [-Wformat=]
  ~~~^

Signed-off-by: Aneesh Kumar K.V 
---
 mm/debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/debug.c b/mm/debug.c
index c0b31b6c3877..c134e76918dc 100644
--- a/mm/debug.c
+++ b/mm/debug.c
@@ -137,7 +137,7 @@ void dump_mm(const struct mm_struct *mm)
"mmap_base %lu mmap_legacy_base %lu highest_vm_end %lu\n"
"pgd %px mm_users %d mm_count %d pgtables_bytes %lu map_count 
%d\n"
"hiwater_rss %lx hiwater_vm %lx total_vm %lx locked_vm %lx\n"
-   "pinned_vm %llx data_vm %lx exec_vm %lx stack_vm %lx\n"
+   "pinned_vm %lx data_vm %lx exec_vm %lx stack_vm %lx\n"
"start_code %lx end_code %lx start_data %lx end_data %lx\n"
"start_brk %lx brk %lx start_stack %lx\n"
"arg_start %lx arg_end %lx env_start %lx env_end %lx\n"
-- 
2.20.1



Re: [PATCH 2/4] pid: add pidfd_open()

2019-03-29 Thread Daniel Colascione
On Thu, Mar 28, 2019 at 3:38 AM Christian Brauner  wrote:
>
> > All that said, thanks for the work on this once again. My intention is
> > just that we don't end up with an API that could have been done better
> > and be cleaner to use for potential users in the coming years.
>
> Thanks for your input on all of this. I still don't find multiplexers in
> the style of seccomp()/fsconfig()/keyctl() to be a problem since they
> deal with a specific task. They are very much different from ioctl()s in
> that regard. But since Joel, you, and Daniel found the pidctl() approach
> not very nice I dropped it. The interface needs to be satisfactory for
> all of us especially since Android and other system managers will be the
> main consumers.

Thanks.

> So let's split this into pidfd_open(pid_t pid, unsigned int flags) which
> allows to cleanly get pidfds independent procfs and do the translation
> to procpidfds in an ioctl() as we've discussed in prior threads. This

I sustain my objection to adding an ioctl. Compared to a system call,
an ioctl has a more rigid interface, greater susceptibility to
programmer error (due to the same ioctl control code potentially doing
different things for different file types), longer path length, and
more awkward filtering/monitoring/auditing/tracing. We've discussed
this issue at length before, and I thought we all agreed to use system
calls, not ioctl, for core kernel functionality. So why is an ioctl
suddenly back on the table? The way I see it, an ioctl has no
advantages except for 1) conserving system call numbers, which are not
scarce, and 2) avoiding the system call number coordination problem
(and the coordination problem isn't a factor for core kernel code). I
don't understand everyone's reluctance to add new system calls. What
am I missing? Why would we give up all the advantages that a system
call gives us?

I also don't understand Andy's argument on the other thread that an
ioctl is okay if it's an "operation on an FD" --- *most* system calls
are operations on FDs. We don't have an ioctl for sendmsg(2) and it's
an "operation on an FD".


Re: linux-next: Fixes tag needs some work in the tty.current tree

2019-03-29 Thread Stephen Rothwell
Hi Greg,

On Fri, 29 Mar 2019 20:47:18 +0100 Greg KH  wrote:
>
> Is there a script somewhere that I can use to run on my tree before I
> push it out, much like I do now for the signed-off-by checks?

Attached is what I use ...
-- 
Cheers,
Stephen Rothwell


check_fixes
Description: application/shellscript



linux-next: Fixes tag needs some work in the ext3 tree

2019-03-29 Thread Stephen Rothwell
Hi Jan,

In commit

  47d92aa5d33a ("quota: fix a problem about transfer quota")

Fixes tag

  Fixes: 7b9ca4c61("quota: Reduce contention on dq_data_lock")

has these problem(s):

  - missing space between the SHA1 and the subject
  - SHA1 should be at least 12 digits long
Can be fixed by setting core.abbrev to 12 (or more) or (for git v2.11
or later) just making sure it is not set (or set to "auto").

-- 
Cheers,
Stephen Rothwell
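
An added example, not part of the original message and not the check_fixes script attached in the other thread: a small Python check for the two problems reported above, run over a commit message. It inspects only the text of the tag and does not look the commit up in a repository; the function names, the sample message, the second tag's SHA1 and subject, and the extra `("...")` subject-form check are assumptions made for the example.

```python
import re

MIN_SHA_LEN = 12  # minimum SHA1 length quoted in the report above

# "Fixes:" then an optional run of hex digits, optional whitespace, and the rest.
_FIXES = re.compile(
    r'^Fixes:\s*(?P<sha>[0-9a-fA-F]*)(?P<gap>\s*)(?P<rest>.*)$')


def check_fixes_line(line):
    """Return the list of problems for one 'Fixes:' line.

    Returns None when the line is not a Fixes tag at all, and an empty
    list when the tag is well formed.
    """
    m = _FIXES.match(line.strip())
    if m is None:
        return None
    sha, gap, rest = m.group('sha', 'gap', 'rest')
    if not sha:
        return ['no SHA1 after "Fixes:"']
    problems = []
    if rest and not gap:
        problems.append('missing space between the SHA1 and the subject')
    if len(sha) < MIN_SHA_LEN:
        problems.append('SHA1 should be at least 12 digits long')
    # Assumption for this example: the subject is quoted as ("...").
    if not (rest.startswith('("') and rest.endswith('")') and len(rest) > 4):
        problems.append('subject is not in the form ("...")')
    return problems


def check_commit_message(message):
    """Return [(tag_line, problems), ...] for every Fixes: line, in order."""
    report = []
    for line in message.splitlines():
        problems = check_fixes_line(line)
        if problems is not None:
            report.append((line.strip(), problems))
    return report


# Constructed commit message. The first tag is the one quoted in the report;
# the second uses a made-up 12-digit SHA1 and subject.
SAMPLE_MESSAGE = '''quota: fix a problem about transfer quota

Constructed body text for the example.

Fixes: 7b9ca4c61("quota: Reduce contention on dq_data_lock")
Fixes: 0123456789ab ("example: constructed subject")
Signed-off-by: A. Developer <dev@example.org>
'''

if __name__ == '__main__':
    for tag, problems in check_commit_message(SAMPLE_MESSAGE):
        print(tag)
        for text in problems or ['ok']:
            print('  -', text)
```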



Re: [PATCH] kbuild: fix warning "overriding recipe for target 'Makefile'"

2019-03-29 Thread Masahiro Yamada
On Tue, Mar 26, 2019 at 3:46 PM Masahiro Yamada
 wrote:
>
> If you do "make Makefile" with GNU Make 3.x, the following warning
> is displayed:
>
>   $ make Makefile
>   Makefile:165: warning: overriding recipe for target 'Makefile'
>   Makefile:51: warning: ignoring old recipe for target 'Makefile'
>   make[1]: Nothing to be done for 'Makefile'.
>   make: Nothing to be done for 'Makefile'.
>
> Signed-off-by: Masahiro Yamada 
> ---

Applied to linux-kbuild.



>
>  Makefile | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Makefile b/Makefile
> index 70fc778..1b361bd 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -161,7 +161,7 @@ ifeq ($(need-sub-make),1)
>
>  PHONY += $(MAKECMDGOALS) sub-make
>
> -$(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: 
> sub-make
> +$(filter-out _all sub-make $(lastword $(MAKEFILE_LIST)), $(MAKECMDGOALS)) 
> _all: sub-make
> @:
>
>  # Invoke a second make in the output directory, passing relevant variables
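Review bot: `$(lastword $(MAKEFILE_LIST))` in the filter-out names this Makefile only as long as no `include` has been read above this rule, because make appends every makefile it reads to MAKEFILE_LIST. A short comment above the rule saying so would stop a later include from silently changing which goal is filtered out. The changelog shows the GNU Make 3.x warning but not why `$(CURDIR)/Makefile` fails to match there, which is the part a reader needs in order to judge the fix.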
> --
> 2.7.4
>


-- 
Best Regards
Masahiro Yamada


Re: [PATCH] kbuild: move RETPOLINE flags below config-targets

2019-03-29 Thread Masahiro Yamada
On Tue, Mar 26, 2019 at 3:11 PM Masahiro Yamada
 wrote:
>
> When you run a "make *config" target, the retpoline compiler flags
> are evaluated for nothing because the code is located above the
> 'ifeq ($(config-targets),1)'.
>
> Move it a bit below to avoid unneeded computation in the Kconfig stage.
>
> Signed-off-by: Masahiro Yamada 
> ---

Applied to linux-kbuild.


>
>  Makefile | 18 +-
>  1 file changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 1b361bd..66a8e04 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -519,15 +519,6 @@ KBUILD_AFLAGS  += $(CLANG_FLAGS)
>  export CLANG_FLAGS
>  endif
>
> -RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern 
> -mindirect-branch-register
> -RETPOLINE_VDSO_CFLAGS_GCC := -mindirect-branch=thunk-inline 
> -mindirect-branch-register
> -RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
> -RETPOLINE_VDSO_CFLAGS_CLANG := -mretpoline
> -RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call 
> cc-option,$(RETPOLINE_CFLAGS_CLANG)))
> -RETPOLINE_VDSO_CFLAGS := $(call 
> cc-option,$(RETPOLINE_VDSO_CFLAGS_GCC),$(call 
> cc-option,$(RETPOLINE_VDSO_CFLAGS_CLANG)))
> -export RETPOLINE_CFLAGS
> -export RETPOLINE_VDSO_CFLAGS
> -
>  # The expansion should be delayed until arch/$(SRCARCH)/Makefile is included.
>  # Some architectures define CROSS_COMPILE in arch/$(SRCARCH)/Makefile.
>  # CC_VERSION_TEXT is referenced from Kconfig (so it needs export),
> @@ -624,6 +615,15 @@ ifdef CONFIG_FUNCTION_TRACER
>CC_FLAGS_FTRACE := -pg
>  endif
>
> +RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern 
> -mindirect-branch-register
> +RETPOLINE_VDSO_CFLAGS_GCC := -mindirect-branch=thunk-inline 
> -mindirect-branch-register
> +RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
> +RETPOLINE_VDSO_CFLAGS_CLANG := -mretpoline
> +RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call 
> cc-option,$(RETPOLINE_CFLAGS_CLANG)))
> +RETPOLINE_VDSO_CFLAGS := $(call 
> cc-option,$(RETPOLINE_VDSO_CFLAGS_GCC),$(call 
> cc-option,$(RETPOLINE_VDSO_CFLAGS_CLANG)))
> +export RETPOLINE_CFLAGS
> +export RETPOLINE_VDSO_CFLAGS
> +
>  # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
>  # values of the respective KBUILD_* variables
>  ARCH_CPPFLAGS :=
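Review bot: RETPOLINE_CFLAGS and RETPOLINE_VDSO_CFLAGS are assigned with `:=`, so after this move they are empty for anything evaluated between the old position (line 519 in the first hunk) and the new one (line 615 here). The changelog should state that nothing in that range reads either variable and that every user of them is evaluated after the new position. A one-line comment above the moved block saying why it sits below the config-targets check would keep it from drifting back.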
> --
> 2.7.4
>


-- 
Best Regards
Masahiro Yamada


Re: [PATCH] Remove SPDX "WITH Linux-syscall-note" from kernel-space headers

2019-03-29 Thread Masahiro Yamada
On Sat, Mar 30, 2019 at 1:54 PM Masahiro Yamada
 wrote:
>
> The "WITH Linux-syscall-note" should be added to headers exported to
> the user-space.
>
> Some kernel-space headers have "WITH Linux-syscall-note", which seems
> a mistake.
>
> [1] arch/x86/include/asm/hyperv-tlfs.h
>
> 5a4858032217 ("x86/hyper-v: move hyperv.h out of uapi") moved this file
> out of uapi, but missed to update the SPDX License tag.
>
> [2] include/asm-generic/shmparam.h
>
> 76ce2a80a28e ("Rename include/{uapi => }/asm-generic/shmparam.h really")
> moved this file out of uapi, but missed to update the SPDX License tag.
>
> [3] include/linux/qcom-geni-se.h
>
> eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver") added this
> file, but I do now see a good reason why its license tag must include


This is a fatal typo, which makes the meaning opposite.

"I do now see ..." -> "I do not see ..."





> "WITH Linux-syscall-note".
>
> Signed-off-by: Masahiro Yamada 
> ---
>
>  arch/x86/include/asm/hyperv-tlfs.h | 2 +-
>  include/asm-generic/shmparam.h | 2 +-
>  include/linux/qcom-geni-se.h   | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/include/asm/hyperv-tlfs.h 
> b/arch/x86/include/asm/hyperv-tlfs.h
> index 2bdbbbc..cdf44aa 100644
> --- a/arch/x86/include/asm/hyperv-tlfs.h
> +++ b/arch/x86/include/asm/hyperv-tlfs.h
> @@ -1,4 +1,4 @@
> -/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/* SPDX-License-Identifier: GPL-2.0 */
>
>  /*
>   * This file contains definitions from Hyper-V Hypervisor Top-Level 
> Functional
> diff --git a/include/asm-generic/shmparam.h b/include/asm-generic/shmparam.h
> index 8b78c0b..b8f9035 100644
> --- a/include/asm-generic/shmparam.h
> +++ b/include/asm-generic/shmparam.h
> @@ -1,4 +1,4 @@
> -/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/* SPDX-License-Identifier: GPL-2.0 */
>  #ifndef __ASM_GENERIC_SHMPARAM_H
>  #define __ASM_GENERIC_SHMPARAM_H
>
> diff --git a/include/linux/qcom-geni-se.h b/include/linux/qcom-geni-se.h
> index 3bcd67f..dd46494 100644
> --- a/include/linux/qcom-geni-se.h
> +++ b/include/linux/qcom-geni-se.h
> @@ -1,4 +1,4 @@
> -/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>   * Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
>   */
> --
> 2.7.4
>


-- 
Best Regards
Masahiro Yamada


Re: [PATCH] iommu/amd: Reserve exclusion range in iova-domain

2019-03-29 Thread Stuart Hayes
Tested on a Dell PowerEdge R7425 system on which this problem is easily 
reproducible.

Tested-by: Stuart Hayes 


[PATCH] Remove SPDX "WITH Linux-syscall-note" from kernel-space headers

2019-03-29 Thread Masahiro Yamada
The "WITH Linux-syscall-note" should be added to headers exported to
the user-space.

Some kernel-space headers have "WITH Linux-syscall-note", which seems
a mistake.

[1] arch/x86/include/asm/hyperv-tlfs.h

5a4858032217 ("x86/hyper-v: move hyperv.h out of uapi") moved this file
out of uapi, but missed to update the SPDX License tag.

[2] include/asm-generic/shmparam.h

76ce2a80a28e ("Rename include/{uapi => }/asm-generic/shmparam.h really")
moved this file out of uapi, but missed to update the SPDX License tag.

[3] include/linux/qcom-geni-se.h

eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver") added this
file, but I do now see a good reason why its license tag must include
"WITH Linux-syscall-note".

Signed-off-by: Masahiro Yamada 
---

 arch/x86/include/asm/hyperv-tlfs.h | 2 +-
 include/asm-generic/shmparam.h | 2 +-
 include/linux/qcom-geni-se.h   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/hyperv-tlfs.h 
b/arch/x86/include/asm/hyperv-tlfs.h
index 2bdbbbc..cdf44aa 100644
--- a/arch/x86/include/asm/hyperv-tlfs.h
+++ b/arch/x86/include/asm/hyperv-tlfs.h
@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* SPDX-License-Identifier: GPL-2.0 */
 
 /*
  * This file contains definitions from Hyper-V Hypervisor Top-Level Functional
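Review bot: The changelog names 5a4858032217 as the commit that moved hyperv-tlfs.h out of uapi without updating this tag, and 76ce2a80a28e for shmparam.h, but the patch carries no Fixes: tag for either. Adding both tags records the link in a form the tooling can follow.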
diff --git a/include/asm-generic/shmparam.h b/include/asm-generic/shmparam.h
index 8b78c0b..b8f9035 100644
--- a/include/asm-generic/shmparam.h
+++ b/include/asm-generic/shmparam.h
@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* SPDX-License-Identifier: GPL-2.0 */
 #ifndef __ASM_GENERIC_SHMPARAM_H
 #define __ASM_GENERIC_SHMPARAM_H
 
diff --git a/include/linux/qcom-geni-se.h b/include/linux/qcom-geni-se.h
index 3bcd67f..dd46494 100644
--- a/include/linux/qcom-geni-se.h
+++ b/include/linux/qcom-geni-se.h
@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
  */
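Review bot: For include/linux/qcom-geni-se.h the tag was not left behind by a move; the changelog says eddac5af0654 added the file with it, and the header carries a Linux Foundation copyright. Dropping the exception here changes what the original authors wrote, so this hunk should carry an ack from them or go as a separate patch. The changelog sentence "I do now see a good reason" should read "I do not see a good reason".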
-- 
2.7.4



Re: [RFC][PATCH 0/4 v2] sycalls: Remove args i and n from syscall_get_arguments()

2019-03-29 Thread Palmer Dabbelt

On Fri, 29 Mar 2019 10:40:45 PDT (-0700), rost...@goodmis.org wrote:
> On Fri, 29 Mar 2019 10:24:58 -0700
> Linus Torvalds  wrote:
>
> > The whole series looks fine to me.
>
> Great! I may just send a pull request to you, after some fixes (see
> below).
>
> > I still suspect that we should just remove the syscall_set_arguments()
> > thing entirely, but even without that, the cleanup of the calling
> > convention is at least an improvement.
>
> I'll keep it around for now, but this should go as a warning to Dmitry,
> to get something using it soon, or they may be dropped.
>
> Also, Dmitry found a few bugs with the current
> syscall_set/get_arguments() on some of the archs (riscv and csky). Which
> I'll add at the front of this series and update my changes to keep the
> same logic.

Thanks.  I'm happy to have you take the RISC-V fix through your tree.

> Then I'll post a non RFC version.
>
> -- Steve


Re: [PATCH] rcu: tree_stall: Correctly unlock root node in rcu_check_gp_start_stall

2019-03-29 Thread Neeraj Upadhyay




On 3/30/19 2:57 AM, Paul E. McKenney wrote:

On Fri, Mar 29, 2019 at 07:52:15PM +0530, Neeraj Upadhyay wrote:



On 3/29/19 6:58 PM, Mukesh Ojha wrote:


On 3/29/2019 4:57 PM, Neeraj Upadhyay wrote:

Only unlock the root node, if current node (rnp) is not
root node.

Signed-off-by: Neeraj Upadhyay 





---
   kernel/rcu/tree_stall.h | 4 +++-
   1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
index f65a73a..0651833 100644
--- a/kernel/rcu/tree_stall.h
+++ b/kernel/rcu/tree_stall.h



why this is showing as under tree_stall.h while it is under
"kernel/rcu/tree.c"


It's moved in 
https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git/commit/?h=dev=10462d6f58fb6dbde7563e9343505d98d5bfba3d

Please see linux-rcu dev tree for other changes, which moves code to
this file.


Thanks
Neeraj




@@ -630,7 +630,9 @@ static void rcu_check_gp_start_stall(struct
rcu_node *rnp, struct rcu_data *rdp,
   time_before(j, rcu_state.gp_req_activity + gpssdelay) ||
   time_before(j, rcu_state.gp_activity + gpssdelay) ||
   atomic_xchg(, 1)) {
-    raw_spin_unlock_rcu_node(rnp_root); /* irqs remain disabled. */
+    if (rnp_root != rnp)
+    /* irqs remain disabled. */
+    raw_spin_unlock_rcu_node(rnp_root);


Looks good as it will balance the lock .if it is the root_node,
which was not there earlier, and unlock was happening without any
lock on root.

Reviewed-by: Mukesh Ojha 


Applied, again thank you both!

In both cases, I updated the commit log, so please check to make sure
that I didn't mess anything up.

Thanx, Paul



Thanks Paul. One minor comment on 
https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git/commit/?h=dev=ec6530e763046b6bb1f4c2c2aed49ebc68aae2a0 



"it clearly does not make sense to release
both rnp->lock and rnp->lock"

should be rnp->lock and rnp_root->lock



Thanks
Neeraj


Cheers,
-Mukesh


   raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
   return;
   }
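Review bot: In the lines that replace the unlock, `if (rnp_root != rnp)` has no braces but its body is now a comment line followed by the call, which reads like two statements under the condition. Keep the comment on the same line as `raw_spin_unlock_rcu_node(rnp_root);` or brace the body. A short note on when rnp_root can equal rnp here would also help the next reader.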


--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation





--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation


Re: [PATCH 5/6] acpi/cppc: Add support for optional CPPC registers

2019-03-29 Thread Pandruvada, Srinivas
On Fri, 2019-03-29 at 20:18 +, Ghannam, Yazen wrote:
> > -Original Message-
> > From: linux-acpi-ow...@vger.kernel.org <
> > linux-acpi-ow...@vger.kernel.org> On Behalf Of Pandruvada, Srinivas
> > Sent: Wednesday, March 27, 2019 10:48 AM
> > To: linux-kernel@vger.kernel.org; de...@acpica.org; Natarajan,
> > Janakarajan ; linux-
> > a...@vger.kernel.org; linux...@vger.kernel.org
> > Cc: Ghannam, Yazen ; l...@kernel.org; 
> > viresh.ku...@linaro.org; Moore, Robert
> > ; Schmauss, Erik ;
> > r...@rjwysocki.net
> > Subject: Re: [PATCH 5/6] acpi/cppc: Add support for optional CPPC
> > registers
> > 
> > On Fri, 2019-03-22 at 20:26 +, Natarajan, Janakarajan wrote:
> > > From: Yazen Ghannam 
> > > 
> > > Newer AMD processors support a subset of the optional CPPC
> > > registers.
> > > Create show, store and helper routines for supported CPPC
> > > registers.
> > > 
> > > Signed-off-by: Yazen Ghannam 
> > > [ carved out into a patch, cleaned up, productized ]
> > > Signed-off-by: Janakarajan Natarajan <
> > > janakarajan.natara...@amd.com>
> > > 
> > 
> > [..]
> > 
> > > + /* desired_perf is the only mandatory value in perf_ctrls */
> > > + if (cpc_read(cpu, desired_reg, ))
> > > + ret = -EFAULT;
> > > +
> > > + if (CPC_SUPPORTED(max_reg) && cpc_read(cpu, max_reg, ))
> > > + ret = -EFAULT;
> > > +
> > 
> > We should create and use different macro other than CPPC_SUPPORTED.
> > CPC_SUPPORTED doesn't validate the correctness of object type for a
> > field. For example "Maximum Performance Register" can only be
> > buffer
> > not integer. In this way invalid field definitions can be ignored.
> > 
> 
> So create something like "CPPC_SUPPORTED_BUFFER" for buffer-only
> registers?
> 
> And then buffer/integer registers will continue to use
> "CPPC_SUPPORTED".
> 
> These seem to be the only two cases at this time. Is this okay?
Yes.

Thanks,
Srinivas

> 
> Thanks,
> Yazen
> 
> > 
> > > + if (CPC_SUPPORTED(min_reg) && cpc_read(cpu, min_reg, ))
> > > + ret = -EFAULT;
> > > +
> > > + if (CPC_SUPPORTED(energy_reg) && cpc_read(cpu, energy_reg,
> > > ))
> > > + ret = -EFAULT;
> > > +
> > > + if (CPC_SUPPORTED(auto_sel_enable_reg) &&
> > > + cpc_read(cpu, auto_sel_enable_reg, _sel_enable))
> > > + ret = -EFAULT;
> > > +
> > 
> > Here it is fine to use CPC_SUPPORTED as the "Autonomous Selection
> > Enable" can be both integer and buffer.
> > 
> > Thanks,
> > Srinivas
> 
> 



Re: [PATCH] Convert struct pid count to refcount_t

2019-03-29 Thread Joel Fernandes
On Thu, Mar 28, 2019 at 10:37:07AM -0700, Paul E. McKenney wrote:
> On Thu, Mar 28, 2019 at 05:26:42PM +0100, Oleg Nesterov wrote:
> > On 03/28, Jann Horn wrote:
> > >
> > > Since we're just talking about RCU stuff now, adding Paul McKenney to
> > > the thread.
> > 
> > Since you added Paul let me add more confusion to this thread ;)
> 
> Woo-hoo!!!  More confusion!  Bring it on!!!  ;-)

Nice to take part in the confusion fun too!!! ;-)

> > There were some concerns about the lack of barriers in put_pid(), but I 
> > can't
> > find that old discussion and I forgot the result of that discussion...
> > 
> > Paul, could you confirm that this code
> > 
> > CPU_0           CPU_1
> > 
> > X = 1;          if (READ_ONCE(Y))
> > mb();                   X = 2;
> > Y = 1;          BUG_ON(X != 2);
> > 
> > 
> > is correct? I think it is, control dependency pairs with mb(), right?
> 
> The BUG_ON() is supposed to happen at the end of time, correct?
> As written, there is (in the strict sense) a data race between the load
> of X in the BUG_ON() and CPU_0's store to X.  In a less strict sense,
> you could of course argue that this data race is harmless, especially
> if X is a single byte.  But the more I talk to compiler writers, the
> less comfortable I become with data races in general.  :-/
> 
> So I would also feel better if the "Y = 1" was WRITE_ONCE().
> 
> On the other hand, this is a great opportunity to try out Alan Stern's
> prototype plain-accesses patch to the Linux Kernel Memory Model (LKMM)!
> 
> https://lkml.kernel.org/r/pine.lnx.4.44l0.1903191459270.1593-200...@iolanthe.rowland.org
> 
> Also adding Alan on CC.
> 
> Here is what I believe is the litmus test that you are interested in:
> 
> 
> C OlegNesterov-put_pid
> 
> {}
> 
> P0(int *x, int *y)
> {
>   *x = 1;
>   smp_mb();
>   *y = 1;
> }
> 
> P1(int *x, int *y)
> {
>   int r1;
> 
>   r1 = READ_ONCE(*y);
>   if (r1)
>           *x = 2;
> }
> 
> exists (1:r1=1 /\ ~x=2)
> 
> 
> Running this through herd with Alan's patch detects the data race
> and says that the undesired outcome is allowed:
> 
>   $ herd7  -conf linux-kernel.cfg /tmp/OlegNesterov-put_pid.litmus 
>   Test OlegNesterov-put_pid Allowed
>   States 3
>   1:r1=0; x=1;
>   1:r1=1; x=1;
>   1:r1=1; x=2;
>   Ok
>   Witnesses
>   Positive: 1 Negative: 2
>   Flag data-race
>   Condition exists (1:r1=1 /\ not (x=2))
>   Observation OlegNesterov-put_pid Sometimes 1 2
>   Time OlegNesterov-put_pid 0.00
>   Hash=a3e0043ad753effa860fea37eeba0a76
> 
> Using WRITE_ONCE() for P0()'s store to y still allows this outcome,
> although it does remove the "Flag data-race".
> 
> Using WRITE_ONCE() for both P0()'s store to y and P1()'s store to x
> gets rid of both the "Flag data-race" and the undesired outcome:
> 
>   $ herd7  -conf linux-kernel.cfg /tmp/OlegNesterov-put_pid-WO-WO.litmus 
>   Test OlegNesterov-put_pid-WO-WO Allowed
>   States 2
>   1:r1=0; x=1;
>   1:r1=1; x=2;
>   No
>   Witnesses
>   Positive: 0 Negative: 2
>   Condition exists (1:r1=1 /\ not (x=2))
>   Observation OlegNesterov-put_pid-WO-WO Never 0 2
>   Time OlegNesterov-put_pid-WO-WO 0.01
>   Hash=6e1643e3c5e4739b590bde0a8e8a918e
> 
> Here is the corresponding litmus test, in case I messed something up:
> 
> 
> C OlegNesterov-put_pid-WO-WO
> 
> {}
> 
> P0(int *x, int *y)
> {
>   *x = 1;
>   smp_mb();
>   WRITE_ONCE(*y, 1);
> }
> 
> P1(int *x, int *y)
> {
>   int r1;
> 
>   r1 = READ_ONCE(*y);
>   if (r1)
>           WRITE_ONCE(*x, 2);
> }
> 
> exists (1:r1=1 /\ ~x=2)

I ran the above examples too. It's a bit confusing to me why the WRITE_ONCE in
P0() is required, and why would the READ_ONCE / WRITE_ONCE in P1() not be
sufficient to prevent the exists condition. Shouldn't the compiler know that,
in P0(), it should not reorder the store to y=1 before the x=1 because there
is an explicit barrier between the 2 stores? Looks to me like a broken
compiler :-|.

So I would have expected the following litmus to result in Never, but it
doesn't with Alan's patch:

P0(int *x, int *y)
{
	*x = 1;
	smp_mb();
	*y = 1;
}

P1(int *x, int *y)
{
	int r1;

	r1 = READ_ONCE(*y);
	if (r1)
		WRITE_ONCE(*x, 2);
}

exists (1:r1=1 /\ ~x=2)

> 
> 
> > If not, then put_pid() needs atomic_read_acquire() as it was proposed in 
> > that
> > discussion.
> 
> Good point, let's try with smp_load_acquire() in P1():
> 
>   $ herd7  -conf linux-kernel.cfg /tmp/OlegNesterov-put_pid-WO-sla.litmus 
>   Test OlegNesterov-put_pid-WO-sla Allowed
>   States 2

[PATCH v2 2/2] clk:mmp: clk-mix.c fix divide-by-zero

2019-03-29 Thread nixiaoming
The _get_div() function has a branch with a return value of 0
Add a check on the return value of _get_div() to avoid divide-by-zero

Signed-off-by: nixiaoming 
Reviewed-by: Mukesh Ojha 
---
 drivers/clk/mmp/clk-mix.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/clk/mmp/clk-mix.c b/drivers/clk/mmp/clk-mix.c
index 90814b2..6ed5ad7 100644
--- a/drivers/clk/mmp/clk-mix.c
+++ b/drivers/clk/mmp/clk-mix.c
@@ -245,6 +245,9 @@ static int mmp_clk_mix_determine_rate(struct clk_hw *hw,
div_val_max = _get_maxdiv(mix);
for (j = 0; j < div_val_max; j++) {
div = _get_div(mix, j);
+   /* avoid divide-by-zero */
+   if (!div)
+   continue;
mix_rate = parent_rate / div;
gap = abs(mix_rate - req->rate);
if (!parent_best || gap < gap_best) {
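Review bot: The `continue` on a zero divider in mmp_clk_mix_determine_rate() skips the entry silently, so a broken divider table goes unnoticed, and if every entry is skipped this loop never sets `parent_best`. The comment `/* avoid divide-by-zero */` restates the check; say instead when _get_div() returns 0, and handle the case where no candidate was accepted.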
@@ -341,6 +344,9 @@ static unsigned long mmp_clk_mix_recalc_rate(struct clk_hw 
*hw,
shift = mix->reg_info.shift_div;
 
div = _get_div(mix, MMP_CLK_BITS_GET_VAL(mux_div, width, shift));
+   /* avoid divide-by-zero */
+   if (!div)
+   return -EINVAL;
 
return parent_rate / div;
 }
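Review bot: mmp_clk_mix_recalc_rate() returns `unsigned long`, so `return -EINVAL;` hands the caller a very large positive rate, not an error. Return 0 for the zero-divider case so the result cannot be mistaken for a valid frequency.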
-- 
1.8.5.6



[PATCH v2 1/2] clk:Fix divide-by-zero in divider_ro_round_rate_parent

2019-03-29 Thread nixiaoming
In the function divider_recalc_rate() The judgment of the return value of
_get_div() indicates that the return value of _get_div() may be 0.
In order to avoid the divide-by-zero error, add check the return value
of _get_div() in the divider_ro_round_rate_parent()

Signed-off-by: nixiaoming 
---
 drivers/clk/clk-divider.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/clk/clk-divider.c b/drivers/clk/clk-divider.c
index e5a1726..f4bf7a4 100644
--- a/drivers/clk/clk-divider.c
+++ b/drivers/clk/clk-divider.c
@@ -347,6 +347,9 @@ long divider_ro_round_rate_parent(struct clk_hw *hw, struct 
clk_hw *parent,
int div;
 
div = _get_div(table, val, flags, width);
+   /* avoid divide-by-zero */
+   if (!div)
+   return -EINVAL;
 
/* Even a read-only clock can propagate a rate change */
if (clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) {
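Review bot: The changelog cites the zero check in divider_recalc_rate() as the precedent but does not say what that function does when _get_div() yields 0; the new `return -EINVAL;` in divider_ro_round_rate_parent() should match that handling, or the changelog should explain why it differs. The comment `/* avoid divide-by-zero */` would be more useful if it named the condition under which the table or register value produces a zero divider.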
-- 
1.8.5.6



RE: [PATCH] clk:mmp: clk-mix.c fix divide-by-zero

2019-03-29 Thread Nixiaoming
On 3/30/2019 6:48 AM Stephen Boyd wrote:
>Quoting nixiaoming (2019-03-29 04:46:00)
>> The _get_div function has a branch with a return value of 0
>> Add a check on the return value of _get_div to avoid divide-by-zero
>> 
>> Signed-off-by: nixiaoming 
>
>Similar questions apply here as they do on the generic divider patch you
>sent.
>
_get_div() in both files is a different function, with a divide-by-zero problem
I will organize it into a patch set later.

>> ---
>>  drivers/clk/mmp/clk-mix.c | 4 
>>  1 file changed, 4 insertions(+)
>> 
>> diff --git a/drivers/clk/mmp/clk-mix.c b/drivers/clk/mmp/clk-mix.c
>> index 90814b2..9d152c2 100644
>> --- a/drivers/clk/mmp/clk-mix.c
>> +++ b/drivers/clk/mmp/clk-mix.c
>> @@ -245,6 +245,8 @@ static int mmp_clk_mix_determine_rate(struct clk_hw *hw,
>> div_val_max = _get_maxdiv(mix);
>> for (j = 0; j < div_val_max; j++) {
>> div = _get_div(mix, j);
>> +   if (!div) /* avoid divide-by-zero */
>
>Why can't we return 1 for the divider value here?

I personally understand that an exception or skip should be thrown after 
dividing by 0.
Directly modified to other values, I am not sure whether it affects the logic.
My logical understanding of this code is not clear enough; I still need your 
guidance.
>
>> +   continue;
>> mix_rate = parent_rate / div;
>> gap = abs(mix_rate - req->rate);
>> if (!parent_best || gap < gap_best) {
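Review bot: With the new "continue" on a zero divider, an inner-loop pass can finish without ever reaching the "if (!parent_best || gap < gap_best)" update, so if _get_div(mix, j) is 0 for every j of every parent, parent_best is never set. Check that the code after the loops treats "no candidate found" as an error instead of using unset best values, and put the comment on its own line above the if rather than trailing it.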
>> @@ -341,6 +343,8 @@ static unsigned long mmp_clk_mix_recalc_rate(struct 
>> clk_hw *hw,
>> shift = mix->reg_info.shift_div;
>>  
>> div = _get_div(mix, MMP_CLK_BITS_GET_VAL(mux_div, width, shift));
>> +   if (!div) /* avoid divide-by-zero */
>
>Same question.
I personally understand that an exception or skip should be thrown after 
dividing by 0.
Directly modified to other values, I am not sure whether it affects the logic.
My logical understanding of this code is not clear enough; I still need your 
guidance.
>
>> +   return -EINVAL;
>>  
>> return parent_rate / div;
>>  }
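Review bot: mmp_clk_mix_recalc_rate() is declared as returning unsigned long (see the hunk header), so "return -EINVAL;" is converted to a very large positive rate rather than an error the caller can detect. Return 0, or another value the clock framework treats as "rate unknown", for the zero-divider case, and say in the comment which register value produces it.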
>


Re: [PATCH] signal: don't silently convert SI_USER signals to non-current pidfd

2019-03-29 Thread Christian Brauner
On Sat, Mar 30, 2019 at 03:12:32AM +0100, Jann Horn wrote:
> The current sys_pidfd_send_signal() silently turns signals with explicit
> SI_USER context that are sent to non-current tasks into signals with
> kernel-generated siginfo.
> This is unlike do_rt_sigqueueinfo(), which returns -EPERM in this case.
> If a user actually wants to send a signal with kernel-provided siginfo,
> they can do that with pidfd_send_signal(pidfd, sig, NULL, 0); so allowing
> this case is unnecessary.
> 
> Instead of silently replacing the siginfo, just bail out with an error;
> this is consistent with other interfaces and avoids special-casing behavior
> based on security checks.
> 
> Fixes: 3eb39f47934f ("signal: add pidfd_send_signal() syscall")
> Signed-off-by: Jann Horn 

Reviewed-by: Christian Brauner 

As discussed in
https://lore.kernel.org/lkml/20190330012229.yt3hecmgaj2r6...@brauner.io
targeting this for a 5.1 rc.

> ---
>  kernel/signal.c | 13 -
>  1 file changed, 4 insertions(+), 9 deletions(-)
> 
> diff --git a/kernel/signal.c b/kernel/signal.c
> index b7953934aa99..f98448cf2def 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -3605,16 +3605,11 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, 
> sig,
>   if (unlikely(sig != kinfo.si_signo))
>   goto err;
>  
> + /* Only allow sending arbitrary signals to yourself. */
> + ret = -EPERM;
>   if ((task_pid(current) != pid) &&
> - (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) {
> - /* Only allow sending arbitrary signals to yourself. */
> - ret = -EPERM;
> - if (kinfo.si_code != SI_USER)
> - goto err;
> -
> - /* Turn this into a regular kill signal. */
> - prepare_kill_siginfo(sig, );
> - }
> + (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
> + goto err;
>   } else {
>   prepare_kill_siginfo(sig, );
>   }
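Review bot: The removed SI_USER branch (the prepare_kill_siginfo() fallback) was user-visible behaviour, and the diffstat shows only kernel/signal.c changing, so nothing asserts the new -EPERM result. Add a selftest case that sends SI_USER siginfo to a non-current pidfd and expects -EPERM, next to one that passes NULL info and expects success, so the two documented paths stay distinguishable.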
> -- 
> 2.21.0.392.gf8f6787159e-goog
> 


[PATCH] signal: don't silently convert SI_USER signals to non-current pidfd

2019-03-29 Thread Jann Horn
The current sys_pidfd_send_signal() silently turns signals with explicit
SI_USER context that are sent to non-current tasks into signals with
kernel-generated siginfo.
This is unlike do_rt_sigqueueinfo(), which returns -EPERM in this case.
If a user actually wants to send a signal with kernel-provided siginfo,
they can do that with pidfd_send_signal(pidfd, sig, NULL, 0); so allowing
this case is unnecessary.

Instead of silently replacing the siginfo, just bail out with an error;
this is consistent with other interfaces and avoids special-casing behavior
based on security checks.

Fixes: 3eb39f47934f ("signal: add pidfd_send_signal() syscall")
Signed-off-by: Jann Horn 
---
 kernel/signal.c | 13 -
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index b7953934aa99..f98448cf2def 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3605,16 +3605,11 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, sig,
if (unlikely(sig != kinfo.si_signo))
goto err;
 
+   /* Only allow sending arbitrary signals to yourself. */
+   ret = -EPERM;
if ((task_pid(current) != pid) &&
-   (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) {
-   /* Only allow sending arbitrary signals to yourself. */
-   ret = -EPERM;
-   if (kinfo.si_code != SI_USER)
-   goto err;
-
-   /* Turn this into a regular kill signal. */
-   prepare_kill_siginfo(sig, );
-   }
+   (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
+   goto err;
} else {
prepare_kill_siginfo(sig, );
}
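Review bot: "ret = -EPERM;" is now assigned unconditionally before the si_code test, so on the allowed path (signalling yourself, or a negative si_code other than SI_TKILL) ret still holds -EPERM when control leaves the if (info) block. The lines after the hunk are not shown; confirm ret is reassigned before any later "goto err" or return, or keep the assignment inside a braced if body so the error value cannot leak into a success path.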
-- 
2.21.0.392.gf8f6787159e-goog



RE: [PATCH] clk:Fix divide by 0 error in divider_ro_round_rate_parent

2019-03-29 Thread Nixiaoming
On 3/30/2019 6:42 AM Stephen Boyd wrote:
>Quoting nixiaoming (2019-03-29 02:05:24)
>> In the function divider_recalc_rate The judgment of the return value of
>
>Please write divider_recalc_rate() with parenthesis to show it's a
>function.
>
>> _get_div indicates that the return value of _get_div may be 0.
>
>__get_div()
Thank you for your guidance, I will correct it later in the patch.

>> In order to avoid the divide-by-zero error, add check the return value
>> of _get_div in the divider_ro_round_rate_parent
>> 
>> Signed-off-by: nixiaoming 
>
>Is this your name? nixiaoming? Or is it written some other way?

Chinese name 倪小明
>> ---
>>  drivers/clk/clk-divider.c | 2 ++
>>  1 file changed, 2 insertions(+)
>> 
>> diff --git a/drivers/clk/clk-divider.c b/drivers/clk/clk-divider.c
>> index e5a1726..0854e3e 100644
>> --- a/drivers/clk/clk-divider.c
>> +++ b/drivers/clk/clk-divider.c
>> @@ -347,6 +347,8 @@ long divider_ro_round_rate_parent(struct clk_hw *hw, 
>> struct clk_hw *parent,
>> int div;
>>  
>> div = _get_div(table, val, flags, width);
>> +   if (!div) /* avoid divide-by-zero */
>> +   return -EINVAL;
>
>How does _get_div() return 0? What is the value of 'flags' here when
>this goes wrong?

divider_ro_round_rate_parent() and divider_recalc_rate() are functions
with the EXPORT_SYMBOL_GPL attribute.

If _get_div() can return 0 in the argument of divider_recalc_rate(),
then it should be able to return 0 in divider_ro_round_rate_parent().

>
>>  
>> /* Even a read-only clock can propagate a rate change */
>> if (clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) {
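Review bot: The trailing comment on the "if (!div)" line says what is avoided but not when it happens, which is what the review question above asks. Put the comment on its own line above the check and name the condition under which _get_div() yields 0 (which flags or table entry), so a reader can tell a hardware state from a caller bug.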
>> -- 
>> 1.8.5.6
>> 
>
>Wow that's a 5 year old version of git!
>
>


Re: [PATCH v2 4/5] signal: PIDFD_SIGNAL_TID threads via pidfds

2019-03-29 Thread Christian Brauner
On Sat, Mar 30, 2019 at 02:34:16AM +0100, Christian Brauner wrote:
> On Sat, Mar 30, 2019 at 02:22:29AM +0100, Christian Brauner wrote:
> > On Sat, Mar 30, 2019 at 02:06:34AM +0100, Jann Horn wrote:
> > > On Fri, Mar 29, 2019 at 4:54 PM Christian Brauner  
> > > wrote:
> > > > With the addition of pidfd_open() it is possible for users to reference 
> > > > a
> > > > specific thread by doing:
> > > >
> > > > int pidfd = pidfd_open(, 0);
> > > >
> > > > This means we can extend pidfd_send_signal() to signal a specific 
> > > > thread.
> > > > As promised in the commit for pidfd_send_signal() [1] the extension is
> > > > based on a flag argument, i.e. the scope of the signal delivery is 
> > > > based on
> > > > the flag argument, not on the type of file descriptor.
> > > > To this end the flag PIDFD_SIGNAL_TID is added. With this change we now
> > > > cover most of the functionality of all the other signal sending 
> > > > functions
> > > > combined:
> > > [...]
> > > > diff --git a/include/uapi/linux/wait.h b/include/uapi/linux/wait.h
> > > > index d6c7c0701997..b72f0ef84fe5 100644
> > > > --- a/include/uapi/linux/wait.h
> > > > +++ b/include/uapi/linux/wait.h
> > > [...]
> > > > +/* Flags to pass to pidfd_send_signal */
> > > > +#define PIDFD_SIGNAL_TID 1 /* Send signal to specific thread */
> > > 
> > > nit: s/1/1U/; the flags argument is an `unsigned int`
> > 
> > Will change.
> > 
> > > 
> > > >  #endif /* _UAPI_LINUX_WAIT_H */
> > > > diff --git a/kernel/signal.c b/kernel/signal.c
> > > > index eb97d0cc6ef7..9f93da85b2b9 100644
> > > > --- a/kernel/signal.c
> > > > +++ b/kernel/signal.c
> > > [...]
> > > > +static int pidfd_send_signal_specific(struct pid *pid, int sig,
> > > > + struct kernel_siginfo *info)
> > > > +{
> > > > +   struct task_struct *p;
> > > > +   int error = -ESRCH;
> > > > +
> > > > +   rcu_read_lock();
> > > > +   p = pid_task(pid, PIDTYPE_PID);
> > > > +   if (p)
> > > > +   error = __do_send_specific(p, sig, info);
> > > > +   rcu_read_unlock();
> > > > +
> > > > +   return error;
> > > > +}
> > > > +
> > > >  /**
> > > > - * sys_pidfd_send_signal - send a signal to a process through a task 
> > > > file
> > > > - *  descriptor
> > > > + * sys_pidfd_send_signal - send a signal to a process through a pidfd
> > > > +
> > > >   * @pidfd:  the file descriptor of the process
> > > >   * @sig:signal to be sent
> > > >   * @info:   the signal info
> > > >   * @flags:  future flags to be passed
> > > 
> > > nit: comment is outdated, it isn't "future flags" anymore
> > 
> > Will remove.
> > 
> > > 
> > > [...]
> > > > + *   rt_tgsigqueueinfo(, , , )
> > > > + * - pidfd_send_signal(, , , PIDFD_SIGNAL_TID);
> > > > + *   which is equivalent to
> > > > + *   rt_tgsigqueueinfo(, , , )
> > > > + *
> > > >   * In order to extend the syscall to threads and process groups the 
> > > > @flags
> > > >   * argument should be used. In essence, the @flags argument will 
> > > > determine
> > > >   * what is signaled and not the file descriptor itself. Put in other 
> > > > words,
> > > 
> > > nit: again, outdated comment about @flags
> > 
> > Will update.
> > 
> > > 
> > > [...]
> > > > @@ -3626,43 +3695,16 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, 
> > > > int, sig,
> > > > prepare_kill_siginfo(sig, );
> > > > }
> > > >
> > > > -   ret = kill_pid_info(sig, , pid);
> > > > +   if (flags & PIDFD_SIGNAL_TID)
> > > > +   ret = pidfd_send_signal_specific(pid, sig, );
> > > > +   else
> > > > +   ret = kill_pid_info(sig, , pid);
> > > 
> > > nit: maybe give pidfd_send_signal_specific() and kill_pid_info() the
> > > same signatures, since they perform similar operations with the same
> > > argument types?
> > 
> > Yes, let's do
> > pidfd_send_signal_specific.(pid, sig, );
> > kill_pid_info..(pid, sig, );
> > 
> > so it matches the argument order of the syscalls itself too.
> 
> Strike that. We should do:
> pidfd_send_signal_specific.(sig, , pid);
> kill_pid_info..(sig, , pid);
> 
> because kill_pid_info() is called in multiple places so we would
> needlessly shovel code around.
> 
> > 
> > > 
> > > Something that was already kinda weird in the existing code, but is
> > > getting worse with TIDs is the handling of SI_USER with siginfo.
> > 
> > Right, that's what we discussed earlier.
> > 
> > > Copying context lines from above here:
> > > 
> > > if (info) {
> > > ret = copy_siginfo_from_user_any(, info);
> > > if (unlikely(ret))
> > > goto err;
> > > ret = -EINVAL;
> > > if (unlikely(sig != kinfo.si_signo))
> > > goto err;
> > > if ((task_pid(current) != pid) &&
> > > (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) {
> > > /* Only 

[PATCH AUTOSEL 4.19 21/57] compiler.h: update definition of unreachable()

2019-03-29 Thread Sasha Levin
From: "ndesaulni...@google.com" 

[ Upstream commit fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 ]

Fixes the objtool warning seen with Clang:
arch/x86/mm/fault.o: warning: objtool: no_context()+0x220: unreachable
instruction

Fixes commit 815f0ddb346c ("include/linux/compiler*.h: make compiler-*.h
mutually exclusive")

Josh noted that the fallback definition was meant to work around a
pre-gcc-4.6 bug. GCC still needs to work around
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365, so compiler-gcc.h
defines its own version of unreachable().  Clang and ICC can use this
shared definition.

Link: https://github.com/ClangBuiltLinux/linux/issues/204
Suggested-by: Andy Lutomirski 
Suggested-by: Josh Poimboeuf 
Tested-by: Nathan Chancellor 
Signed-off-by: Nick Desaulniers 
Signed-off-by: Miguel Ojeda 
Signed-off-by: Sasha Levin 
---
 include/linux/compiler.h | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 269d376f5a11..81c2238b884c 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -124,7 +124,10 @@ void ftrace_likely_update(struct ftrace_likely_data *f, 
int val,
 # define ASM_UNREACHABLE
 #endif
 #ifndef unreachable
-# define unreachable() do { annotate_reachable(); do { } while (1); } while (0)
+# define unreachable() do {\
+   annotate_unreachable(); \
+   __builtin_unreachable();\
+} while (0)
 #endif
 
 /*
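Review bot: The new fallback replaces the old "do { } while (1)" spin with __builtin_unreachable(), so a call site that can in fact be reached no longer hangs but runs into whatever code follows, which is undefined behaviour. Add a comment above the macro saying it may only follow code that never returns, and that compiler-gcc.h keeps its own definition for the reason given in the commit message, so the two are not merged again by accident.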
-- 
2.19.1



[PATCH AUTOSEL 4.19 14/57] HID: i2c-hid: override HID descriptors for certain devices

2019-03-29 Thread Sasha Levin
From: Julian Sax 

[ Upstream commit 9ee3e06610fdb8a601cde59c92089fb6c1deb4aa ]

A particular touchpad (SIPODEV SP1064) refuses to supply the HID
descriptors. This patch provides the framework for overriding these
descriptors based on DMI data. It also includes the descriptors for
said touchpad, which were extracted by listening to the traffic of the
windows filter driver, as well as the DMI data for the laptops known
to use this device.

Relevant Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1526312

Cc: Hans de Goede 
Reported-and-tested-by: ahorm...@gmx.net
Reported-and-tested-by: Bruno Jesus 
Reported-and-tested-by: Dietrich 
Reported-and-tested-by: kloxd...@yahoo.com
Signed-off-by: Julian Sax 
Reviewed-by: Benjamin Tissoires 
Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
---
 drivers/hid/i2c-hid/Makefile  |   3 +
 .../hid/i2c-hid/{i2c-hid.c => i2c-hid-core.c} |  56 ++-
 drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c  | 376 ++
 drivers/hid/i2c-hid/i2c-hid.h |  20 +
 4 files changed, 437 insertions(+), 18 deletions(-)
 rename drivers/hid/i2c-hid/{i2c-hid.c => i2c-hid-core.c} (96%)
 create mode 100644 drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
 create mode 100644 drivers/hid/i2c-hid/i2c-hid.h

diff --git a/drivers/hid/i2c-hid/Makefile b/drivers/hid/i2c-hid/Makefile
index 832d8f9aaba2..099e1ce2f234 100644
--- a/drivers/hid/i2c-hid/Makefile
+++ b/drivers/hid/i2c-hid/Makefile
@@ -3,3 +3,6 @@
 #
 
 obj-$(CONFIG_I2C_HID)  += i2c-hid.o
+
+i2c-hid-objs   =  i2c-hid-core.o
+i2c-hid-$(CONFIG_DMI)  += i2c-hid-dmi-quirks.o
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid-core.c
similarity index 96%
rename from drivers/hid/i2c-hid/i2c-hid.c
rename to drivers/hid/i2c-hid/i2c-hid-core.c
index 88daa388e1f6..3cde7c1b9c33 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -43,6 +43,7 @@
 #include 
 
 #include "../hid-ids.h"
+#include "i2c-hid.h"
 
 /* quirks to control the device */
 #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV   BIT(0)
@@ -687,6 +688,7 @@ static int i2c_hid_parse(struct hid_device *hid)
char *rdesc;
int ret;
int tries = 3;
+   char *use_override;
 
i2c_hid_dbg(ihid, "entering %s\n", __func__);
 
@@ -705,26 +707,37 @@ static int i2c_hid_parse(struct hid_device *hid)
if (ret)
return ret;
 
-   rdesc = kzalloc(rsize, GFP_KERNEL);
+   use_override = i2c_hid_get_dmi_hid_report_desc_override(client->name,
+   );
 
-   if (!rdesc) {
-   dbg_hid("couldn't allocate rdesc memory\n");
-   return -ENOMEM;
-   }
+   if (use_override) {
+   rdesc = use_override;
+   i2c_hid_dbg(ihid, "Using a HID report descriptor override\n");
+   } else {
+   rdesc = kzalloc(rsize, GFP_KERNEL);
+
+   if (!rdesc) {
+   dbg_hid("couldn't allocate rdesc memory\n");
+   return -ENOMEM;
+   }
 
-   i2c_hid_dbg(ihid, "asking HID report descriptor\n");
+   i2c_hid_dbg(ihid, "asking HID report descriptor\n");
 
-   ret = i2c_hid_command(client, _report_descr_cmd, rdesc, rsize);
-   if (ret) {
-   hid_err(hid, "reading report descriptor failed\n");
-   kfree(rdesc);
-   return -EIO;
+   ret = i2c_hid_command(client, _report_descr_cmd,
+ rdesc, rsize);
+   if (ret) {
+   hid_err(hid, "reading report descriptor failed\n");
+   kfree(rdesc);
+   return -EIO;
+   }
}
 
i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc);
 
ret = hid_parse_report(hid, rdesc, rsize);
-   kfree(rdesc);
+   if (!use_override)
+   kfree(rdesc);
+
if (ret) {
dbg_hid("parsing report descriptor failed\n");
return ret;
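Review bot: In the use_override branch rdesc points at the override data, but hid_parse_report() and the "%*ph" debug print still read rsize bytes from it. The second argument of i2c_hid_get_dmi_hid_report_desc_override() is not legible in this hunk; confirm it sets rsize to the override's own length, otherwise a device-reported length larger than the override table is an out-of-bounds read. The pointer is never written through, so it should be const, and a name such as override_rdesc would read better than the boolean-sounding use_override.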
@@ -851,12 +864,19 @@ static int i2c_hid_fetch_hid_descriptor(struct i2c_hid 
*ihid)
int ret;
 
/* i2c hid fetch using a fixed descriptor size (30 bytes) */
-   i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
-   ret = i2c_hid_command(client, _descr_cmd, ihid->hdesc_buffer,
-   sizeof(struct i2c_hid_desc));
-   if (ret) {
-   dev_err(>dev, "hid_descr_cmd failed\n");
-   return -ENODEV;
+   if (i2c_hid_get_dmi_i2c_hid_desc_override(client->name)) {
+   i2c_hid_dbg(ihid, "Using a HID descriptor override\n");
+   ihid->hdesc =
+   *i2c_hid_get_dmi_i2c_hid_desc_override(client->name);
+   } else {
+   i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
+   ret = 
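Review bot: i2c_hid_get_dmi_i2c_hid_desc_override(client->name) is called twice, once in the if condition and again to dereference the result. Store the returned pointer in a local and test that, so the NULL check and the dereference are on the same value and the DMI lookup runs once. The comment above the block still describes a fetch with a fixed 30-byte descriptor size, which no longer covers the override path.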

[PATCH AUTOSEL 4.19 05/57] 9p: do not trust pdu content for stat item size

2019-03-29 Thread Sasha Levin
From: Gertjan Halkes 

[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: 
http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/vfs_dir.c   | 8 +++-
 net/9p/protocol.c | 3 ++-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index 48db9a9f13f9..cb6c4031af55 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
int err = 0;
struct p9_fid *fid;
int buflen;
-   int reclen = 0;
struct p9_rdir *rdir;
struct kvec kvec;
 
@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
while (rdir->head < rdir->tail) {
err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
  rdir->tail - rdir->head, );
-   if (err) {
+   if (err <= 0) {
p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
return -EIO;
}
-   reclen = st.size+2;
 
over = !dir_emit(ctx, st.name, strlen(st.name),
 v9fs_qid2ino(), dt_type());
@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
if (over)
return 0;
 
-   rdir->head += reclen;
-   ctx->pos += reclen;
+   rdir->head += err;
+   ctx->pos += err;
}
}
 }
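Review bot: err now carries two meanings in this loop: a negative errno on failure and the number of bytes consumed on success ("rdir->head += err; ctx->pos += err;"). Use a separate local for the consumed length so that a positive count cannot be returned as an error code by anything after the loop, and so that the "err <= 0" test reads as what it is, a guard against a record that makes no progress.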
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index ee32bbf12675..b4d80c533f89 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -571,9 +571,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int 
len, struct p9_wstat *st)
if (ret) {
p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
trace_9p_protocol_dump(clnt, _pdu);
+   return ret;
}
 
-   return ret;
+   return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9stat_read);
 
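Review bot: p9stat_read() is exported (EXPORT_SYMBOL is in the context) and its success value changes from 0 to fake_pdu.offset, but no comment is updated to say so. Document the new contract in the function's comment (negative errno on failure, bytes consumed otherwise) and audit every other caller that tests the result with "if (err)", as v9fs_dir_readdir() did before this patch, because a positive count now looks like a failure to them.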
-- 
2.19.1



[PATCH AUTOSEL 4.19 17/57] usbip: fix vhci_hcd controller counting

2019-03-29 Thread Sasha Levin
From: Maciej Żenczykowski 

[ Upstream commit e0a2e73e501c77037c8756137e87b12c7c3c9793 ]

Without this usbip fails on a machine with devices
that lexicographically come after vhci_hcd.

ie.
  $ ls -l /sys/devices/platform
  ...
  drwxr-xr-x. 4 root root0 Sep 19 16:21 serial8250
  -rw-r--r--. 1 root root 4096 Sep 19 23:50 uevent
  drwxr-xr-x. 6 root root0 Sep 20 13:15 vhci_hcd.0
  drwxr-xr-x. 4 root root0 Sep 19 16:22 w83627hf.656

Because it detects 'w83627hf.656' as another vhci_hcd controller,
and then fails to be able to talk to it.

Note: this doesn't actually fix usbip's support for multiple
controllers... that's still broken for other reasons
("vhci_hcd.0" is hardcoded in a string macro), but is enough to
actually make it work on the above machine.

See also:
  https://bugzilla.redhat.com/show_bug.cgi?id=1631148

Cc: Jonathan Dieter 
Cc: Valentina Manea 
Cc: Shuah Khan 
Cc: linux-...@vger.kernel.org
Signed-off-by: Maciej Żenczykowski 
Acked-by: Shuah Khan (Samsung OSG) 
Tested-by: Jonathan Dieter 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 tools/usb/usbip/libsrc/vhci_driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/usb/usbip/libsrc/vhci_driver.c 
b/tools/usb/usbip/libsrc/vhci_driver.c
index 4204359c9fee..8159fd98680b 100644
--- a/tools/usb/usbip/libsrc/vhci_driver.c
+++ b/tools/usb/usbip/libsrc/vhci_driver.c
@@ -150,7 +150,7 @@ static int get_nports(struct udev_device *hc_device)
 
 static int vhci_hcd_filter(const struct dirent *dirent)
 {
-   return strcmp(dirent->d_name, "vhci_hcd") >= 0;
+   return !strncmp(dirent->d_name, "vhci_hcd.", 9);
 }
 
 static int get_ncontrollers(void)
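Review bot: The length 9 in strncmp(dirent->d_name, "vhci_hcd.", 9) is a magic number tied to the literal next to it. Derive it from the prefix (a named constant and sizeof(PREFIX) - 1) so the two cannot drift apart. A prefix match also still accepts any entry that merely starts with "vhci_hcd.", so if the count from get_ncontrollers() is used as a controller index range, check that what follows the dot is a number.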
-- 
2.19.1



[PATCH AUTOSEL 4.19 11/57] powerpc/pseries: Remove prrn_work workqueue

2019-03-29 Thread Sasha Levin
From: Nathan Fontenot 

[ Upstream commit cd24e457fd8b2d087d9236700c8d2957054598bf ]

When a PRRN event is received we are already running in a worker
thread. Instead of spawning off another worker thread on the prrn_work
workqueue to handle the PRRN event we can just call the PRRN handler
routine directly.

With this update we can also pass the scope variable for the PRRN
event directly to the handler instead of it being a global variable.

This patch fixes the following oops message we are seeing in PRRN testing:


Signed-off-by: John Allen 
Signed-off-by: Haren Myneni 
Signed-off-by: Nathan Fontenot 
Signed-off-by: Michael Ellerman 

[PATCH AUTOSEL 4.19 19/57] HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2

2019-03-29 Thread Sasha Levin
From: Kai-Heng Feng 

[ Upstream commit ce9d58d3eafcb2d452a69bdcc1c5f8b8ff640de5 ]

Redragon Seymur 2 stops working since commit 190d7f02ce8e ("HID: input:
do not increment usages when a duplicate is found").

Using quirk HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE, as suggested by the commit,
can solve the issue.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200995
BugLink: https://bugs.launchpad.net/bugs/1793846
Signed-off-by: Kai-Heng Feng 
Reviewed-by: Benjamin Tissoires 
Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-ids.h| 1 +
 drivers/hid/hid-quirks.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index b7870e7e41d4..97d33b8ed36c 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -348,6 +348,7 @@
 #define USB_DEVICE_ID_DMI_ENC  0x5fab
 
 #define USB_VENDOR_ID_DRAGONRISE   0x0079
+#define USB_DEVICE_ID_REDRAGON_SEYMUR2 0x0006
 #define USB_DEVICE_ID_DRAGONRISE_WIIU  0x1800
 #define USB_DEVICE_ID_DRAGONRISE_PS3   0x1801
 #define USB_DEVICE_ID_DRAGONRISE_DOLPHINBAR0x1803
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index 77316f022c5a..94088c0ed68a 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -70,6 +70,7 @@ static const struct hid_device_id hid_quirks[] = {
{ HID_USB_DEVICE(USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC), 
HID_QUIRK_NOGET },
{ HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, 
USB_DEVICE_ID_RAPHNET_2NES2SNES), HID_QUIRK_MULTI_INPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, 
USB_DEVICE_ID_RAPHNET_4NES4SNES), HID_QUIRK_MULTI_INPUT },
+   { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 
USB_DEVICE_ID_REDRAGON_SEYMUR2), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
{ HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 
USB_DEVICE_ID_DRAGONRISE_DOLPHINBAR), HID_QUIRK_MULTI_INPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 
USB_DEVICE_ID_DRAGONRISE_GAMECUBE1), HID_QUIRK_MULTI_INPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, 
USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT },
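Review bot: The new REDRAGON_SEYMUR2 entry is inserted ahead of the existing DRAGONRISE entries, which in the visible context are ordered by device id name (DOLPHINBAR, GAMECUBE1, PS3). If hid_quirks[] is meant to stay sorted within a vendor, the new line belongs after the PS3 entry. A short comment noting that this id is a Redragon keyboard under the DragonRise vendor id would also explain the mismatched name prefix.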
-- 
2.19.1



[PATCH AUTOSEL 4.19 06/57] 9p locks: add mount option for lock retry interval

2019-03-29 Thread Sasha Levin
From: Dinu-Razvan Chis-Serban 

[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]

The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.

Link: 
http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/v9fs.c | 21 +
 fs/9p/v9fs.h |  1 +
 fs/9p/vfs_file.c |  6 +-
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
index 89bac3d2f05b..619128b55837 100644
--- a/fs/9p/v9fs.c
+++ b/fs/9p/v9fs.c
@@ -61,6 +61,8 @@ enum {
Opt_cache_loose, Opt_fscache, Opt_mmap,
/* Access options */
Opt_access, Opt_posixacl,
+   /* Lock timeout option */
+   Opt_locktimeout,
/* Error token */
Opt_err
 };
@@ -80,6 +82,7 @@ static const match_table_t tokens = {
{Opt_cachetag, "cachetag=%s"},
{Opt_access, "access=%s"},
{Opt_posixacl, "posixacl"},
+   {Opt_locktimeout, "locktimeout=%u"},
{Opt_err, NULL}
 };
 
@@ -187,6 +190,7 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #ifdef CONFIG_9P_FSCACHE
v9ses->cachetag = NULL;
 #endif
+   v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
 
if (!opts)
return 0;
@@ -359,6 +363,23 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #endif
break;
 
+   case Opt_locktimeout:
+   r = match_int([0], );
+   if (r < 0) {
+   p9_debug(P9_DEBUG_ERROR,
+"integer field, but no integer?\n");
+   ret = r;
+   continue;
+   }
+   if (option < 1) {
+   p9_debug(P9_DEBUG_ERROR,
+"locktimeout must be a greater than 
zero integer.\n");
+   ret = -EINVAL;
+   continue;
+   }
+   v9ses->session_lock_timeout = (long)option * HZ;
+   break;
+
default:
continue;
}
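Review bot: "(long)option * HZ" has no upper bound. option is read with match_int(), so it can be as large as INT_MAX, and on a 32-bit build long is no wider than int, so the multiplication can overflow and hand schedule_timeout_interruptible() a negative or tiny timeout. Reject values above LONG_MAX / HZ with -EINVAL alongside the "option < 1" check. The token is declared as "locktimeout=%u" but parsed as a signed int; make the two agree.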
diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
index 982e017acadb..129e5243a6bf 100644
--- a/fs/9p/v9fs.h
+++ b/fs/9p/v9fs.h
@@ -116,6 +116,7 @@ struct v9fs_session_info {
struct p9_client *clnt; /* 9p client */
struct list_head slist; /* list of sessions registered with v9fs */
struct rw_semaphore rename_sem;
+   long session_lock_timeout; /* retry interval for blocking locks */
 };
 
 /* cache_validity flags */
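Review bot: The comment on session_lock_timeout does not give the unit. The stored value is in jiffies (option * HZ in v9fs_parse_options()) while the mount option is given in seconds; say so here. The diffstat also shows no documentation file changing, so the new locktimeout option and its default should be added to the 9p mount option documentation.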
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index c87e6d6ec069..05454a7e22dc 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
uint8_t status = P9_LOCK_ERROR;
int res = 0;
unsigned char fl_type;
+   struct v9fs_session_info *v9ses;
 
fid = filp->private_data;
BUG_ON(fid == NULL);
@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
if (IS_SETLKW(cmd))
flock.flags = P9_LOCK_FLAGS_BLOCK;
 
+   v9ses = v9fs_inode2v9ses(file_inode(filp));
+
/*
 * if its a blocked request and we get P9_LOCK_BLOCKED as the status
 * for lock request, keep on trying
@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
break;
if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
break;
-   if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+   if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
+   != 0)
break;
/*
 * p9_client_lock_dotl overwrites flock.client_id with the
-- 
2.19.1



[PATCH AUTOSEL 4.19 18/57] ACPI / SBS: Fix GPE storm on recent MacBookPro's

2019-03-29 Thread Sasha Levin
From: Ronald Tschalär 

[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]

On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).

In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want
to ignore the charger here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
Signed-off-by: Ronald Tschalär 
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/sbs.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index 295b59271189..96c5e27967f4 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -441,9 +441,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
 
/*
 * The spec requires that bit 4 always be 1. If it's not set, assume
-* that the implementation doesn't support an SBS charger
+* that the implementation doesn't support an SBS charger.
+*
+* And on some MacBooks a status of 0x is always returned, no
+* matter whether the charger is plugged in or not, which is also
+* wrong, so ignore the SBS charger for those too.
 */
-   if (!((status >> 4) & 0x1))
+   if (!((status >> 4) & 0x1) || status == 0x)
return -ENODEV;
 
sbs->charger_present = (status >> 15) & 0x1;
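Review bot: the added all-ones comparison in the `if` applies to every machine, not only the MBP13,* and MBP14,* models the commit message names, so any charger that reports all status bits set is now dropped with -ENODEV everywhere. Either gate the test on a DMI match for the affected models or state in the comment why an all-ones charger status can never be valid, and give the literal a named constant instead of a bare hex value.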
-- 
2.19.1



[PATCH AUTOSEL 4.19 07/57] ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx()

2019-03-29 Thread Sasha Levin
From: Rohit kumar 

[ Upstream commit ae7d1247d8673ebfd686b17e759d4be391165368 ]

In functions snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(),
if the result of (min + max) is negative, then fls() returns
signed integer with value as 32. This leads to signed integer
overflow as complete operation is considered as signed integer.

UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:50
signed integer overflow:
-2147483648 - 1 cannot be represented in type 'int'
Call trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xec/0x158 lib/dump_stack.c:51
[] ubsan_epilogue+0x18/0x50 lib/ubsan.c:164
[] handle_overflow+0xf8/0x130 lib/ubsan.c:195
[] __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:211
[] snd_soc_get_volsw_sx+0x1a8/0x1f8 sound/soc/soc-ops.c:382

Typecast the operation to unsigned int to fix the issue.

Signed-off-by: Rohit kumar 
Signed-off-by: Mark Brown 
Signed-off-by: Sasha Levin 
---
 sound/soc/soc-ops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 592efb370c44..f4dc3d445aae 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -373,7 +373,7 @@ int snd_soc_get_volsw_sx(struct snd_kcontrol *kcontrol,
unsigned int rshift = mc->rshift;
int max = mc->max;
int min = mc->min;
-   unsigned int mask = (1 << (fls(min + max) - 1)) - 1;
+   unsigned int mask = (1U << (fls(min + max) - 1)) - 1;
unsigned int val;
int ret;
 
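Review bot: the shift count in `(1U << (fls(min + max) - 1)) - 1` is still unchecked. When min + max is 0, fls() returns 0 and the count becomes -1, which is undefined for an unsigned left operand as well, and the `min + max` addition is still carried out in `int`. Doing the sum in unsigned arithmetic and handling the zero case explicitly would close both.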
@@ -418,7 +418,7 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
unsigned int rshift = mc->rshift;
int max = mc->max;
int min = mc->min;
-   unsigned int mask = (1 << (fls(min + max) - 1)) - 1;
+   unsigned int mask = (1U << (fls(min + max) - 1)) - 1;
int err = 0;
unsigned int val, val_mask, val2 = 0;
 
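Review bot: this is the second copy of the same mask expression needing the same one-character fix. A small static helper taking min and max, used by both snd_soc_get_volsw_sx() and snd_soc_put_volsw_sx(), would keep the two copies from drifting apart.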
-- 
2.19.1



[PATCH AUTOSEL 4.19 03/57] rsi: improve kernel thread handling to fix kernel panic

2019-03-29 Thread Sasha Levin
From: Siva Rebbagondla 

[ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]

While running regressions, the kernel panic below was observed when sdio
disconnect was called. This is because kthread_stop() takes care of
wait_for_completion() by default. When wait_for_completion() was triggered
in kthread_stop() and it had already been done, the kernel panicked.
Hence, remove the redundant wait_for_completion() from rsi_kill_thread().

... skipping ...
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [] exit_creds+0x1f/0x50
PGD 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
Stack:
88007392e600 880075847dc0 8108160a 
88007392e600 880075847de8 810a484b 880076127000
88003cd3a800 880074f12a00 880075847e28 c09bed15
Call Trace:
[] __put_task_struct+0x5a/0x140
[] kthread_stop+0x10b/0x110
[] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
[] ? __pm_runtime_resume+0x5b/0x80
[] sdio_bus_remove+0x38/0x100
[] __device_release_driver+0xa4/0x150
[] driver_detach+0xb5/0xc0
[] bus_remove_driver+0x55/0xd0
[] driver_unregister+0x2c/0x50
[] sdio_unregister_driver+0x1a/0x20
[] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
[] SyS_delete_module+0x1b8/0x210
[] entry_SYSCALL_64_fastpath+0x1c/0xbb

Signed-off-by: Siva Rebbagondla 
Signed-off-by: Kalle Valo 
Signed-off-by: Sasha Levin 
---
 drivers/net/wireless/rsi/rsi_common.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_common.h 
b/drivers/net/wireless/rsi/rsi_common.h
index d9ff3b8be86e..60f1f286b030 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
atomic_inc(>thread_done);
rsi_set_event(>event);
 
-   wait_for_completion(>completion);
return kthread_stop(handle->task);
 }
 
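Review bot: with the wait removed, `return kthread_stop(handle->task);` is safe only if the thread function stays alive until kthread_should_stop() is true after it sees thread_done; the oops in the commit message (exit_creds via __put_task_struct from kthread_stop) is consistent with stopping a task that had already exited. Please state that guarantee in a comment here, and if the `completion` member is now unused (the diffstat shows only this one deletion), remove it in the same patch.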
-- 
2.19.1



[PATCH AUTOSEL 4.19 16/57] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms

2019-03-29 Thread Sasha Levin
From: Bartlomiej Zolnierkiewicz 

[ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ]

"S3C2410 PM Suspend Memory CRC" feature (controlled by
SAMSUNG_PM_CHECK config option) is incompatible with highmem
(uses phys_to_virt() instead of proper mapping) which is used by
the majority of Exynos boards. The issue manifests itself in OOPS
on affected boards, i.e. on Odroid-U3 I got the following one:

Unable to handle kernel paging request at virtual address f000
pgd = 1c0f9bb4
[f000] *pgd=
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[] (crc32_le) from [] (s3c_pm_makecheck+0x34/0x54)
[] (s3c_pm_makecheck) from [] (s3c_pm_run_res+0x74/0x8c)
[] (s3c_pm_run_res) from [] (s3c_pm_run_res+0x44/0x8c)
[] (s3c_pm_run_res) from [] (exynos_suspend_enter+0x64/0x148)
[] (exynos_suspend_enter) from [] (suspend_devices_and_enter+0x9ec/0xe74)
[] (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04)
[] (pm_suspend) from [] (state_store+0x6c/0xcc)
[] (state_store) from [] (kobj_attr_store+0x14/0x20)
[] (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50)
[] (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e4)
[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x140)
[] (__vfs_write) from [] (vfs_write+0xa4/0x160)
[] (vfs_write) from [] (ksys_write+0x40/0x8c)
[] (ksys_write) from [] (ret_fast_syscall+0x0/0x28)

Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.

Signed-off-by: Bartlomiej Zolnierkiewicz 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Sasha Levin 
---
 arch/arm/plat-samsung/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
index b600e38364eb..377ff9cda667 100644
--- a/arch/arm/plat-samsung/Kconfig
+++ b/arch/arm/plat-samsung/Kconfig
@@ -256,7 +256,7 @@ config S3C_PM_DEBUG_LED_SMDK
 
 config SAMSUNG_PM_CHECK
bool "S3C2410 PM Suspend Memory CRC"
-   depends on PM
+   depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
select CRC32
help
  Enable the PM code's memory area checksum over sleep. This option
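Review bot: the new `depends on` line lists platforms rather than the condition the commit message identifies, which is highmem. A PLAT_S3C24XX, ARCH_S3C64XX or ARCH_S5PV210 kernel built with highmem could still reach phys_to_virt() on memory that has no linear mapping. Consider adding `&& !HIGHMEM`, or at least a line in the help text saying the checksum only covers lowmem.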
-- 
2.19.1



[PATCH AUTOSEL 4.19 02/57] gpio: pxa: handle corner case of unprobed device

2019-03-29 Thread Sasha Levin
From: Robert Jarzmik 

[ Upstream commit 9ce3ebe973bf4073426f35f282c6b955ed802765 ]

In the corner case where the gpio driver probe fails, for whatever
reason, the suspend and resume handlers will still be called as they
have to be registered as syscore operations. This applies as well when
no probe was called while the driver has been built in the kernel.

Nicolas tracked this in:
https://bugzilla.kernel.org/show_bug.cgi?id=200905

Therefore, add a failsafe in these functions, and test if a proper probe
succeeded and the driver is functional.

Signed-off-by: Robert Jarzmik 
Reported-by: Nicolas Chauvet 
Signed-off-by: Linus Walleij 
Signed-off-by: Sasha Levin 
---
 drivers/gpio/gpio-pxa.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c
index eb27fa76e8fc..bcc6be4a5cb2 100644
--- a/drivers/gpio/gpio-pxa.c
+++ b/drivers/gpio/gpio-pxa.c
@@ -777,6 +777,9 @@ static int pxa_gpio_suspend(void)
struct pxa_gpio_bank *c;
int gpio;
 
+   if (!pchip)
+   return 0;
+
for_each_gpio_bank(gpio, c, pchip) {
c->saved_gplr = readl_relaxed(c->regbase + GPLR_OFFSET);
c->saved_gpdr = readl_relaxed(c->regbase + GPDR_OFFSET);
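Review bot: `if (!pchip)` only helps if pchip is guaranteed to stay NULL when probe fails part-way. If probe assigns it before a later step fails, suspend and resume still walk banks whose regbase may never have been mapped. Worth confirming the assignment order in probe and adding a one-line comment above the check saying why pchip can be NULL here (syscore ops run whether or not probe succeeded).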
@@ -795,6 +798,9 @@ static void pxa_gpio_resume(void)
struct pxa_gpio_bank *c;
int gpio;
 
+   if (!pchip)
+   return;
+
for_each_gpio_bank(gpio, c, pchip) {
/* restore level with set/clear */
writel_relaxed(c->saved_gplr, c->regbase + GPSR_OFFSET);
-- 
2.19.1



[PATCH AUTOSEL 4.19 09/57] netfilter: xt_cgroup: shrink size of v2 path

2019-03-29 Thread Sasha Levin
From: Pablo Neira Ayuso 

[ Upstream commit 0d704967f4a49cc2212350b3e4a8231f8b4283ed ]

cgroup v2 path field is PATH_MAX which is too large, this is placing too
much pressure on memory allocation for people with many rules doing
cgroup v1 classid matching, side effects of this are bug reports like:

https://bugzilla.kernel.org/show_bug.cgi?id=200639

This patch registers a new revision that shrinks the cgroup path to 512
bytes, which is the same approach we follow in similar extensions that
have a path field.

Cc: Tejun Heo 
Signed-off-by: Pablo Neira Ayuso 
Acked-by: Tejun Heo 
Signed-off-by: Sasha Levin 
---
 include/uapi/linux/netfilter/xt_cgroup.h | 16 ++
 net/netfilter/xt_cgroup.c| 72 
 2 files changed, 88 insertions(+)

diff --git a/include/uapi/linux/netfilter/xt_cgroup.h 
b/include/uapi/linux/netfilter/xt_cgroup.h
index e96dfa1b34f7..b74e370d6133 100644
--- a/include/uapi/linux/netfilter/xt_cgroup.h
+++ b/include/uapi/linux/netfilter/xt_cgroup.h
@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 {
void*priv __attribute__((aligned(8)));
 };
 
+#define XT_CGROUP_PATH_MAX 512
+
+struct xt_cgroup_info_v2 {
+   __u8has_path;
+   __u8has_classid;
+   __u8invert_path;
+   __u8invert_classid;
+   union {
+   charpath[XT_CGROUP_PATH_MAX];
+   __u32   classid;
+   };
+
+   /* kernel internal data */
+   void*priv __attribute__((aligned(8)));
+};
+
 #endif /* _UAPI_XT_CGROUP_H */
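Review bot: the new uapi struct does not document the contract for `path`: whether userspace must NUL-terminate it within XT_CGROUP_PATH_MAX bytes, and what a ruleset should do with a cgroup path that fitted revision 1 but is longer than 511 characters. A comment on the field, plus a note that longer paths must stay on revision 1, would make the shrink visible to userspace authors.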
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 5d92e1781980..5cb1ecb29ea4 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -68,6 +68,38 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param 
*par)
return 0;
 }
 
+static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
+{
+   struct xt_cgroup_info_v2 *info = par->matchinfo;
+   struct cgroup *cgrp;
+
+   if ((info->invert_path & ~1) || (info->invert_classid & ~1))
+   return -EINVAL;
+
+   if (!info->has_path && !info->has_classid) {
+   pr_info("xt_cgroup: no path or classid specified\n");
+   return -EINVAL;
+   }
+
+   if (info->has_path && info->has_classid) {
+   pr_info_ratelimited("path and classid specified\n");
+   return -EINVAL;
+   }
+
+   info->priv = NULL;
+   if (info->has_path) {
+   cgrp = cgroup_get_from_path(info->path);
+   if (IS_ERR(cgrp)) {
+   pr_info_ratelimited("invalid path, errno=%ld\n",
+   PTR_ERR(cgrp));
+   return -EINVAL;
+   }
+   info->priv = cgrp;
+   }
+
+   return 0;
+}
+
 static bool
 cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 {
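Review bot: cgroup_mt_check_v2() hands `info->path` to cgroup_get_from_path() without making sure the user-supplied buffer is NUL-terminated, so a rule whose 512 path bytes are all non-zero lets the lookup read past the array. Terminate or reject it first, e.g. `info->path[sizeof(info->path) - 1] = '\0';`. Smaller point: the first message uses pr_info() with a hand-written "xt_cgroup:" prefix while the other two use pr_info_ratelimited(); all three are triggered by userspace input and should be rate-limited and formatted alike.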
@@ -99,6 +131,24 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct 
xt_action_param *par)
info->invert_classid;
 }
 
+static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param 
*par)
+{
+   const struct xt_cgroup_info_v2 *info = par->matchinfo;
+   struct sock_cgroup_data *skcd = >sk->sk_cgrp_data;
+   struct cgroup *ancestor = info->priv;
+   struct sock *sk = skb->sk;
+
+   if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
+   return false;
+
+   if (ancestor)
+   return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
+   info->invert_path;
+   else
+   return (info->classid == sock_cgroup_classid(skcd)) ^
+   info->invert_classid;
+}
+
 static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
 {
struct xt_cgroup_info_v1 *info = par->matchinfo;
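Review bot: in cgroup_mt_v2() the `skcd` initializer takes the address of sk_cgrp_data through the socket pointer before the `!sk` test a few lines later. It is only address arithmetic, but it reads as a dereference of a pointer that has not been checked yet. Declare `sk` first and assign skcd after the `if (!sk || !sk_fullsock(sk) || ...)` early return.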
@@ -107,6 +157,14 @@ static void cgroup_mt_destroy_v1(const struct 
xt_mtdtor_param *par)
cgroup_put(info->priv);
 }
 
+static void cgroup_mt_destroy_v2(const struct xt_mtdtor_param *par)
+{
+   struct xt_cgroup_info_v2 *info = par->matchinfo;
+
+   if (info->priv)
+   cgroup_put(info->priv);
+}
+
 static struct xt_match cgroup_mt_reg[] __read_mostly = {
{
.name   = "cgroup",
@@ -134,6 +192,20 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
  (1 << NF_INET_POST_ROUTING) |
  (1 << NF_INET_LOCAL_IN),
},
+   {
+   .name   = "cgroup",
+   .revision   = 2,
+   .family = NFPROTO_UNSPEC,
+   .checkentry = cgroup_mt_check_v2,
+   .match  = cgroup_mt_v2,
+   .matchsize  = sizeof(struct xt_cgroup_info_v2),
+   .usersize   = offsetof(struct xt_cgroup_info_v2, priv),
+   .destroy= 

[PATCH AUTOSEL 4.19 30/57] ALSA: hda: fix front speakers on Huawei MBXP

2019-03-29 Thread Sasha Levin
From: Ayman Bagabas 

[ Upstream commit 8ac51bbc4cfec4ef08b03bef24b31e2d50ef8b37 ]

This patch solves bug 200501 'Only 2 of 4 speakers playing sound.'
It enables the front speakers on Huawei Matebook X Pro laptops.
These laptops come with a Dolby Atmos sound system and this pin
configuration enables the front speakers.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200501
Reviewed-by: Andy Shevchenko 
Reviewed-by: Takashi Iwai 
Signed-off-by: Ayman Bagabas 
Signed-off-by: Takashi Iwai 
Signed-off-by: Sasha Levin 
---
 sound/pci/hda/patch_realtek.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 877293149e3a..61d91b2f3994 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5602,6 +5602,7 @@ enum {
ALC298_FIXUP_TPT470_DOCK,
ALC255_FIXUP_DUMMY_LINEOUT_VERB,
ALC255_FIXUP_DELL_HEADSET_MIC,
+   ALC256_FIXUP_HUAWEI_MBXP_PINS,
ALC295_FIXUP_HP_X360,
ALC221_FIXUP_HP_HEADSET_MIC,
ALC285_FIXUP_LENOVO_HEADPHONE_NOISE,
@@ -5884,6 +5885,22 @@ static const struct hda_fixup alc269_fixups[] = {
.chained = true,
.chain_id = ALC269_FIXUP_HEADSET_MIC
},
+   [ALC256_FIXUP_HUAWEI_MBXP_PINS] = {
+   .type = HDA_FIXUP_PINS,
+   .v.pins = (const struct hda_pintbl[]) {
+   {0x12, 0x90a60130},
+   {0x13, 0x4000},
+   {0x14, 0x90170110},
+   {0x18, 0x41f0},
+   {0x19, 0x04a11040},
+   {0x1a, 0x41f0},
+   {0x1b, 0x90170112},
+   {0x1d, 0x40759a05},
+   {0x1e, 0x41f0},
+   {0x21, 0x04211020},
+   { }
+   },
+   },
[ALC269_FIXUP_ASUS_X101_FUNC] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc269_fixup_x101_headset_mic,
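Review bot: the ALC256_FIXUP_HUAWEI_MBXP_PINS table is ten raw pin-default words with nothing saying which NIDs are the front speakers the commit message is about. A short comment on the speaker entries, or a pointer to the pin dump in bug 200501, would let the next reader verify the table without re-deriving it.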
@@ -6812,6 +6829,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
+   SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MBXP", 
ALC256_FIXUP_HUAWEI_MBXP_PINS),
SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", 
ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
 
 #if 0
-- 
2.19.1



[PATCH AUTOSEL 4.19 29/57] drm/ttm: Fix bo_global and mem_global kfree error

2019-03-29 Thread Sasha Levin
From: Trigger Huang 

[ Upstream commit 30f33126feca0fe16df9e9302ffc28a953e2eb37 ]

ttm_bo_glob and ttm_mem_glob are defined as structure instance, while
not allocated by kzalloc, so kfree should not be invoked to release
them anymore. Otherwise, it will cause the following kernel BUG when
unloading amdgpu module

[   48.419294] kernel BUG at /build/linux-5s7Xkn/linux-4.15.0/mm/slub.c:3894!
[   48.419352] invalid opcode:  [#1] SMP PTI
[   48.419387] Modules linked in: amdgpu(OE-) amdchash(OE) amdttm(OE) 
amd_sched(OE) amdkcl(OE) amd_iommu_v2 drm_kms_helper drm i2c_algo_bit 
fb_sys_fops syscopyarea sysfillrect sysimgblt snd_hda_codec_generic 
snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep kvm_intel kvm irqbypass 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_pcm snd_seq_midi 
snd_seq_midi_event snd_rawmidi pcbc snd_seq snd_seq_device snd_timer 
aesni_intel snd soundcore joydev aes_x86_64 crypto_simd glue_helper cryptd 
input_leds mac_hid serio_raw binfmt_misc nfsd auth_rpcgss nfs_acl lockd grace 
sunrpc sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 
8139too psmouse i2c_piix4 8139cp mii floppy pata_acpi
[   48.419782] CPU: 1 PID: 1281 Comm: modprobe Tainted: G   OE
4.15.0-20-generic #21-Ubuntu
[   48.419838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   48.419901] RIP: 0010:kfree+0x137/0x180
[   48.419934] RSP: 0018:b02101273bf8 EFLAGS: 00010246
[   48.419974] RAX: eee1418ad7e0 RBX: c075f100 RCX: 8fed7fca7ed0
[   48.420025] RDX:  RSI: 0003440e RDI: 2240
[   48.420073] RBP: b02101273c10 R08: 0010 R09: 8fed7ffd3680
[   48.420121] R10: eee1418ad7c0 R11: 8fed7ffd3000 R12: c075e2c0
[   48.420169] R13: c074ec10 R14: 8fed73063900 R15: 8fed737428e8
[   48.420216] FS:  7fdc912ec540() GS:8fed7fc8() 
knlGS:
[   48.420267] CS:  0010 DS:  ES:  CR0: 80050033
[   48.420308] CR2: 55fa40c30060 CR3: 00023470a006 CR4: 003606e0
[   48.420358] DR0:  DR1:  DR2: 
[   48.420405] DR3:  DR6: fffe0ff0 DR7: 0400
[   48.420452] Call Trace:
[   48.420485]  ttm_bo_global_kobj_release+0x20/0x30 [amdttm]
[   48.420528]  kobject_release+0x6a/0x180
[   48.420562]  kobject_put+0x28/0x50
[   48.420595]  ttm_bo_global_release+0x36/0x50 [amdttm]
[   48.420636]  amdttm_bo_device_release+0x119/0x180 [amdttm]
[   48.420678]  ? amdttm_bo_clean_mm+0xa6/0xf0 [amdttm]
[   48.420760]  amdgpu_ttm_fini+0xc9/0x180 [amdgpu]
[   48.420821]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
[   48.420889]  gmc_v9_0_sw_fini+0x40/0x50 [amdgpu]
[   48.420947]  amdgpu_device_fini+0x36f/0x4c0 [amdgpu]
[   48.421007]  amdgpu_driver_unload_kms+0xb4/0x150 [amdgpu]
[   48.421058]  drm_dev_unregister+0x46/0xf0 [drm]
[   48.421102]  drm_dev_unplug+0x12/0x70 [drm]

Signed-off-by: Trigger Huang 
Reviewed-by: Christian König 
Signed-off-by: Alex Deucher 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/ttm/ttm_bo.c | 1 -
 drivers/gpu/drm/ttm/ttm_memory.c | 9 -
 2 files changed, 10 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 7c484729f9b2..268f5a3b3122 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -1445,7 +1445,6 @@ static void ttm_bo_global_kobj_release(struct kobject 
*kobj)
container_of(kobj, struct ttm_bo_global, kobj);
 
__free_page(glob->dummy_read_page);
-   kfree(glob);
 }
 
 void ttm_bo_global_release(struct drm_global_reference *ref)
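Review bot: after dropping kfree(glob), the release handler still frees `glob->dummy_read_page` but leaves that pointer behind in an object which, per the commit message, is a static instance and outlives this call. Set it to NULL after __free_page() so a later init or a stray second release cannot act on a stale page pointer.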
diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index 450387c92b63..df73d5ff84a8 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
+++ b/drivers/gpu/drm/ttm/ttm_memory.c
@@ -216,14 +216,6 @@ static ssize_t ttm_mem_global_store(struct kobject *kobj,
return size;
 }
 
-static void ttm_mem_global_kobj_release(struct kobject *kobj)
-{
-   struct ttm_mem_global *glob =
-   container_of(kobj, struct ttm_mem_global, kobj);
-
-   kfree(glob);
-}
-
 static struct attribute *ttm_mem_global_attrs[] = {
_mem_global_lower_mem_limit,
NULL
@@ -235,7 +227,6 @@ static const struct sysfs_ops ttm_mem_global_ops = {
 };
 
 static struct kobj_type ttm_mem_glob_kobj_type = {
-   .release = _mem_global_kobj_release,
.sysfs_ops = _mem_global_ops,
.default_attrs = ttm_mem_global_attrs,
 };
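Review bot: removing `.release` from ttm_mem_glob_kobj_type leaves the kobject with no release callback at all, which the kobject core flags (as a debug message) as a broken ktype when the last reference is dropped. Keeping ttm_mem_global_kobj_release() as an empty function with a comment that the object is statically allocated is the safer shape than deleting both the function and the initializer.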
-- 
2.19.1



[PATCH AUTOSEL 4.19 28/57] nvme-pci: fix conflicting p2p resource adds

2019-03-29 Thread Sasha Levin
From: Keith Busch 

[ Upstream commit 9fe5c59ff6a1e5e26a39b75489a1420e7eaaf0b1 ]

The nvme pci driver had been adding its CMB resource to the P2P DMA
subsystem every time on a controller reset. This results in the
following warning:

[ cut here ]
nvme :00:03.0: Conflicting mapping in same section
WARNING: CPU: 7 PID: 81 at kernel/memremap.c:155 devm_memremap_pages+0xa6/0x380
...
Call Trace:
 pci_p2pdma_add_resource+0x153/0x370
 nvme_reset_work+0x28c/0x17b1 [nvme]
 ? add_timer+0x107/0x1e0
 ? dequeue_entity+0x81/0x660
 ? dequeue_entity+0x3b0/0x660
 ? pick_next_task_fair+0xaf/0x610
 ? __switch_to+0xbc/0x410
 process_one_work+0x1cf/0x350
 worker_thread+0x215/0x3d0
 ? process_one_work+0x350/0x350
 kthread+0x107/0x120
 ? kthread_park+0x80/0x80
 ret_from_fork+0x1f/0x30
---[ end trace f7ea76ac6ee72727 ]---
nvme nvme0: failed to register the CMB

This patch fixes this by registering the CMB with P2P only once.

Signed-off-by: Keith Busch 
Reviewed-by: Logan Gunthorpe 
Signed-off-by: Christoph Hellwig 
Signed-off-by: Jens Axboe 
Signed-off-by: Sasha Levin 
---
 drivers/nvme/host/pci.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 7b9ef8e734e7..dca87cb485e9 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1649,6 +1649,9 @@ static void nvme_map_cmb(struct nvme_dev *dev)
struct pci_dev *pdev = to_pci_dev(dev->dev);
int bar;
 
+   if (dev->cmb_size)
+   return;
+
dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
if (!dev->cmbsz)
return;
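Review bot: the new `if (dev->cmb_size) return;` makes nvme_map_cmb() depend on cmb_size being zero whenever no CMB is registered, and it also skips re-reading NVME_REG_CMBSZ after a reset. Add a comment stating that the CMB is mapped once for the lifetime of the device, and check that nvme_release_cmb() clears cmb_size so a later map is not silently skipped.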
@@ -2133,7 +2136,6 @@ static void nvme_pci_disable(struct nvme_dev *dev)
 {
struct pci_dev *pdev = to_pci_dev(dev->dev);
 
-   nvme_release_cmb(dev);
pci_free_irq_vectors(pdev);
 
if (pci_is_enabled(pdev)) {
@@ -2585,6 +2587,7 @@ static void nvme_remove(struct pci_dev *pdev)
nvme_stop_ctrl(>ctrl);
nvme_remove_namespaces(>ctrl);
nvme_dev_disable(dev, true);
+   nvme_release_cmb(dev);
nvme_free_host_mem(dev);
nvme_dev_remove_admin(dev);
nvme_free_queues(dev, 0);
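Review bot: nvme_release_cmb() is now called only from nvme_remove(). With the call removed from nvme_pci_disable(), a probe or reset that fails after nvme_map_cmb() succeeded has no release path visible in this patch. Please confirm the failure paths are covered, or call nvme_release_cmb() from the common teardown as well.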
-- 
2.19.1



[PATCH AUTOSEL 4.19 40/57] kvm: properly check debugfs dentry before using it

2019-03-29 Thread Sasha Levin
From: Greg Kroah-Hartman 

[ Upstream commit 8ed0579c12b2fe56a1fac2f712f58fc26c1dc49b ]

debugfs can now report an error code if something went wrong instead of
just NULL.  So if the return value is to be used as a "real" dentry, it
needs to be checked if it is an error before dereferencing it.

This is now happening because of ff9fb72bc077 ("debugfs: return error
values, not NULL").  syzbot has found a way to trigger multiple debugfs
files attempting to be created, which fails, and then the error code
gets passed to dentry_path_raw() which obviously does not like it.

Reported-by: Eric Biggers 
Reported-and-tested-by: syzbot+7857962b4d45e602b...@syzkaller.appspotmail.com
Cc: "Radim Krčmář" 
Cc: k...@vger.kernel.org
Acked-by: Paolo Bonzini 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index c436d95fd7aa..fb74f994cb63 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3912,7 +3912,7 @@ static void kvm_uevent_notify_change(unsigned int type, 
struct kvm *kvm)
}
add_uevent_var(env, "PID=%d", kvm->userspace_pid);
 
-   if (kvm->debugfs_dentry) {
+   if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
 
if (p) {
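Review bot: testing `!IS_ERR_OR_NULL(kvm->debugfs_dentry)` at this one use site leaves the error pointer stored in the struct, so every other reader of debugfs_dentry has to remember the same test. Normalising at creation time (store NULL when debugfs returns an error) would keep plain `if (kvm->debugfs_dentry)` checks correct everywhere.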
-- 
2.19.1



[PATCH AUTOSEL 4.19 33/57] blk-mq: protect debugfs_create_files() from failures

2019-03-29 Thread Sasha Levin
From: Greg Kroah-Hartman 

[ Upstream commit 36991ca68db9dd43bac7f3519f080ee3939263ef ]

If debugfs were to return a non-NULL error for a debugfs call, using
that pointer later in debugfs_create_files() would crash.

Fix that by properly checking the pointer before referencing it.

Reported-by: Michal Hocko 
Reported-and-tested-by: syzbot+b382ba6a802a3d242...@syzkaller.appspotmail.com
Reported-by: Tetsuo Handa 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 block/blk-mq-debugfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c
index cb1e6cf7ac48..9dc3a0896462 100644
--- a/block/blk-mq-debugfs.c
+++ b/block/blk-mq-debugfs.c
@@ -806,6 +806,9 @@ static const struct blk_mq_debugfs_attr 
blk_mq_debugfs_ctx_attrs[] = {
 static bool debugfs_create_files(struct dentry *parent, void *data,
 const struct blk_mq_debugfs_attr *attr)
 {
+   if (IS_ERR_OR_NULL(parent))
+   return false;
+
d_inode(parent)->i_private = data;
 
for (; attr->name; attr++) {
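Review bot: returning false for an invalid `parent` is indistinguishable from a real file-creation failure, so a caller that treats false as an error runs its cleanup with the same error pointer still stored as the directory dentry. Either check the directory where it is created and store NULL on error, or confirm that each caller's cleanup tolerates an error pointer.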
-- 
2.19.1



[PATCH AUTOSEL 4.19 44/57] lkdtm: Add tests for NULL pointer dereference

2019-03-29 Thread Sasha Levin
From: Christophe Leroy 

[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]

Introduce lkdtm tests for NULL pointer dereference: check access or exec
at NULL address, since these errors tend to be reported differently from
the general fault error text. For example from x86:

pr_alert("BUG: unable to handle kernel %s at %px\n",
address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
(void *)address);

Signed-off-by: Christophe Leroy 
Signed-off-by: Kees Cook 
Signed-off-by: Sasha Levin 
---
 drivers/misc/lkdtm/core.c  |  2 ++
 drivers/misc/lkdtm/lkdtm.h |  2 ++
 drivers/misc/lkdtm/perms.c | 18 ++
 3 files changed, 22 insertions(+)

diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2154d1bfd18b..07caaa2cfe1e 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -152,7 +152,9 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(EXEC_VMALLOC),
CRASHTYPE(EXEC_RODATA),
CRASHTYPE(EXEC_USERSPACE),
+   CRASHTYPE(EXEC_NULL),
CRASHTYPE(ACCESS_USERSPACE),
+   CRASHTYPE(ACCESS_NULL),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
CRASHTYPE(WRITE_KERN),
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 9e513dcfd809..8c3f2e6af256 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
 void lkdtm_EXEC_VMALLOC(void);
 void lkdtm_EXEC_RODATA(void);
 void lkdtm_EXEC_USERSPACE(void);
+void lkdtm_EXEC_NULL(void);
 void lkdtm_ACCESS_USERSPACE(void);
+void lkdtm_ACCESS_NULL(void);
 
 /* lkdtm_refcount.c */
 void lkdtm_REFCOUNT_INC_OVERFLOW(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index fa54add6375a..62f76d506f04 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_EXEC_NULL(void)
+{
+   execute_location(NULL, CODE_AS_IS);
+}
+
 void lkdtm_ACCESS_USERSPACE(void)
 {
unsigned long user_addr, tmp = 0;
@@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_ACCESS_NULL(void)
+{
+   unsigned long tmp;
+   unsigned long *ptr = (unsigned long *)NULL;
+
+   pr_info("attempting bad read at %px\n", ptr);
+   tmp = *ptr;
+   tmp += 0xc0dec0de;
+
+   pr_info("attempting bad write at %px\n", ptr);
+   *ptr = tmp;
+}
+
 void __init lkdtm_perms_init(void)
 {
/* Make sure we can write to __ro_after_init values during __init */
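Review bot: in lkdtm_ACCESS_NULL() `ptr` is a plain pointer initialised from a constant NULL, so the compiler is entitled to treat `tmp = *ptr;` and `*ptr = tmp;` as undefined and fold or drop them, which would make the test outcome depend on optimisation flags. Declaring it `volatile unsigned long *ptr` avoids that. Also, if the read faults the write is never exercised, so one crashtype covers two behaviours; splitting read and write would make a regression in either one visible.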
-- 
2.19.1



[PATCH AUTOSEL 4.19 37/57] net: ip6_gre: fix possible NULL pointer dereference in ip6erspan_set_version

2019-03-29 Thread Sasha Levin
From: Lorenzo Bianconi 

[ Upstream commit efcc9bcaf77c07df01371a7c34e50424c291f3ac ]

Fix a possible NULL pointer dereference in ip6erspan_set_version checking
nlattr data pointer

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7549 Comm: syz-executor432 Not tainted 5.0.0-rc6-next-20190218
#37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ip6erspan_set_version+0x5c/0x350 net/ipv6/ip6_gre.c:1726
Code: 07 38 d0 7f 08 84 c0 0f 85 9f 02 00 00 49 8d bc 24 b0 00 00 00 c6 43
54 01 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 9a 02 00 00 4d 8b ac 24 b0 00 00 00 4d 85 ed 0f
RSP: 0018:888089ed7168 EFLAGS: 00010202
RAX: dc00 RBX: 8880869d6e58 RCX: 
RDX: 0016 RSI: 862736b4 RDI: 00b0
RBP: 888089ed7180 R08: 111010d3adcb R09: 8880869d6e58
R10: ed1010d3add5 R11: 8880869d6eaf R12: 
R13: 8931f8c0 R14: 862825d0 R15: 8880869d6e58
FS:  00b3d880() GS:8880ae90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2184 CR3: 92cc5000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
  ip6erspan_newlink+0x66/0x7b0 net/ipv6/ip6_gre.c:2210
  __rtnl_newlink+0x107b/0x16c0 net/core/rtnetlink.c:3176
  rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3234
  rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
  netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
  rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
  netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg+0xdd/0x130 net/socket.c:631
  ___sys_sendmsg+0x806/0x930 net/socket.c:2136
  __sys_sendmsg+0x105/0x1d0 net/socket.c:2174
  __do_sys_sendmsg net/socket.c:2183 [inline]
  __se_sys_sendmsg net/socket.c:2181 [inline]
  __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2181
  do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440159
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fffa69156e8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440159
RDX:  RSI: 20001340 RDI: 0003
RBP: 006ca018 R08: 0001 R09: 004002c8
R10: 0011 R11: 0246 R12: 004019e0
R13: 00401a70 R14:  R15: 
Modules linked in:
---[ end trace 09f8a7d13b4faaa1 ]---
RIP: 0010:ip6erspan_set_version+0x5c/0x350 net/ipv6/ip6_gre.c:1726
Code: 07 38 d0 7f 08 84 c0 0f 85 9f 02 00 00 49 8d bc 24 b0 00 00 00 c6 43
54 01 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 9a 02 00 00 4d 8b ac 24 b0 00 00 00 4d 85 ed 0f
RSP: 0018:888089ed7168 EFLAGS: 00010202
RAX: dc00 RBX: 8880869d6e58 RCX: 
RDX: 0016 RSI: 862736b4 RDI: 00b0
RBP: 888089ed7180 R08: 111010d3adcb R09: 8880869d6e58
R10: ed1010d3add5 R11: 8880869d6eaf R12: 
R13: 8931f8c0 R14: 862825d0 R15: 8880869d6e58
FS:  00b3d880() GS:8880ae90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2184 CR3: 92cc5000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400

Fixes: 4974d5f678ab ("net: ip6_gre: initialize erspan_ver just for erspan tunnels")
Reported-and-tested-by: syzbot+30191cf1057abd306...@syzkaller.appspotmail.com
Signed-off-by: Lorenzo Bianconi 
Reviewed-by: Greg Rose 
Signed-off-by: David S. Miller 

Signed-off-by: Sasha Levin 
---
 net/ipv6/ip6_gre.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index faed98dab913..97994698ffbc 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1738,6 +1738,9 @@ static int ip6erspan_tap_validate(struct nlattr *tb[], 
struct nlattr *data[],
 static void ip6erspan_set_version(struct nlattr *data[],
  struct __ip6_tnl_parm *parms)
 {
+   if (!data)
+   return;
+
parms->erspan_ver = 1;
if (data[IFLA_GRE_ERSPAN_VER])
parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
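Review bot: the `if (!data) return;` sits above `parms->erspan_ver = 1;`, so a request that carries no attribute data leaves erspan_ver at whatever the caller initialised instead of the default of 1 that every other path gets. Move the NULL check below the default assignment so that only the attribute lookups are skipped.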
-- 
2.19.1



[PATCH AUTOSEL 4.19 41/57] soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()

2019-03-29 Thread Sasha Levin
From: Dmitry Osipenko 

[ Upstream commit b6e1fd17a38bd1d97c11d69fd3207b3ef9bfa4b3 ]

This fixes splats like the one below if CONFIG_DEBUG_ATOMIC_SLEEP=y
and machine (Tegra30) booted with SMP=n or all secondary CPU's are put
offline. Locking isn't needed because it protects atomic operation.

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:254
in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G C
4.18.0-next-20180821-00180-gc3ebb6544e44-dirty #823
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[] (unwind_backtrace) from [] (show_stack+0x20/0x24)
[] (show_stack) from [] (dump_stack+0x94/0xa8)
[] (dump_stack) from [] (___might_sleep+0x13c/0x174)
[] (___might_sleep) from [] (__might_sleep+0x70/0xa8)
[] (__might_sleep) from [] (mutex_lock+0x2c/0x70)
[] (mutex_lock) from [] (tegra_powergate_is_powered+0x44/0xa8)
[] (tegra_powergate_is_powered) from [] (tegra30_cpu_rail_off_ready+0x30/0x74)
[] (tegra30_cpu_rail_off_ready) from [] (tegra30_idle_lp2+0xa0/0x108)
[] (tegra30_idle_lp2) from [] (cpuidle_enter_state+0x140/0x540)
[] (cpuidle_enter_state) from [] (cpuidle_enter+0x40/0x4c)
[] (cpuidle_enter) from [] (call_cpuidle+0x30/0x48)
[] (call_cpuidle) from [] (do_idle+0x238/0x28c)
[] (do_idle) from [] (cpu_startup_entry+0x28/0x2c)
[] (cpu_startup_entry) from [] (rest_init+0xd8/0xdc)
[] (rest_init) from [] (start_kernel+0x41c/0x430)

Signed-off-by: Dmitry Osipenko 
Acked-by: Jon Hunter 
Signed-off-by: Thierry Reding 
Signed-off-by: Sasha Levin 
---
 drivers/soc/tegra/pmc.c | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
index ed71a4c9c8b2..4b452f36f054 100644
--- a/drivers/soc/tegra/pmc.c
+++ b/drivers/soc/tegra/pmc.c
@@ -524,16 +524,10 @@ EXPORT_SYMBOL(tegra_powergate_power_off);
  */
 int tegra_powergate_is_powered(unsigned int id)
 {
-   int status;
-
if (!tegra_powergate_is_valid(id))
return -EINVAL;
 
-   mutex_lock(>powergates_lock);
-   status = tegra_powergate_state(id);
-   mutex_unlock(>powergates_lock);
-
-   return status;
+   return tegra_powergate_state(id);
 }
 
 /**
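Review bot: With the mutex_lock()/mutex_unlock() pair removed from tegra_powergate_is_powered(), nothing in the function records why it is safe to call tegra_powergate_state() without powergates_lock. Add a line to the kernel-doc above the function stating that this is a lockless read and that it may be called from atomic context (the cpuidle path shown in the splat), so the lock is not reintroduced by a later cleanup.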
-- 
2.19.1



[PATCH AUTOSEL 4.19 43/57] lkdtm: Print real addresses

2019-03-29 Thread Sasha Levin
From: Christophe Leroy 

[ Upstream commit 4c411157a42f122051ae3469bee0b5cabe89e139 ]

Today, when doing a lkdtm test before the readiness of the
random generator, (ptrval) is printed instead of the address
at which it performs the fault:

[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
[ 1597.337142] lkdtm: attempting ok execution at (ptrval)
[ 1597.337398] lkdtm: attempting bad execution at (ptrval)
[ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? 
(uid: 0)
[ 1597.344769] Unable to handle kernel paging request for instruction fetch
[ 1597.351392] Faulting instruction address: 0x77858000
[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]

If the lkdtm test is done later on, it prints a hashed address.

In both cases this is pointless. The purpose of the test is to
ensure the kernel generates an Oops at the expected address,
so real addresses need to be printed. This patch fixes that.

Signed-off-by: Christophe Leroy 
Signed-off-by: Kees Cook 
Signed-off-by: Sasha Levin 
---
 drivers/misc/lkdtm/perms.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 53b85c9d16b8..fa54add6375a 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
 {
void (*func)(void) = dst;
 
-   pr_info("attempting ok execution at %p\n", do_nothing);
+   pr_info("attempting ok execution at %px\n", do_nothing);
do_nothing();
 
if (write == CODE_WRITE) {
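Review bot: The switch from %p to %px in execute_location() deliberately writes unhashed kernel addresses to the log, and nothing at the call site says so. Because %px bypasses the pointer hashing that normally keeps addresses out of dmesg, add a short comment near the first pr_info() that raw addresses are intentional in these tests (the printed value has to match the address in the Oops), so a later tree-wide cleanup does not convert them back to %p.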
@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
flush_icache_range((unsigned long)dst,
   (unsigned long)dst + EXEC_SIZE);
}
-   pr_info("attempting bad execution at %p\n", func);
+   pr_info("attempting bad execution at %px\n", func);
func();
 }
 
@@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
/* Intentionally crossing kernel/user memory boundary. */
void (*func)(void) = dst;
 
-   pr_info("attempting ok execution at %p\n", do_nothing);
+   pr_info("attempting ok execution at %px\n", do_nothing);
do_nothing();
 
copied = access_process_vm(current, (unsigned long)dst, do_nothing,
   EXEC_SIZE, FOLL_WRITE);
if (copied < EXEC_SIZE)
return;
-   pr_info("attempting bad execution at %p\n", func);
+   pr_info("attempting bad execution at %px\n", func);
func();
 }
 
@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
/* Explicitly cast away "const" for the test. */
unsigned long *ptr = (unsigned long *)
 
-   pr_info("attempting bad rodata write at %p\n", ptr);
+   pr_info("attempting bad rodata write at %px\n", ptr);
*ptr ^= 0xabcd1234;
 }
 
@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
return;
}
 
-   pr_info("attempting bad ro_after_init write at %p\n", ptr);
+   pr_info("attempting bad ro_after_init write at %px\n", ptr);
*ptr ^= 0xabcd1234;
 }
 
@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
ptr = (unsigned char *)do_overwritten;
 
-   pr_info("attempting bad %zu byte write at %p\n", size, ptr);
+   pr_info("attempting bad %zu byte write at %px\n", size, ptr);
memcpy(ptr, (unsigned char *)do_nothing, size);
flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
 
@@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void)
 
ptr = (unsigned long *)user_addr;
 
-   pr_info("attempting bad read at %p\n", ptr);
+   pr_info("attempting bad read at %px\n", ptr);
tmp = *ptr;
tmp += 0xc0dec0de;
 
-   pr_info("attempting bad write at %p\n", ptr);
+   pr_info("attempting bad write at %px\n", ptr);
*ptr = tmp;
 
vm_munmap(user_addr, PAGE_SIZE);
-- 
2.19.1



[PATCH AUTOSEL 4.19 42/57] ext4: prohibit fstrim in norecovery mode

2019-03-29 Thread Sasha Levin
From: "Darrick J. Wong" 

[ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ]

The ext4 fstrim implementation uses the block bitmaps to find free space
that can be discarded.  If we haven't replayed the journal, the bitmaps
will be stale and we absolutely *cannot* use stale metadata to zap the
underlying storage.

Signed-off-by: Darrick J. Wong 
Signed-off-by: Theodore Ts'o 
Signed-off-by: Sasha Levin 
---
 fs/ext4/ioctl.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index 2e76fb55d94a..5f24fdc140ad 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -999,6 +999,13 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, 
unsigned long arg)
if (!blk_queue_discard(q))
return -EOPNOTSUPP;
 
+   /*
+* We haven't replayed the journal, so we cannot use our
+* block-bitmap-guided storage zapping commands.
+*/
+   if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
+   return -EROFS;
+
if (copy_from_user(, (struct fstrim_range __user *)arg,
sizeof(range)))
return -EFAULT;
-- 
2.19.1



[PATCH AUTOSEL 4.19 38/57] iommu/dmar: Fix buffer overflow during PCI bus notification

2019-03-29 Thread Sasha Levin
From: Julia Cartwright 

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
device path") changed the type of the path data, however, the change in
path type was not reflected in size calculations.  Update to use the
correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to
an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
or can lead to overflow of slab-allocated data.

   BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
   Write of size 1 at addr 90445d80 by task swapper/0/1
   CPU: 0 PID: 1 Comm: swapper/0 Tainted: GW   
4.14.87-rt49-02406-gd0a0e96 #1
   Call Trace:
? dump_stack+0x46/0x59
? print_address_description+0x1df/0x290
? dmar_alloc_pci_notify_info+0x1d5/0x2e0
? kasan_report+0x256/0x340
? dmar_alloc_pci_notify_info+0x1d5/0x2e0
? e820__memblock_setup+0xb0/0xb0
? dmar_dev_scope_init+0x424/0x48f
? __down_write_common+0x1ec/0x230
? dmar_dev_scope_init+0x48f/0x48f
? dmar_free_unused_resources+0x109/0x109
? cpumask_next+0x16/0x20
? __kmem_cache_create+0x392/0x430
? kmem_cache_create+0x135/0x2f0
? e820__memblock_setup+0xb0/0xb0
? intel_iommu_init+0x170/0x1848
? _raw_spin_unlock_irqrestore+0x32/0x60
? migrate_enable+0x27a/0x5b0
? sched_setattr+0x20/0x20
? migrate_disable+0x1fc/0x380
? task_rq_lock+0x170/0x170
? try_to_run_init_process+0x40/0x40
? locks_remove_file+0x85/0x2f0
? dev_prepare_static_identity_mapping+0x78/0x78
? rt_spin_unlock+0x39/0x50
? lockref_put_or_lock+0x2a/0x40
? dput+0x128/0x2f0
? __rcu_read_unlock+0x66/0x80
? __fput+0x250/0x300
? __rcu_read_lock+0x1b/0x30
? mntput_no_expire+0x38/0x290
? e820__memblock_setup+0xb0/0xb0
? pci_iommu_init+0x25/0x63
? pci_iommu_init+0x25/0x63
? do_one_initcall+0x7e/0x1c0
? initcall_blacklisted+0x120/0x120
? kernel_init_freeable+0x27b/0x307
? rest_init+0xd0/0xd0
? kernel_init+0xf/0x120
? rest_init+0xd0/0xd0
? ret_from_fork+0x1f/0x40
   The buggy address belongs to the variable:
dmar_pci_notify_info_buf+0x40/0x60

Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device 
path")
Signed-off-by: Julia Cartwright 
Signed-off-by: Joerg Roedel 
Signed-off-by: Sasha Levin 
---
 drivers/iommu/dmar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
index d9c748b6f9e4..7f9824b0609e 100644
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned 
long event)
for (tmp = dev; tmp; tmp = tmp->bus->self)
level++;
 
-   size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
+   size = sizeof(*info) + level * sizeof(info->path[0]);
if (size <= sizeof(dmar_pci_notify_info_buf)) {
info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf;
} else {
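Review bot: Deriving the element size from info->path[0] fixes the mismatch, but the `size` calculation is still an open-coded multiplication by a `level` that grows with bus depth. If path is the trailing array member of struct dmar_pci_notify_info and the tree provides it, struct_size(info, path, level) would state the intent directly and saturate instead of wrapping. A one-line comment that sizeof(info->path[0]) is not evaluated at run time would also help, since info has not been assigned yet at this point.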
-- 
2.19.1
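
The size mismatch described in the commit message above, as an added C example that is not part of the original patch or of the kernel source. The struct layouts, the 64-byte buffer size and all function names are constructed for illustration; the writes go into a heap scratch area with guard bytes so the overrun can be counted safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: the element type the size calculation still names,
 * and the wider element type the array was changed to hold. */
struct old_path_elem { uint8_t device; uint8_t function; };
struct new_path_elem { uint8_t bus; uint8_t device; uint8_t function; };

struct notify_info {
    uint16_t seg;
    uint16_t level;
    struct new_path_elem path[];    /* one element per bus level */
};

#define STATIC_BUF_SIZE 64          /* constructed size of the static buffer */
#define GUARD_SIZE      256
#define GUARD_BYTE      0xA5

/* Stale calculation: names a type that is no longer the element type. */
static size_t size_by_named_type(unsigned level)
{
    return sizeof(struct notify_info) + level * sizeof(struct old_path_elem);
}

/* Fixed calculation: takes the element size from the member itself.
 * sizeof does not evaluate its operand, so a NULL pointer is fine here. */
static size_t size_by_member(unsigned level)
{
    struct notify_info *info = NULL;

    return sizeof(*info) + level * sizeof(info->path[0]);
}

/* Fill `level` path elements into an area that claims to be `claimed` bytes
 * long and count how many bytes beyond that claim were overwritten. */
static size_t guard_bytes_clobbered(size_t claimed, unsigned level)
{
    unsigned char *raw = malloc(claimed + GUARD_SIZE);
    struct notify_info *info = (struct notify_info *)raw;
    size_t clobbered = 0;

    if (!raw)
        return (size_t)-1;
    memset(raw + claimed, GUARD_BYTE, GUARD_SIZE);

    info->seg = 0;
    info->level = (uint16_t)level;
    for (unsigned i = 0; i < level; i++)
        info->path[i] = (struct new_path_elem){ 0x11, 0x22, 0x33 };

    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (raw[claimed + i] != GUARD_BYTE)
            clobbered++;
    free(raw);
    return clobbered;
}

/* Smallest hierarchy depth at which the stale size still fits the static
 * buffer while the data actually written does not. */
static int first_overflowing_level(void)
{
    for (unsigned level = 0; level < 64; level++)
        if (size_by_named_type(level) <= STATIC_BUF_SIZE &&
            size_by_member(level) > STATIC_BUF_SIZE)
            return (int)level;
    return -1;
}

int main(void)
{
    int level = first_overflowing_level();

    printf("first overflowing depth: %d\n", level);
    printf("stale size %zu, real size %zu\n",
           size_by_named_type((unsigned)level), size_by_member((unsigned)level));
    printf("bytes written past stale size: %zu\n",
           guard_bytes_clobbered(size_by_named_type((unsigned)level), (unsigned)level));
    printf("bytes written past fixed size: %zu\n",
           guard_bytes_clobbered(size_by_member((unsigned)level), (unsigned)level));
    return 0;
}
```

Shallow hierarchies fit either way, which is why the stale calculation only shows up on deep PCI topologies.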



[PATCH AUTOSEL 4.14 13/37] ACPI / SBS: Fix GPE storm on recent MacBookPro's

2019-03-29 Thread Sasha Levin
From: Ronald Tschalär 

[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]

On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).

In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want to
ignore the charger here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
Signed-off-by: Ronald Tschalär 
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/sbs.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index a2428e9462dd..3c092f07d7e3 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -441,9 +441,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
 
/*
 * The spec requires that bit 4 always be 1. If it's not set, assume
-* that the implementation doesn't support an SBS charger
+* that the implementation doesn't support an SBS charger.
+*
+* And on some MacBooks a status of 0x is always returned, no
+* matter whether the charger is plugged in or not, which is also
+* wrong, so ignore the SBS charger for those too.
 */
-   if (!((status >> 4) & 0x1))
+   if (!((status >> 4) & 0x1) || status == 0x)
return -ENODEV;
 
sbs->charger_present = (status >> 15) & 0x1;
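Review bot: In this copy of the hunk the constant in `status == 0x`, and in the comment above it, has no digits after the prefix, so it cannot be checked against the "all 1's" status the commit message describes; compare it with upstream commit ca1721c5bee7 before applying. Independently of that, a named constant for the all-ones value would read better than a bare literal sitting next to the bit-4 test.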
-- 
2.19.1



[PATCH AUTOSEL 4.14 14/37] KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail

2019-03-29 Thread Sasha Levin
From: Sean Christopherson 

[ Upstream commit bd18bffca35397214ae68d85cf7203aca25c3c1d ]

A VMEnter that VMFails (as opposed to VMExits) does not touch host
state beyond registers that are explicitly noted in the VMFail path,
e.g. EFLAGS.  Host state does not need to be loaded because VMFail
is only signaled for consistency checks that occur before the CPU
starts to load guest state, i.e. there is no need to restore any
state as nothing has been modified.  But in the case where a VMFail
is detected by hardware and not by KVM (due to deferring consistency
checks to hardware), KVM has already loaded some amount of guest
state.  Luckily, "loaded" only means loaded to KVM's software model,
i.e. vmcs01 has not been modified.  So, unwind our software model to
the pre-VMEntry host state.

Not restoring host state in this VMFail path leads to a variety of
failures because we end up with stale data in vcpu->arch, e.g. CR0,
CR4, EFER, etc... will all be out of sync relative to vmcs01.  Any
significant delta in the stale data is all but guaranteed to crash
L1, e.g. emulation of SMEP, SMAP, UMIP, WP, etc... will be wrong.

An alternative to this "soft" reload would be to load host state from
vmcs12 as if we triggered a VMExit (as opposed to VMFail), but that is
wildly inconsistent with respect to the VMX architecture, e.g. an L1
VMM with separate VMExit and VMFail paths would explode.

Note that this approach does not mean KVM is 100% accurate with
respect to VMX hardware behavior, even at an architectural level
(the exact order of consistency checks is microarchitecture specific).
But 100% emulation accuracy isn't the goal (with this patch), rather
the goal is to be consistent in the information delivered to L1, e.g.
a VMExit should not fall-through VMENTER, and a VMFail should not jump
to HOST_RIP.

This technically reverts commit "5af4157388ad (KVM: nVMX: Fix mmu
context after VMLAUNCH/VMRESUME failure)", but retains the core
aspects of that patch, just in an open coded form due to the need to
pull state from vmcs01 instead of vmcs12.  Restoring host state
resolves a variety of issues introduced by commit "4f350c6dbcb9
(kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)",
which remedied the incorrect behavior of treating VMFail like VMExit
but in doing so neglected to restore arch state that had been modified
prior to attempting nested VMEnter.

A sample failure that occurs due to stale vcpu.arch state is a fault
of some form while emulating an LGDT (due to emulated UMIP) from L1
after a failed VMEntry to L3, in this case when running the KVM unit
test test_tpr_threshold_values in L1.  L0 also hits a WARN in this
case due to a stale arch.cr4.UMIP.

L1:
  BUG: unable to handle kernel paging request at c9663b9e
  PGD 276512067 P4D 276512067 PUD 276513067 PMD 274efa067 PTE 800271de2163
  Oops: 0009 [#1] SMP
  CPU: 5 PID: 12495 Comm: qemu-system-x86 Tainted: GW 
4.18.0-rc2+ #2
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:native_load_gdt+0x0/0x10

  ...

  Call Trace:
   load_fixmap_gdt+0x22/0x30
   __vmx_load_host_state+0x10e/0x1c0 [kvm_intel]
   vmx_switch_vmcs+0x2d/0x50 [kvm_intel]
   nested_vmx_vmexit+0x222/0x9c0 [kvm_intel]
   vmx_handle_exit+0x246/0x15a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0x850/0x1830 [kvm]
   kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
   do_vfs_ioctl+0x9f/0x600
   ksys_ioctl+0x66/0x70
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x4f/0x100
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

L0:
  WARNING: CPU: 2 PID: 3529 at arch/x86/kvm/vmx.c:6618 handle_desc+0x28/0x30 
[kvm_intel]
  ...
  CPU: 2 PID: 3529 Comm: qemu-system-x86 Not tainted 4.17.2-coffee+ #76
  Hardware name: Intel Corporation Kabylake Client platform/KBL S
  RIP: 0010:handle_desc+0x28/0x30 [kvm_intel]

  ...

  Call Trace:
   kvm_arch_vcpu_ioctl_run+0x863/0x1840 [kvm]
   kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
   do_vfs_ioctl+0x9f/0x5e0
   ksys_ioctl+0x66/0x70
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x49/0xf0
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 5af4157388ad (KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure)
Fixes: 4f350c6dbcb9 (kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure 
properly)
Cc: Jim Mattson 
Cc: Krish Sadhukhan 
Cc: Paolo Bonzini 
Cc: Radim Krčmář 
Cc: Wanpeng Li 
Signed-off-by: Sean Christopherson 
Signed-off-by: Paolo Bonzini 
Signed-off-by: Sasha Levin 
---
 arch/x86/kvm/vmx.c | 173 +++--
 1 file changed, 153 insertions(+), 20 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 229d5e39f5c0..28faf781e6fd 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11860,24 +11860,6 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, 
struct vmcs12 *vmcs12,
kvm_clear_interrupt_queue(vcpu);
 }
 
-static void load_vmcs12_mmu_host_state(struct kvm_vcpu *vcpu,
-   struct vmcs12 *vmcs12)
-{
-   u32 

[PATCH AUTOSEL 4.14 02/37] rsi: improve kernel thread handling to fix kernel panic

2019-03-29 Thread Sasha Levin
From: Siva Rebbagondla 

[ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]

While running regressions, we observed the kernel panic below when sdio
disconnect is called. This is because kthread_stop() takes care of
wait_for_completion() by default. When wait_for_completion() is triggered
in kthread_stop() after it was already done, it gives a kernel panic.
Hence, remove the redundant wait_for_completion() from rsi_kill_thread().

... skipping ...
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [] exit_creds+0x1f/0x50
PGD 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
Stack:
88007392e600 880075847dc0 8108160a 
88007392e600 880075847de8 810a484b 880076127000
88003cd3a800 880074f12a00 880075847e28 c09bed15
Call Trace:
[] __put_task_struct+0x5a/0x140
[] kthread_stop+0x10b/0x110
[] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
[] ? __pm_runtime_resume+0x5b/0x80
[] sdio_bus_remove+0x38/0x100
[] __device_release_driver+0xa4/0x150
[] driver_detach+0xb5/0xc0
[] bus_remove_driver+0x55/0xd0
[] driver_unregister+0x2c/0x50
[] sdio_unregister_driver+0x1a/0x20
[] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
[] SyS_delete_module+0x1b8/0x210
[] entry_SYSCALL_64_fastpath+0x1c/0xbb

Signed-off-by: Siva Rebbagondla 
Signed-off-by: Kalle Valo 
Signed-off-by: Sasha Levin 
---
 drivers/net/wireless/rsi/rsi_common.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_common.h 
b/drivers/net/wireless/rsi/rsi_common.h
index e579d694d13c..21986ba56a3c 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -74,7 +74,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
atomic_inc(>thread_done);
rsi_set_event(>event);
 
-   wait_for_completion(>completion);
return kthread_stop(handle->task);
 }
 
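Review bot: Dropping wait_for_completion() from rsi_kill_thread() leaves handle->completion with no waiter in this function, and the diffstat shows that nothing else was changed. Check whether the thread function still signals that completion on exit and whether the field and its initialisation can be removed in the same patch; if something else still waits on it, a comment here should say what.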
-- 
2.19.1



[PATCH AUTOSEL 4.14 15/37] compiler.h: update definition of unreachable()

2019-03-29 Thread Sasha Levin
From: "ndesaulni...@google.com" 

[ Upstream commit fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 ]

Fixes the objtool warning seen with Clang:
arch/x86/mm/fault.o: warning: objtool: no_context()+0x220: unreachable
instruction

Fixes commit 815f0ddb346c ("include/linux/compiler*.h: make compiler-*.h
mutually exclusive")

Josh noted that the fallback definition was meant to work around a
pre-gcc-4.6 bug. GCC still needs to work around
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365, so compiler-gcc.h
defines its own version of unreachable().  Clang and ICC can use this
shared definition.

Link: https://github.com/ClangBuiltLinux/linux/issues/204
Suggested-by: Andy Lutomirski 
Suggested-by: Josh Poimboeuf 
Tested-by: Nathan Chancellor 
Signed-off-by: Nick Desaulniers 
Signed-off-by: Miguel Ojeda 
Signed-off-by: Sasha Levin 
---
 include/linux/compiler.h | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index a704d032713b..67c3934fb9ed 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -119,7 +119,10 @@ void ftrace_likely_update(struct ftrace_likely_data *f, 
int val,
 # define ASM_UNREACHABLE
 #endif
 #ifndef unreachable
-# define unreachable() do { annotate_reachable(); do { } while (1); } while (0)
+# define unreachable() do {\
+   annotate_unreachable(); \
+   __builtin_unreachable();\
+} while (0)
 #endif
 
 /*
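Review bot: The old fallback ended in `do { } while (1)`, which kept the CPU spinning if control ever reached unreachable(); the replacement ends in __builtin_unreachable(), where reaching it is undefined behaviour and execution may fall through into whatever code follows. That is the intended meaning of the macro, but it deserves a comment above the definition stating that callers must place a trap or noreturn call before unreachable(), because the safety net is gone for the Clang and ICC builds that use this shared definition.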
-- 
2.19.1



[PATCH AUTOSEL 4.14 04/37] 9p locks: add mount option for lock retry interval

2019-03-29 Thread Sasha Levin
From: Dinu-Razvan Chis-Serban 

[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]

The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.

Link: 
http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/v9fs.c | 21 +
 fs/9p/v9fs.h |  1 +
 fs/9p/vfs_file.c |  6 +-
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
index 8fb89ddc6cc7..c52f10efdc9c 100644
--- a/fs/9p/v9fs.c
+++ b/fs/9p/v9fs.c
@@ -61,6 +61,8 @@ enum {
Opt_cache_loose, Opt_fscache, Opt_mmap,
/* Access options */
Opt_access, Opt_posixacl,
+   /* Lock timeout option */
+   Opt_locktimeout,
/* Error token */
Opt_err
 };
@@ -80,6 +82,7 @@ static const match_table_t tokens = {
{Opt_cachetag, "cachetag=%s"},
{Opt_access, "access=%s"},
{Opt_posixacl, "posixacl"},
+   {Opt_locktimeout, "locktimeout=%u"},
{Opt_err, NULL}
 };
 
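Review bot: The new "locktimeout=%u" token adds a user-visible mount option, but the diffstat touches only fs/9p/v9fs.c, fs/9p/v9fs.h and fs/9p/vfs_file.c, so the option is undocumented. Add it to the 9p mount-option documentation together with its unit (seconds, given the `* HZ` conversion in the parser) and its default.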
@@ -187,6 +190,7 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #ifdef CONFIG_9P_FSCACHE
v9ses->cachetag = NULL;
 #endif
+   v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
 
if (!opts)
return 0;
@@ -360,6 +364,23 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #endif
break;
 
+   case Opt_locktimeout:
+   r = match_int([0], );
+   if (r < 0) {
+   p9_debug(P9_DEBUG_ERROR,
+"integer field, but no integer?\n");
+   ret = r;
+   continue;
+   }
+   if (option < 1) {
+   p9_debug(P9_DEBUG_ERROR,
+"locktimeout must be a greater than 
zero integer.\n");
+   ret = -EINVAL;
+   continue;
+   }
+   v9ses->session_lock_timeout = (long)option * HZ;
+   break;
+
default:
continue;
}
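Review bot: The Opt_locktimeout case rejects values below 1 but sets no upper bound, and `(long)option * HZ` can overflow where long is 32 bits, handing a wrapped or negative interval to schedule_timeout_interruptible(). Reject values larger than a sane maximum (for example anything above LONG_MAX / HZ) with -EINVAL. The token is also declared as "%u" in the match table while the value is read with match_int() and compared with `< 1`, which is worth making consistent.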
diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
index 982e017acadb..129e5243a6bf 100644
--- a/fs/9p/v9fs.h
+++ b/fs/9p/v9fs.h
@@ -116,6 +116,7 @@ struct v9fs_session_info {
struct p9_client *clnt; /* 9p client */
struct list_head slist; /* list of sessions registered with v9fs */
struct rw_semaphore rename_sem;
+   long session_lock_timeout; /* retry interval for blocking locks */
 };
 
 /* cache_validity flags */
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index af8cac975a74..89e69904976a 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
uint8_t status = P9_LOCK_ERROR;
int res = 0;
unsigned char fl_type;
+   struct v9fs_session_info *v9ses;
 
fid = filp->private_data;
BUG_ON(fid == NULL);
@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
if (IS_SETLKW(cmd))
flock.flags = P9_LOCK_FLAGS_BLOCK;
 
+   v9ses = v9fs_inode2v9ses(file_inode(filp));
+
/*
 * if its a blocked request and we get P9_LOCK_BLOCKED as the status
 * for lock request, keep on trying
@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
break;
if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
break;
-   if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+   if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
+   != 0)
break;
/*
 * p9_client_lock_dotl overwrites flock.client_id with the
-- 
2.19.1



[PATCH AUTOSEL 4.14 18/37] nvme-pci: fix conflicting p2p resource adds

2019-03-29 Thread Sasha Levin
From: Keith Busch 

[ Upstream commit 9fe5c59ff6a1e5e26a39b75489a1420e7eaaf0b1 ]

The nvme pci driver had been adding its CMB resource to the P2P DMA
subsystem every time on a controller reset. This results in the
following warning:

[ cut here ]
nvme :00:03.0: Conflicting mapping in same section
WARNING: CPU: 7 PID: 81 at kernel/memremap.c:155 
devm_memremap_pages+0xa6/0x380
...
Call Trace:
 pci_p2pdma_add_resource+0x153/0x370
 nvme_reset_work+0x28c/0x17b1 [nvme]
 ? add_timer+0x107/0x1e0
 ? dequeue_entity+0x81/0x660
 ? dequeue_entity+0x3b0/0x660
 ? pick_next_task_fair+0xaf/0x610
 ? __switch_to+0xbc/0x410
 process_one_work+0x1cf/0x350
 worker_thread+0x215/0x3d0
 ? process_one_work+0x350/0x350
 kthread+0x107/0x120
 ? kthread_park+0x80/0x80
 ret_from_fork+0x1f/0x30
---[ end trace f7ea76ac6ee72727 ]---
nvme nvme0: failed to register the CMB

This patch fixes this by registering the CMB with P2P only once.

Signed-off-by: Keith Busch 
Reviewed-by: Logan Gunthorpe 
Signed-off-by: Christoph Hellwig 
Signed-off-by: Jens Axboe 
Signed-off-by: Sasha Levin 
---
 drivers/nvme/host/pci.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 06355ca832db..ae03a5b70324 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1546,6 +1546,9 @@ static void __iomem *nvme_map_cmb(struct nvme_dev *dev)
void __iomem *cmb;
int bar;
 
+   if (dev->cmb_size)
+   return;
+
dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
if (!(NVME_CMB_SZ(dev->cmbsz)))
return NULL;
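Review bot: The added `if (dev->cmb_size) return;` is a bare return in nvme_map_cmb(), which the hunk header shows as returning `void __iomem *` and whose next exit in the context lines is `return NULL;`. In this tree the early exit has to return a pointer, and if the caller stores the result it needs to be the existing mapping rather than NULL, otherwise a reset would drop the CMB pointer that the patch is trying to keep. Please check the backport against the function signature in 4.14.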
@@ -2034,7 +2037,6 @@ static void nvme_pci_disable(struct nvme_dev *dev)
 {
struct pci_dev *pdev = to_pci_dev(dev->dev);
 
-   nvme_release_cmb(dev);
pci_free_irq_vectors(pdev);
 
if (pci_is_enabled(pdev)) {
@@ -2434,6 +2436,7 @@ static void nvme_remove(struct pci_dev *pdev)
nvme_stop_ctrl(>ctrl);
nvme_remove_namespaces(>ctrl);
nvme_dev_disable(dev, true);
+   nvme_release_cmb(dev);
nvme_free_host_mem(dev);
nvme_dev_remove_admin(dev);
nvme_free_queues(dev, 0);
-- 
2.19.1



[PATCH AUTOSEL 4.14 03/37] 9p: do not trust pdu content for stat item size

2019-03-29 Thread Sasha Levin
From: Gertjan Halkes 

[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: 
http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/vfs_dir.c   | 8 +++-
 net/9p/protocol.c | 3 ++-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index 48db9a9f13f9..cb6c4031af55 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
int err = 0;
struct p9_fid *fid;
int buflen;
-   int reclen = 0;
struct p9_rdir *rdir;
struct kvec kvec;
 
@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
while (rdir->head < rdir->tail) {
err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
  rdir->tail - rdir->head, );
-   if (err) {
+   if (err <= 0) {
p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
return -EIO;
}
-   reclen = st.size+2;
 
over = !dir_emit(ctx, st.name, strlen(st.name),
 v9fs_qid2ino(), dt_type());
@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
if (over)
return 0;
 
-   rdir->head += reclen;
-   ctx->pos += reclen;
+   rdir->head += err;
+   ctx->pos += err;
}
}
 }
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index 9743837aebc6..766d1ef4640a 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int 
len, struct p9_wstat *st)
if (ret) {
p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
trace_9p_protocol_dump(clnt, _pdu);
+   return ret;
}
 
-   return ret;
+   return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9stat_read);
 
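Review bot: p9stat_read() now returns the number of bytes consumed (fake_pdu.offset) on success instead of 0, which changes the contract of an exported symbol without updating its documentation. Update the function's comment to say that it returns a negative errno on failure and the parsed length on success, and audit every other caller for `if (ret)` style checks that would now treat success as an error; only v9fs_dir_readdir() is adjusted in this patch.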
-- 
2.19.1



[PATCH AUTOSEL 4.14 23/37] kvm: properly check debugfs dentry before using it

2019-03-29 Thread Sasha Levin
From: Greg Kroah-Hartman 

[ Upstream commit 8ed0579c12b2fe56a1fac2f712f58fc26c1dc49b ]

debugfs can now report an error code if something went wrong instead of
just NULL.  So if the return value is to be used as a "real" dentry, it
needs to be checked if it is an error before dereferencing it.

This is now happening because of ff9fb72bc077 ("debugfs: return error
values, not NULL").  syzbot has found a way to trigger multiple debugfs
files attempting to be created, which fails, and then the error code
gets passed to dentry_path_raw() which obviously does not like it.

Reported-by: Eric Biggers 
Reported-and-tested-by: syzbot+7857962b4d45e602b...@syzkaller.appspotmail.com
Cc: "Radim Krčmář" 
Cc: k...@vger.kernel.org
Acked-by: Paolo Bonzini 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 66cc315efa6d..cf6a86631267 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3911,7 +3911,7 @@ static void kvm_uevent_notify_change(unsigned int type, 
struct kvm *kvm)
}
add_uevent_var(env, "PID=%d", kvm->userspace_pid);
 
-   if (kvm->debugfs_dentry) {
+   if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
 
if (p) {
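Review bot: Guarding this one use in kvm_uevent_notify_change() with IS_ERR_OR_NULL() fixes the dereference reported by syzbot, but kvm->debugfs_dentry can still hold an error pointer for any other reader. Normalising the value where the dentry is stored (keep NULL on failure) would let plain `if (kvm->debugfs_dentry)` checks stay correct and avoid repeating this test at each use.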
-- 
2.19.1



[PATCH AUTOSEL 4.14 17/37] kernel: hung_task.c: disable on suspend

2019-03-29 Thread Sasha Levin
From: Vitaly Kuznetsov 

[ Upstream commit a1c6ca3c6de763459a6e93b644ec6518c890ba1c ]

It is possible to observe hung_task complaints when the system goes to
suspend-to-idle state:

 # echo freeze > /sys/power/state

 PM: Syncing filesystems ... done.
 Freezing user space processes ... (elapsed 0.001 seconds) done.
 OOM killer disabled.
 Freezing remaining freezable tasks ... (elapsed 0.002 seconds) done.
 sd 0:0:0:0: [sda] Synchronizing SCSI cache
 INFO: task bash:1569 blocked for more than 120 seconds.
   Not tainted 4.19.0-rc3_+ #687
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 bashD0  1569604 0x
 Call Trace:
  ? __schedule+0x1fe/0x7e0
  schedule+0x28/0x80
  suspend_devices_and_enter+0x4ac/0x750
  pm_suspend+0x2c0/0x310

Register a PM notifier to disable the detector on suspend and re-enable
back on wakeup.

Signed-off-by: Vitaly Kuznetsov 
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 kernel/hung_task.c | 30 +-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/kernel/hung_task.c b/kernel/hung_task.c
index f9aaf4994062..2e4869fa66c9 100644
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -15,6 +15,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -232,6 +233,28 @@ void reset_hung_task_detector(void)
 }
 EXPORT_SYMBOL_GPL(reset_hung_task_detector);
 
+static bool hung_detector_suspended;
+
+static int hungtask_pm_notify(struct notifier_block *self,
+ unsigned long action, void *hcpu)
+{
+   switch (action) {
+   case PM_SUSPEND_PREPARE:
+   case PM_HIBERNATION_PREPARE:
+   case PM_RESTORE_PREPARE:
+   hung_detector_suspended = true;
+   break;
+   case PM_POST_SUSPEND:
+   case PM_POST_HIBERNATION:
+   case PM_POST_RESTORE:
+   hung_detector_suspended = false;
+   break;
+   default:
+   break;
+   }
+   return NOTIFY_OK;
+}
+
 /*
  * kthread which checks for tasks stuck in D state
  */
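Review bot: hung_detector_suspended is a plain bool written in hungtask_pm_notify() and read from the watchdog kthread with no annotation on either side. Use WRITE_ONCE()/READ_ONCE() (or an atomic) so the cross-thread access is explicit and cannot be cached or torn by the compiler, and add a brief comment on the variable saying which context writes it and which reads it.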
@@ -246,7 +269,8 @@ static int watchdog(void *dummy)
long t = hung_timeout_jiffies(hung_last_checked, timeout);
 
if (t <= 0) {
-   if (!atomic_xchg(_hung_task, 0))
+   if (!atomic_xchg(_hung_task, 0) &&
+   !hung_detector_suspended)
check_hung_uninterruptible_tasks(timeout);
hung_last_checked = jiffies;
continue;
@@ -260,6 +284,10 @@ static int watchdog(void *dummy)
 static int __init hung_task_init(void)
 {
atomic_notifier_chain_register(_notifier_list, _block);
+
+   /* Disable hung task detector on suspend */
+   pm_notifier(hungtask_pm_notify, 0);
+
watchdog_task = kthread_run(watchdog, NULL, "khungtaskd");
 
return 0;
-- 
2.19.1



[PATCH AUTOSEL 4.14 19/37] blk-mq: protect debugfs_create_files() from failures

2019-03-29 Thread Sasha Levin
From: Greg Kroah-Hartman 

[ Upstream commit 36991ca68db9dd43bac7f3519f080ee3939263ef ]

If debugfs were to return a non-NULL error for a debugfs call, using
that pointer later in debugfs_create_files() would crash.

Fix that by properly checking the pointer before referencing it.

Reported-by: Michal Hocko 
Reported-and-tested-by: syzbot+b382ba6a802a3d242...@syzkaller.appspotmail.com
Reported-by: Tetsuo Handa 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 block/blk-mq-debugfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c
index d95439154556..da0453277f7f 100644
--- a/block/blk-mq-debugfs.c
+++ b/block/blk-mq-debugfs.c
@@ -791,6 +791,9 @@ static const struct blk_mq_debugfs_attr 
blk_mq_debugfs_ctx_attrs[] = {
 static bool debugfs_create_files(struct dentry *parent, void *data,
 const struct blk_mq_debugfs_attr *attr)
 {
+   if (IS_ERR_OR_NULL(parent))
+   return false;
+
d_inode(parent)->i_private = data;
 
for (; attr->name; attr++) {
-- 
2.19.1



[PATCH AUTOSEL 4.14 25/37] ext4: prohibit fstrim in norecovery mode

2019-03-29 Thread Sasha Levin
From: "Darrick J. Wong" 

[ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ]

The ext4 fstrim implementation uses the block bitmaps to find free space
that can be discarded.  If we haven't replayed the journal, the bitmaps
will be stale and we absolutely *cannot* use stale metadata to zap the
underlying storage.

Signed-off-by: Darrick J. Wong 
Signed-off-by: Theodore Ts'o 
Signed-off-by: Sasha Levin 
---
 fs/ext4/ioctl.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index 7917cc89ab21..3dbf4e414706 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -940,6 +940,13 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, 
unsigned long arg)
if (!blk_queue_discard(q))
return -EOPNOTSUPP;
 
+   /*
+* We haven't replayed the journal, so we cannot use our
+* block-bitmap-guided storage zapping commands.
+*/
+   if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
+   return -EROFS;
+
if (copy_from_user(, (struct fstrim_range __user *)arg,
sizeof(range)))
return -EFAULT;
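Review bot: the new NOLOAD check sits after the blk_queue_discard() test, so on a device without discard support a norecovery mount still reports -EOPNOTSUPP and only discard-capable devices see -EROFS; if userspace is expected to tell "journal not replayed" apart from "no discard", move the NOLOAD test first. The comment would also be clearer if it said outright that the block bitmaps may be stale until the journal is replayed, which is the reason given in the changelog.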
-- 
2.19.1



[PATCH AUTOSEL 4.14 16/37] cifs: fallback to older infolevels on findfirst queryinfo retry

2019-03-29 Thread Sasha Levin
From: Steve French 

[ Upstream commit 3b7960caceafdfc2cdfe2850487f8d091eb41144 ]

In cases where queryinfo fails, we have cases in cifs (vers=1.0)
where with backupuid mounts we retry the query info with findfirst.
This doesn't work with some NetApp servers which don't support
WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO)
so in this case use other info levels (in this case it will usually
be level 257, SMB_FIND_FILE_DIRECTORY_INFO).

(Also fixes some indentation)

See kernel bugzilla 201435

Signed-off-by: Steve French 
Signed-off-by: Sasha Levin 
---
 fs/cifs/inode.c | 67 +++--
 1 file changed, 37 insertions(+), 30 deletions(-)

diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index a90a637ae79a..6fd4a6a75234 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -779,43 +779,50 @@ cifs_get_inode_info(struct inode **inode, const char 
*full_path,
} else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
   (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
  == 0)) {
-   /*
-* For SMB2 and later the backup intent flag is already
-* sent if needed on open and there is no path based
-* FindFirst operation to use to retry with
-*/
+   /*
+* For SMB2 and later the backup intent flag is already
+* sent if needed on open and there is no path based
+* FindFirst operation to use to retry with
+*/
 
-   srchinf = kzalloc(sizeof(struct cifs_search_info),
-   GFP_KERNEL);
-   if (srchinf == NULL) {
-   rc = -ENOMEM;
-   goto cgii_exit;
-   }
+   srchinf = kzalloc(sizeof(struct cifs_search_info),
+   GFP_KERNEL);
+   if (srchinf == NULL) {
+   rc = -ENOMEM;
+   goto cgii_exit;
+   }
 
-   srchinf->endOfSearch = false;
+   srchinf->endOfSearch = false;
+   if (tcon->unix_ext)
+   srchinf->info_level = SMB_FIND_FILE_UNIX;
+   else if ((tcon->ses->capabilities &
+tcon->ses->server->vals->cap_nt_find) == 0)
+   srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD;
+   else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM)
srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO;
+   else /* no srvino useful for fallback to some netapp */
+   srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO;
 
-   srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
-   CIFS_SEARCH_CLOSE_AT_END |
-   CIFS_SEARCH_BACKUP_SEARCH;
+   srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
+   CIFS_SEARCH_CLOSE_AT_END |
+   CIFS_SEARCH_BACKUP_SEARCH;
 
-   rc = CIFSFindFirst(xid, tcon, full_path,
-   cifs_sb, NULL, srchflgs, srchinf, false);
-   if (!rc) {
-   data =
-   (FILE_ALL_INFO *)srchinf->srch_entries_start;
+   rc = CIFSFindFirst(xid, tcon, full_path,
+   cifs_sb, NULL, srchflgs, srchinf, false);
+   if (!rc) {
+   data = (FILE_ALL_INFO *)srchinf->srch_entries_start;
 
-   cifs_dir_info_to_fattr(,
-   (FILE_DIRECTORY_INFO *)data, cifs_sb);
-   fattr.cf_uniqueid = le64_to_cpu(
-   ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
-   validinum = true;
+   cifs_dir_info_to_fattr(,
+   (FILE_DIRECTORY_INFO *)data, cifs_sb);
+   fattr.cf_uniqueid = le64_to_cpu(
+   ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
+   validinum = true;
 
-   cifs_buf_release(srchinf->ntwrk_buf_start);
-   }
-   kfree(srchinf);
-   if (rc)
-   goto cgii_exit;
+   cifs_buf_release(srchinf->ntwrk_buf_start);
+   }
+   kfree(srchinf);
+   if (rc)
+   goto cgii_exit;
} else
goto cgii_exit;
 
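Review bot: the new if/else chain can now select SMB_FIND_FILE_UNIX, SMB_FIND_FILE_INFO_STANDARD or SMB_FIND_FILE_DIRECTORY_INFO, but the success path after CIFSFindFirst() is unchanged: it still casts the reply to FILE_DIRECTORY_INFO for cifs_dir_info_to_fattr(), casts it to SEARCH_ID_FULL_DIR_INFO to read UniqueId, and sets validinum = true. For any level other than SMB_FIND_FILE_ID_FULL_DIR_INFO that reads a field the server did not send, so the parsing and the validinum assignment need to depend on srchinf->info_level. Separately, folding the re-indentation into the same hunk hides the handful of functional lines; a stable backport would be easier to audit with the whitespace change split out.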
-- 
2.19.1



[PATCH AUTOSEL 4.14 27/37] lkdtm: Add tests for NULL pointer dereference

2019-03-29 Thread Sasha Levin
From: Christophe Leroy 

[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]

Introduce lkdtm tests for NULL pointer dereference: check access or exec
at NULL address, since these errors tend to be reported differently from
the general fault error text. For example from x86:

pr_alert("BUG: unable to handle kernel %s at %px\n",
address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
(void *)address);

Signed-off-by: Christophe Leroy 
Signed-off-by: Kees Cook 
Signed-off-by: Sasha Levin 
---
 drivers/misc/lkdtm.h   |  2 ++
 drivers/misc/lkdtm_core.c  |  2 ++
 drivers/misc/lkdtm_perms.c | 18 ++
 3 files changed, 22 insertions(+)

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index 687a0dbbe199..614612325332 100644
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
 void lkdtm_EXEC_VMALLOC(void);
 void lkdtm_EXEC_RODATA(void);
 void lkdtm_EXEC_USERSPACE(void);
+void lkdtm_EXEC_NULL(void);
 void lkdtm_ACCESS_USERSPACE(void);
+void lkdtm_ACCESS_NULL(void);
 
 /* lkdtm_refcount.c */
 void lkdtm_REFCOUNT_INC_OVERFLOW(void);
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index 981b3ef71e47..199271708aed 100644
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -220,7 +220,9 @@ struct crashtype crashtypes[] = {
CRASHTYPE(EXEC_VMALLOC),
CRASHTYPE(EXEC_RODATA),
CRASHTYPE(EXEC_USERSPACE),
+   CRASHTYPE(EXEC_NULL),
CRASHTYPE(ACCESS_USERSPACE),
+   CRASHTYPE(ACCESS_NULL),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
CRASHTYPE(WRITE_KERN),
diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
index fa54add6375a..62f76d506f04 100644
--- a/drivers/misc/lkdtm_perms.c
+++ b/drivers/misc/lkdtm_perms.c
@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_EXEC_NULL(void)
+{
+   execute_location(NULL, CODE_AS_IS);
+}
+
 void lkdtm_ACCESS_USERSPACE(void)
 {
unsigned long user_addr, tmp = 0;
@@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_ACCESS_NULL(void)
+{
+   unsigned long tmp;
+   unsigned long *ptr = (unsigned long *)NULL;
+
+   pr_info("attempting bad read at %px\n", ptr);
+   tmp = *ptr;
+   tmp += 0xc0dec0de;
+
+   pr_info("attempting bad write at %px\n", ptr);
+   *ptr = tmp;
+}
+
 void __init lkdtm_perms_init(void)
 {
/* Make sure we can write to __ro_after_init values during __init */
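Review bot: in lkdtm_ACCESS_NULL() ptr is a plain `unsigned long *` initialised from a constant NULL, so the compiler can see that `tmp = *ptr` and `*ptr = tmp` dereference a known null pointer; declaring ptr volatile would make sure both accesses are actually emitted. Note also that when the read faults as intended the "bad write" half is never reached, so either split it into its own crash type or say so in a comment.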
-- 
2.19.1



[PATCH AUTOSEL 4.14 24/37] soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()

2019-03-29 Thread Sasha Levin
From: Dmitry Osipenko 

[ Upstream commit b6e1fd17a38bd1d97c11d69fd3207b3ef9bfa4b3 ]

This fixes splats like the one below if CONFIG_DEBUG_ATOMIC_SLEEP=y
and the machine (Tegra30) is booted with SMP=n or all secondary CPUs are put
offline. Locking isn't needed because it protects an atomic operation.

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:254
in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G C 4.18.0-next-20180821-00180-gc3ebb6544e44-dirty #823
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[] (unwind_backtrace) from [] (show_stack+0x20/0x24)
[] (show_stack) from [] (dump_stack+0x94/0xa8)
[] (dump_stack) from [] (___might_sleep+0x13c/0x174)
[] (___might_sleep) from [] (__might_sleep+0x70/0xa8)
[] (__might_sleep) from [] (mutex_lock+0x2c/0x70)
[] (mutex_lock) from [] (tegra_powergate_is_powered+0x44/0xa8)
[] (tegra_powergate_is_powered) from [] (tegra30_cpu_rail_off_ready+0x30/0x74)
[] (tegra30_cpu_rail_off_ready) from [] (tegra30_idle_lp2+0xa0/0x108)
[] (tegra30_idle_lp2) from [] (cpuidle_enter_state+0x140/0x540)
[] (cpuidle_enter_state) from [] (cpuidle_enter+0x40/0x4c)
[] (cpuidle_enter) from [] (call_cpuidle+0x30/0x48)
[] (call_cpuidle) from [] (do_idle+0x238/0x28c)
[] (do_idle) from [] (cpu_startup_entry+0x28/0x2c)
[] (cpu_startup_entry) from [] (rest_init+0xd8/0xdc)
[] (rest_init) from [] (start_kernel+0x41c/0x430)

Signed-off-by: Dmitry Osipenko 
Acked-by: Jon Hunter 
Signed-off-by: Thierry Reding 
Signed-off-by: Sasha Levin 
---
 drivers/soc/tegra/pmc.c | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
index 7e9ef3431bea..2422ed56895a 100644
--- a/drivers/soc/tegra/pmc.c
+++ b/drivers/soc/tegra/pmc.c
@@ -521,16 +521,10 @@ EXPORT_SYMBOL(tegra_powergate_power_off);
  */
 int tegra_powergate_is_powered(unsigned int id)
 {
-   int status;
-
if (!tegra_powergate_is_valid(id))
return -EINVAL;
 
-   mutex_lock(>powergates_lock);
-   status = tegra_powergate_state(id);
-   mutex_unlock(>powergates_lock);
-
-   return status;
+   return tegra_powergate_state(id);
 }
 
 /**
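Review bot: with the mutex gone, tegra_powergate_is_powered() is only safe because tegra_powergate_state() is a single atomic read, as the changelog says, but nothing in the code records that. Please extend the kernel-doc above the function to state that it may be called from atomic context (the cpuidle path in the splat) and that tegra_powergate_state() must not grow sleeping or multi-step accesses.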
-- 
2.19.1



[PATCH AUTOSEL 4.9 09/21] ACPI / SBS: Fix GPE storm on recent MacBookPro's

2019-03-29 Thread Sasha Levin
From: Ronald Tschalär 

[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]

On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).

In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want to
ignore the charger here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
Signed-off-by: Ronald Tschalär 
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/sbs.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index ad0b13ad4bbb..4a76000bcf7a 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -443,9 +443,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
 
/*
 * The spec requires that bit 4 always be 1. If it's not set, assume
-* that the implementation doesn't support an SBS charger
+* that the implementation doesn't support an SBS charger.
+*
+* And on some MacBooks a status of 0x is always returned, no
+* matter whether the charger is plugged in or not, which is also
+* wrong, so ignore the SBS charger for those too.
 */
-   if (!((status >> 4) & 0x1))
+   if (!((status >> 4) & 0x1) || status == 0x)
return -ENODEV;
 
sbs->charger_present = (status >> 15) & 0x1;
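Review bot: the added `status ==` comparison against the all-ones value only matches if status has exactly the width of the constant; the surrounding code treats it as a 16-bit word (bit 15 is charger_present), so please check the declaration of status and either compare against a named 16-bit constant or mask before comparing. A named macro would also keep the magic value in the comment and the one in the condition from drifting apart.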
-- 
2.19.1



[PATCH AUTOSEL 4.9 02/21] rsi: improve kernel thread handling to fix kernel panic

2019-03-29 Thread Sasha Levin
From: Siva Rebbagondla 

[ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]

While running regressions, the below kernel panic was observed when sdio
disconnect was called. This is because kthread_stop() takes care of
wait_for_completion() by default. When wait_for_completion() is triggered
in kthread_stop() and it was already done, it gives a kernel panic.
Hence, removing the redundant wait_for_completion() from rsi_kill_thread().

... skipping ...
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [] exit_creds+0x1f/0x50
PGD 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
Stack:
88007392e600 880075847dc0 8108160a 
88007392e600 880075847de8 810a484b 880076127000
88003cd3a800 880074f12a00 880075847e28 c09bed15
Call Trace:
[] __put_task_struct+0x5a/0x140
[] kthread_stop+0x10b/0x110
[] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
[] ? __pm_runtime_resume+0x5b/0x80
[] sdio_bus_remove+0x38/0x100
[] __device_release_driver+0xa4/0x150
[] driver_detach+0xb5/0xc0
[] bus_remove_driver+0x55/0xd0
[] driver_unregister+0x2c/0x50
[] sdio_unregister_driver+0x1a/0x20
[] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
[] SyS_delete_module+0x1b8/0x210
[] entry_SYSCALL_64_fastpath+0x1c/0xbb

Signed-off-by: Siva Rebbagondla 
Signed-off-by: Kalle Valo 
Signed-off-by: Sasha Levin 
---
 drivers/net/wireless/rsi/rsi_common.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_common.h 
b/drivers/net/wireless/rsi/rsi_common.h
index d3fbe33d2324..a13f08fd8690 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
atomic_inc(>thread_done);
rsi_set_event(>event);
 
-   wait_for_completion(>completion);
return kthread_stop(handle->task);
 }
 
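Review bot: the changelog blames the oops on the extra wait, but the trace faults in kthread_stop() -> __put_task_struct(), and kthread_stop(handle->task) is still called after this hunk; please explain why dropping wait_for_completion() makes the task_struct valid at that point, for example whether the thread function still exits on its own once thread_done is set. If nothing waits on the handle's completion any more, the member and whatever completes it should be removed in the same patch.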
-- 
2.19.1



[PATCH AUTOSEL 4.9 01/21] gpio: pxa: handle corner case of unprobed device

2019-03-29 Thread Sasha Levin
From: Robert Jarzmik 

[ Upstream commit 9ce3ebe973bf4073426f35f282c6b955ed802765 ]

In the corner case where the gpio driver probe fails, for whatever
reason, the suspend and resume handlers will still be called as they
have to be registered as syscore operations. This applies as well when
no probe was called while the driver has been built in the kernel.

Nicolas tracked this in :
https://bugzilla.kernel.org/show_bug.cgi?id=200905

Therefore, add a failsafe in these functions, and test if a proper probe
succeeded and the driver is functional.

Signed-off-by: Robert Jarzmik 
Reported-by: Nicolas Chauvet 
Signed-off-by: Linus Walleij 
Signed-off-by: Sasha Levin 
---
 drivers/gpio/gpio-pxa.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c
index 7a6305884f97..32d22bdf7164 100644
--- a/drivers/gpio/gpio-pxa.c
+++ b/drivers/gpio/gpio-pxa.c
@@ -774,6 +774,9 @@ static int pxa_gpio_suspend(void)
struct pxa_gpio_bank *c;
int gpio;
 
+   if (!pchip)
+   return 0;
+
for_each_gpio_bank(gpio, c, pchip) {
c->saved_gplr = readl_relaxed(c->regbase + GPLR_OFFSET);
c->saved_gpdr = readl_relaxed(c->regbase + GPDR_OFFSET);
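Review bot: the `if (!pchip)` guard in pxa_gpio_suspend() (and the matching one in pxa_gpio_resume()) only helps if pchip is still NULL after a failed probe; if probe assigns pchip before the step that fails, the pointer is non-NULL and the for_each_gpio_bank() loop below still runs on a half-initialised chip. Please confirm that probe sets pchip last or clears it on its error path, and add a short comment that these are syscore callbacks and run regardless of probe.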
@@ -792,6 +795,9 @@ static void pxa_gpio_resume(void)
struct pxa_gpio_bank *c;
int gpio;
 
+   if (!pchip)
+   return;
+
for_each_gpio_bank(gpio, c, pchip) {
/* restore level with set/clear */
writel_relaxed(c->saved_gplr, c->regbase + GPSR_OFFSET);
-- 
2.19.1



[PATCH AUTOSEL 4.9 03/21] 9p: do not trust pdu content for stat item size

2019-03-29 Thread Sasha Levin
From: Gertjan Halkes 

[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/vfs_dir.c   | 8 +++-
 net/9p/protocol.c | 3 ++-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index 48db9a9f13f9..cb6c4031af55 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
int err = 0;
struct p9_fid *fid;
int buflen;
-   int reclen = 0;
struct p9_rdir *rdir;
struct kvec kvec;
 
@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
while (rdir->head < rdir->tail) {
err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
  rdir->tail - rdir->head, );
-   if (err) {
+   if (err <= 0) {
p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
return -EIO;
}
-   reclen = st.size+2;
 
over = !dir_emit(ctx, st.name, strlen(st.name),
 v9fs_qid2ino(), dt_type());
@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
if (over)
return 0;
 
-   rdir->head += reclen;
-   ctx->pos += reclen;
+   rdir->head += err;
+   ctx->pos += err;
}
}
 }
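Review bot: `rdir->head += err` and `ctx->pos += err` now advance by a variable named err, which reads as an error code; since p9stat_read() returns the number of bytes consumed on success, store it in a separate local (the removed reclen would do) so the loop's progress condition, a strictly positive step taken from the parser rather than from the PDU's size field, is obvious at the point where head is advanced.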
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index 145f80518064..7f1b45c082c9 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int 
len, struct p9_wstat *st)
if (ret) {
p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
trace_9p_protocol_dump(clnt, _pdu);
+   return ret;
}
 
-   return ret;
+   return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9stat_read);
 
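Review bot: p9stat_read() changes its return contract in this hunk from 0 on success to fake_pdu.offset, and it is exported, so every caller that tests the result with `if (ret)` or `ret != 0` will now treat a successful parse as a failure. The patch converts v9fs_dir_readdir(); please audit the remaining callers in this 4.9 tree and update the function's kernel-doc to say that it returns the number of bytes consumed or a negative errno.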
-- 
2.19.1



[PATCH AUTOSEL 4.14 26/37] lkdtm: Print real addresses

2019-03-29 Thread Sasha Levin
From: Christophe Leroy 

[ Upstream commit 4c411157a42f122051ae3469bee0b5cabe89e139 ]

Today, when doing a lkdtm test before the readiness of the
random generator, (ptrval) is printed instead of the address
at which it performs the fault:

[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
[ 1597.337142] lkdtm: attempting ok execution at (ptrval)
[ 1597.337398] lkdtm: attempting bad execution at (ptrval)
[ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0)
[ 1597.344769] Unable to handle kernel paging request for instruction fetch
[ 1597.351392] Faulting instruction address: 0x77858000
[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]

If the lkdtm test is done later on, it prints a hashed address.

In both cases this is pointless. The purpose of the test is to
ensure the kernel generates an Oops at the expected address,
so real addresses need to be printed. This patch fixes that.

Signed-off-by: Christophe Leroy 
Signed-off-by: Kees Cook 
Signed-off-by: Sasha Levin 
---
 drivers/misc/lkdtm_perms.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
index 53b85c9d16b8..fa54add6375a 100644
--- a/drivers/misc/lkdtm_perms.c
+++ b/drivers/misc/lkdtm_perms.c
@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
 {
void (*func)(void) = dst;
 
-   pr_info("attempting ok execution at %p\n", do_nothing);
+   pr_info("attempting ok execution at %px\n", do_nothing);
do_nothing();
 
if (write == CODE_WRITE) {
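Review bot: the "attempting ok execution" line in execute_location() does not fault, so there is no Oops address to compare it against, yet switching it to %px writes the unhashed address of do_nothing into the kernel log; consider leaving that line on %p and using %px only for the "bad" accesses the changelog is about. A sentence in the changelog or the lkdtm documentation that the module now discloses raw kernel addresses in dmesg would also be useful for anyone who loads it outside a test machine.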
@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
flush_icache_range((unsigned long)dst,
   (unsigned long)dst + EXEC_SIZE);
}
-   pr_info("attempting bad execution at %p\n", func);
+   pr_info("attempting bad execution at %px\n", func);
func();
 }
 
@@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
/* Intentionally crossing kernel/user memory boundary. */
void (*func)(void) = dst;
 
-   pr_info("attempting ok execution at %p\n", do_nothing);
+   pr_info("attempting ok execution at %px\n", do_nothing);
do_nothing();
 
copied = access_process_vm(current, (unsigned long)dst, do_nothing,
   EXEC_SIZE, FOLL_WRITE);
if (copied < EXEC_SIZE)
return;
-   pr_info("attempting bad execution at %p\n", func);
+   pr_info("attempting bad execution at %px\n", func);
func();
 }
 
@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
/* Explicitly cast away "const" for the test. */
unsigned long *ptr = (unsigned long *)
 
-   pr_info("attempting bad rodata write at %p\n", ptr);
+   pr_info("attempting bad rodata write at %px\n", ptr);
*ptr ^= 0xabcd1234;
 }
 
@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
return;
}
 
-   pr_info("attempting bad ro_after_init write at %p\n", ptr);
+   pr_info("attempting bad ro_after_init write at %px\n", ptr);
*ptr ^= 0xabcd1234;
 }
 
@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
ptr = (unsigned char *)do_overwritten;
 
-   pr_info("attempting bad %zu byte write at %p\n", size, ptr);
+   pr_info("attempting bad %zu byte write at %px\n", size, ptr);
memcpy(ptr, (unsigned char *)do_nothing, size);
flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
 
@@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void)
 
ptr = (unsigned long *)user_addr;
 
-   pr_info("attempting bad read at %p\n", ptr);
+   pr_info("attempting bad read at %px\n", ptr);
tmp = *ptr;
tmp += 0xc0dec0de;
 
-   pr_info("attempting bad write at %p\n", ptr);
+   pr_info("attempting bad write at %px\n", ptr);
*ptr = tmp;
 
vm_munmap(user_addr, PAGE_SIZE);
-- 
2.19.1



[PATCH AUTOSEL 4.9 07/21] HID: i2c-hid: override HID descriptors for certain devices

2019-03-29 Thread Sasha Levin
From: Julian Sax 

[ Upstream commit 9ee3e06610fdb8a601cde59c92089fb6c1deb4aa ]

A particular touchpad (SIPODEV SP1064) refuses to supply the HID
descriptors. This patch provides the framework for overriding these
descriptors based on DMI data. It also includes the descriptors for
said touchpad, which were extracted by listening to the traffic of the
windows filter driver, as well as the DMI data for the laptops known
to use this device.

Relevant Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1526312

Cc: Hans de Goede 
Reported-and-tested-by: ahorm...@gmx.net
Reported-and-tested-by: Bruno Jesus 
Reported-and-tested-by: Dietrich 
Reported-and-tested-by: kloxd...@yahoo.com
Signed-off-by: Julian Sax 
Reviewed-by: Benjamin Tissoires 
Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
---
 drivers/hid/i2c-hid/Makefile  |   3 +
 .../hid/i2c-hid/{i2c-hid.c => i2c-hid-core.c} |  56 ++-
 drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c  | 376 ++
 drivers/hid/i2c-hid/i2c-hid.h |  20 +
 4 files changed, 437 insertions(+), 18 deletions(-)
 rename drivers/hid/i2c-hid/{i2c-hid.c => i2c-hid-core.c} (96%)
 create mode 100644 drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
 create mode 100644 drivers/hid/i2c-hid/i2c-hid.h

diff --git a/drivers/hid/i2c-hid/Makefile b/drivers/hid/i2c-hid/Makefile
index 832d8f9aaba2..099e1ce2f234 100644
--- a/drivers/hid/i2c-hid/Makefile
+++ b/drivers/hid/i2c-hid/Makefile
@@ -3,3 +3,6 @@
 #
 
 obj-$(CONFIG_I2C_HID)  += i2c-hid.o
+
+i2c-hid-objs   =  i2c-hid-core.o
+i2c-hid-$(CONFIG_DMI)  += i2c-hid-dmi-quirks.o
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid-core.c
similarity index 96%
rename from drivers/hid/i2c-hid/i2c-hid.c
rename to drivers/hid/i2c-hid/i2c-hid-core.c
index ce2b80009c19..850527d5fab1 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -42,6 +42,7 @@
 #include 
 
 #include "../hid-ids.h"
+#include "i2c-hid.h"
 
 /* quirks to control the device */
 #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV   BIT(0)
@@ -724,6 +725,7 @@ static int i2c_hid_parse(struct hid_device *hid)
char *rdesc;
int ret;
int tries = 3;
+   char *use_override;
 
i2c_hid_dbg(ihid, "entering %s\n", __func__);
 
@@ -742,26 +744,37 @@ static int i2c_hid_parse(struct hid_device *hid)
if (ret)
return ret;
 
-   rdesc = kzalloc(rsize, GFP_KERNEL);
+   use_override = i2c_hid_get_dmi_hid_report_desc_override(client->name,
+   );
 
-   if (!rdesc) {
-   dbg_hid("couldn't allocate rdesc memory\n");
-   return -ENOMEM;
-   }
+   if (use_override) {
+   rdesc = use_override;
+   i2c_hid_dbg(ihid, "Using a HID report descriptor override\n");
+   } else {
+   rdesc = kzalloc(rsize, GFP_KERNEL);
 
-   i2c_hid_dbg(ihid, "asking HID report descriptor\n");
+   if (!rdesc) {
+   dbg_hid("couldn't allocate rdesc memory\n");
+   return -ENOMEM;
+   }
 
-   ret = i2c_hid_command(client, _report_descr_cmd, rdesc, rsize);
-   if (ret) {
-   hid_err(hid, "reading report descriptor failed\n");
-   kfree(rdesc);
-   return -EIO;
+   i2c_hid_dbg(ihid, "asking HID report descriptor\n");
+
+   ret = i2c_hid_command(client, _report_descr_cmd,
+ rdesc, rsize);
+   if (ret) {
+   hid_err(hid, "reading report descriptor failed\n");
+   kfree(rdesc);
+   return -EIO;
+   }
}
 
i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc);
 
ret = hid_parse_report(hid, rdesc, rsize);
-   kfree(rdesc);
+   if (!use_override)
+   kfree(rdesc);
+
if (ret) {
dbg_hid("parsing report descriptor failed\n");
return ret;
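Review bot: in i2c_hid_parse() use_override doubles as the "do not free" flag for rdesc, and it is a non-const `char *` pointing at data returned by i2c_hid_get_dmi_hid_report_desc_override(); make the helper's return type and the local const, and add a comment at `if (!use_override) kfree(rdesc)` so a later cleanup does not end up freeing the quirk table.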
@@ -899,12 +912,19 @@ static int i2c_hid_fetch_hid_descriptor(struct i2c_hid 
*ihid)
int ret;
 
/* i2c hid fetch using a fixed descriptor size (30 bytes) */
-   i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
-   ret = i2c_hid_command(client, _descr_cmd, ihid->hdesc_buffer,
-   sizeof(struct i2c_hid_desc));
-   if (ret) {
-   dev_err(>dev, "hid_descr_cmd failed\n");
-   return -ENODEV;
+   if (i2c_hid_get_dmi_i2c_hid_desc_override(client->name)) {
+   i2c_hid_dbg(ihid, "Using a HID descriptor override\n");
+   ihid->hdesc =
+   *i2c_hid_get_dmi_i2c_hid_desc_override(client->name);
+   } else {
+   i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
+   ret = 
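Review bot: i2c_hid_get_dmi_i2c_hid_desc_override(client->name) is called twice in i2c_hid_fetch_hid_descriptor(), once in the condition and again to dereference the result; store the pointer in a local and test that, which avoids a second lookup and removes any doubt that the dereferenced pointer is the one that was checked.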

[PATCH AUTOSEL 4.9 17/21] lkdtm: Add tests for NULL pointer dereference

2019-03-29 Thread Sasha Levin
From: Christophe Leroy 

[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]

Introduce lkdtm tests for NULL pointer dereference: check access or exec
at NULL address, since these errors tend to be reported differently from
the general fault error text. For example from x86:

pr_alert("BUG: unable to handle kernel %s at %px\n",
address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
(void *)address);

Signed-off-by: Christophe Leroy 
Signed-off-by: Kees Cook 
Signed-off-by: Sasha Levin 
---
 drivers/misc/lkdtm.h   |  2 ++
 drivers/misc/lkdtm_core.c  |  2 ++
 drivers/misc/lkdtm_perms.c | 18 ++
 3 files changed, 22 insertions(+)

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index fdf954c2107f..6abc97b245e4 100644
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -40,7 +40,9 @@ void lkdtm_EXEC_KMALLOC(void);
 void lkdtm_EXEC_VMALLOC(void);
 void lkdtm_EXEC_RODATA(void);
 void lkdtm_EXEC_USERSPACE(void);
+void lkdtm_EXEC_NULL(void);
 void lkdtm_ACCESS_USERSPACE(void);
+void lkdtm_ACCESS_NULL(void);
 
 /* lkdtm_rodata.c */
 void lkdtm_rodata_do_nothing(void);
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index b2989f2d3126..035e51bea450 100644
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -214,7 +214,9 @@ struct crashtype crashtypes[] = {
CRASHTYPE(EXEC_VMALLOC),
CRASHTYPE(EXEC_RODATA),
CRASHTYPE(EXEC_USERSPACE),
+   CRASHTYPE(EXEC_NULL),
CRASHTYPE(ACCESS_USERSPACE),
+   CRASHTYPE(ACCESS_NULL),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
CRASHTYPE(WRITE_KERN),
diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
index 45f1c0f96612..1a9dcdaa95f0 100644
--- a/drivers/misc/lkdtm_perms.c
+++ b/drivers/misc/lkdtm_perms.c
@@ -160,6 +160,11 @@ void lkdtm_EXEC_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_EXEC_NULL(void)
+{
+   execute_location(NULL, CODE_AS_IS);
+}
+
 void lkdtm_ACCESS_USERSPACE(void)
 {
unsigned long user_addr, tmp = 0;
@@ -191,6 +196,19 @@ void lkdtm_ACCESS_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_ACCESS_NULL(void)
+{
+   unsigned long tmp;
+   unsigned long *ptr = (unsigned long *)NULL;
+
+   pr_info("attempting bad read at %px\n", ptr);
+   tmp = *ptr;
+   tmp += 0xc0dec0de;
+
+   pr_info("attempting bad write at %px\n", ptr);
+   *ptr = tmp;
+}
+
 void __init lkdtm_perms_init(void)
 {
/* Make sure we can write to __ro_after_init values during __init */
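Review bot: the new pr_info() calls in lkdtm_ACCESS_NULL() use %px, and this is the 4.9 backport; please confirm that the %px specifier is handled by vsnprintf in this tree, or that the "lkdtm: Print real addresses" change is queued for 4.9 as well, so the messages of the new test match the format of the existing prints in lkdtm_perms.c.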
-- 
2.19.1



[PATCH AUTOSEL 4.9 20/21] lib/div64.c: off by one in shift

2019-03-29 Thread Sasha Levin
From: Stanislaw Gruszka 

[ Upstream commit cdc94a37493135e355dfc0b0e086d84e3eadb50d ]

fls counts bits starting from 1 to 32 (returns 0 for zero argument).  If
we add 1 we shift right one bit more and lose precision from divisor,
which causes the function to return incorrect results with some numbers.

Corrected code was tested in user-space, see bugzilla:
   https://bugzilla.kernel.org/show_bug.cgi?id=202391

Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgrus...@redhat.com
Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
Signed-off-by: Stanislaw Gruszka 
Reported-by: Siarhei Volkau 
Tested-by: Siarhei Volkau 
Acked-by: Oleg Nesterov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 lib/div64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/div64.c b/lib/div64.c
index 7f345259c32f..c1c1a4c36dd5 100644
--- a/lib/div64.c
+++ b/lib/div64.c
@@ -102,7 +102,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
quot = div_u64_rem(dividend, divisor, );
*remainder = rem32;
} else {
-   int n = 1 + fls(high);
+   int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
 
if (quot != 0)
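Review bot: `int n = fls(high)` is correct but unexplained, and the same line was off by one in both div64_u64_rem() and div64_u64(); please add a comment stating the invariant, namely that high is non-zero in this branch, so fls(high) is between 1 and 32 and is the smallest shift that makes `divisor >> n` fit the 32-bit divisor of div_u64(). Since the changelog says the fix was tested in user space, an in-kernel self-test with a divisor just above 2^32 would keep this from regressing.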
@@ -140,7 +140,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
if (high == 0) {
quot = div_u64(dividend, divisor);
} else {
-   int n = 1 + fls(high);
+   int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
 
if (quot != 0)
-- 
2.19.1
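The off-by-one described in the changelog above, as an added user-space model (not code from the patch or from lib/div64.c). The names fls32(), div_u64_model(), div64_u64_model() and count_mismatches() are hypothetical, the inputs are constructed, and the correction step after the shift is assumed from the kernel source because the hunk shows only its first line.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* fls(): 1-based index of the most significant set bit, 0 for x == 0. */
int fls32(uint32_t x)
{
	int n = 0;

	while (x) {
		n++;
		x >>= 1;
	}
	return n;
}

/* Stand-in for div_u64(): 64-bit dividend, 32-bit divisor. */
uint64_t div_u64_model(uint64_t dividend, uint32_t divisor)
{
	return dividend / divisor;
}

/*
 * Model of div64_u64(). extra_shift = 1 reproduces the old "1 + fls(high)",
 * extra_shift = 0 the patched "fls(high)".
 * Assumption: the decrement-and-correct step below is reproduced from
 * lib/div64.c; the hunk on this page shows only "if (quot != 0)".
 */
uint64_t div64_u64_model(uint64_t dividend, uint64_t divisor, int extra_shift)
{
	uint32_t high = (uint32_t)(divisor >> 32);
	uint64_t quot;
	int n;

	if (high == 0)
		return div_u64_model(dividend, (uint32_t)divisor);

	n = extra_shift + fls32(high);
	quot = div_u64_model(dividend >> n, (uint32_t)(divisor >> n));

	/*
	 * Truncating the divisor can only make the estimate too large.
	 * Step back by one, then correct upwards by at most one. That is
	 * enough only if the estimate was at most one too large.
	 */
	if (quot != 0)
		quot--;
	if ((dividend - quot * divisor) >= divisor)
		quot++;
	return quot;
}

/*
 * Constructed sweep: divisors just above 2^32 (high == 1) against large
 * dividends. Returns how many results differ from native 64-bit division.
 */
unsigned count_mismatches(int extra_shift)
{
	unsigned bad = 0;
	uint64_t d, k;

	for (d = 0; d < 64; d++) {
		uint64_t divisor = 0x100000000ULL + d;

		for (k = 0; k < 64; k++) {
			uint64_t dividend = UINT64_MAX - k * 0x0101010101ULL;

			if (div64_u64_model(dividend, divisor, extra_shift) !=
			    dividend / divisor)
				bad++;
		}
	}
	return bad;
}

int main(void)
{
	uint64_t u = UINT64_MAX, v = 0x100000003ULL;

	/* With the extra shift, v >> 2 drops the low bits 0b11 entirely. */
	printf("native     : 0x%" PRIx64 "\n", u / v);
	printf("1+fls(high): 0x%" PRIx64 "\n", div64_u64_model(u, v, 1));
	printf("fls(high)  : 0x%" PRIx64 "\n", div64_u64_model(u, v, 0));
	printf("sweep mismatches old=%u new=%u\n",
	       count_mismatches(1), count_mismatches(0));
	return 0;
}
```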



[PATCH AUTOSEL 4.4 03/16] 9p locks: add mount option for lock retry interval

2019-03-29 Thread Sasha Levin
From: Dinu-Razvan Chis-Serban 

[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]

The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.

Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/v9fs.c | 21 +
 fs/9p/v9fs.h |  1 +
 fs/9p/vfs_file.c |  6 +-
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
index 6caca025019d..1e9bb8db7b48 100644
--- a/fs/9p/v9fs.c
+++ b/fs/9p/v9fs.c
@@ -59,6 +59,8 @@ enum {
Opt_cache_loose, Opt_fscache, Opt_mmap,
/* Access options */
Opt_access, Opt_posixacl,
+   /* Lock timeout option */
+   Opt_locktimeout,
/* Error token */
Opt_err
 };
@@ -78,6 +80,7 @@ static const match_table_t tokens = {
{Opt_cachetag, "cachetag=%s"},
{Opt_access, "access=%s"},
{Opt_posixacl, "posixacl"},
+   {Opt_locktimeout, "locktimeout=%u"},
{Opt_err, NULL}
 };
 
@@ -126,6 +129,7 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #ifdef CONFIG_9P_FSCACHE
v9ses->cachetag = NULL;
 #endif
+   v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
 
if (!opts)
return 0;
@@ -298,6 +302,23 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #endif
break;
 
+   case Opt_locktimeout:
+   r = match_int([0], );
+   if (r < 0) {
+   p9_debug(P9_DEBUG_ERROR,
+"integer field, but no integer?\n");
+   ret = r;
+   continue;
+   }
+   if (option < 1) {
+   p9_debug(P9_DEBUG_ERROR,
+"locktimeout must be a greater than 
zero integer.\n");
+   ret = -EINVAL;
+   continue;
+   }
+   v9ses->session_lock_timeout = (long)option * HZ;
+   break;
+
default:
continue;
}
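Review bot: the Opt_locktimeout case only rejects values below 1, so `(long)option * HZ` can overflow long on 32-bit builds for large mount values and hand schedule_timeout_interruptible() a negative or very small interval; clamp option to an upper bound (for example so the product stays below MAX_SCHEDULE_TIMEOUT) and return -EINVAL above it. The token is also declared as "locktimeout=%u" while it is parsed with match_int(), so pick one signedness.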
diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
index 6877050384a1..3775f275ede3 100644
--- a/fs/9p/v9fs.h
+++ b/fs/9p/v9fs.h
@@ -116,6 +116,7 @@ struct v9fs_session_info {
struct list_head slist; /* list of sessions registered with v9fs */
struct backing_dev_info bdi;
struct rw_semaphore rename_sem;
+   long session_lock_timeout; /* retry interval for blocking locks */
 };
 
 /* cache_validity flags */
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 62ce8b4a7e5f..373cc50544e9 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
uint8_t status = P9_LOCK_ERROR;
int res = 0;
unsigned char fl_type;
+   struct v9fs_session_info *v9ses;
 
fid = filp->private_data;
BUG_ON(fid == NULL);
@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
if (IS_SETLKW(cmd))
flock.flags = P9_LOCK_FLAGS_BLOCK;
 
+   v9ses = v9fs_inode2v9ses(file_inode(filp));
+
/*
 * if its a blocked request and we get P9_LOCK_BLOCKED as the status
 * for lock request, keep on trying
@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
break;
if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
break;
-   if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+   if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
+   != 0)
break;
/*
 * p9_client_lock_dotl overwrites flock.client_id with the
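Review bot: the replacement call wraps `!= 0` onto a line of its own, which reads awkwardly. The result is only tested for non-zero, so dropping the comparison (`if (schedule_timeout_interruptible(v9ses->session_lock_timeout))`) keeps the condition on one line.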
-- 
2.19.1



[PATCH AUTOSEL 4.9 18/21] ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t

2019-03-29 Thread Sasha Levin
From: Yang Shi 

[ Upstream commit 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 ]

When running kprobe on -rt kernel, the below bug is caught:

|BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140
|CPU: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
|Hardware name: Freescale LS1021A
|[<8025a43c>] (___might_sleep)
|[<80b5b324>] (rt_spin_lock)
|[<80b5c31c>] (__patch_text_real)
|[<80b5c3ac>] (patch_text_stop_machine)
|[<802f2920>] (multi_cpu_stop)

Since patch_text_stop_machine() is called in stop_machine() which
disables IRQ, sleepable lock should not be used in this atomic context,
so replace patch_lock with a raw lock.

Signed-off-by: Yang Shi 
Signed-off-by: Sebastian Andrzej Siewior 
Reviewed-by: Arnd Bergmann 
Signed-off-by: Russell King 
Signed-off-by: Sasha Levin 
---
 arch/arm/kernel/patch.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
index 69bda1a5707e..1f665acaa6a9 100644
--- a/arch/arm/kernel/patch.c
+++ b/arch/arm/kernel/patch.c
@@ -15,7 +15,7 @@ struct patch {
unsigned int insn;
 };
 
-static DEFINE_SPINLOCK(patch_lock);
+static DEFINE_RAW_SPINLOCK(patch_lock);
 
 static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
__acquires(_lock)
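Review bot: `DEFINE_RAW_SPINLOCK(patch_lock)` carries no comment saying why this lock has to be raw. The reason lives only in the commit message (the lock is taken from `stop_machine()` context with IRQs disabled, where a sleeping lock is not allowed on -rt); a short comment above the definition would keep a later cleanup from converting it back.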
@@ -32,7 +32,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, 
unsigned long *flags)
return addr;
 
if (flags)
-   spin_lock_irqsave(_lock, *flags);
+   raw_spin_lock_irqsave(_lock, *flags);
else
__acquire(_lock);
 
@@ -47,7 +47,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long 
*flags)
clear_fixmap(fixmap);
 
if (flags)
-   spin_unlock_irqrestore(_lock, *flags);
+   raw_spin_unlock_irqrestore(_lock, *flags);
else
__release(_lock);
 }
-- 
2.19.1



[PATCH AUTOSEL 3.18 04/10] serial: uartps: console_setup() can't be placed to init section

2019-03-29 Thread Sasha Levin
From: Michal Simek 

[ Upstream commit 4bb1ce2350a598502b23088b169e16b43d4bc639 ]

When console device is rebound, console_setup() is called again.
But marking it as __init means that the function will be cleared after boot is
complete. If console device is bound again console_setup() is not found
and error "Unable to handle kernel paging request at virtual address"
is reported.

Signed-off-by: Michal Simek 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/tty/serial/xilinx_uartps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/xilinx_uartps.c 
b/drivers/tty/serial/xilinx_uartps.c
index df28ef14382b..892446cc28fa 100644
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -1120,7 +1120,7 @@ static void cdns_uart_console_write(struct console *co, 
const char *s,
  *
  * Return: 0 on success, negative errno otherwise.
  */
-static int __init cdns_uart_console_setup(struct console *co, char *options)
+static int cdns_uart_console_setup(struct console *co, char *options)
 {
struct uart_port *port = _uart_port[co->index];
int baud = 9600;
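Review bot: dropping `__init` from `cdns_uart_console_setup()` keeps this function resident, but anything it calls or reads that is still marked `__init` or `__initdata` would fault the same way on a rebind. Please confirm the file builds without section mismatch warnings after the change and say so in the commit message.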
-- 
2.19.1



[PATCH AUTOSEL 3.18 03/10] 9p locks: add mount option for lock retry interval

2019-03-29 Thread Sasha Levin
From: Dinu-Razvan Chis-Serban 

[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]

The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.

Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/v9fs.c | 21 +
 fs/9p/v9fs.h |  1 +
 fs/9p/vfs_file.c |  6 +-
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
index 6894b085f0ee..4f02d1db6e27 100644
--- a/fs/9p/v9fs.c
+++ b/fs/9p/v9fs.c
@@ -59,6 +59,8 @@ enum {
Opt_cache_loose, Opt_fscache, Opt_mmap,
/* Access options */
Opt_access, Opt_posixacl,
+   /* Lock timeout option */
+   Opt_locktimeout,
/* Error token */
Opt_err
 };
@@ -78,6 +80,7 @@ static const match_table_t tokens = {
{Opt_cachetag, "cachetag=%s"},
{Opt_access, "access=%s"},
{Opt_posixacl, "posixacl"},
+   {Opt_locktimeout, "locktimeout=%u"},
{Opt_err, NULL}
 };
 
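Review bot: the new `locktimeout=%u` entry in `tokens` adds a user-visible mount option, but the diffstat touches only `fs/9p/v9fs.c`, `fs/9p/v9fs.h` and `fs/9p/vfs_file.c`, so nothing documents it. Please describe the option, its unit (the parser multiplies the value by `HZ`, so seconds) and its default alongside the other 9p mount options.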
@@ -126,6 +129,7 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #ifdef CONFIG_9P_FSCACHE
v9ses->cachetag = NULL;
 #endif
+   v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
 
if (!opts)
return 0;
@@ -298,6 +302,23 @@ static int v9fs_parse_options(struct v9fs_session_info 
*v9ses, char *opts)
 #endif
break;
 
+   case Opt_locktimeout:
+   r = match_int([0], );
+   if (r < 0) {
+   p9_debug(P9_DEBUG_ERROR,
+"integer field, but no integer?\n");
+   ret = r;
+   continue;
+   }
+   if (option < 1) {
+   p9_debug(P9_DEBUG_ERROR,
+"locktimeout must be a greater than 
zero integer.\n");
+   ret = -EINVAL;
+   continue;
+   }
+   v9ses->session_lock_timeout = (long)option * HZ;
+   break;
+
default:
continue;
}
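Review bot: the `p9_debug()` message in the `r < 0` branch of the new `Opt_locktimeout` case, "integer field, but no integer?", does not say which option failed to parse. Naming `locktimeout` there, as the `option < 1` branch already does, would make a rejected mount easier to diagnose.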
diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
index 099c7712631c..5e748e716b36 100644
--- a/fs/9p/v9fs.h
+++ b/fs/9p/v9fs.h
@@ -117,6 +117,7 @@ struct v9fs_session_info {
struct list_head slist; /* list of sessions registered with v9fs */
struct backing_dev_info bdi;
struct rw_semaphore rename_sem;
+   long session_lock_timeout; /* retry interval for blocking locks */
 };
 
 /* cache_validity flags */
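Review bot: the comment on the new `session_lock_timeout` member omits the unit. The parser stores `option * HZ`, so the field holds jiffies while the mount option is given in seconds; saying "in jiffies" in the comment would prevent a later caller from passing it where seconds are expected.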
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 5594505e6e73..1d32409e5a19 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -152,6 +152,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
uint8_t status;
int res = 0;
unsigned char fl_type;
+   struct v9fs_session_info *v9ses;
 
fid = filp->private_data;
BUG_ON(fid == NULL);
@@ -187,6 +188,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
if (IS_SETLKW(cmd))
flock.flags = P9_LOCK_FLAGS_BLOCK;
 
+   v9ses = v9fs_inode2v9ses(file_inode(filp));
+
/*
 * if its a blocked request and we get P9_LOCK_BLOCKED as the status
 * for lock request, keep on trying
@@ -200,7 +203,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, 
struct file_lock *fl)
break;
if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
break;
-   if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+   if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
+   != 0)
break;
}
 
-- 
2.19.1



[PATCH AUTOSEL 3.18 01/10] rsi: improve kernel thread handling to fix kernel panic

2019-03-29 Thread Sasha Levin
From: Siva Rebbagondla 

[ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]

While running regressions, observed the kernel panic below when sdio disconnect
is called. This is because kthread_stop() takes care of
wait_for_completion() by default. When wait_for_completion() is triggered
in kthread_stop() after it was already done, it gives a kernel panic.
Hence, removing the redundant wait_for_completion() from rsi_kill_thread().

... skipping ...
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [] exit_creds+0x1f/0x50
PGD 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
Stack:
88007392e600 880075847dc0 8108160a 
88007392e600 880075847de8 810a484b 880076127000
88003cd3a800 880074f12a00 880075847e28 c09bed15
Call Trace:
[] __put_task_struct+0x5a/0x140
[] kthread_stop+0x10b/0x110
[] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
[] ? __pm_runtime_resume+0x5b/0x80
[] sdio_bus_remove+0x38/0x100
[] __device_release_driver+0xa4/0x150
[] driver_detach+0xb5/0xc0
[] bus_remove_driver+0x55/0xd0
[] driver_unregister+0x2c/0x50
[] sdio_unregister_driver+0x1a/0x20
[] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
[] SyS_delete_module+0x1b8/0x210
[] entry_SYSCALL_64_fastpath+0x1c/0xbb

Signed-off-by: Siva Rebbagondla 
Signed-off-by: Kalle Valo 
Signed-off-by: Sasha Levin 
---
 drivers/net/wireless/rsi/rsi_common.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_common.h 
b/drivers/net/wireless/rsi/rsi_common.h
index d3fbe33d2324..a13f08fd8690 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
atomic_inc(>thread_done);
rsi_set_event(>event);
 
-   wait_for_completion(>completion);
return kthread_stop(handle->task);
 }
 
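Review bot: with `wait_for_completion()` removed, `rsi_kill_thread()` still bumps `thread_done` and fires the event before calling `kthread_stop(handle->task)`. If the thread function returns on its own once it sees `thread_done`, `kthread_stop()` can end up operating on a task that has already exited, so please confirm the thread loop leaves only via `kthread_should_stop()`. If nothing waits on the `completion` member any more, it should be removed in the same patch.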
-- 
2.19.1



[PATCH AUTOSEL 3.18 07/10] iommu/dmar: Fix buffer overflow during PCI bus notification

2019-03-29 Thread Sasha Levin
From: Julia Cartwright 

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
device path") changed the type of the path data, however, the change in
path type was not reflected in size calculations.  Update to use the
correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to
an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
or can lead to overflow of slab-allocated data.

   BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
   Write of size 1 at addr 90445d80 by task swapper/0/1
   CPU: 0 PID: 1 Comm: swapper/0 Tainted: GW   4.14.87-rt49-02406-gd0a0e96 #1
   Call Trace:
? dump_stack+0x46/0x59
? print_address_description+0x1df/0x290
? dmar_alloc_pci_notify_info+0x1d5/0x2e0
? kasan_report+0x256/0x340
? dmar_alloc_pci_notify_info+0x1d5/0x2e0
? e820__memblock_setup+0xb0/0xb0
? dmar_dev_scope_init+0x424/0x48f
? __down_write_common+0x1ec/0x230
? dmar_dev_scope_init+0x48f/0x48f
? dmar_free_unused_resources+0x109/0x109
? cpumask_next+0x16/0x20
? __kmem_cache_create+0x392/0x430
? kmem_cache_create+0x135/0x2f0
? e820__memblock_setup+0xb0/0xb0
? intel_iommu_init+0x170/0x1848
? _raw_spin_unlock_irqrestore+0x32/0x60
? migrate_enable+0x27a/0x5b0
? sched_setattr+0x20/0x20
? migrate_disable+0x1fc/0x380
? task_rq_lock+0x170/0x170
? try_to_run_init_process+0x40/0x40
? locks_remove_file+0x85/0x2f0
? dev_prepare_static_identity_mapping+0x78/0x78
? rt_spin_unlock+0x39/0x50
? lockref_put_or_lock+0x2a/0x40
? dput+0x128/0x2f0
? __rcu_read_unlock+0x66/0x80
? __fput+0x250/0x300
? __rcu_read_lock+0x1b/0x30
? mntput_no_expire+0x38/0x290
? e820__memblock_setup+0xb0/0xb0
? pci_iommu_init+0x25/0x63
? pci_iommu_init+0x25/0x63
? do_one_initcall+0x7e/0x1c0
? initcall_blacklisted+0x120/0x120
? kernel_init_freeable+0x27b/0x307
? rest_init+0xd0/0xd0
? kernel_init+0xf/0x120
? rest_init+0xd0/0xd0
? ret_from_fork+0x1f/0x40
   The buggy address belongs to the variable:
dmar_pci_notify_info_buf+0x40/0x60

Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path")
Signed-off-by: Julia Cartwright 
Signed-off-by: Joerg Roedel 
Signed-off-by: Sasha Levin 
---
 drivers/iommu/dmar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
index 6b78e131f6dd..f6a42ea14ef1 100644
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -134,7 +134,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned 
long event)
for (tmp = dev; tmp; tmp = tmp->bus->self)
level++;
 
-   size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
+   size = sizeof(*info) + level * sizeof(info->path[0]);
if (size <= sizeof(dmar_pci_notify_info_buf)) {
info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf;
} else {
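Review bot: `sizeof(info->path[0])` in the new size expression is taken before `info` is assigned in the lines that follow. That is valid because `sizeof` does not evaluate its operand, but a one-line comment would spare the next reader the double take. Deriving the element size from the array member rather than a named struct is the right direction, since the commit message attributes the overflow to the type changing underneath the old expression.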
-- 
2.19.1
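
The size mismatch this commit message describes, as an added example that is not part of the patch or of the kernel source. The struct layouts, `STATIC_BUF_SIZE` and every function name below are simplified assumptions, chosen to show how an element size named by hand undercounts once the array's real type grows, first past the static buffer and then past the heap allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins with assumed layouts; not the kernel's definitions. */
struct old_path { uint8_t device, function; };       /* type named in the old size expression */
struct new_path { uint8_t bus, device, function; };  /* type the array really holds */

struct notify_info {
	uint16_t seg;
	uint16_t level;
	struct new_path path[];  /* one entry per level of the PCI hierarchy */
};

#define STATIC_BUF_SIZE 32   /* constructed size for the preallocated buffer */

struct plan {
	int    uses_static;  /* 1 if the size test selects the static buffer */
	size_t capacity;     /* bytes really available at the chosen destination */
	size_t needed;       /* bytes the fill loop will write */
	size_t overrun;      /* needed - capacity, or 0 if the data fits */
};

/* Old expression: the element size comes from a type written out by hand. */
static size_t size_buggy(size_t level)
{
	return sizeof(struct notify_info) + level * sizeof(struct old_path);
}

/* Fixed expression: the element size comes from the array member itself. */
static size_t size_fixed(size_t level)
{
	struct notify_info *info = NULL;  /* operand of sizeof only, never dereferenced */

	return sizeof(*info) + level * sizeof(info->path[0]);
}

/* Replay the allocation decision and compare it with what will be written. */
static struct plan make_plan(size_t level, size_t (*size_fn)(size_t))
{
	struct plan p;
	size_t size = size_fn(level);

	p.uses_static = size <= STATIC_BUF_SIZE;
	p.capacity = p.uses_static ? STATIC_BUF_SIZE : size;
	p.needed = offsetof(struct notify_info, path) + level * sizeof(struct new_path);
	p.overrun = p.needed > p.capacity ? p.needed - p.capacity : 0;
	return p;
}

/* Smallest level in 1..max at which the fill would overrun, or -1 if none. */
static int first_overrun_level(size_t max, size_t (*size_fn)(size_t))
{
	for (size_t level = 1; level <= max; level++)
		if (make_plan(level, size_fn).overrun)
			return (int)level;
	return -1;
}

int main(void)
{
	printf("level  buggy(dest,overrun)  fixed(dest,overrun)\n");
	for (size_t level = 8; level <= 20; level += 2) {
		struct plan b = make_plan(level, size_buggy);
		struct plan f = make_plan(level, size_fixed);

		printf("%5zu  %-6s %2zu            %-6s %2zu\n", level,
		       b.uses_static ? "static" : "heap", b.overrun,
		       f.uses_static ? "static" : "heap", f.overrun);
	}
	return 0;
}
```

Shallow hierarchies hide the bug because the static buffer has slack; the overrun only appears once the depth uses that slack up, which is why the commit message ties it to deep PCI hierarchies.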



Re: [PATCH v2 4/5] signal: PIDFD_SIGNAL_TID threads via pidfds

2019-03-29 Thread Christian Brauner
On Sat, Mar 30, 2019 at 02:22:29AM +0100, Christian Brauner wrote:
> On Sat, Mar 30, 2019 at 02:06:34AM +0100, Jann Horn wrote:
> > On Fri, Mar 29, 2019 at 4:54 PM Christian Brauner wrote:
> > > With the addition of pidfd_open() it is possible for users to reference a
> > > specific thread by doing:
> > >
> > > int pidfd = pidfd_open(, 0);
> > >
> > > This means we can extend pidfd_send_signal() to signal a specific thread.
> > > As promised in the commit for pidfd_send_signal() [1] the extension is
> > > based on a flag argument, i.e. the scope of the signal delivery is based on
> > > the flag argument, not on the type of file descriptor.
> > > To this end the flag PIDFD_SIGNAL_TID is added. With this change we now
> > > cover most of the functionality of all the other signal sending functions
> > > combined:
> > [...]
> > > diff --git a/include/uapi/linux/wait.h b/include/uapi/linux/wait.h
> > > index d6c7c0701997..b72f0ef84fe5 100644
> > > --- a/include/uapi/linux/wait.h
> > > +++ b/include/uapi/linux/wait.h
> > [...]
> > > +/* Flags to pass to pidfd_send_signal */
> > > +#define PIDFD_SIGNAL_TID 1 /* Send signal to specific thread */
> > 
> > nit: s/1/1U/; the flags argument is an `unsigned int`
> 
> Will change.
> 
> > 
> > >  #endif /* _UAPI_LINUX_WAIT_H */
> > > diff --git a/kernel/signal.c b/kernel/signal.c
> > > index eb97d0cc6ef7..9f93da85b2b9 100644
> > > --- a/kernel/signal.c
> > > +++ b/kernel/signal.c
> > [...]
> > > +static int pidfd_send_signal_specific(struct pid *pid, int sig,
> > > + struct kernel_siginfo *info)
> > > +{
> > > +   struct task_struct *p;
> > > +   int error = -ESRCH;
> > > +
> > > +   rcu_read_lock();
> > > +   p = pid_task(pid, PIDTYPE_PID);
> > > +   if (p)
> > > +   error = __do_send_specific(p, sig, info);
> > > +   rcu_read_unlock();
> > > +
> > > +   return error;
> > > +}
> > > +
> > >  /**
> > > - * sys_pidfd_send_signal - send a signal to a process through a task file
> > > - *  descriptor
> > > + * sys_pidfd_send_signal - send a signal to a process through a pidfd
> > > +
> > >   * @pidfd:  the file descriptor of the process
> > >   * @sig:signal to be sent
> > >   * @info:   the signal info
> > >   * @flags:  future flags to be passed
> > 
> > nit: comment is outdated, it isn't "future flags" anymore
> 
> Will remove.
> 
> > 
> > [...]
> > > + *   rt_tgsigqueueinfo(, , , )
> > > + * - pidfd_send_signal(, , , PIDFD_SIGNAL_TID);
> > > + *   which is equivalent to
> > > + *   rt_tgsigqueueinfo(, , , )
> > > + *
> > >   * In order to extend the syscall to threads and process groups the 
> > > @flags
> > >   * argument should be used. In essence, the @flags argument will 
> > > determine
> > >   * what is signaled and not the file descriptor itself. Put in other 
> > > words,
> > 
> > nit: again, outdated comment about @flags
> 
> Will update.
> 
> > 
> > [...]
> > > @@ -3626,43 +3695,16 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, 
> > > int, sig,
> > > prepare_kill_siginfo(sig, );
> > > }
> > >
> > > -   ret = kill_pid_info(sig, , pid);
> > > +   if (flags & PIDFD_SIGNAL_TID)
> > > +   ret = pidfd_send_signal_specific(pid, sig, );
> > > +   else
> > > +   ret = kill_pid_info(sig, , pid);
> > 
> > nit: maybe give pidfd_send_signal_specific() and kill_pid_info() the
> > same signatures, since they perform similar operations with the same
> > argument types?
> 
> Yes, let's do
> pidfd_send_signal_specific.(pid, sig, );
> kill_pid_info..(pid, sig, );
> 
> so it matches the argument order of the syscalls itself too.

Strike that. We should do:
pidfd_send_signal_specific.(sig, , pid);
kill_pid_info..(sig, , pid);

because kill_pid_info() is called in multiple places so we would
needlessly shovel code around.

> 
> > 
> > Something that was already kinda weird in the existing code, but is
> > getting worse with TIDs is the handling of SI_USER with siginfo.
> 
> Right, that's what we discussed earlier.
> 
> > Copying context lines from above here:
> > 
> > if (info) {
> > ret = copy_siginfo_from_user_any(, info);
> > if (unlikely(ret))
> > goto err;
> > ret = -EINVAL;
> > if (unlikely(sig != kinfo.si_signo))
> > goto err;
> > if ((task_pid(current) != pid) &&
> > (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) {
> > /* Only allow sending arbitrary signals to 
> > yourself. */
> > ret = -EPERM;
> > if (kinfo.si_code != SI_USER)
> > goto err;
> > /* Turn this into a regular kill signal. */
> > prepare_kill_siginfo(sig, );
> > }
> > } else {
> 

[PATCH AUTOSEL 4.4 07/16] ACPI / SBS: Fix GPE storm on recent MacBookPro's

2019-03-29 Thread Sasha Levin
From: Ronald Tschalär 

[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]

On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).

In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want to
ignore the charger here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
Signed-off-by: Ronald Tschalär 
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/sbs.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index cb3dedb1beae..b133dac8a7f2 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -443,9 +443,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
 
/*
 * The spec requires that bit 4 always be 1. If it's not set, assume
-* that the implementation doesn't support an SBS charger
+* that the implementation doesn't support an SBS charger.
+*
+* And on some MacBooks a status of 0x is always returned, no
+* matter whether the charger is plugged in or not, which is also
+* wrong, so ignore the SBS charger for those too.
 */
-   if (!((status >> 4) & 0x1))
+   if (!((status >> 4) & 0x1) || status == 0x)
return -ENODEV;
 
sbs->charger_present = (status >> 15) & 0x1;
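Review bot: the second operand added to the `if` compares `status` against a bare literal that is spelled out again in the new comment. The commit message calls this value "all 1's"; a named constant, or a value derived from the width of `status`, would keep the check and the comment from drifting apart and make the intent readable at the test itself.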
-- 
2.19.1



[PATCH AUTOSEL 3.18 05/10] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms

2019-03-29 Thread Sasha Levin
From: Bartlomiej Zolnierkiewicz 

[ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ]

"S3C2410 PM Suspend Memory CRC" feature (controlled by
SAMSUNG_PM_CHECK config option) is incompatible with highmem
(uses phys_to_virt() instead of proper mapping) which is used by
the majority of Exynos boards. The issue manifests itself in OOPS
on affected boards, i.e. on Odroid-U3 I got the following one:

Unable to handle kernel paging request at virtual address f000
pgd = 1c0f9bb4
[f000] *pgd=
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[] (crc32_le) from [] (s3c_pm_makecheck+0x34/0x54)
[] (s3c_pm_makecheck) from [] (s3c_pm_run_res+0x74/0x8c)
[] (s3c_pm_run_res) from [] (s3c_pm_run_res+0x44/0x8c)
[] (s3c_pm_run_res) from [] (exynos_suspend_enter+0x64/0x148)
[] (exynos_suspend_enter) from [] (suspend_devices_and_enter+0x9ec/0xe74)
[] (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04)
[] (pm_suspend) from [] (state_store+0x6c/0xcc)
[] (state_store) from [] (kobj_attr_store+0x14/0x20)
[] (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50)
[] (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e4)
[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x140)
[] (__vfs_write) from [] (vfs_write+0xa4/0x160)
[] (vfs_write) from [] (ksys_write+0x40/0x8c)
[] (ksys_write) from [] (ret_fast_syscall+0x0/0x28)

Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.

Signed-off-by: Bartlomiej Zolnierkiewicz 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Sasha Levin 
---
 arch/arm/plat-samsung/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
index 9bd2776e7d05..2c3cf321f933 100644
--- a/arch/arm/plat-samsung/Kconfig
+++ b/arch/arm/plat-samsung/Kconfig
@@ -287,7 +287,7 @@ config S3C_PM_DEBUG_LED_SMDK
 
 config SAMSUNG_PM_CHECK
bool "S3C2410 PM Suspend Memory CRC"
-   depends on PM
+   depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
select CRC32
help
  Enable the PM code's memory area checksum over sleep. This option
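Review bot: the new `depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)` line encodes a platform whitelist, while the commit message gives the actual constraint as incompatibility with highmem (`phys_to_virt()` instead of a proper mapping). A whitelisted platform built with highmem could still reach the same oops; consider adding `!HIGHMEM` to the dependency so the option tracks the real condition.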
-- 
2.19.1



[PATCH AUTOSEL 3.18 02/10] 9p: do not trust pdu content for stat item size

2019-03-29 Thread Sasha Levin
From: Gertjan Halkes 

[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/vfs_dir.c   | 8 +++-
 net/9p/protocol.c | 3 ++-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index cfe4cf6486af..fa7d1c3536e6 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -104,7 +104,6 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
int err = 0;
struct p9_fid *fid;
int buflen;
-   int reclen = 0;
struct p9_rdir *rdir;
 
p9_debug(P9_DEBUG_VFS, "name %pD\n", file);
@@ -129,11 +128,10 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
while (rdir->head < rdir->tail) {
err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
  rdir->tail - rdir->head, );
-   if (err) {
+   if (err <= 0) {
p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
return -EIO;
}
-   reclen = st.size+2;
 
over = !dir_emit(ctx, st.name, strlen(st.name),
 v9fs_qid2ino(), dt_type());
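Review bot: after this change `err` holds a positive byte count on success, and the `err <= 0` test turns every failure, including a zero-length result, into `-EIO`. Rejecting zero is what keeps the loop from spinning without progress, so it deserves a comment; renaming the variable (for example to `ret`) would also stop the next reader from treating a positive value as an error.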
@@ -141,8 +139,8 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
if (over)
return 0;
 
-   rdir->head += reclen;
-   ctx->pos += reclen;
+   rdir->head += err;
+   ctx->pos += err;
}
}
 }
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index bceb6999614f..66613837b287 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -578,9 +578,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int 
len, struct p9_wstat *st)
if (ret) {
p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
trace_9p_protocol_dump(clnt, _pdu);
+   return ret;
}
 
-   return ret;
+   return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9stat_read);
 
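Review bot: `p9stat_read()` now returns `fake_pdu.offset` on success instead of 0, which changes the contract of a function exported with `EXPORT_SYMBOL`. Any caller that still tests the result with `if (ret)` will treat success as failure, so every call site needs the same `<= 0` conversion made in `v9fs_dir_readdir()`, and the function should carry a comment stating that a positive return is the number of bytes consumed.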
-- 
2.19.1



[PATCH AUTOSEL 4.4 06/16] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms

2019-03-29 Thread Sasha Levin
From: Bartlomiej Zolnierkiewicz 

[ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ]

"S3C2410 PM Suspend Memory CRC" feature (controlled by
SAMSUNG_PM_CHECK config option) is incompatible with highmem
(uses phys_to_virt() instead of proper mapping) which is used by
the majority of Exynos boards. The issue manifests itself in OOPS
on affected boards, i.e. on Odroid-U3 I got the following one:

Unable to handle kernel paging request at virtual address f000
pgd = 1c0f9bb4
[f000] *pgd=
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[] (crc32_le) from [] (s3c_pm_makecheck+0x34/0x54)
[] (s3c_pm_makecheck) from [] (s3c_pm_run_res+0x74/0x8c)
[] (s3c_pm_run_res) from [] (s3c_pm_run_res+0x44/0x8c)
[] (s3c_pm_run_res) from [] (exynos_suspend_enter+0x64/0x148)
[] (exynos_suspend_enter) from [] (suspend_devices_and_enter+0x9ec/0xe74)
[] (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04)
[] (pm_suspend) from [] (state_store+0x6c/0xcc)
[] (state_store) from [] (kobj_attr_store+0x14/0x20)
[] (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50)
[] (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e4)
[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x140)
[] (__vfs_write) from [] (vfs_write+0xa4/0x160)
[] (vfs_write) from [] (ksys_write+0x40/0x8c)
[] (ksys_write) from [] (ret_fast_syscall+0x0/0x28)

Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.

Signed-off-by: Bartlomiej Zolnierkiewicz 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Sasha Levin 
---
 arch/arm/plat-samsung/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
index 57729b915003..b9396dcf836d 100644
--- a/arch/arm/plat-samsung/Kconfig
+++ b/arch/arm/plat-samsung/Kconfig
@@ -255,7 +255,7 @@ config S3C_PM_DEBUG_LED_SMDK
 
 config SAMSUNG_PM_CHECK
bool "S3C2410 PM Suspend Memory CRC"
-   depends on PM
+   depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
select CRC32
help
  Enable the PM code's memory area checksum over sleep. This option
-- 
2.19.1



[PATCH AUTOSEL 4.4 04/16] f2fs: fix to do sanity check with current segment number

2019-03-29 Thread Sasha Levin
From: Chao Yu 

[ Upstream commit 042be0f849e5fc24116d0afecfaf926eed5cac63 ]

https://bugzilla.kernel.org/show_bug.cgi?id=200219

Reproduction way:
- mount image
- run poc code
- umount image

F2FS-fs (loop1): Bitmap was wrongly set, blk:15364
[ cut here ]
kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061!
invalid opcode:  [#1] PREEMPT SMP
CPU: 2 PID: 17686 Comm: umount Tainted: GW  O  4.18.0-rc2+ #39
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
EIP: update_sit_entry+0x459/0x4e0 [f2fs]
Code: e8 1c b5 fd ff 0f 0b 0f 0b 8b 45 e4 c7 44 24 08 9c 7a 6c f8 c7 44 24 04 
bc 4a 6c f8 89 44 24 0c 8b 06 89 04 24 e8 f7 b4 fd ff <0f> 0b 8b 45 e4 0f b6 d2 
89 54 24 10 c7 44 24 08 60 7a 6c f8 c7 44
EAX: 0032 EBX: 00f8 ECX: 0002 EDX: 0001
ESI: d7177000 EDI: f520fe68 EBP: d6477c6c ESP: d6477c34
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282
CR0: 80050033 CR2: b7fbe000 CR3: 2a99b3c0 CR4: 000406f0
Call Trace:
 f2fs_allocate_data_block+0x124/0x580 [f2fs]
 do_write_page+0x78/0x150 [f2fs]
 f2fs_do_write_node_page+0x25/0xa0 [f2fs]
 __write_node_page+0x2bf/0x550 [f2fs]
 f2fs_sync_node_pages+0x60e/0x6d0 [f2fs]
 ? sync_inode_metadata+0x2f/0x40
 ? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs]
 ? up_write+0x1e/0x80
 f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs]
 ? mark_held_locks+0x5d/0x80
 ? _raw_spin_unlock_irq+0x27/0x50
 kill_f2fs_super+0x68/0x90 [f2fs]
 deactivate_locked_super+0x3d/0x70
 deactivate_super+0x40/0x60
 cleanup_mnt+0x39/0x70
 __cleanup_mnt+0x10/0x20
 task_work_run+0x81/0xa0
 exit_to_usermode_loop+0x59/0xa7
 do_fast_syscall_32+0x1f5/0x22c
 entry_SYSENTER_32+0x53/0x86
EIP: 0xb7f95c51
Code: c1 1e f7 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 
8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 
8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
EAX:  EBX: 0871ab90 ECX: bfb2cd00 EDX: 
ESI:  EDI: 0871ab90 EBP: 0871ab90 ESP: bfb2cd7c
DS: 007b ES: 007b FS:  GS: 0033 SS: 007b EFLAGS: 0246
Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic 
snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event 
snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer 
crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc 
ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs]
---[ end trace d423f83982cfcdc5 ]---

The reason is that different log headers are using the same segment; once
one log's next block address is used by another log, it will cause a
panic as above.

Main area: 24 segs, 24 secs 24 zones
  - COLD  data: 0, 0, 0
  - WARM  data: 1, 1, 1
  - HOT   data: 20, 20, 20
  - Dir   dnode: 22, 22, 22
  - File   dnode: 22, 22, 22
  - Indir nodes: 21, 21, 21

So this patch adds a sanity check to detect such a condition to avoid
this issue.

Signed-off-by: Chao Yu 
Signed-off-by: Jaegeuk Kim 
Signed-off-by: Sasha Levin 
---
 fs/f2fs/super.c | 34 +-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index dbd7adff8b5a..bd0dfaecfac3 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1143,7 +1143,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
unsigned int segment_count_main;
unsigned int cp_pack_start_sum, cp_payload;
block_t user_block_count;
-   int i;
+   int i, j;
 
total = le32_to_cpu(raw_super->segment_count);
fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
@@ -1184,11 +1184,43 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
return 1;
+   for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) {
+   if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
+   le32_to_cpu(ckpt->cur_node_segno[j])) {
+   f2fs_msg(sbi->sb, KERN_ERR,
+   "Node segment (%u, %u) has the same "
+   "segno: %u", i, j,
+   le32_to_cpu(ckpt->cur_node_segno[i]));
+   return 1;
+   }
+   }
}
for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
return 1;
+   for (j = i + 1; j < NR_CURSEG_DATA_TYPE; j++) {
+   if (le32_to_cpu(ckpt->cur_data_segno[i]) ==
+   le32_to_cpu(ckpt->cur_data_segno[j])) {
+   f2fs_msg(sbi->sb, KERN_ERR,
+   "Data segment (%u, 
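Review bot: the range checks at the top of each loop (`>= main_segs`, `>= blocks_per_seg`) still `return 1` without logging, while the new duplicate-segment checks report the offending indices through `f2fs_msg()`. Giving the range failures a message as well would make a rejected image diagnosable from the log in both cases. The repeated `le32_to_cpu(ckpt->cur_node_segno[i])` could also be read once into a local before the inner loop.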

[PATCH AUTOSEL 4.4 05/16] serial: uartps: console_setup() can't be placed to init section

2019-03-29 Thread Sasha Levin
From: Michal Simek 

[ Upstream commit 4bb1ce2350a598502b23088b169e16b43d4bc639 ]

When console device is rebound, console_setup() is called again.
But marking it as __init means that the function will be cleared after boot is
complete. If console device is bound again console_setup() is not found
and error "Unable to handle kernel paging request at virtual address"
is reported.

Signed-off-by: Michal Simek 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/tty/serial/xilinx_uartps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/xilinx_uartps.c 
b/drivers/tty/serial/xilinx_uartps.c
index 4f2f4aca8d2e..06efcef1b495 100644
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -1145,7 +1145,7 @@ static void cdns_uart_console_write(struct console *co, 
const char *s,
  *
  * Return: 0 on success, negative errno otherwise.
  */
-static int __init cdns_uart_console_setup(struct console *co, char *options)
+static int cdns_uart_console_setup(struct console *co, char *options)
 {
struct uart_port *port = _uart_port[co->index];
int baud = 9600;
-- 
2.19.1



[PATCH AUTOSEL 4.4 02/16] 9p: do not trust pdu content for stat item size

2019-03-29 Thread Sasha Levin
From: Gertjan Halkes 

[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]

v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2

Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmad...@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes 
Signed-off-by: Dominique Martinet 
Signed-off-by: Sasha Levin 
---
 fs/9p/vfs_dir.c   | 8 +++-
 net/9p/protocol.c | 3 ++-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index 7d889f56b8e7..05769219d2c2 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
int err = 0;
struct p9_fid *fid;
int buflen;
-   int reclen = 0;
struct p9_rdir *rdir;
struct kvec kvec;
 
@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
while (rdir->head < rdir->tail) {
err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
  rdir->tail - rdir->head, );
-   if (err) {
+   if (err <= 0) {
p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
return -EIO;
}
-   reclen = st.size+2;
 
over = !dir_emit(ctx, st.name, strlen(st.name),
 v9fs_qid2ino(), dt_type());
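Review bot: after the change to "if (err <= 0)" the variable err holds a byte count on success, so its name and the debug text "returned %d" no longer describe what it carries. A separate length variable would make the loop easier to audit. Note also that every failure, including a zero-length result, is reported as -EIO, so the code returned by p9stat_read() is discarded.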
@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct 
dir_context *ctx)
if (over)
return 0;
 
-   rdir->head += reclen;
-   ctx->pos += reclen;
+   rdir->head += err;
+   ctx->pos += err;
}
}
 }
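Review bot: "ctx->pos += err" changes what the directory position counts, from the declared st.size + 2 to the number of bytes actually parsed. The two agree for well-formed records but differ when the size field sent by the server disagrees with the content, which is the case this patch is about. Please confirm that any code resuming a readdir from ctx->pos uses the same measure, and say in the changelog that head and pos now advance by the parsed length.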
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index 145f80518064..7f1b45c082c9 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int 
len, struct p9_wstat *st)
if (ret) {
p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
trace_9p_protocol_dump(clnt, _pdu);
+   return ret;
}
 
-   return ret;
+   return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9stat_read);
 
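Review bot: p9stat_read() changes its success return from 0 to the number of bytes consumed ("return fake_pdu.offset;"), and the function is exported, so any caller that tests the result with "if (ret)" now treats success as failure. The vfs_dir.c caller is updated in this patch; please check the remaining callers in this tree and state the new contract (negative errno on error, positive length on success) in the comment above the function.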
-- 
2.19.1



[PATCH AUTOSEL 4.4 16/16] include/linux/swap.h: use offsetof() instead of custom __swapoffset macro

2019-03-29 Thread Sasha Levin
From: Pi-Hsun Shih 

[ Upstream commit a4046c06be50a4f01d435aa7fe57514818e6cc82 ]

Use offsetof() to calculate offset of a field to take advantage of
compiler built-in version when possible, and avoid UBSAN warning when
compiling with Clang:

  UBSAN: Undefined behaviour in mm/swapfile.c:3010:38
  member access within null pointer of type 'union swap_header'
  CPU: 6 PID: 1833 Comm: swapon Tainted: G S4.19.23 #43
  Call trace:
   dump_backtrace+0x0/0x194
   show_stack+0x20/0x2c
   __dump_stack+0x20/0x28
   dump_stack+0x70/0x94
   ubsan_epilogue+0x14/0x44
   ubsan_type_mismatch_common+0xf4/0xfc
   __ubsan_handle_type_mismatch_v1+0x34/0x54
   __se_sys_swapon+0x654/0x1084
   __arm64_sys_swapon+0x1c/0x24
   el0_svc_common+0xa8/0x150
   el0_svc_compat_handler+0x2c/0x38
   el0_svc_compat+0x8/0x18

Link: http://lkml.kernel.org/r/20190312081902.223764-1-pih...@chromium.org
Signed-off-by: Pi-Hsun Shih 
Acked-by: Michal Hocko 
Reviewed-by: Andrew Morton 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 include/linux/swap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/swap.h b/include/linux/swap.h
index d8ca2eaa3a8b..0a0b7529dae4 100644
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -135,9 +135,9 @@ struct swap_extent {
 /*
  * Max bad pages in the new format..
  */
-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x)
 #define MAX_SWAP_BADPAGES \
-   ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / 
sizeof(int))
+   ((offsetof(union swap_header, magic.magic) - \
+ offsetof(union swap_header, info.badpages)) / sizeof(int))
 
 enum {
SWP_USED= (1 << 0), /* is slot in swap_info[] used? */
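Review bot: MAX_SWAP_BADPAGES changes type with this hunk. The removed __swapoffset() cast each offset to unsigned long, while offsetof() yields size_t, which is not unsigned long on every 32-bit architecture. Please check the users of MAX_SWAP_BADPAGES for printk formats or comparisons that assumed the old type.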
-- 
2.19.1



[PATCH AUTOSEL 3.18 10/10] include/linux/swap.h: use offsetof() instead of custom __swapoffset macro

2019-03-29 Thread Sasha Levin
From: Pi-Hsun Shih 

[ Upstream commit a4046c06be50a4f01d435aa7fe57514818e6cc82 ]

Use offsetof() to calculate offset of a field to take advantage of
compiler built-in version when possible, and avoid UBSAN warning when
compiling with Clang:

  UBSAN: Undefined behaviour in mm/swapfile.c:3010:38
  member access within null pointer of type 'union swap_header'
  CPU: 6 PID: 1833 Comm: swapon Tainted: G S4.19.23 #43
  Call trace:
   dump_backtrace+0x0/0x194
   show_stack+0x20/0x2c
   __dump_stack+0x20/0x28
   dump_stack+0x70/0x94
   ubsan_epilogue+0x14/0x44
   ubsan_type_mismatch_common+0xf4/0xfc
   __ubsan_handle_type_mismatch_v1+0x34/0x54
   __se_sys_swapon+0x654/0x1084
   __arm64_sys_swapon+0x1c/0x24
   el0_svc_common+0xa8/0x150
   el0_svc_compat_handler+0x2c/0x38
   el0_svc_compat+0x8/0x18

Link: http://lkml.kernel.org/r/20190312081902.223764-1-pih...@chromium.org
Signed-off-by: Pi-Hsun Shih 
Acked-by: Michal Hocko 
Reviewed-by: Andrew Morton 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 include/linux/swap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/swap.h b/include/linux/swap.h
index 1dc0e886227d..054cddb52482 100644
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -143,9 +143,9 @@ struct swap_extent {
 /*
  * Max bad pages in the new format..
  */
-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x)
 #define MAX_SWAP_BADPAGES \
-   ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / 
sizeof(int))
+   ((offsetof(union swap_header, magic.magic) - \
+ offsetof(union swap_header, info.badpages)) / sizeof(int))
 
 enum {
SWP_USED= (1 << 0), /* is slot in swap_info[] used? */
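Review bot: the UBSAN report is only avoided if offsetof() in this older tree expands to the compiler builtin. If it falls back to a null-pointer cast for the toolchain in use, the new MAX_SWAP_BADPAGES evaluates the same expression the removed __swapoffset() did. Please confirm which definition applies for 3.18 and that swap.h picks it up through an include it already has.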
-- 
2.19.1



[PATCH AUTOSEL 3.18 09/10] lib/div64.c: off by one in shift

2019-03-29 Thread Sasha Levin
From: Stanislaw Gruszka 

[ Upstream commit cdc94a37493135e355dfc0b0e086d84e3eadb50d ]

fls counts bits starting from 1 to 32 (returns 0 for zero argument).  If
we add 1 we shift right one bit more and lose precision from divisor,
which causes the function to return incorrect results with some numbers.

Corrected code was tested in user-space, see bugzilla:
   https://bugzilla.kernel.org/show_bug.cgi?id=202391

Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgrus...@redhat.com
Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
Signed-off-by: Stanislaw Gruszka 
Reported-by: Siarhei Volkau 
Tested-by: Siarhei Volkau 
Acked-by: Oleg Nesterov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 lib/div64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/div64.c b/lib/div64.c
index 4382ad7e..ce76dc3d674e 100644
--- a/lib/div64.c
+++ b/lib/div64.c
@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
quot = div_u64_rem(dividend, divisor, );
*remainder = rem32;
} else {
-   int n = 1 + fls(high);
+   int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
 
if (quot != 0)
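Review bot: "int n = fls(high);" needs a comment saying why this is the right shift. With n equal to the bit length of high, "divisor >> n" keeps the top 32 significant bits of the divisor and still fits a 32-bit value for div_u64(). Without that explanation the "1 +" reads like a safety margin and is easy to reintroduce.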
@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
if (high == 0) {
quot = div_u64(dividend, divisor);
} else {
-   int n = 1 + fls(high);
+   int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
 
if (quot != 0)
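Review bot: the same one-line fix is applied twice, here in div64_u64() and above in div64_u64_rem(), because the two functions duplicate the shift-and-estimate step. The message says the corrected code was tested in user space; adding those cases as an in-tree test would catch a future divergence between the two copies.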
-- 
2.19.1



[PATCH AUTOSEL 4.4 12/16] ext4: prohibit fstrim in norecovery mode

2019-03-29 Thread Sasha Levin
From: "Darrick J. Wong" 

[ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ]

The ext4 fstrim implementation uses the block bitmaps to find free space
that can be discarded.  If we haven't replayed the journal, the bitmaps
will be stale and we absolutely *cannot* use stale metadata to zap the
underlying storage.

Signed-off-by: Darrick J. Wong 
Signed-off-by: Theodore Ts'o 
Signed-off-by: Sasha Levin 
---
 fs/ext4/ioctl.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index bcd7c4788903..e44e3cd738b6 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -599,6 +599,13 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, 
unsigned long arg)
if (!blk_queue_discard(q))
return -EOPNOTSUPP;
 
+   /*
+* We haven't replayed the journal, so we cannot use our
+* block-bitmap-guided storage zapping commands.
+*/
+   if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
+   return -EROFS;
+
if (copy_from_user(, (struct fstrim_range __user *)arg,
sizeof(range)))
return -EFAULT;
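Review bot: the new check returns -EROFS, but the condition is an unreplayed journal (NOLOAD on a filesystem that has a journal), not a read-only mount, so a caller of the fstrim ioctl sees "read-only file system" with no hint about norecovery. Either justify the errno in the comment or log a message when the check fires. The comment would also be clearer if it said the block bitmaps may be stale, as the commit message does, instead of "storage zapping commands".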
-- 
2.19.1



[PATCH AUTOSEL 4.4 10/16] crypto: sha512/arm - fix crash bug in Thumb2 build

2019-03-29 Thread Sasha Levin
From: Ard Biesheuvel 

[ Upstream commit c64316502008064c158fa40cc250665e461b0f2a ]

The SHA512 code we adopted from the OpenSSL project uses a rather
peculiar way to take the address of the round constant table: it
takes the address of the sha256_block_data_order() routine, and
subtracts a constant known quantity to arrive at the base of the
table, which is emitted by the same assembler code right before
the routine's entry point.

However, recent versions of binutils have helpfully changed the
behavior of references emitted via an ADR instruction when running
in Thumb2 mode: it now takes the Thumb execution mode bit into
account, which is bit 0 of the address. This means the produced
table address also has bit 0 set, and so we end up with an address
value pointing 1 byte past the start of the table, which results
in crashes such as

  Unable to handle kernel paging request at virtual address bf825000
  pgd = 42f44b11
  [bf825000] *pgd=8040206003, *pmd=5f1bd003, *pte=
  Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
  Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
  CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
  Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
  PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
  LR is at __this_module+0x17fd/0xe800 [sha256_arm]
  pc : []lr : []psr: 800b0033
  sp : ebc8bbe8  ip : faaabe1c  fp : 2fdd3433
  r10: 4c5f1692  r9 : e43037df  r8 : b04b0a5a
  r7 : c369d722  r6 : 39c3693e  r5 : 7a013189  r4 : 1580d26b
  r3 : 8762a9b0  r2 : eea9c2cd  r1 : 3e9ab536  r0 : 1dea4ae7
  Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA Thumb  Segment user
  Control: 70c5383d  Table: 6b8467c0  DAC: dbadc0de
  Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
  Stack: (0xebc8bbe8 to 0xebc8c000)
  ...
  unwind: Unknown symbol address bf820bca
  unwind: Index not found bf820bca
  Code: 441a ea80 40f9 440a (f85e) 3b04
  ---[ end trace e560cce92700ef8a ]---

Given that this affects older kernels as well, in case they are built
with a recent toolchain, apply a minimal backportable fix, which is
to emit another non-code label at the start of the routine, and
reference that instead. (This is similar to the current upstream state
of this file in OpenSSL)

Signed-off-by: Ard Biesheuvel 
Signed-off-by: Herbert Xu 
Signed-off-by: Sasha Levin 
---
 arch/arm/crypto/sha512-armv4.pl   | 3 ++-
 arch/arm/crypto/sha512-core.S_shipped | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl
index a2b11a844357..5fe336420bcf 100644
--- a/arch/arm/crypto/sha512-armv4.pl
+++ b/arch/arm/crypto/sha512-armv4.pl
@@ -267,10 +267,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
 .globalsha512_block_data_order
 .type  sha512_block_data_order,%function
 sha512_block_data_order:
+.Lsha512_block_data_order:
 #if __ARM_ARCH__<7
sub r3,pc,#8@ sha512_block_data_order
 #else
-   adr r3,sha512_block_data_order
+   adr r3,.Lsha512_block_data_order
 #endif
 #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
ldr r12,.LOPENSSL_armcap
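Review bot: the added ".Lsha512_block_data_order:" label sits directly under the global symbol with no comment, so it looks redundant and invites cleanup. A one-line comment saying the local label exists so that adr yields an address without the Thumb bit would protect it. Also, the commit message describes sha256_block_data_order() and quotes an oops from sha256_arm, while the patch changes the sha512 files; please reword the message or state that the sha512 code has the same construct.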
diff --git a/arch/arm/crypto/sha512-core.S_shipped 
b/arch/arm/crypto/sha512-core.S_shipped
index 3694c4d4ca2b..de9bd7f55242 100644
--- a/arch/arm/crypto/sha512-core.S_shipped
+++ b/arch/arm/crypto/sha512-core.S_shipped
@@ -134,10 +134,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
 .globalsha512_block_data_order
 .type  sha512_block_data_order,%function
 sha512_block_data_order:
+.Lsha512_block_data_order:
 #if __ARM_ARCH__<7
sub r3,pc,#8@ sha512_block_data_order
 #else
-   adr r3,sha512_block_data_order
+   adr r3,.Lsha512_block_data_order
 #endif
 #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
ldr r12,.LOPENSSL_armcap
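Review bot: sha512-core.S_shipped receives the same two-line edit as sha512-armv4.pl, and nothing in the changelog says whether the shipped file was regenerated from the perl script or edited by hand. Please state which, so the two files cannot drift apart in a later backport.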
-- 
2.19.1



[PATCH AUTOSEL 3.18 06/10] ACPI / SBS: Fix GPE storm on recent MacBookPro's

2019-03-29 Thread Sasha Levin
From: Ronald Tschalär 

[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]

On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).

In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want
to ignore the charger here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
Signed-off-by: Ronald Tschalär 
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/sbs.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index f23179e84128..0c268600a334 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -439,9 +439,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
 
/*
 * The spec requires that bit 4 always be 1. If it's not set, assume
-* that the implementation doesn't support an SBS charger
+* that the implementation doesn't support an SBS charger.
+*
+* And on some MacBooks a status of 0x is always returned, no
+* matter whether the charger is plugged in or not, which is also
+* wrong, so ignore the SBS charger for those too.
 */
-   if (!((status >> 4) & 0x1))
+   if (!((status >> 4) & 0x1) || status == 0x)
return -ENODEV;
 
sbs->charger_present = (status >> 15) & 0x1;
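Review bot: the added "status ==" comparison against the all-ones value depends on the width of status. The line below reads bit 15 as charger_present, so the value is treated as 16 bits; a named constant or an explicit 16-bit mask would make the comparison independent of how status is declared. The comment says "some MacBooks" while the commit message names MBP13,* and MBP14,*, which is worth repeating in the comment.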
-- 
2.19.1



[PATCH AUTOSEL 4.4 08/16] cifs: fallback to older infolevels on findfirst queryinfo retry

2019-03-29 Thread Sasha Levin
From: Steve French 

[ Upstream commit 3b7960caceafdfc2cdfe2850487f8d091eb41144 ]

In cases where queryinfo fails, we have cases in cifs (vers=1.0)
where with backupuid mounts we retry the query info with findfirst.
This doesn't work to some NetApp servers which don't support
WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO)
so in this case use other info levels (in this case it will usually
be level 257, SMB_FIND_FILE_DIRECTORY_INFO).

(Also fixes some indentation)

See kernel bugzilla 201435

Signed-off-by: Steve French 
Signed-off-by: Sasha Levin 
---
 fs/cifs/inode.c | 69 +++--
 1 file changed, 38 insertions(+), 31 deletions(-)

diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 5c3187df9ab9..d8bd8dd36211 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -759,43 +759,50 @@ cifs_get_inode_info(struct inode **inode, const char 
*full_path,
} else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
   (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
  == 0)) {
-   /*
-* For SMB2 and later the backup intent flag is already
-* sent if needed on open and there is no path based
-* FindFirst operation to use to retry with
-*/
-
-   srchinf = kzalloc(sizeof(struct cifs_search_info),
-   GFP_KERNEL);
-   if (srchinf == NULL) {
-   rc = -ENOMEM;
-   goto cgii_exit;
-   }
+   /*
+* For SMB2 and later the backup intent flag is already
+* sent if needed on open and there is no path based
+* FindFirst operation to use to retry with
+*/
+
+   srchinf = kzalloc(sizeof(struct cifs_search_info),
+   GFP_KERNEL);
+   if (srchinf == NULL) {
+   rc = -ENOMEM;
+   goto cgii_exit;
+   }
 
-   srchinf->endOfSearch = false;
+   srchinf->endOfSearch = false;
+   if (tcon->unix_ext)
+   srchinf->info_level = SMB_FIND_FILE_UNIX;
+   else if ((tcon->ses->capabilities &
+tcon->ses->server->vals->cap_nt_find) == 0)
+   srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD;
+   else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM)
srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO;
+   else /* no srvino useful for fallback to some netapp */
+   srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO;
 
-   srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
-   CIFS_SEARCH_CLOSE_AT_END |
-   CIFS_SEARCH_BACKUP_SEARCH;
+   srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
+   CIFS_SEARCH_CLOSE_AT_END |
+   CIFS_SEARCH_BACKUP_SEARCH;
 
-   rc = CIFSFindFirst(xid, tcon, full_path,
-   cifs_sb, NULL, srchflgs, srchinf, false);
-   if (!rc) {
-   data =
-   (FILE_ALL_INFO *)srchinf->srch_entries_start;
+   rc = CIFSFindFirst(xid, tcon, full_path,
+   cifs_sb, NULL, srchflgs, srchinf, false);
+   if (!rc) {
+   data = (FILE_ALL_INFO *)srchinf->srch_entries_start;
 
-   cifs_dir_info_to_fattr(,
-   (FILE_DIRECTORY_INFO *)data, cifs_sb);
-   fattr.cf_uniqueid = le64_to_cpu(
-   ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
-   validinum = true;
+   cifs_dir_info_to_fattr(,
+   (FILE_DIRECTORY_INFO *)data, cifs_sb);
+   fattr.cf_uniqueid = le64_to_cpu(
+   ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
+   validinum = true;
 
-   cifs_buf_release(srchinf->ntwrk_buf_start);
-   }
-   kfree(srchinf);
-   if (rc)
-   goto cgii_exit;
+   cifs_buf_release(srchinf->ntwrk_buf_start);
+   }
+   kfree(srchinf);
+   if (rc)
+   goto cgii_exit;
} else
goto cgii_exit;
 
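Review bot: after the retry succeeds, the code still reads "((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId" and sets "validinum = true" whatever info_level was chosen above. When the new branches pick SMB_FIND_FILE_UNIX, SMB_FIND_FILE_INFO_STANDARD or SMB_FIND_FILE_DIRECTORY_INFO, the reply does not have the SEARCH_ID_FULL_DIR_INFO layout, so cf_uniqueid is taken from the wrong bytes. The uniqueid assignment and validinum should be conditional on info_level being SMB_FIND_FILE_ID_FULL_DIR_INFO, and the FILE_DIRECTORY_INFO cast passed to cifs_dir_info_to_fattr() deserves the same check.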
-- 
2.19.1



[PATCH AUTOSEL 4.4 13/16] ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t

2019-03-29 Thread Sasha Levin
From: Yang Shi 

[ Upstream commit 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 ]

When running kprobe on -rt kernel, the below bug is caught:

|BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140
|CPU: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
|Hardware name: Freescale LS1021A
|[<8025a43c>] (___might_sleep)
|[<80b5b324>] (rt_spin_lock)
|[<80b5c31c>] (__patch_text_real)
|[<80b5c3ac>] (patch_text_stop_machine)
|[<802f2920>] (multi_cpu_stop)

Since patch_text_stop_machine() is called in stop_machine() which
disables IRQ, sleepable lock should not be used in this atomic context,
so replace patch_lock with a raw lock.

Signed-off-by: Yang Shi 
Signed-off-by: Sebastian Andrzej Siewior 
Reviewed-by: Arnd Bergmann 
Signed-off-by: Russell King 
Signed-off-by: Sasha Levin 
---
 arch/arm/kernel/patch.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
index 69bda1a5707e..1f665acaa6a9 100644
--- a/arch/arm/kernel/patch.c
+++ b/arch/arm/kernel/patch.c
@@ -15,7 +15,7 @@ struct patch {
unsigned int insn;
 };
 
-static DEFINE_SPINLOCK(patch_lock);
+static DEFINE_RAW_SPINLOCK(patch_lock);
 
 static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
__acquires(_lock)
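Review bot: DEFINE_RAW_SPINLOCK(patch_lock) deserves a comment stating why the lock is raw: per the commit message it is taken on the stop_machine() path with IRQs disabled. Without that note, a later conversion back to spinlock_t on -rt would reintroduce the sleeping-in-atomic BUG quoted in the changelog.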
@@ -32,7 +32,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, 
unsigned long *flags)
return addr;
 
if (flags)
-   spin_lock_irqsave(_lock, *flags);
+   raw_spin_lock_irqsave(_lock, *flags);
else
__acquire(_lock);
 
@@ -47,7 +47,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long 
*flags)
clear_fixmap(fixmap);
 
if (flags)
-   spin_unlock_irqrestore(_lock, *flags);
+   raw_spin_unlock_irqrestore(_lock, *flags);
else
__release(_lock);
 }
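Review bot: with a raw lock, everything between patch_map() taking it and patch_unmap() releasing it runs non-preemptible on -rt, and that includes the clear_fixmap(fixmap) call just above the unlock in this hunk. Please confirm that the fixmap set and clear paths take no sleeping locks on -rt, otherwise the BUG simply moves there.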
-- 
2.19.1



[PATCH AUTOSEL 4.9 19/21] appletalk: Fix use-after-free in atalk_proc_exit

2019-03-29 Thread Sasha Levin
From: YueHaibing 

[ Upstream commit 6377f787aeb945cae7abbb6474798de129e1f3ac ]

KASAN reports this:

BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
Read of size 8 at addr 8881f41fe5b0 by task syz-executor.0/2806

CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
 remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
 atalk_proc_exit+0x18/0x820 [appletalk]
 atalk_exit+0xf/0x5a [appletalk]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fb2de6b9c58 EFLAGS: 0246 ORIG_RAX: 00b0
RAX: ffda RBX: 0073bf00 RCX: 00462e99
RDX:  RSI:  RDI: 21c0
RBP: 0002 R08:  R09: 
R10:  R11: 0246 R12: 7fb2de6ba6bc
R13: 004bccaa R14: 006f6bc8 R15: 

Allocated by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2739 [inline]
 slab_alloc mm/slub.c:2747 [inline]
 kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
 kmem_cache_zalloc include/linux/slab.h:730 [inline]
 __proc_create+0x30f/0xa20 fs/proc/generic.c:408
 proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
 0xc10c01bb
 0xc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
 pde_put+0x6e/0x80 fs/proc/generic.c:647
 remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
 0xc10c031c
 0xc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8881f41fe500
 which belongs to the cache proc_dir_entry of size 256
The buggy address is located 176 bytes inside of
 256-byte region [8881f41fe500, 8881f41fe600)
The buggy address belongs to the page:
page:ea0007d07f80 count:1 mapcount:0 mapping:8881f6e69a00 index:0x0
flags: 0x2fffc000200(slab)
raw: 02fffc000200 dead0100 dead0200 8881f6e69a00
raw:  800c000c 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ^
 8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

It should check the return value of atalk_proc_init for failure,
otherwise atalk_exit will trigger use-after-free in pde_subdir_find
while unloading the module. This patch fixes the error cleanup path of atalk_init

Reported-by: Hulk Robot 
Signed-off-by: YueHaibing 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 include/linux/atalk.h|  2 +-
 net/appletalk/atalk_proc.c   |  2 +-
 net/appletalk/ddp.c  | 37 ++--
 net/appletalk/sysctl_net_atalk.c |  5 -
 4 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/include/linux/atalk.h b/include/linux/atalk.h
index 73fd8b7e9534..716d53799d1f 100644
--- a/include/linux/atalk.h
+++ b/include/linux/atalk.h
@@ -150,7 +150,7 @@ extern int sysctl_aarp_retransmit_limit;
 extern int sysctl_aarp_resolve_time;
 
 #ifdef CONFIG_SYSCTL
-extern void 

[PATCH AUTOSEL 4.9 08/21] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms

2019-03-29 Thread Sasha Levin
From: Bartlomiej Zolnierkiewicz 

[ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ]

"S3C2410 PM Suspend Memory CRC" feature (controlled by
SAMSUNG_PM_CHECK config option) is incompatible with highmem
(uses phys_to_virt() instead of proper mapping) which is used by
the majority of Exynos boards. The issue manifests itself in OOPS
on affected boards, i.e. on Odroid-U3 I got the following one:

Unable to handle kernel paging request at virtual address f000
pgd = 1c0f9bb4
[f000] *pgd=
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[] (crc32_le) from [] (s3c_pm_makecheck+0x34/0x54)
[] (s3c_pm_makecheck) from [] (s3c_pm_run_res+0x74/0x8c)
[] (s3c_pm_run_res) from [] (s3c_pm_run_res+0x44/0x8c)
[] (s3c_pm_run_res) from [] (exynos_suspend_enter+0x64/0x148)
[] (exynos_suspend_enter) from [] (suspend_devices_and_enter+0x9ec/0xe74)
[] (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04)
[] (pm_suspend) from [] (state_store+0x6c/0xcc)
[] (state_store) from [] (kobj_attr_store+0x14/0x20)
[] (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50)
[] (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e4)
[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x140)
[] (__vfs_write) from [] (vfs_write+0xa4/0x160)
[] (vfs_write) from [] (ksys_write+0x40/0x8c)
[] (ksys_write) from [] (ret_fast_syscall+0x0/0x28)

Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.

Signed-off-by: Bartlomiej Zolnierkiewicz 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Sasha Levin 
---
 arch/arm/plat-samsung/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
index e8229b9fee4a..3265b8f86069 100644
--- a/arch/arm/plat-samsung/Kconfig
+++ b/arch/arm/plat-samsung/Kconfig
@@ -258,7 +258,7 @@ config S3C_PM_DEBUG_LED_SMDK
 
 config SAMSUNG_PM_CHECK
bool "S3C2410 PM Suspend Memory CRC"
-   depends on PM
+   depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
select CRC32
help
  Enable the PM code's memory area checksum over sleep. This option
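Review bot: the new "depends on" line lists platforms, while the commit message says the actual incompatibility is with highmem (phys_to_virt() instead of a proper mapping). The help text below is unchanged; please add a sentence there about the highmem limitation, and check whether any of the listed platforms can enable HIGHMEM, in which case the dependency should name that condition as well.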
-- 
2.19.1



[PATCH AUTOSEL 4.9 21/21] include/linux/swap.h: use offsetof() instead of custom __swapoffset macro

2019-03-29 Thread Sasha Levin
From: Pi-Hsun Shih 

[ Upstream commit a4046c06be50a4f01d435aa7fe57514818e6cc82 ]

Use offsetof() to calculate offset of a field to take advantage of
compiler built-in version when possible, and avoid UBSAN warning when
compiling with Clang:

  UBSAN: Undefined behaviour in mm/swapfile.c:3010:38
  member access within null pointer of type 'union swap_header'
  CPU: 6 PID: 1833 Comm: swapon Tainted: G S4.19.23 #43
  Call trace:
   dump_backtrace+0x0/0x194
   show_stack+0x20/0x2c
   __dump_stack+0x20/0x28
   dump_stack+0x70/0x94
   ubsan_epilogue+0x14/0x44
   ubsan_type_mismatch_common+0xf4/0xfc
   __ubsan_handle_type_mismatch_v1+0x34/0x54
   __se_sys_swapon+0x654/0x1084
   __arm64_sys_swapon+0x1c/0x24
   el0_svc_common+0xa8/0x150
   el0_svc_compat_handler+0x2c/0x38
   el0_svc_compat+0x8/0x18

Link: http://lkml.kernel.org/r/20190312081902.223764-1-pih...@chromium.org
Signed-off-by: Pi-Hsun Shih 
Acked-by: Michal Hocko 
Reviewed-by: Andrew Morton 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 include/linux/swap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/swap.h b/include/linux/swap.h
index 55ff5593c193..2228907d08ff 100644
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -135,9 +135,9 @@ struct swap_extent {
 /*
  * Max bad pages in the new format..
  */
-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x)
 #define MAX_SWAP_BADPAGES \
-   ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / 
sizeof(int))
+   ((offsetof(union swap_header, magic.magic) - \
+ offsetof(union swap_header, info.badpages)) / sizeof(int))
 
 enum {
SWP_USED= (1 << 0), /* is slot in swap_info[] used? */
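Review bot: removing __swapoffset() from a header breaks any other user of the macro, and the hunk converts only MAX_SWAP_BADPAGES. A grep for __swapoffset across this tree and a build of mm/swapfile.c, the file named in the UBSAN report, should accompany the backport. Minor: the comment above the macro still ends in a double period ("format..").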
-- 
2.19.1



[PATCH AUTOSEL 4.4 15/16] lib/div64.c: off by one in shift

2019-03-29 Thread Sasha Levin
From: Stanislaw Gruszka 

[ Upstream commit cdc94a37493135e355dfc0b0e086d84e3eadb50d ]

fls counts bits starting from 1 to 32 (returns 0 for zero argument).  If
we add 1 we shift right one bit more and lose precision from divisor,
which causes the function to return incorrect results with some numbers.

Corrected code was tested in user-space, see bugzilla:
   https://bugzilla.kernel.org/show_bug.cgi?id=202391

Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgrus...@redhat.com
Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
Signed-off-by: Stanislaw Gruszka 
Reported-by: Siarhei Volkau 
Tested-by: Siarhei Volkau 
Acked-by: Oleg Nesterov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 lib/div64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/div64.c b/lib/div64.c
index 62a698a432bc..75b8521c2146 100644
--- a/lib/div64.c
+++ b/lib/div64.c
@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
quot = div_u64_rem(dividend, divisor, );
*remainder = rem32;
} else {
-   int n = 1 + fls(high);
+   int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
 
if (quot != 0)
@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
if (high == 0) {
quot = div_u64(dividend, divisor);
} else {
-   int n = 1 + fls(high);
+   int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
 
if (quot != 0)
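Review bot: the Fixes: tag names 658716d19f8f, while the hunks change both div64_u64() and div64_u64_rem(). For a stable backport, please confirm that the "1 + fls(high)" in each function of this tree comes from commits that are actually present here, so the changelog matches what is being fixed in 4.4.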
-- 
2.19.1
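The off-by-one described in this commit message (and in the 3.18 copy of the same patch earlier on the page), as an added user-space example that is not code from the patch or the kernel tree: it models the high != 0 path of div64_u64() with both shifts and compares the result against native 64-bit division. fls32(), div_u64_model(), div64_u64_model(), count_wrong() and the sample operands are constructed for the example, and the decrement-and-correct tail after "if (quot != 0)" is an assumption, since the hunk shows only that first line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-in for the kernel's fls(): index of the highest set
 * bit counted from 1, and 0 when x is 0. */
static int fls32(uint32_t x)
{
	int n = 0;

	while (x) {
		n++;
		x >>= 1;
	}
	return n;
}

/* Stand-in for div_u64(): 64-bit dividend, 32-bit divisor. */
static uint64_t div_u64_model(uint64_t dividend, uint32_t divisor)
{
	return dividend / divisor;
}

/*
 * Model of div64_u64(). extra = 1 reproduces the old "n = 1 + fls(high)",
 * extra = 0 the patched "n = fls(high)".
 * Assumption: the tail after "if (quot != 0)" decrements the estimate and
 * then adds one back when the remainder is still >= divisor.
 */
static uint64_t div64_u64_model(uint64_t dividend, uint64_t divisor, int extra)
{
	uint32_t high = (uint32_t)(divisor >> 32);
	uint64_t quot;
	int n;

	if (high == 0)
		return div_u64_model(dividend, (uint32_t)divisor);

	n = extra + fls32(high);
	/* Estimate from truncated operands; the estimate is never too low. */
	quot = div_u64_model(dividend >> n, (uint32_t)(divisor >> n));

	if (quot != 0)
		quot--;		/* covers an estimate that is one too high */
	if (dividend - quot * divisor >= divisor)
		quot++;		/* the decrement was not needed */
	return quot;
}

/* Constructed operand pairs; every divisor has a non-zero high word. */
static const uint64_t samples[][2] = {
	{ UINT64_MAX,            0x0000000100000003ULL },
	{ UINT64_MAX,            0x00000001ffffffffULL },
	{ 0xfffffffffffffff0ULL, 0x0000000200000007ULL },
	{ 0x8000000000000000ULL, 0x0000000100000001ULL },
	{ 0x123456789abcdef0ULL, 0x00000fedcba98765ULL },
	{ UINT64_MAX,            UINT64_MAX },
};

/* Number of sample pairs where the model disagrees with native division. */
static int count_wrong(int extra)
{
	int wrong = 0;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t a = samples[i][0], b = samples[i][1];

		if (div64_u64_model(a, b, extra) != a / b)
			wrong++;
	}
	return wrong;
}

int main(void)
{
	uint64_t a = UINT64_MAX, b = 0x0000000100000003ULL;

	printf("native       : %llx\n", (unsigned long long)(a / b));
	printf("1 + fls(high): %llx\n",
	       (unsigned long long)div64_u64_model(a, b, 1));
	printf("fls(high)    : %llx\n",
	       (unsigned long long)div64_u64_model(a, b, 0));
	printf("wrong with old shift: %d, with patched shift: %d\n",
	       count_wrong(1), count_wrong(0));
	return 0;
}
```

With the extra bit shifted out, the 31-bit divisor estimate can be two too high, which the single decrement cannot absorb; for UINT64_MAX / 0x100000003 the old shift yields 0xffffffff where the true quotient is 0xfffffffd.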



[PATCH AUTOSEL 4.9 10/21] cifs: fallback to older infolevels on findfirst queryinfo retry

2019-03-29 Thread Sasha Levin
From: Steve French 

[ Upstream commit 3b7960caceafdfc2cdfe2850487f8d091eb41144 ]

In cases where queryinfo fails, we have cases in cifs (vers=1.0)
where with backupuid mounts we retry the query info with findfirst.
This doesn't work to some NetApp servers which don't support
WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO)
so in this case use other info levels (in this case it will usually
be level 257, SMB_FIND_FILE_DIRECTORY_INFO).

(Also fixes some indentation)

See kernel bugzilla 201435

Signed-off-by: Steve French 
Signed-off-by: Sasha Levin 
---
 fs/cifs/inode.c | 67 +++--
 1 file changed, 37 insertions(+), 30 deletions(-)

diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 57c938ffeb6e..a8a2fc9ae056 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -771,43 +771,50 @@ cifs_get_inode_info(struct inode **inode, const char 
*full_path,
} else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
   (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
  == 0)) {
-   /*
-* For SMB2 and later the backup intent flag is already
-* sent if needed on open and there is no path based
-* FindFirst operation to use to retry with
-*/
+   /*
+* For SMB2 and later the backup intent flag is already
+* sent if needed on open and there is no path based
+* FindFirst operation to use to retry with
+*/
 
-   srchinf = kzalloc(sizeof(struct cifs_search_info),
-   GFP_KERNEL);
-   if (srchinf == NULL) {
-   rc = -ENOMEM;
-   goto cgii_exit;
-   }
+   srchinf = kzalloc(sizeof(struct cifs_search_info),
+   GFP_KERNEL);
+   if (srchinf == NULL) {
+   rc = -ENOMEM;
+   goto cgii_exit;
+   }
 
-   srchinf->endOfSearch = false;
+   srchinf->endOfSearch = false;
+   if (tcon->unix_ext)
+   srchinf->info_level = SMB_FIND_FILE_UNIX;
+   else if ((tcon->ses->capabilities &
+tcon->ses->server->vals->cap_nt_find) == 0)
+   srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD;
+   else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM)
srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO;
+   else /* no srvino useful for fallback to some netapp */
+   srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO;
 
-   srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
-   CIFS_SEARCH_CLOSE_AT_END |
-   CIFS_SEARCH_BACKUP_SEARCH;
+   srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
+   CIFS_SEARCH_CLOSE_AT_END |
+   CIFS_SEARCH_BACKUP_SEARCH;
 
-   rc = CIFSFindFirst(xid, tcon, full_path,
-   cifs_sb, NULL, srchflgs, srchinf, false);
-   if (!rc) {
-   data =
-   (FILE_ALL_INFO *)srchinf->srch_entries_start;
+   rc = CIFSFindFirst(xid, tcon, full_path,
+   cifs_sb, NULL, srchflgs, srchinf, false);
+   if (!rc) {
+   data = (FILE_ALL_INFO *)srchinf->srch_entries_start;
 
-   cifs_dir_info_to_fattr(,
-   (FILE_DIRECTORY_INFO *)data, cifs_sb);
-   fattr.cf_uniqueid = le64_to_cpu(
-   ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
-   validinum = true;
+   cifs_dir_info_to_fattr(,
+   (FILE_DIRECTORY_INFO *)data, cifs_sb);
+   fattr.cf_uniqueid = le64_to_cpu(
+   ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
+   validinum = true;
 
-   cifs_buf_release(srchinf->ntwrk_buf_start);
-   }
-   kfree(srchinf);
-   if (rc)
-   goto cgii_exit;
+   cifs_buf_release(srchinf->ntwrk_buf_start);
+   }
+   kfree(srchinf);
+   if (rc)
+   goto cgii_exit;
} else
goto cgii_exit;
 
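Review bot: the decode after CIFSFindFirst() still assumes SMB_FIND_FILE_ID_FULL_DIR_INFO, although info_level can now be any of four values. On success the buffer is cast to FILE_DIRECTORY_INFO for cifs_dir_info_to_fattr() and to SEARCH_ID_FULL_DIR_INFO to read UniqueId, and validinum is set to true, whichever level was requested. SMB_FIND_FILE_UNIX and SMB_FIND_FILE_INFO_STANDARD return entries with a different layout, and SMB_FIND_FILE_DIRECTORY_INFO entries carry no UniqueId at that position, so cf_uniqueid (and for the first two levels the other attributes) would be taken from the wrong bytes of the reply. Suggest switching on srchinf->info_level when decoding, and setting fattr.cf_uniqueid and validinum only in the SMB_FIND_FILE_ID_FULL_DIR_INFO case.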
-- 
2.19.1



[PATCH AUTOSEL 4.4 14/16] appletalk: Fix use-after-free in atalk_proc_exit

2019-03-29 Thread Sasha Levin
From: YueHaibing 

[ Upstream commit 6377f787aeb945cae7abbb6474798de129e1f3ac ]

KASAN reports this:

BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
Read of size 8 at addr 8881f41fe5b0 by task syz-executor.0/2806

CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 
04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
 remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
 atalk_proc_exit+0x18/0x820 [appletalk]
 atalk_exit+0xf/0x5a [appletalk]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99

Allocated by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2739 [inline]
 slab_alloc mm/slub.c:2747 [inline]
 kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
 kmem_cache_zalloc include/linux/slab.h:730 [inline]
 __proc_create+0x30f/0xa20 fs/proc/generic.c:408
 proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
 0xc10c01bb
 0xc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2806:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
 pde_put+0x6e/0x80 fs/proc/generic.c:647
 remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
 0xc10c031c
 0xc10c0166
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8881f41fe500
 which belongs to the cache proc_dir_entry of size 256
The buggy address is located 176 bytes inside of
 256-byte region [8881f41fe500, 8881f41fe600)
The buggy address belongs to the page:
page:ea0007d07f80 count:1 mapcount:0 mapping:8881f6e69a00 index:0x0
flags: 0x2fffc000200(slab)
raw: 02fffc000200 dead0100 dead0200 8881f6e69a00
raw:  800c000c 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ^
 8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

It should check the return value of atalk_proc_init for failure,
otherwise atalk_exit will trigger a use-after-free in pde_subdir_find
while unloading the module. This patch fixes the error cleanup path of atalk_init.

Reported-by: Hulk Robot 
Signed-off-by: YueHaibing 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 include/linux/atalk.h|  2 +-
 net/appletalk/atalk_proc.c   |  2 +-
 net/appletalk/ddp.c  | 37 ++--
 net/appletalk/sysctl_net_atalk.c |  5 -
 4 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/include/linux/atalk.h b/include/linux/atalk.h
index 73fd8b7e9534..716d53799d1f 100644
--- a/include/linux/atalk.h
+++ b/include/linux/atalk.h
@@ -150,7 +150,7 @@ extern int sysctl_aarp_retransmit_limit;
 extern int sysctl_aarp_resolve_time;
 
 #ifdef CONFIG_SYSCTL
-extern void 

[PATCH AUTOSEL 4.9 05/21] f2fs: fix to do sanity check with current segment number

2019-03-29 Thread Sasha Levin
From: Chao Yu 

[ Upstream commit 042be0f849e5fc24116d0afecfaf926eed5cac63 ]

https://bugzilla.kernel.org/show_bug.cgi?id=200219

Reproduction way:
- mount image
- run poc code
- umount image

F2FS-fs (loop1): Bitmap was wrongly set, blk:15364
[ cut here ]
kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061!
invalid opcode:  [#1] PREEMPT SMP
CPU: 2 PID: 17686 Comm: umount Tainted: GW  O  4.18.0-rc2+ #39
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
EIP: update_sit_entry+0x459/0x4e0 [f2fs]
Call Trace:
 f2fs_allocate_data_block+0x124/0x580 [f2fs]
 do_write_page+0x78/0x150 [f2fs]
 f2fs_do_write_node_page+0x25/0xa0 [f2fs]
 __write_node_page+0x2bf/0x550 [f2fs]
 f2fs_sync_node_pages+0x60e/0x6d0 [f2fs]
 ? sync_inode_metadata+0x2f/0x40
 ? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs]
 ? up_write+0x1e/0x80
 f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs]
 ? mark_held_locks+0x5d/0x80
 ? _raw_spin_unlock_irq+0x27/0x50
 kill_f2fs_super+0x68/0x90 [f2fs]
 deactivate_locked_super+0x3d/0x70
 deactivate_super+0x40/0x60
 cleanup_mnt+0x39/0x70
 __cleanup_mnt+0x10/0x20
 task_work_run+0x81/0xa0
 exit_to_usermode_loop+0x59/0xa7
 do_fast_syscall_32+0x1f5/0x22c
 entry_SYSENTER_32+0x53/0x86
EIP: 0xb7f95c51
Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic 
snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event 
snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer 
crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc 
ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs]
---[ end trace d423f83982cfcdc5 ]---

The reason is that different log headers are using the same segment; once
one log's next block address is used by another log, it will cause
a panic as above.

Main area: 24 segs, 24 secs 24 zones
  - COLD  data: 0, 0, 0
  - WARM  data: 1, 1, 1
  - HOT   data: 20, 20, 20
  - Dir   dnode: 22, 22, 22
  - File   dnode: 22, 22, 22
  - Indir nodes: 21, 21, 21

So this patch adds a sanity check to detect such a condition to avoid
this issue.

Signed-off-by: Chao Yu 

Signed-off-by: Jaegeuk Kim 

Signed-off-by: Sasha Levin 
---
 fs/f2fs/super.c | 34 +-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 83a96334dc07..4ebe69572475 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1489,7 +1489,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
unsigned int segment_count_main;
unsigned int cp_pack_start_sum, cp_payload;
block_t user_block_count;
-   int i;
+   int i, j;
 
total = le32_to_cpu(raw_super->segment_count);
fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
@@ -1530,11 +1530,43 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
return 1;
+   for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) {
+   if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
+   le32_to_cpu(ckpt->cur_node_segno[j])) {
+   f2fs_msg(sbi->sb, KERN_ERR,
+   "Node segment (%u, %u) has the same "
+   "segno: %u", i, j,
+   le32_to_cpu(ckpt->cur_node_segno[i]));
+   return 1;
+   }
+   }
}
for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
return 1;
+   for (j = i + 1; j < NR_CURSEG_DATA_TYPE; j++) {
+   if (le32_to_cpu(ckpt->cur_data_segno[i]) ==
+   le32_to_cpu(ckpt->cur_data_segno[j])) {
+   f2fs_msg(sbi->sb, KERN_ERR,
+   "Data segment (%u, 
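Review bot: in the new f2fs_msg() calls, i and j are printed with %u, but the first hunk declares them as int (`int i, j;`); either declare them unsigned int or print them with %d. The format string is also split across two source lines ("Node segment (%u, %u) has the same " "segno: %u"), which makes the message hard to grep for in the tree; keeping a user-visible string on one line is the usual kernel style even when it runs past 80 columns. Reading le32_to_cpu(ckpt->cur_node_segno[i]) into a local once per outer iteration would also avoid repeating the conversion in the comparison and in the message.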
