CVE-2018-20961

In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.
commit b42b71cd28f213cf4688b9891e66b57bdb6eefe8 Author: Greg Kroah-Hartman Date: Tue Apr 24 09:43:11 2018 +0200 Linux 4.16.4 commit c5e5e481dc28eec0119dd69046080c85df1048eb Author: Greg Thelen Date: Fri Apr 20 14:55:42 2018 -0700 writeback: safer lock nesting commit 2e898e4c0a3897ccd434adac5abb8330194f527b upstream. lock_page_memcg()/unlock_page_memcg() use spin_lock_irqsave/restore() if the page’s memcg is undergoing move accounting, which occurs when a process leaves its memcg for a new one that has memory.move_charge_at_immigrate set. unlocked_inode_to_wb_begin,end() use spin_lock_irq/spin_unlock_irq() if the given inode is switching writeback domains. Switches occur when enough writes are issued from a new domain. This existing pattern is thus suspicious: lock_page_memcg(page); unlocked_inode_to_wb_begin(inode, &locked); … unlocked_inode_to_wb_end(inode, locked); unlock_page_memcg(page); If both inode switch and process memcg migration are both in-flight then unlocked_inode_to_wb_end() will unconditionally enable interrupts while still holding the lock_page_memcg() irq spinlock. This suggests the possibility of deadlock if an interrupt occurs before unlock_page_memcg(). truncate __cancel_dirty_page lock_page_memcg unlocked_inode_to_wb_begin unlocked_inode_to_wb_end end_page_writeback test_clear_page_writeback lock_page_memcg unlock_page_memcg Due to configuration limitations this deadlock is not currently possible because we don’t mix cgroup writeback (a cgroupv2 feature) and memory.move_charge_at_immigrate (a cgroupv1 feature). If the kernel is hacked to always claim inode switching and memcg moving_account, then this script triggers lockup in less than a minute: cd /mnt/cgroup/memory mkdir a b echo 1 > a/memory.move_charge_at_immigrate echo 1 > b/memory.move_charge_at_immigrate ( echo $BASHPID > a/cgroup.procs while true; do dd if=/dev/zero of=/mnt/big bs=1M count=256 done ) & while true; do sync done & sleep 1h & SLEEP=$! 
while true; do echo $SLEEP > a/cgroup.procs echo $SLEEP > b/cgroup.procs done The deadlock does not seem possible, so it’s debatable if there’s any reason to modify the kernel. I suggest we should to prevent future surprises. And Wang Long said “this deadlock occurs three times in our environment", so there’s more reason to apply this, even to stable. Stable 4.4 has minor conflicts applying this patch. For a clean 4.4 patch see "[PATCH for-4.4] writeback: safer lock nesting” https://lkml.org/lkml/2018/4/11/146 Wang Long said “this deadlock occurs three times in our environment” [[email protected]: v4] Link: http://lkml.kernel.org/r/[email protected] [[email protected]: comment tweaks, struct initialization simplification] Change-Id: Ibb773e8045852978f6207074491d262f1b3fb613 Link: http://lkml.kernel.org/r/[email protected] Fixes: 682aa8e1a6a1 (“writeback: implement unlocked_inode_to_wb transaction and use it for stat updates”) Signed-off-by: Greg Thelen Reported-by: Wang Long Acked-by: Wang Long Acked-by: Michal Hocko Reviewed-by: Andrew Morton Cc: Johannes Weiner Cc: Tejun Heo Cc: Nicholas Piggin Cc: [v4.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [natechancellor: Adjust context due to lack of b93b016313b3b] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit b74dc8c00232ca556cdf3c6ae2dc2140f279cf89 Author: Jiri Kosina Date: Thu Apr 19 09:25:15 2018 +0200 HID: i2c-hid: fix inverted return value from i2c_hid_command() commit b658912cb023cd6f8e46963d29779903d3c10538 upstream. i2c_hid_command() returns non-zero in error cases (the actual errno). Error handling in for I2C_HID_QUIRK_RESEND_REPORT_DESCR case in i2c_hid_resume() had the check inverted; fix that. 
Fixes: 3e83eda467 (“HID: i2c-hid: Fix resume issue on Raydium touchscreen device”) Reported-by: Dan Carpenter Signed-off-by: Jiri Kosina Cc: Aaron Ma Signed-off-by: Greg Kroah-Hartman commit 92496da88e471ec52a2ba8920b09403d86ee3ddd Author: Weinan Li Date: Fri Feb 23 14:46:45 2018 +0800 drm/i915/gvt: init mmio by lri command in vgpu inhibit context commit cd7e61b93d068a80bfe6cb55bf00f17332d831a1 upstream. There is one issue relates to Coarse Power Gating(CPG) on KBL NUC in GVT-g, vgpu can’t get the correct default context by updating the registers before inhibit context submission. It always get back the hardware default value unless the inhibit context submission happened before the 1st time forcewake put. With this wrong default context, vgpu will run with incorrect state and meet unknown issues. The solution is initialize these mmios by adding lri command in ring buffer of the inhibit context, then gpu hardware has no chance to go down RC6 when lri commands are right being executed, and then vgpu can get correct default context for further use. v3: - fix code fault, use ‘for’ to loop through mmio render list(Zhenyu) v4: - save the count of engine mmio need to be restored for inhibit context and refine some comments. (Kevin) v5: - code rebase Cc: Kevin Tian Cc: Zhenyu Wang Signed-off-by: Weinan Li Signed-off-by: Zhenyu Wang Signed-off-by: Changbin Du Signed-off-by: Greg Kroah-Hartman commit 9fe5617e62cfcf3796245e994769c85138af1093 Author: Matthew Wilcox Date: Fri Apr 20 14:56:20 2018 -0700 mm/filemap.c: fix NULL pointer in page_cache_tree_insert() commit abc1be13fd113ddef5e2d807a466286b864caed3 upstream. f2fs specifies the __GFP_ZERO flag for allocating some of its pages. Unfortunately, the page cache also uses the mapping’s GFP flags for allocating radix tree nodes. It always masked off the __GFP_HIGHMEM flag, and masks off __GFP_ZERO in some paths, but not all. 
That causes radix tree nodes to be allocated with a NULL list_head, which causes backtraces like: __list_del_entry+0x30/0xd0 list_lru_del+0xac/0x1ac page_cache_tree_insert+0xd8/0x110 The __GFP_DMA and __GFP_DMA32 flags would also be able to sneak through if they are ever used. Fix them all by using GFP_RECLAIM_MASK at the innermost location, and remove it from earlier in the callchain. Link: http://lkml.kernel.org/r/[email protected] Fixes: 449dd6984d0e (“mm: keep page cache radix tree nodes in check”) Signed-off-by: Matthew Wilcox Reported-by: Chris Fries Debugged-by: Minchan Kim Acked-by: Johannes Weiner Acked-by: Michal Hocko Reviewed-by: Jan Kara Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8eb1a9398fda88a7f8f5759725e731dda7f3d36d Author: Ian Kent Date: Fri Apr 20 14:55:59 2018 -0700 autofs: mount point create should honour passed in mode commit 1e6306652ba18723015d1b4967fe9de55f042499 upstream. The autofs file system mkdir inode operation blindly sets the created directory mode to S_IFDIR | 0555, ingoring the passed in mode, which can cause selinux dac_override denials. But the function also checks if the caller is the daemon (as no-one else should be able to do anything here) so there’s no point in not honouring the passed in mode, allowing the daemon to set appropriate mode when required. Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Ian Kent Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 86d04eb7ecf1dec069e52e0e82f68943703fa08a Author: Dave Jiang Date: Thu Apr 19 13:39:43 2018 -0700 device-dax: allow MAP_SYNC to succeed commit ef8423022324cf79bd1b41d8707c766461e7e555 upstream. MAP_SYNC is a nop for device-dax. Allow MAP_SYNC to succeed on device-dax to eliminate special casing between device-dax and fs-dax as to when the flag can be specified. 
Device-dax users already implicitly assume that they do not need to call fsync(), and this enables them to explicitly check for this capability. Cc: Fixes: b6fb293f2497 (“mm: Define MAP_SYNC and VM_SYNC flags”) Signed-off-by: Dave Jiang Reviewed-by: Dan Williams Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit e5872ce01019ccd9cb383a1463366e0b5a443960 Author: Dan Williams Date: Mon Apr 9 12:34:24 2018 -0700 libnvdimm, dimm: handle EACCES failures from label reads commit e7c5a571a8d6a266aee9ca3f3f26e5afe3717eca upstream. The new support for the standard _LSR and _LSW methods neglected to also update the nvdimm_init_config_data() and nvdimm_set_config_data() to return the translated error code from failed commands. This precision is necessary because the locked status that was previously returned on ND_CMD_GET_CONFIG_SIZE commands is now returned on ND_CMD_{GET,SET}_CONFIG_DATA commands. If the kernel misses this indication it can inadvertently fall back to label-less mode when it should otherwise avoid all access to locked regions. Cc: Fixes: 4b27db7e26cd (“acpi, nfit: add support for the _LSI, _LSR, and…”) Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit f27f9d4eb535521d42694b00d3e7f5a70956eb29 Author: Al Viro Date: Thu Apr 19 22:03:08 2018 -0400 Don’t leak MNT_INTERNAL away from internal mounts commit 16a34adb9392b2fe4195267475ab5b472e55292c upstream. We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for their copies. As it is, creating a deep stack of bindings of /proc/*/ns/* somewhere in a new namespace and exiting yields a stack overflow. Cc: [email protected] Reported-by: Alexander Aring Bisected-by: Kirill Tkhai Tested-by: Kirill Tkhai Tested-by: Alexander Aring Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 68a8025a3b5558c9b1603fb6da130dad294696ce Author: Al Viro Date: Tue Apr 3 01:15:46 2018 -0400 rpc_pipefs: fix double-dput() commit 4a3877c4cedd95543f8726b0a98743ed8db0c0fb upstream. 
if we ever hit rpc_gssd_dummy_depopulate() dentry passed to it has refcount equal to 1. __rpc_rmpipe() drops it and dput() done after that hits an already freed dentry. Cc: [email protected] Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 7a372c7c91d67f707eca4c83f0ac3b73694d7d2f Author: Al Viro Date: Tue Apr 3 00:13:17 2018 -0400 orangefs_kill_sb(): deal with allocation failures commit 659038428cb43a66e3eff71e2c845c9de3611a98 upstream. orangefs_fill_sb() might’ve failed to allocate ORANGEFS_SB(s); don’t oops in that case. Cc: [email protected] Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit a10ddc761df5c0b5b5cec8df80152d72f3e948b1 Author: Al Viro Date: Mon Apr 2 23:50:31 2018 -0400 hypfs_kill_super(): deal with failed allocations commit a24cd490739586a7d2da3549a1844e1d7c4f4fc4 upstream. hypfs_fill_super() might fail to allocate sbi; hypfs_kill_super() should not oops on that. Cc: [email protected] Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit efc16dc36d488d193cfb2456d6ae28695141f2f3 Author: Al Viro Date: Mon Apr 2 23:56:44 2018 -0400 jffs2_kill_sb(): deal with failed allocations commit c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 upstream. jffs2_fill_super() might fail to allocate jffs2_sb_info; jffs2_kill_sb() must survive that. Cc: [email protected] Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 211a36ec7c4e37263db342860a9163c54b3dc999 Author: Ville Syrjälä Date: Wed Feb 14 21:23:23 2018 +0200 drm/i915: Correctly handle limited range YCbCr data on VLV/CHV commit 5deae9191130db6b617c94fb261804597cf9b508 upstream. Turns out the VLV/CHV fixed function sprite CSC expects full range data as input. We’ve been feeding it limited range data to it all along. To expand the data out to full range we’ll use the color correction registers (brightness, contrast, and saturation). On CHV pipe B we were actually doing the right thing already because we progammed the custom CSC matrix to do expect limited range input. 
Now that well pre-expand the data out with the color correction unit, we need to change the CSC matrix to operate with full range input instead. This should make the sprite output of the other pipes match the sprite output of pipe B reasonably well. Looking at the resulting pipe CRCs, there can be a slight difference in the output, but as I don’t know the formula used by the fixed function CSC of the other pipes, I don’t think it’s worth the effort to try to match the output exactly. It might not even be possible due to difference in internal precision etc. One slight caveat here is that the color correction registers are single bufferred, so we should really be updating them during vblank, but we still don’t have a mechanism for that, so just toss in another FIXME. v2: Rebase v3: s/bri/brightness/ s/con/contrast/ (Shashank) v4: Clarify the constants and math (Shashank) Cc: Harry Wentland Cc: Daniel Vetter Cc: Daniel Stone Cc: Russell King - ARM Linux Cc: Ilia Mirkin Cc: Hans Verkuil Cc: Shashank Sharma Cc: Uma Shankar Cc: Jyri Sarha Cc: “Tang, Jun” Reported-by: “Tang, Jun” Cc: [email protected] Fixes: 7f1f3851feb0 (“drm/i915: sprite support for ValleyView v4”) Reviewed-by: Shashank Sharma Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Greg Kroah-Hartman commit f4e3f00a34469de495310d86863ce35d9acb275a Author: Imre Deak Date: Thu Mar 22 16:36:42 2018 +0200 drm/i915: Fix hibernation with ACPI S0 target state commit 300efa9eea451bdcf3b5a1eb292222e06e85bb2c upstream. After commit dd9f31c7a3887950cbd0d49eb9d43f7a1518a356 Author: Imre Deak Date: Wed Aug 16 17:46:07 2017 +0300 drm/i915/gen9+: Set same power state before hibernation image save/restore during hibernation/suspend the power domain functionality got disabled, after which resume could leave it incorrectly disabled if the ACPI target state was S0 during suspend and i915 was not loaded by the loader kernel. 
This was caused by not considering if we resumed from hibernation as the condition for power domains reiniting. Fix this by simply tracking if we suspended power domains during system suspend and reinit power domains accordingly during resume. This will result in reiniting power domains always when resuming from hibernation, regardless of the platform and whether or not i915 is loaded by the loader kernel. The reason we didn’t catch this earlier is that the enabled/disabled state of power domains during PMSG_FREEZE/PMSG_QUIESCE is platform and kernel config dependent: on my SKL the target state is S4 during PMSG_FREEZE and (with the driver loaded in the loader kernel) S0 during PMSG_QUIESCE. On the reporter’s machine it’s S0 during PMSG_FREEZE but (contrary to this) power domains are not initialized during PMSG_QUIESCE since i915 is not loaded in the loader kernel, or it’s loaded but without the DMC firmware being available. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105196 Reported-and-tested-by: [email protected] Fixes: dd9f31c7a388 (“drm/i915/gen9+: Set same power state before hibernation image save/restore”) Cc: [email protected] Cc: Ville Syrjälä Cc: Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] (cherry picked from commit 0f90603c33bdf6575cfdc81edd53f3f13ba166fb) Signed-off-by: Joonas Lahtinen Signed-off-by: Greg Kroah-Hartman commit b7116e86a534aa3ee774d71f95c13f2b8ed02a1e Author: Daniel Kurtz Date: Fri Apr 6 16:07:59 2018 -0600 mmc: sdhci-pci: Only do AMD tuning for HS200 commit 300ad8992913025b4294d4fc37b6bfff4a8b7ad1 upstream. Commit c31165d7400b (“mmc: sdhci-pci: Add support for HS200 tuning mode on AMD, eMMC-4.5.1”) added a HS200 tuning method for use with AMD SDHCI controllers. As described in the commit subject, this tuning is specific for HS200. 
However, as implemented, this method is used for all host timings, because platform_execute_tuning, if it exists, is called unconditionally by sdhci_execute_tuning(). This breaks tuning when using the AMD controller with, for example, a DDR50 SD card. Instead, we can implement an amd execute_tuning wrapper callback, and then conditionally do the HS200 specific tuning for HS200, and otherwise call back to the standard sdhci_execute_tuning(). Signed-off-by: Daniel Kurtz Acked-by: Shyam Sundar S K Acked-by: Adrian Hunter Fixes: c31165d7400b (“mmc: sdhci-pci: Add support for HS200 tuning mode on AMD, eMMC-4.5.1”) Cc: [email protected] # v4.11+ Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 69b4bf69f36b0320b94a250351cc611e97e926fc Author: Amir Goldstein Date: Wed Apr 4 23:42:18 2018 +0300 fanotify: fix logic of events on child commit 54a307ba8d3cd00a3902337ffaae28f436eeb1a4 upstream. When event on child inodes are sent to the parent inode mark and parent inode mark was not marked with FAN_EVENT_ON_CHILD, the event will not be delivered to the listener process. However, if the same process also has a mount mark, the event to the parent inode will be delivered regadless of the mount mark mask. This behavior is incorrect in the case where the mount mark mask does not contain the specific event type. For example, the process adds a mark on a directory with mask FAN_MODIFY (without FAN_EVENT_ON_CHILD) and a mount mark with mask FAN_CLOSE_NOWRITE (without FAN_ONDIR). A modify event on a file inside that directory (and inside that mount) should not create a FAN_MODIFY event, because neither of the marks requested to get that event on the file. 
Fixes: 1968f5eed54c (“fanotify: use both marks when possible”) Cc: stable Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 47b6e5b549a7c57def999c2ac9d928a22b9bf594 Author: Jan Kara Date: Thu Apr 12 17:22:23 2018 +0200 udf: Fix leak of UTF-16 surrogates into encoded strings commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094 upstream. OSTA UDF specification does not mention whether the CS0 charset in case of two bytes per character encoding should be treated in UTF-16 or UCS-2. The sample code in the standard does not treat UTF-16 surrogates in any special way but on systems such as Windows which work in UTF-16 internally, filenames would be treated as being in UTF-16 effectively. In Linux it is more difficult to handle characters outside of Base Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte characters only. Just make sure we don’t leak UTF-16 surrogates into the resulting string when loading names from the filesystem for now. CC: [email protected] # >= v4.6 Reported-by: Mingye Wang Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 999e92eb36349868a99324719016783309b8e505 Author: Michael Ellerman Date: Mon Apr 16 23:25:19 2018 +1000 powerpc/lib: Fix off-by-one in alternate feature patching commit b8858581febb050688e276b956796bc4a78299ed upstream. When we patch an alternate feature section, we have to adjust any relative branches that branch out of the alternate section. But currently we have a bug if we have a branch that points to past the last instruction of the alternate section, eg: FTR_SECTION_ELSE 1: b 2f or 6,6,6 2: ALT_FTR_SECTION_END(…) nop This will result in a relative branch at 1 with a target that equals the end of the alternate section. That branch does not need adjusting when it’s moved to the non-else location. Currently we do adjust it, resulting in a branch that goes off into the link-time location of the else section, which is junk. 
The fix is to not patch branches that have a target == end of the alternate section. Fixes: d20fe50a7b3c (“KVM: PPC: Book3S HV: Branch inside feature section”) Fixes: 9b1a735de64c (“powerpc: Add logic to patch alternative feature sections”) Cc: [email protected] # v2.6.27+ Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 37a712b4ddf012dec426b3dd2a13d5a17dd3820f Author: Benjamin Herrenschmidt Date: Wed Apr 11 15:17:59 2018 +1000 powerpc/xive: Fix trying to “push” an already active pool VP commit b32e56e5a87a1f9243db92bc7a5df0ffb4627cfb upstream. When setting up a CPU, we “push” (activate) a pool VP for it. However it’s an error to do so if it already has an active pool VP. This happens when doing soft CPU hotplug on powernv since we don’t tear down the CPU on unplug. The HW flags the error which gets captured by the diagnostics. Fix this by making sure to “pull” out any already active pool first. Fixes: 243e25112d06 (“powerpc/xive: Native exploitation of the XIVE interrupt controller”) Cc: [email protected] # v4.12+ Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 0b883271af504a02da964a5edba0126a089befdb Author: Michael Neuling Date: Wed Apr 11 13:37:58 2018 +1000 powerpc/eeh: Fix enabling bridge MMIO windows commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream. On boot we save the configuration space of PCIe bridges. We do this so when we get an EEH event and everything gets reset that we can restore them. Unfortunately we save this state before we’ve enabled the MMIO space on the bridges. Hence if we have to reset the bridge when we come back MMIO is not enabled and we end up taking an PE freeze when the driver starts accessing again. This patch forces the memory/MMIO and bus mastering on when restoring bridges on EEH. Ideally we’d do this correctly by saving the configuration space writes later, but that will have to come later in a larger EEH rewrite. 
For now we have this simple fix. The original bug can be triggered on a boston machine by doing: echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound On boston, this PHB has a PCIe switch on it. Without this patch, you’ll see two EEH events, 1 expected and 1 the failure we are fixing here. The second EEH event causes the anything under the PHB to disappear (i.e. the i40e eth). With this patch, only 1 EEH event occurs and devices properly recover. Fixes: 652defed4875 (“powerpc/eeh: Check PCIe link after reset”) Cc: [email protected] # v3.11+ Reported-by: Pridhiviraj Paidipeddi Signed-off-by: Michael Neuling Acked-by: Russell Currey Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 051db3956541f9433451256616a018fd7b8f940f Author: Matt Redfearn Date: Tue Apr 17 16:40:00 2018 +0100 MIPS: memset.S: Fix clobber of v1 in last_fixup commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream. The label .Llast_fixup\@ is jumped to on page fault within the final byte set loop of memset (on < MIPSR6 architectures). For some reason, in this fault handler, the v1 register is randomly set to a2 & STORMASK. This clobbers v1 for the calling function. This can be observed with the following test code: static int __init __attribute__((optimize(“O0”))) test_clear_user(void) { register int t asm(“v1”); char *test; int j, k; pr_info(“\n\n\nTesting clear_user\n”); test = vmalloc(PAGE_SIZE); for (j = 256; j < 512; j++) { t = 0xa5a5a5a5; if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) { pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k); } if (t != 0xa5a5a5a5) { pr_err("v1 was clobbered to 0x%x!\n", t); } } return 0; } late_initcall(test_clear_user); Which demonstrates that v1 is indeed clobbered (MIPS64): Testing clear_user v1 was clobbered to 0x1! v1 was clobbered to 0x2! v1 was clobbered to 0x3! v1 was clobbered to 0x4! v1 was clobbered to 0x5! v1 was clobbered to 0x6! v1 was clobbered to 0x7! 
Since the number of bytes that could not be set is already contained in a2, the andi placing a value in v1 is not necessary and actively harmful in clobbering v1. Reported-by: James Hogan Signed-off-by: Matt Redfearn Cc: Ralf Baechle Cc: [email protected] Cc: [email protected] Patchwork: https://patchwork.linux-mips.org/patch/19109/ Signed-off-by: James Hogan Signed-off-by: Greg Kroah-Hartman commit 2d2aa734dcc24ae9531872432620d1bee27c4eb0 Author: Matt Redfearn Date: Tue Apr 17 15:52:21 2018 +0100 MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream. The __clear_user function is defined to return the number of bytes that could not be cleared. From the underlying memset / bzero implementation this means setting register a2 to that number on return. Currently if a page fault is triggered within the memset_partial block, the value loaded into a2 on return is meaningless. The label .Lpartial_fixup\@ is jumped to on page fault. In order to work out how many bytes failed to copy, the exception handler should find how many bytes left in the partial block (andi a2, STORMASK), add that to the partial block end address (a2), and subtract the faulting address to get the remainder. Currently it incorrectly subtracts the partial block start address (t1), which has additionally been clobbered to generate a jump target in memset_partial. Fix this by adding the block end address instead. This issue was found with the following test code: int j, k; for (j = 0; j < 512; j++) { if ((k = clear_user(NULL, j)) != j) { pr_err("clear_user (NULL %d) returned %d\n", j, k); } } Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64). 
Suggested-by: James Hogan Signed-off-by: Matt Redfearn Cc: Ralf Baechle Cc: [email protected] Cc: [email protected] Patchwork: https://patchwork.linux-mips.org/patch/19108/ Signed-off-by: James Hogan Signed-off-by: Greg Kroah-Hartman commit 88939e53b0c175c81308dc03d571d2331f671075 Author: Matt Redfearn Date: Thu Mar 29 10:28:23 2018 +0100 MIPS: memset.S: EVA & fault support for small_memset commit 8a8158c85e1e774a44fbe81106fa41138580dfd1 upstream. The MIPS kernel memset / bzero implementation includes a small_memset branch which is used when the region to be set is smaller than a long (4 bytes on 32bit, 8 bytes on 64bit). The current small_memset implementation uses a simple store byte loop to write the destination. There are 2 issues with this implementation: 1. When EVA mode is active, user and kernel address spaces may overlap. Currently the use of the sb instruction means kernel mode addressing is always used and an intended write to userspace may actually overwrite some critical kernel data. 2. If the write triggers a page fault, for example by calling __clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS is triggered. Fix these issues by replacing the sb instruction with the EX() macro, which will emit EVA compatible instuctions as required. Additionally implement a fault fixup for small_memset which sets a2 to the number of bytes that could not be cleared (as defined by __clear_user). Reported-by: Chuanhua Lei Signed-off-by: Matt Redfearn Cc: Ralf Baechle Cc: [email protected] Cc: [email protected] Patchwork: https://patchwork.linux-mips.org/patch/18975/ Signed-off-by: James Hogan Signed-off-by: Greg Kroah-Hartman commit 1d0d9058215e75533f01fbb3db93621f142e1a3d Author: Matt Redfearn Date: Tue Apr 17 16:40:01 2018 +0100 MIPS: uaccess: Add micromips clobbers to bzero invocation commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream. The micromips implementation of bzero additionally clobbers registers t7 & t8. 
Specify this in the clobbers list when invoking bzero. Fixes: 26c5e07d1478 (“MIPS: microMIPS: Optimise ‘memset’ core library function.”) Reported-by: James Hogan Signed-off-by: Matt Redfearn Cc: Ralf Baechle Cc: [email protected] Cc: # 3.10+ Patchwork: https://patchwork.linux-mips.org/patch/19110/ Signed-off-by: James Hogan Signed-off-by: Greg Kroah-Hartman commit 010068656bec9d22eea696bc9a2ca36129a60e43 Author: Heiko Carstens Date: Fri Apr 13 14:04:24 2018 +0200 s390: add support for IBM z14 Model ZR1 commit 451239eb3d397bd197a79cc3aab943da41ba0905 upstream. Just add the new machine type number to the two places that matter. Cc: # v4.14+ Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 73b46af38e8e323c311d102f73bb2a3e332566cc Author: Aaron Armstrong Skomra Date: Wed Apr 4 14:24:11 2018 -0700 HID: wacom: bluetooth: send exit report for recent Bluetooth devices commit 619d3a2922ce623ca2eca443cc936810d328317c upstream. The code path for recent Bluetooth devices omits an exit report which resets all the values of the device. Fixes: 4922cd26f0 (“HID: wacom: Support 2nd-gen Intuos Pro’s Bluetooth classic interface”) Cc: # 4.11 Signed-off-by: Aaron Armstrong Skomra Reviewed-by: Ping Cheng Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 6bfcef16fb90665a565a24ae45737cc01ffad234 Author: Rodrigo Rivas Costa Date: Fri Apr 6 01:09:36 2018 +0200 HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream. Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device and then disconnecting the device, or unloading the driver, can cause a NULL pointer dereference. When a hidraw device is destroyed it sets 0 to `dev->exist`. Most functions check ‘dev->exist’ before doing its work, but `hidraw_get_report()` was missing that check. 
Cc: [email protected] Signed-off-by: Rodrigo Rivas Costa Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 3bca55081843dcdbbd6ad1045c9b6aecbcaea053 Author: Dmitry Torokhov Date: Tue Apr 3 10:52:20 2018 -0700 HID: input: fix battery level reporting on BT mice commit 2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 upstream. The commit 581c4484769e (“HID: input: map digitizer battery usage”) assumed that devices having input (qas opposed to feature) report for battery strength would report the data on their own, without the need to be polled by the kernel; unfortunately it is not so. Many wireless mice do not send unsolicited reports with battery strength data and have to be polled explicitly. As a complication, stylus devices on digitizers are not normally connected to the base and thus can not be polled - the base can only determine battery strength in the stylus when it is in proximity. To solve this issue, we add a special flag that tells the kernel to avoid polling the device (and expect unsolicited reports) and set it when report field with physical usage of digitizer stylus (HID_DG_STYLUS). Unless this flag is set, and we have not seen the unsolicited reports, the kernel will attempt to poll the device when userspace attempts to read “capacity” and “state” attributes of power_supply object corresponding to the devices battery. Fixes: 581c4484769e (“HID: input: map digitizer battery usage”) Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198095 Cc: [email protected] Reported-and-tested-by: Martin van Es Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit bbdd53af5489d9fc352aab7fe5a4c8dc34b4fb5d Author: Aaron Ma Date: Mon Apr 9 15:41:31 2018 +0800 HID: i2c-hid: Fix resume issue on Raydium touchscreen device commit 3e83eda467050f13fa69d888993458b76e733de9 upstream. 
When Rayd touchscreen resumed from S3, it issues too many errors like: i2c_hid i2c-RAYD0001:00: i2c_hid_get_input: incomplete report (58/5442) And all the report data are corrupted, touchscreen is unresponsive. Fix this by re-sending report description command after resume. Add device ID as a quirk. Cc: [email protected] Signed-off-by: Aaron Ma Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit e21e58679d3e9db0258106ffd3c8db76e66c5e6e Author: Theodore Ts’o Date: Wed Apr 11 16:32:17 2018 -0400 random: add new ioctl RNDRESEEDCRNG commit d848e5f8e1ebdb227d045db55fe4f825e82965fa upstream. Add a new ioctl which forces the the crng to be reseeded. Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 6efa23d5851f1702a3cddbdde63607ea6588b665 Author: Theodore Ts’o Date: Thu Apr 12 00:50:45 2018 -0400 random: crng_reseed() should lock the crng instance that it is modifying commit 0bb29a849a6433b72e249eea7695477b02056e94 upstream. Reported-by: Jann Horn Fixes: 1e7f583af67b (“random: make /dev/urandom scalable for silly…”) Cc: [email protected] # 4.8+ Signed-off-by: Theodore Ts’o Reviewed-by: Jann Horn Signed-off-by: Greg Kroah-Hartman commit 89b59f050347d376c2ace8b1ceb908a218cfdc2e Author: Theodore Ts’o Date: Wed Apr 11 14:58:27 2018 -0400 random: use a different mixing algorithm for add_device_randomness() commit dc12baacb95f205948f64dc936a47d89ee110117 upstream. add_device_randomness() use of crng_fast_load() was highly problematic. Some callers of add_device_randomness() can pass in a large amount of static information. This would immediately promote the crng_init state from 0 to 1, without really doing much to initialize the primary_crng’s internal state with something even vaguely unpredictable. 
Since we don't have the speed constraints of add_interrupt_randomness(), we can do a better job mixing in what unpredictability a device driver or architecture maintainer might see fit to give us, and do it in a way which does not bump the crng_init_cnt variable. Also, since add_device_randomness() doesn't bump any entropy accounting in crng_init state 0, mix the device randomness into the input_pool entropy pool as well.

This is related to CVE-2018-1108.

Reported-by: Jann Horn
Fixes: ee7998c50c26 ("random: do not ignore early device randomness")
Cc: [email protected] # 4.13+
Signed-off-by: Theodore Ts'o
Signed-off-by: Greg Kroah-Hartman

commit cd8d7a5778a4abf76ee8fe8f1bfcf78976029f8d
Author: Theodore Ts'o
Date: Wed Apr 11 13:27:52 2018 -0400

random: fix crng_ready() test

commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream.

The crng_init variable has three states:

0: The CRNG is not initialized at all
1: The CRNG has a small amount of entropy, hopefully good enough for early-boot, non-cryptographical use cases
2: The CRNG is fully initialized and we are sure it is safe for cryptographic use cases.

The crng_ready() function should only return true once we are in the last state.

This addresses CVE-2018-1108.

Reported-by: Jann Horn
Fixes: e192be9d9a30 ("random: replace non-blocking pool…")
Cc: [email protected] # 4.8+
Signed-off-by: Theodore Ts'o
Reviewed-by: Jann Horn
Signed-off-by: Greg Kroah-Hartman

commit ab5860f5ce700bc4becc4d6abf01cc380c7ffe85
Author: Hui Wang
Date: Thu Apr 19 13:29:05 2018 +0800

ALSA: hda/realtek - adjust the location of one mic

commit a3dafb2200bf3c13905a088e82ae11f1eb275a83 upstream.

There are two front mics on this machine, if we don't adjust the location for one of them, they will have the same mixer name, pulseaudio can't handle this situation. After applying this FIXUP, they will have different mixer names, then pulseaudio can handle them correctly.
Cc:
Signed-off-by: Hui Wang
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 667f3e47229683c9af079d7633a8deaddb44623f
Author: Hui Wang
Date: Thu Apr 19 13:29:04 2018 +0800

ALSA: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags

commit 3ce0d5aa265bcc0a4b281cb0cabf92491276101b upstream.

Otherwise, the pin will be regarded as microphone, and the jack name is "Mic Phantom", it is always on in the pulseaudio even if nothing is plugged into the jack. So the UI is confusing to users since the microphone always shows up in the UI even if there is no microphone plugged in. After adding this flag, the jack name is "Headset Mic Phantom", then the pulseaudio can handle its detection correctly.

Fixes: f0ba9d699e5c ("ALSA: hda/realtek - Fix Dell headset Mic can't record")
Cc:
Signed-off-by: Hui Wang
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 1798e3019c297751026029a62f09f24c2eff0c5e
Author: David Wang
Date: Mon Apr 16 17:48:09 2018 +0800

ALSA: hda - New VIA controller support no-snoop path

commit af52f9982e410edac21ca4b49563053ffc9da1eb upstream.

This patch is used to tell the kernel that the new VIA HDAC controller also supports the no-snoop path.

[ minor coding style fix by tiwai ]

Signed-off-by: David Wang
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 96e48682446474add6afee63e7c06432f5ec7165
Author: Takashi Iwai
Date: Thu Apr 19 18:16:15 2018 +0200

ALSA: rawmidi: Fix missing input substream checks in compat ioctls

commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.

Some rawmidi compat ioctls lack the input substream checks (although they do check only for rfile->output). This may eventually lead to an Oops as a NULL substream is passed to the rawmidi core functions. Fix it by adding the proper checks before each function call. The bug was spotted by syzkaller.
Reported-by: [email protected]
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit c2795504efef3171260095e13c42452e37066f4e
Author: Fabián Inostroza
Date: Thu Apr 12 00:37:35 2018 -0300

ALSA: line6: Use correct endpoint type for midi output

commit 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 upstream.

Sending MIDI messages to a PODxt through the USB connection shows "usb_submit_urb failed" in dmesg and the message is not received by the POD. The error is caused because in the function send_midi_async() in midi.c there is a call to usb_sndbulkpipe() for endpoint 3 OUT, but the PODxt USB descriptor shows that this endpoint is an interrupt endpoint. Patch tested with PODxt only.

[ The bug has been present from the very beginning in the staging driver time, but Fixes below points to the commit moving to sound/ directory so that the fix can be cleanly applied -- tiwai ]

Fixes: 61864d844c29 ("ALSA: move line6 usb driver into sound/usb")
Signed-off-by: Fabián Inostroza
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 7e0ff1ba3e2920956ad3a94ee8dba46c3235aa03
Author: Paul Parsons
Date: Sat Apr 2 12:32:30 2016 +0100

drm/radeon: Fix PCIe lane width calculation

commit 85e290d92b4b794d0c758c53007eb4248d385386 upstream.

Two years ago I tried an AMD Radeon E8860 embedded GPU with the drm driver. The dmesg output included driver warnings about an invalid PCIe lane width. Tracking the problem back led to si_set_pcie_lane_width_in_smc(). The calculation of the lane widths via ATOM_PPLIB_PCIE_LINK_WIDTH_MASK and ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT macros did not increment the resulting value, per the comment in pptable.h ("lanes - 1"), and per usage elsewhere. Applying the increment silenced the warnings. The code has not changed since, so either my analysis was incorrect or the bug has gone unnoticed. Hence submitting this as an RFC.
Acked-by: Christian König
Acked-by: Chunming Zhou
Signed-off-by: Paul Parsons
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 1ab5ee72f63351599c686f4bc806ca113edca0a7
Author: Nico Sneck
Date: Sat Apr 7 15:13:04 2018 +0000

drm/radeon: add PX quirk for Asus K73TK

commit b1550359d1eb392ee54f7cf47cffcfe0a602f6a7 upstream.

With this the dGPU turns on correctly.

Signed-off-by: Nico Sneck
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 912211ddce268f3519d0836f548308ede9a11a4f
Author: Marc Zyngier
Date: Tue Feb 20 13:01:18 2018 +0000

drm/rockchip: Clear all interrupts before requesting the IRQ

commit 5f9e93fed4d45e9a8f84728aff1a8f2ab8922902 upstream.

Calling request_irq() followed by disable_irq() is usually a bad idea, especially if the interrupt can be pending, and you're not yet in a position to handle it. This is exactly what happens on my kevin system when rebooting in a second kernel using kexec: Some interrupt is left pending from the previous kernel, and we take it too early, before disable_irq() could do anything. Let's clear the pending interrupts as we initialize the HW, and move the interrupt request after that point. This ensures that we're in a sane state when the interrupt is requested.

Cc: [email protected]
Signed-off-by: Marc Zyngier
[adapted to recent rockchip-drm changes]
Signed-off-by: Heiko Stuebner
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Greg Kroah-Hartman

commit f2aa1510178605c509bc623d91aa3df23a30a6f7
Author: Alex Deucher
Date: Tue Apr 3 12:54:33 2018 -0500

drm/amdgpu/si: implement get/set pcie_lanes asic callback

commit 20ca25e86c56f5490bdc80318f4fc06466e4c21b upstream.

Required for dpm setup on some asics. Fixes a NULL dereference on asics that require it.
Acked-by: Christian König
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102553
Tested-by: Abel Garcia Dorta
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit e17bb21827bd4a3c08246d51421033393b54f910
Author: Alex Deucher
Date: Mon Apr 2 12:29:26 2018 -0500

drm/amdgpu: Fix PCIe lane width calculation

commit 41212e2fe72b26ded7ed78224d9eab720c2891e2 upstream.

The calculation of the lane widths via ATOM_PPLIB_PCIE_LINK_WIDTH_MASK and ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT macros did not increment the resulting value, per the comment in pptable.h ("lanes - 1"), and per usage elsewhere. Port of the radeon fix to amdgpu.

Acked-by: Christian König
Acked-by: Chunming Zhou
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102553
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 49d52e9ef94092d15107e0dfa5c38e9ebf1c312c
Author: Alex Deucher
Date: Tue Mar 27 15:53:52 2018 -0500

drm/amdgpu/sdma: fix mask in emit_pipeline_sync

commit 4a8e06f7aad797e92413a3042d09d3b385fa1fda upstream.

Needs to be a 32 bit mask.

Acked-by: Huang Rui
Reviewed-by: Christian König
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit ae06904414b54a517fcca70116233719c89b022e
Author: Bas Nieuwenhuizen
Date: Wed Jan 31 13:58:55 2018 +0100

drm/amdgpu: Fix always_valid bos multiple LRU insertions.

commit a20ee0b1f8b42e2568f3a4408003d22b2dfcc706 upstream.

If these bos are evicted and are in the validated list things blow up, so do not put them in there. Notably, that tries to add the bo to the LRU twice, which results in a BUG_ON in ttm_bo.c. While for the bo_list an alternative would be to not allow always valid bos in there, that does not work for the user fence.
v2: Fixed whitespace issue pointed out by checkpatch.pl

Signed-off-by: Bas Nieuwenhuizen
Reviewed-by: Christian König
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 8a431ad0d1c31de345efa6f8366193fd1efb55b3
Author: Alex Deucher
Date: Wed Mar 21 21:05:46 2018 -0500

drm/amdgpu: Add an ATPX quirk for hybrid laptop

commit 13b40935cf64f59b93cf1c716a2033488e5a228c upstream.

_PR3 doesn't seem to work properly, use ATPX instead.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=104064
Reviewed-by: Huang Rui
Signed-off-by: Alex Deucher
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 2e1c4ed5ae1fee7283c79735bb4870ca36d88d8e
Author: Igor Pylypiv
Date: Tue Mar 6 23:47:25 2018 -0800

watchdog: f71808e_wdt: Fix WD_EN register read

commit 977f6f68331f94bb72ad84ee96b7b87ce737d89d upstream.

F71808FG_FLAG_WD_EN defines bit position, not a bitmask

Signed-off-by: Igor Pylypiv
Reviewed-by: Guenter Roeck
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Cc: stable
Signed-off-by: Greg Kroah-Hartman

commit 525398643e51065ae209f17884bd0d695b6cb59b
Author: Sean Wang
Date: Thu Mar 1 11:27:50 2018 +0800

dt-bindings: clock: mediatek: add binding for fixed-factor clock axisel_d4

commit 55a5fcafe3a94e8a0777bb993d09107d362258d2 upstream.

Just add binding for a fixed-factor clock axisel_d4, which would be referenced by PWM devices on MT7623 or MT2701 SoC.

Cc: [email protected]
Fixes: 1de9b21633d6 ("clk: mediatek: Add dt-bindings for MT2701 clocks")
Signed-off-by: Sean Wang
Reviewed-by: Rob Herring
Cc: Mark Rutland
Cc: [email protected]
Signed-off-by: Stephen Boyd
Signed-off-by: Greg Kroah-Hartman

commit 7c4670cf7122bc66ee12a1a0ba2ed70ab70f223b
Author: Mikhail Lappo
Date: Fri Feb 2 16:17:46 2018 -0200

thermal: imx: Fix race condition in imx_thermal_probe()

commit cf1ba1d73a33944d8c1a75370a35434bf146b8a7 upstream.

When device boots with T > T_trip_1 and requests interrupt, the race condition takes place.
The interrupt comes before THERMAL_DEVICE_ENABLED is set. This leads to an attempt to read the sensor value from irq and disable the sensor, based on the data->mode field, which is expected to be THERMAL_DEVICE_ENABLED, but still stays as THERMAL_DEVICE_DISABLED. After this issue the sensor is never re-enabled, as the driver state is wrong. Fix this problem by setting the 'data' members prior to requesting the interrupts.

Fixes: 37713a1e8e4c ("thermal: imx: implement thermal alarm interrupt handling")
Cc:
Signed-off-by: Mikhail Lappo
Signed-off-by: Fabio Estevam
Reviewed-by: Philipp Zabel
Acked-by: Dong Aisheng
Signed-off-by: Zhang Rui
Signed-off-by: Greg Kroah-Hartman

commit c1d2f1eac9a935c21c38d1680ec4c22200cfcb78
Author: Sean Wang
Date: Fri Mar 2 16:49:14 2018 +0800

pwm: mediatek: Improve precision in rate calculation

commit 04c0a4e00dc11fedc0b0a8593adcf0f4310505d4 upstream.

Add a way of turning the resolution from nanoseconds into picoseconds, which noticeably improves precision by almost 4.5%. It's necessary to hold the new resolution with type u64 and thus related operations on u64 are applied instead in those rate calculations. And the patch has a dependency on [1].

[1] http://lists.infradead.org/pipermail/linux-mediatek/2018-March/012225.html

Cc: [email protected]
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Sean Wang
Signed-off-by: Thierry Reding
Signed-off-by: Greg Kroah-Hartman

commit 95d476598b0828c44ced99d9c95c135092b9d612
Author: Sean Wang
Date: Thu Mar 1 16:19:12 2018 +0800

pwm: mediatek: Fix up PWM4 and PWM5 malfunction on MT7623

commit 360cc036563db27881ce08049f69138438f2ddd0 upstream.

Since the offsets for both registers, PWMDWIDTH and PWMTHRES, used to control PWM4 or PWM5 are distinct from the other PWMs', programming the PWM hardware wrongly causes the waveform not to be output as expected. Thus, the patch adds an extra condition for fixing up the weird case to let PWM4 or PWM5 work on MT7623.
v1 -> v2: use pwm45_fixup naming instead of pwm45_quirk
v2 -> v3: add more tags for Reviewed-by, Fixes, and Cc stable

Cc: [email protected]
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Sean Wang
Reviewed-by: Matthias Brugger
Cc: Zhi Mao
Cc: John Crispin
Cc: Matthias Brugger
Signed-off-by: Thierry Reding
Signed-off-by: Greg Kroah-Hartman

commit af3f8a7fc27a1883d7643701166ea8dd94832edf
Author: Ryo Kodama
Date: Fri Mar 9 20:24:21 2018 +0900

pwm: rcar: Fix a condition to prevent mismatch value setting to duty

commit 6225f9c64b40bc8a22503e9cda70f55d7a9dd3c6 upstream.

This patch fixes an issue where it is possible to set a mismatched value for duty on R-Car PWM if we input the following commands:

# cd /sys/class/pwm//
# echo 0 > export
# cd pwm0
# echo 30 > period
# echo 30 > duty_cycle
# echo 0 > duty_cycle
# cat duty_cycle
0
# echo 1 > enable
--> Then, the actual duty_cycle is 30, not 0.

So, this patch adds a condition into rcar_pwm_config() to fix this issue.

Signed-off-by: Ryo Kodama
[shimoda: revise the commit log and add Fixes and Cc tags]
Fixes: ed6c1476bf7f ("pwm: Add support for R-Car PWM Timer")
Cc:
Cc: # v4.4+
Signed-off-by: Yoshihiro Shimoda
Signed-off-by: Thierry Reding
Signed-off-by: Greg Kroah-Hartman

commit 80aa5cf5b0016ecb94ed7466fa9277f215ea0cd7
Author: Dmitry Osipenko
Date: Wed Jan 10 16:59:42 2018 +0300

clk: tegra: Mark HCLK, SCLK and EMC as critical

commit 2dcabf053c6ecde46f7aa3612c5a57fb8bd185c4 upstream.

Machine dies if HCLK, SCLK or EMC is disabled. Hence mark these clocks as critical.

Signed-off-by: Dmitry Osipenko
Acked-by: Peter De Schrijver
Cc: # v4.16
Signed-off-by: Thierry Reding
Signed-off-by: Greg Kroah-Hartman

commit 8da7199d662cacb78462c5bd1d499efa8759d225
Author: Boris Brezillon
Date: Thu Mar 22 10:11:30 2018 +0100

clk: bcm2835: De-assert/assert PLL reset signal when appropriate

commit 753872373b599384ac7df809aa61ea12d1c4d5d1 upstream.
In order to enable a PLL, not only does the PLL have to be powered up and locked, but you also have to de-assert the reset signal. The last part was missing. Add it so PLLs that were not enabled by the FW/bootloader can be enabled from Linux.

Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
Cc:
Signed-off-by: Boris Brezillon
Reviewed-by: Eric Anholt
Signed-off-by: Stephen Boyd
Signed-off-by: Greg Kroah-Hartman

commit c2e8a9955da241c1ffa5bf6b3733b9d02d424515
Author: Sean Wang
Date: Thu Mar 1 11:27:51 2018 +0800

clk: mediatek: fix PWM clock source by adding a fixed-factor clock

commit 89cd7aec21af26fd0c117bfc4bfc781724f201de upstream.

The clock on which all PWM devices on MT7623 or MT2701 actually depend has to be divided by four from its parent clock axi_sel in the clock path prior to the PWM devices. Consequently, adding a fixed-factor clock axisel_d4 as one-fourth of clock axi_sel allows the PWM devices to have the correct resolution calculation.

Cc: [email protected]
Fixes: e9862118272a ("clk: mediatek: Add MT2701 clock support")
Signed-off-by: Sean Wang
Signed-off-by: Stephen Boyd
Signed-off-by: Greg Kroah-Hartman

commit 4f3f4551f54196910cdf53644dbd5d7dc3689f0b
Author: Arnd Bergmann
Date: Fri Feb 16 16:27:47 2018 +0100

clk: fix false-positive Wmaybe-uninitialized warning

commit ce33f284935e08229046b30635e6aadcbab02b53 upstream.

When we build this driver on x86-32, gcc produces a false-positive warning:

drivers/clk/renesas/clk-sh73a0.c: In function ‘sh73a0_cpg_clocks_init’:
drivers/clk/renesas/clk-sh73a0.c:155:10: error: ‘parent_name’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  return clk_register_fixed_factor(NULL, name, parent_name, 0,

We can work around that warning by adding a fake initialization; I tried and failed to come up with any better workaround.
This is currently one of few remaining warnings for a 4.14.y randconfig build, so it would be good to also have it backported at least to that version. Older versions have more randconfig warnings, so we might not care.

I had not noticed this earlier, because one patch in my randconfig test tree removes the '-ffreestanding' option on x86-32, and that avoids the warning. The -ffreestanding flag was originally global but moved into arch/i386 by Andi Kleen in commit 6edfba1b33c7 ("[PATCH] x86_64: Don't define string functions to builtin") as a 'temporary workaround'. Like many temporary hacks, this turned out to be rather long-lived; from all I can tell we still need a simple fix to asm/string_32.h before it can be removed, but I'm not sure about how to best do that.

Cc: [email protected]
Cc: Andi Kleen
Signed-off-by: Arnd Bergmann
Acked-by: Geert Uytterhoeven
Signed-off-by: Stephen Boyd
Signed-off-by: Greg Kroah-Hartman

commit 8c9510d027a01da162d1faacc96fed7d78a57944
Author: Richard Genoud
Date: Tue Mar 13 16:27:02 2018 +0100

clk: mvebu: armada-38x: add support for missing clocks

commit 6a4a4595804548e173f0763a0e7274a3521c59a9 upstream.

Clearfog boards can come with a CPU clocked at 1600MHz (commercial) or 1333MHz (industrial). They also have some dip-switches to select a different clock (666, 800, 1066, 1200). The funny thing is that the recovery button is on the MPP34 fq selector. So, when booting an industrial board with this button down, the frequency 666MHz is selected (and the kernel didn't boot). This patch adds all the missing clocks. The only mode I didn't test is 2GHz (uboot found 4294MHz instead :/ ).
Fixes: 0e85aeced4d6 ("clk: mvebu: add clock support for Armada 380/385")
Cc: # 3.16.x: 9593f4f56cf5: clk: mvebu: armada-38x: add support for 1866MHz variants
Cc: # 3.16.x
Signed-off-by: Richard Genoud
Acked-by: Gregory CLEMENT
Signed-off-by: Stephen Boyd
Signed-off-by: Greg Kroah-Hartman

commit 5b790023eb8270c05b447ebbc2270c00b9dd6a01
Author: Sinan Kaya
Date: Tue Apr 10 14:44:21 2018 -0500

PCI: Mark Broadcom HT1100 and HT2000 Root Port Extended Tags as broken

commit 1b30dfd376e28e7f37eda5e2033f6823cdda222b upstream.

Per PCIe r3.1, sec 2.2.6.2 and 7.8.4, a Requester may not use 8-bit Tags unless its Extended Tag Field Enable is set, but all Receivers/Completers must handle 8-bit Tags correctly regardless of their Extended Tag Field Enable.

Some devices do not handle 8-bit Tags as Completers, so add a quirk for them. If we find such a device, we disable Extended Tags for the entire hierarchy to make peer-to-peer DMA possible.

The Broadcom HT1100/HT2000/HT2100 seems to have issues with handling 8-bit tags. Mark it as broken.

This fixes Xorg hangs and unresponsive keyboards with errors like this:

radeon 0000:06:00.0: GPU lockup (current fence id 0x000000000000000e last fence id 0x0000000000000
[drm:r600_ring_test [radeon]] *ERROR* radeon: ring 0 test failed (scratch(0x8504)=0xCAFEDEAD)
[drm:r600_resume [radeon]] *ERROR* r600 startup failed on resume

Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=196197
Signed-off-by: Sinan Kaya
Signed-off-by: Bjorn Helgaas
CC: [email protected] # v4.11: 62ce94a7a5a5 PCI: Mark Broadcom HT2100 Root Port Extended Tags as broken
CC: [email protected] # v4.11
Signed-off-by: Greg Kroah-Hartman

commit 0edc19e0c3850e1bc9facb13f2fd37a7e04fea02
Author: Ravi Bangoria
Date: Thu Mar 15 13:57:55 2018 +0530

trace_uprobe: Use %lx to display offset

commit 18d45b11d96e6f9b3814960a1394083a3d6b7f74 upstream.
tu->offset is unsigned long, not a pointer, thus %lx should be used to print it, not the %px.

Link: http://lkml.kernel.org/r/[email protected]
Cc: [email protected]
Acked-by: Masami Hiramatsu
Fixes: 0e4d819d0893 ("trace_uprobe: Display correct offset in uprobe_events")
Suggested-by: Kees Cook
Signed-off-by: Ravi Bangoria
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman

commit 0c04975852a65307a909db6f235166c10301c950
Author: Charlene Liu
Date: Fri Apr 6 23:03:12 2018 -0400

drm/amd/display: HDMI has no sound after Panel power off/on

commit af2ac326087da632e9580f65205f4cc4205caf85 upstream.

Signed-off-by: Charlene Liu
Reviewed-by: Krunoslav Kovac
Acked-by: Harry Wentland
Cc: [email protected]
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit 5c4bda4c2ff768e52e55e86f6993b8bc20ae3ddd
Author: Harry Wentland
Date: Thu Apr 12 10:51:52 2018 -0400

Revert "drm/amd/display: disable CRTCs with NULL FB on their primary plane (V2)"

commit 1cb19e8267a57c5174da09e0d52d1477baceccca upstream.

This seems to cause flickering and lock-ups for a wide range of users. Revert until we've found a proper fix for the flickering and lock-ups.

This reverts commit 36cc549d59864b7161f0e23d710c1c4d1b9cf022.

Cc: Shirish S
Cc: Alex Deucher
Cc: [email protected]
Reviewed-by: Michel Dänzer
Signed-off-by: Harry Wentland
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit 89248a4a1f098400bdc4ea6ebcd831ed9f3c2e8f
Author: Harry Wentland
Date: Thu Apr 12 10:51:51 2018 -0400

Revert "drm/amd/display: fix dereferencing possible ERR_PTR()"

commit 1bc8ffbd71380661c5bc9cd65649bb0cf3d0cf09 upstream.

This reverts commit cd2d6c92a8e39d7e50a5af9fcc67d07e6a89e91d.
Cc: Shirish S
Cc: Alex Deucher
Cc: [email protected]
Reviewed-by: Michel Dänzer
Signed-off-by: Harry Wentland
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit b42a321adc7281d4091e1caa3d6a4237957a0934
Author: Masaharu Hayakawa
Date: Tue Apr 3 23:57:03 2018 +0200

mmc: tmio: Fix error handling when issuing CMD23

commit fc167daff581c01ebce8695e9618231cae3561a1 upstream.

If an error was detected when CMD23 was issued, the command sequence should be terminated with errors and CMD23 should be issued after retuning.

Fixes: 8b22c3c18be5 ("mmc: tmio: add CMD23 support")
Signed-off-by: Masaharu Hayakawa
Signed-off-by: Wolfram Sang
Cc: # 4.13+
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman

commit 7809401a616f108e7d7a7fc44dc04426a5ca9ff4
Author: Alex Smith
Date: Wed Mar 28 18:00:43 2018 -0300

mmc: jz4740: Fix race condition in IRQ mask update

commit a04f0017c22453613d5f423326b190c61e3b4f98 upstream.

A spinlock is held while updating the internal copy of the IRQ mask, but not while writing it to the actual IMASK register. After the lock is released, an IRQ can occur before the IMASK register is written. If handling this IRQ causes the mask to be changed, when the handler returns back to the middle of the first mask update, a stale value will be written to the mask register.

If this causes an IRQ to become unmasked that cannot have its status cleared by writing a 1 to it in the IREG register, e.g. the SDIO IRQ, then we can end up stuck with the same IRQ repeatedly being fired but not handled. Normally the MMC IRQ handler attempts to clear any unexpected IRQs by writing IREG, but for those that cannot be cleared in this way the IRQ will just repeatedly fire. This was resulting in lockups after a while of using Wi-Fi on the CI20 (GitHub issue #19).

Resolve by holding the spinlock until after the IMASK register has been updated.
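The lost-update race the jz4740 commit describes, replayed deterministically as an added example (constructed code, not the driver's own): the interrupt is injected as a callback at the exact point where the lock has been dropped, so the stale register write can be observed without real concurrency. The bit semantics (set bit = IRQ masked), the IRQ_DATA/IRQ_SDIO values and the handler's behaviour are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the driver state: the cached IRQ mask, the value
 * the hardware IMASK register currently holds, and a flag standing in for
 * the spinlock. Assumption: a set bit means that IRQ is masked. */
struct mmc_model {
    uint32_t imask_cache;
    uint32_t imask_reg;
    bool     lock_held;
};

#define IRQ_DATA (1u << 0)   /* constructed bit values, not the real IMASK layout */
#define IRQ_SDIO (1u << 31)

typedef void (*irq_hook_t)(struct mmc_model *m);

/* Hypothetical IRQ handler: the SDIO IRQ fired and the handler masks it
 * (a correctly locked update) so that it stops firing until serviced. */
static void sdio_irq_handler(struct mmc_model *m)
{
    m->lock_held = true;
    m->imask_cache |= IRQ_SDIO;
    m->imask_reg = m->imask_cache;
    m->lock_held = false;
}

/* Ordering from before the fix: the lock protects only the cached copy;
 * the register write happens after the lock is dropped, so an IRQ (the
 * 'irq' hook) can run in between and its update is then overwritten. */
static uint32_t set_irq_mask_buggy(struct mmc_model *m, uint32_t bits,
                                   bool mask, irq_hook_t irq)
{
    m->lock_held = true;
    if (mask)
        m->imask_cache |= bits;
    else
        m->imask_cache &= ~bits;
    uint32_t snapshot = m->imask_cache;  /* value that will be written */
    m->lock_held = false;                /* lock dropped too early */
    if (irq)
        irq(m);                          /* IRQ lands in the window */
    m->imask_reg = snapshot;             /* stale: undoes the handler's mask */
    return m->imask_reg;
}

/* Fixed ordering: the register is written while the lock is still held,
 * so the handler (which takes the same lock) can only run afterwards. */
static uint32_t set_irq_mask_fixed(struct mmc_model *m, uint32_t bits,
                                   bool mask, irq_hook_t irq)
{
    m->lock_held = true;
    if (mask)
        m->imask_cache |= bits;
    else
        m->imask_cache &= ~bits;
    m->imask_reg = m->imask_cache;       /* written under the lock */
    m->lock_held = false;
    if (irq)
        irq(m);                          /* runs after a consistent write */
    return m->imask_reg;
}

/* Scenario: DATA IRQ starts masked, SDIO IRQ unmasked; the driver unmasks
 * DATA while an SDIO IRQ arrives. Returns the final register value; if
 * 'consistent' is given it reports whether cache and register still agree. */
static uint32_t run_scenario(bool fixed, bool *consistent)
{
    struct mmc_model m = { .imask_cache = IRQ_DATA, .imask_reg = IRQ_DATA,
                           .lock_held = false };
    uint32_t reg = fixed
        ? set_irq_mask_fixed(&m, IRQ_DATA, false, sdio_irq_handler)
        : set_irq_mask_buggy(&m, IRQ_DATA, false, sdio_irq_handler);
    if (consistent)
        *consistent = (m.imask_cache == m.imask_reg);
    return reg;
}

int main(void)
{
    bool ok;
    uint32_t reg;

    reg = run_scenario(false, &ok);
    printf("buggy: IMASK=0x%08x cache agrees=%s SDIO %s\n", reg,
           ok ? "yes" : "no", (reg & IRQ_SDIO) ? "masked" : "UNMASKED again");
    reg = run_scenario(true, &ok);
    printf("fixed: IMASK=0x%08x cache agrees=%s SDIO %s\n", reg,
           ok ? "yes" : "no", (reg & IRQ_SDIO) ? "masked" : "UNMASKED again");
    return 0;
}
```

In the buggy run the register ends with SDIO unmasked while the cache says it is masked, which is the state that lets the un-clearable IRQ fire repeatedly.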
Cc: [email protected]
Link: https://github.com/MIPS/CI20_linux/issues/19
Fixes: 61bfbdb85687 ("MMC: Add support for the controller on JZ4740 SoCs.")
Tested-by: Mathieu Malaterre
Signed-off-by: Alex Smith
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman

commit 723bee23e8ba89b2208b8f85634775bf838a43c4
Author: Alexander Kappner
Date: Wed Mar 28 15:18:31 2018 -0700

mmc: core: Prevent bus reference leak in mmc_blk_init()

commit d0a0852b9f81cf5f793bf2eae7336ed40a1a1815 upstream.

Upon module load, mmc_block allocates a bus with bus_register() in mmc_blk_init(). This reference never gets freed during module unload, which leads to subsequent re-insertions of the module failing and a WARN() splat being triggered. Fix the bug by dropping the reference for the bus in mmc_blk_exit().

Signed-off-by: Alexander Kappner
Fixes: 97548575bef3 ("mmc: block: Convert RPMB to a character device")
Cc:
Reviewed-by: Shawn Lin
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman

commit 36a5a8a9d522b712324636d4c6ff97079fa85b87
Author: Lu Baolu
Date: Sat Feb 24 13:42:27 2018 +0800

iommu/vt-d: Fix a potential memory leak

commit bbe4b3af9d9e3172fb9aa1f8dcdfaedcb381fc64 upstream.

A memory block was allocated in intel_svm_bind_mm() but never freed in a failure path. This patch fixes this by freeing it to avoid memory leakage.

Cc: Ashok Raj
Cc: Jacob Pan
Cc: # v4.4+
Signed-off-by: Lu Baolu
Fixes: 2f26e0a9c9860 ('iommu/vt-d: Add basic SVM PASID support')
Signed-off-by: Joerg Roedel
Signed-off-by: Greg Kroah-Hartman

commit 6e53a4e580182793673c37ba9cd87731ff2329fe
Author: Krzysztof Mazur
Date: Wed Nov 15 11:12:39 2017 +0100

um: Use POSIX ucontext_t instead of struct ucontext

commit 4d1a535b8ec5e74b42dfd9dc809142653b2597f6 upstream.

glibc 2.26 removed the 'struct ucontext' to "improve" POSIX compliance and break programs, including User Mode Linux. Fix User Mode Linux by using POSIX ucontext_t.
This fixes:

arch/um/os-Linux/signal.c: In function ‘hard_handler’:
arch/um/os-Linux/signal.c:163:22: error: dereferencing pointer to incomplete type ‘struct ucontext’
  mcontext_t *mc = &uc->uc_mcontext;
arch/x86/um/stub_segv.c: In function ‘stub_segv_handler’:
arch/x86/um/stub_segv.c:16:13: error: dereferencing pointer to incomplete type ‘struct ucontext’
  &uc->uc_mcontext);

Cc: [email protected]
Signed-off-by: Krzysztof Mazur
Signed-off-by: Richard Weinberger
Signed-off-by: Greg Kroah-Hartman

commit e4801adc4d07ff9aded8a468a983ffafe8d32c5e
Author: Jason A. Donenfeld
Date: Thu Dec 14 03:23:37 2017 +0100

um: Compile with modern headers

commit 530ba6c7cb3c22435a4d26de47037bb6f86a5329 upstream.

Recent libcs have gotten a bit more strict, so we actually need to include the right headers and use the right types. This enables UML to compile again.

Signed-off-by: Jason A. Donenfeld
Cc: [email protected]
Signed-off-by: Richard Weinberger
Signed-off-by: Greg Kroah-Hartman

commit 15ecf44787134f7948c23ad5ad31b449c9e51fd7
Author: Steven Rostedt (VMware)
Date: Mon Apr 2 10:33:56 2018 -0400

ring-buffer: Check if memory is available before allocation

commit 2a872fa4e9c8adc79c830e4009e1cc0c013a9d8a upstream.

The ring buffer is made up of a linked list of pages. When making the ring buffer bigger, it will allocate all the pages it needs before adding to the ring buffer, and if it fails, it frees them and returns an error. This makes increasing the ring buffer size an all or nothing action. When this was first created, the pages were allocated with "NORETRY". This was to not cause any Out-Of-Memory (OOM) actions from allocating the ring buffer. But NORETRY was too strict, as the ring buffer would fail to expand even when there's memory available, but was taken up in the page cache.

Commit 848618857d253 ("tracing/ring_buffer: Try harder to allocate") changed the allocating from NORETRY to RETRY_MAYFAIL.
The RETRY_MAYFAIL would allocate from the page cache, but if there was no memory available, it would simply fail the allocation and not trigger an OOM.

This worked fine, but had one problem. As the ring buffer would allocate one page at a time, it could take up all memory in the system before it failed to allocate and free that memory. If the allocation is happening and the ring buffer allocates all memory and then tries to take more than available, its allocation will not trigger an OOM, but if there's any allocation that happens someplace else, that could trigger an OOM, even though once the ring buffer's allocation fails, it would free up all the previous memory it tried to allocate, and allow other memory allocations to succeed.

Commit d02bd27bd33dd ("mm/page_alloc.c: calculate 'available' memory in a separate function") separated out si_mem_available() as a separate function that could be used to see how much memory is available in the system. Using this function to make sure that the ring buffer could be allocated before it tries to allocate pages, we can avoid allocating all memory in the system and making it vulnerable to OOMs if other allocations are taking place.

Link: http://lkml.kernel.org/r/[email protected]
CC: [email protected]
Cc: [email protected]
Fixes: 848618857d253 ("tracing/ring_buffer: Try harder to allocate")
Requires: d02bd27bd33dd ("mm/page_alloc.c: calculate 'available' memory in a separate function")
Reported-by: Zhaoyang Huang
Tested-by: Joel Fernandes
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman

commit bbe03f938f56659a52dffe6acd43b43acdba0702
Author: Dan Williams
Date: Wed Mar 21 21:22:34 2018 -0700

nfit: skip region registration for incomplete control regions

commit 0731de476a37c33485af82d64041c9d193208df8 upstream.

Per the ACPI specification the only functional purpose for a DIMM Control Region to be mapped into the system physical address space, from an OSPM perspective, is to support block-apertures.
However, there are some BIOSen that publish DIMM Control Region SPA entries for pre-boot environment consumption. Undo the kernel policy of generating disabled 'ndblk' regions when this configuration is detected.

Cc:
Fixes: 1f7df6f88b92 ("libnvdimm, nfit: regions (block-data-window…)")
Reviewed-by: Toshi Kani
Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman

commit e041107f06517666cd1a859506e133ee40677a4c
Author: Dan Williams
Date: Mon Apr 2 16:40:04 2018 -0700

nfit, address-range-scrub: fix scrub in-progress reporting

commit 78727137fdf49edf9f731bde79d7189067b4047a upstream.

There is a small window whereby ARS scan requests can schedule work that userspace will miss when polling scrub_show. Hold the init_mutex lock over calls to report the status to close this potential escape. Also, make sure that requests to cancel the ARS workqueue are treated as an idle event.

Cc:
Cc: Vishal Verma
Fixes: 37b137ff8c83 ("nfit, libnvdimm: allow an ARS scrub…")
Reviewed-by: Dave Jiang
Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman

commit c4d2d2ea3fb8829522cea10a5573cb9b372b356c
Author: Steven Rostedt (VMware)
Date: Tue Apr 3 14:38:53 2018 -0400

vsprintf: Do not preprocess non-dereferenced pointers for bprintf (%px and %pK)

commit 1e6338cfb50e244c445ad7d891b35385bd0ee757 upstream.

Commit 841a915d20c7b2 ("printf: Do not have bprintf dereference pointers") would preprocess various pointers that are dereferenced in the bprintf() because the recording and printing are done at two different times. Some pointers stayed dereferenced in the ring buffer because user space could handle them (namely "%pS" and friends). Pointers that are not dereferenced should not be processed immediately but instead just saved directly.
Cc: [email protected]
Fixes: 841a915d20c7b2 ("printf: Do not have bprintf dereference pointers")
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman

commit 02250bcc9b86a24a5c26531edc2505918720201d
Author: Dan Williams
Date: Fri Apr 6 16:37:21 2018 -0700

libnvdimm, namespace: use a safe lookup for dimm device name

commit 4f8672201b7e7ed4f5f6c3cf6dcd080648580582 upstream.

The following NULL dereference results from incorrectly assuming that ndd is valid in this print:

struct nvdimm_drvdata *ndd = to_ndd(&nd_region->mapping[i]);

/*
 * Give up if we don't find an instance of a uuid at each
 * position (from 0 to nd_region->ndr_mappings - 1), or if we
 * find a dimm with two instances of the same uuid.
 */
dev_err(&nd_region->dev, "%s missing label for %pUb\n",
        dev_name(ndd->dev), nd_label->uuid);

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
IP: nd_region_register_namespaces+0xd67/0x13c0 [libnvdimm]
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 43 PID: 673 Comm: kworker/u609:10 Not tainted 4.16.0-rc4+ #1
[..]
RIP: 0010:nd_region_register_namespaces+0xd67/0x13c0 [libnvdimm]
[..]
Call Trace:
 ? devres_add+0x2f/0x40
 ? devm_kmalloc+0x52/0x60
 ? nd_region_activate+0x9c/0x320 [libnvdimm]
 nd_region_probe+0x94/0x260 [libnvdimm]
 ? kernfs_add_one+0xe4/0x130
 nvdimm_bus_probe+0x63/0x100 [libnvdimm]

Switch to using the nvdimm device directly.

Fixes: 0e3b0d123c8f ("libnvdimm, namespace: allow multiple pmem…")
Cc:
Reported-by: Dave Jiang
Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman

commit af5bb27195ef623d3de2eedd9baaf1b225e6b566
Author: Dan Williams
Date: Fri Apr 6 11:25:38 2018 -0700

libnvdimm, dimm: fix dpa reservation vs uninitialized label area

commit c31898c8c711f2bbbcaebe802a55827e288d875a upstream.

At initialization time the 'dimm' driver caches a copy of the memory device's label area and reserves address space for each of the namespaces defined.
However, as can be seen below, the reservation occurs even when the index blocks are invalid:

    nvdimm nmem0: nvdimm_init_config_data: len: 131072 rc: 0
    nvdimm nmem0: config data size: 131072
    nvdimm nmem0: __nd_label_validate: nsindex0 labelsize 1 invalid
    nvdimm nmem0: __nd_label_validate: nsindex1 labelsize 1 invalid
    nvdimm nmem0: : pmem-6025e505: 0x1000000000 @ 0xf50000000 reserve <-- bad

Gate dpa reservation on the presence of valid index blocks.

Cc:
Fixes: 4a826c83db4e ("libnvdimm: namespace indices: read and validate")
Reported-by: Krzysztof Rusocki
Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman

commit cc76ab2e932cc9633f40bb265784269cc2c9e4ab
Author: Chris Chiu
Date: Tue Mar 20 15:36:40 2018 +0800

tpm: self test failure should not cause suspend to fail

commit 0803d7befa15cab5717d667a97a66214d2a4c083 upstream.

The Acer Veriton X4110G has a TPM device detected as:

    tpm_tis 00:0b: 1.2 TPM (device-id 0xFE, rev-id 71)

After the first S3 suspend, the following error appears during resume:

    tpm tpm0: A TPM error(38) occurred continue selftest

Any following S3 suspend attempts will now fail with this error:

    tpm tpm0: Error (38) sending savestate before suspend
    PM: Device 00:0b failed to suspend: error 38

Error 38 is TPM_ERR_INVALID_POSTINIT which means the TPM is not in the correct state. This indicates that the platform BIOS is not sending the usual TPM_Startup command during S3 resume. From this point onwards, all TPM commands will fail.

The same issue was previously reported on Foxconn 6150BK8MC and Sony Vaio TX3.

The platform behaviour seems broken here, but we should not break suspend/resume because of this. When the unexpected TPM state is encountered, set a flag to skip the affected TPM_SaveState command on later suspends.
Cc: [email protected]
Signed-off-by: Chris Chiu
Signed-off-by: Daniel Drake
Link: http://lkml.kernel.org/r/CAB4CAwfSCvj1cudi+MWaB5g2Z67d9DwY1o475YOZD64ma23UiQ@mail.gmail.com
Link: https://lkml.org/lkml/2011/3/28/192
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591031
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman

commit a14986d6fb0374ac20aa1ca6317cd8f9373cc600
Author: Frederic Barrat
Date: Tue Apr 3 15:54:02 2018 +0200

cxl: Fix possible deadlock when processing page faults from cxllib

commit ad7b4e8022b9864c075fe71e1328b1d25cad82f6 upstream.

cxllib_handle_fault() is called by an external driver when it needs to have the host resolve page faults for a buffer. The buffer can cover several pages and VMAs. The function iterates over all the pages used by the buffer, based on the page size of the VMA.

To ensure some stability while processing the faults, the thread T1 grabs the mm->mmap_sem semaphore with read access (R1). However, when processing a page fault for a single page, one of the underlying functions, copro_handle_mm_fault(), also grabs the same semaphore with read access (R2). So the thread T1 takes the semaphore twice.

If another thread T2 tries to access the semaphore in write mode W1 (say, because it wants to allocate memory and calls 'brk'), then that thread T2 will have to wait because there's a reader (R1). If the thread T1 is processing a new page at that time, it won't get an automatic grant at R2, because there's now a writer thread waiting (T2). And we have a deadlock.

The timeline is:

1. thread T1 owns the semaphore with read access R1
2. thread T2 requests write access W1 and waits
3. thread T1 requests read access R2 and waits

The fix is for the thread T1 to release the semaphore R1 once it got the information it needs from the current VMA.
The address space/VMAs could evolve while T1 iterates over the full buffer, but in the unlikely case where T1 misses a page, the external driver will raise a new page fault when retrying the memory access.

Fixes: 3ced8d730063 ("cxl: Export library to support IBM XSL")
Cc: [email protected] # 4.13+
Signed-off-by: Frederic Barrat
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 64ba4ae7a5acc6a1c81f4734b9ad1e0378e31e5e
Author: Maxime Jayat
Date: Thu Feb 22 12:39:55 2018 +0100

dmaengine: at_xdmac: fix rare residue corruption

commit c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 upstream.

Despite the efforts made to correctly read the NDA and CUBC registers, the order in which the registers are read could sometimes lead to an inconsistent state. Re-using the timeline from the comments, the following timing of register reads could lead to reading NDA with value "@desc2" and CUBC with value "MAX desc1":

    INITD ----------                            ------------
                    |__________________________|
                   _____________________________  _______________
    NDA                @desc2                   \/     @desc3
                   _____________________________/\_______________
                   __________  _________________  _______________
    CUBC               0     \/   MAX desc1     \/   MAX desc2
                   __________/\_________________/\_______________
              |  |                 |     |
    Events:  (1)(2)               (3)   (4)

    (1) check_nda = @desc2
    (2) initd = 1
    (3) cur_ubc = MAX desc1
    (4) cur_nda = @desc2

This is allowed by the condition ((check_nda == cur_nda) && initd), despite cur_ubc and cur_nda being in the precise state we don't want.

This error leads to incorrect residue computation.

Fix it by inverting the order in which CUBC and INITD are read. This makes sure that NDA and CUBC are always read together either _before_ INITD goes to 0 or _after_ it is back at 1. The case where NDA is read before INITD is at 0 and CUBC is read after INITD is back at 1 will be rejected by check_nda and cur_nda being different.
Fixes: 53398f488821 ("dmaengine: at_xdmac: fix residue corruption")
Cc: [email protected]
Signed-off-by: Maxime Jayat
Acked-by: Ludovic Desroches
Signed-off-by: Vinod Koul
Signed-off-by: Greg Kroah-Hartman

commit f389283c5d7417add05382dcf6aa7a3c9aa561da
Author: Heinz Mauelshagen
Date: Fri Mar 16 23:01:59 2018 +0100

dm raid: fix nosync status

commit 880bcce0dcc3172fe865352b492c41d85290cb8d upstream.

Fix a race for "nosync" activations providing "aa…" device health characters and "0/N" sync ratio rather than "AA…" and "N/N". Occurs when status for the raid set is retrieved during resume before the MD sync thread starts and clears the MD_RECOVERY_NEEDED flag.

Cc: [email protected] # 4.16+
Signed-off-by: Heinz Mauelshagen
Signed-off-by: Mike Snitzer
Signed-off-by: Greg Kroah-Hartman

commit 21c228ac428701f0b3051da250d9a25a2d16ec0d
Author: Andrew Morton
Date: Tue Mar 13 15:06:45 2018 -0700

drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4

commit 06892cc190550807d332c95a0114c7e175584012 upstream.

gcc-4.4.4 has issues with initialization of anonymous unions:

    drivers/infiniband/ulp/srpt/ib_srpt.c: In function 'srpt_zerolength_write':
    drivers/infiniband/ulp/srpt/ib_srpt.c:854: error: unknown field 'wr_cqe' specified in initializer
    drivers/infiniband/ulp/srpt/ib_srpt.c:854: warning: initialization makes integer from pointer without a cast

Work around this.

Fixes: 2a78cb4db487 ("IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write()")
Cc: Bart Van Assche
Cc: Christoph Hellwig
Cc: Jason Gunthorpe
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Doug Ledford
Signed-off-by: Greg Kroah-Hartman

commit b56b41533299adc0f69b57efb040c4e5ab0e6b4c
Author: Andrew Morton
Date: Tue Mar 13 14:51:57 2018 -0700

drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4

commit 6ee687735e745eafae9e6b93d1ea70bc52e7ad07 upstream.

gcc-4.4.4 has issues with initialization of anonymous unions.
    drivers/infiniband/core/verbs.c: In function '__ib_drain_sq':
    drivers/infiniband/core/verbs.c:2204: error: unknown field 'wr_cqe' specified in initializer
    drivers/infiniband/core/verbs.c:2204: warning: initialization makes integer from pointer without a cast

Work around this.

Fixes: a1ae7d0345edd5 ("RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access")
Cc: Bart Van Assche
Cc: Steve Wise
Cc: Sagi Grimberg
Cc: Jason Gunthorpe
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Doug Ledford
Signed-off-by: Greg Kroah-Hartman

commit 21be334beccbbffd6656fff1cdddeed0a58e1ef6
Author: Bart Van Assche
Date: Thu Mar 1 14:00:30 2018 -0800

IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write()

commit 2a78cb4db487372152bed2055c038f9634d595e8 upstream.

Avoid triggering an out-of-bounds stack access by changing the type of 'wr' from ib_send_wr into ib_rdma_wr.

This patch fixes the following KASAN bug report:

    BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x7a9/0x9a0 [rdma_rxe]
    Read of size 8 at addr ffff880068197a48 by task kworker/2:1/44

    Workqueue: ib_cm cm_work_handler [ib_cm]
    Call Trace:
     dump_stack+0x8e/0xcd
     print_address_description+0x6f/0x280
     kasan_report+0x25a/0x380
     __asan_load8+0x54/0x90
     rxe_post_send+0x7a9/0x9a0 [rdma_rxe]
     srpt_zerolength_write+0xf0/0x180 [ib_srpt]
     srpt_cm_rtu_recv+0x68/0x110 [ib_srpt]
     srpt_rdma_cm_handler+0xbb/0x15b [ib_srpt]
     cma_ib_handler+0x1aa/0x4a0 [rdma_cm]
     cm_process_work+0x30/0x100 [ib_cm]
     cm_work_handler+0xa86/0x351b [ib_cm]
     process_one_work+0x475/0x9f0
     worker_thread+0x69/0x690
     kthread+0x1ad/0x1d0
     ret_from_fork+0x3a/0x50

Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
Signed-off-by: Bart Van Assche
Cc: Christoph Hellwig
Cc: [email protected]
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit 2341d2417eb585c54b2b23e1e8a0e85ce959fa04
Author: Bart Van Assche
Date: Mon Feb 12 09:50:25 2018 -0800

IB/srp: Fix completion vector assignment algorithm

commit 3a148896b24adf8688dc0c59af54531931677a40 upstream.

Ensure that cv_end is equal to ibdev->num_comp_vectors for the NUMA node with the highest index. This patch improves spreading of RDMA channels over completion vectors and thereby improves performance, especially on systems with only a single NUMA node. This patch drops support for the comp_vector login parameter by ignoring the value of that parameter since I have not found a good way to combine support for that parameter and automatic spreading of RDMA channels over completion vectors.

Fixes: d92c0da71a35 ("IB/srp: Add multichannel support")
Reported-by: Alexander Schmid
Signed-off-by: Bart Van Assche
Cc: Alexander Schmid
Cc: [email protected]
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit 638f0fe89d54749b6ed034de544d01c3f8e57412
Author: Bart Van Assche
Date: Fri Feb 23 14:09:24 2018 -0800

IB/srp: Fix srp_abort()

commit e68088e78d82920632eba112b968e49d588d02a2 upstream.

Before commit e494f6a72839 ("[SCSI] improved eh timeout handler") it did not really matter whether or not abort handlers like srp_abort() called .scsi_done() when returning another value than SUCCESS. Since that commit however this matters. Hence only call .scsi_done() when returning SUCCESS.

Signed-off-by: Bart Van Assche
Cc: [email protected]
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit 927324e35539a6fef7202346f1dfe03cfbb63e11
Author: Takashi Iwai
Date: Sat Apr 7 11:48:58 2018 +0200

ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation

commit e15dc99dbb9cf99f6432e8e3c0b3a8f7a3403a86 upstream.

The commit 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write") split the PCM preparation code to a locked version, and it added a sanity check of runtime->oss.prepare flag along with the change.
This led to an endless loop when the stream gets XRUN: namely, snd_pcm_oss_write3() and co call snd_pcm_oss_prepare() without setting the runtime->oss.prepare flag and the loop continues until the PCM state reaches another one.

As the function is supposed to execute the preparation unconditionally, drop the invalid state check there.

The bug was triggered by syzkaller.

Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Reported-by: [email protected]
Reported-by: [email protected]
Reported-by: [email protected]
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit bfb9c474ebfad3851602c7ed6175b7ba651eac62
Author: Takashi Iwai
Date: Mon Apr 2 22:41:43 2018 +0200

ALSA: pcm: Fix UAF at PCM release via PCM timer access

commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream.

The PCM runtime object is created and freed dynamically at PCM stream open / close time. This is tracked via substream->runtime, and it's cleared at snd_pcm_detach_substream().

The runtime object assignment is protected by PCM open_mutex, so for all PCM operations, it's safely handled. However, each PCM substream provides also an ALSA timer interface, and user-space can access to this while closing a PCM substream. This may eventually lead to a UAF, as snd_pcm_timer_resolution() tries to access the runtime while clearing it in other side.

Fortunately, it's the only concurrent access from the PCM timer, and it merely reads runtime->timer_resolution field. So, we can avoid the race by reordering kfree() and wrapping the substream->runtime clearance with the corresponding timer lock.

Reported-by: [email protected]
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit ee7294f190c5ef3b4d13800655a96bb28716ddcf
Author: Takashi Iwai
Date: Tue Mar 27 14:32:23 2018 +0200

ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls

commit f6d297df4dd47ef949540e4a201230d0c5308325 upstream.
The previous fix 40cab6e88cb0 ("ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams") introduced some mutex unbalance; the check of runtime->oss.rw_ref was inserted in a wrong place after the mutex lock.

This patch fixes the inconsistency by rewriting with the helper functions to lock/unlock parameters with the stream check.

Fixes: 40cab6e88cb0 ("ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams")
Reported-by: Dan Carpenter
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit d014fa8f8ae64a641535ed74b59e975935e37211
Author: Takashi Iwai
Date: Fri Mar 23 08:03:26 2018 +0100

ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams

commit 40cab6e88cb0b6c56d3f30b7491a20e803f948f6 upstream.

OSS PCM stream management isn't modal but it allows ioctls issued at any time for changing the parameters. In the previous hardening patch ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write"), we covered these races and prevent the corruption by protecting the concurrent accesses via params_lock mutex. However, this means that some ioctls that try to change the stream parameter (e.g. channels or format) would be blocked until the read/write finishes, and it may take really long.

Basically changing the parameter while reading/writing is an invalid operation, hence it's even more user-friendly from the API POV if it returns -EBUSY in such a situation.

This patch adds such checks in the relevant ioctls with the addition of read/write access refcount.

Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 337cdfb45e9bbd19a82b0c082c76a627d60ba745
Author: Takashi Iwai
Date: Thu Mar 22 18:10:14 2018 +0100

ALSA: pcm: Avoid potential races between OSS ioctls and read/write

commit 02a5d6925cd34c3b774bdb8eefb057c40a30e870 upstream.

Although we apply the params_lock mutex to the whole read and write operations as well as snd_pcm_oss_change_params(), we may still face some races.
First off, the params_lock is taken inside the read and write loop. This is intentional for avoiding the too long locking, but it allows the in-between parameter change, which might lead to invalid pointers. We check the readiness of the stream and set up via snd_pcm_oss_make_ready() at the beginning of read and write, but it's called only once, by assuming that it remains ready in the rest.

Second, many ioctls that may change the actual parameters (i.e. setting runtime->oss.params=1) aren't protected, hence they can be processed in a half-baked state.

This patch is an attempt to plug these holes. The stream readiness check is moved inside the read/write inner loop, so that the stream is always set up in a proper state before further processing. Also, each ioctl that may change the parameter is wrapped with the params_lock for avoiding the races.

The issues were triggered by syzkaller in a few different scenarios, particularly the one below appearing as GPF in loopback_pos_update.

Reported-by: [email protected]
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 03e19286b7f3aa830a07d05efc2df47efb060d4c
Author: Chuck Lever
Date: Mon Mar 19 14:23:16 2018 -0400

xprtrdma: Fix corner cases when handling device removal

commit 25524288631fc5b7d33259fca1e0dc38146be5d6 upstream.

Michal Kalderon has found some corner cases around device unload with active NFS mounts that I didn't have the imagination to test when xprtrdma device removal was added last year.

- The ULP device removal handler is responsible for deallocating the PD. That wasn't clear to me initially, and my own testing suggested it was not necessary, but that is incorrect.
- The transport destruction path can no longer assume that there is a valid ID.
- When destroying a transport, ensure that ib_free_cq() is not invoked on a CQ that was already released.
Reported-by: Michal Kalderon
Fixes: bebd031866ca ("xprtrdma: Support unplugging an HCA from …")
Signed-off-by: Chuck Lever
Cc: [email protected] # v4.12+
Signed-off-by: Anna Schumaker
Signed-off-by: Greg Kroah-Hartman

commit fef573a1e06a8312070749200a38f11ac31efc8b
Author: Chuck Lever
Date: Wed Feb 28 15:30:27 2018 -0500

xprtrdma: Fix latency regression on NUMA NFS/RDMA clients

commit 6720a89933739cb8dec748cd253f7c8df2c0ae4d upstream.

With v4.15, on one of my NFS/RDMA clients I measured nearly a doubling in the latency of small read and write system calls. There was no change in server round trip time. The extra latency appears in the whole RPC execution path.

"git bisect" settled on commit ccede7598588 ("xprtrdma: Spread reply processing over more CPUs").

After some experimentation, I found that leaving the WQ bound and allowing the scheduler to pick the dispatch CPU seems to eliminate the long latencies, and it does not introduce any new regressions.

The fix is implemented by reverting only the part of commit ccede7598588 ("xprtrdma: Spread reply processing over more CPUs") that dispatches RPC replies specifically on the CPU where the matching RPC call was made.

Interestingly, saving the CPU number and later queuing reply processing there was effective _only_ for an NFS READ and WRITE request. On my NUMA client, in-kernel RPC reply processing for asynchronous RPCs was dispatched on the same CPU where the RPC call was made, as expected. However synchronous RPCs seem to get their reply dispatched on some other CPU than where the call was placed, every time.
Fixes: ccede7598588 ("xprtrdma: Spread reply processing over … ")
Signed-off-by: Chuck Lever
Cc: [email protected] # v4.15+
Signed-off-by: Anna Schumaker
Signed-off-by: Greg Kroah-Hartman

commit 5e2f3f316fff518eb982c7ba1a6e3187779e5163
Author: Bart Van Assche
Date: Thu Mar 1 14:00:28 2018 -0800

RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access

commit a1ae7d0345edd593d6725d3218434d903a0af95d upstream.

This patch fixes the following KASAN complaint:

    ==================================================================
    BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x77d/0x9b0 [rdma_rxe]
    Read of size 8 at addr ffff880061aef860 by task 01/1080

    CPU: 2 PID: 1080 Comm: 01 Not tainted 4.16.0-rc3-dbg+ #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
    Call Trace:
     dump_stack+0x85/0xc7
     print_address_description+0x65/0x270
     kasan_report+0x231/0x350
     rxe_post_send+0x77d/0x9b0 [rdma_rxe]
     __ib_drain_sq+0x1ad/0x250 [ib_core]
     ib_drain_qp+0x9/0x30 [ib_core]
     srp_destroy_qp+0x51/0x70 [ib_srp]
     srp_free_ch_ib+0xfc/0x380 [ib_srp]
     srp_create_target+0x1071/0x19e0 [ib_srp]
     kernfs_fop_write+0x180/0x210
     __vfs_write+0xb1/0x2e0
     vfs_write+0xf6/0x250
     SyS_write+0x99/0x110
     do_syscall_64+0xee/0x2b0
     entry_SYSCALL_64_after_hwframe+0x42/0xb7

    The buggy address belongs to the page:
    page:ffffea000186bbc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
    flags: 0x4000000000000000()
    raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
    raw: 0000000000000000 ffffea000186bbe0 0000000000000000 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff880061aef700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff880061aef780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
    >ffff880061aef800: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2
                                                           ^
     ffff880061aef880: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f2 f2
     ffff880061aef900: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00
    ==================================================================

Fixes: 765d67748bcf ("IB: new common API for draining queues")
Signed-off-by: Bart Van Assche
Cc: Steve Wise
Cc: Sagi Grimberg
Cc: [email protected]
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit 8ca41b8fe4374f0e2b8e23cc5739ee53b551046e
Author: Bart Van Assche
Date: Thu Mar 1 14:00:29 2018 -0800

RDMA/rxe: Fix an out-of-bounds read

commit a6544a624c3ff92a64e4aca3931fa064607bd3da upstream.

This patch avoids that KASAN reports the following when the SRP initiator calls srp_post_send():

    ==================================================================
    BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x5c4/0x980 [rdma_rxe]
    Read of size 8 at addr ffff880066606e30 by task 02-mq/1074

    CPU: 2 PID: 1074 Comm: 02-mq Not tainted 4.16.0-rc3-dbg+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
    Call Trace:
     dump_stack+0x85/0xc7
     print_address_description+0x65/0x270
     kasan_report+0x231/0x350
     rxe_post_send+0x5c4/0x980 [rdma_rxe]
     srp_post_send.isra.16+0x149/0x190 [ib_srp]
     srp_queuecommand+0x94d/0x1670 [ib_srp]
     scsi_dispatch_cmd+0x1c2/0x550 [scsi_mod]
     scsi_queue_rq+0x843/0xa70 [scsi_mod]
     blk_mq_dispatch_rq_list+0x143/0xac0
     blk_mq_do_dispatch_ctx+0x1c5/0x260
     blk_mq_sched_dispatch_requests+0x2bf/0x2f0
     __blk_mq_run_hw_queue+0xdb/0x160
     __blk_mq_delay_run_hw_queue+0xba/0x100
     blk_mq_run_hw_queue+0xf2/0x190
     blk_mq_sched_insert_request+0x163/0x2f0
     blk_execute_rq+0xb0/0x130
     scsi_execute+0x14e/0x260 [scsi_mod]
     scsi_probe_and_add_lun+0x366/0x13d0 [scsi_mod]
     __scsi_scan_target+0x18a/0x810 [scsi_mod]
     scsi_scan_target+0x11e/0x130 [scsi_mod]
     srp_create_target+0x1522/0x19e0 [ib_srp]
     kernfs_fop_write+0x180/0x210
     __vfs_write+0xb1/0x2e0
     vfs_write+0xf6/0x250
     SyS_write+0x99/0x110
     do_syscall_64+0xee/0x2b0
     entry_SYSCALL_64_after_hwframe+0x42/0xb7

    The buggy address belongs to the page:
    page:ffffea0001998180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
    flags: 0x4000000000000000()
    raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
    raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff880066606d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
     ffff880066606d80: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2
    >ffff880066606e00: f2 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00
                                         ^
     ffff880066606e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff880066606f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ==================================================================

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Bart Van Assche
Cc: Moni Shoua
Cc: [email protected]
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit c6bf8f42c9dc1b1d8c7767db07bb48f7e16d63b4
Author: Leon Romanovsky
Date: Tue Mar 13 15:29:24 2018 +0200

RDMA/mlx5: Protect from NULL pointer dereference

commit 4289861d88d6c7b5e4c8cc7fe2ad6cdf0cdfc366 upstream.

The mlx5_ib_alloc_implicit_mr() can fail to acquire pages and the returned mr pointer won't be valid. Ensure that it is not an error prior to access.

Cc: # 4.10
Fixes: 81713d3788d2 ("IB/mlx5: Add implicit MR support")
Reported-by: Noa Osherovich
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Greg Kroah-Hartman

commit dad3d955fb5af99a96ede856f5f2ee1c864efde4
Author: Roland Dreier
Date: Tue Apr 3 15:33:01 2018 -0700

RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device

commit 8435168d50e66fa5eae01852769d20a36f9e5e83 upstream.

Check to make sure that ctx->cm_id->device is set before we use it. Otherwise userspace can trigger a NULL dereference by doing RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device.
Cc:
Reported-by:
Signed-off-by: Roland Dreier
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit 002c9842c8132c3c3af4f69b5a17a1b31302340d
Author: Mikulas Patocka
Date: Sun Aug 13 22:45:08 2017 -0400

dm crypt: limit the number of allocated pages

commit 5059353df86e2573ccd9d43fd9d9396dcec47ca2 upstream.

dm-crypt consumes an excessive amount of memory when the user attempts to zero a dm-crypt device with "blkdiscard -z". The command "blkdiscard -z" calls the BLKZEROOUT ioctl, which goes to the function __blkdev_issue_zeroout; __blkdev_issue_zeroout sends a large amount of write bios that contain the zero page as their payload.

For each incoming page, dm-crypt allocates another page that holds the encrypted data, so when processing "blkdiscard -z", dm-crypt tries to allocate the amount of memory that is equal to the size of the device. This can trigger OOM killer or cause system crash.

Fix this by limiting the amount of memory that dm-crypt allocates to 2% of total system memory. This limit is system-wide and is divided by the number of active dm-crypt devices and each device receives an equal share.

Cc: [email protected]
Signed-off-by: Mikulas Patocka
Signed-off-by: Mike Snitzer
Signed-off-by: Greg Kroah-Hartman

commit aa2a38b37f524a6256e3deb665a3e0045f8d968e
Author: Mike Snitzer
Date: Mon Mar 26 11:49:16 2018 -0400

dm: backfill abnormal IO support to non-splitting IO submission

commit 0519c71e8d461ac3ef9a555bb7339243c9128d37 upstream.

Otherwise, these abnormal IOs would be sent to the DM target regardless of whether the target advertised support for them.

Factor out __process_abnormal_io() from __split_and_process_non_flush() so that discards, write same, etc may be conditionally processed.
Fixes: 978e51ba3 ("dm: optimize bio-based NVMe IO submission")
Cc: [email protected] # 4.16
Signed-off-by: Mike Snitzer
Signed-off-by: Greg Kroah-Hartman

commit 919e7c8da185a2d8d4430a56077b9b2475e2c990
Author: Theodore Ts'o
Date: Sun Apr 1 23:21:03 2018 -0400

ext4: force revalidation of directory pointer after seekdir(2)

commit e40ff213898502d299351cc2fe1e350cd186f0d3 upstream.

A malicious user could force the directory pointer to be in an invalid spot by using seekdir(2). Use the mechanism we already have to notice if the directory has changed since the last time we called ext4_readdir() to force a revalidation of the pointer.

Reported-by: [email protected]
Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 047506fc514240eda8e153e08a0d0e73cf864e68
Author: Theodore Ts'o
Date: Fri Mar 30 20:04:11 2018 -0400

ext4: add extra checks to ext4_xattr_block_get()

commit 54dd0e0a1b255f115f8647fc6fb93273251b01b9 upstream.

Add explicit checks in ext4_xattr_block_get() just in case the e_value_offs and e_value_size fields in the xattr block are corrupted in memory after the buffer_verified bit is set on the xattr block.

Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit e89600dc2411982169cc54a0760aaede29b172fb
Author: Theodore Ts'o
Date: Fri Mar 30 20:00:56 2018 -0400

ext4: add bounds checking to ext4_xattr_find_entry()

commit 9496005d6ca4cf8f5ee8f828165a8956872dc59d upstream.

Add some paranoia checks to make sure we don't stray beyond the end of the valid memory region containing ext4 xattr entries while we are scanning for a match.
Also rename the function to xattr_find_entry() since it is static and thus only used in fs/ext4/xattr.c

Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 8cefea5589189c1444c8c3a6e01e510230b29077
Author: Theodore Ts'o
Date: Fri Mar 30 15:42:25 2018 -0400

ext4: move call to ext4_error() into ext4_xattr_check_block()

commit de05ca8526796c7e9f7c7282b7f89a818af19818 upstream.

Refactor the call to EXT4_ERROR_INODE() into ext4_xattr_check_block(). This simplifies the code, and fixes a problem where not all callers of ext4_xattr_check_block() were resulting in ext4_error() getting called when the xattr block is corrupted.

Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit adebf4b54f615014f09f90c6eca9499ed2958ea0
Author: Theodore Ts'o
Date: Thu Mar 29 22:10:35 2018 -0400

ext4: don't allow r/w mounts if metadata blocks overlap the superblock

commit 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 upstream.

If some metadata block, such as an allocation bitmap, overlaps the superblock, it's very likely that if the file system is mounted read/write, the results will not be pretty. So disallow r/w mounts for file systems corrupted in this particular way.

Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 114c42aaa63152d31d3c18d5b750de9560f38a63
Author: Theodore Ts'o
Date: Thu Mar 29 22:10:31 2018 -0400

ext4: always initialize the crc32c checksum driver

commit a45403b51582a87872927a3e0fc0a389c26867f1 upstream.

The extended attribute code now uses the crc32c checksum for hashing purposes, so we should just always initialize it. We also want to prevent NULL pointer dereferences if one of the metadata checksum features is enabled after the file system is originally mounted.

This issue has been assigned CVE-2018-1094.
https://bugzilla.kernel.org/show_bug.cgi?id=199183
https://bugzilla.redhat.com/show_bug.cgi?id=1560788

Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 510c85c3f0bcfa6111e866b8f3c1a5a58d42da58
Author: Theodore Ts'o
Date: Thu Mar 29 21:56:09 2018 -0400

ext4: fail ext4_iget for root directory if unallocated

commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.

If the root directory has an i_links_count of zero, then when the file system is mounted and ext4_fill_super() notices the problem and tries to call iput() on the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Reported-by: Wen Xu
Signed-off-by: Theodore Ts'o
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit d97c42e8f9bc9054101d04d715ff322379bfa1c9
Author: Eric Biggers
Date: Thu Mar 29 14:31:42 2018 -0400

ext4: limit xattr size to INT_MAX

commit ce3fd194fcc6fbdc00ce095a852f22df97baa401 upstream.

ext4 isn't validating the sizes of xattrs where the value of the xattr is stored in an external inode. This is problematic because ->e_value_size is a u32, but ext4_xattr_get() returns an int. A very large size is misinterpreted as an error code, which ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR() returns false, causing a crash.

Fix this by validating that all xattrs are <= INT_MAX bytes.

This issue has been assigned CVE-2018-1095.
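The failure chain described in the CVE-2018-1095 entry above (u32 size returned as int, negative value wrapped by ERR_PTR(), IS_ERR() not recognising it), shown as an added user-space model that is not code from the kernel or from the commit. ERR_PTR, IS_ERR and MAX_ERRNO are re-typed after the kernel's definitions; struct xattr_entry, the two getters and get_acl_outcome() are simplified stand-ins for the ext4 code paths, not the real functions.

```c
/*
 * Added example: a user-space model of the CVE-2018-1095 failure chain.
 * ext4's on-disk e_value_size is a u32, but the size travels through an int
 * return value, so a value above INT_MAX becomes negative. The ACL caller
 * treats a negative return as an errno and wraps it with ERR_PTR(); IS_ERR()
 * only recognises the top MAX_ERRNO addresses, so the result is a pointer that
 * is neither a valid buffer nor a recognised error, and it gets dereferenced.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO     4095
#define EFSCORRUPTED  117   /* EUCLEAN, the errno ext4 uses for on-disk corruption */

/* Re-typed after the kernel's include/linux/err.h */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Simplified stand-in for an ext4 xattr entry: the size is a 32-bit field. */
struct xattr_entry {
    uint32_t e_value_size;
};

/* Before the fix: the u32 size is returned through an int and may go negative. */
int xattr_get_unchecked(const struct xattr_entry *e)
{
    return e->e_value_size;
}

/* After the fix: sizes above INT_MAX are rejected as corruption. */
int xattr_get_checked(const struct xattr_entry *e)
{
    if (e->e_value_size > INT_MAX)
        return -EFSCORRUPTED;
    return e->e_value_size;
}

enum acl_outcome { ACL_OK, ACL_ERROR, ACL_BOGUS_POINTER };

/*
 * Stand-in for the ext4_get_acl() pattern: a negative size is assumed to be
 * an errno and converted with ERR_PTR(). Returns what the caller observes.
 */
enum acl_outcome get_acl_outcome(int (*getter)(const struct xattr_entry *),
                                 const struct xattr_entry *e)
{
    static char acl_buffer[16];           /* stands in for the allocated ACL */
    int size = getter(e);
    void *acl = (size < 0) ? ERR_PTR(size) : acl_buffer;

    if (acl == acl_buffer)
        return ACL_OK;                    /* genuine buffer */
    if (IS_ERR(acl))
        return ACL_ERROR;                 /* caller sees PTR_ERR(acl) and bails out */
    return ACL_BOGUS_POINTER;             /* IS_ERR() is false: pointer gets used */
}

int main(void)
{
    struct xattr_entry sane = { .e_value_size = 64 };
    struct xattr_entry huge = { .e_value_size = 0x80000010u }; /* constructed, > INT_MAX */

    printf("sane size, unchecked: %d (0 = ok)\n",
           get_acl_outcome(xattr_get_unchecked, &sane));
    printf("huge size, unchecked: %d (2 = bogus pointer)\n",
           get_acl_outcome(xattr_get_unchecked, &huge));
    printf("huge size, checked:   %d (1 = clean error)\n",
           get_acl_outcome(xattr_get_checked, &huge));
    return 0;
}
```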
https://bugzilla.kernel.org/show_bug.cgi?id=199185
https://bugzilla.redhat.com/show_bug.cgi?id=1560793

Reported-by: Wen Xu
Signed-off-by: Eric Biggers
Signed-off-by: Theodore Ts'o
Cc: [email protected]
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Signed-off-by: Greg Kroah-Hartman

commit 71da360dfb961edf5e6e52b0c99918197cf8114b
Author: Jiri Slaby
Date: Thu Mar 22 11:50:26 2018 -0400

ext4: fix offset overflow on 32-bit archs in ext4_iomap_begin()

commit fe23cb65c2c394ea306f3714a17d46ab2e6a0af1 upstream.

ext4_iomap_begin() has a bug where the offset returned in the iomap structure will be truncated to unsigned long size. On 64-bit architectures this is fine but on 32-bit architectures obviously not. Not many places actually use the offset stored in the iomap structure but one of the visible failures is in SEEK_HOLE / SEEK_DATA implementation. If we create a file like:

    dd if=/dev/urandom of=file bs=1k seek=8m count=1

then lseek64("file", 0x100000000ULL, SEEK_DATA) wrongly returns 0x100000000 on unfixed kernel while it should return 0x200000000.

Avoid the overflow by proper type cast.

Fixes: 545052e9e35a ("ext4: Switch to iomap for SEEK_HOLE / SEEK_DATA")
Signed-off-by: Jiri Slaby
Signed-off-by: Jan Kara
Signed-off-by: Theodore Ts'o
Cc: [email protected] # v4.15
Signed-off-by: Greg Kroah-Hartman

commit dac334e0d35520847ca009508b8c49feefc05c0c
Author: Eryu Guan
Date: Thu Mar 22 11:41:25 2018 -0400

ext4: protect i_disksize update by i_data_sem in direct write path

commit 73fdad00b208b139cf43f3163fbc0f67e4c6047c upstream.

i_disksize update should be protected by i_data_sem, by either taking the lock explicitly or by using ext4_update_i_disksize() helper. But the i_disksize updates in ext4_direct_IO_write() are not protected at all, which may be racing with i_disksize updates in writeback path in delalloc buffer write path.

This is found by code inspection, and I didn't hit any i_disksize corruption due to this bug.
Thanks to Jan Kara for catching this bug and suggesting the fix! Reported-by: Jan Kara Suggested-by: Jan Kara Signed-off-by: Eryu Guan Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit c6a192f4342eeede80ebbdf2d2952155ca271a55 Author: Theodore Ts’o Date: Mon Feb 19 14:16:47 2018 -0500 ext4: don’t update checksum of new initialized bitmaps commit 044e6e3d74a3d7103a0c8a9305dfd94d64000660 upstream. When reading the inode or block allocation bitmap, if the bitmap needs to be initialized, do not update the checksum in the block group descriptor. That’s because we’re not set up to journal those changes. Instead, just set the verified bit on the bitmap block, so that it’s not necessary to validate the checksum. When a block or inode allocation actually happens, at that point the checksum will be calculated, and update of the bg descriptor block will be properly journalled. Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 1122b746fc972e06f0827582cb6ad72dd1761059 Author: Theodore Ts’o Date: Sun Feb 18 23:45:18 2018 -0500 ext4: pass -ESHUTDOWN code to jbd2 layer commit fb7c02445c497943e7296cd3deee04422b63acb8 upstream. Previously the jbd2 layer assumed that a file system check would be required after a journal abort. In the case of the deliberate file system shutdown, this should not be necessary. Allow the jbd2 layer to distinguish between these two cases by using the ESHUTDOWN errno. Also add proper locking to __journal_abort_soft(). Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit c63dc22a0a1ffa3137758b9f6a0ba530c9adb9f4 Author: Theodore Ts’o Date: Sun Feb 18 23:16:28 2018 -0500 ext4: eliminate sleep from shutdown ioctl commit a6d9946bb925293fda9f5ed6d33d8580b001f006 upstream. The msleep() when processing EXT4_GOING_FLAGS_NOLOGFLUSH was a hack to avoid some races (that are now fixed), but in fact it introduced its own race. 
Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 4919f9b141ff349e4ad13ac20f6c2ef7b4386d29 Author: Theodore Ts’o Date: Sun Feb 18 22:07:36 2018 -0500 ext4: shutdown should not prevent get_write_access commit 576d18ed60f5465110087c5e0eb1010de13e374d upstream. The ext4 forced shutdown flag needs to prevent new handles from being started, but it needs to allow existing handles to complete. So the forced shutdown flag should not force ext4_journal_get_write_access to fail. Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 1d6ae243ea653dac582bb1e376a1b5381c06a7e1 Author: Theodore Ts’o Date: Mon Feb 19 12:22:53 2018 -0500 jbd2: if the journal is aborted then don’t allow update of the log tail commit 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 upstream. This updates the jbd2 superblock unnecessarily, and on an abort we shouldn’t truncate the log. Signed-off-by: Theodore Ts’o Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 5df4e53f1d759bcd9fadaeb6e0c6423ec215d516 Author: Mikulas Patocka Date: Wed Mar 21 12:42:25 2018 -0400 block: use 32-bit blk_status_t on Alpha commit 6e2fb22103b99c26ae30a46512abe75526d8e4c9 upstream. Early alpha processors cannot write a single byte or word; they read 8 bytes, modify the value in registers and write back 8 bytes. The type blk_status_t is defined as one byte, it is often written asynchronously by I/O completion routines, this asynchronous modification can corrupt content of nearby bytes if these nearby bytes can be written simultaneously by another CPU. 
- one example of such corruption is the structure dm_io where "blk_status_t status" is written by an asynchronous completion routine and "atomic_t io_count" is modified synchronously
- another example is the structure dm_buffer where "unsigned hold_count" is modified synchronously from process context and "blk_status_t write_error" is modified asynchronously from a bio completion routine

This patch fixes the bug by changing the type blk_status_t to 32 bits if we are on Alpha and if we are compiling for a processor that doesn't have the byte-word-extension.

Signed-off-by: Mikulas Patocka
Cc: [email protected] # 4.13+
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman

commit f6b3a6ce0e6cd38afb61a5f55a138eb9b46d34e7
Author: Hans de Goede
Date: Mon Feb 19 14:20:46 2018 +0100

extcon: intel-cht-wc: Set direction and drv flags for V5 boost GPIO

commit ad49aee401dd1997ec71360df6e51a91ad3cf516 upstream.

Sometimes (firmware bug?) the V5 boost GPIO is not configured as output by the BIOS, leading to the 5V boost convertor being permanently on. Explicitly set the direction and drv flags rather than inheriting them from the firmware to fix this.

Fixes: 585cb239f4de ("extcon: intel-cht-wc: Disable external 5v boost …")
Cc: [email protected]
Reviewed-by: Andy Shevchenko
Signed-off-by: Hans de Goede
Signed-off-by: Chanwoo Choi
Signed-off-by: Greg Kroah-Hartman

commit 46d52d7c5b8354882f8ce41537a574ea3457dbd4
Author: Theodore Ts'o
Date: Sat Feb 25 18:21:33 2017 -0400

random: use a tighter cap in credit_entropy_bits_safe()

commit 9f886f4d1d292442b2f22a0a33321eae821bde40 upstream.

This fixes a harmless UBSAN where root could potentially end up causing an overflow while bumping the entropy_total field (which is ignored once the entropy pool has been initialized, and this generally is completed during the boot sequence).

This is marginal for the stable kernel series, but it's a really trivial patch, and it fixes a UBSAN warning that might cause security folks to get overly excited for no reason.

Signed-off-by: Theodore Ts'o
Reported-by: Chen Feng
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 3c94bfbd8f08c0b5281b78429aaaaa50040940f1
Author: Aniruddha Banerjee
Date: Wed Mar 28 19:12:00 2018 +0530

irqchip/gic: Take lock when updating irq type

commit aa08192a254d362a4d5317647a81de6996961aef upstream.

Most MMIO GIC register accesses use a 1-hot bit scheme that avoids requiring any form of locking. This isn't true for the GICD_ICFGRn registers, which require a RMW sequence.

Unfortunately, we seem to be missing a lock for these particular accesses, which could result in a race condition if changing the trigger type on any two interrupts within the same set of 16 interrupts (and thus controlled by the same CFGR register).

Introduce a private lock in the GIC common code for this particular case, making it cover both GIC implementations in one go.

Cc: [email protected]
Signed-off-by: Aniruddha Banerjee
[maz: updated changelog]
Signed-off-by: Marc Zyngier
Signed-off-by: Greg Kroah-Hartman

commit b03bb1e57736ffbe37b652669e20b99ed96fa992
Author: Mika Westerberg
Date: Fri Mar 9 13:17:01 2018 +0300

thunderbolt: Prevent crash when ICM firmware is not running

commit ea9d7bb798900096f26c585957d6ad9c532417e6 upstream.

On Lenovo ThinkPad Yoga 370 (and possibly some other Lenovo models as well) the Thunderbolt host controller sometimes comes up in such a way that the ICM firmware is not running properly. This is most likely an issue in BIOS/firmware but as a side-effect the driver crashes the kernel due to a NULL pointer dereference:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000980
  IP: pci_write_config_dword+0x5/0x20
  Call Trace:
   pcie2cio_write+0x3b/0x70 [thunderbolt]
   icm_driver_ready+0x168/0x260 [thunderbolt]
   ? tb_ctl_start+0x50/0x70 [thunderbolt]
   tb_domain_add+0x73/0xf0 [thunderbolt]
   nhi_probe+0x182/0x300 [thunderbolt]
   local_pci_probe+0x42/0xa0
   ? pci_match_device+0xd9/0x100
   pci_device_probe+0x146/0x1b0
   driver_probe_device+0x315/0x480
   …

Instead of crashing, update the driver to bail out gracefully if we encounter such a situation.

Fixes: f67cf491175a ("thunderbolt: Add support for Internal Connection Manager (ICM)")
Reported-by: Jordan Glover
Signed-off-by: Mika Westerberg
Acked-by: Yehezkel Bernat
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit f5b7a541c77ed22a3c9609b38f2d56c77ab1ddfd
Author: Mika Westerberg
Date: Fri Feb 9 17:29:38 2018 +0300

thunderbolt: Handle connecting device in place of host properly

commit 79fae987518a3aa6c3c7b2e3ad5fe1e4080c12bc upstream.

If the system is suspended and the user disconnects the cable to another host and connects it to a Thunderbolt device instead, we get a warning from the driver core about adding a duplicate sysfs attribute and adding the new device fails. Handle this properly so that we first remove the existing XDomain connection before adding new devices.

Fixes: d1ff70241a27 ("thunderbolt: Add support for XDomain discovery protocol")
Signed-off-by: Mika Westerberg
Reviewed-by: Andy Shevchenko
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit c9eda168e8ca4a46b7182f7b61ebaadb04d76f4c
Author: Mika Westerberg
Date: Tue Dec 19 12:44:56 2017 +0300

thunderbolt: Resume control channel after hibernation image is created

commit f2a659f7d8d5da803836583aa16df06bdf324252 upstream.

The driver misses an implementation of the PM hook that undoes what ->freeze_noirq() does after the hibernation image is created. This means the control channel is not resumed properly and the Thunderbolt bus becomes useless in later stages of hibernation (when the image is stored or if the operation fails).

Fix this by pointing ->thaw_noirq to the driver's nhi_resume_noirq(). This makes sure the control channel is resumed properly.

Fixes: 23dd5bb49d98 ("thunderbolt: Add suspend/hibernate support")
Signed-off-by: Mika Westerberg
Reviewed-by: Andy Shevchenko
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit dc414ae189cc800a63444b51d5a0c18c07b0efdc
Author: Mika Westerberg
Date: Thu Jan 18 20:27:47 2018 +0300

thunderbolt: Serialize PCIe tunnel creation with PCI rescan

commit a03e828915c00ed0ea5aa40647c81472cfa7a984 upstream.

We need to make sure a new PCIe tunnel is not created in the middle of a previous PCI rescan because otherwise the rescan code might find too much and fail to reconfigure devices properly. This is important when native PCIe hotplug is used. In BIOS assisted hotplug there should be no such issue.

Fixes: f67cf491175a ("thunderbolt: Add support for Internal Connection Manager (ICM)")
Signed-off-by: Mika Westerberg
Reviewed-by: Andy Shevchenko
Cc: Bjorn Helgaas
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 75dec3bc980aa179fd421ba9a107097fb6968db7
Author: Mika Westerberg
Date: Fri Nov 24 17:51:12 2017 +0300

thunderbolt: Wait a bit longer for ICM to authenticate the active NVM

commit e4be8c9b6a512e274cb6bbac4ac869d73880a8b3 upstream.

Sometimes during cold boot ICM has not yet authenticated the active NVM image, leading to a timeout and failing the driver probe. Allow ICM to take some more time and increase the timeout to 3 seconds before we give up.

While there, fix icm_firmware_init() to return the real error code without overwriting it with -ENODEV.

Fixes: f67cf491175a ("thunderbolt: Add support for Internal Connection Manager (ICM)")
Signed-off-by: Mika Westerberg
Reviewed-by: Andy Shevchenko
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 0488d22ae76714fa91e007edc54d727f3a551138
Author: Liam Girdwood
Date: Tue Mar 27 12:04:04 2018 +0100

ASoC: topology: Fix kcontrol name string handling

commit 267e2c6fd7ca3d4076d20f9d52d49dc91addfe9d upstream.
Fix the topology kcontrol string handling so that string pointer references are strdup()ed instead of being copied. This fixes issues with kcontrol templates on the stack or ones that are freed. Remember and free the strings too when topology is unloaded.

Signed-off-by: Liam Girdwood
Signed-off-by: Mark Brown
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit 28c1acef7e192638055907a7c24515f7aec23cda
Author: James Kelly
Date: Mon Mar 19 21:29:50 2018 +1100

ASoC: ssm2602: Replace reg_default_raw with reg_default

commit a01df75ce737951ad13a08d101306e88c3f57cb2 upstream.

The SSM2602 driver is broken on recent kernels (at least since 4.9). User space applications such as amixer or alsamixer get EIO when attempting to access codec controls via the relevant IOCTLs.

The root cause of these failures is the regcache_hw_init function in drivers/base/regmap/regcache.c, which prevents regmap cache initialization from the reg_defaults_raw element of the regmap_config structure when registers are write only. It also disables the regmap cache entirely when all registers are write only or volatile, as is the case for the SSM2602 driver.

Using the reg_defaults element of the regmap_config structure rather than the reg_defaults_raw element to initialize the regmap cache avoids the logic in the regcache_hw_init function entirely. It also makes this driver consistent with other ASoC codec drivers, as this driver was the ONLY codec driver that used the reg_defaults_raw element to initialize the cache.

Tested on a Digilent Zybo Z7 development board which has a SSM2603 codec chip connected to a Xilinx Zynq SoC.

Signed-off-by: James Kelly
Signed-off-by: Mark Brown
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman

commit d705c2a82ae84af214def3918e206b773a597a63
Author: Sean Wang
Date: Fri Feb 9 02:07:59 2018 +0800

soc: mediatek: fix the mistaken pointer accessed when subdomains are added

commit 73ce2ce129783813e1ebc37d2c757fe5e0fab1ef upstream.

Fix the pointer to struct scp_subdomian not being moved forward when each sub-domain is expected to be iteratively added through the pm_genpd_add_subdomain call.

Cc: [email protected]
Fixes: 53fddb1a66dd ("soc: mediatek: reduce code duplication of scpsys_probe across all SoCs")
Reported-by: Weiyi Lu
Signed-off-by: Sean Wang
Signed-off-by: Matthias Brugger
Signed-off-by: Greg Kroah-Hartman

commit 6488aac9b75286d734004d86cc583c6afc983d3d
Author: Aaron Ma
Date: Mon Jan 8 10:41:41 2018 +0800

HID: core: Fix size as type u32

commit 6de0b13cc0b4ba10e98a9263d7a83b940720b77a upstream.

When size is negative, calling memset will cause a segmentation fault. Declare the size as type u32 to keep memset safe.

size in struct hid_report is unsigned; fix the return type of hid_report_len to u32.

Cc: [email protected]
Signed-off-by: Aaron Ma
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman

commit dd19d2f1bcd73f3e45533df78f8310f3fdd1504e
Author: Aaron Ma
Date: Sat Feb 3 23:57:15 2018 +0800

HID: Fix hid_report_len usage

commit 3064a03b94e60388f0955fcc29f3e8a978d28f75 upstream.

Following the change of the return type of hid_report_len to u32, fix the types of all variables that receive the return value of hid_report_len to u32; all other code already uses u32.

Cc: [email protected]
Signed-off-by: Aaron Ma
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman

commit 0ea1574a2243746cba44ae1479c09b0b8701b9a2
Author: Yan, Zheng
Date: Mon Mar 26 16:46:39 2018 +0800

ceph: always update atime/mtime/ctime for new inode

commit ffdeec7aa41aa61ca4ee68fddf4669df9ce661d1 upstream.

For a new inode, atime/mtime/ctime are uninitialized. Don't compare against them.

Cc: [email protected]
Signed-off-by: "Yan, Zheng"
Reviewed-by: Ilya Dryomov
Signed-off-by: Ilya Dryomov
Signed-off-by: Greg Kroah-Hartman

commit 6101b68f1685cf02fc03725c9eb9f25537938dba
Author: Michael Ellerman
Date: Thu Apr 12 11:35:55 2018 +1000

powerpc/mm/radix: Fix checkstops caused by invalid tlbiel

commit 2675c13b293a007b7b7f8229514126bd23df09a7 upstream.

In tlbiel_radix_set_isa300() we use the PPC_TLBIEL() macro to construct tlbiel instructions. The instruction takes 5 fields, two of which are registers, and the others are constants. But because it's constructed with inline asm the compiler doesn't know that.

We got the constraint wrong on the 'r' field: using "r" tells the compiler to put the value in a register. The value we then get in the macro is the *register number*, not the value of the field.

That means when we mask the register number with 0x1 we get 0 or 1 depending on which register the compiler happens to put the constant in, eg:

  li r10,1
  tlbiel r8,r9,2,0,0

  li r7,1
  tlbiel r10,r6,0,0,1

If we're unlucky we might generate an invalid instruction form, for example RIC=0, PRS=1 and R=0, tlbiel r8,r7,0,1,0; this has been observed to cause machine checks:

  Oops: Machine check, sig: 7 [#1]
  CPU: 24 PID: 0 Comm: swapper
  NIP: 00000000000385f4 LR: 000000000100ed00 CTR: 000000000000007f
  REGS: c00000000110bb40 TRAP: 0200
  MSR: 9000000000201003 CR: 48002222 XER: 20040000
  CFAR: 00000000000385d0 DAR: 0000000000001c00 DSISR: 00000200 SOFTE: 1

If the machine check happens early in boot while we have MSR_ME=0 it will escalate into a checkstop and kill the box entirely.

To fix it we could change the inline asm constraint to "i" which tells the compiler the value is a constant. But a better fix is to just pass a literal 1 into the macro, which bypasses any problems with inline asm constraints.

Fixes: d4748276ae14 ("powerpc/64s: Improve local TLB flush for boot and MCE on POWER9")
Cc: [email protected] # v4.16+
Signed-off-by: Michael Ellerman
Reviewed-by: Nicholas Piggin
Signed-off-by: Greg Kroah-Hartman

commit d753ee67b076c3f22cf426114033d09fda8cb348
Author: Nicholas Piggin
Date: Tue Apr 10 21:49:33 2018 +1000

powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops

commit 3b8070335f751aac9f1526ae2e012e6f5b8b0f21 upstream.

The OPAL NVRAM driver does not sleep in case it gets OPAL_BUSY or OPAL_BUSY_EVENT from firmware, which causes large scheduling latencies, and various lockup errors to trigger (again, BMC reboot can cause it).

Fix this by converting it to the standard form OPAL_BUSY loop that sleeps.

Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks")
Depends-on: 34dd25de9fe3 ("powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops")
Cc: [email protected] # v3.2+
Signed-off-by: Nicholas Piggin
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 561ea13c1ffc1d7e7a7d634e7ef5f8b697aad7cc
Author: Nicholas Piggin
Date: Tue Apr 10 21:49:31 2018 +1000

powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops

commit 34dd25de9fe3f60bfdb31b473bf04b28262d0896 upstream.

This is the start of an effort to tidy up and standardise all the delays. Existing loops have a range of delay/sleep periods from 1ms to 20ms, and some have no delay. They all loop forever except rtc, which times out after 10 retries, and that uses 10ms delays. So use 10ms as our standard delay. The OPAL maintainer agrees 10ms is a reasonable starting point.

The idea is to use the same recipe everywhere; once this is proven to work then it will be documented as an OPAL API standard. Then both firmware and OS can agree, and if a particular call needs something else, then that can be documented with reasoning.
This is not the end-all of this effort; it's just a relatively easy change that fixes some existing high latency delays. There should be provision for standardising timeouts and/or interruptible loops where possible, so non-fatal firmware errors don't cause hangs.

Signed-off-by: Nicholas Piggin
Signed-off-by: Michael Ellerman
Cc: Nathan Chancellor
Cc: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman

commit ac0db0ecc55726867234e114a534ffe3df2809c6
Author: Thiago Jung Bauermann
Date: Thu Mar 29 16:05:43 2018 -0300

powerpc/kexec_file: Fix error code when trying to load kdump kernel

commit bf8a1abc3ddbd6e9a8312ea7d96e5dd89c140f18 upstream.

kexec_file_load() on powerpc doesn't support kdump kernels yet, so it returns -ENOTSUPP in that case.

I've recently learned that this errno is internal to the kernel and isn't supposed to be exposed to userspace. Therefore, change to -EOPNOTSUPP which is defined in an uapi header.

This does indeed make kexec-tools happier. Before the patch, on ppc64le:

  # ~bauermann/src/kexec-tools/build/sbin/kexec -s -p /boot/vmlinuz
  kexec_file_load failed: Unknown error 524

After the patch:

  # ~bauermann/src/kexec-tools/build/sbin/kexec -s -p /boot/vmlinuz
  kexec_file_load failed: Operation not supported

Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()")
Cc: [email protected] # v4.10+
Reported-by: Dave Young
Signed-off-by: Thiago Jung Bauermann
Reviewed-by: Simon Horman
Reviewed-by: Dave Young
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 4c75c8fa8a3b981ba402aec35e5340b9549f2c70
Author: Naveen N. Rao
Date: Wed Jan 17 17:52:24 2018 +0530

powerpc/kprobes: Fix call trace due to incorrect preempt count

commit e6e133c47e6bd4d5dac05b35d06634a8e5648615 upstream.

Michael Ellerman reported the following call trace when running ftracetest:

  BUG: using __this_cpu_write() in preemptible [00000000] code: ftracetest/6178
  caller is opt_pre_handler+0xc4/0x110
  CPU: 1 PID: 6178 Comm: ftracetest Not tainted 4.15.0-rc7-gcc6x-gb2cd1df #1
  Call Trace:
  [c0000000f9ec39c0] [c000000000ac4304] dump_stack+0xb4/0x100 (unreliable)
  [c0000000f9ec3a00] [c00000000061159c] check_preemption_disabled+0x15c/0x170
  [c0000000f9ec3a90] [c000000000217e84] opt_pre_handler+0xc4/0x110
  [c0000000f9ec3af0] [c00000000004cf68] optimized_callback+0x148/0x170
  [c0000000f9ec3b40] [c00000000004d954] optinsn_slot+0xec/0x10000
  [c0000000f9ec3e30] [c00000000004bae0] kretprobe_trampoline+0x0/0x10

This is showing up since OPTPROBES is now enabled with CONFIG_PREEMPT.

trampoline_probe_handler() considers itself to be a special kprobe handler for kretprobes. In doing so, it expects to be called from kprobe_handler() on a trap, and re-enables preemption before returning a non-zero return value so as to suppress any subsequent processing of the trap by the kprobe_handler().

However, with optprobes, we don't deal with special handlers (we ignore the return code) and just try to re-enable preemption, causing the above trace.

To address this, modify trampoline_probe_handler() to not be special. The only additional processing done in kprobe_handler() is to emulate the instruction (in this case, a 'nop'). We adjust the value of regs->nip for the purpose and delegate the job of re-enabling preemption and resetting the current kprobe to the probe handlers (kprobe_handler() or optimized_callback()).

Fixes: 8a2d71a3f273 ("powerpc/kprobes: Disable preemption before invoking probe handler for optprobes")
Cc: [email protected] # v4.15+
Reported-by: Michael Ellerman
Signed-off-by: Naveen N. Rao
Acked-by: Ananth N Mavinakayanahalli
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 54bde5798c937f0699812781283aacab26822ae1
Author: Nicholas Piggin
Date: Thu Mar 22 20:41:46 2018 +1000

powerpc/64: Fix smp_wmb barrier definition to use lwsync consistently

commit 0bfdf598900fd62869659f360d3387ed80eb71cf upstream.

asm/barrier.h is not always included after asm/synch.h, which meant it was missing __SUBARCH_HAS_LWSYNC, so in some files smp_wmb() would be eieio when it should be lwsync. kernel/time/hrtimer.c is one case.

__SUBARCH_HAS_LWSYNC is only used in one place, so just fold it in to where it's used. Previously, with my small simulator config, there were 377 instances of eieio in the tree. After this patch there are 55.

Fixes: 46d075be585e ("powerpc: Optimise smp_wmb")
Cc: [email protected] # v2.6.29+
Signed-off-by: Nicholas Piggin
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit bc94cbac7fa13103b5b094f6c5a3a6fd6b97536b
Author: Paul Mackerras
Date: Thu Feb 16 16:03:39 2017 +1100

powerpc/64: Call H_REGISTER_PROC_TBL when running as a HPT guest on POWER9

commit dbfcf3cb9c681aa0c5d0bb46068f98d5b1823dd3 upstream.

On POWER9, since commit cc3d2940133d ("powerpc/64: Enable use of radix MMU under hypervisor on POWER9", 2017-01-30), we set both the radix and HPT bits in the client-architecture-support (CAS) vector, which tells the hypervisor that we can do either radix or HPT.

According to PAPR, if we use this combination we are promising to do a H_REGISTER_PROC_TBL hcall later on to let the hypervisor know whether we are doing radix or HPT. We currently do this call if we are doing radix but not if we are doing HPT. If the hypervisor is able to support both radix and HPT guests, it would be entitled to defer allocation of the HPT until the H_REGISTER_PROC_TBL call, and to fail any attempts to create HPTEs until the H_REGISTER_PROC_TBL call.

Thus we need to do a H_REGISTER_PROC_TBL call when we are doing HPT; otherwise we may crash at boot time.

This adds the code to call H_REGISTER_PROC_TBL in this case, before we attempt to create any HPT entries using H_ENTER.

Fixes: cc3d2940133d ("powerpc/64: Enable use of radix MMU under hypervisor on POWER9")
Cc: [email protected] # v4.11+
Signed-off-by: Paul Mackerras
Reviewed-by: Suraj Jitindar Singh
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 12af91ffeef8cba68b21e15d03520021a7cdb7ff
Author: Nicholas Piggin
Date: Thu Apr 5 15:50:49 2018 +1000

powerpc/64s: Fix dt_cpu_ftrs to have restore_cpu clear unwanted LPCR bits

commit a57ac411832384eb93df4bfed2bf644c4089720e upstream.

Presently the dt_cpu_ftrs restore_cpu will only add bits to the LPCR for secondaries, but some bits must be removed (e.g., UPRT for HPT). Not clearing these bits on secondaries causes checkstops when booting with disable_radix.

restore_cpu can not just set LPCR, because it is also called by the idle wakeup code which relies on opal_slw_set_reg to restore the value of LPCR, at least on P8 which does not save LPCR to stack in the idle code.

Fix this by including a mask of bits to clear from LPCR as well, which is used by restore_cpu.

This is a little messy now, but it's a minimal fix that can be backported. Longer term, the idle SPR save/restore code can be reworked to completely avoid calls to restore_cpu; then restore_cpu would be able to unconditionally set LPCR to match the boot processor environment.

Fixes: 5a61ef74f269f ("powerpc/64s: Support new device tree binding for discovering CPU features")
Cc: [email protected] # v4.12+
Signed-off-by: Nicholas Piggin
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 9ffa9b9d635c92c8e3fea47bb22b24993ab34b22
Author: Michael Neuling
Date: Mon Mar 26 15:17:07 2018 +1100

powerpc/eeh: Fix race with driver un/bind

commit f0295e047fcf52ccb42561fb7de6942f5201b676 upstream.
The current EEH callbacks can race with a driver unbind. This can result in a backtraces like this: EEH: Frozen PHB#0-PE#1fc detected EEH: PE location: S000009, PHB location: N/A CPU: 2 PID: 2312 Comm: kworker/u258:3 Not tainted 4.15.6-openpower1 #2 Workqueue: nvme-wq nvme_reset_work [nvme] Call Trace: dump_stack+0x9c/0xd0 (unreliable) eeh_dev_check_failure+0x420/0x470 eeh_check_failure+0xa0/0xa4 nvme_reset_work+0x138/0x1414 [nvme] process_one_work+0x1ec/0x328 worker_thread+0x2e4/0x3a8 kthread+0x14c/0x154 ret_from_kernel_thread+0x5c/0xc8 nvme nvme1: Removing after probe failure status: -19 cpu 0x23: Vector: 300 (Data Access) at [c000000ff50f3800] pc: c0080000089a0eb0: nvme_error_detected+0x4c/0x90 [nvme] lr: c000000000026564: eeh_report_error+0xe0/0x110 sp: c000000ff50f3a80 msr: 9000000000009033 dar: 400 dsisr: 40000000 current = 0xc000000ff507c000 paca = 0xc00000000fdc9d80 softe: 0 irq_happened: 0x01 pid = 782, comm = eehd Linux version 4.15.6-openpower1 (smc@smc-desktop) (gcc version 6.4.0 (Buildroot 2017.11.2-00008-g4b6188e)) #2 SM P Tue Feb 27 12:33:27 PST 2018 enter ? for help eeh_report_error+0xe0/0x110 eeh_pe_dev_traverse+0xc0/0xdc eeh_handle_normal_event+0x184/0x4c4 eeh_handle_event+0x30/0x288 eeh_event_handler+0x124/0x170 kthread+0x14c/0x154 ret_from_kernel_thread+0x5c/0xc8 The first part is an EEH (on boot), the second half is the resulting crash. nvme probe starts the nvme_reset_work() worker thread. This worker thread starts touching the device which see a device error (EEH) and hence queues up an event in the powerpc EEH worker thread. nvme_reset_work() then continues and runs nvme_remove_dead_ctrl_work() which results in unbinding the driver from the device and hence releases all resources. At the same time, the EEH worker thread starts doing the EEH .error_detected() driver callback, which no longer works since the resources have been freed. This fixes the problem in the same way the generic PCIe AER code (in drivers/pci/pcie/aer/aerdrv_core.c) does. 
It makes the EEH code hold the device_lock() while performing the driver EEH callbacks and associated code. This ensures either the callbacks are no longer register, or if they are registered the driver will not be removed from underneath us. This has been broken forever. The EEH call backs were first introduced in 2005 (in 77bd7415610) but it’s not clear if a lock was needed back then. Fixes: 77bd74156101 ("[PATCH] powerpc: PCI Error Recovery: PPC64 core recovery routines”) Cc: [email protected] # v2.6.16+ Signed-off-by: Michael Neuling Reviewed-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit e15d712ed7d8cf6d35e397cd2dbcebebbf476d7c Author: Nicholas Piggin Date: Tue Mar 27 01:02:33 2018 +1000 powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() commit 741de617661794246f84a21a02fc5e327bffc9ad upstream. opal_nvram_write currently just assumes success if it encounters an error other than OPAL_BUSY or OPAL_BUSY_EVENT. Have it return -EIO on other errors instead. Fixes: 628daa8d5abf (“powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks”) Cc: [email protected] # v3.2+ Signed-off-by: Nicholas Piggin Reviewed-by: Vasant Hegde Acked-by: Stewart Smith Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit e400e6a8252bd5dfcd76ae783ed43f3a59264c02 Author: Nicholas Piggin Date: Thu Apr 5 15:57:54 2018 +1000 powerpc/64s: Fix pkey support in dt_cpu_ftrs, add CPU_FTR_PKEY bit commit c130153e453cba0f37ad10fa18a1aa9c9a598a59 upstream. The pkey code added a CPU_FTR_PKEY bit, but did not add it to the dt_cpu_ftrs feature set. Although capability is supported by all processors in the base dt_cpu_ftrs set for 64s, it’s a significant and sufficiently well defined feature to make it optional. So add it as a quirk for now, which can be versioned out then controlled by the firmware (once dt_cpu_ftrs gains versioning support). 
Fixes: cf43d3b26452 (“powerpc: Enable pkey subsystem”) Cc: [email protected] # v4.16+ Cc: Ram Pai Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 2c9dacf5bfe1e45d96dfe97cb71d2b717786a7b9 Author: Takashi Iwai Date: Tue Apr 10 19:05:13 2018 +0200 swiotlb: fix unexpected swiotlb_alloc_coherent failures commit 9e7f06c8beee304ee21b791653fefcd713f48b9a upstream. The code refactoring by commit 0176adb00406 (“swiotlb: refactor coherent buffer allocation”) made swiotlb_alloc_buffer almost always failing due to a thinko: namely, the function evaluates the dma_coherent_ok call incorrectly and dealing as if it’s invalid. This ends up with weird errors like iwlwifi probe failure or amdgpu screen flickering. This patch corrects the logic error. Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1088658 Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1088902 Fixes: 0176adb00406 (“swiotlb: refactor coherent buffer allocation”) Cc: # v4.16+ Signed-off-by: Takashi Iwai Signed-off-by: Christoph Hellwig Cc: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit f8a7eccf97d352de9b5ccf0606f0d13c8a3d5e46 Author: Gustavo A. R. Silva Date: Mon Feb 19 11:11:13 2018 -0600 CIFS: fix sha512 check in cifs_crypto_secmech_release commit 70e80655f58e17a2e38e577e1b4fa7a8c99619a0 upstream. It seems this is a copy-paste error and that the proper variable to use in this particular case is _sha512_ instead of _md5_. Addresses-Coverity-ID: 1465358 (“Copy-paste error”) Fixes: 1c6614d229e7 (“CIFS: add sha512 secmech”) Signed-off-by: Gustavo A. R. Silva Reviewed-by: Aurelien Aptel CC: Stable Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 4baf0819b61d677aebd59113ab68c3bafc08d2dc Author: Aurelien Aptel Date: Fri Feb 16 19:19:29 2018 +0100 CIFS: implement v3.11 preauth integrity commit 8bd68c6e47abff34e412a0c68cecb4a36bf0198b upstream. SMB3.11 clients must implement pre-authentification integrity. 
* new mechanism to certify requests/responses happening before Tree Connect. * supersedes VALIDATE_NEGOTIATE * fixes signing for SMB3.11 Signed-off-by: Aurelien Aptel Signed-off-by: Steve French CC: Stable Reviewed-by: Ronnie Sahlberg Signed-off-by: Greg Kroah-Hartman commit 2d677c0617a1d450f1e61aac3ba7841fb69fdf43 Author: Aurelien Aptel Date: Fri Feb 16 19:19:28 2018 +0100 CIFS: add sha512 secmech commit 5fcd7f3f966f37f3f9a215af4cc1597fe338d0d5 upstream. * prepare for SMB3.11 pre-auth integrity * enable sha512 when SMB311 is enabled in Kconfig * add sha512 as a soft dependency Signed-off-by: Aurelien Aptel Signed-off-by: Steve French CC: Stable Reviewed-by: Ronnie Sahlberg Signed-off-by: Greg Kroah-Hartman commit 2ad7ada35f3142c69d081f5703749a572d4657a8 Author: Aurelien Aptel Date: Fri Feb 16 19:19:27 2018 +0100 CIFS: refactor crypto shash/sdesc allocation&free commit 82fb82be05585426405667dd5f0510aa953ba439 upstream. shash and sdesc and always allocated and freed together. * abstract this in new functions cifs_alloc_hash() and cifs_free_hash(). * make smb2/3 crypto allocation independent from each other. Signed-off-by: Aurelien Aptel Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg CC: Stable Signed-off-by: Greg Kroah-Hartman commit a64854c5b2bae82d06baf665dd8b7c2fc20e8c94 Author: Jean Delvare Date: Wed Apr 11 18:05:34 2018 +0200 i2c: i801: Restore configuration at shutdown commit f7f6d915a10f7f2bce17e3b1b7d3376562395a28 upstream. On some systems, the BIOS expects certain SMBus register values to match the hardware defaults. Restore these configuration registers at shutdown time to avoid confusing the BIOS. This avoids hard-locking such systems upon reboot. 
    Signed-off-by: Jean Delvare
    Tested-by: Jason Andryuk
    Signed-off-by: Wolfram Sang
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman

commit 8598c72001ad5935f03266f0befc5779567ed933
Author: Jean Delvare
Date:   Wed Apr 11 18:03:31 2018 +0200

    i2c: i801: Save register SMBSLVCMD value only once

    commit a086bb8317303dd74725dca933b9b29575159382 upstream.

    Saving the original value of register SMBSLVCMD in
    i801_enable_host_notify() doesn't work, because this function is called
    not only at probe time but also at resume time. Do it in i801_probe()
    instead, so that the saved value is not overwritten at resume time.

    Signed-off-by: Jean Delvare
    Fixes: 22e94bd6779e ("i2c: i801: store and restore the SLVCMD register at load and unload")
    Reviewed-by: Benjamin Tissoires
    Tested-by: Jason Andryuk
    Signed-off-by: Wolfram Sang
    Cc: [email protected] # v4.10+
    Signed-off-by: Greg Kroah-Hartman

commit 0d9717769b126275259688a8bffe7e240454b63b
Author: Aaron Ma
Date:   Mon Jan 8 10:41:40 2018 +0800

    HID: i2c-hid: fix size check and type usage

    commit ac75a041048b8c1f7418e27621ca5efda8571043 upstream.

    When converting a char array to signed int, if inbuf[x] is negative then
    the upper bits will be set to 1. Fix this by using u8 instead of char.

    ret_size has to be at least 3; hid_input_report uses it after
    subtracting 2 bytes.

    Cc: [email protected]
    Signed-off-by: Aaron Ma
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit 9ee0150d47ce1868b193af67c071a5679f8803c0
Author: Steve French
Date:   Sat Mar 31 18:13:38 2018 -0500

    smb3: Fix root directory when server returns inode number of zero

    commit 7ea884c77e5c97f1e0a1a422d961d27f78ca2745 upstream.

    Some servers return inode number zero for the root directory, which
    causes ls to display incorrect data (missing "." and "…").

    If the server returns zero for the inode number of the root directory,
    fake an inode number for it.
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    CC: Stable
    Signed-off-by: Greg Kroah-Hartman

commit f0dbaa68627956280a2bae5d1873c2441fe45949
Author: Long Li
Date:   Fri Mar 30 15:16:36 2018 -0700

    cifs: smbd: disconnect transport on RDMA errors

    commit 21a4e14aaedbc85f203d37e56cb26235b22b43f6 upstream.

    On RDMA errors, transport should disconnect the RDMA CM connection. This
    will notify the upper layer, and it will attempt transport reconnect.

    Signed-off-by: Long Li
    Signed-off-by: Steve French
    Reviewed-by: Ronnie Sahlberg
    CC: Stable
    Signed-off-by: Greg Kroah-Hartman

commit a493112a9f419037ecd85f3e20a51a8d7c4ba420
Author: Long Li
Date:   Fri Mar 30 15:16:35 2018 -0700

    cifs: smbd: avoid reconnect lockup

    commit 48f238a79f668f8ff013024d83010de551833d7f upstream.

    During transport reconnect, other processes may have registered memory
    and blocked on transport. This creates a deadlock situation because the
    transport resources can't be freed, and reconnect is blocked.

    Fix this by returning to upper layer on timeout. Before returning,
    transport status is set to reconnecting so other processes will release
    memory registration resources. Upper layer will retry the reconnect.

    This is not in fast I/O path so setting the timeout to 5 seconds.

    Signed-off-by: Long Li
    Signed-off-by: Steve French
    Reviewed-by: Ronnie Sahlberg
    CC: Stable
    Signed-off-by: Greg Kroah-Hartman

commit a25429c88fb8c1e43b5a16845bd5bd20791416b3
Author: Steve French
Date:   Tue Mar 13 02:29:36 2018 -0500

    Tree connect for SMB3.1.1 must be signed for non-encrypted shares

    commit 6188f28bf608ddecc2377663b0f2f709440c19ba upstream.

    SMB3.1.1 tree connect was only being signed when signing was mandatory
    but needs to always be signed (for non-guest users).
    See MS-SMB2 section 3.2.4.1.1

    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    CC: Stable
    Signed-off-by: Greg Kroah-Hartman

commit 92ce78fc78dd299f938e7c40a50e7b28eedf5a96
Author: Ronnie Sahlberg
Date:   Tue Feb 20 12:45:21 2018 +1100

    fix smb3-encryption breakage when CONFIG_DEBUG_SG=y

    commit 262916bc69faf90104aa784d55e10760a4199594 upstream.

    We can not use the standard sg_set_buf() function since when
    CONFIG_DEBUG_SG=y this adds a check that will BUG_ON for cifs.ko when
    we pass it an object from the stack.

    Create a new wrapper smb2_sg_set_buf() which avoids doing that
    particular check and use it for smb3 encryption instead.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    CC: Stable
    Signed-off-by: Greg Kroah-Hartman

commit 4c41d9307183961398e4ba20aa79010568f0ea78
Author: Ronnie Sahlberg
Date:   Tue Feb 13 15:42:30 2018 +1100

    cifs: fix memory leak in SMB2_open()

    commit b7a73c84eb96dabd6bb8e9d7c56f796d83efee8e upstream.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    CC: Stable
    Signed-off-by: Greg Kroah-Hartman

commit c3d0f44576923b0106197adf269e6ac377c20df3
Author: Felipe Balbi
Date:   Mon Mar 26 13:14:47 2018 +0300

    usb: dwc3: gadget: never call ->complete() from ->ep_queue()

    commit c91815b596245fd7da349ecc43c8def670d2269e upstream.

    This is a requirement which has always existed but, somehow, wasn't
    reflected in the documentation and problems weren't found until now
    when Tuba Yavuz found a possible deadlock happening between dwc3 and
    f_hid.
    She described the situation as follows:

        spin_lock_irqsave(&hidg->write_spinlock, flags); // first acquire
        /* we our function has been disabled by host */
        if (!hidg->req) {
                free_ep_req(hidg->in_ep, hidg->req);
                goto try_again;
        }

        [...]

        status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
        => [...]
          => usb_gadget_giveback_request
            => f_hidg_req_complete
              => spin_lock_irqsave(&hidg->write_spinlock, flags); // second acquire

    Note that this happens because dwc3 would call ->complete() on a failed
    usb_ep_queue() due to failed Start Transfer command. This is, anyway, a
    theoretical situation because dwc3 currently uses "No Response Update
    Transfer" command for Bulk and Interrupt endpoints.

    It's still good to make this case impossible to happen even if the "No
    Response Update Transfer" command is changed.

    Reported-by: Tuba Yavuz
    Signed-off-by: Felipe Balbi
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit 9a5db1f1d652cbb88a5d89822c59ec34d52a6105
Author: Thinh Nguyen
Date:   Mon Mar 19 13:07:35 2018 -0700

    usb: dwc3: pci: Properly cleanup resource

    commit cabdf83dadfb3d83eec31e0f0638a92dbd716435 upstream.

    Platform device is allocated before adding resources. Make sure to
    properly cleanup on error case.

    Cc:
    Fixes: f1c7e7108109 ("usb: dwc3: convert to pcim_enable_device()")
    Signed-off-by: Thinh Nguyen
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 15c8f74fcaf75116598f927f2804c1cd6bf0e69d
Author: Roger Quadros
Date:   Tue Feb 27 12:54:37 2018 +0200

    usb: dwc3: prevent setting PRTCAP to OTG from debugfs

    commit daaecc6541d014dca073473ec8a4120c0babbeb4 upstream.

    We don't support PRTCAP == OTG yet, so prevent user from setting it via
    debugfs.
    Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly")
    Cc: # v4.12+
    Signed-off-by: Roger Quadros
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 547466fa26e6cb9696751cd92c146665ced6765c
Author: Zhengjun Xing
Date:   Wed Mar 21 13:29:42 2018 +0800

    USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw

    commit 64627388b50158fd24d6ad88132525b95a5ef573 upstream.

    USB3 hubs don't support global suspend.

    USB3 specification 10.10, Enhanced SuperSpeed hubs only support
    selective suspend and resume, they do not support global suspend/resume
    where the hub downstream facing ports states are not affected.

    When system enters hibernation it first enters freeze process where
    only the root hub enters suspend, usb_port_suspend() is not called for
    other devices, and suspend status flags are not set for them. Other
    devices are expected to suspend globally. Some external USB3 hubs will
    suspend the downstream facing port at global suspend. These devices
    won't be resumed at thaw as the suspend status flag is not set.

    A USB3 removable hard disk connected through a USB3 hub that won't
    resume at thaw will fail to synchronize SCSI cache, return "cmd cmplt
    err -71" error, and needs a 60 seconds timeout which causes the system
    to hang for 60s before the USB host reset the port for the USB3
    removable hard disk to recover.

    Fix this by always calling usb_port_suspend() during freeze for USB3
    devices.

    Signed-off-by: Zhengjun Xing
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

commit 786513e10cac3cd45b82668fe50d2e9f033c667b
Author: Yavuz, Tuba
Date:   Fri Mar 23 17:00:38 2018 +0000

    USB: gadget: f_midi: fixing a possible double-free in f_midi

    commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f upstream.

    It looks like there is a possibility of a double-free vulnerability on
    an error path of the f_midi_set_alt function in the f_midi driver.
    If the path is feasible then free_ep_req gets called twice:

        req->complete = f_midi_complete;
        err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
          => ...
            usb_gadget_giveback_request
              =>
                f_midi_complete (CALLBACK)
                  (inside f_midi_complete, for various cases of status)
                  free_ep_req(ep, req); // first kfree
        if (err) {
                ERROR(midi, "%s: couldn't enqueue request: %d\n",
                      midi->out_ep->name, err);
                free_ep_req(midi->out_ep, req); // second kfree
                return err;
        }

    The double-free possibility was introduced with commit ad0d1a058eac
    ("usb: gadget: f_midi: fix leak on failed to enqueue out requests").

    Found by MOXCAFE tool.

    Signed-off-by: Tuba Yavuz
    Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
    Acked-by: Felipe Balbi
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

commit 4a64b3932f519eb9acd5d8fd65d06e27ced70f06
Author: Dan Williams
Date:   Wed Mar 28 10:44:50 2018 -0700

    acpi, nfit: rework NVDIMM leaf method detection

    commit 466d1493ea830789a2f063f478aaed2e324f0d3d upstream.

    Some BIOSen do not handle 0-byte transfer lengths for the _LSR and _LSW
    (label storage read/write) methods. This causes Linux to fallback to
    the deprecated _DSM path, or otherwise disable label support.

    Introduce acpi_nvdimm_has_method() to detect whether a method is
    available rather than calling the method, require _LSI and _LSR to be
    paired, and require read support before enabling write support.

    Cc:
    Fixes: 4b27db7e26cd ("acpi, nfit: add support for the _LS…")
    Suggested-by: Erik Schmauss
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman

commit ad393296dc75c9cad26aaf019a8a0aa664bed51b
Author: Mika Westerberg
Date:   Mon Feb 12 13:55:23 2018 +0300

    ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status()

    commit 13d3047c81505cc0fb9bdae7810676e70523c8bf upstream.

    Mike Lothian reported that plugging in a USB-C device does not work
    properly in his Dell Alienware system. This system has an Intel Alpine
    Ridge Thunderbolt controller providing USB-C functionality.
    In these systems the USB controller (xHCI) is hotplugged whenever a
    device is connected to the port using ACPI-based hotplug. The ACPI
    description of the root port in question is as follows:

        Device (RP01)
        {
            Name (_ADR, 0x001C0000)
            Device (PXSX)
            {
                Name (_ADR, 0x02)
                Method (_RMV, 0, NotSerialized)
                {
                    // …
                }
            }
        }

    Here _ADR 0x02 means device 0, function 2 on the bus under root port
    (RP01) but that seems to be incorrect because device 0 is the upstream
    port of the Alpine Ridge PCIe switch and it has no functions other than
    0 (the bridge itself). When we get ACPI Notify() to the root port
    resulting from connecting a USB-C device, Linux tries to read
    PCI_VENDOR_ID from device 0, function 2 which of course always returns
    0xffffffff because there is no such function and we never find the
    device.

    In Windows this works fine.

    Now, since we get ACPI Notify() to the root port and not to the PXSX
    device we should actually start our scan from there as well and not
    from the non-existent PXSX device. Fix this by checking presence of the
    slot itself (function 0) if we fail to do that otherwise.

    While there, use pci_bus_read_dev_vendor_id() in get_slot_status(),
    which is the recommended way to read Device and Vendor IDs of devices
    on PCI buses.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=198557
    Reported-by: Mike Lothian
    Signed-off-by: Mika Westerberg
    Signed-off-by: Bjorn Helgaas
    Reviewed-by: Rafael J. Wysocki
    Cc: Greg Kroah-Hartman
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman

commit 13a579991d0d200e841b5f0291ded188a4c281a5
Author: Hans de Goede
Date:   Mon Mar 19 18:01:45 2018 +0100

    ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E

    commit bbf038618a24d72e2efc19146ef421bb1e1eda1a upstream.

    Just like many other Samsung models, the 670Z5E needs to use the
    acpi-video backlight interface rather than the native one for backlight
    control to work, add a quirk for this.
    Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1557060
    Cc: All applicable
    Signed-off-by: Hans de Goede
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 320c85dcdc350cfa1f9dc743c956afe91519973c
Author: Dan Carpenter
Date:   Thu Feb 8 10:23:44 2018 +0300

    regmap: Fix reversed bounds check in regmap_raw_write()

    commit f00e71091ab92eba52122332586c6ecaa9cd1a56 upstream.

    We're supposed to be checking that "val_len" is not too large but
    instead we check if it is smaller than the max.

    The only function affected would be regmap_i2c_smbus_i2c_write() in
    drivers/base/regmap/regmap-i2c.c. Strangely that function has its own
    limit check which returns an error if (count >= I2C_SMBUS_BLOCK_MAX) so
    it doesn't look like it has ever been able to do anything except return
    an error.

    Fixes: c335931ed9d2 ("regmap: Add raw_write/read checks for max_raw_write/read sizes")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Mark Brown
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman

commit 3f8a27b1bb3627edbbe4c2f7a7626e678e16d9a9
Author: Jason Andryuk
Date:   Mon Mar 19 12:58:04 2018 -0400

    x86/xen: Delay get_cpu_cap until stack canary is established

    commit 36104cb9012a82e73c32a3b709257766b16bcd1d upstream.

    Commit 2cc42bac1c79 ("x86-64/Xen: eliminate W+X mappings") introduced a
    call to get_cpu_cap, which is fstack-protected. This works on x86-64 as
    commit 4f277295e54c ("x86/xen: init %gs very early to avoid page faults
    with stack protector") ensures the stack protector is configured, but
    it did not cover x86-32.

    Delay calling get_cpu_cap until after xen_setup_gdt has initialized the
    stack canary. Without this, a 32bit PV machine crashes early in boot.
        (XEN) Domain 0 (vcpu#0) crashed on cpu#0:
        (XEN) ----[ Xen-4.6.6-xc  x86_64  debug=n  Tainted:    C ]----
        (XEN) CPU:    0
        (XEN) RIP:    e019:[<00000000c10362f8>]

    And the PV kernel IP corresponds to init_scattered_cpuid_features

        0xc10362f8 <+24>:    mov    %gs:0x14,%eax

    Fixes: 2cc42bac1c79 ("x86-64/Xen: eliminate W+X mappings")
    Signed-off-by: Jason Andryuk
    Reviewed-by: Boris Ostrovsky
    Signed-off-by: Boris Ostrovsky
    Signed-off-by: Greg Kroah-Hartman

commit ba8761d349d671ffd8296082abd3c117030a84de
Author: Kieran Bingham
Date:   Mon Mar 26 09:29:17 2018 -0400

    media: vsp1: Fix BRx conditional path in WPF

    commit 639fa43d59e5a41ca8c55592cd5c1021fea2ab83 upstream.

    When a BRx is provided by a pipeline, the WPF must determine the master
    layer. Currently the condition to check this identifies pipe->bru ||
    pipe->num_inputs > 1. The code then moves on to dereference pipe->bru,
    thus the check fails static analysers on the possibility that
    pipe->num_inputs could be greater than 1 without pipe->bru being set.

    The reality is that the pipeline must have a BRx to support more than
    one input, thus this could never cause a fault - however it also
    identifies that the num_inputs > 1 check is redundant.

    Remove the redundant check - and always configure the master layer
    appropriately when we have a BRx configured in our pipeline.

    Fixes: 6134148f6098 ("v4l: vsp1: Add support for the BRS entity")
    Cc: [email protected]
    Suggested-by: Mauro Carvalho Chehab
    Signed-off-by: Kieran Bingham
    Reviewed-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit e892362d48bea07ef2c97dafd1ee491c1dadbd0d
Author: Sakari Ailus
Date:   Fri Feb 2 05:08:59 2018 -0500

    media: vb2: core: Finish buffers at the end of the stream

    commit 03703ed1debf777ea845aa9b50ba2e80a5e7dd3c upstream.

    If buffers were prepared or queued and the buffers were released
    without starting the queue, the finish mem op (corresponding to the
    prepare mem op) was never called to the buffers.
    Before commit a136f59c0a1f there was no need to do this as in such a
    case the prepare mem op had not been called yet.

    Address the problem by explicitly calling finish mem op when the queue
    is stopped if the buffer is in either prepared or queued state.

    Fixes: a136f59c0a1f ("[media] vb2: Move buffer cache synchronisation to prepare from queue")
    Cc: [email protected] # for v4.13 and up
    Signed-off-by: Sakari Ailus
    Tested-by: Devin Heitmueller
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 06f0eee0851a4518149deaad6b420bd277c79ab0
Author: Hans Verkuil
Date:   Mon Feb 12 06:45:32 2018 -0500

    media: vivid: check if the cec_adapter is valid

    commit ed356f110403f6acc64dcbbbfdc38662ab9b06c2 upstream.

    If CEC is not enabled for the vivid driver, then the adap pointer is
    NULL and 'adap->phys_addr' will fail.

    Cc: # for v4.12 and up
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit cf0f522b2af92ccd8b016bc7b5d494e01fb422b1
Author: Hans Verkuil
Date:   Sun Feb 25 06:55:32 2018 -0500

    media: atomisp_fops.c: disable atomisp_compat_ioctl32

    commit 57e6b6f2303e596a6493078b53be14b789e7b79f upstream.

    The atomisp_compat_ioctl32() code has problems. This patch disables the
    compat_ioctl32 support until those issues have been fixed.

    Contact Sakari or me for more details.

    Signed-off-by: Hans Verkuil
    Cc: # for v4.12 and up
    Signed-off-by: Sakari Ailus
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 6c96656f8b0d15a000a7dee51d8c3cb540c5d63f
Author: Sean Young
Date:   Tue Mar 6 08:57:57 2018 -0500

    media: rc: oops in ir_timer_keyup after device unplug

    commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream.

    If there is IR in the raw kfifo when ir_raw_event_unregister() is
    called, then kthread_stop() causes ir_raw_event_thread to be scheduled,
    decode some scancodes and re-arm timer_keyup. The timer_keyup then
    fires when the rc device is long gone.
    Cc: [email protected]
    Signed-off-by: Sean Young
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 2632f27575e9f2f50407b8efc8e5353232352f05
Author: Jarkko Nikula
Date:   Tue Mar 20 10:27:50 2018 +0200

    spi: Fix unregistration of controller with fixed SPI bus number

    commit 613bd1ea387bb48b7c9a71a0bb451ac15cfbbc01 upstream.

    Commit 9b61e302210e (spi: Pick spi bus number from Linux idr or spi
    alias) ceased to unregister SPI buses with fixed bus numbers. Moreover
    this is visible only if CONFIG_SPI_DEBUG=y is set or when trying to
    re-register the same SPI controller.

    rmmod spi_pxa2xx_platform (with CONFIG_SPI_DEBUG=y):
        [   26.788362] spi_master spi1: attempting to delete unregistered controller [spi1]

    modprobe spi_pxa2xx_platform:
        [   37.883137] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:19.0/pxa2xx-spi.12/spi_master/spi1'
        [   37.894984] CPU: 1 PID: 1467 Comm: modprobe Not tainted 4.16.0-rc4+ #21
        [   37.902384] Call Trace:
        ...
        [   38.122680] kobject_add_internal failed for spi1 with -EEXIST, don't try to register things with the same name in the same directory.
        [   38.136154] WARNING: CPU: 1 PID: 1467 at lib/kobject.c:238 kobject_add_internal+0x2a5/0x2f0
        ...
        [   38.513817] pxa2xx-spi pxa2xx-spi.12: problem registering spi master
        [   38.521036] pxa2xx-spi: probe of pxa2xx-spi.12 failed with error -17

    Fix this by not returning immediately from spi_unregister_controller()
    if idr_find() doesn't find a controller with the given ID/bus number.
    It finds only those controllers that were registered with dynamic SPI
    bus numbers. Only conditional cleanup between dynamic and fixed bus
    numbers is to remove allocated IDR.
    Fixes: 9b61e302210e (spi: Pick spi bus number from Linux idr or spi alias)
    Cc: [email protected]
    Signed-off-by: Jarkko Nikula
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 7387bbc38990c8df393ae4b77f114cd65dcb00d0
Author: Maxime Chevallier
Date:   Fri Mar 2 15:55:09 2018 +0100

    spi: Fix scatterlist elements size in spi_map_buf

    commit ce99319a182fe766be67f96338386f3ec73e321c upstream.

    When SPI transfers can be offloaded using DMA, the SPI core needs to
    build a scatterlist to make sure that the buffer to be transferred is
    dma-able.

    This patch fixes the scatterlist entry size computation in the case
    where the maximum acceptable scatterlist entry supported by the DMA
    controller is less than PAGE_SIZE, when the buffer is vmalloced.

    For each entry, the actual size is given by the minimum between the
    desc_len (which is the max buffer size supported by the DMA controller)
    and the remaining buffer length until we cross a page boundary.

    Fixes: 65598c13fd66 ("spi: Fix per-page mapping of unaligned vmalloc-ed buffer")
    Signed-off-by: Maxime Chevallier
    Signed-off-by: Mark Brown
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman

commit d4870729a63e57a7f2f91ec23e7c565b4e8470f9
Author: Eugen Hristev
Date:   Tue Feb 27 12:25:07 2018 +0200

    spi: atmel: init FIFOs before spi enable

    commit 9581329eff9db72ab4fbb46a594fd7fdda3c51b0 upstream.

    The datasheet recommends initializing FIFOs before SPI enable. If we do
    not do it like this, there may be a strange behavior. We noticed that
    DMA does not work properly with FIFOs if we do not clear them
    beforehand or enable them before SPIEN.

    Signed-off-by: Eugen Hristev
    Acked-by: Nicolas Ferre
    Signed-off-by: Mark Brown
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman

commit eac13cb73e4f2f684f4e32cd98a1a6b6856da51d
Author: Santiago Esteban
Date:   Thu Jan 18 15:38:47 2018 +0100

    ARM: dts: at91: sama5d4: fix pinctrl compatible string

    commit 9a06757dcc8509c162ac00488c8c82fc98e04227 upstream.

    The compatible string is incorrect.
    Add atmel,sama5d3-pinctrl since it's the appropriate compatible string.
    Remove the atmel,at91rm9200-pinctrl compatible string, this fallback is
    useless, there are too many changes.

    Signed-off-by: Santiago Esteban
    Signed-off-by: Ludovic Desroches
    Cc: [email protected] #v3.18
    Signed-off-by: Alexandre Belloni
    Signed-off-by: Greg Kroah-Hartman

commit dc9d1dd6cfe15f718b2062e0b8e579cdf5cb1849
Author: Marek Szyprowski
Date:   Fri Mar 2 17:07:42 2018 +0100

    ARM: dts: exynos: Fix IOMMU support for GScaler devices on Exynos5250

    commit 6f4870753f29edf7dc39444246f9e39987b8b158 upstream.

    The proper name for the property, which assigns a given device to an
    IOMMU, is 'iommus', not 'iommu'. Fix the incorrect name and let all
    GScaler devices be properly handled when IOMMU support is enabled.

    Reported-by: Andrzej Hajda
    Signed-off-by: Marek Szyprowski
    Fixes: 6cbfdd73a94f ("ARM: dts: add sysmmu nodes for exynos5250")
    Cc: # v4.8+
    Signed-off-by: Krzysztof Kozlowski
    Signed-off-by: Greg Kroah-Hartman

commit 5ebb45f8fe1f8a5a6bac10ef020c937da3485a96
Author: Nicolas Ferre
Date:   Tue Mar 13 16:20:05 2018 +0100

    ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property

    commit e8fd0adf105e132fd84545997bbef3d5edc2c9c1 upstream.

    There are only 19 PIOB pins having primary names PB0-PB18. Not all of
    them have a 'C' function. So the pinctrl property mask ends up being
    the same as the other SoC of the at91sam9x5 series.

    Reported-by: Marek Sieranski
    Signed-off-by: Nicolas Ferre
    Cc: # v3.8+
    Signed-off-by: Alexandre Belloni
    Signed-off-by: Greg Kroah-Hartman

commit 56f203900fdbc0354a8f59574c58b9b6ec681a47
Author: Sean Wang
Date:   Fri Feb 23 18:16:26 2018 +0800

    arm: dts: mt7623: fix USB initialization fails on bananapi-r2

    commit 0629a01920c0f8a3f825361b24863d760610884a upstream.

    Fix USB initialization failing, seen as the runtime log below during
    booting on the bananapi-r2 board, by adding the missing regulators the
    USB device requires.
    Current regulators the USB device uses are being updated with the
    correct ones to reflect real configurations which are all from fixed
    regulators rather than MT6323 one's output.

        xhci-mtk 1a1c0000.usb: 1a1c0000.usb supply vbus not found, using dummy regulator
        xhci-mtk 1a240000.usb: 1a240000.usb supply vbus not found, using dummy regulator

    Cc: [email protected]
    Fixes: f4ff257cd160 ("arm: dts: mt7623: add support for Bananapi R2 (BPI-R2) board")
    Signed-off-by: Sean Wang
    [mb: update kernel log in commit message]
    Signed-off-by: Matthias Brugger
    Signed-off-by: Greg Kroah-Hartman

commit 8b434767de5cd178ebf08668c3941af407ecfcd4
Author: Marek Szyprowski
Date:   Wed Mar 21 10:45:05 2018 +0100

    ARM: EXYNOS: Fix coupled CPU idle freeze on Exynos4210

    commit a7480dbcf983c31d8111f864c848e8a75116a87d upstream.

    Since commit 04c8b0f82c7d ("irqchip/gic: Make locking a BL_SWITCHER
    only feature") coupled CPU idle freezes from time to time on
    Exynos4210. Later commit 313c8c16ee62 ("PM / CPU: replace raw_notifier
    with atomic_notifier") changed the context in which the CPU idle code
    is executed, which results in a fully reproducible freeze all the time.

    However, almost the same coupled CPU idle code works fine on Exynos3250
    regardless of the changes made in the mentioned commits. It turned out
    that the IPI call used on Exynos4210 is conflicting with the change
    done in the first mentioned commit in GIC. Fix this by using the same
    code path as for Exynos3250, instead of the IPI call for
    synchronization with second CPU core, call dsb_sev() directly.

    Tested on Exynos4210-based Trats and Origen boards.

    Signed-off-by: Marek Szyprowski
    CC: # v4.13+
    Acked-by: Marc Zyngier
    Acked-by: Bartlomiej Zolnierkiewicz
    Signed-off-by: Krzysztof Kozlowski
    Signed-off-by: Greg Kroah-Hartman

commit e6af7621cb8538ba08328af5c08e4ed8f1a1a559
Author: Marc Zyngier
Date:   Fri Mar 23 14:57:09 2018 +0000

    KVM: arm/arm64: vgic-its: Fix potential overrun in vgic_copy_lpi_list

    commit 7d8b44c54e0c7c8f688e3a07f17e6083f849f01f upstream.

    vgic_copy_lpi_list() parses the LPI list and picks LPIs targeting a
    given vcpu. We allocate the array containing the intids before taking
    the lpi_list_lock, which means we can have an array size that is not
    equal to the number of LPIs.

    This is particularly obvious when looking at the path coming from
    vgic_enable_lpis, which is not a command, and thus can run in parallel
    with commands:

        vcpu 0:                                 vcpu 1:
        vgic_enable_lpis
          its_sync_lpi_pending_table
            vgic_copy_lpi_list
              intids = kmalloc_array(irq_count)
                                                MAPI(lpi targeting vcpu 0)
              list_for_each_entry(lpi_list_head)
                intids[i++] = irq->intid;

    At that stage, we will happily overrun the intids array. Boo. An easy
    fix is to break once the array is full. The MAPI command will update
    the config anyway, and we won't miss a thing. We also make sure that
    lpi_list_count is read exactly once, so that further updates of that
    value will not affect the array bound check.

    Cc: [email protected]
    Fixes: ccb1d791ab9e ("KVM: arm64: vgic-its: Fix pending table sync")
    Reviewed-by: Andre Przywara
    Reviewed-by: Eric Auger
    Signed-off-by: Marc Zyngier
    Signed-off-by: Greg Kroah-Hartman

commit 84bf72e2abd57968c0a76d4a08bccbc36a9dae0d
Author: Jerome Brunet
Date:   Fri Mar 2 14:44:36 2018 +0100

    ARM64: dts: meson: reduce odroid-c2 eMMC maximum rate

    commit c04ffa71ff491220cac28f55237c9aad379a8656 upstream.

    Different modules may be installed by the user on the eMMC connector of
    the odroid-c2. While the red modules are working without an issue, it
    seems some black modules (apparently Samsung based) are having issues
    at 200MHz.

    While the tuning algorithm introduced in v4.14 enables high speed modes
    on every other tested designs, it seems a problem remains for this
    particular combination of board and eMMC module.

    Lowering the maximum frequency of the eMMC on this board until we can
    figure out a better solution.
    Fixes: d341ca88eead ("mmc: meson-gx: rework tuning function")
    Suggested-by: Ellie Reeves
    Signed-off-by: Jerome Brunet
    Cc: [email protected]
    Signed-off-by: Kevin Hilman
    Signed-off-by: Greg Kroah-Hartman

commit 2462ef58ecebc3cd3ac570356d83e956e7c98797
Author: Felipe Balbi
Date:   Mon Mar 26 13:14:46 2018 +0300

    usb: gadget: udc: core: update usb_ep_queue() documentation

    commit eaa358c7790338d83bb6a31258bdc077de120414 upstream.

    Mention that ->complete() should never be called from within
    usb_ep_queue().

    Signed-off-by: Felipe Balbi
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

commit ede0439fbe0fa2ae4213197eba46ce286b30b544
Author: Chen-Yu Tsai
Date:   Fri Jan 19 17:25:41 2018 +0800

    phy: allwinner: sun4i-usb: poll vbus changes on A23/A33 when driving VBUS

    commit d7119224bfe6e8efbf821a52db7da9530d790f07 upstream.

    The AXP223 PMIC, like the AXP221, does not generate VBUS change
    interrupts when N_VBUSEN is used to drive VBUS for the OTG port on the
    board.

    This was not noticed until recently, as most A23/A33 boards use a GPIO
    pin that does not support interrupts for OTG ID detection. This forces
    the driver to use polling. However the A33-OlinuXino uses a pin that
    does support interrupts, so the driver uses them. However the VBUS
    interrupt never fires, and the driver never gets to update the VBUS
    status. This results in musb timing out waiting for VBUS to rise.

    This was worked around for the AXP221 by resorting to polling changes
    in commit 91d96f06a760 ("phy-sun4i-usb: Add workaround for missing Vbus
    det interrupts on A31").

    This patch adds the A23 and A33 to the list of SoCs that need the
    workaround.
    Fixes: fc1f45ed3043 ("phy-sun4i-usb: Add support for the usb-phys on the sun8i-a33 SoC")
    Fixes: 123dfdbcfaf5 ("phy-sun4i-usb: Add support for the usb-phys on the sun8i-a23 SoC")
    Cc: # 4.3.x: 68dbc2ce77bb phy-sun4i-usb: Use of_match_node to get model specific config data
    Cc: # 4.3.x: 5cf700ac9d50 phy: phy-sun4i-usb: Fix optional gpios failing probe
    Cc: # 4.3.x: 04e59a0211ff phy-sun4i-usb: Fix irq free conditions to match request conditions
    Cc: # 4.3.x: 91d96f06a760 phy-sun4i-usb: Add workaround for missing Vbus det interrupts on A31
    Cc: # 4.3.x
    Signed-off-by: Chen-Yu Tsai
    Acked-by: Maxime Ripard
    Signed-off-by: Kishon Vijay Abraham I
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Kishon Vijay Abraham I

commit 522854d21b1b2858bff7094b0baf55b3c6ee15ad
Author: Heinrich Schuchardt
Date:   Thu Mar 29 10:48:28 2018 -0500

    usb: musb: gadget: misplaced out of bounds check

    commit af6f8529098aeb0e56a68671b450cf74e7a64fcd upstream.

    musb->endpoints[] has array size MUSB_C_NUM_EPS.

    We must check array bounds before accessing the array and not
    afterwards.

    Signed-off-by: Heinrich Schuchardt
    Signed-off-by: Bin Liu
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

commit 259893c0b01117ed776d3b7be90bdc76ff9a98d5
Author: Vlastimil Babka
Date:   Fri Apr 13 15:35:38 2018 -0700

    mm, slab: reschedule cache_reap() on the same CPU

    commit a9f2a846f0503e7d729f552e3ccfe2279010fe94 upstream.

    cache_reap() is initially scheduled in start_cpu_timer() via
    schedule_delayed_work_on(). But then the next iterations are scheduled
    via schedule_delayed_work(), i.e. using WORK_CPU_UNBOUND.

    Thus since commit ef557180447f ("workqueue: schedule WORK_CPU_UNBOUND
    work on wq_unbound_cpumask CPUs") there is no guarantee the future
    iterations will run on the originally intended cpu, although it's still
    preferred. I was able to demonstrate this with
    /sys/module/workqueue/parameters/debug_force_rr_cpu. IIUC, it may also
    happen due to migrating timers in nohz context.
    As a result, some cpus would be calling cache_reap() more frequently
    and others never.

    This patch uses schedule_delayed_work_on() with the current cpu when
    scheduling the next iteration.

    Link: http://lkml.kernel.org/r/[email protected]
    Fixes: ef557180447f ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs")
    Signed-off-by: Vlastimil Babka
    Acked-by: Pekka Enberg
    Acked-by: Christoph Lameter
    Cc: Joonsoo Kim
    Cc: David Rientjes
    Cc: Tejun Heo
    Cc: Lai Jiangshan
    Cc: John Stultz
    Cc: Thomas Gleixner
    Cc: Stephen Boyd
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit ba1d1726d7afd4aebc038213f096e4fe054729ef
Author: Eric Biggers
Date:   Fri Apr 13 15:35:30 2018 -0700

    ipc/shm: fix use-after-free of shm file via remap_file_pages()

    commit 3f05317d9889ab75c7190dcd39491d2a97921984 upstream.

    syzbot reported a use-after-free of shm_file_data(file)->file->f_op in
    shm_get_unmapped_area(), called via sys_remap_file_pages().

    Unfortunately it couldn't generate a reproducer, but I found a bug
    which I think caused it. When remap_file_pages() is passed a full
    System V shared memory segment, the memory is first unmapped, then a
    new map is created using the ->vm_file. Between these steps, the shm
    ID can be removed and reused for a new shm segment. But, shm_mmap()
    only checks whether the ID is currently valid before calling the
    underlying file's ->mmap(); it doesn't check whether it was reused.
    Thus it can use the wrong underlying file, one that was already freed.

    Fix this by making the "outer" shm file (the one that gets put in
    ->vm_file) hold a reference to the real shm file, and by making
    __shm_open() require that the file associated with the shm ID matches
    the one associated with the "outer" file.
    Taking the reference to the real shm file is needed to fully solve the
    problem, since otherwise sfd->file could point to a freed file, which then
    could be reallocated for the reused shm ID, causing the wrong shm segment
    to be mapped (and without the required permission checks).

    Commit 1ac0b6dec656 ("ipc/shm: handle removed segments gracefully in
    shm_mmap()") almost fixed this bug, but it didn't go far enough because it
    didn't consider the case where the shm ID is reused.

    The following program usually reproduces this bug:

        /* headers for srand/rand, shmget/shmat/shmctl, syscall, fork/usleep/getpid */
        #include <stdlib.h>
        #include <sys/shm.h>
        #include <sys/syscall.h>
        #include <unistd.h>

        int main()
        {
            int is_parent = (fork() != 0);

            srand(getpid());
            for (;;) {
                /* both processes race on the same key: the parent maps the
                 * segment and remaps it, the child removes the ID so that it
                 * can be reused by the next shmget() */
                int id = shmget(0xF00F, 4096, IPC_CREAT|0700);
                if (is_parent) {
                    void *addr = shmat(id, NULL, 0);
                    usleep(rand() % 50);
                    while (!syscall(__NR_remap_file_pages, addr, 4096, 0, 0, 0));
                } else {
                    usleep(rand() % 50);
                    shmctl(id, IPC_RMID, NULL);
                }
            }
        }

    It causes the following NULL pointer dereference due to a 'struct file'
    being used while it's being freed.  (I couldn't actually get a KASAN
    use-after-free splat like in the syzbot report.
    But I think it's possible with this bug; it would just take a more
    extraordinary race...)

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP NOPTI
    CPU: 9 PID: 258 Comm: syz_ipc Not tainted 4.16.0-05140-gf8cf2f16a7c95 #189
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    RIP: 0010:d_inode include/linux/dcache.h:519 [inline]
    RIP: 0010:touch_atime+0x25/0xd0 fs/inode.c:1724
    [...]
    Call Trace:
     file_accessed include/linux/fs.h:2063 [inline]
     shmem_mmap+0x25/0x40 mm/shmem.c:2149
     call_mmap include/linux/fs.h:1789 [inline]
     shm_mmap+0x34/0x80 ipc/shm.c:465
     call_mmap include/linux/fs.h:1789 [inline]
     mmap_region+0x309/0x5b0 mm/mmap.c:1712
     do_mmap+0x294/0x4a0 mm/mmap.c:1483
     do_mmap_pgoff include/linux/mm.h:2235 [inline]
     SYSC_remap_file_pages mm/mmap.c:2853 [inline]
     SyS_remap_file_pages+0x232/0x310 mm/mmap.c:2769
     do_syscall_64+0x64/0x1a0 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x42/0xb7

    [[email protected]: add comment]
    Link: http://lkml.kernel.org/r/[email protected]
    Link: http://lkml.kernel.org/r/[email protected]
    Reported-by: syzbot+d11f321e7f1923157eac80aa990b446596f46439@syzkaller.appspotmail.com
    Fixes: c8d78c1823f4 ("mm: replace remap_file_pages() syscall with emulation")
    Signed-off-by: Eric Biggers
    Acked-by: Kirill A. Shutemov
    Acked-by: Davidlohr Bueso
    Cc: Manfred Spraul
    Cc: "Eric W . Biederman"
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a401cbb69959821dfd14b0ea3bda3f00f8fea0c9
Author: Takashi Iwai
Date:   Fri Apr 13 15:35:13 2018 -0700

    resource: fix integer overflow at reallocation

    commit 60bb83b81169820c691fbfa33a6a4aef32aa4b0b upstream.

    We've got a bug report indicating a kernel panic at booting on an x86-32
    system, and it turned out to be the invalid PCI resource assigned after
    reallocation.
    __find_resource() first aligns the resource start address and resets the
    end address with start+size-1 accordingly, then checks whether it's
    contained.  Here the end address may overflow the integer, although
    resource_contains() still returns true because the function validates
    only start and end address.  So this ends up with returning an invalid
    resource (start > end).

    There was already an attempt to cover such a problem in the commit
    47ea91b4052d ("Resource: fix wrong resource window calculation"), but this
    case is an overseen one.

    This patch adds the validity check of the newly calculated resource for
    avoiding the integer overflow problem.

    Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
    Link: http://lkml.kernel.org/r/[email protected]
    Fixes: 23c570a67448 ("resource: ability to resize an allocated resource")
    Signed-off-by: Takashi Iwai
    Reported-by: Michael Henders
    Tested-by: Michael Henders
    Reviewed-by: Andrew Morton
    Cc: Ram Pai
    Cc: Bjorn Helgaas
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 5b6d58346ceba23663bf25f136527995c137013c
Author: Andrew Morton
Date:   Tue Apr 10 16:34:41 2018 -0700

    fs/reiserfs/journal.c: add missing reiserfs_warning() arg

    commit 9ad553abe66f8be3f4755e9fa0a6ba137ce76341 upstream.

    One use of the reiserfs_warning() macro in journal_init_dev() is missing
    a parameter, causing the following warning:

      REISERFS warning (device loop0): journal_init_dev: Cannot open '%s': %i journal_init_dev:

    This also causes a WARN_ONCE() warning in the vsprintf code, and then a
    panic if panic_on_warn is set.

      Please remove unsupported %/ in format string
      WARNING: CPU: 1 PID: 4480 at lib/vsprintf.c:2138 format_decode+0x77f/0x830 lib/vsprintf.c:2138
      Kernel panic - not syncing: panic_on_warn set ...

    Just add another string argument to the macro invocation.
    Addresses https://syzkaller.appspot.com/bug?id=0627d4551fdc39bf1ef5d82cd9eef587047f7718

    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: Randy Dunlap
    Reported-by:
    Tested-by: Randy Dunlap
    Acked-by: Jeff Mahoney
    Cc: Alexander Viro
    Cc: Jan Kara
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 790f13833eb401c7d911afbfc06eddfb8e3a2724
Author: Kees Cook
Date:   Tue Apr 10 16:32:44 2018 -0700

    task_struct: only use anon struct under randstruct plugin

    commit 2cfe0d3009418a132b93d78642a8059a38fe5944 upstream.

    The original intent for always adding the anonymous struct in
    task_struct was to make sure we had compiler coverage.  However, this
    caused pathological padding of 40 bytes at the start of task_struct.
    Instead, move the anonymous struct to being only used when struct layout
    randomization is enabled.

    Link: http://lkml.kernel.org/r/20180327213609.GA2964@beast
    Fixes: 29e48ce87f1e ("task_struct: Allow randomized")
    Signed-off-by: Kees Cook
    Reported-by: Peter Zijlstra
    Cc: Peter Zijlstra
    Cc: Ingo Molnar
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a7140c36665ffe78c3da8865c039a517ca1a715a
Author: Naoya Horiguchi
Date:   Thu Apr 5 16:23:05 2018 -0700

    mm: hwpoison: disable memory error handling on 1GB hugepage

    commit 31286a8484a85e8b4e91ddb0f5415aee8a416827 upstream.

    Recently the following BUG was reported:

      Injecting memory failure for pfn 0x3c0000 at process virtual address 0x7fe300000000
      Memory failure: 0x3c0000: recovery action for huge page: Recovered
      BUG: unable to handle kernel paging request at ffff8dfcc0003000
      IP: gup_pgd_range+0x1f0/0xc20
      PGD 17ae72067 P4D 17ae72067 PUD 0
      Oops: 0000 [#1] SMP PTI
      ...
      CPU: 3 PID: 5467 Comm: hugetlb_1gb Not tainted 4.15.0-rc8-mm1-abc+ #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.fc25 04/01/2014

    You can easily reproduce this by calling madvise(MADV_HWPOISON) twice on
    a 1GB hugepage.
    This happens because get_user_pages_fast() is not aware of a migration
    entry on pud that was created in the 1st madvise() event.

    I think that conversion to pud-aligned migration entry is working, but
    other MM code walking over page table isn't prepared for it.  We need
    some time and effort to make all this work properly, so this patch
    avoids the reported bug by just disabling error handling for 1GB
    hugepage.

    [[email protected]: v2]
    Link: http://lkml.kernel.org/r/[email protected]
    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: Naoya Horiguchi
    Acked-by: Michal Hocko
    Reviewed-by: Andrew Morton
    Reviewed-by: Mike Kravetz
    Acked-by: Punit Agrawal
    Tested-by: Michael Ellerman
    Cc: Anshuman Khandual
    Cc: "Aneesh Kumar K.V"
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 8ed34360e0a760a9c0e8884f2404efe33e3e2d4c
Author: Jérôme Glisse
Date:   Tue Apr 10 16:28:27 2018 -0700

    mm/hmm: hmm_pfns_bad() was accessing wrong struct

    commit c719547f032d4610c7a20900baacae26d0b1ff3e upstream.

    The private field of mm_walk struct points to an hmm_vma_walk struct and
    not to the hmm_range struct desired.  Fix to get proper struct pointer.

    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: Jérôme Glisse
    Cc: Evgeny Baskakov
    Cc: Ralph Campbell
    Cc: Mark Hairgrove
    Cc: John Hubbard
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 25df8b83e867dcfb660123e9589ebf6f094fcdd3
Author: Jérôme Glisse
Date:   Tue Apr 10 16:28:15 2018 -0700

    mm/hmm: fix header file if/else/endif maze

    commit b28b08de436a638c82d0cf3dcdbdbad055baf1fc upstream.

    The #if/#else/#endif for IS_ENABLED(CONFIG_HMM) were wrong.  Because of
    this after multiple include there was multiple definition of both
    hmm_mm_init() and hmm_mm_destroy() leading to build failure if HMM was
    enabled (CONFIG_HMM set).
    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: Jérôme Glisse
    Acked-by: Balbir Singh
    Cc: Andrew Morton
    Cc: Ralph Campbell
    Cc: John Hubbard
    Cc: Evgeny Baskakov
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 74cbffba615f57e59e677609a4be76a347f0d28f
Author: Claudio Imbrenda
Date:   Tue Apr 10 16:29:41 2018 -0700

    mm/ksm.c: fix inconsistent accounting of zero pages

    commit a38c015f3156895b07e71d4e4414289f8a3b2745 upstream.

    When using KSM with use_zero_pages, we replace anonymous pages containing
    only zeroes with actual zero pages, which are not anonymous.  We need to
    do proper accounting of the mm counters, otherwise we will get wrong
    values in /proc and a BUG message in dmesg when tearing down the mm.

    Link: http://lkml.kernel.org/r/[email protected]
    Fixes: e86c59b1b1 ("mm/ksm: improve deduplication of zero pages with colouring")
    Signed-off-by: Claudio Imbrenda
    Reviewed-by: Andrew Morton
    Cc: Andrea Arcangeli
    Cc: Minchan Kim
    Cc: Kirill A. Shutemov
    Cc: Hugh Dickins
    Cc: Christian Borntraeger
    Cc: Gerald Schaefer
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 58010b2e8aa9f09f8dbdc5f6614bd4a3de6cf935
Author: Richard Weinberger
Date:   Sat Mar 3 11:45:54 2018 +0100

    ubi: Reject MLC NAND

    commit b5094b7f135be34630e3ea8a98fa215715d0f29d upstream.

    While UBI and UBIFS seem to work at first sight with MLC NAND, you will
    most likely lose all your data upon a power-cut or due to read/write
    disturb.
    In order to protect users from bad surprises, refuse to attach to MLC
    NAND.

    Cc: [email protected]
    Signed-off-by: Richard Weinberger
    Acked-by: Boris Brezillon
    Acked-by: Artem Bityutskiy
    Signed-off-by: Greg Kroah-Hartman

commit bd62cebba2c3b248e3e0f4b28aeab2356a90dede
Author: Romain Izard
Date:   Mon Jan 29 11:18:20 2018 +0100

    ubi: Fix error for write access

    commit 78a8dfbabbece22bee58ac4cb26cab10e7a19c5d upstream.
    When opening a device with write access, ubiblock_open returns an error
    code.  Currently, this error code is -EPERM, but this is not the right
    value.

    The open function for other block devices returns -EROFS when opening
    read-only devices with FMODE_WRITE set.  When used with dm-verity, the
    veritysetup userspace tool is expecting EROFS, and refuses to use the
    ubiblock device.

    Use -EROFS for ubiblock as well.  As a result, veritysetup accepts the
    ubiblock device as valid.

    Cc: [email protected]
    Fixes: 9d54c8a33eec (UBI: R/O block driver on top of UBI volumes)
    Signed-off-by: Romain Izard
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

commit 3f2fdd3d4a4c109a28cc0fddf0006cb01ccde594
Author: Richard Weinberger
Date:   Wed Jan 17 23:15:57 2018 +0100

    ubi: fastmap: Don't flush fastmap work on detach

    commit 29b7a6fa1ec07e8480b0d9caf635a4498a438bf4 upstream.

    At this point UBI volumes have already been free()'ed and fastmap can no
    longer access these data structures.

    Reported-by: Martin Townsend
    Fixes: 74cdaf24004a ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
    Cc: [email protected]
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

commit 89a099cb9ea196986dee98599bcb9ece11775ef4
Author: Richard Weinberger
Date:   Wed Jan 17 19:12:42 2018 +0100

    ubifs: Check ubifs_wbuf_sync() return code

    commit aac17948a7ce01fb60b9ee6cf902967a47b3ce26 upstream.

    If ubifs_wbuf_sync() fails we must not write a master node with the dirty
    marker cleared.
    Otherwise it is possible that in case of an IO error while syncing we
    mark the filesystem as clean and UBIFS refuses to recover upon next
    mount.

    Cc:
    Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

commit a591f53a9f6fedebdd2403df6660233a6b4c2eb7
Author: Gregory CLEMENT
Date:   Wed Apr 4 16:44:44 2018 +0200

    cpufreq: armada-37xx: Fix clock leak

    commit bbcc328561040292f7d6796954d478e4a2335e6f upstream.
    There was no clk_put() balancing the clk_get().  This commit fixes it.

    Fixes: 92ce45fb875d (cpufreq: Add DVFS support for Armada 37xx)
    Cc: 4.16+ # 4.16+
    Reported-by: Thomas Petazzoni
    Signed-off-by: Gregory CLEMENT
    Acked-by: Viresh Kumar
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 4c05fe72225420eaf99fc7f9182b9168a0a69f43
Author: George Cherian
Date:   Fri Mar 23 03:30:31 2018 -0700

    cpufreq: CPPC: Use transition_delay_us depending transition_latency

    commit 3d41386d556db9f720e00de3e11e45f39cb5071c upstream.

    With commit e948bc8fbee0 (cpufreq: Cap the default transition delay
    value to 10 ms) the cpufreq was not honouring the delay passed via
    ACPI (PCCT).  Due to which on ARM based platforms using CPPC the cpufreq
    governor tries to change the frequency of CPUs faster than expected.

    This leads to continuous error messages like the following.
    " ACPI CPPC: PCC check channel failed. Status=0 "

    Earlier (without above commit) the default transition delay was taken
    from the value passed from PCCT.  Use the same value provided by PCCT to
    set the transition_delay_us.

    Fixes: e948bc8fbee0 (cpufreq: Cap the default transition delay value to 10 ms)
    Signed-off-by: George Cherian
    Cc: 4.14+ # 4.14+
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 26696cdda301830a16511391a3b1515c9b3b17fb
Author: Hans de Goede
Date:   Fri Mar 16 21:28:07 2018 +0100

    Bluetooth: hci_bcm: Add irq_polarity module option

    commit e09070c51b280567695022237e57c428e548b355 upstream.

    Add irq_polarity module option for easier troubleshooting of
    irq-polarity issues.

    Cc: [email protected]
    Signed-off-by: Hans de Goede
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman
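The "resource: fix integer overflow at reallocation" entry in the changelog above describes a check that is easy to get wrong: resource_contains() compares only start and end, so a candidate whose end has wrapped past zero still looks contained, and the caller receives a resource with start > end. The following is an added userspace model of that computation, written for this page and not taken from the kernel tree. It assumes a 32-bit resource_size_t (as on the x86-32 machine from the bug report), stands in a simple power-of-two round-up for constraint->alignf, and uses its own names (candidate_unchecked, candidate_checked, unchecked_accepts, checked_accepts) rather than kernel functions. The window and sizes are constructed inputs. The checked variant carries the same `alloc.start <= alloc.end` validity test that commit 60bb83b81169 adds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a userspace model of the alignment step
 * in __find_resource(). resource_size_t is 32 bits here, as on the x86-32
 * box in the bug report, so "start + size - 1" can wrap around.
 */
typedef uint32_t resource_size_t;

struct resource {
    resource_size_t start;
    resource_size_t end;    /* inclusive, as in the kernel */
};

/* Same shape as the kernel's resource_contains(): only start and end are compared. */
static bool resource_contains(const struct resource *r1, const struct resource *r2)
{
    return r1->start <= r2->start && r1->end >= r2->end;
}

/* Stand-in for constraint->alignf: round up to a power-of-two alignment. */
static resource_size_t align_up(resource_size_t x, resource_size_t align)
{
    return (x + align - 1) & ~(align - 1);
}

/*
 * Candidate computation before the fix: align the start, derive the end,
 * and accept whatever resource_contains() says. On wrap-around the end is
 * a small number, the containment test still passes, and the caller gets
 * a resource with start > end.
 */
static bool candidate_unchecked(const struct resource *avail, resource_size_t size,
                                resource_size_t align, struct resource *alloc)
{
    alloc->start = align_up(avail->start, align);
    alloc->end = alloc->start + size - 1;   /* may wrap */
    return resource_contains(avail, alloc);
}

/* Same computation with the validity check added by commit 60bb83b81169. */
static bool candidate_checked(const struct resource *avail, resource_size_t size,
                              resource_size_t align, struct resource *alloc)
{
    alloc->start = align_up(avail->start, align);
    alloc->end = alloc->start + size - 1;
    return alloc->start <= alloc->end && resource_contains(avail, alloc);
}

/* Helpers returning 1 if a candidate is accepted, 0 if it is rejected. */
int unchecked_accepts(resource_size_t s, resource_size_t e,
                      resource_size_t size, resource_size_t align)
{
    struct resource avail = { s, e }, alloc;
    return candidate_unchecked(&avail, size, align, &alloc) ? 1 : 0;
}

int checked_accepts(resource_size_t s, resource_size_t e,
                    resource_size_t size, resource_size_t align)
{
    struct resource avail = { s, e }, alloc;
    return candidate_checked(&avail, size, align, &alloc) ? 1 : 0;
}

int main(void)
{
    /* Constructed input: a free window at the top of the 32-bit space,
     * asked for 2 MiB at 1 MiB alignment, which cannot fit. */
    struct resource avail = { 0xfff00000u, 0xffffffffu }, alloc;

    bool ok = candidate_unchecked(&avail, 0x200000u, 0x100000u, &alloc);
    printf("unchecked: accepted=%d start=%#x end=%#x\n", ok, alloc.start, alloc.end);

    ok = candidate_checked(&avail, 0x200000u, 0x100000u, &alloc);
    printf("checked:   accepted=%d start=%#x end=%#x\n", ok, alloc.start, alloc.end);
    return 0;
}
```

Run stand-alone, the unchecked path reports an accepted candidate with start 0xfff00000 and end 0xfffff, exactly the start > end resource the commit message describes; the checked path rejects it while still accepting requests that genuinely fit.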
Related news
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image.
The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.