Re: [PATCH] mmc: dw_mmc-k3: Fix DDR52 mode by setting required clock divisor

[Ryan Grachek]

On Wed, Apr 4, 2018 at 7:51 PM, Shawn Lin  wrote:
> [+ Zhangfei Gao who added support for hi6220]
>
> On 2018/4/4 23:31, Ryan Grachek wrote:
>>
>> On Tue, Apr 3, 2018 at 6:31 AM, Shawn Lin > > wrote:
>>
>> On 2018/3/30 2:24, oscardagrach wrote:
>>
>> Need at least one line commit body.
>>
>> Signed-off-by: oscardagrach > >
>>
>> ---
>>drivers/mmc/host/dw_mmc-k3.c | 10 --
>>1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/mmc/host/dw_mmc-k3.c
>> b/drivers/mmc/host/dw_mmc-k3.c
>> index 89cdb3d533bb..efc546cb4db8 100644
>> --- a/drivers/mmc/host/dw_mmc-k3.c
>> +++ b/drivers/mmc/host/dw_mmc-k3.c
>> @@ -194,8 +194,14 @@ static void dw_mci_hi6220_set_ios(struct
>> dw_mci *host, struct mmc_ios *ios)
>>  int ret;
>>  unsigned int clock;
>>- clock = (ios->clock <= 2500) ? 2500 : ios->clock;
>> -
>> +   /* CLKDIV must be 1 for DDR52/8-bit mode */
>> +   if (ios->bus_width == MMC_BUS_WIDTH_8 &&
>> +   ios->timing == MMC_TIMING_MMC_DDR52) {
>> +   mci_writel(host, CLKDIV, 0x1);
>> +   clock = ios->clock;
>> +   } else {
>> +   clock = (ios->clock <= 2500) ? 2500 :
>> ios->clock;
>> +   }
>>
>>
>> I undertand DDR52/8-bit need CLKDIV fixed 1, but shouldn't the
>> following
>> change is more sensible?
>>
>> if (ios->bus_width == MMC_BUS_WIDTH_8 && ios->timing ==
>> MMC_TIMING_MMC_DDR52)
>>  clock = ios->clock * 2;
>> else
>>  clock = (ios->clock <= 2500) ? 2500 : ios->clock;
>>
>>
>> The reason is ios->clock is 52MHz and you could claim 104MHz from the
>> clock provider and let dw_mmc core take care of the divder to be 1.
>> Otherwise, you just force it to be DDR52/8-bit with a clk rate of
>> 26MHz.
>>
>>
>>  ret = clk_set_rate(host->biu_clk, clock);
>>  if (ret)
>>  dev_warn(host->dev, "failed to set rate
>> %uHz\n", clock);
>>
>>
>>
>
> For future wise, please use plain mode mail, but not HTML format.
>
>> Your feedback is correct. I see the Rockchip dwmmc driver has a similar
>> implementation. After applying your suggested changes, however, my board
>> reports "dwmmc_k3 f723d000.dwmmc0: failed to set rate 10400Hz"
>> during intialization of eMMC. In addition, I do not see CLKDIV being
>> set to 1. clk_set_rate fails and I wonder if this is out-of-scope of
>> the driver.
>>
>> If I set CLKDIV where I did prior, with your changes, the device fails
>> to set the clock and falls back to 52 MHz (26 MHz) and works fine, but
>> again, CLKDIV is reported as 0 (even though it is 1.) One thing of
>> interest to note is when I manually set the clock by doing:
>> (echo 10400 > /sys/kernel/debug/mmc0/clock) the device reports back
>> 'mmc_host mmc0: Bus speed (slot 0) = 19840Hz (slot req 10400Hz,
>>   actual 9920HZ div = 1)' which works reliably and clk_set_rate does
>> not report any error.
>>
>
> When looking closely into the code, at least dw_mci_hi6220_set_ios
> goes wrong with the bus_hz, since it should be ciu_clk but not biu_clk.
> "b" stands for bus, and "c" stands for card IMHO, however bus_hz
> describs the clock to the card, provided by controller. Does the
> following patch help?
>
>
> diff --git a/drivers/mmc/host/dw_mmc-k3.c b/drivers/mmc/host/dw_mmc-k3.c
> index 89cdb3d..9e78cf2 100644
> --- a/drivers/mmc/host/dw_mmc-k3.c
> +++ b/drivers/mmc/host/dw_mmc-k3.c
> @@ -194,13 +194,21 @@ static void dw_mci_hi6220_set_ios(struct dw_mci *host,
> struct mmc_ios *ios)
> int ret;
> unsigned int clock;
>
> -   clock = (ios->clock <= 2500) ? 2500 : ios->clock;
> +   if (ios->bus_width == MMC_BUS_WIDTH_8 &&
> +   ios->timing == MMC_TIMING_MMC_DDR52)
> +   clock = ios->clock * 2;
> +   else
> +   clock = (ios->clock <= 2500) ? 2500 : ios->clock;
>
> -   ret = clk_set_rate(host->biu_clk, clock);
> +   ret = clk_set_rate(host->ciu_clk, clock);
> if (ret)
> dev_warn(host->dev, "failed to set rate %uHz\n", clock);
>
> -   host->bus_hz = clk_get_rate(host->biu_clk);
> +   clock = clk_get_rate(host->ciu_clk);
> +   if (clock != host->bus_hz) {
> +   host->bus_hz = clock;
> +   host->current_speed = 0;
> +   }
>
>  }
>
>
>> I am not sure where to begin debugging these clock issues and welcome
>> any feedback.
>
>

The change results in the following:
'dwmmc_k3 f723e000.dwmmc1: failed to set rate 2500Hz'
'dwmmc_k3 f723d000.dwmmc0: failed to set rate 2500Hz'
'dwmmc_k3 

Re: [PATCH] mmc: dw_mmc-k3: Fix DDR52 mode by setting required clock divisor

[Ryan Grachek]

On Wed, Apr 4, 2018 at 7:51 PM, Shawn Lin  wrote:
> [+ Zhangfei Gao who added support for hi6220]
>
> On 2018/4/4 23:31, Ryan Grachek wrote:
>>
>> On Tue, Apr 3, 2018 at 6:31 AM, Shawn Lin > > wrote:
>>
>> On 2018/3/30 2:24, oscardagrach wrote:
>>
>> Need at least one line commit body.
>>
>> Signed-off-by: oscardagrach > >
>>
>> ---
>>drivers/mmc/host/dw_mmc-k3.c | 10 --
>>1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/mmc/host/dw_mmc-k3.c
>> b/drivers/mmc/host/dw_mmc-k3.c
>> index 89cdb3d533bb..efc546cb4db8 100644
>> --- a/drivers/mmc/host/dw_mmc-k3.c
>> +++ b/drivers/mmc/host/dw_mmc-k3.c
>> @@ -194,8 +194,14 @@ static void dw_mci_hi6220_set_ios(struct
>> dw_mci *host, struct mmc_ios *ios)
>>  int ret;
>>  unsigned int clock;
>>- clock = (ios->clock <= 2500) ? 2500 : ios->clock;
>> -
>> +   /* CLKDIV must be 1 for DDR52/8-bit mode */
>> +   if (ios->bus_width == MMC_BUS_WIDTH_8 &&
>> +   ios->timing == MMC_TIMING_MMC_DDR52) {
>> +   mci_writel(host, CLKDIV, 0x1);
>> +   clock = ios->clock;
>> +   } else {
>> +   clock = (ios->clock <= 2500) ? 2500 :
>> ios->clock;
>> +   }
>>
>>
>> I undertand DDR52/8-bit need CLKDIV fixed 1, but shouldn't the
>> following
>> change is more sensible?
>>
>> if (ios->bus_width == MMC_BUS_WIDTH_8 && ios->timing ==
>> MMC_TIMING_MMC_DDR52)
>>  clock = ios->clock * 2;
>> else
>>  clock = (ios->clock <= 2500) ? 2500 : ios->clock;
>>
>>
>> The reason is ios->clock is 52MHz and you could claim 104MHz from the
>> clock provider and let dw_mmc core take care of the divder to be 1.
>> Otherwise, you just force it to be DDR52/8-bit with a clk rate of
>> 26MHz.
>>
>>
>>  ret = clk_set_rate(host->biu_clk, clock);
>>  if (ret)
>>  dev_warn(host->dev, "failed to set rate
>> %uHz\n", clock);
>>
>>
>>
>
> For future wise, please use plain mode mail, but not HTML format.
>
>> Your feedback is correct. I see the Rockchip dwmmc driver has a similar
>> implementation. After applying your suggested changes, however, my board
>> reports "dwmmc_k3 f723d000.dwmmc0: failed to set rate 10400Hz"
>> during intialization of eMMC. In addition, I do not see CLKDIV being
>> set to 1. clk_set_rate fails and I wonder if this is out-of-scope of
>> the driver.
>>
>> If I set CLKDIV where I did prior, with your changes, the device fails
>> to set the clock and falls back to 52 MHz (26 MHz) and works fine, but
>> again, CLKDIV is reported as 0 (even though it is 1.) One thing of
>> interest to note is when I manually set the clock by doing:
>> (echo 10400 > /sys/kernel/debug/mmc0/clock) the device reports back
>> 'mmc_host mmc0: Bus speed (slot 0) = 19840Hz (slot req 10400Hz,
>>   actual 9920HZ div = 1)' which works reliably and clk_set_rate does
>> not report any error.
>>
>
> When looking closely into the code, at least dw_mci_hi6220_set_ios
> goes wrong with the bus_hz, since it should be ciu_clk but not biu_clk.
> "b" stands for bus, and "c" stands for card IMHO, however bus_hz
> describs the clock to the card, provided by controller. Does the
> following patch help?
>
>
> diff --git a/drivers/mmc/host/dw_mmc-k3.c b/drivers/mmc/host/dw_mmc-k3.c
> index 89cdb3d..9e78cf2 100644
> --- a/drivers/mmc/host/dw_mmc-k3.c
> +++ b/drivers/mmc/host/dw_mmc-k3.c
> @@ -194,13 +194,21 @@ static void dw_mci_hi6220_set_ios(struct dw_mci *host,
> struct mmc_ios *ios)
> int ret;
> unsigned int clock;
>
> -   clock = (ios->clock <= 2500) ? 2500 : ios->clock;
> +   if (ios->bus_width == MMC_BUS_WIDTH_8 &&
> +   ios->timing == MMC_TIMING_MMC_DDR52)
> +   clock = ios->clock * 2;
> +   else
> +   clock = (ios->clock <= 2500) ? 2500 : ios->clock;
>
> -   ret = clk_set_rate(host->biu_clk, clock);
> +   ret = clk_set_rate(host->ciu_clk, clock);
> if (ret)
> dev_warn(host->dev, "failed to set rate %uHz\n", clock);
>
> -   host->bus_hz = clk_get_rate(host->biu_clk);
> +   clock = clk_get_rate(host->ciu_clk);
> +   if (clock != host->bus_hz) {
> +   host->bus_hz = clock;
> +   host->current_speed = 0;
> +   }
>
>  }
>
>
>> I am not sure where to begin debugging these clock issues and welcome
>> any feedback.
>
>

The change results in the following:
'dwmmc_k3 f723e000.dwmmc1: failed to set rate 2500Hz'
'dwmmc_k3 f723d000.dwmmc0: failed to set rate 2500Hz'
'dwmmc_k3 f723f000.dwmmc2: failed to set rate 2500Hz'

and later on:
'dwmmc_k3 

[PATCH 4.15 07/72] ALSA: usb-audio: Add native DSD support for TEAC UD-301

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Nobutaka Okabe 

commit b00214865d65100163574ba250008f182cf90869 upstream.

Add native DSD support quirk for TEAC UD-301 DAC,
by adding the PID/VID 0644:804a.

Signed-off-by: Nobutaka Okabe 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/usb/quirks.c |1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1171,6 +1171,7 @@ static bool is_teac_dsd_dac(unsigned int
switch (id) {
case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
+   case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */
return true;
}
return false;

[PATCH 4.15 07/72] ALSA: usb-audio: Add native DSD support for TEAC UD-301

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Nobutaka Okabe 

commit b00214865d65100163574ba250008f182cf90869 upstream.

Add native DSD support quirk for TEAC UD-301 DAC,
by adding the PID/VID 0644:804a.

Signed-off-by: Nobutaka Okabe 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/usb/quirks.c |1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1171,6 +1171,7 @@ static bool is_teac_dsd_dac(unsigned int
switch (id) {
case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
+   case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */
return true;
}
return false;

Re: Looking for way to program external MMU from userspace (or viable alternative)

[Alan Cox]

> The current kernel driver code looks up the physical address of a page of
> user-allocated memory by traversing the page table, and then writing the
> physical address to the external MMU. If we were to move the driver to
> userspace, this procedure would require exposing the physical address to
> user space, which insecure and thus a no-go.
> 
> What possibilities are there for programming the MMU from a userspace
> driver?

If you want to be secure none.

That's not to say you can't keep most of the code in user space but
you'll need the DMA and MMU manager to be kernel side because you have to
trust it.

Even if you use something like VT-D, you've then got to program the IOMMU
and that has to be done in kernel for the same obvious reasons. Look at
VFIO.. maybe that helps.

Alan

Re: Looking for way to program external MMU from userspace (or viable alternative)

[Alan Cox]

> The current kernel driver code looks up the physical address of a page of
> user-allocated memory by traversing the page table, and then writing the
> physical address to the external MMU. If we were to move the driver to
> userspace, this procedure would require exposing the physical address to
> user space, which insecure and thus a no-go.
> 
> What possibilities are there for programming the MMU from a userspace
> driver?

If you want to be secure none.

That's not to say you can't keep most of the code in user space but
you'll need the DMA and MMU manager to be kernel side because you have to
trust it.

Even if you use something like VT-D, you've then got to program the IOMMU
and that has to be done in kernel for the same obvious reasons. Look at
VFIO.. maybe that helps.

Alan

[PATCH] dp83640: Ensure against premature access to PHY registers after reset

[Esben Haabendal]

From: Esben Haabendal 

Signed-off-by: Esben Haabendal 
---
 drivers/net/phy/dp83640.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
index 654f42d00092..48403170096a 100644
--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -1207,6 +1207,22 @@ static void dp83640_remove(struct phy_device *phydev)
kfree(dp83640);
 }
 
+static int dp83640_soft_reset(struct phy_device *phydev)
+{
+   int ret;
+
+   ret = genphy_soft_reset(phydev);
+   if (ret < 0)
+   return ret;
+
+   /* From DP83640 datasheet: "Software driver code must wait 3 us
+* following a software reset before allowing further serial MII
+* operations with the DP83640." */
+   udelay(3);
+
+   return 0;
+}
+
 static int dp83640_config_init(struct phy_device *phydev)
 {
struct dp83640_private *dp83640 = phydev->priv;
@@ -1501,6 +1517,7 @@ static struct phy_driver dp83640_driver = {
.flags  = PHY_HAS_INTERRUPT,
.probe  = dp83640_probe,
.remove = dp83640_remove,
+   .soft_reset = dp83640_soft_reset,
.config_init= dp83640_config_init,
.ack_interrupt  = dp83640_ack_interrupt,
.config_intr= dp83640_config_intr,
-- 
2.16.3

[PATCH] dp83640: Ensure against premature access to PHY registers after reset

[Esben Haabendal]

From: Esben Haabendal 

Signed-off-by: Esben Haabendal 
---
 drivers/net/phy/dp83640.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
index 654f42d00092..48403170096a 100644
--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -1207,6 +1207,22 @@ static void dp83640_remove(struct phy_device *phydev)
kfree(dp83640);
 }
 
+static int dp83640_soft_reset(struct phy_device *phydev)
+{
+   int ret;
+
+   ret = genphy_soft_reset(phydev);
+   if (ret < 0)
+   return ret;
+
+   /* From DP83640 datasheet: "Software driver code must wait 3 us
+* following a software reset before allowing further serial MII
+* operations with the DP83640." */
+   udelay(3);
+
+   return 0;
+}
+
 static int dp83640_config_init(struct phy_device *phydev)
 {
struct dp83640_private *dp83640 = phydev->priv;
@@ -1501,6 +1517,7 @@ static struct phy_driver dp83640_driver = {
.flags  = PHY_HAS_INTERRUPT,
.probe  = dp83640_probe,
.remove = dp83640_remove,
+   .soft_reset = dp83640_soft_reset,
.config_init= dp83640_config_init,
.ack_interrupt  = dp83640_ack_interrupt,
.config_intr= dp83640_config_intr,
-- 
2.16.3

[PATCH 4.15 08/72] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Stefan Roese 

commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.

When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmapp'ed and the issue is fixed.

This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.

Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/core/pcm_native.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3422,7 +3422,7 @@ int snd_pcm_lib_default_mmap(struct snd_
 area,
 substream->runtime->dma_area,
 substream->runtime->dma_addr,
-area->vm_end - area->vm_start);
+substream->runtime->dma_bytes);
 #endif /* CONFIG_X86 */
/* mmap with fault handler */
area->vm_ops = _pcm_vm_ops_data_fault;

[PATCH 4.15 08/72] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Stefan Roese 

commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.

When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmapp'ed and the issue is fixed.

This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.

Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/core/pcm_native.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3422,7 +3422,7 @@ int snd_pcm_lib_default_mmap(struct snd_
 area,
 substream->runtime->dma_area,
 substream->runtime->dma_addr,
-area->vm_end - area->vm_start);
+substream->runtime->dma_bytes);
 #endif /* CONFIG_X86 */
/* mmap with fault handler */
area->vm_ops = _pcm_vm_ops_data_fault;

[PATCH v3] ARM: sun8i: v40: enable USB host ports for Banana Pi M2 Berry

[Icenowy Zheng]

Banana Pi M2 Berry has an on-board USB Hub that provides 4 USB Type-A
ports, and it's connected to the USB1 port of the SoC.

Enable it.

Signed-off-by: Icenowy Zheng 
---
Changes in v3:
- Dropped OHCI node and added hub model comment in EHCI.

 arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts 
b/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts
index a26d72c3f9b5..35859d8f3267 100644
--- a/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts
+++ b/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts
@@ -87,6 +87,11 @@
};
 };
 
+ {
+   /* Terminus Tech FE 1.1s 4-port USB 2.0 hub here */
+   status = "okay";
+};
+
  {
status = "okay";
 
@@ -170,3 +175,8 @@
pinctrl-0 = <_pb_pins>;
status = "okay";
 };
+
+ {
+   usb1_vbus-supply = <_vcc5v0>;
+   status = "okay";
+};
-- 
2.15.1

[PATCH v3] net: thunderx: rework mac addresses list to u64 array

[Vadim Lomovtsev]

From: Vadim Lomovtsev 

It is too expensive to pass u64 values via linked list, instead
allocate array for them by overall number of mac addresses from netdev.

This eventually removes multiple kmalloc() calls, aviod memory
fragmentation and allow to put single null check on kmalloc
return value in order to prevent a potential null pointer dereference.

Addresses-Coverity-ID: 1467429 ("Dereference null return value")
Fixes: 37c3347eb247 ("net: thunderx: add ndo_set_rx_mode callback 
implementation for VF")
Reported-by: Dan Carpenter 
Signed-off-by: Vadim Lomovtsev 
---
Changes from v1 to v2:
 - C99 syntax: update xcast_addr_list struct field mc[0] -> mc[];
Changes from v2 to v3:
 - update commit description with 'Reported-by: Dan Carpenter';
 - update size calculations for mc list to offsetof() call
   instead of explicit arithmetic;
---
 drivers/net/ethernet/cavium/thunder/nic.h|  7 +-
 drivers/net/ethernet/cavium/thunder/nicvf_main.c | 28 +---
 2 files changed, 11 insertions(+), 24 deletions(-)

diff --git a/drivers/net/ethernet/cavium/thunder/nic.h 
b/drivers/net/ethernet/cavium/thunder/nic.h
index 5fc46c5a4f36..448d1fafc827 100644
--- a/drivers/net/ethernet/cavium/thunder/nic.h
+++ b/drivers/net/ethernet/cavium/thunder/nic.h
@@ -265,14 +265,9 @@ struct nicvf_drv_stats {
 
 struct cavium_ptp;
 
-struct xcast_addr {
-   struct list_head list;
-   u64  addr;
-};
-
 struct xcast_addr_list {
-   struct list_head list;
int  count;
+   u64  mc[];
 };
 
 struct nicvf_work {
diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c 
b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
index 1e9a31fef729..7d9e58533a83 100644
--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
@@ -1929,7 +1929,7 @@ static void nicvf_set_rx_mode_task(struct work_struct 
*work_arg)
  work.work);
struct nicvf *nic = container_of(vf_work, struct nicvf, rx_mode_work);
union nic_mbx mbx = {};
-   struct xcast_addr *xaddr, *next;
+   u8 idx = 0;
 
if (!vf_work)
return;
@@ -1956,16 +1956,10 @@ static void nicvf_set_rx_mode_task(struct work_struct 
*work_arg)
/* check if we have any specific MACs to be added to PF DMAC filter */
if (vf_work->mc) {
/* now go through kernel list of MACs and add them one by one */
-   list_for_each_entry_safe(xaddr, next,
-_work->mc->list, list) {
+   for (idx = 0; idx < vf_work->mc->count; idx++) {
mbx.xcast.msg = NIC_MBOX_MSG_ADD_MCAST;
-   mbx.xcast.data.mac = xaddr->addr;
+   mbx.xcast.data.mac = vf_work->mc->mc[idx];
nicvf_send_msg_to_pf(nic, );
-
-   /* after receiving ACK from PF release memory */
-   list_del(>list);
-   kfree(xaddr);
-   vf_work->mc->count--;
}
kfree(vf_work->mc);
}
@@ -1996,17 +1990,15 @@ static void nicvf_set_rx_mode(struct net_device *netdev)
mode |= BGX_XCAST_MCAST_FILTER;
/* here we need to copy mc addrs */
if (netdev_mc_count(netdev)) {
-   struct xcast_addr *xaddr;
-
-   mc_list = kmalloc(sizeof(*mc_list), GFP_ATOMIC);
-   INIT_LIST_HEAD(_list->list);
+   mc_list = kmalloc(offsetof(typeof(*mc_list),
+  
mc[netdev_mc_count(netdev)]),
+ GFP_ATOMIC);
+   if (unlikely(!mc_list))
+   return;
+   mc_list->count = 0;
netdev_hw_addr_list_for_each(ha, >mc) {
-   xaddr = kmalloc(sizeof(*xaddr),
-   GFP_ATOMIC);
-   xaddr->addr =
+   mc_list->mc[mc_list->count] =
ether_addr_to_u64(ha->addr);
-   list_add_tail(>list,
- _list->list);
mc_list->count++;
}
}
-- 
2.14.3

[PATCH v3] ARM: sun8i: v40: enable USB host ports for Banana Pi M2 Berry

[Icenowy Zheng]

Banana Pi M2 Berry has an on-board USB Hub that provides 4 USB Type-A
ports, and it's connected to the USB1 port of the SoC.

Enable it.

Signed-off-by: Icenowy Zheng 
---
Changes in v3:
- Dropped OHCI node and added hub model comment in EHCI.

 arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts 
b/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts
index a26d72c3f9b5..35859d8f3267 100644
--- a/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts
+++ b/arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts
@@ -87,6 +87,11 @@
};
 };
 
+ {
+   /* Terminus Tech FE 1.1s 4-port USB 2.0 hub here */
+   status = "okay";
+};
+
  {
status = "okay";
 
@@ -170,3 +175,8 @@
pinctrl-0 = <_pb_pins>;
status = "okay";
 };
+
+ {
+   usb1_vbus-supply = <_vcc5v0>;
+   status = "okay";
+};
-- 
2.15.1

[PATCH v3] net: thunderx: rework mac addresses list to u64 array

[Vadim Lomovtsev]

From: Vadim Lomovtsev 

It is too expensive to pass u64 values via linked list, instead
allocate array for them by overall number of mac addresses from netdev.

This eventually removes multiple kmalloc() calls, aviod memory
fragmentation and allow to put single null check on kmalloc
return value in order to prevent a potential null pointer dereference.

Addresses-Coverity-ID: 1467429 ("Dereference null return value")
Fixes: 37c3347eb247 ("net: thunderx: add ndo_set_rx_mode callback 
implementation for VF")
Reported-by: Dan Carpenter 
Signed-off-by: Vadim Lomovtsev 
---
Changes from v1 to v2:
 - C99 syntax: update xcast_addr_list struct field mc[0] -> mc[];
Changes from v2 to v3:
 - update commit description with 'Reported-by: Dan Carpenter';
 - update size calculations for mc list to offsetof() call
   instead of explicit arithmetic;
---
 drivers/net/ethernet/cavium/thunder/nic.h|  7 +-
 drivers/net/ethernet/cavium/thunder/nicvf_main.c | 28 +---
 2 files changed, 11 insertions(+), 24 deletions(-)

diff --git a/drivers/net/ethernet/cavium/thunder/nic.h 
b/drivers/net/ethernet/cavium/thunder/nic.h
index 5fc46c5a4f36..448d1fafc827 100644
--- a/drivers/net/ethernet/cavium/thunder/nic.h
+++ b/drivers/net/ethernet/cavium/thunder/nic.h
@@ -265,14 +265,9 @@ struct nicvf_drv_stats {
 
 struct cavium_ptp;
 
-struct xcast_addr {
-   struct list_head list;
-   u64  addr;
-};
-
 struct xcast_addr_list {
-   struct list_head list;
int  count;
+   u64  mc[];
 };
 
 struct nicvf_work {
diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c 
b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
index 1e9a31fef729..7d9e58533a83 100644
--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
@@ -1929,7 +1929,7 @@ static void nicvf_set_rx_mode_task(struct work_struct 
*work_arg)
  work.work);
struct nicvf *nic = container_of(vf_work, struct nicvf, rx_mode_work);
union nic_mbx mbx = {};
-   struct xcast_addr *xaddr, *next;
+   u8 idx = 0;
 
if (!vf_work)
return;
@@ -1956,16 +1956,10 @@ static void nicvf_set_rx_mode_task(struct work_struct 
*work_arg)
/* check if we have any specific MACs to be added to PF DMAC filter */
if (vf_work->mc) {
/* now go through kernel list of MACs and add them one by one */
-   list_for_each_entry_safe(xaddr, next,
-_work->mc->list, list) {
+   for (idx = 0; idx < vf_work->mc->count; idx++) {
mbx.xcast.msg = NIC_MBOX_MSG_ADD_MCAST;
-   mbx.xcast.data.mac = xaddr->addr;
+   mbx.xcast.data.mac = vf_work->mc->mc[idx];
nicvf_send_msg_to_pf(nic, );
-
-   /* after receiving ACK from PF release memory */
-   list_del(>list);
-   kfree(xaddr);
-   vf_work->mc->count--;
}
kfree(vf_work->mc);
}
@@ -1996,17 +1990,15 @@ static void nicvf_set_rx_mode(struct net_device *netdev)
mode |= BGX_XCAST_MCAST_FILTER;
/* here we need to copy mc addrs */
if (netdev_mc_count(netdev)) {
-   struct xcast_addr *xaddr;
-
-   mc_list = kmalloc(sizeof(*mc_list), GFP_ATOMIC);
-   INIT_LIST_HEAD(_list->list);
+   mc_list = kmalloc(offsetof(typeof(*mc_list),
+  
mc[netdev_mc_count(netdev)]),
+ GFP_ATOMIC);
+   if (unlikely(!mc_list))
+   return;
+   mc_list->count = 0;
netdev_hw_addr_list_for_each(ha, >mc) {
-   xaddr = kmalloc(sizeof(*xaddr),
-   GFP_ATOMIC);
-   xaddr->addr =
+   mc_list->mc[mc_list->count] =
ether_addr_to_u64(ha->addr);
-   list_add_tail(>list,
- _list->list);
mc_list->count++;
}
}
-- 
2.14.3

[PATCH 4.15 00/72] 4.15.16-stable review

[Greg Kroah-Hartman]

This is the start of the stable review cycle for the 4.15.16 release.
There are 72 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun Apr  8 08:43:10 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.15.16-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.15.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.15.16-rc1

Greg Kroah-Hartman 
Revert "ip6_vti: adjust vti mtu according to mtu of lower device"

Greg Kroah-Hartman 
Revert "cpufreq: Fix governor module removal race"

Greg Kroah-Hartman 
Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"

Greg Kroah-Hartman 
Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"

Mikulas Patocka 
Fix slab name "biovec-(1<<(21-12))"

Matthias Brugger 
net: hns: Fix ethtool private flags

Keerthy 
ARM: dts: DRA76-EVM: Set powerhold property for tps65917

Mike Frysinger 
vt: change SGR 21 to follow the standards

Ondrej Zary 
Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad

Dennis Wassenberg 
Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list

Masaki Ota 
Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370

Gaku Inami 
Revert "base: arch_topology: fix section mismatch build warnings"

Frank Mori Hess 
staging: comedi: ni_mio_common: ack ai fifo error interrupts.

Liu Bo 
Btrfs: fix unexpected cow in run_delalloc_nocow

Eric Biggers 
crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one

Leonard Crestez 
crypto: arm,arm64 - Fix random regeneration of S_shipped

Maciej S. Szmigiero 
crypto: ccp - return an actual key size from RSA max_size callback

Rui Miguel Silva 
crypto: caam - Fix null dereference at error path

Herbert Xu 
crypto: ahash - Fix early termination in hash walk

LEROY Christophe 
crypto: talitos - fix IPsec cipher in length

Conor McLoughlin 
crypto: testmgr - Fix incorrect values in PKCS#1 test vector

Gregory CLEMENT 
crypto: inside-secure - fix clock management

LEROY Christophe 
crypto: talitos - don't persistently map req_ctx->hw_context and 
req_ctx->buf

Herbert Xu 
crypto: lrw - Free rctx->ext with kzfree

Alexander Gerasiov 
parport_pc: Add support for WCH CH382L PCI-E single parallel port card.

Oliver Neukum 
media: usbtv: prevent double free in error case

Kees Cook 
/dev/mem: Avoid overwriting "err" in read_mem()

Colin Ian King 
mei: remove dev_err message on an unsupported ioctl

Joel Stanley 
serial: 8250: Add Nuvoton NPCM UART

Johan Hovold 
USB: serial: cp210x: add ELDAT Easywave RX09 id

Clemens Werther 
USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator

Major Hayden 
USB: serial: ftdi_sio: add RT Systems VX-8 cable

Omar Sandoval 
bitmap: fix memset optimization on big-endian systems

Dhinakaran Pandiyan 
drm/i915/dp: Write to SET_POWER dpcd to enable MST hub.

Szymon Janc 
Bluetooth: Fix missing encryption refresh on Security Request

Arnd Bergmann 
phy: qcom-ufs: add MODULE_LICENSE tag

Florian Westphal 
netfilter: x_tables: add and use xt_check_proc_name

Paolo Abeni 
netfilter: drop template ct when conntrack is skipped.

Paolo Abeni 
l2tp: fix races with ipv4-mapped ipv6 addresses

Florian Westphal 
netfilter: bridge: ebt_among: add more missing match size checks

Michal Hocko 
netfilter: x_tables: make allocation less aggressive

Dennis Zhou 
percpu: add __GFP_NORETRY semantics to the percpu balancing path

Steffen Klassert 

[PATCH 4.15 00/72] 4.15.16-stable review

[Greg Kroah-Hartman]

This is the start of the stable review cycle for the 4.15.16 release.
There are 72 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun Apr  8 08:43:10 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.15.16-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.15.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.15.16-rc1

Greg Kroah-Hartman 
Revert "ip6_vti: adjust vti mtu according to mtu of lower device"

Greg Kroah-Hartman 
Revert "cpufreq: Fix governor module removal race"

Greg Kroah-Hartman 
Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"

Greg Kroah-Hartman 
Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"

Mikulas Patocka 
Fix slab name "biovec-(1<<(21-12))"

Matthias Brugger 
net: hns: Fix ethtool private flags

Keerthy 
ARM: dts: DRA76-EVM: Set powerhold property for tps65917

Mike Frysinger 
vt: change SGR 21 to follow the standards

Ondrej Zary 
Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad

Dennis Wassenberg 
Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list

Masaki Ota 
Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370

Gaku Inami 
Revert "base: arch_topology: fix section mismatch build warnings"

Frank Mori Hess 
staging: comedi: ni_mio_common: ack ai fifo error interrupts.

Liu Bo 
Btrfs: fix unexpected cow in run_delalloc_nocow

Eric Biggers 
crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one

Leonard Crestez 
crypto: arm,arm64 - Fix random regeneration of S_shipped

Maciej S. Szmigiero 
crypto: ccp - return an actual key size from RSA max_size callback

Rui Miguel Silva 
crypto: caam - Fix null dereference at error path

Herbert Xu 
crypto: ahash - Fix early termination in hash walk

LEROY Christophe 
crypto: talitos - fix IPsec cipher in length

Conor McLoughlin 
crypto: testmgr - Fix incorrect values in PKCS#1 test vector

Gregory CLEMENT 
crypto: inside-secure - fix clock management

LEROY Christophe 
crypto: talitos - don't persistently map req_ctx->hw_context and 
req_ctx->buf

Herbert Xu 
crypto: lrw - Free rctx->ext with kzfree

Alexander Gerasiov 
parport_pc: Add support for WCH CH382L PCI-E single parallel port card.

Oliver Neukum 
media: usbtv: prevent double free in error case

Kees Cook 
/dev/mem: Avoid overwriting "err" in read_mem()

Colin Ian King 
mei: remove dev_err message on an unsupported ioctl

Joel Stanley 
serial: 8250: Add Nuvoton NPCM UART

Johan Hovold 
USB: serial: cp210x: add ELDAT Easywave RX09 id

Clemens Werther 
USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator

Major Hayden 
USB: serial: ftdi_sio: add RT Systems VX-8 cable

Omar Sandoval 
bitmap: fix memset optimization on big-endian systems

Dhinakaran Pandiyan 
drm/i915/dp: Write to SET_POWER dpcd to enable MST hub.

Szymon Janc 
Bluetooth: Fix missing encryption refresh on Security Request

Arnd Bergmann 
phy: qcom-ufs: add MODULE_LICENSE tag

Florian Westphal 
netfilter: x_tables: add and use xt_check_proc_name

Paolo Abeni 
netfilter: drop template ct when conntrack is skipped.

Paolo Abeni 
l2tp: fix races with ipv4-mapped ipv6 addresses

Florian Westphal 
netfilter: bridge: ebt_among: add more missing match size checks

Michal Hocko 
netfilter: x_tables: make allocation less aggressive

Dennis Zhou 
percpu: add __GFP_NORETRY semantics to the percpu balancing path

Steffen Klassert 
xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems

Greg Hackmann 
net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()

Eric Dumazet 
ipv6: fix possible deadlock in rt6_age_examine_exception()

Roland Dreier 
RDMA/ucma: Introduce safer rdma_addr_size() variants

Leon Romanovsky 
RDMA/ucma: Check that device exists prior to accessing it

Leon Romanovsky 
RDMA/ucma: Check that device is connected prior to access it

Jason Gunthorpe 
RDMA/rdma_cm: Fix use after free race with process_one_req

Leon Romanovsky 
RDMA/ucma: Ensure that CM_ID exists prior to access it

Leon Romanovsky 
RDMA/ucma: Fix use-after-free access in ucma_close

Leon Romanovsky 
RDMA/ucma: Check AF family prior resolving address

Florian Westphal 
xfrm_user: uncoditionally validate esn replay attribute struct

Richard Narron 
partitions/msdos: Unable to mount UFS 44bsd partitions

Nicholas Piggin 
powerpc/64s: Fix i-side SLB miss bad address handler 

[PATCH 4.15 25/72] RDMA/ucma: Check that device is connected prior to access it

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Leon Romanovsky 

commit 4b658d1bbc16605330694bb3ef2570c465ef383d upstream.

Add missing check that device is connected prior to access it.

[   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
[   55.359389] Read of size 8 at addr 00b0 by task qp/618
[   55.360255]
[   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 
4.16.0-rc1-00071-gcaf61b1b8b88 #91
[   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   55.363264] Call Trace:
[   55.363833]  dump_stack+0x5c/0x77
[   55.364215]  kasan_report+0x163/0x380
[   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
[   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
[   55.366410]  ucma_init_qp_attr+0x111/0x200
[   55.366846]  ? ucma_notify+0xf0/0xf0
[   55.367405]  ? _get_random_bytes+0xea/0x1b0
[   55.367846]  ? urandom_read+0x2f0/0x2f0
[   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
[   55.369104]  ? refcount_inc_not_zero+0x9/0x60
[   55.369583]  ? refcount_inc+0x5/0x30
[   55.370155]  ? rdma_create_id+0x215/0x240
[   55.370937]  ? _copy_to_user+0x4f/0x60
[   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
[   55.372127]  ? _copy_from_user+0x5e/0x90
[   55.372720]  ucma_write+0x174/0x1f0
[   55.373090]  ? ucma_close_id+0x40/0x40
[   55.373805]  ? __lru_cache_add+0xa8/0xd0
[   55.374403]  __vfs_write+0xc4/0x350
[   55.374774]  ? kernel_read+0xa0/0xa0
[   55.375173]  ? fsnotify+0x899/0x8f0
[   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
[   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   55.377522]  ? handle_mm_fault+0x174/0x320
[   55.378169]  vfs_write+0xf7/0x280
[   55.378864]  SyS_write+0xa1/0x120
[   55.379270]  ? SyS_read+0x120/0x120
[   55.379643]  ? mm_fault_error+0x180/0x180
[   55.380071]  ? task_work_run+0x7d/0xd0
[   55.380910]  ? __task_pid_nr_ns+0x120/0x140
[   55.381366]  ? SyS_read+0x120/0x120
[   55.381739]  do_syscall_64+0xeb/0x250
[   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   55.382841] RIP: 0033:0x7fc2ef803e99
[   55.383227] RSP: 002b:7fffcc5f3be8 EFLAGS: 0217 ORIG_RAX: 
0001
[   55.384173] RAX: ffda RBX:  RCX: 7fc2ef803e99
[   55.386145] RDX: 0057 RSI: 2080 RDI: 0003
[   55.388418] RBP: 7fffcc5f3c00 R08:  R09: 
[   55.390542] R10:  R11: 0217 R12: 00400480
[   55.392916] R13: 7fffcc5f3cf0 R14:  R15: 
[   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e 
ff 4c 8b 2b 49
8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 
48 8d 78 08
48 89 04 24 e8 3a 4f 1e ff 48
[   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: 8801e2c2f9d8
[   55.532648] CR2: 00b0
[   55.534396] ---[ end trace 70cee64090251c0b ]---

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45500bd ("IB/core: Convert ah_attr from OPA to IB when copying to 
user")
Reported-by: 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/ucma.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1165,6 +1165,11 @@ static ssize_t ucma_init_qp_attr(struct
if (IS_ERR(ctx))
return PTR_ERR(ctx);
 
+   if (!ctx->cm_id->device) {
+   ret = -EINVAL;
+   goto out;
+   }
+
resp.qp_attr_mask = 0;
memset(_attr, 0, sizeof qp_attr);
qp_attr.qp_state = cmd.qp_state;

[PATCH 4.15 27/72] RDMA/ucma: Introduce safer rdma_addr_size() variants

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Roland Dreier 

commit 84652aefb347297aa08e91e283adf7b18f77c2d5 upstream.

There are several places in the ucma ABI where userspace can pass in a
sockaddr but set the address family to AF_IB.  When that happens,
rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
and the ucma kernel code might end up copying past the end of a buffer
not sized for a struct sockaddr_ib.

Fix this by introducing new variants

int rdma_addr_size_in6(struct sockaddr_in6 *addr);
int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);

that are type-safe for the types used in the ucma ABI and return 0 if the
size computed is bigger than the size of the type passed in.  We can use
these new variants to check what size userspace has passed in before
copying any addresses.

Reported-by: 
Signed-off-by: Roland Dreier 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/addr.c |   16 
 drivers/infiniband/core/ucma.c |   34 +-
 include/rdma/ib_addr.h |2 ++
 3 files changed, 35 insertions(+), 17 deletions(-)

--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -207,6 +207,22 @@ int rdma_addr_size(struct sockaddr *addr
 }
 EXPORT_SYMBOL(rdma_addr_size);
 
+int rdma_addr_size_in6(struct sockaddr_in6 *addr)
+{
+   int ret = rdma_addr_size((struct sockaddr *) addr);
+
+   return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_in6);
+
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
+{
+   int ret = rdma_addr_size((struct sockaddr *) addr);
+
+   return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_kss);
+
 static struct rdma_addr_client self;
 
 void rdma_addr_register_client(struct rdma_addr_client *client)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -632,6 +632,9 @@ static ssize_t ucma_bind_ip(struct ucma_
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
+   if (!rdma_addr_size_in6())
+   return -EINVAL;
+
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
@@ -645,22 +648,21 @@ static ssize_t ucma_bind(struct ucma_fil
 int in_len, int out_len)
 {
struct rdma_ucm_bind cmd;
-   struct sockaddr *addr;
struct ucma_context *ctx;
int ret;
 
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
-   addr = (struct sockaddr *) 
-   if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != 
rdma_addr_size(addr)))
+   if (cmd.reserved || !cmd.addr_size ||
+   cmd.addr_size != rdma_addr_size_kss())
return -EINVAL;
 
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
 
-   ret = rdma_bind_addr(ctx->cm_id, addr);
+   ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) );
ucma_put_ctx(ctx);
return ret;
 }
@@ -670,23 +672,22 @@ static ssize_t ucma_resolve_ip(struct uc
   int in_len, int out_len)
 {
struct rdma_ucm_resolve_ip cmd;
-   struct sockaddr *src, *dst;
struct ucma_context *ctx;
int ret;
 
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
-   src = (struct sockaddr *) _addr;
-   dst = (struct sockaddr *) _addr;
-   if (!rdma_addr_size(src) || !rdma_addr_size(dst))
+   if (!rdma_addr_size_in6(_addr) ||
+   !rdma_addr_size_in6(_addr))
return -EINVAL;
 
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
 
-   ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+   ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) _addr,
+   (struct sockaddr *) _addr, 
cmd.timeout_ms);
ucma_put_ctx(ctx);
return ret;
 }
@@ -696,24 +697,23 @@ static ssize_t ucma_resolve_addr(struct
 int in_len, int out_len)
 {
struct rdma_ucm_resolve_addr cmd;
-   struct sockaddr *src, *dst;
struct ucma_context *ctx;
int ret;
 
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
-   src = (struct sockaddr *) _addr;
-   dst = (struct sockaddr *) _addr;
-   if (cmd.reserved || (cmd.src_size && (cmd.src_size != 
rdma_addr_size(src))) ||
-   !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
+   if (cmd.reserved ||
+   (cmd.src_size && (cmd.src_size != 
rdma_addr_size_kss(_addr))) ||
+   !cmd.dst_size 

[PATCH 4.15 25/72] RDMA/ucma: Check that device is connected prior to access it

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Leon Romanovsky 

commit 4b658d1bbc16605330694bb3ef2570c465ef383d upstream.

Add missing check that device is connected prior to access it.

[   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
[   55.359389] Read of size 8 at addr 00b0 by task qp/618
[   55.360255]
[   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 
4.16.0-rc1-00071-gcaf61b1b8b88 #91
[   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   55.363264] Call Trace:
[   55.363833]  dump_stack+0x5c/0x77
[   55.364215]  kasan_report+0x163/0x380
[   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
[   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
[   55.366410]  ucma_init_qp_attr+0x111/0x200
[   55.366846]  ? ucma_notify+0xf0/0xf0
[   55.367405]  ? _get_random_bytes+0xea/0x1b0
[   55.367846]  ? urandom_read+0x2f0/0x2f0
[   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
[   55.369104]  ? refcount_inc_not_zero+0x9/0x60
[   55.369583]  ? refcount_inc+0x5/0x30
[   55.370155]  ? rdma_create_id+0x215/0x240
[   55.370937]  ? _copy_to_user+0x4f/0x60
[   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
[   55.372127]  ? _copy_from_user+0x5e/0x90
[   55.372720]  ucma_write+0x174/0x1f0
[   55.373090]  ? ucma_close_id+0x40/0x40
[   55.373805]  ? __lru_cache_add+0xa8/0xd0
[   55.374403]  __vfs_write+0xc4/0x350
[   55.374774]  ? kernel_read+0xa0/0xa0
[   55.375173]  ? fsnotify+0x899/0x8f0
[   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
[   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   55.377522]  ? handle_mm_fault+0x174/0x320
[   55.378169]  vfs_write+0xf7/0x280
[   55.378864]  SyS_write+0xa1/0x120
[   55.379270]  ? SyS_read+0x120/0x120
[   55.379643]  ? mm_fault_error+0x180/0x180
[   55.380071]  ? task_work_run+0x7d/0xd0
[   55.380910]  ? __task_pid_nr_ns+0x120/0x140
[   55.381366]  ? SyS_read+0x120/0x120
[   55.381739]  do_syscall_64+0xeb/0x250
[   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   55.382841] RIP: 0033:0x7fc2ef803e99
[   55.383227] RSP: 002b:7fffcc5f3be8 EFLAGS: 0217 ORIG_RAX: 
0001
[   55.384173] RAX: ffda RBX:  RCX: 7fc2ef803e99
[   55.386145] RDX: 0057 RSI: 2080 RDI: 0003
[   55.388418] RBP: 7fffcc5f3c00 R08:  R09: 
[   55.390542] R10:  R11: 0217 R12: 00400480
[   55.392916] R13: 7fffcc5f3cf0 R14:  R15: 
[   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e 
ff 4c 8b 2b 49
8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 
48 8d 78 08
48 89 04 24 e8 3a 4f 1e ff 48
[   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: 8801e2c2f9d8
[   55.532648] CR2: 00b0
[   55.534396] ---[ end trace 70cee64090251c0b ]---

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45500bd ("IB/core: Convert ah_attr from OPA to IB when copying to 
user")
Reported-by: 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/ucma.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1165,6 +1165,11 @@ static ssize_t ucma_init_qp_attr(struct
if (IS_ERR(ctx))
return PTR_ERR(ctx);
 
+   if (!ctx->cm_id->device) {
+   ret = -EINVAL;
+   goto out;
+   }
+
resp.qp_attr_mask = 0;
memset(_attr, 0, sizeof qp_attr);
qp_attr.qp_state = cmd.qp_state;

[PATCH 4.15 27/72] RDMA/ucma: Introduce safer rdma_addr_size() variants

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Roland Dreier 

commit 84652aefb347297aa08e91e283adf7b18f77c2d5 upstream.

There are several places in the ucma ABI where userspace can pass in a
sockaddr but set the address family to AF_IB.  When that happens,
rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
and the ucma kernel code might end up copying past the end of a buffer
not sized for a struct sockaddr_ib.

Fix this by introducing new variants

int rdma_addr_size_in6(struct sockaddr_in6 *addr);
int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);

that are type-safe for the types used in the ucma ABI and return 0 if the
size computed is bigger than the size of the type passed in.  We can use
these new variants to check what size userspace has passed in before
copying any addresses.

Reported-by: 
Signed-off-by: Roland Dreier 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/addr.c |   16 
 drivers/infiniband/core/ucma.c |   34 +-
 include/rdma/ib_addr.h |2 ++
 3 files changed, 35 insertions(+), 17 deletions(-)

--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -207,6 +207,22 @@ int rdma_addr_size(struct sockaddr *addr
 }
 EXPORT_SYMBOL(rdma_addr_size);
 
+int rdma_addr_size_in6(struct sockaddr_in6 *addr)
+{
+   int ret = rdma_addr_size((struct sockaddr *) addr);
+
+   return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_in6);
+
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
+{
+   int ret = rdma_addr_size((struct sockaddr *) addr);
+
+   return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_kss);
+
 static struct rdma_addr_client self;
 
 void rdma_addr_register_client(struct rdma_addr_client *client)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -632,6 +632,9 @@ static ssize_t ucma_bind_ip(struct ucma_
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
+   if (!rdma_addr_size_in6())
+   return -EINVAL;
+
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
@@ -645,22 +648,21 @@ static ssize_t ucma_bind(struct ucma_fil
 int in_len, int out_len)
 {
struct rdma_ucm_bind cmd;
-   struct sockaddr *addr;
struct ucma_context *ctx;
int ret;
 
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
-   addr = (struct sockaddr *) 
-   if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != 
rdma_addr_size(addr)))
+   if (cmd.reserved || !cmd.addr_size ||
+   cmd.addr_size != rdma_addr_size_kss())
return -EINVAL;
 
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
 
-   ret = rdma_bind_addr(ctx->cm_id, addr);
+   ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) );
ucma_put_ctx(ctx);
return ret;
 }
@@ -670,23 +672,22 @@ static ssize_t ucma_resolve_ip(struct uc
   int in_len, int out_len)
 {
struct rdma_ucm_resolve_ip cmd;
-   struct sockaddr *src, *dst;
struct ucma_context *ctx;
int ret;
 
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
-   src = (struct sockaddr *) _addr;
-   dst = (struct sockaddr *) _addr;
-   if (!rdma_addr_size(src) || !rdma_addr_size(dst))
+   if (!rdma_addr_size_in6(_addr) ||
+   !rdma_addr_size_in6(_addr))
return -EINVAL;
 
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
 
-   ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+   ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) _addr,
+   (struct sockaddr *) _addr, 
cmd.timeout_ms);
ucma_put_ctx(ctx);
return ret;
 }
@@ -696,24 +697,23 @@ static ssize_t ucma_resolve_addr(struct
 int in_len, int out_len)
 {
struct rdma_ucm_resolve_addr cmd;
-   struct sockaddr *src, *dst;
struct ucma_context *ctx;
int ret;
 
if (copy_from_user(, inbuf, sizeof(cmd)))
return -EFAULT;
 
-   src = (struct sockaddr *) _addr;
-   dst = (struct sockaddr *) _addr;
-   if (cmd.reserved || (cmd.src_size && (cmd.src_size != 
rdma_addr_size(src))) ||
-   !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
+   if (cmd.reserved ||
+   (cmd.src_size && (cmd.src_size != 
rdma_addr_size_kss(_addr))) ||
+   !cmd.dst_size || (cmd.dst_size != 
rdma_addr_size_kss(_addr)))
return -EINVAL;
 
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))

[PATCH 4.15 28/72] ipv6: fix possible deadlock in rt6_age_examine_exception()

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

commit 1bfa26ff8c4b7512f4e4efa6df211239223033d4 upstream.

syzbot reported a LOCKDEP splat [1] in rt6_age_examine_exception()

rt6_age_examine_exception() is called while rt6_exception_lock is held.
This lock is the lower one in the lock hierarchy, thus we can not
call dst_neigh_lookup() function, as it can fallback to neigh_create()

We should instead do a pure RCU lookup. As a bonus we avoid
a pair of atomic operations on neigh refcount.

[1]

WARNING: possible circular locking dependency detected
4.16.0-rc4+ #277 Not tainted

syz-executor7/4015 is trying to acquire lock:
 (>lock){++--}, at: [<416dce19>] __ipv6_dev_mc_dec+0x45/0x350 
net/ipv6/mcast.c:928

but task is already holding lock:
 (>lock){++-.}, at: [] neigh_ifdown+0x3d/0x250 
net/core/neighbour.c:292

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (>lock){++-.}:
   __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
   _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
   __neigh_create+0x87e/0x1d90 net/core/neighbour.c:528
   neigh_create include/net/neighbour.h:315 [inline]
   ip6_neigh_lookup+0x9a7/0xba0 net/ipv6/route.c:228
   dst_neigh_lookup include/net/dst.h:405 [inline]
   rt6_age_examine_exception net/ipv6/route.c:1609 [inline]
   rt6_age_exceptions+0x381/0x660 net/ipv6/route.c:1645
   fib6_age+0xfb/0x140 net/ipv6/ip6_fib.c:2033
   fib6_clean_node+0x389/0x580 net/ipv6/ip6_fib.c:1919
   fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1845
   fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1893
   fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1970
   __fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1986
   fib6_clean_all net/ipv6/ip6_fib.c:1997 [inline]
   fib6_run_gc+0x16b/0x3c0 net/ipv6/ip6_fib.c:2053
   ndisc_netdev_event+0x3c2/0x4a0 net/ipv6/ndisc.c:1781
   notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93
   __raw_notifier_call_chain kernel/notifier.c:394 [inline]
   raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
   call_netdevice_notifiers_info+0x32/0x70 net/core/dev.c:1707
   call_netdevice_notifiers net/core/dev.c:1725 [inline]
   __dev_notify_flags+0x262/0x430 net/core/dev.c:6960
   dev_change_flags+0xf5/0x140 net/core/dev.c:6994
   devinet_ioctl+0x126a/0x1ac0 net/ipv4/devinet.c:1080
   inet_ioctl+0x184/0x310 net/ipv4/af_inet.c:919
   sock_do_ioctl+0xef/0x390 net/socket.c:957
   sock_ioctl+0x36b/0x610 net/socket.c:1081
   vfs_ioctl fs/ioctl.c:46 [inline]
   do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
   SYSC_ioctl fs/ioctl.c:701 [inline]
   SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
   do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #2 (rt6_exception_lock){+.-.}:
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   spin_lock_bh include/linux/spinlock.h:315 [inline]
   rt6_flush_exceptions+0x21/0x210 net/ipv6/route.c:1367
   fib6_del_route net/ipv6/ip6_fib.c:1677 [inline]
   fib6_del+0x624/0x12c0 net/ipv6/ip6_fib.c:1761
   __ip6_del_rt+0xc7/0x120 net/ipv6/route.c:2980
   ip6_del_rt+0x132/0x1a0 net/ipv6/route.c:2993
   __ipv6_dev_ac_dec+0x3b1/0x600 net/ipv6/anycast.c:332
   ipv6_dev_ac_dec net/ipv6/anycast.c:345 [inline]
   ipv6_sock_ac_close+0x2b4/0x3e0 net/ipv6/anycast.c:200
   inet6_release+0x48/0x70 net/ipv6/af_inet6.c:433
   sock_release+0x8d/0x1e0 net/socket.c:594
   sock_close+0x16/0x20 net/socket.c:1149
   __fput+0x327/0x7e0 fs/file_table.c:209
   fput+0x15/0x20 fs/file_table.c:243
   task_work_run+0x199/0x270 kernel/task_work.c:113
   exit_task_work include/linux/task_work.h:22 [inline]
   do_exit+0x9bb/0x1ad0 kernel/exit.c:865
   do_group_exit+0x149/0x400 kernel/exit.c:968
   get_signal+0x73a/0x16d0 kernel/signal.c:2469
   do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
   exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
   prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
   syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
   do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
   entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&(>tb6_lock)->rlock){+.-.}:
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   spin_lock_bh include/linux/spinlock.h:315 [inline]
   __ip6_ins_rt+0x56/0x90 net/ipv6/route.c:1007
   ip6_route_add+0x141/0x190 net/ipv6/route.c:2955
   addrconf_prefix_route+0x44f/0x620 net/ipv6/addrconf.c:2359
   fixup_permanent_addr net/ipv6/addrconf.c:3368 

[PATCH 4.15 28/72] ipv6: fix possible deadlock in rt6_age_examine_exception()

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

commit 1bfa26ff8c4b7512f4e4efa6df211239223033d4 upstream.

syzbot reported a LOCKDEP splat [1] in rt6_age_examine_exception()

rt6_age_examine_exception() is called while rt6_exception_lock is held.
This lock is the lower one in the lock hierarchy, thus we can not
call dst_neigh_lookup() function, as it can fallback to neigh_create()

We should instead do a pure RCU lookup. As a bonus we avoid
a pair of atomic operations on neigh refcount.

[1]

WARNING: possible circular locking dependency detected
4.16.0-rc4+ #277 Not tainted

syz-executor7/4015 is trying to acquire lock:
 (>lock){++--}, at: [<416dce19>] __ipv6_dev_mc_dec+0x45/0x350 
net/ipv6/mcast.c:928

but task is already holding lock:
 (>lock){++-.}, at: [] neigh_ifdown+0x3d/0x250 
net/core/neighbour.c:292

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (>lock){++-.}:
   __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
   _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
   __neigh_create+0x87e/0x1d90 net/core/neighbour.c:528
   neigh_create include/net/neighbour.h:315 [inline]
   ip6_neigh_lookup+0x9a7/0xba0 net/ipv6/route.c:228
   dst_neigh_lookup include/net/dst.h:405 [inline]
   rt6_age_examine_exception net/ipv6/route.c:1609 [inline]
   rt6_age_exceptions+0x381/0x660 net/ipv6/route.c:1645
   fib6_age+0xfb/0x140 net/ipv6/ip6_fib.c:2033
   fib6_clean_node+0x389/0x580 net/ipv6/ip6_fib.c:1919
   fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1845
   fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1893
   fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1970
   __fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1986
   fib6_clean_all net/ipv6/ip6_fib.c:1997 [inline]
   fib6_run_gc+0x16b/0x3c0 net/ipv6/ip6_fib.c:2053
   ndisc_netdev_event+0x3c2/0x4a0 net/ipv6/ndisc.c:1781
   notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93
   __raw_notifier_call_chain kernel/notifier.c:394 [inline]
   raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
   call_netdevice_notifiers_info+0x32/0x70 net/core/dev.c:1707
   call_netdevice_notifiers net/core/dev.c:1725 [inline]
   __dev_notify_flags+0x262/0x430 net/core/dev.c:6960
   dev_change_flags+0xf5/0x140 net/core/dev.c:6994
   devinet_ioctl+0x126a/0x1ac0 net/ipv4/devinet.c:1080
   inet_ioctl+0x184/0x310 net/ipv4/af_inet.c:919
   sock_do_ioctl+0xef/0x390 net/socket.c:957
   sock_ioctl+0x36b/0x610 net/socket.c:1081
   vfs_ioctl fs/ioctl.c:46 [inline]
   do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
   SYSC_ioctl fs/ioctl.c:701 [inline]
   SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
   do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #2 (rt6_exception_lock){+.-.}:
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   spin_lock_bh include/linux/spinlock.h:315 [inline]
   rt6_flush_exceptions+0x21/0x210 net/ipv6/route.c:1367
   fib6_del_route net/ipv6/ip6_fib.c:1677 [inline]
   fib6_del+0x624/0x12c0 net/ipv6/ip6_fib.c:1761
   __ip6_del_rt+0xc7/0x120 net/ipv6/route.c:2980
   ip6_del_rt+0x132/0x1a0 net/ipv6/route.c:2993
   __ipv6_dev_ac_dec+0x3b1/0x600 net/ipv6/anycast.c:332
   ipv6_dev_ac_dec net/ipv6/anycast.c:345 [inline]
   ipv6_sock_ac_close+0x2b4/0x3e0 net/ipv6/anycast.c:200
   inet6_release+0x48/0x70 net/ipv6/af_inet6.c:433
   sock_release+0x8d/0x1e0 net/socket.c:594
   sock_close+0x16/0x20 net/socket.c:1149
   __fput+0x327/0x7e0 fs/file_table.c:209
   fput+0x15/0x20 fs/file_table.c:243
   task_work_run+0x199/0x270 kernel/task_work.c:113
   exit_task_work include/linux/task_work.h:22 [inline]
   do_exit+0x9bb/0x1ad0 kernel/exit.c:865
   do_group_exit+0x149/0x400 kernel/exit.c:968
   get_signal+0x73a/0x16d0 kernel/signal.c:2469
   do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
   exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
   prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
   syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
   do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
   entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&(>tb6_lock)->rlock){+.-.}:
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   spin_lock_bh include/linux/spinlock.h:315 [inline]
   __ip6_ins_rt+0x56/0x90 net/ipv6/route.c:1007
   ip6_route_add+0x141/0x190 net/ipv6/route.c:2955
   addrconf_prefix_route+0x44f/0x620 net/ipv6/addrconf.c:2359
   fixup_permanent_addr net/ipv6/addrconf.c:3368 [inline]
   

[PATCH 4.15 32/72] netfilter: x_tables: make allocation less aggressive

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Michal Hocko 

commit 0537250fdc6c876ed4cbbe874c739aebef493ee2 upstream.

syzbot has noticed that xt_alloc_table_info can allocate a lot of memory.
This is an admin only interface but an admin in a namespace is sufficient
as well.  eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in
xt_alloc_table_info()") has changed the opencoded kmalloc->vmalloc
fallback into kvmalloc.  It has dropped __GFP_NORETRY on the way because
vmalloc has simply never fully supported __GFP_NORETRY semantic.  This is
still the case because e.g.  page tables backing the vmalloc area are
hardcoded GFP_KERNEL.

Revert back to __GFP_NORETRY as a poors man defence against excessively
large allocation request here.  We will not rule out the OOM killer
completely but __GFP_NORETRY should at least stop the large request in
most cases.

[a...@linux-foundation.org: coding-style fixes]
Fixes: eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in 
xt_alloc_tableLink: 
http://lkml.kernel.org/r/20180130140104.ge21...@dhcp22.suse.cz
Signed-off-by: Michal Hocko 
Acked-by: Florian Westphal 
Reviewed-by: Andrew Morton 
Cc: David S. Miller 
Signed-off-by: Andrew Morton 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/netfilter/x_tables.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1008,7 +1008,12 @@ struct xt_table_info *xt_alloc_table_inf
if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
return NULL;
 
-   info = kvmalloc(sz, GFP_KERNEL);
+   /* __GFP_NORETRY is not fully supported by kvmalloc but it should
+* work reasonably well if sz is too large and bail out rather
+* than shoot all processes down before realizing there is nothing
+* more to reclaim.
+*/
+   info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
if (!info)
return NULL;
 

[PATCH 4.15 32/72] netfilter: x_tables: make allocation less aggressive

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Michal Hocko 

commit 0537250fdc6c876ed4cbbe874c739aebef493ee2 upstream.

syzbot has noticed that xt_alloc_table_info can allocate a lot of memory.
This is an admin only interface but an admin in a namespace is sufficient
as well.  eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in
xt_alloc_table_info()") has changed the opencoded kmalloc->vmalloc
fallback into kvmalloc.  It has dropped __GFP_NORETRY on the way because
vmalloc has simply never fully supported __GFP_NORETRY semantic.  This is
still the case because e.g.  page tables backing the vmalloc area are
hardcoded GFP_KERNEL.

Revert back to __GFP_NORETRY as a poors man defence against excessively
large allocation request here.  We will not rule out the OOM killer
completely but __GFP_NORETRY should at least stop the large request in
most cases.

[a...@linux-foundation.org: coding-style fixes]
Fixes: eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in 
xt_alloc_tableLink: 
http://lkml.kernel.org/r/20180130140104.ge21...@dhcp22.suse.cz
Signed-off-by: Michal Hocko 
Acked-by: Florian Westphal 
Reviewed-by: Andrew Morton 
Cc: David S. Miller 
Signed-off-by: Andrew Morton 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/netfilter/x_tables.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1008,7 +1008,12 @@ struct xt_table_info *xt_alloc_table_inf
if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
return NULL;
 
-   info = kvmalloc(sz, GFP_KERNEL);
+   /* __GFP_NORETRY is not fully supported by kvmalloc but it should
+* work reasonably well if sz is too large and bail out rather
+* than shoot all processes down before realizing there is nothing
+* more to reclaim.
+*/
+   info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
if (!info)
return NULL;
 

[PATCH 4.15 31/72] percpu: add __GFP_NORETRY semantics to the percpu balancing path

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Dennis Zhou 

commit 47504ee04b9241548ae2c28be7d0b01cff3b7aa6 upstream.

Percpu memory using the vmalloc area based chunk allocator lazily
populates chunks by first requesting the full virtual address space
required for the chunk and subsequently adding pages as allocations come
through. To ensure atomic allocations can succeed, a workqueue item is
used to maintain a minimum number of empty pages. In certain scenarios,
such as reported in [1], it is possible that physical memory becomes
quite scarce which can result in either a rather long time spent trying
to find free pages or worse, a kernel panic.

This patch adds support for __GFP_NORETRY and __GFP_NOWARN passing them
through to the underlying allocators. This should prevent any
unnecessary panics potentially caused by the workqueue item. The passing
of gfp around is as additional flags rather than a full set of flags.
The next patch will change these to caller passed semantics.

V2:
Added const modifier to gfp flags in the balance path.
Removed an extra whitespace.

[1] https://lkml.org/lkml/2018/2/12/551

Signed-off-by: Dennis Zhou 
Suggested-by: Daniel Borkmann 
Reported-by: syzbot+adb03f3f0bb57ce3a...@syzkaller.appspotmail.com
Acked-by: Christoph Lameter 
Signed-off-by: Tejun Heo 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/percpu-km.c |8 
 mm/percpu-vm.c |   18 +++---
 mm/percpu.c|   45 -
 3 files changed, 43 insertions(+), 28 deletions(-)

--- a/mm/percpu-km.c
+++ b/mm/percpu-km.c
@@ -34,7 +34,7 @@
 #include 
 
 static int pcpu_populate_chunk(struct pcpu_chunk *chunk,
-  int page_start, int page_end)
+  int page_start, int page_end, gfp_t gfp)
 {
return 0;
 }
@@ -45,18 +45,18 @@ static void pcpu_depopulate_chunk(struct
/* nada */
 }
 
-static struct pcpu_chunk *pcpu_create_chunk(void)
+static struct pcpu_chunk *pcpu_create_chunk(gfp_t gfp)
 {
const int nr_pages = pcpu_group_sizes[0] >> PAGE_SHIFT;
struct pcpu_chunk *chunk;
struct page *pages;
int i;
 
-   chunk = pcpu_alloc_chunk();
+   chunk = pcpu_alloc_chunk(gfp);
if (!chunk)
return NULL;
 
-   pages = alloc_pages(GFP_KERNEL, order_base_2(nr_pages));
+   pages = alloc_pages(gfp | GFP_KERNEL, order_base_2(nr_pages));
if (!pages) {
pcpu_free_chunk(chunk);
return NULL;
--- a/mm/percpu-vm.c
+++ b/mm/percpu-vm.c
@@ -37,7 +37,7 @@ static struct page **pcpu_get_pages(void
lockdep_assert_held(_alloc_mutex);
 
if (!pages)
-   pages = pcpu_mem_zalloc(pages_size);
+   pages = pcpu_mem_zalloc(pages_size, 0);
return pages;
 }
 
@@ -73,18 +73,21 @@ static void pcpu_free_pages(struct pcpu_
  * @pages: array to put the allocated pages into, indexed by pcpu_page_idx()
  * @page_start: page index of the first page to be allocated
  * @page_end: page index of the last page to be allocated + 1
+ * @gfp: allocation flags passed to the underlying allocator
  *
  * Allocate pages [@page_start,@page_end) into @pages for all units.
  * The allocation is for @chunk.  Percpu core doesn't care about the
  * content of @pages and will pass it verbatim to pcpu_map_pages().
  */
 static int pcpu_alloc_pages(struct pcpu_chunk *chunk,
-   struct page **pages, int page_start, int page_end)
+   struct page **pages, int page_start, int page_end,
+   gfp_t gfp)
 {
-   const gfp_t gfp = GFP_KERNEL | __GFP_HIGHMEM;
unsigned int cpu, tcpu;
int i;
 
+   gfp |= GFP_KERNEL | __GFP_HIGHMEM;
+
for_each_possible_cpu(cpu) {
for (i = page_start; i < page_end; i++) {
struct page **pagep = [pcpu_page_idx(cpu, i)];
@@ -262,6 +265,7 @@ static void pcpu_post_map_flush(struct p
  * @chunk: chunk of interest
  * @page_start: the start page
  * @page_end: the end page
+ * @gfp: allocation flags passed to the underlying memory allocator
  *
  * For each cpu, populate and map pages [@page_start,@page_end) into
  * @chunk.
@@ -270,7 +274,7 @@ static void pcpu_post_map_flush(struct p
  * pcpu_alloc_mutex, does GFP_KERNEL allocation.
  */
 static int pcpu_populate_chunk(struct pcpu_chunk *chunk,
-  int page_start, int page_end)
+  int page_start, int page_end, gfp_t gfp)
 {
struct page **pages;
 
@@ -278,7 +282,7 @@ static int pcpu_populate_chunk(struct pc
if (!pages)
return -ENOMEM;
 
-   if (pcpu_alloc_pages(chunk, pages, page_start, page_end))
+   if (pcpu_alloc_pages(chunk, pages, 

[PATCH 4.15 31/72] percpu: add __GFP_NORETRY semantics to the percpu balancing path

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Dennis Zhou 

commit 47504ee04b9241548ae2c28be7d0b01cff3b7aa6 upstream.

Percpu memory using the vmalloc area based chunk allocator lazily
populates chunks by first requesting the full virtual address space
required for the chunk and subsequently adding pages as allocations come
through. To ensure atomic allocations can succeed, a workqueue item is
used to maintain a minimum number of empty pages. In certain scenarios,
such as reported in [1], it is possible that physical memory becomes
quite scarce which can result in either a rather long time spent trying
to find free pages or worse, a kernel panic.

This patch adds support for __GFP_NORETRY and __GFP_NOWARN passing them
through to the underlying allocators. This should prevent any
unnecessary panics potentially caused by the workqueue item. The passing
of gfp around is as additional flags rather than a full set of flags.
The next patch will change these to caller passed semantics.

V2:
Added const modifier to gfp flags in the balance path.
Removed an extra whitespace.

[1] https://lkml.org/lkml/2018/2/12/551

Signed-off-by: Dennis Zhou 
Suggested-by: Daniel Borkmann 
Reported-by: syzbot+adb03f3f0bb57ce3a...@syzkaller.appspotmail.com
Acked-by: Christoph Lameter 
Signed-off-by: Tejun Heo 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/percpu-km.c |8 
 mm/percpu-vm.c |   18 +++---
 mm/percpu.c|   45 -
 3 files changed, 43 insertions(+), 28 deletions(-)

--- a/mm/percpu-km.c
+++ b/mm/percpu-km.c
@@ -34,7 +34,7 @@
 #include 
 
 static int pcpu_populate_chunk(struct pcpu_chunk *chunk,
-  int page_start, int page_end)
+  int page_start, int page_end, gfp_t gfp)
 {
return 0;
 }
@@ -45,18 +45,18 @@ static void pcpu_depopulate_chunk(struct
/* nada */
 }
 
-static struct pcpu_chunk *pcpu_create_chunk(void)
+static struct pcpu_chunk *pcpu_create_chunk(gfp_t gfp)
 {
const int nr_pages = pcpu_group_sizes[0] >> PAGE_SHIFT;
struct pcpu_chunk *chunk;
struct page *pages;
int i;
 
-   chunk = pcpu_alloc_chunk();
+   chunk = pcpu_alloc_chunk(gfp);
if (!chunk)
return NULL;
 
-   pages = alloc_pages(GFP_KERNEL, order_base_2(nr_pages));
+   pages = alloc_pages(gfp | GFP_KERNEL, order_base_2(nr_pages));
if (!pages) {
pcpu_free_chunk(chunk);
return NULL;
--- a/mm/percpu-vm.c
+++ b/mm/percpu-vm.c
@@ -37,7 +37,7 @@ static struct page **pcpu_get_pages(void
lockdep_assert_held(_alloc_mutex);
 
if (!pages)
-   pages = pcpu_mem_zalloc(pages_size);
+   pages = pcpu_mem_zalloc(pages_size, 0);
return pages;
 }
 
@@ -73,18 +73,21 @@ static void pcpu_free_pages(struct pcpu_
  * @pages: array to put the allocated pages into, indexed by pcpu_page_idx()
  * @page_start: page index of the first page to be allocated
  * @page_end: page index of the last page to be allocated + 1
+ * @gfp: allocation flags passed to the underlying allocator
  *
  * Allocate pages [@page_start,@page_end) into @pages for all units.
  * The allocation is for @chunk.  Percpu core doesn't care about the
  * content of @pages and will pass it verbatim to pcpu_map_pages().
  */
 static int pcpu_alloc_pages(struct pcpu_chunk *chunk,
-   struct page **pages, int page_start, int page_end)
+   struct page **pages, int page_start, int page_end,
+   gfp_t gfp)
 {
-   const gfp_t gfp = GFP_KERNEL | __GFP_HIGHMEM;
unsigned int cpu, tcpu;
int i;
 
+   gfp |= GFP_KERNEL | __GFP_HIGHMEM;
+
for_each_possible_cpu(cpu) {
for (i = page_start; i < page_end; i++) {
struct page **pagep = [pcpu_page_idx(cpu, i)];
@@ -262,6 +265,7 @@ static void pcpu_post_map_flush(struct p
  * @chunk: chunk of interest
  * @page_start: the start page
  * @page_end: the end page
+ * @gfp: allocation flags passed to the underlying memory allocator
  *
  * For each cpu, populate and map pages [@page_start,@page_end) into
  * @chunk.
@@ -270,7 +274,7 @@ static void pcpu_post_map_flush(struct p
  * pcpu_alloc_mutex, does GFP_KERNEL allocation.
  */
 static int pcpu_populate_chunk(struct pcpu_chunk *chunk,
-  int page_start, int page_end)
+  int page_start, int page_end, gfp_t gfp)
 {
struct page **pages;
 
@@ -278,7 +282,7 @@ static int pcpu_populate_chunk(struct pc
if (!pages)
return -ENOMEM;
 
-   if (pcpu_alloc_pages(chunk, pages, page_start, page_end))
+   if (pcpu_alloc_pages(chunk, pages, page_start, page_end, gfp))
return -ENOMEM;
 
if (pcpu_map_pages(chunk, pages, page_start, page_end)) {
@@ 

Re: x86/dma conversion for v4.17-rc1 breaks sound / sst-acpi (commit 6e4bf5867783)

[Pierre-Louis Bossart]

On 04/05/2018 08:14 PM, Mark Brown wrote:

On Thu, Apr 05, 2018 at 10:56:57PM +0200, Dominik Brodowski wrote:

Christoph,

unfortunately, commit 6e4bf5867783 breaks sound on my Dell XPS13, see the
dmesg diff between fec777c385b6 and 6e4bf5867783:

Adding Vinod and Pierre from Intel in case they have any ideas here.
Which model of XPS13 is this (2015?)?
No clear idea, but this patch is odd. It claims to replace a dma_ops 
structure by an equivalent one but the

callbacks for alloc/free are different.

-void *x86_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
-                    dma_addr_t *dma_handle, gfp_t flags,
-                    unsigned long attrs)
-{
-    void *vaddr;
-
-    /*
-     * Don't print a warning when the first allocation attempt fails.
-     * swiotlb_alloc_coherent() will print a warning when the DMA
-     * memory allocation ultimately failed.
-     */
-    flags |= __GFP_NOWARN;
-
-    vaddr = dma_direct_alloc(hwdev, size, dma_handle, flags, attrs);
-    if (vaddr)
-        return vaddr;
-
-    return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
-}
-
-void x86_swiotlb_free_coherent(struct device *dev, size_t size,
-                  void *vaddr, dma_addr_t dma_addr,
-                  unsigned long attrs)
-{
-    if (is_swiotlb_buffer(dma_to_phys(dev, dma_addr)))
-        swiotlb_free_coherent(dev, size, vaddr, dma_addr);
-    else
-        dma_direct_free(dev, size, vaddr, dma_addr, attrs);
-}




-sst-acpi INT3438:00: DesignWare DMA Controller, 8 channels
-haswell-pcm-audio haswell-pcm-audio: Direct firmware load for 
intel/IntcPP01.bin failed with error -2
-haswell-pcm-audio haswell-pcm-audio: fw image intel/IntcPP01.bin not 
available(-2)
-haswell-pcm-audio haswell-pcm-audio: FW loaded, mailbox readback FW info: type 
01, - version: 00.00, build 77, source commit id: 
876ac6906f31a43b6772b23c7c983ce9dcb18a19
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> System Pin mapping ok
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> Offload0 Pin mapping ok
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> Offload1 Pin mapping ok
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> Loopback Pin mapping ok
-broadwell-audio broadwell-audio: rt286-aif1 <-> snd-soc-dummy-dai mapping ok
-input: broadwell-rt286 Headset as 
/devices/pci:00/INT3438:00/broadwell-audio/sound/card1/input15
+broadwell-audio broadwell-audio: ASoC: CPU DAI System Pin not registered
So it seems that sst-acpi is unhappy with this patch. Any ideas?
Thanks,
Dominik

Re: x86/dma conversion for v4.17-rc1 breaks sound / sst-acpi (commit 6e4bf5867783)

[Pierre-Louis Bossart]

On 04/05/2018 08:14 PM, Mark Brown wrote:

On Thu, Apr 05, 2018 at 10:56:57PM +0200, Dominik Brodowski wrote:

Christoph,

unfortunately, commit 6e4bf5867783 breaks sound on my Dell XPS13, see the
dmesg diff between fec777c385b6 and 6e4bf5867783:

Adding Vinod and Pierre from Intel in case they have any ideas here.
Which model of XPS13 is this (2015?)?
No clear idea, but this patch is odd. It claims to replace a dma_ops 
structure by an equivalent one but the

callbacks for alloc/free are different.

-void *x86_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
-                    dma_addr_t *dma_handle, gfp_t flags,
-                    unsigned long attrs)
-{
-    void *vaddr;
-
-    /*
-     * Don't print a warning when the first allocation attempt fails.
-     * swiotlb_alloc_coherent() will print a warning when the DMA
-     * memory allocation ultimately failed.
-     */
-    flags |= __GFP_NOWARN;
-
-    vaddr = dma_direct_alloc(hwdev, size, dma_handle, flags, attrs);
-    if (vaddr)
-        return vaddr;
-
-    return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
-}
-
-void x86_swiotlb_free_coherent(struct device *dev, size_t size,
-                  void *vaddr, dma_addr_t dma_addr,
-                  unsigned long attrs)
-{
-    if (is_swiotlb_buffer(dma_to_phys(dev, dma_addr)))
-        swiotlb_free_coherent(dev, size, vaddr, dma_addr);
-    else
-        dma_direct_free(dev, size, vaddr, dma_addr, attrs);
-}




-sst-acpi INT3438:00: DesignWare DMA Controller, 8 channels
-haswell-pcm-audio haswell-pcm-audio: Direct firmware load for 
intel/IntcPP01.bin failed with error -2
-haswell-pcm-audio haswell-pcm-audio: fw image intel/IntcPP01.bin not 
available(-2)
-haswell-pcm-audio haswell-pcm-audio: FW loaded, mailbox readback FW info: type 
01, - version: 00.00, build 77, source commit id: 
876ac6906f31a43b6772b23c7c983ce9dcb18a19
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> System Pin mapping ok
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> Offload0 Pin mapping ok
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> Offload1 Pin mapping ok
-broadwell-audio broadwell-audio: snd-soc-dummy-dai <-> Loopback Pin mapping ok
-broadwell-audio broadwell-audio: rt286-aif1 <-> snd-soc-dummy-dai mapping ok
-input: broadwell-rt286 Headset as 
/devices/pci:00/INT3438:00/broadwell-audio/sound/card1/input15
+broadwell-audio broadwell-audio: ASoC: CPU DAI System Pin not registered
So it seems that sst-acpi is unhappy with this patch. Any ideas?
Thanks,
Dominik

[PATCH 4.15 33/72] netfilter: bridge: ebt_among: add more missing match size checks

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit c8d70a700a5b486bfa8e5a7d33d805389f6e59f9 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part

NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with same rules from the earlier patch.

Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: 
Signed-off-by: Florian Westphal 
Reviewed-by: Eric Dumazet 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/bridge/netfilter/ebt_among.c |   34 ++
 1 file changed, 34 insertions(+)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struc
return w && w->poolsize >= (INT_MAX / sizeof(struct 
ebt_mac_wormhash_tuple));
 }
 
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+   if (off == 0) /* not present */
+   return false;
+
+   if (off < (int)sizeof(struct ebt_among_info) ||
+   off % __alignof__(struct ebt_mac_wormhash))
+   return true;
+
+   off += sizeof(struct ebt_mac_wormhash);
+
+   return off > len;
+}
+
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int 
b)
+{
+   if (a == 0)
+   a = sizeof(struct ebt_among_info);
+
+   return ebt_mac_wormhash_size(wh) + a == b;
+}
+
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
const struct ebt_among_info *info = par->matchinfo;
@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const stru
if (expected_length > em->match_size)
return -EINVAL;
 
+   if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+   wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+   return -EINVAL;
+
wh_dst = ebt_among_wh_dst(info);
if (poolsize_invalid(wh_dst))
return -EINVAL;
@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const stru
if (poolsize_invalid(wh_src))
return -EINVAL;
 
+   if (info->wh_src_ofs < info->wh_dst_ofs) {
+   if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, 
info->wh_dst_ofs))
+   return -EINVAL;
+   } else {
+   if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, 
info->wh_src_ofs))
+   return -EINVAL;
+   }
+
expected_length += ebt_mac_wormhash_size(wh_src);
 
if (em->match_size != EBT_ALIGN(expected_length)) {

[PATCH 4.15 33/72] netfilter: bridge: ebt_among: add more missing match size checks

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit c8d70a700a5b486bfa8e5a7d33d805389f6e59f9 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part

NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with same rules from the earlier patch.

Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: 
Signed-off-by: Florian Westphal 
Reviewed-by: Eric Dumazet 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/bridge/netfilter/ebt_among.c |   34 ++
 1 file changed, 34 insertions(+)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struc
return w && w->poolsize >= (INT_MAX / sizeof(struct 
ebt_mac_wormhash_tuple));
 }
 
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+   if (off == 0) /* not present */
+   return false;
+
+   if (off < (int)sizeof(struct ebt_among_info) ||
+   off % __alignof__(struct ebt_mac_wormhash))
+   return true;
+
+   off += sizeof(struct ebt_mac_wormhash);
+
+   return off > len;
+}
+
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int 
b)
+{
+   if (a == 0)
+   a = sizeof(struct ebt_among_info);
+
+   return ebt_mac_wormhash_size(wh) + a == b;
+}
+
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
const struct ebt_among_info *info = par->matchinfo;
@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const stru
if (expected_length > em->match_size)
return -EINVAL;
 
+   if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+   wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+   return -EINVAL;
+
wh_dst = ebt_among_wh_dst(info);
if (poolsize_invalid(wh_dst))
return -EINVAL;
@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const stru
if (poolsize_invalid(wh_src))
return -EINVAL;
 
+   if (info->wh_src_ofs < info->wh_dst_ofs) {
+   if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, 
info->wh_dst_ofs))
+   return -EINVAL;
+   } else {
+   if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, 
info->wh_src_ofs))
+   return -EINVAL;
+   }
+
expected_length += ebt_mac_wormhash_size(wh_src);
 
if (em->match_size != EBT_ALIGN(expected_length)) {

[PATCH 4.15 34/72] l2tp: fix races with ipv4-mapped ipv6 addresses

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Paolo Abeni 

commit b954f94023dcc61388c8384f0f14eb8e42c863c5 upstream.

The l2tp_tunnel_create() function checks for v4mapped ipv6
sockets and cache that flag, so that l2tp core code can
reusing it at xmit time.

If the socket is provided by the userspace, the connection
status of the tunnel sockets can change between the tunnel
creation and the xmit call, so that syzbot is able to
trigger the following splat:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192
[inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
net/ipv6/ip6_output.c:264
Read of size 8 at addr 8801bd949318 by task syz-executor4/23448

CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report+0x23c/0x360 mm/kasan/report.c:412
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
  ip6_dst_idev include/net/ip6_fib.h:192 [inline]
  ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
  inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
  l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
  l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
  pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
  __sys_sendmsg+0xe5/0x210 net/socket.c:2080
  SYSC_sendmsg net/socket.c:2091 [inline]
  SyS_sendmsg+0x2d/0x50 net/socket.c:2087
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:7f819593cc68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7f819593d6d4 RCX: 00453e69
RDX: 0081 RSI: 2037ffc8 RDI: 0004
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 04c3 R14: 006f72e8 R15: 

This change addresses the issues:
* explicitly checking for TCP_ESTABLISHED for user space provided sockets
* dropping the v4mapped flag usage - it can become outdated - and
  explicitly invoking ipv6_addr_v4mapped() instead

The issue is apparently there since ancient times.

v1 -> v2: (many thanks to Guillaume)
 - with csum issue introduced in v1
 - replace pr_err with pr_debug
 - fix build issue with IPV6 disabled
 - move l2tp_sk_is_v4mapped in l2tp_core.c

v2 -> v3:
 - don't update inet_daddr for v4mapped address, unneeded
 - drop rendundant check at creation time

Reported-and-tested-by: syzbot+92fa328176eb07e4a...@syzkaller.appspotmail.com
Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
Signed-off-by: Paolo Abeni 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 net/l2tp/l2tp_core.c |   38 ++
 net/l2tp/l2tp_core.h |3 ---
 2 files changed, 18 insertions(+), 23 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -111,6 +111,13 @@ struct l2tp_net {
spinlock_t l2tp_session_hlist_lock;
 };
 
+#if IS_ENABLED(CONFIG_IPV6)
+static bool l2tp_sk_is_v6(struct sock *sk)
+{
+   return sk->sk_family == PF_INET6 &&
+  !ipv6_addr_v4mapped(>sk_v6_daddr);
+}
+#endif
 
 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
 {
@@ -1058,7 +1065,7 @@ static int l2tp_xmit_core(struct l2tp_se
/* Queue the packet to IP for output */
skb->ignore_df = 1;
 #if IS_ENABLED(CONFIG_IPV6)
-   if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+   if (l2tp_sk_is_v6(tunnel->sock))
error = inet6_csk_xmit(tunnel->sock, skb, NULL);
else
 #endif
@@ -1121,6 +1128,15 @@ int l2tp_xmit_skb(struct l2tp_session *s
goto out_unlock;
}
 
+   /* The user-space may change the connection status for the user-space
+* provided socket at run time: we must check it under the socket lock
+*/
+   if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
+   kfree_skb(skb);
+   ret = NET_XMIT_DROP;
+   goto out_unlock;
+   }
+
/* Get routing info from the tunnel socket */
skb_dst_drop(skb);
skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
@@ -1140,7 +1156,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
 
/* Calculate UDP checksum if configured to do so */
 #if IS_ENABLED(CONFIG_IPV6)
-   if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+   

[PATCH 4.15 34/72] l2tp: fix races with ipv4-mapped ipv6 addresses

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Paolo Abeni 

commit b954f94023dcc61388c8384f0f14eb8e42c863c5 upstream.

The l2tp_tunnel_create() function checks for v4mapped ipv6
sockets and cache that flag, so that l2tp core code can
reusing it at xmit time.

If the socket is provided by the userspace, the connection
status of the tunnel sockets can change between the tunnel
creation and the xmit call, so that syzbot is able to
trigger the following splat:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192
[inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
net/ipv6/ip6_output.c:264
Read of size 8 at addr 8801bd949318 by task syz-executor4/23448

CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report+0x23c/0x360 mm/kasan/report.c:412
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
  ip6_dst_idev include/net/ip6_fib.h:192 [inline]
  ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
  inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
  l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
  l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
  pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
  __sys_sendmsg+0xe5/0x210 net/socket.c:2080
  SYSC_sendmsg net/socket.c:2091 [inline]
  SyS_sendmsg+0x2d/0x50 net/socket.c:2087
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:7f819593cc68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7f819593d6d4 RCX: 00453e69
RDX: 0081 RSI: 2037ffc8 RDI: 0004
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 04c3 R14: 006f72e8 R15: 

This change addresses the issues:
* explicitly checking for TCP_ESTABLISHED for user space provided sockets
* dropping the v4mapped flag usage - it can become outdated - and
  explicitly invoking ipv6_addr_v4mapped() instead

The issue is apparently there since ancient times.

v1 -> v2: (many thanks to Guillaume)
 - with csum issue introduced in v1
 - replace pr_err with pr_debug
 - fix build issue with IPV6 disabled
 - move l2tp_sk_is_v4mapped in l2tp_core.c

v2 -> v3:
 - don't update inet_daddr for v4mapped address, unneeded
 - drop rendundant check at creation time

Reported-and-tested-by: syzbot+92fa328176eb07e4a...@syzkaller.appspotmail.com
Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
Signed-off-by: Paolo Abeni 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 net/l2tp/l2tp_core.c |   38 ++
 net/l2tp/l2tp_core.h |3 ---
 2 files changed, 18 insertions(+), 23 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -111,6 +111,13 @@ struct l2tp_net {
spinlock_t l2tp_session_hlist_lock;
 };
 
+#if IS_ENABLED(CONFIG_IPV6)
+static bool l2tp_sk_is_v6(struct sock *sk)
+{
+   return sk->sk_family == PF_INET6 &&
+  !ipv6_addr_v4mapped(>sk_v6_daddr);
+}
+#endif
 
 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
 {
@@ -1058,7 +1065,7 @@ static int l2tp_xmit_core(struct l2tp_se
/* Queue the packet to IP for output */
skb->ignore_df = 1;
 #if IS_ENABLED(CONFIG_IPV6)
-   if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+   if (l2tp_sk_is_v6(tunnel->sock))
error = inet6_csk_xmit(tunnel->sock, skb, NULL);
else
 #endif
@@ -1121,6 +1128,15 @@ int l2tp_xmit_skb(struct l2tp_session *s
goto out_unlock;
}
 
+   /* The user-space may change the connection status for the user-space
+* provided socket at run time: we must check it under the socket lock
+*/
+   if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
+   kfree_skb(skb);
+   ret = NET_XMIT_DROP;
+   goto out_unlock;
+   }
+
/* Get routing info from the tunnel socket */
skb_dst_drop(skb);
skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
@@ -1140,7 +1156,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
 
/* Calculate UDP checksum if configured to do so */
 #if IS_ENABLED(CONFIG_IPV6)
-   if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+   if (l2tp_sk_is_v6(sk))
udp6_set_csum(udp_get_no_check6_tx(sk),

[PATCH 4.15 40/72] bitmap: fix memset optimization on big-endian systems

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Omar Sandoval 

commit 21035965f60b0502fc6537b232839389bb4ce664 upstream.

Commit 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and
bitmap_clear into memset when possible") introduced an optimization to
bitmap_{set,clear}() which uses memset() when the start and length are
constants aligned to a byte.

This is wrong on big-endian systems; our bitmaps are arrays of unsigned
long, so bit n is not at byte n / 8 in memory.  This was caught by the
Btrfs selftests, but the bitmap selftests also fail when run on a
big-endian machine.

We can still use memset if the start and length are aligned to an
unsigned long, so do that on big-endian.  The same problem applies to
the memcmp in bitmap_equal(), so fix it there, too.

Fixes: 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and bitmap_clear 
into memset when possible")
Fixes: 2c6deb01525a ("bitmap: use memcmp optimisation in more situations")
Cc: sta...@kernel.org
Reported-by: "Erhard F." 
Cc: Matthew Wilcox 
Cc: Rasmus Villemoes 
Cc: Andrew Morton 
Cc: Arnd Bergmann 
Signed-off-by: Omar Sandoval 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/bitmap.h |   22 +-
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -271,12 +271,20 @@ static inline void bitmap_complement(uns
__bitmap_complement(dst, src, nbits);
 }
 
+#ifdef __LITTLE_ENDIAN
+#define BITMAP_MEM_ALIGNMENT 8
+#else
+#define BITMAP_MEM_ALIGNMENT (8 * sizeof(unsigned long))
+#endif
+#define BITMAP_MEM_MASK (BITMAP_MEM_ALIGNMENT - 1)
+
 static inline int bitmap_equal(const unsigned long *src1,
const unsigned long *src2, unsigned int nbits)
 {
if (small_const_nbits(nbits))
return !((*src1 ^ *src2) & BITMAP_LAST_WORD_MASK(nbits));
-   if (__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   if (__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+   IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
return !memcmp(src1, src2, nbits / 8);
return __bitmap_equal(src1, src2, nbits);
 }
@@ -327,8 +335,10 @@ static __always_inline void bitmap_set(u
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__set_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0xff, nbits / 8);
else
__bitmap_set(map, start, nbits);
@@ -339,8 +349,10 @@ static __always_inline void bitmap_clear
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__clear_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0, nbits / 8);
else
__bitmap_clear(map, start, nbits);

[PATCH 4.15 37/72] phy: qcom-ufs: add MODULE_LICENSE tag

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 59fba0869acae06ff594dd7e9808ed673f53538a upstream.

While the specific UFS PHY drivers (14nm and 20nm) have a module
license, the common base module does not, leading to a Kbuild
failure:

WARNING: modpost: missing MODULE_LICENSE() in 
drivers/phy/qualcomm/phy-qcom-ufs.o
FATAL: modpost: GPL-incompatible module phy-qcom-ufs.ko uses GPL-only symbol 
'clk_enable'

This adds a module description and license tag to fix the build.
I added both Yaniv and Vivek as authors here, as Yaniv sent the initial
submission, while Vivek did most of the work since.

Signed-off-by: Arnd Bergmann 
Acked-by: Bjorn Andersson 
Signed-off-by: Kishon Vijay Abraham I 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/phy/qualcomm/phy-qcom-ufs.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/phy/qualcomm/phy-qcom-ufs.c
+++ b/drivers/phy/qualcomm/phy-qcom-ufs.c
@@ -675,3 +675,8 @@ int ufs_qcom_phy_power_off(struct phy *g
return 0;
 }
 EXPORT_SYMBOL_GPL(ufs_qcom_phy_power_off);
+
+MODULE_AUTHOR("Yaniv Gardi ");
+MODULE_AUTHOR("Vivek Gautam ");
+MODULE_DESCRIPTION("Universal Flash Storage (UFS) QCOM PHY");
+MODULE_LICENSE("GPL v2");

[PATCH 4.15 40/72] bitmap: fix memset optimization on big-endian systems

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Omar Sandoval 

commit 21035965f60b0502fc6537b232839389bb4ce664 upstream.

Commit 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and
bitmap_clear into memset when possible") introduced an optimization to
bitmap_{set,clear}() which uses memset() when the start and length are
constants aligned to a byte.

This is wrong on big-endian systems; our bitmaps are arrays of unsigned
long, so bit n is not at byte n / 8 in memory.  This was caught by the
Btrfs selftests, but the bitmap selftests also fail when run on a
big-endian machine.

We can still use memset if the start and length are aligned to an
unsigned long, so do that on big-endian.  The same problem applies to
the memcmp in bitmap_equal(), so fix it there, too.

Fixes: 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and bitmap_clear 
into memset when possible")
Fixes: 2c6deb01525a ("bitmap: use memcmp optimisation in more situations")
Cc: sta...@kernel.org
Reported-by: "Erhard F." 
Cc: Matthew Wilcox 
Cc: Rasmus Villemoes 
Cc: Andrew Morton 
Cc: Arnd Bergmann 
Signed-off-by: Omar Sandoval 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/bitmap.h |   22 +-
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -271,12 +271,20 @@ static inline void bitmap_complement(uns
__bitmap_complement(dst, src, nbits);
 }
 
+#ifdef __LITTLE_ENDIAN
+#define BITMAP_MEM_ALIGNMENT 8
+#else
+#define BITMAP_MEM_ALIGNMENT (8 * sizeof(unsigned long))
+#endif
+#define BITMAP_MEM_MASK (BITMAP_MEM_ALIGNMENT - 1)
+
 static inline int bitmap_equal(const unsigned long *src1,
const unsigned long *src2, unsigned int nbits)
 {
if (small_const_nbits(nbits))
return !((*src1 ^ *src2) & BITMAP_LAST_WORD_MASK(nbits));
-   if (__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   if (__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+   IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
return !memcmp(src1, src2, nbits / 8);
return __bitmap_equal(src1, src2, nbits);
 }
@@ -327,8 +335,10 @@ static __always_inline void bitmap_set(u
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__set_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0xff, nbits / 8);
else
__bitmap_set(map, start, nbits);
@@ -339,8 +349,10 @@ static __always_inline void bitmap_clear
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__clear_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0, nbits / 8);
else
__bitmap_clear(map, start, nbits);

[PATCH 4.15 37/72] phy: qcom-ufs: add MODULE_LICENSE tag

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 59fba0869acae06ff594dd7e9808ed673f53538a upstream.

While the specific UFS PHY drivers (14nm and 20nm) have a module
license, the common base module does not, leading to a Kbuild
failure:

WARNING: modpost: missing MODULE_LICENSE() in 
drivers/phy/qualcomm/phy-qcom-ufs.o
FATAL: modpost: GPL-incompatible module phy-qcom-ufs.ko uses GPL-only symbol 
'clk_enable'

This adds a module description and license tag to fix the build.
I added both Yaniv and Vivek as authors here, as Yaniv sent the initial
submission, while Vivek did most of the work since.

Signed-off-by: Arnd Bergmann 
Acked-by: Bjorn Andersson 
Signed-off-by: Kishon Vijay Abraham I 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/phy/qualcomm/phy-qcom-ufs.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/phy/qualcomm/phy-qcom-ufs.c
+++ b/drivers/phy/qualcomm/phy-qcom-ufs.c
@@ -675,3 +675,8 @@ int ufs_qcom_phy_power_off(struct phy *g
return 0;
 }
 EXPORT_SYMBOL_GPL(ufs_qcom_phy_power_off);
+
+MODULE_AUTHOR("Yaniv Gardi ");
+MODULE_AUTHOR("Vivek Gautam ");
+MODULE_DESCRIPTION("Universal Flash Storage (UFS) QCOM PHY");
+MODULE_LICENSE("GPL v2");

[PATCH 4.15 36/72] netfilter: x_tables: add and use xt_check_proc_name

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit b1d0a5d0cba4597c0394997b2d5fced3e3841b4e upstream.

recent and hashlimit both create /proc files, but only check that
name is 0 terminated.

This can trigger WARN() from procfs when name is "" or "/".
Add helper for this and then use it for both.

Cc: Eric Dumazet 
Reported-by: Eric Dumazet 
Reported-by: 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/netfilter/x_tables.h |2 ++
 net/netfilter/x_tables.c   |   30 ++
 net/netfilter/xt_hashlimit.c   |   16 ++--
 net/netfilter/xt_recent.c  |6 +++---
 4 files changed, 45 insertions(+), 9 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -285,6 +285,8 @@ unsigned int *xt_alloc_entry_offsets(uns
 bool xt_find_jump_offset(const unsigned int *offsets,
 unsigned int target, unsigned int size);
 
+int xt_check_proc_name(const char *name, unsigned int size);
+
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -423,6 +423,36 @@ textify_hooks(char *buf, size_t size, un
return buf;
 }
 
+/**
+ * xt_check_proc_name - check that name is suitable for /proc file creation
+ *
+ * @name: file name candidate
+ * @size: length of buffer
+ *
+ * some x_tables modules wish to create a file in /proc.
+ * This function makes sure that the name is suitable for this
+ * purpose, it checks that name is NUL terminated and isn't a 'special'
+ * name, like "..".
+ *
+ * returns negative number on error or 0 if name is useable.
+ */
+int xt_check_proc_name(const char *name, unsigned int size)
+{
+   if (name[0] == '\0')
+   return -EINVAL;
+
+   if (strnlen(name, size) == size)
+   return -ENAMETOOLONG;
+
+   if (strcmp(name, ".") == 0 ||
+   strcmp(name, "..") == 0 ||
+   strchr(name, '/'))
+   return -EINVAL;
+
+   return 0;
+}
+EXPORT_SYMBOL(xt_check_proc_name);
+
 int xt_check_match(struct xt_mtchk_param *par,
   unsigned int size, u_int8_t proto, bool inv_proto)
 {
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -915,8 +915,9 @@ static int hashlimit_mt_check_v1(const s
struct hashlimit_cfg3 cfg = {};
int ret;
 
-   if (info->name[sizeof(info->name) - 1] != '\0')
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
ret = cfg_copy(, (void *)>cfg, 1);
 
@@ -933,8 +934,9 @@ static int hashlimit_mt_check_v2(const s
struct hashlimit_cfg3 cfg = {};
int ret;
 
-   if (info->name[sizeof(info->name) - 1] != '\0')
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
ret = cfg_copy(, (void *)>cfg, 2);
 
@@ -948,9 +950,11 @@ static int hashlimit_mt_check_v2(const s
 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
 {
struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
+   int ret;
 
-   if (info->name[sizeof(info->name) - 1] != '\0')
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
return hashlimit_mt_check_common(par, >hinfo, >cfg,
 info->name, 3);
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -361,9 +361,9 @@ static int recent_mt_check(const struct
info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
return -EINVAL;
}
-   if (info->name[0] == '\0' ||
-   strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;

[PATCH 4.15 36/72] netfilter: x_tables: add and use xt_check_proc_name

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit b1d0a5d0cba4597c0394997b2d5fced3e3841b4e upstream.

recent and hashlimit both create /proc files, but only check that
name is 0 terminated.

This can trigger WARN() from procfs when name is "" or "/".
Add helper for this and then use it for both.

Cc: Eric Dumazet 
Reported-by: Eric Dumazet 
Reported-by: 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/netfilter/x_tables.h |2 ++
 net/netfilter/x_tables.c   |   30 ++
 net/netfilter/xt_hashlimit.c   |   16 ++--
 net/netfilter/xt_recent.c  |6 +++---
 4 files changed, 45 insertions(+), 9 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -285,6 +285,8 @@ unsigned int *xt_alloc_entry_offsets(uns
 bool xt_find_jump_offset(const unsigned int *offsets,
 unsigned int target, unsigned int size);
 
+int xt_check_proc_name(const char *name, unsigned int size);
+
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -423,6 +423,36 @@ textify_hooks(char *buf, size_t size, un
return buf;
 }
 
+/**
+ * xt_check_proc_name - check that name is suitable for /proc file creation
+ *
+ * @name: file name candidate
+ * @size: length of buffer
+ *
+ * some x_tables modules wish to create a file in /proc.
+ * This function makes sure that the name is suitable for this
+ * purpose, it checks that name is NUL terminated and isn't a 'special'
+ * name, like "..".
+ *
+ * returns negative number on error or 0 if name is useable.
+ */
+int xt_check_proc_name(const char *name, unsigned int size)
+{
+   if (name[0] == '\0')
+   return -EINVAL;
+
+   if (strnlen(name, size) == size)
+   return -ENAMETOOLONG;
+
+   if (strcmp(name, ".") == 0 ||
+   strcmp(name, "..") == 0 ||
+   strchr(name, '/'))
+   return -EINVAL;
+
+   return 0;
+}
+EXPORT_SYMBOL(xt_check_proc_name);
+
 int xt_check_match(struct xt_mtchk_param *par,
   unsigned int size, u_int8_t proto, bool inv_proto)
 {
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -915,8 +915,9 @@ static int hashlimit_mt_check_v1(const s
struct hashlimit_cfg3 cfg = {};
int ret;
 
-   if (info->name[sizeof(info->name) - 1] != '\0')
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
ret = cfg_copy(, (void *)>cfg, 1);
 
@@ -933,8 +934,9 @@ static int hashlimit_mt_check_v2(const s
struct hashlimit_cfg3 cfg = {};
int ret;
 
-   if (info->name[sizeof(info->name) - 1] != '\0')
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
ret = cfg_copy(, (void *)>cfg, 2);
 
@@ -948,9 +950,11 @@ static int hashlimit_mt_check_v2(const s
 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
 {
struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
+   int ret;
 
-   if (info->name[sizeof(info->name) - 1] != '\0')
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
return hashlimit_mt_check_common(par, >hinfo, >cfg,
 info->name, 3);
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -361,9 +361,9 @@ static int recent_mt_check(const struct
info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
return -EINVAL;
}
-   if (info->name[0] == '\0' ||
-   strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
-   return -EINVAL;
+   ret = xt_check_proc_name(info->name, sizeof(info->name));
+   if (ret)
+   return ret;
 
if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;

Re: [PATCH v6 3/9] pinctrl: actions: Add Actions S900 pinctrl driver

[Andy Shevchenko]

On Tue, Apr 3, 2018 at 8:00 PM, Manivannan Sadhasivam
 wrote:

>> > +static const struct pinconf_ops owl_pinconf_ops = {
>> > +   .is_generic = true,
>> > +   .pin_config_get = owl_pin_config_get,
>> > +   .pin_config_set = owl_pin_config_set,
>> > +   .pin_config_group_get = owl_group_config_get,
>> > +   .pin_config_group_set = owl_group_config_set
>>
>> It's still good idea to leave comma here...

> I'm confused. What is the criteria for removing/keeping comma for last member
> of struct? I followed your gpio driver suggestion.

Just a common sense and experience are talking here: from time to time
some structures are being expanded and in some cases it requires to
update users. The comma just reduces a possible burden on this
expansion.
This is common pattern used in kernel.

>> > +};
>> > +
>> > +static struct pinctrl_desc owl_pinctrl_desc = {
>> > +   .pctlops = _pinctrl_ops,
>> > +   .pmxops = _pinmux_ops,
>> > +   .confops = _pinconf_ops,
>> > +   .owner = THIS_MODULE
>>
>> ...and here, and in all similar places.
>>
>> > +};

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH v6 3/9] pinctrl: actions: Add Actions S900 pinctrl driver

[Andy Shevchenko]

On Tue, Apr 3, 2018 at 8:00 PM, Manivannan Sadhasivam
 wrote:

>> > +static const struct pinconf_ops owl_pinconf_ops = {
>> > +   .is_generic = true,
>> > +   .pin_config_get = owl_pin_config_get,
>> > +   .pin_config_set = owl_pin_config_set,
>> > +   .pin_config_group_get = owl_group_config_get,
>> > +   .pin_config_group_set = owl_group_config_set
>>
>> It's still good idea to leave comma here...

> I'm confused. What is the criteria for removing/keeping comma for last member
> of struct? I followed your gpio driver suggestion.

Just a common sense and experience are talking here: from time to time
some structures are being expanded and in some cases it requires to
update users. The comma just reduces a possible burden on this
expansion.
This is common pattern used in kernel.

>> > +};
>> > +
>> > +static struct pinctrl_desc owl_pinctrl_desc = {
>> > +   .pctlops = _pinctrl_ops,
>> > +   .pmxops = _pinmux_ops,
>> > +   .confops = _pinconf_ops,
>> > +   .owner = THIS_MODULE
>>
>> ...and here, and in all similar places.
>>
>> > +};

-- 
With Best Regards,
Andy Shevchenko

[PATCH 4.15 42/72] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Clemens Werther 

commit 6555ad13a01952c16485c82a52ad1f3e07e34b3a upstream.

Add device id for Harman FirmwareHubEmulator to make the device
auto-detectable by the driver.

Signed-off-by: Clemens Werther 
Cc: stable 
Signed-off-by: Johan Hovold 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/serial/ftdi_sio.c |1 +
 drivers/usb/serial/ftdi_sio_ids.h |6 ++
 2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -932,6 +932,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
+   { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
{ USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
.driver_info = (kernel_ulong_t)_jtag_quirk },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1445,6 +1445,12 @@
 #define FTDI_CINTERION_MC55I_PID   0xA951
 
 /*
+ * Product: FirmwareHubEmulator
+ * Manufacturer: Harman Becker Automotive Systems
+ */
+#define FTDI_FHE_PID   0xA9A0
+
+/*
  * Product: Comet Caller ID decoder
  * Manufacturer: Crucible Technologies
  */

[PATCH 4.15 42/72] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Clemens Werther 

commit 6555ad13a01952c16485c82a52ad1f3e07e34b3a upstream.

Add device id for Harman FirmwareHubEmulator to make the device
auto-detectable by the driver.

Signed-off-by: Clemens Werther 
Cc: stable 
Signed-off-by: Johan Hovold 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/serial/ftdi_sio.c |1 +
 drivers/usb/serial/ftdi_sio_ids.h |6 ++
 2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -932,6 +932,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
+   { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
{ USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
.driver_info = (kernel_ulong_t)_jtag_quirk },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1445,6 +1445,12 @@
 #define FTDI_CINTERION_MC55I_PID   0xA951
 
 /*
+ * Product: FirmwareHubEmulator
+ * Manufacturer: Harman Becker Automotive Systems
+ */
+#define FTDI_FHE_PID   0xA9A0
+
+/*
  * Product: Comet Caller ID decoder
  * Manufacturer: Crucible Technologies
  */

[PATCH 4.15 18/72] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Nicholas Piggin 

commit 52396500f97c53860164debc7d4f759077853423 upstream.

The SLB bad address handler's trap number fixup does not preserve the
low bit that indicates nonvolatile GPRs have not been saved. This
leads save_nvgprs to skip saving them, and subsequent functions and
return from interrupt will think they are saved.

This causes kernel branch-to-garbage debugging to not have correct
registers, can also cause userspace to have its registers clobbered
after a segfault.

Fixes: f0f558b131db ("powerpc/mm: Preserve CFAR value on SLB miss caused by 
access to bogus address")
Cc: sta...@vger.kernel.org # v4.9+
Signed-off-by: Nicholas Piggin 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/exceptions-64s.S |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -706,7 +706,7 @@ EXC_COMMON_BEGIN(bad_addr_slb)
ld  r3, PACA_EXSLB+EX_DAR(r13)
std r3, _DAR(r1)
beq cr6, 2f
-   li  r10, 0x480  /* fix trap number for I-SLB miss */
+   li  r10, 0x481  /* fix trap number for I-SLB miss */
std r10, _TRAP(r1)
 2: bl  save_nvgprs
addir3, r1, STACK_FRAME_OVERHEAD

[PATCH 4.15 18/72] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Nicholas Piggin 

commit 52396500f97c53860164debc7d4f759077853423 upstream.

The SLB bad address handler's trap number fixup does not preserve the
low bit that indicates nonvolatile GPRs have not been saved. This
leads save_nvgprs to skip saving them, and subsequent functions and
return from interrupt will think they are saved.

This causes kernel branch-to-garbage debugging to not have correct
registers, can also cause userspace to have its registers clobbered
after a segfault.

Fixes: f0f558b131db ("powerpc/mm: Preserve CFAR value on SLB miss caused by 
access to bogus address")
Cc: sta...@vger.kernel.org # v4.9+
Signed-off-by: Nicholas Piggin 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/exceptions-64s.S |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -706,7 +706,7 @@ EXC_COMMON_BEGIN(bad_addr_slb)
ld  r3, PACA_EXSLB+EX_DAR(r13)
std r3, _DAR(r1)
beq cr6, 2f
-   li  r10, 0x480  /* fix trap number for I-SLB miss */
+   li  r10, 0x481  /* fix trap number for I-SLB miss */
std r10, _TRAP(r1)
 2: bl  save_nvgprs
addir3, r1, STACK_FRAME_OVERHEAD

[PATCH 4.15 44/72] serial: 8250: Add Nuvoton NPCM UART

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Joel Stanley 

commit f597fbce38d230af95384f4a04e0a13a1d0ad45d upstream.

The Nuvoton UART is almost compatible with the 8250 driver when probed
via the 8250_of driver, however it requires some extra configuration
at startup.

Reviewed-by: Rob Herring 
Signed-off-by: Joel Stanley 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 Documentation/devicetree/bindings/serial/8250.txt |1 
 drivers/tty/serial/8250/8250_of.c |1 
 drivers/tty/serial/8250/8250_port.c   |   33 ++
 include/uapi/linux/serial_core.h  |3 ++
 4 files changed, 38 insertions(+)

--- a/Documentation/devicetree/bindings/serial/8250.txt
+++ b/Documentation/devicetree/bindings/serial/8250.txt
@@ -24,6 +24,7 @@ Required properties:
- "ti,da830-uart"
- "aspeed,ast2400-vuart"
- "aspeed,ast2500-vuart"
+   - "nuvoton,npcm750-uart"
- "serial" if the port type is unknown.
 - reg : offset and length of the register set for the device.
 - interrupts : should contain uart interrupt.
--- a/drivers/tty/serial/8250/8250_of.c
+++ b/drivers/tty/serial/8250/8250_of.c
@@ -316,6 +316,7 @@ static const struct of_device_id of_plat
{ .compatible = "mrvl,mmp-uart",
.data = (void *)PORT_XSCALE, },
{ .compatible = "ti,da830-uart", .data = (void *)PORT_DA830, },
+   { .compatible = "nuvoton,npcm750-uart", .data = (void *)PORT_NPCM, },
{ /* end of list */ },
 };
 MODULE_DEVICE_TABLE(of, of_platform_serial_table);
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -47,6 +47,10 @@
 #define UART_EXAR_SLEEP0x8b/* Sleep mode */
 #define UART_EXAR_DVID 0x8d/* Device identification */
 
+/* Nuvoton NPCM timeout register */
+#define UART_NPCM_TOR  7
+#define UART_NPCM_TOIE BIT(7)  /* Timeout Interrupt Enable */
+
 /*
  * Debugging.
  */
@@ -293,6 +297,15 @@ static const struct serial8250_config ua
  UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT,
.flags  = UART_CAP_FIFO,
},
+   [PORT_NPCM] = {
+   .name   = "Nuvoton 16550",
+   .fifo_size  = 16,
+   .tx_loadsz  = 16,
+   .fcr= UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10 |
+ UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT,
+   .rxtrig_bytes   = {1, 4, 8, 14},
+   .flags  = UART_CAP_FIFO,
+   },
 };
 
 /* Uart divisor latch read */
@@ -2161,6 +2174,15 @@ int serial8250_do_startup(struct uart_po
UART_DA830_PWREMU_MGMT_FREE);
}
 
+   if (port->type == PORT_NPCM) {
+   /*
+* Nuvoton calls the scratch register 'UART_TOR' (timeout
+* register). Enable it, and set TIOC (timeout interrupt
+* comparator) to be 0x20 for correct operation.
+*/
+   serial_port_out(port, UART_NPCM_TOR, UART_NPCM_TOIE | 0x20);
+   }
+
 #ifdef CONFIG_SERIAL_8250_RSA
/*
 * If this is an RSA port, see if we can kick it up to the
@@ -2483,6 +2505,15 @@ static unsigned int xr17v35x_get_divisor
return quot_16 >> 4;
 }
 
+/* Nuvoton NPCM UARTs have a custom divisor calculation */
+static unsigned int npcm_get_divisor(struct uart_8250_port *up,
+   unsigned int baud)
+{
+   struct uart_port *port = >port;
+
+   return DIV_ROUND_CLOSEST(port->uartclk, 16 * baud + 2) - 2;
+}
+
 static unsigned int serial8250_get_divisor(struct uart_8250_port *up,
   unsigned int baud,
   unsigned int *frac)
@@ -2503,6 +2534,8 @@ static unsigned int serial8250_get_divis
quot = 0x8002;
else if (up->port.type == PORT_XR17V35X)
quot = xr17v35x_get_divisor(up, baud, frac);
+   else if (up->port.type == PORT_NPCM)
+   quot = npcm_get_divisor(up, baud);
else
quot = uart_get_divisor(port, baud);
 
--- a/include/uapi/linux/serial_core.h
+++ b/include/uapi/linux/serial_core.h
@@ -76,6 +76,9 @@
 #define PORT_SUNZILOG  38
 #define PORT_SUNSAB39
 
+/* Nuvoton UART */
+#define PORT_NPCM  40
+
 /* Intel EG20 */
 #define PORT_PCH_8LINE 44
 #define PORT_PCH_2LINE 45

[PATCH 4.15 44/72] serial: 8250: Add Nuvoton NPCM UART

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Joel Stanley 

commit f597fbce38d230af95384f4a04e0a13a1d0ad45d upstream.

The Nuvoton UART is almost compatible with the 8250 driver when probed
via the 8250_of driver, however it requires some extra configuration
at startup.

Reviewed-by: Rob Herring 
Signed-off-by: Joel Stanley 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 Documentation/devicetree/bindings/serial/8250.txt |1 
 drivers/tty/serial/8250/8250_of.c |1 
 drivers/tty/serial/8250/8250_port.c   |   33 ++
 include/uapi/linux/serial_core.h  |3 ++
 4 files changed, 38 insertions(+)

--- a/Documentation/devicetree/bindings/serial/8250.txt
+++ b/Documentation/devicetree/bindings/serial/8250.txt
@@ -24,6 +24,7 @@ Required properties:
- "ti,da830-uart"
- "aspeed,ast2400-vuart"
- "aspeed,ast2500-vuart"
+   - "nuvoton,npcm750-uart"
- "serial" if the port type is unknown.
 - reg : offset and length of the register set for the device.
 - interrupts : should contain uart interrupt.
--- a/drivers/tty/serial/8250/8250_of.c
+++ b/drivers/tty/serial/8250/8250_of.c
@@ -316,6 +316,7 @@ static const struct of_device_id of_plat
{ .compatible = "mrvl,mmp-uart",
.data = (void *)PORT_XSCALE, },
{ .compatible = "ti,da830-uart", .data = (void *)PORT_DA830, },
+   { .compatible = "nuvoton,npcm750-uart", .data = (void *)PORT_NPCM, },
{ /* end of list */ },
 };
 MODULE_DEVICE_TABLE(of, of_platform_serial_table);
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -47,6 +47,10 @@
 #define UART_EXAR_SLEEP0x8b/* Sleep mode */
 #define UART_EXAR_DVID 0x8d/* Device identification */
 
+/* Nuvoton NPCM timeout register */
+#define UART_NPCM_TOR  7
+#define UART_NPCM_TOIE BIT(7)  /* Timeout Interrupt Enable */
+
 /*
  * Debugging.
  */
@@ -293,6 +297,15 @@ static const struct serial8250_config ua
  UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT,
.flags  = UART_CAP_FIFO,
},
+   [PORT_NPCM] = {
+   .name   = "Nuvoton 16550",
+   .fifo_size  = 16,
+   .tx_loadsz  = 16,
+   .fcr= UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10 |
+ UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT,
+   .rxtrig_bytes   = {1, 4, 8, 14},
+   .flags  = UART_CAP_FIFO,
+   },
 };
 
 /* Uart divisor latch read */
@@ -2161,6 +2174,15 @@ int serial8250_do_startup(struct uart_po
UART_DA830_PWREMU_MGMT_FREE);
}
 
+   if (port->type == PORT_NPCM) {
+   /*
+* Nuvoton calls the scratch register 'UART_TOR' (timeout
+* register). Enable it, and set TIOC (timeout interrupt
+* comparator) to be 0x20 for correct operation.
+*/
+   serial_port_out(port, UART_NPCM_TOR, UART_NPCM_TOIE | 0x20);
+   }
+
 #ifdef CONFIG_SERIAL_8250_RSA
/*
 * If this is an RSA port, see if we can kick it up to the
@@ -2483,6 +2505,15 @@ static unsigned int xr17v35x_get_divisor
return quot_16 >> 4;
 }
 
+/* Nuvoton NPCM UARTs have a custom divisor calculation */
+static unsigned int npcm_get_divisor(struct uart_8250_port *up,
+   unsigned int baud)
+{
+   struct uart_port *port = >port;
+
+   return DIV_ROUND_CLOSEST(port->uartclk, 16 * baud + 2) - 2;
+}
+
 static unsigned int serial8250_get_divisor(struct uart_8250_port *up,
   unsigned int baud,
   unsigned int *frac)
@@ -2503,6 +2534,8 @@ static unsigned int serial8250_get_divis
quot = 0x8002;
else if (up->port.type == PORT_XR17V35X)
quot = xr17v35x_get_divisor(up, baud, frac);
+   else if (up->port.type == PORT_NPCM)
+   quot = npcm_get_divisor(up, baud);
else
quot = uart_get_divisor(port, baud);
 
--- a/include/uapi/linux/serial_core.h
+++ b/include/uapi/linux/serial_core.h
@@ -76,6 +76,9 @@
 #define PORT_SUNZILOG  38
 #define PORT_SUNSAB39
 
+/* Nuvoton UART */
+#define PORT_NPCM  40
+
 /* Intel EG20 */
 #define PORT_PCH_8LINE 44
 #define PORT_PCH_2LINE 45

[PATCH 4.15 45/72] mei: remove dev_err message on an unsupported ioctl

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit bb0829a741792b56c908d7745bc0b2b540293bcc upstream.

Currently the driver spams the kernel log on unsupported ioctls which is
unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway.
I suspect this was originally for debugging purposes but it really is not
required so remove it.

Signed-off-by: Colin Ian King 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/misc/mei/main.c |1 -
 1 file changed, 1 deletion(-)

--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -507,7 +507,6 @@ static long mei_ioctl(struct file *file,
break;
 
default:
-   dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd);
rets = -ENOIOCTLCMD;
}
 

[PATCH 4.15 45/72] mei: remove dev_err message on an unsupported ioctl

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit bb0829a741792b56c908d7745bc0b2b540293bcc upstream.

Currently the driver spams the kernel log on unsupported ioctls which is
unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway.
I suspect this was originally for debugging purposes but it really is not
required so remove it.

Signed-off-by: Colin Ian King 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/misc/mei/main.c |1 -
 1 file changed, 1 deletion(-)

--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -507,7 +507,6 @@ static long mei_ioctl(struct file *file,
break;
 
default:
-   dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd);
rets = -ENOIOCTLCMD;
}
 

[PATCH 4.15 47/72] media: usbtv: prevent double free in error case

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Oliver Neukum 

commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2 upstream.

Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

usbtv_video_free(usbtv); =>

   v4l2_device_put(>v4l2_dev);

  => v4l2_device_put

  => kref_put

  => v4l2_device_release

  => usbtv_release (CALLBACK)

 => kfree(usbtv) (1st time)

usbtv_video_fail:

usb_set_intfdata(intf, NULL);

usb_put_dev(usbtv->udev);

kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba 
Signed-off-by: Oliver Neukum 
CC: sta...@vger.kernel.org
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/usbtv/usbtv-core.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interf
return 0;
 
 usbtv_audio_fail:
+   /* we must not free at this point */
+   usb_get_dev(usbtv->udev);
usbtv_video_free(usbtv);
 
 usbtv_video_fail:

[PATCH 4.15 47/72] media: usbtv: prevent double free in error case

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Oliver Neukum 

commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2 upstream.

Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

usbtv_video_free(usbtv); =>

   v4l2_device_put(>v4l2_dev);

  => v4l2_device_put

  => kref_put

  => v4l2_device_release

  => usbtv_release (CALLBACK)

 => kfree(usbtv) (1st time)

usbtv_video_fail:

usb_set_intfdata(intf, NULL);

usb_put_dev(usbtv->udev);

kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba 
Signed-off-by: Oliver Neukum 
CC: sta...@vger.kernel.org
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/usbtv/usbtv-core.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interf
return 0;
 
 usbtv_audio_fail:
+   /* we must not free at this point */
+   usb_get_dev(usbtv->udev);
usbtv_video_free(usbtv);
 
 usbtv_video_fail:

[PATCH 4.15 49/72] crypto: lrw - Free rctx->ext with kzfree

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 8c9bdab21289c211ca1ca6a5f9b7537b4a600a02 upstream.

The buffer rctx->ext contains potentially sensitive data and should
be freed with kzfree.

Cc: 
Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
Reported-by: Dan Carpenter 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 crypto/lrw.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -313,7 +313,7 @@ static void exit_crypt(struct skcipher_r
rctx->left = 0;
 
if (rctx->ext)
-   kfree(rctx->ext);
+   kzfree(rctx->ext);
 }
 
 static int do_encrypt(struct skcipher_request *req, int err)

[PATCH 4.15 49/72] crypto: lrw - Free rctx->ext with kzfree

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 8c9bdab21289c211ca1ca6a5f9b7537b4a600a02 upstream.

The buffer rctx->ext contains potentially sensitive data and should
be freed with kzfree.

Cc: 
Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
Reported-by: Dan Carpenter 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 crypto/lrw.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -313,7 +313,7 @@ static void exit_crypt(struct skcipher_r
rctx->left = 0;
 
if (rctx->ext)
-   kfree(rctx->ext);
+   kzfree(rctx->ext);
 }
 
 static int do_encrypt(struct skcipher_request *req, int err)

[PATCH 4.15 21/72] RDMA/ucma: Check AF family prior resolving address

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Leon Romanovsky 

commit 2975d5de6428ff6d9317e9948f0968f7d42e5d74 upstream.

Garbage supplied by user will cause to UCMA module provide zero
memory size for memcpy(), because it wasn't checked, it will
produce unpredictable results in rdma_resolve_addr().

[   42.873814] BUG: KASAN: null-ptr-deref in rdma_resolve_addr+0xc8/0xfb0
[   42.874816] Write of size 28 at addr 00a0 by task resaddr/1044
[   42.876765]
[   42.876960] CPU: 1 PID: 1044 Comm: resaddr Not tainted 
4.16.0-rc1-00057-gaa56a5293d7e #34
[   42.877840] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   42.879691] Call Trace:
[   42.880236]  dump_stack+0x5c/0x77
[   42.880664]  kasan_report+0x163/0x380
[   42.881354]  ? rdma_resolve_addr+0xc8/0xfb0
[   42.881864]  memcpy+0x34/0x50
[   42.882692]  rdma_resolve_addr+0xc8/0xfb0
[   42.883366]  ? deref_stack_reg+0x88/0xd0
[   42.883856]  ? vsnprintf+0x31a/0x770
[   42.884686]  ? rdma_bind_addr+0xc40/0xc40
[   42.885327]  ? num_to_str+0x130/0x130
[   42.885773]  ? deref_stack_reg+0x88/0xd0
[   42.886217]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[   42.887698]  ? unwind_get_return_address_ptr+0x50/0x50
[   42.888302]  ? replace_slot+0x147/0x170
[   42.889176]  ? delete_node+0x12c/0x340
[   42.890223]  ? __radix_tree_lookup+0xa9/0x160
[   42.891196]  ? ucma_resolve_ip+0xb7/0x110
[   42.891917]  ucma_resolve_ip+0xb7/0x110
[   42.893003]  ? ucma_resolve_addr+0x190/0x190
[   42.893531]  ? _copy_from_user+0x5e/0x90
[   42.894204]  ucma_write+0x174/0x1f0
[   42.895162]  ? ucma_resolve_route+0xf0/0xf0
[   42.896309]  ? dequeue_task_fair+0x67e/0xd90
[   42.897192]  ? put_prev_entity+0x7d/0x170
[   42.897870]  ? ring_buffer_record_is_on+0xd/0x20
[   42.898439]  ? tracing_record_taskinfo_skip+0x20/0x50
[   42.899686]  __vfs_write+0xc4/0x350
[   42.900142]  ? kernel_read+0xa0/0xa0
[   42.900602]  ? firmware_map_remove+0xdf/0xdf
[   42.901135]  ? do_task_dead+0x5d/0x60
[   42.901598]  ? do_exit+0xcc6/0x1220
[   42.902789]  ? __fget+0xa8/0xf0
[   42.903190]  vfs_write+0xf7/0x280
[   42.903600]  SyS_write+0xa1/0x120
[   42.904206]  ? SyS_read+0x120/0x120
[   42.905710]  ? compat_start_thread+0x60/0x60
[   42.906423]  ? SyS_read+0x120/0x120
[   42.908716]  do_syscall_64+0xeb/0x250
[   42.910760]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   42.912735] RIP: 0033:0x7f138b0afe99
[   42.914734] RSP: 002b:7f138b799e98 EFLAGS: 0287 ORIG_RAX: 
0001
[   42.917134] RAX: ffda RBX:  RCX: 7f138b0afe99
[   42.919487] RDX: 002e RSI: 2c40 RDI: 0004
[   42.922393] RBP: 7f138b799ec0 R08: 7f138b79a700 R09: 
[   42.925266] R10: 7f138b79a700 R11: 0287 R12: 7f138b799fc0
[   42.927570] R13:  R14: 7ffdbae757c0 R15: 7f138b79a9c0
[   42.930047]
[   42.932681] Disabling lock debugging due to kernel taint
[   42.934795] BUG: unable to handle kernel NULL pointer dereference at 
00a0
[   42.936939] IP: memcpy_erms+0x6/0x10
[   42.938864] PGD 8001bea92067 P4D 8001bea92067 PUD 1bea96067 PMD 0
[   42.941576] Oops: 0002 [#1] SMP KASAN PTI
[   42.943952] CPU: 1 PID: 1044 Comm: resaddr Tainted: GB 
4.16.0-rc1-00057-gaa56a5293d7e #34
[   42.946964] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   42.952336] RIP: 0010:memcpy_erms+0x6/0x10
[   42.954707] RSP: 0018:8801c8b479c8 EFLAGS: 00010286
[   42.957227] RAX: 00a0 RBX: 8801c8b47ba0 RCX: 001c
[   42.960543] RDX: 001c RSI: 8801c8b47bbc RDI: 00a0
[   42.963867] RBP: 8801c8b47b60 R08:  R09: ed0039168ed1
[   42.967303] R10: 0001 R11: ed0039168ed0 R12: 8801c8b47bbc
[   42.970685] R13: 00a0 R14: 110039168f4a R15: 
[   42.973631] FS:  7f138b79a700() GS:8801e5d0() 
knlGS:
[   42.976831] CS:  0010 DS:  ES:  CR0: 80050033
[   42.979239] CR2: 00a0 CR3: 0001be908002 CR4: 003606a0
[   42.982060] DR0:  DR1:  DR2: 
[   42.984877] DR3:  DR6: fffe0ff0 DR7: 0400
[   42.988033] Call Trace:
[   42.990487]  rdma_resolve_addr+0xc8/0xfb0
[   42.993202]  ? deref_stack_reg+0x88/0xd0
[   42.996055]  ? vsnprintf+0x31a/0x770
[   42.998707]  ? rdma_bind_addr+0xc40/0xc40
[   43.000985]  ? num_to_str+0x130/0x130
[   43.003410]  ? deref_stack_reg+0x88/0xd0
[   43.006302]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[   43.008780]  ? unwind_get_return_address_ptr+0x50/0x50
[   43.011178]  ? replace_slot+0x147/0x170
[   43.013517]  ? delete_node+0x12c/0x340
[   

[PATCH 4.15 20/72] xfrm_user: uncoditionally validate esn replay attribute struct

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed, validation
only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
and just checks if the attribute itself is present.

So always validate.  Alternative is to reject if we have the attribute
without the flag but that would change abi.

Reported-by: syzbot+0ab777c27d2bb7588...@syzkaller.appspotmail.com
Cc: Mathias Krause 
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is 
valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay 
windows")
Signed-off-by: Florian Westphal 
Signed-off-by: Steffen Klassert 
Signed-off-by: Greg Kroah-Hartman 

---
 net/xfrm/xfrm_user.c |   21 -
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct x
struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
struct xfrm_replay_state_esn *rs;
 
-   if (p->flags & XFRM_STATE_ESN) {
-   if (!rt)
-   return -EINVAL;
-
-   rs = nla_data(rt);
+   if (!rt)
+   return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
 
-   if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
-   return -EINVAL;
+   rs = nla_data(rt);
 
-   if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
-   nla_len(rt) != sizeof(*rs))
-   return -EINVAL;
-   }
+   if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+   return -EINVAL;
 
-   if (!rt)
-   return 0;
+   if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
+   nla_len(rt) != sizeof(*rs))
+   return -EINVAL;
 
/* As only ESP and AH support ESN feature. */
if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))

[PATCH 4.15 21/72] RDMA/ucma: Check AF family prior resolving address

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Leon Romanovsky 

commit 2975d5de6428ff6d9317e9948f0968f7d42e5d74 upstream.

Garbage supplied by user will cause to UCMA module provide zero
memory size for memcpy(), because it wasn't checked, it will
produce unpredictable results in rdma_resolve_addr().

[   42.873814] BUG: KASAN: null-ptr-deref in rdma_resolve_addr+0xc8/0xfb0
[   42.874816] Write of size 28 at addr 00a0 by task resaddr/1044
[   42.876765]
[   42.876960] CPU: 1 PID: 1044 Comm: resaddr Not tainted 
4.16.0-rc1-00057-gaa56a5293d7e #34
[   42.877840] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   42.879691] Call Trace:
[   42.880236]  dump_stack+0x5c/0x77
[   42.880664]  kasan_report+0x163/0x380
[   42.881354]  ? rdma_resolve_addr+0xc8/0xfb0
[   42.881864]  memcpy+0x34/0x50
[   42.882692]  rdma_resolve_addr+0xc8/0xfb0
[   42.883366]  ? deref_stack_reg+0x88/0xd0
[   42.883856]  ? vsnprintf+0x31a/0x770
[   42.884686]  ? rdma_bind_addr+0xc40/0xc40
[   42.885327]  ? num_to_str+0x130/0x130
[   42.885773]  ? deref_stack_reg+0x88/0xd0
[   42.886217]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[   42.887698]  ? unwind_get_return_address_ptr+0x50/0x50
[   42.888302]  ? replace_slot+0x147/0x170
[   42.889176]  ? delete_node+0x12c/0x340
[   42.890223]  ? __radix_tree_lookup+0xa9/0x160
[   42.891196]  ? ucma_resolve_ip+0xb7/0x110
[   42.891917]  ucma_resolve_ip+0xb7/0x110
[   42.893003]  ? ucma_resolve_addr+0x190/0x190
[   42.893531]  ? _copy_from_user+0x5e/0x90
[   42.894204]  ucma_write+0x174/0x1f0
[   42.895162]  ? ucma_resolve_route+0xf0/0xf0
[   42.896309]  ? dequeue_task_fair+0x67e/0xd90
[   42.897192]  ? put_prev_entity+0x7d/0x170
[   42.897870]  ? ring_buffer_record_is_on+0xd/0x20
[   42.898439]  ? tracing_record_taskinfo_skip+0x20/0x50
[   42.899686]  __vfs_write+0xc4/0x350
[   42.900142]  ? kernel_read+0xa0/0xa0
[   42.900602]  ? firmware_map_remove+0xdf/0xdf
[   42.901135]  ? do_task_dead+0x5d/0x60
[   42.901598]  ? do_exit+0xcc6/0x1220
[   42.902789]  ? __fget+0xa8/0xf0
[   42.903190]  vfs_write+0xf7/0x280
[   42.903600]  SyS_write+0xa1/0x120
[   42.904206]  ? SyS_read+0x120/0x120
[   42.905710]  ? compat_start_thread+0x60/0x60
[   42.906423]  ? SyS_read+0x120/0x120
[   42.908716]  do_syscall_64+0xeb/0x250
[   42.910760]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   42.912735] RIP: 0033:0x7f138b0afe99
[   42.914734] RSP: 002b:7f138b799e98 EFLAGS: 0287 ORIG_RAX: 
0001
[   42.917134] RAX: ffda RBX:  RCX: 7f138b0afe99
[   42.919487] RDX: 002e RSI: 2c40 RDI: 0004
[   42.922393] RBP: 7f138b799ec0 R08: 7f138b79a700 R09: 
[   42.925266] R10: 7f138b79a700 R11: 0287 R12: 7f138b799fc0
[   42.927570] R13:  R14: 7ffdbae757c0 R15: 7f138b79a9c0
[   42.930047]
[   42.932681] Disabling lock debugging due to kernel taint
[   42.934795] BUG: unable to handle kernel NULL pointer dereference at 
00a0
[   42.936939] IP: memcpy_erms+0x6/0x10
[   42.938864] PGD 8001bea92067 P4D 8001bea92067 PUD 1bea96067 PMD 0
[   42.941576] Oops: 0002 [#1] SMP KASAN PTI
[   42.943952] CPU: 1 PID: 1044 Comm: resaddr Tainted: GB 
4.16.0-rc1-00057-gaa56a5293d7e #34
[   42.946964] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   42.952336] RIP: 0010:memcpy_erms+0x6/0x10
[   42.954707] RSP: 0018:8801c8b479c8 EFLAGS: 00010286
[   42.957227] RAX: 00a0 RBX: 8801c8b47ba0 RCX: 001c
[   42.960543] RDX: 001c RSI: 8801c8b47bbc RDI: 00a0
[   42.963867] RBP: 8801c8b47b60 R08:  R09: ed0039168ed1
[   42.967303] R10: 0001 R11: ed0039168ed0 R12: 8801c8b47bbc
[   42.970685] R13: 00a0 R14: 110039168f4a R15: 
[   42.973631] FS:  7f138b79a700() GS:8801e5d0() 
knlGS:
[   42.976831] CS:  0010 DS:  ES:  CR0: 80050033
[   42.979239] CR2: 00a0 CR3: 0001be908002 CR4: 003606a0
[   42.982060] DR0:  DR1:  DR2: 
[   42.984877] DR3:  DR6: fffe0ff0 DR7: 0400
[   42.988033] Call Trace:
[   42.990487]  rdma_resolve_addr+0xc8/0xfb0
[   42.993202]  ? deref_stack_reg+0x88/0xd0
[   42.996055]  ? vsnprintf+0x31a/0x770
[   42.998707]  ? rdma_bind_addr+0xc40/0xc40
[   43.000985]  ? num_to_str+0x130/0x130
[   43.003410]  ? deref_stack_reg+0x88/0xd0
[   43.006302]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[   43.008780]  ? unwind_get_return_address_ptr+0x50/0x50
[   43.011178]  ? replace_slot+0x147/0x170
[   43.013517]  ? delete_node+0x12c/0x340
[   43.016019]  ? 

[PATCH 4.15 20/72] xfrm_user: uncoditionally validate esn replay attribute struct

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed, validation
only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
and just checks if the attribute itself is present.

So always validate.  Alternative is to reject if we have the attribute
without the flag but that would change abi.

Reported-by: syzbot+0ab777c27d2bb7588...@syzkaller.appspotmail.com
Cc: Mathias Krause 
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is 
valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay 
windows")
Signed-off-by: Florian Westphal 
Signed-off-by: Steffen Klassert 
Signed-off-by: Greg Kroah-Hartman 

---
 net/xfrm/xfrm_user.c |   21 -
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct x
struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
struct xfrm_replay_state_esn *rs;
 
-   if (p->flags & XFRM_STATE_ESN) {
-   if (!rt)
-   return -EINVAL;
-
-   rs = nla_data(rt);
+   if (!rt)
+   return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
 
-   if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
-   return -EINVAL;
+   rs = nla_data(rt);
 
-   if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
-   nla_len(rt) != sizeof(*rs))
-   return -EINVAL;
-   }
+   if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+   return -EINVAL;
 
-   if (!rt)
-   return 0;
+   if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
+   nla_len(rt) != sizeof(*rs))
+   return -EINVAL;
 
/* As only ESP and AH support ESN feature. */
if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))

[PATCH 4.15 22/72] RDMA/ucma: Fix use-after-free access in ucma_close

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Leon Romanovsky 

commit ed65a4dc22083e73bac599ded6a262318cad7baf upstream.

The error in ucma_create_id() left ctx in the list of contexts belong
to ucma file descriptor. The attempt to close this file descriptor causes
to use-after-free accesses while iterating over such list.

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: 
Signed-off-by: Leon Romanovsky 
Reviewed-by: Sean Hefty 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/ucma.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -497,6 +497,9 @@ err1:
mutex_lock();
idr_remove(_idr, ctx->id);
mutex_unlock();
+   mutex_lock(>mut);
+   list_del(>list);
+   mutex_unlock(>mut);
kfree(ctx);
return ret;
 }

[PATCH 4.15 22/72] RDMA/ucma: Fix use-after-free access in ucma_close

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Leon Romanovsky 

commit ed65a4dc22083e73bac599ded6a262318cad7baf upstream.

The error in ucma_create_id() left ctx in the list of contexts belong
to ucma file descriptor. The attempt to close this file descriptor causes
to use-after-free accesses while iterating over such list.

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: 
Signed-off-by: Leon Romanovsky 
Reviewed-by: Sean Hefty 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/ucma.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -497,6 +497,9 @@ err1:
mutex_lock();
idr_remove(_idr, ctx->id);
mutex_unlock();
+   mutex_lock(>mut);
+   list_del(>list);
+   mutex_unlock(>mut);
kfree(ctx);
return ret;
 }

[PATCH 4.15 24/72] RDMA/rdma_cm: Fix use after free race with process_one_req

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Jason Gunthorpe 

commit 9137108cc3d64ade13e753108ec611a0daed16a0 upstream.

process_one_req() can race with rdma_addr_cancel():

   CPU0 CPU1
    
 process_one_work()
  debug_work_deactivate(work);
  process_one_req()
rdma_addr_cancel()
  mutex_lock();
   set_timeout(>work,..);
  __queue_work()
   debug_work_activate(work);
  mutex_unlock();

   mutex_lock();
[..]
list_del(>list);
   mutex_unlock();
[..]

   // ODEBUG explodes since the work is still queued.
   kfree(req);

Causing ODEBUG to detect the use after free:

ODEBUG: free active (active state 0) object type: work_struct hint: 
process_one_req+0x0/0x6c0 include/net/dst.h:165
WARNING: CPU: 0 PID: 79 at lib/debugobjects.c:291 
debug_print_object+0x166/0x220 lib/debugobjects.c:288
kvm: emulating exchange as write
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 79 Comm: kworker/u4:3 Not tainted 4.16.0-rc6+ #361
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: ib_addr process_one_req
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
RSP: :8801d966f210 EFLAGS: 00010086
RAX: dc08 RBX: 0003 RCX: 815acd6e
RDX:  RSI: 11003b2cddf2 RDI: 
RBP: 8801d966f250 R08:  R09: 11003b2cddc8
R10: ed003b2cde71 R11: 86f39a98 R12: 0001
R13: 86f15540 R14: 86408700 R15: 8147c0a0
 __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
 debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
 kfree+0xc7/0x260 mm/slab.c:3799
 process_one_req+0x2e7/0x6c0 drivers/infiniband/core/addr.c:592
 process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
 worker_thread+0x223/0x1990 kernel/workqueue.c:2247
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406

Fixes: 5fff41e1f89d ("IB/core: Fix race condition in resolving IP to MAC")
Reported-by: 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/addr.c |9 +
 1 file changed, 9 insertions(+)

--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -598,6 +598,15 @@ static void process_one_req(struct work_
list_del(>list);
mutex_unlock();
 
+   /*
+* Although the work will normally have been canceled by the
+* workqueue, it can still be requeued as long as it is on the
+* req_list, so it could have been requeued before we grabbed 
+* We need to cancel it after it is removed from req_list to really be
+* sure it is safe to free.
+*/
+   cancel_delayed_work(>work);
+
req->callback(req->status, (struct sockaddr *)>src_addr,
req->addr, req->context);
put_client(req->client);

[PATCH 4.15 24/72] RDMA/rdma_cm: Fix use after free race with process_one_req

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Jason Gunthorpe 

commit 9137108cc3d64ade13e753108ec611a0daed16a0 upstream.

process_one_req() can race with rdma_addr_cancel():

   CPU0 CPU1
    
 process_one_work()
  debug_work_deactivate(work);
  process_one_req()
rdma_addr_cancel()
  mutex_lock();
   set_timeout(>work,..);
  __queue_work()
   debug_work_activate(work);
  mutex_unlock();

   mutex_lock();
[..]
list_del(>list);
   mutex_unlock();
[..]

   // ODEBUG explodes since the work is still queued.
   kfree(req);

Causing ODEBUG to detect the use after free:

ODEBUG: free active (active state 0) object type: work_struct hint: 
process_one_req+0x0/0x6c0 include/net/dst.h:165
WARNING: CPU: 0 PID: 79 at lib/debugobjects.c:291 
debug_print_object+0x166/0x220 lib/debugobjects.c:288
kvm: emulating exchange as write
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 79 Comm: kworker/u4:3 Not tainted 4.16.0-rc6+ #361
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: ib_addr process_one_req
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
RSP: :8801d966f210 EFLAGS: 00010086
RAX: dc08 RBX: 0003 RCX: 815acd6e
RDX:  RSI: 11003b2cddf2 RDI: 
RBP: 8801d966f250 R08:  R09: 11003b2cddc8
R10: ed003b2cde71 R11: 86f39a98 R12: 0001
R13: 86f15540 R14: 86408700 R15: 8147c0a0
 __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
 debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
 kfree+0xc7/0x260 mm/slab.c:3799
 process_one_req+0x2e7/0x6c0 drivers/infiniband/core/addr.c:592
 process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
 worker_thread+0x223/0x1990 kernel/workqueue.c:2247
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406

Fixes: 5fff41e1f89d ("IB/core: Fix race condition in resolving IP to MAC")
Reported-by: 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/addr.c |9 +
 1 file changed, 9 insertions(+)

--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -598,6 +598,15 @@ static void process_one_req(struct work_
list_del(>list);
mutex_unlock();
 
+   /*
+* Although the work will normally have been canceled by the
+* workqueue, it can still be requeued as long as it is on the
+* req_list, so it could have been requeued before we grabbed 
+* We need to cancel it after it is removed from req_list to really be
+* sure it is safe to free.
+*/
+   cancel_delayed_work(>work);
+
req->callback(req->status, (struct sockaddr *)>src_addr,
req->addr, req->context);
put_client(req->client);

[PATCH 4.15 60/72] staging: comedi: ni_mio_common: ack ai fifo error interrupts.

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Frank Mori Hess 

commit e1d9fc04c41840a4688ef6ce90b6dcca157ea4d7 upstream.

Ack ai fifo error interrupts in interrupt handler to clear interrupt
after fifo overflow.  It should prevent lock-ups after the ai fifo
overflows.

Cc:  # v4.2+
Signed-off-by: Frank Mori Hess 
Signed-off-by: Ian Abbott 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/staging/comedi/drivers/ni_mio_common.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -1284,6 +1284,8 @@ static void ack_a_interrupt(struct comed
ack |= NISTC_INTA_ACK_AI_START;
if (a_status & NISTC_AI_STATUS1_STOP)
ack |= NISTC_INTA_ACK_AI_STOP;
+   if (a_status & NISTC_AI_STATUS1_OVER)
+   ack |= NISTC_INTA_ACK_AI_ERR;
if (ack)
ni_stc_writew(dev, ack, NISTC_INTA_ACK_REG);
 }

[PATCH 4.15 60/72] staging: comedi: ni_mio_common: ack ai fifo error interrupts.

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Frank Mori Hess 

commit e1d9fc04c41840a4688ef6ce90b6dcca157ea4d7 upstream.

Ack ai fifo error interrupts in interrupt handler to clear interrupt
after fifo overflow.  It should prevent lock-ups after the ai fifo
overflows.

Cc:  # v4.2+
Signed-off-by: Frank Mori Hess 
Signed-off-by: Ian Abbott 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/staging/comedi/drivers/ni_mio_common.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -1284,6 +1284,8 @@ static void ack_a_interrupt(struct comed
ack |= NISTC_INTA_ACK_AI_START;
if (a_status & NISTC_AI_STATUS1_STOP)
ack |= NISTC_INTA_ACK_AI_STOP;
+   if (a_status & NISTC_AI_STATUS1_OVER)
+   ack |= NISTC_INTA_ACK_AI_ERR;
if (ack)
ni_stc_writew(dev, ack, NISTC_INTA_ACK_REG);
 }

Re: [GIT PULL 1/3] ARM: SoC device tree updates for 4.17

[Arnd Bergmann]

On Fri, Apr 6, 2018 at 6:24 AM, Linus Torvalds
 wrote:
> On Thu, Apr 5, 2018 at 2:29 PM, Arnd Bergmann  wrote:
>>
>> One clear sign that the branch is indeed bigger than usual: the
>> shortlog+diffstat exceeds the 100KB limit for the linux-arm-kernel
>> mailing list.
>
> I think you replied to the wrong pull request, and meant to reply to
> the DT one..
>
> The platform updates one was not that big.

D'oh. If anyone still needs the original pull request message in the
mailing list archives, I've copied that again below.

  Arnd


The following changes since commit 661e50bc853209e41a5c14a290ca4decc43cbfd1:

  Linux 4.16-rc4 (2018-03-04 14:54:11 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc.git tags/armsoc-dt

for you to fetch changes up to 518d2f43c358da2072948f64df99b1bd417288dc:

  arm: dts: modify Nuvoton NPCM7xx device tree structure (2018-04-05
11:13:39 +0200)


ARM: SoC device tree updates for 4.17

This is the usual set of changes for device trees, with over 700
non-merged changesets. There is an ongoing set of dtc warning fixes and
the usual bugfixes, cleanups and added device support.

The most interesting bit as usual is support for new machines listed
below:

- The Allwinner H6 makes its debut with the Pine-H64 board, and we get
  two new machines based on its older siblings: the H5 based OrangePi
  Zero+ and the A64 based Teres-I Laptop from Olimex. On the 32-bit side,
  we add The Olimex som204 based on Allwinner A20, and the Banana Pi M2
  Zero development board (based on H2).

- NVIDIA adds support for Tegra194 aka "Xavier", plus their p2972
  development board and p2888 CPU module.

- The Nuvoton npcm750 is a BMC that was newly added, for now we only
  support running on the evaluation board.

- STmicroelectronics stm32 gains support for the stm32mp157c and two
  evaluation boards.

- The Toradex Colibri board family grows a few members based on the
  i.MX6ULL variant.

- The Advantec DMS-BA16 is a Qseven module using the NXP i.MX6
  family of chips.

- The Phytec phyBOARD Mira is a family of industrial boards based on
  i.MX6. For now, four models get added.

- TI am335x based PDU-001 is an industrial embedded machine used for
  traffic monitoring

- The Aspeed platform now supports running on the BMC on the Qualcomm
  Centriq 2400 server

- Samsung Exynos4 based Galaxy S3 is a family of mobile phones Qualcomm
  msm8974 based Galaxy S5 is a rather different phone made by the same
  company.

- The Xilinx Zynq and ZynqMP platforms now gained a lot of dts file
  for the various boards made by Xilinx themselves, as well as the
  Digilent Zybo Z7.

- The ARM Versatile family now supports the "IB2" interface board.

- The Renesas H2 based "Stout" and the H3 based Salvator-X are more
  evaluation boards named after a kind of beer, as most of them are.
  The r8a77980 (V3H) based "Condor" apparently doesn't follow that
  tradition. ;-)

- ROC-RK3328-CC is a simple developement board from the Libre Computer
  Project, based on the Rockchips RK3328 SoC

- Haiku is another development board plus Qseven module based on Rockchips
  RK3368 and made by Theobroma Systems.

Re: [GIT PULL 1/3] ARM: SoC device tree updates for 4.17

[Arnd Bergmann]

On Fri, Apr 6, 2018 at 6:24 AM, Linus Torvalds
 wrote:
> On Thu, Apr 5, 2018 at 2:29 PM, Arnd Bergmann  wrote:
>>
>> One clear sign that the branch is indeed bigger than usual: the
>> shortlog+diffstat exceeds the 100KB limit for the linux-arm-kernel
>> mailing list.
>
> I think you replied to the wrong pull request, and meant to reply to
> the DT one..
>
> The platform updates one was not that big.

D'oh. If anyone still needs the original pull request message in the
mailing list archives, I've copied that again below.

  Arnd


The following changes since commit 661e50bc853209e41a5c14a290ca4decc43cbfd1:

  Linux 4.16-rc4 (2018-03-04 14:54:11 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc.git tags/armsoc-dt

for you to fetch changes up to 518d2f43c358da2072948f64df99b1bd417288dc:

  arm: dts: modify Nuvoton NPCM7xx device tree structure (2018-04-05
11:13:39 +0200)


ARM: SoC device tree updates for 4.17

This is the usual set of changes for device trees, with over 700
non-merged changesets. There is an ongoing set of dtc warning fixes and
the usual bugfixes, cleanups and added device support.

The most interesting bit as usual is support for new machines listed
below:

- The Allwinner H6 makes its debut with the Pine-H64 board, and we get
  two new machines based on its older siblings: the H5 based OrangePi
  Zero+ and the A64 based Teres-I Laptop from Olimex. On the 32-bit side,
  we add The Olimex som204 based on Allwinner A20, and the Banana Pi M2
  Zero development board (based on H2).

- NVIDIA adds support for Tegra194 aka "Xavier", plus their p2972
  development board and p2888 CPU module.

- The Nuvoton npcm750 is a BMC that was newly added, for now we only
  support running on the evaluation board.

- STmicroelectronics stm32 gains support for the stm32mp157c and two
  evaluation boards.

- The Toradex Colibri board family grows a few members based on the
  i.MX6ULL variant.

- The Advantec DMS-BA16 is a Qseven module using the NXP i.MX6
  family of chips.

- The Phytec phyBOARD Mira is a family of industrial boards based on
  i.MX6. For now, four models get added.

- TI am335x based PDU-001 is an industrial embedded machine used for
  traffic monitoring

- The Aspeed platform now supports running on the BMC on the Qualcomm
  Centriq 2400 server

- Samsung Exynos4 based Galaxy S3 is a family of mobile phones Qualcomm
  msm8974 based Galaxy S5 is a rather different phone made by the same
  company.

- The Xilinx Zynq and ZynqMP platforms now gained a lot of dts file
  for the various boards made by Xilinx themselves, as well as the
  Digilent Zybo Z7.

- The ARM Versatile family now supports the "IB2" interface board.

- The Renesas H2 based "Stout" and the H3 based Salvator-X are more
  evaluation boards named after a kind of beer, as most of them are.
  The r8a77980 (V3H) based "Condor" apparently doesn't follow that
  tradition. ;-)

- ROC-RK3328-CC is a simple developement board from the Libre Computer
  Project, based on the Rockchips RK3328 SoC

- Haiku is another development board plus Qseven module based on Rockchips
  RK3368 and made by Theobroma Systems.

[PATCH 4.15 61/72] Revert "base: arch_topology: fix section mismatch build warnings"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Gaku Inami 

commit 9de9a449482677a75f1edd2049268a7efc40fc96 upstream.

This reverts commit 452562abb5b7 ("base: arch_topology: fix section
mismatch build warnings"). It causes the notifier call hangs in some
use-cases.

In some cases with using maxcpus, some of cpus are booted first and
then the remaining cpus are booted. As an example, some users who want
to realize fast boot up often use the following procedure.

  1) Define all CPUs on device tree (CA57x4 + CA53x4)
  2) Add "maxcpus=4" in bootargs
  3) Kernel boot up with CA57x4
  4) After kernel boot up, CA53x4 is booted from user

When kernel init was finished, CPUFREQ_POLICY_NOTIFIER was not still
unregisterd. This means that "__init init_cpu_capacity_callback()"
will be called after kernel init sequence. To avoid this problem,
it needs to remove __init{,data} annotations by reverting this commit.

Also, this commit was needed to fix kernel compile issue below.
However, this issue was also fixed by another patch: commit 82d8ba717ccb
("arch_topology: Fix section miss match warning due to
free_raw_capacity()") in v4.15 as well.
Whereas commit 452562abb5b7 added all the missing __init annotations,
commit 82d8ba717ccb removed it from free_raw_capacity().

WARNING: vmlinux.o(.text+0x548f24): Section mismatch in reference
from the function init_cpu_capacity_callback() to the variable
.init.text:$x
The function init_cpu_capacity_callback() references
the variable __init $x.
This is often because init_cpu_capacity_callback lacks a __init
annotation or the annotation of $x is wrong.

Fixes: 82d8ba717ccb ("arch_topology: Fix section miss match warning due to 
free_raw_capacity()")
Cc: stable 
Signed-off-by: Gaku Inami 
Reviewed-by: Dietmar Eggemann 
Tested-by: Dietmar Eggemann 
Acked-by: Sudeep Holla 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/base/arch_topology.c |   12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/base/arch_topology.c
+++ b/drivers/base/arch_topology.c
@@ -175,11 +175,11 @@ bool __init topology_parse_cpu_capacity(
 }
 
 #ifdef CONFIG_CPU_FREQ
-static cpumask_var_t cpus_to_visit __initdata;
-static void __init parsing_done_workfn(struct work_struct *work);
-static __initdata DECLARE_WORK(parsing_done_work, parsing_done_workfn);
+static cpumask_var_t cpus_to_visit;
+static void parsing_done_workfn(struct work_struct *work);
+static DECLARE_WORK(parsing_done_work, parsing_done_workfn);
 
-static int __init
+static int
 init_cpu_capacity_callback(struct notifier_block *nb,
   unsigned long val,
   void *data)
@@ -215,7 +215,7 @@ init_cpu_capacity_callback(struct notifi
return 0;
 }
 
-static struct notifier_block init_cpu_capacity_notifier __initdata = {
+static struct notifier_block init_cpu_capacity_notifier = {
.notifier_call = init_cpu_capacity_callback,
 };
 
@@ -248,7 +248,7 @@ static int __init register_cpufreq_notif
 }
 core_initcall(register_cpufreq_notifier);
 
-static void __init parsing_done_workfn(struct work_struct *work)
+static void parsing_done_workfn(struct work_struct *work)
 {
cpufreq_unregister_notifier(_cpu_capacity_notifier,
 CPUFREQ_POLICY_NOTIFIER);

[PATCH 4.15 61/72] Revert "base: arch_topology: fix section mismatch build warnings"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Gaku Inami 

commit 9de9a449482677a75f1edd2049268a7efc40fc96 upstream.

This reverts commit 452562abb5b7 ("base: arch_topology: fix section
mismatch build warnings"). It causes the notifier call hangs in some
use-cases.

In some cases with using maxcpus, some of cpus are booted first and
then the remaining cpus are booted. As an example, some users who want
to realize fast boot up often use the following procedure.

  1) Define all CPUs on device tree (CA57x4 + CA53x4)
  2) Add "maxcpus=4" in bootargs
  3) Kernel boot up with CA57x4
  4) After kernel boot up, CA53x4 is booted from user

When kernel init was finished, CPUFREQ_POLICY_NOTIFIER was not still
unregisterd. This means that "__init init_cpu_capacity_callback()"
will be called after kernel init sequence. To avoid this problem,
it needs to remove __init{,data} annotations by reverting this commit.

Also, this commit was needed to fix kernel compile issue below.
However, this issue was also fixed by another patch: commit 82d8ba717ccb
("arch_topology: Fix section miss match warning due to
free_raw_capacity()") in v4.15 as well.
Whereas commit 452562abb5b7 added all the missing __init annotations,
commit 82d8ba717ccb removed it from free_raw_capacity().

WARNING: vmlinux.o(.text+0x548f24): Section mismatch in reference
from the function init_cpu_capacity_callback() to the variable
.init.text:$x
The function init_cpu_capacity_callback() references
the variable __init $x.
This is often because init_cpu_capacity_callback lacks a __init
annotation or the annotation of $x is wrong.

Fixes: 82d8ba717ccb ("arch_topology: Fix section miss match warning due to 
free_raw_capacity()")
Cc: stable 
Signed-off-by: Gaku Inami 
Reviewed-by: Dietmar Eggemann 
Tested-by: Dietmar Eggemann 
Acked-by: Sudeep Holla 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/base/arch_topology.c |   12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/base/arch_topology.c
+++ b/drivers/base/arch_topology.c
@@ -175,11 +175,11 @@ bool __init topology_parse_cpu_capacity(
 }
 
 #ifdef CONFIG_CPU_FREQ
-static cpumask_var_t cpus_to_visit __initdata;
-static void __init parsing_done_workfn(struct work_struct *work);
-static __initdata DECLARE_WORK(parsing_done_work, parsing_done_workfn);
+static cpumask_var_t cpus_to_visit;
+static void parsing_done_workfn(struct work_struct *work);
+static DECLARE_WORK(parsing_done_work, parsing_done_workfn);
 
-static int __init
+static int
 init_cpu_capacity_callback(struct notifier_block *nb,
   unsigned long val,
   void *data)
@@ -215,7 +215,7 @@ init_cpu_capacity_callback(struct notifi
return 0;
 }
 
-static struct notifier_block init_cpu_capacity_notifier __initdata = {
+static struct notifier_block init_cpu_capacity_notifier = {
.notifier_call = init_cpu_capacity_callback,
 };
 
@@ -248,7 +248,7 @@ static int __init register_cpufreq_notif
 }
 core_initcall(register_cpufreq_notifier);
 
-static void __init parsing_done_workfn(struct work_struct *work)
+static void parsing_done_workfn(struct work_struct *work)
 {
cpufreq_unregister_notifier(_cpu_capacity_notifier,
 CPUFREQ_POLICY_NOTIFIER);

[PATCH 4.15 62/72] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Masaki Ota 

commit 567b9b549cfa1cbc202762ae97b5385c29ade1e3 upstream.

The primary interface for the touchpad device in Thinkpad L570 is SMBus,
so ALPS overlooked PS2 interface Firmware setting of TrackStick, and
shipped with TrackStick otp bit is disabled.

The address 0xD7 contains device number information, so we can identify
the device by checking this value, but to access it we need to enable
Command mode, and then re-enable the device. Devices shipped in Thinkpad
L570 report either 0x0C or 0x1D as device numbers, if we see them we assume
that the devices are DualPoints.

The same issue exists on Dell Latitude 7370.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196929
Fixes: 646580f793 ("Input: ALPS - fix multi-touch decoding on SS4 plus 
touchpads")
Signed-off-by: Masaki Ota 
Tested-by: Aaron Ma 
Tested-by: Jonathan Liu 
Tested-by: Jaak Ristioja 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/mouse/alps.c |   24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -2544,13 +2544,31 @@ static int alps_update_btn_info_ss4_v2(u
 }
 
 static int alps_update_dual_info_ss4_v2(unsigned char otp[][4],
-  struct alps_data *priv)
+   struct alps_data *priv,
+   struct psmouse *psmouse)
 {
bool is_dual = false;
+   int reg_val = 0;
+   struct ps2dev *ps2dev = >ps2dev;
 
-   if (IS_SS4PLUS_DEV(priv->dev_id))
+   if (IS_SS4PLUS_DEV(priv->dev_id)) {
is_dual = (otp[0][0] >> 4) & 0x01;
 
+   if (!is_dual) {
+   /* For support TrackStick of Thinkpad L/E series */
+   if (alps_exit_command_mode(psmouse) == 0 &&
+   alps_enter_command_mode(psmouse) == 0) {
+   reg_val = alps_command_mode_read_reg(psmouse,
+   0xD7);
+   }
+   alps_exit_command_mode(psmouse);
+   ps2_command(ps2dev, NULL, PSMOUSE_CMD_ENABLE);
+
+   if (reg_val == 0x0C || reg_val == 0x1D)
+   is_dual = true;
+   }
+   }
+
if (is_dual)
priv->flags |= ALPS_DUALPOINT |
ALPS_DUALPOINT_WITH_PRESSURE;
@@ -2573,7 +2591,7 @@ static int alps_set_defaults_ss4_v2(stru
 
alps_update_btn_info_ss4_v2(otp, priv);
 
-   alps_update_dual_info_ss4_v2(otp, priv);
+   alps_update_dual_info_ss4_v2(otp, priv, psmouse);
 
return 0;
 }

[PATCH 4.15 62/72] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Masaki Ota 

commit 567b9b549cfa1cbc202762ae97b5385c29ade1e3 upstream.

The primary interface for the touchpad device in Thinkpad L570 is SMBus,
so ALPS overlooked PS2 interface Firmware setting of TrackStick, and
shipped with TrackStick otp bit is disabled.

The address 0xD7 contains device number information, so we can identify
the device by checking this value, but to access it we need to enable
Command mode, and then re-enable the device. Devices shipped in Thinkpad
L570 report either 0x0C or 0x1D as device numbers, if we see them we assume
that the devices are DualPoints.

The same issue exists on Dell Latitude 7370.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196929
Fixes: 646580f793 ("Input: ALPS - fix multi-touch decoding on SS4 plus 
touchpads")
Signed-off-by: Masaki Ota 
Tested-by: Aaron Ma 
Tested-by: Jonathan Liu 
Tested-by: Jaak Ristioja 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/mouse/alps.c |   24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -2544,13 +2544,31 @@ static int alps_update_btn_info_ss4_v2(u
 }
 
 static int alps_update_dual_info_ss4_v2(unsigned char otp[][4],
-  struct alps_data *priv)
+   struct alps_data *priv,
+   struct psmouse *psmouse)
 {
bool is_dual = false;
+   int reg_val = 0;
+   struct ps2dev *ps2dev = >ps2dev;
 
-   if (IS_SS4PLUS_DEV(priv->dev_id))
+   if (IS_SS4PLUS_DEV(priv->dev_id)) {
is_dual = (otp[0][0] >> 4) & 0x01;
 
+   if (!is_dual) {
+   /* For support TrackStick of Thinkpad L/E series */
+   if (alps_exit_command_mode(psmouse) == 0 &&
+   alps_enter_command_mode(psmouse) == 0) {
+   reg_val = alps_command_mode_read_reg(psmouse,
+   0xD7);
+   }
+   alps_exit_command_mode(psmouse);
+   ps2_command(ps2dev, NULL, PSMOUSE_CMD_ENABLE);
+
+   if (reg_val == 0x0C || reg_val == 0x1D)
+   is_dual = true;
+   }
+   }
+
if (is_dual)
priv->flags |= ALPS_DUALPOINT |
ALPS_DUALPOINT_WITH_PRESSURE;
@@ -2573,7 +2591,7 @@ static int alps_set_defaults_ss4_v2(stru
 
alps_update_btn_info_ss4_v2(otp, priv);
 
-   alps_update_dual_info_ss4_v2(otp, priv);
+   alps_update_dual_info_ss4_v2(otp, priv, psmouse);
 
return 0;
 }

[PATCH 4.15 64/72] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Ondrej Zary 

commit 04bb1719c4de94700056241d4c0fe3c1413f5aff upstream.

The touch sensor buttons on Sony VAIO VGN-CS series laptops (e.g.
VGN-CS31S) are a separate PS/2 device. As the MUX is disabled for all
VAIO machines by the nomux blacklist, the data from touch sensor
buttons and touchpad are combined. The protocol used by the buttons is
probably similar to the touchpad protocol (both are Synaptics) so both
devices get enabled. The controller combines the data, creating a mess
which results in random button clicks, touchpad stopping working and
lost sync error messages:
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 4
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: issuing reconnect request

Add a new i8042_dmi_forcemux_table whitelist with VGN-CS.
With MUX enabled, touch sensor buttons are detected as separate device
(and left disabled as there's currently no driver), fixing all touchpad
problems.

Signed-off-by: Ondrej Zary 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/serio/i8042-x86ia64io.h |   17 +
 1 file changed, 17 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -530,6 +530,20 @@ static const struct dmi_system_id __init
{ }
 };
 
+static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = {
+   {
+   /*
+* Sony Vaio VGN-CS series require MUX or the touch sensor
+* buttons will disturb touchpad operation
+*/
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
+   DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"),
+   },
+   },
+   { }
+};
+
 /*
  * On some Asus laptops, just running self tests cause problems.
  */
@@ -1170,6 +1184,9 @@ static int __init i8042_platform_init(vo
if (dmi_check_system(i8042_dmi_nomux_table))
i8042_nomux = true;
 
+   if (dmi_check_system(i8042_dmi_forcemux_table))
+   i8042_nomux = false;
+
if (dmi_check_system(i8042_dmi_notimeout_table))
i8042_notimeout = true;
 

[PATCH 4.15 64/72] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Ondrej Zary 

commit 04bb1719c4de94700056241d4c0fe3c1413f5aff upstream.

The touch sensor buttons on Sony VAIO VGN-CS series laptops (e.g.
VGN-CS31S) are a separate PS/2 device. As the MUX is disabled for all
VAIO machines by the nomux blacklist, the data from touch sensor
buttons and touchpad are combined. The protocol used by the buttons is
probably similar to the touchpad protocol (both are Synaptics) so both
devices get enabled. The controller combines the data, creating a mess
which results in random button clicks, touchpad stopping working and
lost sync error messages:
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 4
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: TouchPad at isa0060/serio1/input0 lost sync at byte 1
psmouse serio1: issuing reconnect request

Add a new i8042_dmi_forcemux_table whitelist with VGN-CS.
With MUX enabled, touch sensor buttons are detected as separate device
(and left disabled as there's currently no driver), fixing all touchpad
problems.

Signed-off-by: Ondrej Zary 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/serio/i8042-x86ia64io.h |   17 +
 1 file changed, 17 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -530,6 +530,20 @@ static const struct dmi_system_id __init
{ }
 };
 
+static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = {
+   {
+   /*
+* Sony Vaio VGN-CS series require MUX or the touch sensor
+* buttons will disturb touchpad operation
+*/
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
+   DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"),
+   },
+   },
+   { }
+};
+
 /*
  * On some Asus laptops, just running self tests cause problems.
  */
@@ -1170,6 +1184,9 @@ static int __init i8042_platform_init(vo
if (dmi_check_system(i8042_dmi_nomux_table))
i8042_nomux = true;
 
+   if (dmi_check_system(i8042_dmi_forcemux_table))
+   i8042_nomux = false;
+
if (dmi_check_system(i8042_dmi_notimeout_table))
i8042_notimeout = true;
 

[PATCH 4.15 65/72] vt: change SGR 21 to follow the standards

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Mike Frysinger 

commit 65d9982d7e523a1a8e7c9af012da0d166f72fc56 upstream.

ECMA-48 [1] (aka ISO 6429) has defined SGR 21 as "doubly underlined"
since at least March 1984.  The Linux kernel has treated it as SGR 22
"normal intensity" since it was added in Linux-0.96b in June 1992.
Before that, it was simply ignored.  Other terminal emulators have
either ignored it, or treat it as double underline now.  xterm for
example added support in its 304 release (May 2014) [2] where it was
previously ignoring it.

Changing this behavior shouldn't be an issue:
- It isn't a named capability in ncurses's terminfo database, so no
  script is using libtinfo/libcurses to look this up, or using tput
  to query & output the right sequence.
- Any script assuming SGR 21 will reset intensity in all terminals
  already do not work correctly on non-Linux VTs (including running
  under screen/tmux/etc...).
- If someone has written a script that only runs in the Linux VT, and
  they're using SGR 21 (instead of SGR 22), the output should still
  be readable.

imo it's important to change this as the Linux VT's non-conformance
is sometimes used as an argument for other terminal emulators to not
implement SGR 21 at all, or do so incorrectly.

[1]: https://www.ecma-international.org/publications/standards/Ecma-048.htm
[2]: 
https://github.com/ThomasDickey/xterm-snapshots/commit/2fd29cb98d214cb536bcafbee00bc73b3f1eeb9d

Signed-off-by: Mike Frysinger 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/vt/vt.c |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1354,6 +1354,11 @@ static void csi_m(struct vc_data *vc)
case 3:
vc->vc_italic = 1;
break;
+   case 21:
+   /*
+* No console drivers support double underline, so
+* convert it to a single underline.
+*/
case 4:
vc->vc_underline = 1;
break;
@@ -1389,7 +1394,6 @@ static void csi_m(struct vc_data *vc)
vc->vc_disp_ctrl = 1;
vc->vc_toggle_meta = 1;
break;
-   case 21:
case 22:
vc->vc_intensity = 1;
break;

[PATCH 4.15 65/72] vt: change SGR 21 to follow the standards

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Mike Frysinger 

commit 65d9982d7e523a1a8e7c9af012da0d166f72fc56 upstream.

ECMA-48 [1] (aka ISO 6429) has defined SGR 21 as "doubly underlined"
since at least March 1984.  The Linux kernel has treated it as SGR 22
"normal intensity" since it was added in Linux-0.96b in June 1992.
Before that, it was simply ignored.  Other terminal emulators have
either ignored it, or treat it as double underline now.  xterm for
example added support in its 304 release (May 2014) [2] where it was
previously ignoring it.

Changing this behavior shouldn't be an issue:
- It isn't a named capability in ncurses's terminfo database, so no
  script is using libtinfo/libcurses to look this up, or using tput
  to query & output the right sequence.
- Any script assuming SGR 21 will reset intensity in all terminals
  already do not work correctly on non-Linux VTs (including running
  under screen/tmux/etc...).
- If someone has written a script that only runs in the Linux VT, and
  they're using SGR 21 (instead of SGR 22), the output should still
  be readable.

imo it's important to change this as the Linux VT's non-conformance
is sometimes used as an argument for other terminal emulators to not
implement SGR 21 at all, or do so incorrectly.

[1]: https://www.ecma-international.org/publications/standards/Ecma-048.htm
[2]: 
https://github.com/ThomasDickey/xterm-snapshots/commit/2fd29cb98d214cb536bcafbee00bc73b3f1eeb9d

Signed-off-by: Mike Frysinger 
Cc: stable 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/vt/vt.c |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1354,6 +1354,11 @@ static void csi_m(struct vc_data *vc)
case 3:
vc->vc_italic = 1;
break;
+   case 21:
+   /*
+* No console drivers support double underline, so
+* convert it to a single underline.
+*/
case 4:
vc->vc_underline = 1;
break;
@@ -1389,7 +1394,6 @@ static void csi_m(struct vc_data *vc)
vc->vc_disp_ctrl = 1;
vc->vc_toggle_meta = 1;
break;
-   case 21:
case 22:
vc->vc_intensity = 1;
break;

Re: INFO: task hung in lo_ioctl

[Tetsuo Handa]

Peter Zijlstra wrote:
> On Fri, Apr 06, 2018 at 09:04:18PM +0900, Tetsuo Handa wrote:
> > +   /* Temporary hack for handling lock imbalance. */
> > +   if (__mutex_owner(>lo_ctl_mutex) == current)
> > +   mutex_unlock(>lo_ctl_mutex);
> 
> ARGGH.. you didn't read the comment we put on that?
> 

Commit 5b52330bbfe63b33 ("audit: fix auditd/kernel connection state tracking")
is using __mutex_owner(). ;-)

Of course, regarding loop module, we will be able to add a flag variable
associated with lo->lo_ctl_mutex. But that will be done after we solved
the deadlock problem. I think whether we need to drop lo->lo_ctl_mutex is
not clear. Maybe

-   err = mutex_lock_killable_nested(>lo_ctl_mutex, 1);
+   err = mutex_lock_killable(>lo_ctl_mutex);

on top of this patch and listen to the lockdep?

Commit f028f3b2f987ebc6 ("loop: fix circular locking in loop_clr_fd()") says

  A simple way to silence lockdep could be to mark the lo_ctl_mutex
  in ioctl to be a sub class, but this might mask some other real bugs.

and we are currently hitting a deadlock problem.

Re: INFO: task hung in lo_ioctl

[Tetsuo Handa]

Peter Zijlstra wrote:
> On Fri, Apr 06, 2018 at 09:04:18PM +0900, Tetsuo Handa wrote:
> > +   /* Temporary hack for handling lock imbalance. */
> > +   if (__mutex_owner(>lo_ctl_mutex) == current)
> > +   mutex_unlock(>lo_ctl_mutex);
> 
> ARGGH.. you didn't read the comment we put on that?
> 

Commit 5b52330bbfe63b33 ("audit: fix auditd/kernel connection state tracking")
is using __mutex_owner(). ;-)

Of course, regarding loop module, we will be able to add a flag variable
associated with lo->lo_ctl_mutex. But that will be done after we solved
the deadlock problem. I think whether we need to drop lo->lo_ctl_mutex is
not clear. Maybe

-   err = mutex_lock_killable_nested(>lo_ctl_mutex, 1);
+   err = mutex_lock_killable(>lo_ctl_mutex);

on top of this patch and listen to the lockdep?

Commit f028f3b2f987ebc6 ("loop: fix circular locking in loop_clr_fd()") says

  A simple way to silence lockdep could be to mark the lo_ctl_mutex
  in ioctl to be a sub class, but this might mask some other real bugs.

and we are currently hitting a deadlock problem.

[PATCH 4.15 66/72] ARM: dts: DRA76-EVM: Set powerhold property for tps65917

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Keerthy 

commit aac4619d028e2c444ac1217fc2d05b0322079dff upstream.

Set powerhold property for tps65917

Signed-off-by: Keerthy 
Signed-off-by: Tony Lindgren 
Cc: Ben Hutchings 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/dra76-evm.dts |1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/dra76-evm.dts
+++ b/arch/arm/boot/dts/dra76-evm.dts
@@ -148,6 +148,7 @@
compatible = "ti,tps65917";
reg = <0x58>;
ti,system-power-controller;
+   ti,palmas-override-powerhold;
interrupt-controller;
#interrupt-cells = <2>;
 

[PATCH 4.15 66/72] ARM: dts: DRA76-EVM: Set powerhold property for tps65917

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Keerthy 

commit aac4619d028e2c444ac1217fc2d05b0322079dff upstream.

Set powerhold property for tps65917

Signed-off-by: Keerthy 
Signed-off-by: Tony Lindgren 
Cc: Ben Hutchings 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/dra76-evm.dts |1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/dra76-evm.dts
+++ b/arch/arm/boot/dts/dra76-evm.dts
@@ -148,6 +148,7 @@
compatible = "ti,tps65917";
reg = <0x58>;
ti,system-power-controller;
+   ti,palmas-override-powerhold;
interrupt-controller;
#interrupt-cells = <2>;
 

[PATCH 4.15 67/72] net: hns: Fix ethtool private flags

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Matthias Brugger 

commit d61d263c8d82db7c4404a29ebc29674b1c0c05c9 upstream.

The driver implementation returns support for private flags, while
no private flags are present. When asked for the number of private
flags it returns the number of statistic flag names.

Fix this by returning EOPNOTSUPP for not implemented ethtool flags.

Signed-off-by: Matthias Brugger 
Signed-off-by: David S. Miller 
Cc: Ben Hutchings 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c |2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c  |2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c  |2 +-
 drivers/net/ethernet/hisilicon/hns/hns_ethtool.c   |4 +++-
 4 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
@@ -666,7 +666,7 @@ static void hns_gmac_get_strings(u32 str
 
 static int hns_gmac_get_sset_count(int stringset)
 {
-   if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+   if (stringset == ETH_SS_STATS)
return ARRAY_SIZE(g_gmac_stats_string);
 
return 0;
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe
 
 int hns_ppe_get_sset_count(int stringset)
 {
-   if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+   if (stringset == ETH_SS_STATS)
return ETH_PPE_STATIC_NUM;
return 0;
 }
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
@@ -876,7 +876,7 @@ void hns_rcb_get_stats(struct hnae_queue
  */
 int hns_rcb_get_ring_sset_count(int stringset)
 {
-   if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+   if (stringset == ETH_SS_STATS)
return HNS_RING_STATIC_REG_NUM;
 
return 0;
--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
@@ -993,8 +993,10 @@ int hns_get_sset_count(struct net_device
cnt--;
 
return cnt;
-   } else {
+   } else if (stringset == ETH_SS_STATS) {
return (HNS_NET_STATS_CNT + ops->get_sset_count(h, stringset));
+   } else {
+   return -EOPNOTSUPP;
}
 }
 

[PATCH 4.15 67/72] net: hns: Fix ethtool private flags

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Matthias Brugger 

commit d61d263c8d82db7c4404a29ebc29674b1c0c05c9 upstream.

The driver implementation returns support for private flags, while
no private flags are present. When asked for the number of private
flags it returns the number of statistic flag names.

Fix this by returning EOPNOTSUPP for not implemented ethtool flags.

Signed-off-by: Matthias Brugger 
Signed-off-by: David S. Miller 
Cc: Ben Hutchings 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c |2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c  |2 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c  |2 +-
 drivers/net/ethernet/hisilicon/hns/hns_ethtool.c   |4 +++-
 4 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
@@ -666,7 +666,7 @@ static void hns_gmac_get_strings(u32 str
 
 static int hns_gmac_get_sset_count(int stringset)
 {
-   if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+   if (stringset == ETH_SS_STATS)
return ARRAY_SIZE(g_gmac_stats_string);
 
return 0;
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe
 
 int hns_ppe_get_sset_count(int stringset)
 {
-   if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+   if (stringset == ETH_SS_STATS)
return ETH_PPE_STATIC_NUM;
return 0;
 }
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
@@ -876,7 +876,7 @@ void hns_rcb_get_stats(struct hnae_queue
  */
 int hns_rcb_get_ring_sset_count(int stringset)
 {
-   if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
+   if (stringset == ETH_SS_STATS)
return HNS_RING_STATIC_REG_NUM;
 
return 0;
--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
@@ -993,8 +993,10 @@ int hns_get_sset_count(struct net_device
cnt--;
 
return cnt;
-   } else {
+   } else if (stringset == ETH_SS_STATS) {
return (HNS_NET_STATS_CNT + ops->get_sset_count(h, stringset));
+   } else {
+   return -EOPNOTSUPP;
}
 }
 

[PATCH 4.15 69/72] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit cc578825b46e984c19b4a4630d3191d60ff83642 which was
comit e153db03c6b7a035c797bcdf35262586f003ee93 upstream.

It requires a driver that was not merged until 4.16, so remove it from
this stable tree as it is pointless.

Reported-by: Ben Hutchings 
Cc: Andrew F. Davis 
Cc: Tony Lindgren 
Cc: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/arm/boot/dts/am335x-pepper.dts |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/am335x-pepper.dts
+++ b/arch/arm/boot/dts/am335x-pepper.dts
@@ -139,7 +139,7 @@
 _codec {
status = "okay";
 
-   reset-gpios = < 16 GPIO_ACTIVE_LOW>;
+   gpio-reset = < 16 GPIO_ACTIVE_LOW>;
AVDD-supply = <_reg>;
IOVDD-supply = <_reg>;
DRVDD-supply = <_reg>;

[PATCH 4.15 69/72] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit cc578825b46e984c19b4a4630d3191d60ff83642 which was
comit e153db03c6b7a035c797bcdf35262586f003ee93 upstream.

It requires a driver that was not merged until 4.16, so remove it from
this stable tree as it is pointless.

Reported-by: Ben Hutchings 
Cc: Andrew F. Davis 
Cc: Tony Lindgren 
Cc: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/arm/boot/dts/am335x-pepper.dts |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/am335x-pepper.dts
+++ b/arch/arm/boot/dts/am335x-pepper.dts
@@ -139,7 +139,7 @@
 _codec {
status = "okay";
 
-   reset-gpios = < 16 GPIO_ACTIVE_LOW>;
+   gpio-reset = < 16 GPIO_ACTIVE_LOW>;
AVDD-supply = <_reg>;
IOVDD-supply = <_reg>;
DRVDD-supply = <_reg>;

Re: drivers/gpu/drm/bridge/sil-sii8620.c:2405: undefined reference to `extcon_unregister_notifier'

[Andrzej Hajda]

On 06.04.2018 12:34, Chanwoo Choi wrote:
> Hi Andrzej,
>
> On 2018년 04월 06일 19:14, Andrzej Hajda wrote:
>> Hi Chanwoo,
>>
>> It looks like something went wrong, sii8620 patch was merged without
>> extcon dependencies.
>> Could you look at it?
> If add the 'select EXTCON' to sii8620's Kconfig, it will be solved.
> Is there other solution?

I wonder if 'imply EXTCON'  wouldn't be better, I will prepare patch for it.

Regards
Andrzej

>
>> Regards
>> Andrzej
>>
>> On 06.04.2018 11:52, kbuild test robot wrote:
>>> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
>>> master
>>> head:   38c23685b273cfb4ccf31a199feccce3bdcb5d83
>>> commit: 688838442147d9dd94c2ef7c2c31a35cf150c5fa drm/bridge/sii8620: use 
>>> micro-USB cable detection logic to detect MHL
>>> date:   4 weeks ago
>>> config: i386-randconfig-x0-04061534 (attached as .config)
>>> compiler: gcc-5 (Debian 5.5.0-3) 5.4.1 20171010
>>> reproduce:
>>> git checkout 688838442147d9dd94c2ef7c2c31a35cf150c5fa
>>> # save the attached .config to linux build tree
>>> make ARCH=i386 
>>>
>>> All errors (new ones prefixed by >>):
>>>
>>>drivers/gpu/drm/bridge/sil-sii8620.o: In function `sii8620_remove':
> drivers/gpu/drm/bridge/sil-sii8620.c:2405: undefined reference to 
> `extcon_unregister_notifier'
>>>drivers/gpu/drm/bridge/sil-sii8620.o: In function `sii8620_extcon_init':
> drivers/gpu/drm/bridge/sil-sii8620.c:2229: undefined reference to 
> `extcon_find_edev_by_node'
> drivers/gpu/drm/bridge/sil-sii8620.c:2241: undefined reference to 
> `extcon_register_notifier'
>>>drivers/gpu/drm/bridge/sil-sii8620.o: In function `sii8620_extcon_work':
> drivers/gpu/drm/bridge/sil-sii8620.c:2189: undefined reference to 
> `extcon_get_state'
>>> vim +2405 drivers/gpu/drm/bridge/sil-sii8620.c
>>>
>>>   2212  
>>>   2213  static int sii8620_extcon_init(struct sii8620 *ctx)
>>>   2214  {
>>>   2215  struct extcon_dev *edev;
>>>   2216  struct device_node *musb, *muic;
>>>   2217  int ret;
>>>   2218  
>>>   2219  /* get micro-USB connector node */
>>>   2220  musb = of_graph_get_remote_node(ctx->dev->of_node, 1, 
>>> -1);
>>>   2221  /* next get micro-USB Interface Controller node */
>>>     muic = of_get_next_parent(musb);
>>>   2223  
>>>   2224  if (!muic) {
>>>   2225  dev_info(ctx->dev, "no extcon found, switching 
>>> to 'always on' mode\n");
>>>   2226  return 0;
>>>   2227  }
>>>   2228  
 2229   edev = extcon_find_edev_by_node(muic);
>>>   2230  of_node_put(muic);
>>>   2231  if (IS_ERR(edev)) {
>>>   2232  if (PTR_ERR(edev) == -EPROBE_DEFER)
>>>   2233  return -EPROBE_DEFER;
>>>   2234  dev_err(ctx->dev, "Invalid or missing 
>>> extcon\n");
>>>   2235  return PTR_ERR(edev);
>>>   2236  }
>>>   2237  
>>>   2238  ctx->extcon = edev;
>>>   2239  ctx->extcon_nb.notifier_call = sii8620_extcon_notifier;
>>>   2240  INIT_WORK(>extcon_wq, sii8620_extcon_work);
 2241   ret = extcon_register_notifier(edev, EXTCON_DISP_MHL, 
 >extcon_nb);
>>>   2242  if (ret) {
>>>   2243  dev_err(ctx->dev, "failed to register notifier 
>>> for MHL\n");
>>>   2244  return ret;
>>>   2245  }
>>>   2246  
>>>   2247  return 0;
>>>   2248  }
>>>   2249  
>>>   2250  static inline struct sii8620 *bridge_to_sii8620(struct 
>>> drm_bridge *bridge)
>>>   2251  {
>>>   2252  return container_of(bridge, struct sii8620, bridge);
>>>   2253  }
>>>   2254  
>>>   2255  static int sii8620_attach(struct drm_bridge *bridge)
>>>   2256  {
>>>   2257  struct sii8620 *ctx = bridge_to_sii8620(bridge);
>>>   2258  
>>>   2259  sii8620_init_rcp_input_dev(ctx);
>>>   2260  
>>>   2261  return sii8620_clear_error(ctx);
>>>   2262  }
>>>   2263  
>>>   2264  static void sii8620_detach(struct drm_bridge *bridge)
>>>   2265  {
>>>   2266  struct sii8620 *ctx = bridge_to_sii8620(bridge);
>>>   2267  
>>>   2268  rc_unregister_device(ctx->rc_dev);
>>>   2269  }
>>>   2270  
>>>   2271  static enum drm_mode_status sii8620_mode_valid(struct 
>>> drm_bridge *bridge,
>>>   2272   const struct 
>>> drm_display_mode *mode)
>>>   2273  {
>>>   2274  struct sii8620 *ctx = bridge_to_sii8620(bridge);
>>>   2275  bool can_pack = ctx->devcap[MHL_DCAP_VID_LINK_MODE] &
>>>   2276  MHL_DCAP_VID_LINK_PPIXEL;
>>>   2277  unsigned int max_pclk = 

[PATCH 4.15 68/72] Fix slab name "biovec-(1<<(21-12))"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Mikulas Patocka 

commit bd5c4facf59648581d2f1692dad7b107bf429954 upstream.

I'm getting a slab named "biovec-(1<<(21-12))". It is caused by unintended
expansion of the macro BIO_MAX_PAGES. This patch renames it to biovec-max.

Signed-off-by: Mikulas Patocka 
Cc: sta...@vger.kernel.org  # v4.14+
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 block/bio.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/block/bio.c
+++ b/block/bio.c
@@ -43,9 +43,9 @@
  * break badly! cannot be bigger than what you can fit into an
  * unsigned short
  */
-#define BV(x) { .nr_vecs = x, .name = "biovec-"__stringify(x) }
+#define BV(x, n) { .nr_vecs = x, .name = "biovec-"#n }
 static struct biovec_slab bvec_slabs[BVEC_POOL_NR] __read_mostly = {
-   BV(1), BV(4), BV(16), BV(64), BV(128), BV(BIO_MAX_PAGES),
+   BV(1, 1), BV(4, 4), BV(16, 16), BV(64, 64), BV(128, 128), 
BV(BIO_MAX_PAGES, max),
 };
 #undef BV
 

Re: drivers/gpu/drm/bridge/sil-sii8620.c:2405: undefined reference to `extcon_unregister_notifier'

[Andrzej Hajda]

On 06.04.2018 12:34, Chanwoo Choi wrote:
> Hi Andrzej,
>
> On 2018년 04월 06일 19:14, Andrzej Hajda wrote:
>> Hi Chanwoo,
>>
>> It looks like something went wrong, sii8620 patch was merged without
>> extcon dependencies.
>> Could you look at it?
> If add the 'select EXTCON' to sii8620's Kconfig, it will be solved.
> Is there other solution?

I wonder if 'imply EXTCON'  wouldn't be better, I will prepare patch for it.

Regards
Andrzej

>
>> Regards
>> Andrzej
>>
>> On 06.04.2018 11:52, kbuild test robot wrote:
>>> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
>>> master
>>> head:   38c23685b273cfb4ccf31a199feccce3bdcb5d83
>>> commit: 688838442147d9dd94c2ef7c2c31a35cf150c5fa drm/bridge/sii8620: use 
>>> micro-USB cable detection logic to detect MHL
>>> date:   4 weeks ago
>>> config: i386-randconfig-x0-04061534 (attached as .config)
>>> compiler: gcc-5 (Debian 5.5.0-3) 5.4.1 20171010
>>> reproduce:
>>> git checkout 688838442147d9dd94c2ef7c2c31a35cf150c5fa
>>> # save the attached .config to linux build tree
>>> make ARCH=i386 
>>>
>>> All errors (new ones prefixed by >>):
>>>
>>>drivers/gpu/drm/bridge/sil-sii8620.o: In function `sii8620_remove':
> drivers/gpu/drm/bridge/sil-sii8620.c:2405: undefined reference to 
> `extcon_unregister_notifier'
>>>drivers/gpu/drm/bridge/sil-sii8620.o: In function `sii8620_extcon_init':
> drivers/gpu/drm/bridge/sil-sii8620.c:2229: undefined reference to 
> `extcon_find_edev_by_node'
> drivers/gpu/drm/bridge/sil-sii8620.c:2241: undefined reference to 
> `extcon_register_notifier'
>>>drivers/gpu/drm/bridge/sil-sii8620.o: In function `sii8620_extcon_work':
> drivers/gpu/drm/bridge/sil-sii8620.c:2189: undefined reference to 
> `extcon_get_state'
>>> vim +2405 drivers/gpu/drm/bridge/sil-sii8620.c
>>>
>>>   2212  
>>>   2213  static int sii8620_extcon_init(struct sii8620 *ctx)
>>>   2214  {
>>>   2215  struct extcon_dev *edev;
>>>   2216  struct device_node *musb, *muic;
>>>   2217  int ret;
>>>   2218  
>>>   2219  /* get micro-USB connector node */
>>>   2220  musb = of_graph_get_remote_node(ctx->dev->of_node, 1, 
>>> -1);
>>>   2221  /* next get micro-USB Interface Controller node */
>>>     muic = of_get_next_parent(musb);
>>>   2223  
>>>   2224  if (!muic) {
>>>   2225  dev_info(ctx->dev, "no extcon found, switching 
>>> to 'always on' mode\n");
>>>   2226  return 0;
>>>   2227  }
>>>   2228  
 2229   edev = extcon_find_edev_by_node(muic);
>>>   2230  of_node_put(muic);
>>>   2231  if (IS_ERR(edev)) {
>>>   2232  if (PTR_ERR(edev) == -EPROBE_DEFER)
>>>   2233  return -EPROBE_DEFER;
>>>   2234  dev_err(ctx->dev, "Invalid or missing 
>>> extcon\n");
>>>   2235  return PTR_ERR(edev);
>>>   2236  }
>>>   2237  
>>>   2238  ctx->extcon = edev;
>>>   2239  ctx->extcon_nb.notifier_call = sii8620_extcon_notifier;
>>>   2240  INIT_WORK(>extcon_wq, sii8620_extcon_work);
 2241   ret = extcon_register_notifier(edev, EXTCON_DISP_MHL, 
 >extcon_nb);
>>>   2242  if (ret) {
>>>   2243  dev_err(ctx->dev, "failed to register notifier 
>>> for MHL\n");
>>>   2244  return ret;
>>>   2245  }
>>>   2246  
>>>   2247  return 0;
>>>   2248  }
>>>   2249  
>>>   2250  static inline struct sii8620 *bridge_to_sii8620(struct 
>>> drm_bridge *bridge)
>>>   2251  {
>>>   2252  return container_of(bridge, struct sii8620, bridge);
>>>   2253  }
>>>   2254  
>>>   2255  static int sii8620_attach(struct drm_bridge *bridge)
>>>   2256  {
>>>   2257  struct sii8620 *ctx = bridge_to_sii8620(bridge);
>>>   2258  
>>>   2259  sii8620_init_rcp_input_dev(ctx);
>>>   2260  
>>>   2261  return sii8620_clear_error(ctx);
>>>   2262  }
>>>   2263  
>>>   2264  static void sii8620_detach(struct drm_bridge *bridge)
>>>   2265  {
>>>   2266  struct sii8620 *ctx = bridge_to_sii8620(bridge);
>>>   2267  
>>>   2268  rc_unregister_device(ctx->rc_dev);
>>>   2269  }
>>>   2270  
>>>   2271  static enum drm_mode_status sii8620_mode_valid(struct 
>>> drm_bridge *bridge,
>>>   2272   const struct 
>>> drm_display_mode *mode)
>>>   2273  {
>>>   2274  struct sii8620 *ctx = bridge_to_sii8620(bridge);
>>>   2275  bool can_pack = ctx->devcap[MHL_DCAP_VID_LINK_MODE] &
>>>   2276  MHL_DCAP_VID_LINK_PPIXEL;
>>>   2277  unsigned int max_pclk = 

[PATCH 4.15 68/72] Fix slab name "biovec-(1<<(21-12))"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Mikulas Patocka 

commit bd5c4facf59648581d2f1692dad7b107bf429954 upstream.

I'm getting a slab named "biovec-(1<<(21-12))". It is caused by unintended
expansion of the macro BIO_MAX_PAGES. This patch renames it to biovec-max.

Signed-off-by: Mikulas Patocka 
Cc: sta...@vger.kernel.org  # v4.14+
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 block/bio.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/block/bio.c
+++ b/block/bio.c
@@ -43,9 +43,9 @@
  * break badly! cannot be bigger than what you can fit into an
  * unsigned short
  */
-#define BV(x) { .nr_vecs = x, .name = "biovec-"__stringify(x) }
+#define BV(x, n) { .nr_vecs = x, .name = "biovec-"#n }
 static struct biovec_slab bvec_slabs[BVEC_POOL_NR] __read_mostly = {
-   BV(1), BV(4), BV(16), BV(64), BV(128), BV(BIO_MAX_PAGES),
+   BV(1, 1), BV(4, 4), BV(16, 16), BV(64, 64), BV(128, 128), 
BV(BIO_MAX_PAGES, max),
 };
 #undef BV
 

[PATCH 4.15 52/72] crypto: testmgr - Fix incorrect values in PKCS#1 test vector

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Conor McLoughlin 

commit 333e18c5cc74438f8940c7f3a8b3573748a371f9 upstream.

The RSA private key for the first form should have
version, prime1, prime2, exponent1, exponent2, coefficient
values 0.
With non-zero values for prime1,2, exponent 1,2 and coefficient
the Intel QAT driver will assume that values are provided for the
private key second form. This will result in signature verification
failures for modules where QAT device is present and the modules
are signed with rsa,sha256.

Cc: 
Signed-off-by: Giovanni Cabiddu 
Signed-off-by: Conor McLoughlin 
Reviewed-by: Stephan Mueller 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 crypto/testmgr.h |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -548,7 +548,7 @@ static const struct akcipher_testvec rsa
 static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = {
{
.key =
-   "\x30\x82\x03\x1f\x02\x01\x10\x02\x82\x01\x01\x00\xd7\x1e\x77\x82"
+   "\x30\x82\x03\x1f\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82"
"\x8c\x92\x31\xe7\x69\x02\xa2\xd5\x5c\x78\xde\xa2\x0c\x8f\xfe\x28"
"\x59\x31\xdf\x40\x9c\x60\x61\x06\xb9\x2f\x62\x40\x80\x76\xcb\x67"
"\x4a\xb5\x59\x56\x69\x17\x07\xfa\xf9\x4c\xbd\x6c\x37\x7a\x46\x7d"
@@ -597,8 +597,8 @@ static const struct akcipher_testvec pkc
"\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9\x7a"
"\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f\xda"
"\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46"
-   "\xb8\x35\xdf\x41\x02\x01\x30\x02\x01\x30\x02\x01\x30\x02\x01\x30"
-   "\x02\x01\x30",
+   "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00"
+   "\x02\x01\x00",
.key_len = 804,
/*
 * m is SHA256 hash of following message:

[PATCH 4.15 72/72] Revert "ip6_vti: adjust vti mtu according to mtu of lower device"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit 813b2dad2cb59d2759f1538e65d56dcccdb18a94 which is
commit 53c81e95df1793933f87748d36070a721f6cb287 upstream.

Ben writes that there are a number of follow-on patches needed to fix
this up, but they get complex to backport, and some custom fixes are
needed, so let's just revert this and wait for a "real" set of patches
to resolve this to be submitted if it is really needed.

Reported-by: Ben Hutchings 
Cc: Petr Vorel 
Cc: Alexey Kodanev 
Cc: David S. Miller 
Cc: Stefano Brivio 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv6/ip6_vti.c |   20 
 1 file changed, 20 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -626,7 +626,6 @@ static void vti6_link_config(struct ip6_
 {
struct net_device *dev = t->dev;
struct __ip6_tnl_parm *p = >parms;
-   struct net_device *tdev = NULL;
 
memcpy(dev->dev_addr, >laddr, sizeof(struct in6_addr));
memcpy(dev->broadcast, >raddr, sizeof(struct in6_addr));
@@ -639,25 +638,6 @@ static void vti6_link_config(struct ip6_
dev->flags |= IFF_POINTOPOINT;
else
dev->flags &= ~IFF_POINTOPOINT;
-
-   if (p->flags & IP6_TNL_F_CAP_XMIT) {
-   int strict = (ipv6_addr_type(>raddr) &
- (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
-   struct rt6_info *rt = rt6_lookup(t->net,
->raddr, >laddr,
-p->link, strict);
-
-   if (rt)
-   tdev = rt->dst.dev;
-   ip6_rt_put(rt);
-   }
-
-   if (!tdev && p->link)
-   tdev = __dev_get_by_index(t->net, p->link);
-
-   if (tdev)
-   dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
-IPV6_MIN_MTU);
 }
 
 /**

[PATCH 4.15 52/72] crypto: testmgr - Fix incorrect values in PKCS#1 test vector

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Conor McLoughlin 

commit 333e18c5cc74438f8940c7f3a8b3573748a371f9 upstream.

The RSA private key for the first form should have
version, prime1, prime2, exponent1, exponent2, coefficient
values 0.
With non-zero values for prime1,2, exponent 1,2 and coefficient
the Intel QAT driver will assume that values are provided for the
private key second form. This will result in signature verification
failures for modules where QAT device is present and the modules
are signed with rsa,sha256.

Cc: 
Signed-off-by: Giovanni Cabiddu 
Signed-off-by: Conor McLoughlin 
Reviewed-by: Stephan Mueller 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 crypto/testmgr.h |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -548,7 +548,7 @@ static const struct akcipher_testvec rsa
 static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = {
{
.key =
-   "\x30\x82\x03\x1f\x02\x01\x10\x02\x82\x01\x01\x00\xd7\x1e\x77\x82"
+   "\x30\x82\x03\x1f\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82"
"\x8c\x92\x31\xe7\x69\x02\xa2\xd5\x5c\x78\xde\xa2\x0c\x8f\xfe\x28"
"\x59\x31\xdf\x40\x9c\x60\x61\x06\xb9\x2f\x62\x40\x80\x76\xcb\x67"
"\x4a\xb5\x59\x56\x69\x17\x07\xfa\xf9\x4c\xbd\x6c\x37\x7a\x46\x7d"
@@ -597,8 +597,8 @@ static const struct akcipher_testvec pkc
"\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9\x7a"
"\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f\xda"
"\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46"
-   "\xb8\x35\xdf\x41\x02\x01\x30\x02\x01\x30\x02\x01\x30\x02\x01\x30"
-   "\x02\x01\x30",
+   "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00"
+   "\x02\x01\x00",
.key_len = 804,
/*
 * m is SHA256 hash of following message:

[PATCH 4.15 72/72] Revert "ip6_vti: adjust vti mtu according to mtu of lower device"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit 813b2dad2cb59d2759f1538e65d56dcccdb18a94 which is
commit 53c81e95df1793933f87748d36070a721f6cb287 upstream.

Ben writes that there are a number of follow-on patches needed to fix
this up, but they get complex to backport, and some custom fixes are
needed, so let's just revert this and wait for a "real" set of patches
to resolve this to be submitted if it is really needed.

Reported-by: Ben Hutchings 
Cc: Petr Vorel 
Cc: Alexey Kodanev 
Cc: David S. Miller 
Cc: Stefano Brivio 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv6/ip6_vti.c |   20 
 1 file changed, 20 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -626,7 +626,6 @@ static void vti6_link_config(struct ip6_
 {
struct net_device *dev = t->dev;
struct __ip6_tnl_parm *p = >parms;
-   struct net_device *tdev = NULL;
 
memcpy(dev->dev_addr, >laddr, sizeof(struct in6_addr));
memcpy(dev->broadcast, >raddr, sizeof(struct in6_addr));
@@ -639,25 +638,6 @@ static void vti6_link_config(struct ip6_
dev->flags |= IFF_POINTOPOINT;
else
dev->flags &= ~IFF_POINTOPOINT;
-
-   if (p->flags & IP6_TNL_F_CAP_XMIT) {
-   int strict = (ipv6_addr_type(>raddr) &
- (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
-   struct rt6_info *rt = rt6_lookup(t->net,
->raddr, >laddr,
-p->link, strict);
-
-   if (rt)
-   tdev = rt->dst.dev;
-   ip6_rt_put(rt);
-   }
-
-   if (!tdev && p->link)
-   tdev = __dev_get_by_index(t->net, p->link);
-
-   if (tdev)
-   dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
-IPV6_MIN_MTU);
 }
 
 /**

Re: [GIT PULL 3/3] ARM: SoC driver updates for 4.17

[Arnd Bergmann]

On Fri, Apr 6, 2018 at 6:34 AM, Linus Torvalds
 wrote:
> On Thu, Apr 5, 2018 at 2:23 PM, Arnd Bergmann  wrote:
>>
>> - the ARM CCN driver is moved out of drivers/bus into drivers/perf,
>>   which makes more sense. Similarly, the performance monitoring
>>   portion of the CCI driver are moved the same way and cleaned up
>>   a little more.
>
> This caused a trivial merge with the perf tree.
>
> But since I don't *build* the trivial merge resolution due to it being
> an arm-only file, I wanted to point it out.
>
> Because "not tested" very possibly means "I screwed something silly up
> and didn't notice".
>
> So as trivial as it seemed, it should still be checked.

Looks good to me and it survived the randconfig build tests,
so I assume it's fine.

   Arnd

Re: [GIT PULL 3/3] ARM: SoC driver updates for 4.17

[Arnd Bergmann]

On Fri, Apr 6, 2018 at 6:34 AM, Linus Torvalds
 wrote:
> On Thu, Apr 5, 2018 at 2:23 PM, Arnd Bergmann  wrote:
>>
>> - the ARM CCN driver is moved out of drivers/bus into drivers/perf,
>>   which makes more sense. Similarly, the performance monitoring
>>   portion of the CCI driver are moved the same way and cleaned up
>>   a little more.
>
> This caused a trivial merge with the perf tree.
>
> But since I don't *build* the trivial merge resolution due to it being
> an arm-only file, I wanted to point it out.
>
> Because "not tested" very possibly means "I screwed something silly up
> and didn't notice".
>
> So as trivial as it seemed, it should still be checked.

Looks good to me and it survived the randconfig build tests,
so I assume it's fine.

   Arnd

[PATCH 4.15 70/72] Revert "ARM: dts: omap3-n900: Fix the audio CODECs reset pin"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit c91a501768717f449acd1c2cff1a8531e486c441 which was
commit 7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057 upstream.

It requires a driver that was not merged until 4.16, so remove it from
this stable tree as it is pointless.

Reported-by: Ben Hutchings 
Cc: Andrew F. Davis 
Cc: Tony Lindgren 
Cc: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/arm/boot/dts/omap3-n900.dts |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/omap3-n900.dts
+++ b/arch/arm/boot/dts/omap3-n900.dts
@@ -558,7 +558,7 @@
tlv320aic3x: tlv320aic3x@18 {
compatible = "ti,tlv320aic3x";
reg = <0x18>;
-   reset-gpios = < 28 GPIO_ACTIVE_LOW>; /* 60 */
+   gpio-reset = < 28 GPIO_ACTIVE_HIGH>; /* 60 */
ai3x-gpio-func = <
0 /* AIC3X_GPIO1_FUNC_DISABLED */
5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */
@@ -575,7 +575,7 @@
tlv320aic3x_aux: tlv320aic3x@19 {
compatible = "ti,tlv320aic3x";
reg = <0x19>;
-   reset-gpios = < 28 GPIO_ACTIVE_LOW>; /* 60 */
+   gpio-reset = < 28 GPIO_ACTIVE_HIGH>; /* 60 */
 
AVDD-supply = <>;
DRVDD-supply = <>;

[PATCH 4.15 70/72] Revert "ARM: dts: omap3-n900: Fix the audio CODECs reset pin"

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Greg Kroah-Hartman 

This reverts commit c91a501768717f449acd1c2cff1a8531e486c441 which was
commit 7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057 upstream.

It requires a driver that was not merged until 4.16, so remove it from
this stable tree as it is pointless.

Reported-by: Ben Hutchings 
Cc: Andrew F. Davis 
Cc: Tony Lindgren 
Cc: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/arm/boot/dts/omap3-n900.dts |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/omap3-n900.dts
+++ b/arch/arm/boot/dts/omap3-n900.dts
@@ -558,7 +558,7 @@
tlv320aic3x: tlv320aic3x@18 {
compatible = "ti,tlv320aic3x";
reg = <0x18>;
-   reset-gpios = < 28 GPIO_ACTIVE_LOW>; /* 60 */
+   gpio-reset = < 28 GPIO_ACTIVE_HIGH>; /* 60 */
ai3x-gpio-func = <
0 /* AIC3X_GPIO1_FUNC_DISABLED */
5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */
@@ -575,7 +575,7 @@
tlv320aic3x_aux: tlv320aic3x@19 {
compatible = "ti,tlv320aic3x";
reg = <0x19>;
-   reset-gpios = < 28 GPIO_ACTIVE_LOW>; /* 60 */
+   gpio-reset = < 28 GPIO_ACTIVE_HIGH>; /* 60 */
 
AVDD-supply = <>;
DRVDD-supply = <>;

[PATCH 4.15 56/72] crypto: ccp - return an actual key size from RSA max_size callback

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Maciej S. Szmigiero 

commit 0a9eb80e643064266868bd2fb2cd608e669309b0 upstream.

rsa-pkcs1pad uses a value returned from a RSA implementation max_size
callback as a size of an input buffer passed to the RSA implementation for
encrypt and sign operations.

CCP RSA implementation uses a hardware input buffer which size depends only
on the current RSA key length, so it should return this key length in
the max_size callback, too.
This also matches what the kernel software RSA implementation does.

Previously, the value returned from this callback was always the maximum
RSA key size the CCP hardware supports.
This resulted in this huge buffer being passed by rsa-pkcs1pad to CCP even
for smaller key sizes and then in a buffer overflow when ccp_run_rsa_cmd()
tried to copy this large input buffer into a RSA key length-sized hardware
input buffer.

Signed-off-by: Maciej S. Szmigiero 
Fixes: ceeec0afd684 ("crypto: ccp - Add support for RSA on the CCP")
Cc: sta...@vger.kernel.org
Acked-by: Gary R Hook 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/crypto/ccp/ccp-crypto-rsa.c |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-rsa.c
+++ b/drivers/crypto/ccp/ccp-crypto-rsa.c
@@ -60,10 +60,9 @@ static int ccp_rsa_complete(struct crypt
 
 static unsigned int ccp_rsa_maxsize(struct crypto_akcipher *tfm)
 {
-   if (ccp_version() > CCP_VERSION(3, 0))
-   return CCP5_RSA_MAXMOD;
-   else
-   return CCP_RSA_MAXMOD;
+   struct ccp_ctx *ctx = akcipher_tfm_ctx(tfm);
+
+   return ctx->u.rsa.n_len;
 }
 
 static int ccp_rsa_crypt(struct akcipher_request *req, bool encrypt)

[PATCH 4.15 56/72] crypto: ccp - return an actual key size from RSA max_size callback

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Maciej S. Szmigiero 

commit 0a9eb80e643064266868bd2fb2cd608e669309b0 upstream.

rsa-pkcs1pad uses a value returned from a RSA implementation max_size
callback as a size of an input buffer passed to the RSA implementation for
encrypt and sign operations.

CCP RSA implementation uses a hardware input buffer which size depends only
on the current RSA key length, so it should return this key length in
the max_size callback, too.
This also matches what the kernel software RSA implementation does.

Previously, the value returned from this callback was always the maximum
RSA key size the CCP hardware supports.
This resulted in this huge buffer being passed by rsa-pkcs1pad to CCP even
for smaller key sizes and then in a buffer overflow when ccp_run_rsa_cmd()
tried to copy this large input buffer into a RSA key length-sized hardware
input buffer.

Signed-off-by: Maciej S. Szmigiero 
Fixes: ceeec0afd684 ("crypto: ccp - Add support for RSA on the CCP")
Cc: sta...@vger.kernel.org
Acked-by: Gary R Hook 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/crypto/ccp/ccp-crypto-rsa.c |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-rsa.c
+++ b/drivers/crypto/ccp/ccp-crypto-rsa.c
@@ -60,10 +60,9 @@ static int ccp_rsa_complete(struct crypt
 
 static unsigned int ccp_rsa_maxsize(struct crypto_akcipher *tfm)
 {
-   if (ccp_version() > CCP_VERSION(3, 0))
-   return CCP5_RSA_MAXMOD;
-   else
-   return CCP_RSA_MAXMOD;
+   struct ccp_ctx *ctx = akcipher_tfm_ctx(tfm);
+
+   return ctx->u.rsa.n_len;
 }
 
 static int ccp_rsa_crypt(struct akcipher_request *req, bool encrypt)

Re: [PATCH v7 0/2] drm: Add Thine THC63LVD1024 LVDS decoder bridge

[Laurent Pinchart]

Hi Jacopo,

On Friday, 6 April 2018 16:08:05 EEST Jacopo Mondi wrote:
> Hello,
>this series enables HDMI display on V3M Eagle board.
> 
> The series is based on Geert's "renesas-drivers-2018-04-03-v4.16" with
> THC63LVD1024 driver on top (cfr. my in review series:
> "[PATCH v7 0/2]  drm: Add Thine THC63LVD1024 LVDS decoder bridge")

This isn't a good base for development, as you would pull way too many 
dependencies in. Could you please base v8 on top of v4.17-rc1 (or if you get 
to post it before v4.17-rc1 gets merged, you can use Linus' master, as the 
ARM64 DT pull requests for v4.17-rc1 have been merged) ? It will then be ready 
for Simon to pull in his v4.18 branch.

> This series includes some preliminary work from Sergei and Niklas. I have
> reworked the two final patches from Niklas to enable DU first, add the LVDS
> decoder node, and finally add the ADV7511W chip and enable HDMI output.
> 
> A branch for testing is available at:
> git://jmondi.org/linux v3m/renesas-drivers-2018-04-03-v4.16/v7-eagle-dts
> 
> Thanks
>j
> 
> Jacopo Mondi (2):
>   arm64: dts: renesas: eagle: Enable DU
>   arm64: dts: renesas: eagle: Add LVDS decoder
> 
> Niklas Söderlund (2):
>   arm64: dts: renesas: r8a77970: add the LVDS instance
>   arm64: dts: renesas: eagle: Add ADV7511W and HDMI output
> 
> Sergei Shtylyov (3):
>   arm64: dts: renesas: r8a77970: add FCPVD support
>   arm64: dts: renesas: r8a77970: add VSPD support
>   arm64: dts: renesas: r8a77970: add DU support
> 
>  arch/arm64/boot/dts/renesas/r8a77970-eagle.dts | 89 +++
>  arch/arm64/boot/dts/renesas/r8a77970.dtsi  | 73 +
>  2 files changed, 162 insertions(+)
> 

-- 
Regards,

Laurent Pinchart

[PATCH 4.15 58/72] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Biggers 

commit 8f461b1e02ed546fbd0f11611138da67fd85a30f upstream.

With ecb-cast5-avx, if a 128+ byte scatterlist element followed a
shorter one, then the algorithm accidentally encrypted/decrypted only 8
bytes instead of the expected 128 bytes.  Fix it by setting the
encryption/decryption 'fn' correctly.

Fixes: c12ab20b162c ("crypto: cast5/avx - avoid using temporary stack buffers")
Cc:  # v3.8+
Signed-off-by: Eric Biggers 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/crypto/cast5_avx_glue.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/x86/crypto/cast5_avx_glue.c
+++ b/arch/x86/crypto/cast5_avx_glue.c
@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_de
void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src);
int err;
 
-   fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
-
err = blkcipher_walk_virt(desc, walk);
desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
 
@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_de
 
/* Process multi-block batch */
if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) {
+   fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
do {
fn(ctx, wdst, wsrc);
 

Re: [PATCH v7 0/2] drm: Add Thine THC63LVD1024 LVDS decoder bridge

[Laurent Pinchart]

Hi Jacopo,

On Friday, 6 April 2018 16:08:05 EEST Jacopo Mondi wrote:
> Hello,
>this series enables HDMI display on V3M Eagle board.
> 
> The series is based on Geert's "renesas-drivers-2018-04-03-v4.16" with
> THC63LVD1024 driver on top (cfr. my in review series:
> "[PATCH v7 0/2]  drm: Add Thine THC63LVD1024 LVDS decoder bridge")

This isn't a good base for development, as you would pull way too many 
dependencies in. Could you please base v8 on top of v4.17-rc1 (or if you get 
to post it before v4.17-rc1 gets merged, you can use Linus' master, as the 
ARM64 DT pull requests for v4.17-rc1 have been merged) ? It will then be ready 
for Simon to pull in his v4.18 branch.

> This series includes some preliminary work from Sergei and Niklas. I have
> reworked the two final patches from Niklas to enable DU first, add the LVDS
> decoder node, and finally add the ADV7511W chip and enable HDMI output.
> 
> A branch for testing is available at:
> git://jmondi.org/linux v3m/renesas-drivers-2018-04-03-v4.16/v7-eagle-dts
> 
> Thanks
>j
> 
> Jacopo Mondi (2):
>   arm64: dts: renesas: eagle: Enable DU
>   arm64: dts: renesas: eagle: Add LVDS decoder
> 
> Niklas Söderlund (2):
>   arm64: dts: renesas: r8a77970: add the LVDS instance
>   arm64: dts: renesas: eagle: Add ADV7511W and HDMI output
> 
> Sergei Shtylyov (3):
>   arm64: dts: renesas: r8a77970: add FCPVD support
>   arm64: dts: renesas: r8a77970: add VSPD support
>   arm64: dts: renesas: r8a77970: add DU support
> 
>  arch/arm64/boot/dts/renesas/r8a77970-eagle.dts | 89 +++
>  arch/arm64/boot/dts/renesas/r8a77970.dtsi  | 73 +
>  2 files changed, 162 insertions(+)
> 

-- 
Regards,

Laurent Pinchart

[PATCH 4.15 58/72] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one

[Greg Kroah-Hartman]

4.15-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Biggers 

commit 8f461b1e02ed546fbd0f11611138da67fd85a30f upstream.

With ecb-cast5-avx, if a 128+ byte scatterlist element followed a
shorter one, then the algorithm accidentally encrypted/decrypted only 8
bytes instead of the expected 128 bytes.  Fix it by setting the
encryption/decryption 'fn' correctly.

Fixes: c12ab20b162c ("crypto: cast5/avx - avoid using temporary stack buffers")
Cc:  # v3.8+
Signed-off-by: Eric Biggers 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/crypto/cast5_avx_glue.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/x86/crypto/cast5_avx_glue.c
+++ b/arch/x86/crypto/cast5_avx_glue.c
@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_de
void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src);
int err;
 
-   fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
-
err = blkcipher_walk_virt(desc, walk);
desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
 
@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_de
 
/* Process multi-block batch */
if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) {
+   fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
do {
fn(ctx, wdst, wsrc);
 

[PATCH 4.16 01/31] bitmap: fix memset optimization on big-endian systems

[Greg Kroah-Hartman]

4.16-stable review patch.  If anyone has any objections, please let me know.

--

From: Omar Sandoval 

commit 21035965f60b0502fc6537b232839389bb4ce664 upstream.

Commit 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and
bitmap_clear into memset when possible") introduced an optimization to
bitmap_{set,clear}() which uses memset() when the start and length are
constants aligned to a byte.

This is wrong on big-endian systems; our bitmaps are arrays of unsigned
long, so bit n is not at byte n / 8 in memory.  This was caught by the
Btrfs selftests, but the bitmap selftests also fail when run on a
big-endian machine.

We can still use memset if the start and length are aligned to an
unsigned long, so do that on big-endian.  The same problem applies to
the memcmp in bitmap_equal(), so fix it there, too.

Fixes: 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and bitmap_clear 
into memset when possible")
Fixes: 2c6deb01525a ("bitmap: use memcmp optimisation in more situations")
Cc: sta...@kernel.org
Reported-by: "Erhard F." 
Cc: Matthew Wilcox 
Cc: Rasmus Villemoes 
Cc: Andrew Morton 
Cc: Arnd Bergmann 
Signed-off-by: Omar Sandoval 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/bitmap.h |   22 +-
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -302,12 +302,20 @@ static inline void bitmap_complement(uns
__bitmap_complement(dst, src, nbits);
 }
 
+#ifdef __LITTLE_ENDIAN
+#define BITMAP_MEM_ALIGNMENT 8
+#else
+#define BITMAP_MEM_ALIGNMENT (8 * sizeof(unsigned long))
+#endif
+#define BITMAP_MEM_MASK (BITMAP_MEM_ALIGNMENT - 1)
+
 static inline int bitmap_equal(const unsigned long *src1,
const unsigned long *src2, unsigned int nbits)
 {
if (small_const_nbits(nbits))
return !((*src1 ^ *src2) & BITMAP_LAST_WORD_MASK(nbits));
-   if (__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   if (__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+   IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
return !memcmp(src1, src2, nbits / 8);
return __bitmap_equal(src1, src2, nbits);
 }
@@ -358,8 +366,10 @@ static __always_inline void bitmap_set(u
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__set_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0xff, nbits / 8);
else
__bitmap_set(map, start, nbits);
@@ -370,8 +380,10 @@ static __always_inline void bitmap_clear
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__clear_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0, nbits / 8);
else
__bitmap_clear(map, start, nbits);

[PATCH 4.16 01/31] bitmap: fix memset optimization on big-endian systems

[Greg Kroah-Hartman]

4.16-stable review patch.  If anyone has any objections, please let me know.

--

From: Omar Sandoval 

commit 21035965f60b0502fc6537b232839389bb4ce664 upstream.

Commit 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and
bitmap_clear into memset when possible") introduced an optimization to
bitmap_{set,clear}() which uses memset() when the start and length are
constants aligned to a byte.

This is wrong on big-endian systems; our bitmaps are arrays of unsigned
long, so bit n is not at byte n / 8 in memory.  This was caught by the
Btrfs selftests, but the bitmap selftests also fail when run on a
big-endian machine.

We can still use memset if the start and length are aligned to an
unsigned long, so do that on big-endian.  The same problem applies to
the memcmp in bitmap_equal(), so fix it there, too.

Fixes: 2a98dc028f91 ("include/linux/bitmap.h: turn bitmap_set and bitmap_clear 
into memset when possible")
Fixes: 2c6deb01525a ("bitmap: use memcmp optimisation in more situations")
Cc: sta...@kernel.org
Reported-by: "Erhard F." 
Cc: Matthew Wilcox 
Cc: Rasmus Villemoes 
Cc: Andrew Morton 
Cc: Arnd Bergmann 
Signed-off-by: Omar Sandoval 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/bitmap.h |   22 +-
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -302,12 +302,20 @@ static inline void bitmap_complement(uns
__bitmap_complement(dst, src, nbits);
 }
 
+#ifdef __LITTLE_ENDIAN
+#define BITMAP_MEM_ALIGNMENT 8
+#else
+#define BITMAP_MEM_ALIGNMENT (8 * sizeof(unsigned long))
+#endif
+#define BITMAP_MEM_MASK (BITMAP_MEM_ALIGNMENT - 1)
+
 static inline int bitmap_equal(const unsigned long *src1,
const unsigned long *src2, unsigned int nbits)
 {
if (small_const_nbits(nbits))
return !((*src1 ^ *src2) & BITMAP_LAST_WORD_MASK(nbits));
-   if (__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   if (__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+   IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
return !memcmp(src1, src2, nbits / 8);
return __bitmap_equal(src1, src2, nbits);
 }
@@ -358,8 +366,10 @@ static __always_inline void bitmap_set(u
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__set_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0xff, nbits / 8);
else
__bitmap_set(map, start, nbits);
@@ -370,8 +380,10 @@ static __always_inline void bitmap_clear
 {
if (__builtin_constant_p(nbits) && nbits == 1)
__clear_bit(start, map);
-   else if (__builtin_constant_p(start & 7) && IS_ALIGNED(start, 8) &&
-__builtin_constant_p(nbits & 7) && IS_ALIGNED(nbits, 8))
+   else if (__builtin_constant_p(start & BITMAP_MEM_MASK) &&
+IS_ALIGNED(start, BITMAP_MEM_ALIGNMENT) &&
+__builtin_constant_p(nbits & BITMAP_MEM_MASK) &&
+IS_ALIGNED(nbits, BITMAP_MEM_ALIGNMENT))
memset((char *)map + start / 8, 0, nbits / 8);
else
__bitmap_clear(map, start, nbits);