[PATCH 4.14 002/115] platform/x86: sony-laptop: Fix unintentional fall-through

2019-05-15 Thread Greg Kroah-Hartman
From: Gustavo A. R. Silva 

commit 1cbd7a64959d33e7a2a1fa2bf36a62b350a9fcbd upstream.

It seems that the default case should return AE_CTRL_TERMINATE, instead
of falling through to case ACPI_RESOURCE_TYPE_END_TAG and returning AE_OK;
otherwise the line of code at the end of the function is unreachable and
makes no sense:

return AE_CTRL_TERMINATE;

This fix is based on the following thread of discussion:

https://lore.kernel.org/patchwork/patch/959782/

Fixes: 33a04454527e ("sony-laptop: Add SNY6001 device handling (sonypi 
reimplementation)")
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva 
Reviewed-by: Kees Cook 
Signed-off-by: Andy Shevchenko 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/platform/x86/sony-laptop.c |8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
@@ -4422,14 +4422,16 @@ sony_pic_read_possible_resource(struct a
}
return AE_OK;
}
+
+   case ACPI_RESOURCE_TYPE_END_TAG:
+   return AE_OK;
+
default:
dprintk("Resource %d isn't an IRQ nor an IO port\n",
resource->type);
+   return AE_CTRL_TERMINATE;
 
-   case ACPI_RESOURCE_TYPE_END_TAG:
-   return AE_OK;
}
-   return AE_CTRL_TERMINATE;
 }
 
 static int sony_pic_possible_resources(struct acpi_device *device)




[PATCH 4.9 26/51] gpu: ipu-v3: dp: fix CSC handling

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 ]

Initialize the flow input colorspaces to unknown and reset to that value
when the channel gets disabled. This avoids the state getting mixed up
with a previous mode.

Also keep the CSC settings for the background flow intact when disabling
the foreground flow.

Root-caused-by: Jonathan Marek 
Signed-off-by: Lucas Stach 
Signed-off-by: Philipp Zabel 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/ipu-v3/ipu-dp.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
index 98686edbcdbb0..33de3a1bac49f 100644
--- a/drivers/gpu/ipu-v3/ipu-dp.c
+++ b/drivers/gpu/ipu-v3/ipu-dp.c
@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
DP_COM_CONF_CSC_DEF_BOTH);
} else {
-   if (flow->foreground.in_cs == flow->out_cs)
+   if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN ||
+   flow->foreground.in_cs == flow->out_cs)
/*
 * foreground identical to output, apply color
 * conversion on background
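Review bot: The block comment under the widened condition still reads "foreground identical to output, apply color conversion on background", which no longer covers the new `IPUV3_COLORSPACE_UNKNOWN` arm. A reader would not learn from it that an unset foreground colorspace is deliberately treated like a matching one. I would extend it to something like `foreground unknown or identical to output, apply color conversion on background`. The comment and the rest of the else-branch continue past the end of this hunk.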
@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp)
struct ipu_dp_priv *priv = flow->priv;
u32 reg, csc;
 
+   dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;
+
if (!dp->foreground)
return;
 
@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp)
 
reg = readl(flow->base + DP_COM_CONF);
csc = reg & DP_COM_CONF_CSC_DEF_MASK;
-   if (csc == DP_COM_CONF_CSC_DEF_FG)
-   reg &= ~DP_COM_CONF_CSC_DEF_MASK;
+   reg &= ~DP_COM_CONF_CSC_DEF_MASK;
+   if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG)
+   reg |= DP_COM_CONF_CSC_DEF_BG;
 
reg &= ~DP_COM_CONF_FG_EN;
writel(reg, flow->base + DP_COM_CONF);
@@ -350,6 +354,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, 
unsigned long base)
mutex_init(>mutex);
 
for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
+   priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN;
+   priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN;
priv->flow[i].foreground.foreground = true;
priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
priv->flow[i].priv = priv;
-- 
2.20.1





[PATCH 4.14 017/115] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 ]

This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands
that carry key data to ensure they do not stick around on heap
after the SKB is freed.

Also introduced this flag for NL80211_CMD_VENDOR as there are sub
commands which configure the keys.

Signed-off-by: Sunil Dutt 
Signed-off-by: Johannes Berg 
Signed-off-by: Sasha Levin 
---
 net/wireless/nl80211.c | 18 --
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 46e9812d13c02..c1a2ad050e617 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -12761,7 +12761,8 @@ static const struct genl_ops nl80211_ops[] = {
.policy = nl80211_policy,
.flags = GENL_UNS_ADMIN_PERM,
.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- NL80211_FLAG_NEED_RTNL,
+ NL80211_FLAG_NEED_RTNL |
+ NL80211_FLAG_CLEAR_SKB,
},
{
.cmd = NL80211_CMD_DEAUTHENTICATE,
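Review bot: `NL80211_FLAG_CLEAR_SKB` is opted into one `nl80211_ops[]` entry at a time, and in most of these hunks the `.cmd` of the changed entry lies above the context, so coverage of every key-carrying command cannot be checked from the diff alone. This applies equally to the hunks at -12812, -12820, -12849, -13201 and -13256. A short comment on each touched entry, e.g. `/* carries key material: clear skb after use */`, would make later audits of the table easier. The clearing itself is not part of this diff. If it runs from the family's post-doit hook, as I would expect, a request rejected before the handler runs would presumably leave its payload uncleared, which is worth confirming.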
@@ -12812,7 +12813,8 @@ static const struct genl_ops nl80211_ops[] = {
.policy = nl80211_policy,
.flags = GENL_UNS_ADMIN_PERM,
.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- NL80211_FLAG_NEED_RTNL,
+ NL80211_FLAG_NEED_RTNL |
+ NL80211_FLAG_CLEAR_SKB,
},
{
.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
@@ -12820,7 +12822,8 @@ static const struct genl_ops nl80211_ops[] = {
.policy = nl80211_policy,
.flags = GENL_ADMIN_PERM,
.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- NL80211_FLAG_NEED_RTNL,
+ NL80211_FLAG_NEED_RTNL |
+ NL80211_FLAG_CLEAR_SKB,
},
{
.cmd = NL80211_CMD_DISCONNECT,
@@ -12849,7 +12852,8 @@ static const struct genl_ops nl80211_ops[] = {
.policy = nl80211_policy,
.flags = GENL_UNS_ADMIN_PERM,
.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- NL80211_FLAG_NEED_RTNL,
+ NL80211_FLAG_NEED_RTNL |
+ NL80211_FLAG_CLEAR_SKB,
},
{
.cmd = NL80211_CMD_DEL_PMKSA,
@@ -13201,7 +13205,8 @@ static const struct genl_ops nl80211_ops[] = {
.policy = nl80211_policy,
.flags = GENL_UNS_ADMIN_PERM,
.internal_flags = NL80211_FLAG_NEED_WIPHY |
- NL80211_FLAG_NEED_RTNL,
+ NL80211_FLAG_NEED_RTNL |
+ NL80211_FLAG_CLEAR_SKB,
},
{
.cmd = NL80211_CMD_SET_QOS_MAP,
@@ -13256,7 +13261,8 @@ static const struct genl_ops nl80211_ops[] = {
.doit = nl80211_set_pmk,
.policy = nl80211_policy,
.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- NL80211_FLAG_NEED_RTNL,
+ NL80211_FLAG_NEED_RTNL |
+ NL80211_FLAG_CLEAR_SKB,
},
{
.cmd = NL80211_CMD_DEL_PMK,
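Review bot: The entry changed here (`.doit = nl80211_set_pmk`) shows no `.flags` line between `.policy` and `.internal_flags`, while the other six entries touched by this patch carry `GENL_UNS_ADMIN_PERM` or `GENL_ADMIN_PERM` at that position. The `.cmd` line is above the hunk, so a permission flag could be set elsewhere in the initializer, but that would break the field order used by the other entries. If none is set, the command installs a PMK without the generic-netlink admin check, and clearing the skb afterwards does not address that. Worth confirming against the full table, and if the omission is intentional a one-line comment saying why would help.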
-- 
2.20.1





[PATCH 4.14 018/115] s390/3270: fix lockdep false positive on view->lock

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 5712f3301a12c0c3de9cc423484496b0464f2faf ]

The spinlock in the raw3270_view structure is used by con3270, tty3270
and fs3270 in different ways. For con3270 the lock can be acquired in
irq context, for tty3270 and fs3270 the highest context is bh.

Lockdep sees the view->lock as a single class and if the 3270 driver
is used for the console the following message is generated:

WARNING: inconsistent lock state
5.1.0-rc3-05157-g5c168033979d #12 Not tainted

inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
swapper/0/1 [HC0[0]:SC1[1]:HE1:SE0] takes:
(ptrval) (&(>lock)->rlock){?.-.}, at: tty3270_update+0x7c/0x330

Introduce a lockdep subclass for the view lock to distinguish bh from
irq locks.

Signed-off-by: Martin Schwidefsky 

Signed-off-by: Sasha Levin 
---
 drivers/s390/char/con3270.c | 2 +-
 drivers/s390/char/fs3270.c  | 3 ++-
 drivers/s390/char/raw3270.c | 3 ++-
 drivers/s390/char/raw3270.h | 4 +++-
 drivers/s390/char/tty3270.c | 3 ++-
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/s390/char/con3270.c b/drivers/s390/char/con3270.c
index be3e3c1206c24..1868ff803f439 100644
--- a/drivers/s390/char/con3270.c
+++ b/drivers/s390/char/con3270.c
@@ -629,7 +629,7 @@ con3270_init(void)
 (void (*)(unsigned long)) con3270_read_tasklet,
 (unsigned long) condev->read);
 
-   raw3270_add_view(>view, _fn, 1);
+   raw3270_add_view(>view, _fn, 1, RAW3270_VIEW_LOCK_IRQ);
 
INIT_LIST_HEAD(>freemem);
for (i = 0; i < CON3270_STRING_PAGES; i++) {
diff --git a/drivers/s390/char/fs3270.c b/drivers/s390/char/fs3270.c
index c4518168fd02c..4f73a38c7cbd2 100644
--- a/drivers/s390/char/fs3270.c
+++ b/drivers/s390/char/fs3270.c
@@ -463,7 +463,8 @@ fs3270_open(struct inode *inode, struct file *filp)
 
init_waitqueue_head(>wait);
fp->fs_pid = get_pid(task_pid(current));
-   rc = raw3270_add_view(>view, _fn, minor);
+   rc = raw3270_add_view(>view, _fn, minor,
+ RAW3270_VIEW_LOCK_BH);
if (rc) {
fs3270_free_view(>view);
goto out;
diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
index 5d4f053d7c38c..0f47fec35acc0 100644
--- a/drivers/s390/char/raw3270.c
+++ b/drivers/s390/char/raw3270.c
@@ -919,7 +919,7 @@ raw3270_deactivate_view(struct raw3270_view *view)
  * Add view to device with minor "minor".
  */
 int
-raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor)
+raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, 
int subclass)
 {
unsigned long flags;
struct raw3270 *rp;
@@ -941,6 +941,7 @@ raw3270_add_view(struct raw3270_view *view, struct 
raw3270_fn *fn, int minor)
view->cols = rp->cols;
view->ascebc = rp->ascebc;
spin_lock_init(>lock);
+   lockdep_set_subclass(>lock, subclass);
list_add(>list, >view_list);
rc = 0;
spin_unlock_irqrestore(get_ccwdev_lock(rp->cdev), flags);
diff --git a/drivers/s390/char/raw3270.h b/drivers/s390/char/raw3270.h
index 114ca7cbf8897..3afaa35f73513 100644
--- a/drivers/s390/char/raw3270.h
+++ b/drivers/s390/char/raw3270.h
@@ -150,6 +150,8 @@ struct raw3270_fn {
 struct raw3270_view {
struct list_head list;
spinlock_t lock;
+#define RAW3270_VIEW_LOCK_IRQ  0
+#define RAW3270_VIEW_LOCK_BH   1
atomic_t ref_count;
struct raw3270 *dev;
struct raw3270_fn *fn;
@@ -158,7 +160,7 @@ struct raw3270_view {
unsigned char *ascebc;  /* ascii -> ebcdic table */
 };
 
-int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int);
+int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int);
 int raw3270_activate_view(struct raw3270_view *);
 void raw3270_del_view(struct raw3270_view *);
 void raw3270_deactivate_view(struct raw3270_view *);
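Review bot: The prototype `int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int);` now has two adjacent unnamed `int` parameters, so nothing at the declaration tells a caller which is the minor and which is the lockdep subclass, and swapped arguments compile silently. Naming them as the definition does, `int raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, int subclass);`, costs nothing. The one-line comment above the definition in raw3270.c also says nothing about the new argument. A sentence stating that `subclass` is one of `RAW3270_VIEW_LOCK_IRQ` or `RAW3270_VIEW_LOCK_BH` would help.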
diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c
index e5ebe2fbee235..401688bf8fd37 100644
--- a/drivers/s390/char/tty3270.c
+++ b/drivers/s390/char/tty3270.c
@@ -978,7 +978,8 @@ static int tty3270_install(struct tty_driver *driver, 
struct tty_struct *tty)
return PTR_ERR(tp);
 
rc = raw3270_add_view(>view, _fn,
- tty->index + RAW3270_FIRSTMINOR);
+ tty->index + RAW3270_FIRSTMINOR,
+ RAW3270_VIEW_LOCK_BH);
if (rc) {
tty3270_free_view(tp);
return rc;
-- 
2.20.1





[PATCH 4.14 000/115] 4.14.120-stable review

2019-05-15 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.14.120 release.
There are 115 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri 17 May 2019 09:04:39 AM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.120-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.14.120-rc1

Laurentiu Tudor 
powerpc/booke64: set RI in default MSR

Russell Currey 
powerpc/powernv/idle: Restore IAMR after idle

Dan Carpenter 
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl

Dan Carpenter 
drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl

Parthasarathy Bhuvaragan 
tipc: fix hanging clients using poll with EPOLLOUT flag

Stephen Suryaputra 
vrf: sit mtu should not be updated when vrf netdev is the link

Hangbin Liu 
vlan: disable SIOCSHWTSTAMP in container

YueHaibing 
packet: Fix error path in packet_init

Christophe Leroy 
net: ucc_geth - fix Oops when changing number of buffers in the ring

Thomas Bogendoerfer 
net: seeq: fix crash caused by not set dev.parent

Corentin Labbe 
net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering

YueHaibing 
net: dsa: Fix error cleanup path in dsa_init_module

David Ahern 
ipv4: Fix raw socket lookup for local traffic

Hangbin Liu 
fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL 
not supplied

Laurentiu Tudor 
dpaa_eth: fix SG frame cleanup

Tobin C. Harding 
bridge: Fix error path for kobject_init_and_add()

Jarod Wilson 
bonding: fix arp_validate toggling in active-backup mode

Breno Leitao 
powerpc/64s: Include cpu header

Nigel Croxon 
Don't jump to compute_result state from check_result state

Gustavo A. R. Silva 
rtlwifi: rtl8723ae: Fix missing break in switch statement

Petr Štetiar 
mwl8k: Fix rate_idx underflow

Wei Yongjun 
cw1200: fix missing unlock on error in cw1200_hw_scan()

Masami Hiramatsu 
x86/kprobes: Avoid kretprobe recursion bug

Dan Carpenter 
nfc: nci: Potential off by one in ->pipes[] array

Dan Carpenter 
NFC: nci: Add some bounds checking in nci_hci_cmd_received()

Ido Schimmel 
mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue

Ido Schimmel 
mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue

Ido Schimmel 
mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue

Ido Schimmel 
mlxsw: spectrum_switchdev: Add MDB entries in prepare phase

Andy Duan 
net: fec: manage ahb clock in runtime pm

Jan Kara 
mm/memory.c: fix modifying of page protection by insert_pfn()

Jun Xiao 
net: hns: Fix WARNING when hns modules installed

Sebastian Andrzej Siewior 
x86/fpu: Don't export __kernel_fpu_{begin,end}()

Ronnie Sahlberg 
cifs: fix memory leak in SMB2_read

Damian Kos 
drm/rockchip: fix for mailbox read validation.

Florian Westphal 
netfilter: nf_tables: warn when expr implements only one of 
activate/deactivate

KT Liao 
Input: elan_i2c - add hardware ID for multiple Lenovo laptops

Erik Schmauss 
ACPICA: Namespace: remove address node from global list after method 
termination

Matteo Croce 
gtp: change NET_UDP_TUNNEL dependency to select

Cong Wang 
net_sched: fix two more memory leaks in cls_tcindex

Max Filippov 
xtensa: xtfpga.dtsi: fix dtc warnings about SPI

Alexey Brodkin 
devres: Align data[] to ARCH_KMALLOC_MINALIGN

Nicolas Pitre 
vt: always call notifier with the console lock held

Heinrich Schuchardt 
arm64: dts: marvell: armada-ap806: reserve PSCI area

Adit Ranadive 
RDMA/vmw_pvrdma: Return the correct opcode when creating WR

Enric Balletbo i Serra 
drm/rockchip: psr: do not dereference encoder before it is null checked.

Jerome Brunet 
leds: pwm: silently error out on EPROBE_DEFER

Nicholas Piggin 
powerpc: remove old GCC version checks

Dmitry Eremin-Solenikov 
crypto: testmgr - add AES-CFB tests

Marc Zyngier 
arm64: KVM: Make VHE Stage-2 TLB invalidation operations non-interruptible

Martin Schwidefsky 
mm: introduce mm_[p4d|pud|pmd]_folded

Alistair Strachan 
x86/vdso: Pass --eh-frame-hdr to the linker

Omar Sandoval 
Btrfs: fix missing delayed iputs on unmount

Thierry Reding 
net: stmmac: Move debugfs init/exit to ->probe()/->remove()

Lubomir Rintel 
staging: olpc_dcon: add a missing dependency

Arnd Bergmann 
scsi: raid_attrs: fix unused variable warning

Chris Wilson 
drm/i915: Downgrade Gen9 Plane WM latency error

Steven Rostedt (VMware) 

[PATCH 4.14 023/115] KVM: fix spectrev1 gadgets

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ]

These were found with smatch, and then generalized when applicable.

Signed-off-by: Paolo Bonzini 
Signed-off-by: Sasha Levin 
---
 arch/x86/kvm/lapic.c |  4 +++-
 include/linux/kvm_host.h | 10 ++
 virt/kvm/irqchip.c   |  5 +++--
 virt/kvm/kvm_main.c  |  6 --
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index f7c34184342a5..053e4937af0cb 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct 
kvm_apic_map *map,
if (offset <= max_apic_id) {
u8 cluster_size = min(max_apic_id - offset + 1, 16U);
 
+   offset = array_index_nospec(offset, map->max_apic_id + 
1);
*cluster = >phys_map[offset];
*mask = dest_id & (0x >> (16 - cluster_size));
} else {
@@ -829,7 +830,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm 
*kvm,
if (irq->dest_id > map->max_apic_id) {
*bitmap = 0;
} else {
-   *dst = >phys_map[irq->dest_id];
+   u32 dest_id = array_index_nospec(irq->dest_id, 
map->max_apic_id + 1);
+   *dst = >phys_map[dest_id];
*bitmap = 1;
}
return true;
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 753c16633bac5..026615e242d8e 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #include 
@@ -483,10 +484,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm 
*kvm, enum kvm_bus idx)
 
 static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
 {
-   /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case
-* the caller has read kvm->online_vcpus before (as is the case
-* for kvm_for_each_vcpu, for example).
-*/
+   int num_vcpus = atomic_read(>online_vcpus);
+   i = array_index_nospec(i, num_vcpus);
+
+   /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu.  */
smp_rmb();
return kvm->vcpus[i];
 }
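Review bot: `kvm_get_vcpu()` has no architectural bounds check in front of the new `array_index_nospec(i, num_vcpus)`, so an `i` at or above `online_vcpus` is not just masked under speculation. It is turned into index 0, and the caller receives whatever slot 0 holds instead of the slot it asked for. The shortened comment also drops the explanation of when the barrier matters. I would state the contract next to the clamp, e.g. `/* i must be < online_vcpus; anything else is clamped to slot 0 */`. The `as_id` clamp added to `__kvm_memslots()` in the next hunk has the same property with `KVM_ADDRESS_SPACE_NUM`.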
@@ -570,6 +571,7 @@ void kvm_put_kvm(struct kvm *kvm);
 
 static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id)
 {
+   as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM);
return srcu_dereference_check(kvm->memslots[as_id], >srcu,
lockdep_is_held(>slots_lock) ||
!refcount_read(>users_count));
diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
index b1286c4e07122..0bd0683640bdf 100644
--- a/virt/kvm/irqchip.c
+++ b/virt/kvm/irqchip.c
@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm,
 {
struct kvm_kernel_irq_routing_entry *ei;
int r;
+   u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES);
 
/*
 * Do not allow GSI to be mapped to the same irqchip more than once.
 * Allow only one to one mapping between GSI and non-irqchip routing.
 */
-   hlist_for_each_entry(ei, >map[ue->gsi], link)
+   hlist_for_each_entry(ei, >map[gsi], link)
if (ei->type != KVM_IRQ_ROUTING_IRQCHIP ||
ue->type != KVM_IRQ_ROUTING_IRQCHIP ||
ue->u.irqchip.irqchip == ei->irqchip.irqchip)
return -EINVAL;
 
-   e->gsi = ue->gsi;
+   e->gsi = gsi;
e->type = ue->type;
r = kvm_set_routing_entry(kvm, e, ue);
if (r)
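Review bot: `array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES)` at the top of `setup_routing_entry()` bounds the index by the global maximum, but the `map[]` array it protects is allocated outside this hunk. If that map is sized to the number of routing entries in the table rather than to `KVM_MAX_IRQ_ROUTES`, the speculative window is only narrowed, not closed, and the bound should be the table's own length. The range check on `ue->gsi` is not visible here either. Since the clamped value is stored via `e->gsi = gsi`, it is worth confirming that the caller rejects out-of-range GSIs first; otherwise they would be recorded as GSI 0. The function body continues past the hunk.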
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index a373c60ef1c06..b91716b1b428e 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2886,12 +2886,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
struct kvm_device_ops *ops = NULL;
struct kvm_device *dev;
bool test = cd->flags & KVM_CREATE_DEVICE_TEST;
+   int type;
int ret;
 
if (cd->type >= ARRAY_SIZE(kvm_device_ops_table))
return -ENODEV;
 
-   ops = kvm_device_ops_table[cd->type];
+   type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table));
+   ops = kvm_device_ops_table[type];
if (ops == NULL)
return -ENODEV;
 
@@ -2906,7 +2908,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
dev->kvm = kvm;
 
mutex_lock(>lock);
-   ret = ops->create(dev, cd->type);
+   ret = ops->create(dev, type);
if (ret < 0) {
mutex_unlock(>lock);
kfree(dev);
-- 
2.20.1





[PATCH 4.14 024/115] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 7a223e06b1a411cef6c4cd7a9b9a33c8d225b10e ]

In __apic_accept_irq() interface trig_mode is int and actually on some code
paths it is set above u8:

kvm_apic_set_irq() extracts it from 'struct kvm_lapic_irq' where trig_mode
is u16. This is done on purpose as e.g. kvm_set_msi_irq() sets it to
(1 << 15) & e->msi.data

kvm_apic_local_deliver sets it to reg & (1 << 15).

Fix the immediate issue by making 'tm' into u16. We may also want to adjust
__apic_accept_irq() interface and use proper sizes for vector, level,
trig_mode but this is not urgent.

Signed-off-by: Vitaly Kuznetsov 
Signed-off-by: Paolo Bonzini 
Signed-off-by: Sasha Levin 
---
 arch/x86/kvm/trace.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 9807c314c4788..3bf41413ab151 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -438,13 +438,13 @@ TRACE_EVENT(kvm_apic_ipi,
 );
 
 TRACE_EVENT(kvm_apic_accept_irq,
-   TP_PROTO(__u32 apicid, __u16 dm, __u8 tm, __u8 vec),
+   TP_PROTO(__u32 apicid, __u16 dm, __u16 tm, __u8 vec),
TP_ARGS(apicid, dm, tm, vec),
 
TP_STRUCT__entry(
__field(__u32,  apicid  )
__field(__u16,  dm  )
-   __field(__u8,   tm  )
+   __field(__u16,  tm  )
__field(__u8,   vec )
),
 
-- 
2.20.1





[PATCH 4.14 031/115] MIPS: perf: ath79: Fix perfcount IRQ assignment

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit a1e8783db8e0d58891681bc1e6d9ada66eae8e20 ]

Currently it's not possible to use perf on ath79 due to genirq flags
mismatch happening on static virtual IRQ 13 which is used for
performance counters hardware IRQ 5.

On TP-Link Archer C7v5:

   CPU0
  2:  0  MIPS   2  ath9k
  4:318  MIPS   4  1900.eth
  7:  55034  MIPS   7  timer
  8:   1236  MISC   3  ttyS0
 12:  0  INTC   1  ehci_hcd:usb1
 13:  0  gpio-ath79   2  keys
 14:  0  gpio-ath79   5  keys
 15: 31  AR724X PCI1  ath10k_pci

 $ perf top
 genirq: Flags mismatch irq 13. 00014c83 (mips_perf_pmu) vs. 2003 (keys)

On TP-Link Archer C7v4:

 CPU0
  4:  0  MIPS   4  1900.eth
  5:   7135  MIPS   5  1a00.eth
  7:  98379  MIPS   7  timer
  8: 30  MISC   3  ttyS0
 12:  90028  INTC   0  ath9k
 13:   5520  INTC   1  ehci_hcd:usb1
 14:   4623  INTC   2  ehci_hcd:usb2
 15:  32844  AR724X PCI1  ath10k_pci
 16:  0  gpio-ath79  16  keys
 23:  0  gpio-ath79  23  keys

 $ perf top
 genirq: Flags mismatch irq 13. 00014c80 (mips_perf_pmu) vs. 0080 
(ehci_hcd:usb1)

This problem is happening, because currently statically assigned virtual
IRQ 13 for performance counters is not claimed during the initialization
of MIPS PMU during the bootup, so the IRQ subsystem doesn't know, that
this interrupt isn't available for further use.

So this patch fixes the issue by simply booking hardware IRQ 5 for MIPS PMU.

Tested-by: Kevin 'ldir' Darbyshire-Bryant 
Signed-off-by: Petr Štetiar 
Acked-by: John Crispin 
Acked-by: Marc Zyngier 
Signed-off-by: Paul Burton 
Cc: linux-m...@vger.kernel.org
Cc: Ralf Baechle 
Cc: James Hogan 
Cc: Thomas Gleixner 
Cc: Jason Cooper 
Signed-off-by: Sasha Levin 
---
 arch/mips/ath79/setup.c  |  6 --
 drivers/irqchip/irq-ath79-misc.c | 11 +++
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c
index 26a058d58d37b..c7c31e2148136 100644
--- a/arch/mips/ath79/setup.c
+++ b/arch/mips/ath79/setup.c
@@ -183,12 +183,6 @@ const char *get_system_type(void)
return ath79_sys_type;
 }
 
-int get_c0_perfcount_int(void)
-{
-   return ATH79_MISC_IRQ(5);
-}
-EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
-
 unsigned int get_c0_compare_int(void)
 {
return CP0_LEGACY_COMPARE_IRQ;
diff --git a/drivers/irqchip/irq-ath79-misc.c b/drivers/irqchip/irq-ath79-misc.c
index aa72907846360..0390603170b40 100644
--- a/drivers/irqchip/irq-ath79-misc.c
+++ b/drivers/irqchip/irq-ath79-misc.c
@@ -22,6 +22,15 @@
 #define AR71XX_RESET_REG_MISC_INT_ENABLE   4
 
 #define ATH79_MISC_IRQ_COUNT   32
+#define ATH79_MISC_PERF_IRQ5
+
+static int ath79_perfcount_irq;
+
+int get_c0_perfcount_int(void)
+{
+   return ath79_perfcount_irq;
+}
+EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
 
 static void ath79_misc_irq_handler(struct irq_desc *desc)
 {
@@ -113,6 +122,8 @@ static void __init ath79_misc_intc_domain_init(
 {
void __iomem *base = domain->host_data;
 
+   ath79_perfcount_irq = irq_create_mapping(domain, ATH79_MISC_PERF_IRQ);
+
/* Disable and clear all interrupts */
__raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_ENABLE);
__raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_STATUS);
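Review bot: The result of `irq_create_mapping(domain, ATH79_MISC_PERF_IRQ)` is stored without a check. That function returns 0 when no mapping could be created, and `get_c0_perfcount_int()` would then hand 0 to the perf code as if it were a usable interrupt. How the consumer treats 0 is outside this diff, so at minimum I would log the failure: `if (!ath79_perfcount_irq) pr_warn("ath79: no IRQ mapping for perf counters\n");`. `ath79_perfcount_irq` is also declared `int` while the mapping call returns an unsigned value, which is harmless for the numbers involved. The body of `ath79_misc_intc_domain_init()` continues past the hunk.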
-- 
2.20.1





[PATCH 4.14 032/115] s390: ctcm: fix ctcm_new_device error return code

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 27b141fc234a3670d21bd742c35d7205d03cbb3a ]

clang points out that the return code from this function is
undefined for one of the error paths:

../drivers/s390/net/ctcm_main.c:1595:7: warning: variable 'result' is used 
uninitialized whenever 'if' condition is true
  [-Wsometimes-uninitialized]
if (priv->channel[direction] == NULL) {
^~~~
../drivers/s390/net/ctcm_main.c:1638:9: note: uninitialized use occurs here
return result;
   ^~
../drivers/s390/net/ctcm_main.c:1595:3: note: remove the 'if' if its condition 
is always false
if (priv->channel[direction] == NULL) {
^~~
../drivers/s390/net/ctcm_main.c:1539:12: note: initialize the variable 'result' 
to silence this warning
int result;
  ^

Make it return -ENODEV here, as in the related failure cases.
gcc has a known bug in underreporting some of these warnings
when it has already eliminated the assignment of the return code
based on some earlier optimization step.

Reviewed-by: Nathan Chancellor 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Julian Wiedmann 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/s390/net/ctcm_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index 26363e0816fe4..fbe35c2ac8981 100644
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -1594,6 +1594,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev)
if (priv->channel[direction] == NULL) {
if (direction == CTCM_WRITE)
channel_free(priv->channel[CTCM_READ]);
+   result = -ENODEV;
goto out_dev;
}
priv->channel[direction]->netdev = dev;
-- 
2.20.1





[PATCH 4.14 026/115] mm: fix inactive list balancing between NUMA nodes and cgroups

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 3b991208b897f52507168374033771a984b947b1 ]

During !CONFIG_CGROUP reclaim, we expand the inactive list size if it's
thrashing on the node that is about to be reclaimed.  But when cgroups
are enabled, we suddenly ignore the node scope and use the cgroup scope
only.  The result is that pressure bleeds between NUMA nodes depending
on whether cgroups are merely compiled into Linux.  This behavioral
difference is unexpected and undesirable.

When the refault adaptivity of the inactive list was first introduced,
there were no statistics at the lruvec level - the intersection of node
and memcg - so it was better than nothing.

But now that we have that infrastructure, use lruvec_page_state() to
make the list balancing decision always NUMA aware.

[han...@cmpxchg.org: fix bisection hole]
  Link: http://lkml.kernel.org/r/20190417155241.gb23...@cmpxchg.org
Link: http://lkml.kernel.org/r/20190412144438.2645-1-han...@cmpxchg.org
Fixes: 2a2e48854d70 ("mm: vmscan: fix IO/refault regression in cache workingset 
transition")
Signed-off-by: Johannes Weiner 
Reviewed-by: Shakeel Butt 
Cc: Roman Gushchin 
Cc: Michal Hocko 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/vmscan.c | 29 +
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/mm/vmscan.c b/mm/vmscan.c
index 99837e931f531..7b140c967bca6 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2120,7 +2120,6 @@ static void shrink_active_list(unsigned long nr_to_scan,
  *   10TB 32032GB
  */
 static bool inactive_list_is_low(struct lruvec *lruvec, bool file,
-struct mem_cgroup *memcg,
 struct scan_control *sc, bool actual_reclaim)
 {
enum lru_list active_lru = file * LRU_FILE + LRU_ACTIVE;
@@ -2141,16 +2140,12 @@ static bool inactive_list_is_low(struct lruvec *lruvec, 
bool file,
inactive = lruvec_lru_size(lruvec, inactive_lru, sc->reclaim_idx);
active = lruvec_lru_size(lruvec, active_lru, sc->reclaim_idx);
 
-   if (memcg)
-   refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE);
-   else
-   refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE);
-
/*
 * When refaults are being observed, it means a new workingset
 * is being established. Disable active list protection to get
 * rid of the stale workingset quickly.
 */
+   refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE);
if (file && actual_reclaim && lruvec->refaults != refaults) {
inactive_ratio = 0;
} else {
@@ -2171,12 +2166,10 @@ static bool inactive_list_is_low(struct lruvec *lruvec, 
bool file,
 }
 
 static unsigned long shrink_list(enum lru_list lru, unsigned long nr_to_scan,
-struct lruvec *lruvec, struct mem_cgroup 
*memcg,
-struct scan_control *sc)
+struct lruvec *lruvec, struct scan_control *sc)
 {
if (is_active_lru(lru)) {
-   if (inactive_list_is_low(lruvec, is_file_lru(lru),
-memcg, sc, true))
+   if (inactive_list_is_low(lruvec, is_file_lru(lru), sc, true))
shrink_active_list(nr_to_scan, lruvec, sc, lru);
return 0;
}
@@ -2276,7 +2269,7 @@ static void get_scan_count(struct lruvec *lruvec, struct 
mem_cgroup *memcg,
 * anonymous pages on the LRU in eligible zones.
 * Otherwise, the small LRU gets thrashed.
 */
-   if (!inactive_list_is_low(lruvec, false, memcg, sc, 
false) &&
+   if (!inactive_list_is_low(lruvec, false, sc, false) &&
lruvec_lru_size(lruvec, LRU_INACTIVE_ANON, 
sc->reclaim_idx)
>> sc->priority) {
scan_balance = SCAN_ANON;
@@ -2294,7 +2287,7 @@ static void get_scan_count(struct lruvec *lruvec, struct 
mem_cgroup *memcg,
 * lruvec even if it has plenty of old anonymous pages unless the
 * system is under heavy pressure.
 */
-   if (!inactive_list_is_low(lruvec, true, memcg, sc, false) &&
+   if (!inactive_list_is_low(lruvec, true, sc, false) &&
lruvec_lru_size(lruvec, LRU_INACTIVE_FILE, sc->reclaim_idx) >> 
sc->priority) {
scan_balance = SCAN_FILE;
goto out;
@@ -2447,7 +2440,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, 
struct mem_cgroup *memc
nr[lru] -= nr_to_scan;
 
nr_reclaimed += shrink_list(lru, nr_to_scan,
-   lruvec, memcg, sc);
+   lruvec, sc);
}

[PATCH 4.14 027/115] init: initialize jump labels before command line option parsing

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 6041186a32585fc7a1d0f6cfe2f138b05fdc3c82 ]

When a module option, or core kernel argument, toggles a static-key it
requires jump labels to be initialized early.  While x86, PowerPC, and
ARM64 arrange for jump_label_init() to be called before parse_args(),
ARM does not.

  Kernel command line: rdinit=/sbin/init page_alloc.shuffle=1 panic=-1 
console=ttyAMA0,115200 page_alloc.shuffle=1
  [ cut here ]
  WARNING: CPU: 0 PID: 0 at ./include/linux/jump_label.h:303
  page_alloc_shuffle+0x12c/0x1ac
  static_key_enable(): static key 'page_alloc_shuffle_key+0x0/0x4' used
  before call to jump_label_init()
  Modules linked in:
  CPU: 0 PID: 0 Comm: swapper Not tainted
  5.1.0-rc4-next-20190410-3-g3367c36ce744 #1
  Hardware name: ARM Integrator/CP (Device Tree)
  [] (unwind_backtrace) from [] (show_stack+0x10/0x18)
  [] (show_stack) from [] (dump_stack+0x18/0x24)
  [] (dump_stack) from [] (__warn+0xe0/0x108)
  [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c)
  [] (warn_slowpath_fmt) from []
  (page_alloc_shuffle+0x12c/0x1ac)
  [] (page_alloc_shuffle) from [] (shuffle_store+0x28/0x48)
  [] (shuffle_store) from [] (parse_args+0x1f4/0x350)
  [] (parse_args) from [] (start_kernel+0x1c0/0x488)

Move the fallback call to jump_label_init() to occur before
parse_args().

The redundant calls to jump_label_init() in other archs are left intact
in case they have static key toggling use cases that are even earlier
than option parsing.

Link: 
http://lkml.kernel.org/r/155544804466.1032396.13418949511615676665.st...@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Dan Williams 
Reported-by: Guenter Roeck 
Reviewed-by: Kees Cook 
Cc: Mathieu Desnoyers 
Cc: Thomas Gleixner 
Cc: Mike Rapoport 
Cc: Russell King 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 init/main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/init/main.c b/init/main.c
index 3d3d79c5a2324..51067e2db509d 100644
--- a/init/main.c
+++ b/init/main.c
@@ -550,6 +550,8 @@ asmlinkage __visible void __init start_kernel(void)
page_alloc_init();
 
pr_notice("Kernel command line: %s\n", boot_command_line);
+   /* parameters may set static keys */
+   jump_label_init();
parse_early_param();
after_dashes = parse_args("Booting kernel",
  static_command_line, __start___param,
@@ -559,8 +561,6 @@ asmlinkage __visible void __init start_kernel(void)
parse_args("Setting init args", after_dashes, NULL, 0, -1, -1,
   NULL, set_init_arg);
 
-   jump_label_init();
-
/*
 * These use large bootmem allocations and must precede
 * kmem_cache_init()
-- 
2.20.1





[PATCH 4.14 030/115] netfilter: ctnetlink: dont use conntrack/expect object addresses as id

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ]

else, we leak the addresses to userspace via ctnetlink events
and dumps.

Compute an ID on demand based on the immutable parts of nf_conn struct.

Another advantage compared to using an address is that there is no
immediate re-use of the same ID in case the conntrack entry is freed and
reallocated again immediately.

Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID")
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 include/net/netfilter/nf_conntrack.h |  2 ++
 net/netfilter/nf_conntrack_core.c| 35 
 net/netfilter/nf_conntrack_netlink.c | 34 +++
 3 files changed, 66 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h 
b/include/net/netfilter/nf_conntrack.h
index 792c3f6d30ce8..93bbae8f96414 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -315,6 +315,8 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
 gfp_t flags);
 void nf_ct_tmpl_free(struct nf_conn *tmpl);
 
+u32 nf_ct_get_id(const struct nf_conn *ct);
+
 static inline void
 nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
 {
diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 06520bf30f294..fa49a627b6816 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -25,6 +25,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -300,6 +301,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
 }
 EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
 
+/* Generate a almost-unique pseudo-id for a given conntrack.
+ *
+ * intentionally doesn't re-use any of the seeds used for hash
+ * table location, we assume id gets exposed to userspace.
+ *
+ * Following nf_conn items do not change throughout lifetime
+ * of the nf_conn after it has been committed to main hash table:
+ *
+ * 1. nf_conn address
+ * 2. nf_conn->ext address
+ * 3. nf_conn->master address (normally NULL)
+ * 4. tuple
+ * 5. the associated net namespace
+ */
+u32 nf_ct_get_id(const struct nf_conn *ct)
+{
+   static __read_mostly siphash_key_t ct_id_seed;
+   unsigned long a, b, c, d;
+
+   net_get_random_once(_id_seed, sizeof(ct_id_seed));
+
+   a = (unsigned long)ct;
+   b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
+   c = (unsigned long)ct->ext;
+   d = (unsigned long)siphash(>tuplehash, sizeof(ct->tuplehash),
+  _id_seed);
+#ifdef CONFIG_64BIT
+   return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, _id_seed);
+#else
+   return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, _id_seed);
+#endif
+}
+EXPORT_SYMBOL_GPL(nf_ct_get_id);
+
 static void
 clean_from_lists(struct nf_conn *ct)
 {
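Review bot: The header comment on nf_ct_get_id() says the hashed fields are stable only once the nf_conn has been committed to the main hash table, but the function neither checks that precondition nor documents it for callers. If a caller passes an unconfirmed entry, the id it reports could differ from one computed later, for example if `ct->ext` were reallocated in between (an inference; this hunk does not show it). I would add a line to the comment such as `Callers must not rely on the id of an unconfirmed conntrack being stable.` and fix `a almost-unique` to `an almost-unique`. The comment could also say that the result is a keyed hash truncated to 32 bits, so userspace must treat it as an opaque handle that can collide.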
diff --git a/net/netfilter/nf_conntrack_netlink.c 
b/net/netfilter/nf_conntrack_netlink.c
index 48dab1403b2c7..c781c9a1a697f 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -29,6 +29,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -445,7 +446,9 @@ static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, 
struct nf_conn *ct)
 
 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
 {
-   if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
+   __be32 id = (__force __be32)nf_ct_get_id(ct);
+
+   if (nla_put_be32(skb, CTA_ID, id))
goto nla_put_failure;
return 0;
 
@@ -1179,8 +1182,9 @@ static int ctnetlink_del_conntrack(struct net *net, 
struct sock *ctnl,
ct = nf_ct_tuplehash_to_ctrack(h);
 
if (cda[CTA_ID]) {
-   u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
-   if (id != (u32)(unsigned long)ct) {
+   __be32 id = nla_get_be32(cda[CTA_ID]);
+
+   if (id != (__force __be32)nf_ct_get_id(ct)) {
nf_ct_put(ct);
return -ENOENT;
}
@@ -2521,6 +2525,25 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
 
 static const union nf_inet_addr any_addr;
 
+static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
+{
+   static __read_mostly siphash_key_t exp_id_seed;
+   unsigned long a, b, c, d;
+
+   net_get_random_once(_id_seed, sizeof(exp_id_seed));
+
+   a = (unsigned long)exp;
+   b = (unsigned long)exp->helper;
+   c = (unsigned long)exp->master;
+   d = (unsigned long)siphash(>tuple, sizeof(exp->tuple), 
_id_seed);
+
+#ifdef CONFIG_64BIT
+   return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, 
_id_seed);
+#else
+   return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, 
_id_seed);
+#endif
+}
+
 static int
 

[PATCH 4.14 036/115] drm/imx: dont skip DP channel disable for background plane

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 7bcde275eb1d0ac8793c77c7e666a886eb16633d ]

In order to make sure that the plane color space gets reset correctly.

Signed-off-by: Lucas Stach 
Signed-off-by: Philipp Zabel 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
index d976391dfa31c..957fbf8c55ebc 100644
--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
+++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
@@ -79,7 +79,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
if (disable_partial)
ipu_plane_disable(ipu_crtc->plane[1], true);
if (disable_full)
-   ipu_plane_disable(ipu_crtc->plane[0], false);
+   ipu_plane_disable(ipu_crtc->plane[0], true);
 }
 
 static void ipu_crtc_atomic_disable(struct drm_crtc *crtc,
-- 
2.20.1





[PATCH 4.14 008/115] libnvdimm/namespace: Fix a potential NULL pointer dereference

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 55c1fc0af29a6c1b92f217b7eb7581a882e0c07c ]

In case kmemdup fails, the fix goes to blk_err to avoid NULL
pointer dereference.

Signed-off-by: Kangjie Lu 
Signed-off-by: Dan Williams 
Signed-off-by: Sasha Levin 
---
 drivers/nvdimm/namespace_devs.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
index 50b01d3eadd9c..e3f228af59d1e 100644
--- a/drivers/nvdimm/namespace_devs.c
+++ b/drivers/nvdimm/namespace_devs.c
@@ -2234,9 +2234,12 @@ struct device *create_namespace_blk(struct nd_region 
*nd_region,
if (!nsblk->uuid)
goto blk_err;
memcpy(name, nd_label->name, NSLABEL_NAME_LEN);
-   if (name[0])
+   if (name[0]) {
nsblk->alt_name = kmemdup(name, NSLABEL_NAME_LEN,
GFP_KERNEL);
+   if (!nsblk->alt_name)
+   goto blk_err;
+   }
res = nsblk_add_resource(nd_region, ndd, nsblk,
__le64_to_cpu(nd_label->dpa));
if (!res)
-- 
2.20.1





[PATCH 4.14 034/115] selftests/net: correct the return value for run_netsocktests

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 30c04d796b693e22405c38e9b78e9a364e4c77e6 ]

The run_netsocktests script will be marked as passed regardless of the actual
test result from ./socket:

selftests: net: run_netsocktests


running socket test

[FAIL]
ok 1..6 selftests: net: run_netsocktests [PASS]

This is because the test script itself has been successfully executed.
Fix this by exit 1 when the test failed.

Signed-off-by: Po-Hsu Lin 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 tools/testing/selftests/net/run_netsocktests | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/run_netsocktests 
b/tools/testing/selftests/net/run_netsocktests
index b093f39c298c3..14e41faf2c574 100755
--- a/tools/testing/selftests/net/run_netsocktests
+++ b/tools/testing/selftests/net/run_netsocktests
@@ -7,7 +7,7 @@ echo ""
 ./socket
 if [ $? -ne 0 ]; then
echo "[FAIL]"
+   exit 1
 else
echo "[PASS]"
 fi
-
-- 
2.20.1





[PATCH 4.14 011/115] HID: input: add mapping for "Toggle Display" key

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit c01908a14bf735b871170092807c618bb9dae654 ]

According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved
for switching between external and internal display, so let's add the
mapping.

Signed-off-by: Dmitry Torokhov 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-input.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index f736bdf774dd8..d723185de3ba2 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input 
*hidinput, struct hid_fiel
break;
}
 
+   if ((usage->hid & 0xf0) == 0xb0) {  /* SC - Display */
+   switch (usage->hid & 0xf) {
+   case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break;
+   default: goto ignore;
+   }
+   break;
+   }
+
/*
 * Some lazy vendors declare 255 usages for System Control,
 * leading to the creation of ABS_X|Y axis and too many others.
-- 
2.20.1





[PATCH 4.14 010/115] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 ]

According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page
correspond to Brightness Up/Down/Toggle keys, so let's add the mappings.

Signed-off-by: Dmitry Torokhov 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-input.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 693cd19e9dd40..f736bdf774dd8 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -886,6 +886,10 @@ static void hidinput_configure_usage(struct hid_input 
*hidinput, struct hid_fiel
case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX);  break;
case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break;
 
+   case 0x079: map_key_clear(KEY_KBDILLUMUP);  break;
+   case 0x07a: map_key_clear(KEY_KBDILLUMDOWN);break;
+   case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE);  break;
+
case 0x082: map_key_clear(KEY_VIDEO_NEXT);  break;
case 0x083: map_key_clear(KEY_LAST);break;
case 0x084: map_key_clear(KEY_ENTER);   break;
-- 
2.20.1





[PATCH 4.14 041/115] sparc64: Make corrupted user stacks more debuggable.

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 5b4fc3882a649c9411dd0dcad2ddb78e911d340e ]

Right now if we get a corrupted user stack frame we do a
do_exit(SIGILL) which is not helpful.

If under a debugger, this behavior causes the inferior process to
exit.  So the register and other state cannot be examined at the time
of the event.

Instead, conditionally log a rate limited kernel log message and then
force a SIGSEGV.

With bits and ideas borrowed (as usual) from powerpc.

Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 arch/sparc/include/asm/switch_to_64.h |  3 ++-
 arch/sparc/kernel/process_64.c| 25 +++--
 arch/sparc/kernel/rtrap_64.S  |  1 +
 arch/sparc/kernel/signal32.c  | 12 ++--
 arch/sparc/kernel/signal_64.c |  6 +-
 5 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/arch/sparc/include/asm/switch_to_64.h 
b/arch/sparc/include/asm/switch_to_64.h
index 4ff29b1406a9b..b1d4e2e3210fb 100644
--- a/arch/sparc/include/asm/switch_to_64.h
+++ b/arch/sparc/include/asm/switch_to_64.h
@@ -67,6 +67,7 @@ do {  save_and_clear_fpu();   
\
 } while(0)
 
 void synchronize_user_stack(void);
-void fault_in_user_windows(void);
+struct pt_regs;
+void fault_in_user_windows(struct pt_regs *);
 
 #endif /* __SPARC64_SWITCH_TO_64_H */
diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
index 318efd784a0b3..5640131e2abf3 100644
--- a/arch/sparc/kernel/process_64.c
+++ b/arch/sparc/kernel/process_64.c
@@ -36,6 +36,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -528,7 +529,12 @@ static void stack_unaligned(unsigned long sp)
force_sig_info(SIGBUS, , current);
 }
 
-void fault_in_user_windows(void)
+static const char uwfault32[] = KERN_INFO \
+   "%s[%d]: bad register window fault: SP %08lx (orig_sp %08lx) TPC %08lx 
O7 %08lx\n";
+static const char uwfault64[] = KERN_INFO \
+   "%s[%d]: bad register window fault: SP %016lx (orig_sp %016lx) TPC 
%08lx O7 %016lx\n";
+
+void fault_in_user_windows(struct pt_regs *regs)
 {
struct thread_info *t = current_thread_info();
unsigned long window;
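Review bot: Both format strings label the last value `O7`, while the printk_ratelimited() call added in a later hunk of this file passes `regs->u_regs[UREG_I7]`, so the label and the argument do not obviously match. If this is intentional (presumably the user's %o7 is held in the trap frame's I7 slot), a one-line comment above the strings such as `/* pt_regs UREG_I7 holds the user's %o7 */` would spare the next reader from suspecting a bug. Separately, `uwfault64` prints TPC with `%08lx` while every other field in that string uses `%016lx`; the width is only a minimum so nothing is truncated, but `TPC %016lx` would keep the 64-bit line consistent. fault_in_user_windows() continues outside this hunk.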
@@ -541,9 +547,9 @@ void fault_in_user_windows(void)
do {
struct reg_window *rwin = >reg_window[window];
int winsize = sizeof(struct reg_window);
-   unsigned long sp;
+   unsigned long sp, orig_sp;
 
-   sp = t->rwbuf_stkptrs[window];
+   orig_sp = sp = t->rwbuf_stkptrs[window];
 
if (test_thread_64bit_stack(sp))
sp += STACK_BIAS;
@@ -554,8 +560,16 @@ void fault_in_user_windows(void)
stack_unaligned(sp);
 
if (unlikely(copy_to_user((char __user *)sp,
- rwin, winsize)))
+ rwin, winsize))) {
+   if (show_unhandled_signals)
+   printk_ratelimited(is_compat_task() ?
+  uwfault32 : 
uwfault64,
+  current->comm, 
current->pid,
+  sp, orig_sp,
+  regs->tpc,
+  
regs->u_regs[UREG_I7]);
goto barf;
+   }
} while (window--);
}
set_thread_wsaved(0);
@@ -563,8 +577,7 @@ void fault_in_user_windows(void)
 
 barf:
set_thread_wsaved(window + 1);
-   user_exit();
-   do_exit(SIGILL);
+   force_sig(SIGSEGV, current);
 }
 
 asmlinkage long sparc_do_fork(unsigned long clone_flags,
diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
index 0b21042ab181b..ad88d60bb740c 100644
--- a/arch/sparc/kernel/rtrap_64.S
+++ b/arch/sparc/kernel/rtrap_64.S
@@ -30,6 +30,7 @@ __handle_preemption:
 wrpr   %g0, RTRAP_PSTATE_IRQOFF, %pstate
 
 __handle_user_windows:
+   add %sp, PTREGS_OFF, %o0
callfault_in_user_windows
 wrpr   %g0, RTRAP_PSTATE, %pstate
ba,pt   %xcc, __handle_preemption_continue
diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c
index 5c572de64c748..879f8d86bc21c 100644
--- a/arch/sparc/kernel/signal32.c
+++ b/arch/sparc/kernel/signal32.c
@@ -442,7 +442,11 @@ static int setup_frame32(struct ksignal *ksig, struct 
pt_regs *regs,
get_sigframe(ksig, regs, sigframe_size);

if (invalid_frame_pointer(sf, sigframe_size)) {
-   do_exit(SIGILL);
+   

[PATCH 4.14 009/115] HID: input: add mapping for Expose/Overview key

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f ]

According to HUTRR77 usage 0x29f from the consumer page is reserved for
the Desktop application to present all running user’s application windows.
Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's
add the mapping.

Signed-off-by: Dmitry Torokhov 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-input.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 1aa7d268686b9..693cd19e9dd40 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1017,6 +1017,8 @@ static void hidinput_configure_usage(struct hid_input 
*hidinput, struct hid_fiel
case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT);   break;
case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL);   break;
 
+   case 0x29f: map_key_clear(KEY_SCALE);   break;
+
default: map_key_clear(KEY_UNKNOWN);
}
break;
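Review bot: `case 0x29f` is added after `case 0x2cc`, which breaks the ascending usage order that the neighbouring cases in this switch appear to follow. Moving it ahead of the 0x2cb/0x2cc entries would keep the table easy to scan and make an accidental duplicate case easier to spot. The switch and hidinput_configure_usage() both extend beyond this hunk, so the exact insertion point has to be chosen against the full file.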
-- 
2.20.1





[PATCH 4.14 051/115] media: adv7842: when the EDID is cleared, unconfigure CEC as well

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit ab83203e181015b099720aff43ffabc1812e0fb3 ]

When there is no EDID the CEC adapter should be unconfigured as
well. So call cec_phys_addr_invalidate() when this happens.

Signed-off-by: Hans Verkuil 
Cc:   # for v4.18 and up
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/media/i2c/adv7842.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
index f9c23173c9fa0..dcce8d030e5db 100644
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -799,8 +799,10 @@ static int edid_write_hdmi_segment(struct v4l2_subdev *sd, 
u8 port)
/* Disable I2C access to internal EDID ram from HDMI DDC ports */
rep_write_and_or(sd, 0x77, 0xf3, 0x00);
 
-   if (!state->hdmi_edid.present)
+   if (!state->hdmi_edid.present) {
+   cec_phys_addr_invalidate(state->cec_adap);
return 0;
+   }
 
pa = cec_get_edid_phys_addr(edid, 256, _loc);
err = cec_phys_addr_validate(pa, , NULL);
-- 
2.20.1





[PATCH 4.14 043/115] bcache: correct dirty data statistics

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 2e17a262a2371d38d2ec03614a2675a32cef9912 ]

When a bcache device is clean, dirty keys may still exist after
journal replay, so we need to count these dirty keys even when the
device is in clean status; otherwise, after writeback, the amount
of dirty data would be incorrect.

Signed-off-by: Tang Junhui 
Cc: sta...@vger.kernel.org
Signed-off-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Sasha Levin 
---
 drivers/md/bcache/super.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index fe6e4c319b7cf..9e875aba41b9b 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1045,12 +1045,13 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct 
cache_set *c,
}
 
if (BDEV_STATE(>sb) == BDEV_STATE_DIRTY) {
-   bch_sectors_dirty_init(>disk);
atomic_set(>has_dirty, 1);
atomic_inc(>count);
bch_writeback_queue(dc);
}
 
+   bch_sectors_dirty_init(>disk);
+
bch_cached_dev_run(dc);
bcache_device_link(>disk, c, "bdev");
 
-- 
2.20.1





[PATCH 4.14 045/115] IB/rxe: Revise the ib_wr_opcode enum

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 9a59739bd01f77db6fbe2955a4fce165f0f43568 ]

This enum has become part of the uABI, as both RXE and the
ib_uverbs_post_send() command expect userspace to supply values from this
enum. So it should be properly placed in include/uapi/rdma.

In userspace this enum is called 'enum ibv_wr_opcode' as part of
libibverbs.h. That enum defines different values for IB_WR_LOCAL_INV,
IB_WR_SEND_WITH_INV, and IB_WR_LSO. These were introduced (incorrectly, it
turns out) into libibverbs in 2015.

The kernel has changed its mind on the numbering for several of the IB_WC
values over the years, but has remained stable on IB_WR_LOCAL_INV and
below.

Based on this we can conclude that there is no real user space user of the
values beyond IB_WR_ATOMIC_FETCH_AND_ADD, as they have never worked via
rdma-core. This is confirmed by inspection, only rxe uses the kernel enum
and implements the latter operations. rxe has clearly never worked with
these attributes from userspace. Other drivers that support these opcodes
implement the functionality without calling out to the kernel.

To make IB_WR_SEND_WITH_INV and related work for RXE in userspace we
choose to renumber the IB_WR enum in the kernel to match the uABI that
userspace has been using since before Soft RoCE was merged. This is an
overall simpler configuration for the whole software stack, and obviously
can't break anything existing.

Reported-by: Seth Howell 
Tested-by: Seth Howell 
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Cc: 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Sasha Levin 
---
 include/rdma/ib_verbs.h   | 34 ++-
 include/uapi/rdma/ib_user_verbs.h | 20 +-
 2 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 5a24b4c700e59..9e76b2410d03f 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1251,21 +1251,27 @@ struct ib_qp_attr {
 };
 
 enum ib_wr_opcode {
-   IB_WR_RDMA_WRITE,
-   IB_WR_RDMA_WRITE_WITH_IMM,
-   IB_WR_SEND,
-   IB_WR_SEND_WITH_IMM,
-   IB_WR_RDMA_READ,
-   IB_WR_ATOMIC_CMP_AND_SWP,
-   IB_WR_ATOMIC_FETCH_AND_ADD,
-   IB_WR_LSO,
-   IB_WR_SEND_WITH_INV,
-   IB_WR_RDMA_READ_WITH_INV,
-   IB_WR_LOCAL_INV,
-   IB_WR_REG_MR,
-   IB_WR_MASKED_ATOMIC_CMP_AND_SWP,
-   IB_WR_MASKED_ATOMIC_FETCH_AND_ADD,
+   /* These are shared with userspace */
+   IB_WR_RDMA_WRITE = IB_UVERBS_WR_RDMA_WRITE,
+   IB_WR_RDMA_WRITE_WITH_IMM = IB_UVERBS_WR_RDMA_WRITE_WITH_IMM,
+   IB_WR_SEND = IB_UVERBS_WR_SEND,
+   IB_WR_SEND_WITH_IMM = IB_UVERBS_WR_SEND_WITH_IMM,
+   IB_WR_RDMA_READ = IB_UVERBS_WR_RDMA_READ,
+   IB_WR_ATOMIC_CMP_AND_SWP = IB_UVERBS_WR_ATOMIC_CMP_AND_SWP,
+   IB_WR_ATOMIC_FETCH_AND_ADD = IB_UVERBS_WR_ATOMIC_FETCH_AND_ADD,
+   IB_WR_LSO = IB_UVERBS_WR_TSO,
+   IB_WR_SEND_WITH_INV = IB_UVERBS_WR_SEND_WITH_INV,
+   IB_WR_RDMA_READ_WITH_INV = IB_UVERBS_WR_RDMA_READ_WITH_INV,
+   IB_WR_LOCAL_INV = IB_UVERBS_WR_LOCAL_INV,
+   IB_WR_MASKED_ATOMIC_CMP_AND_SWP =
+   IB_UVERBS_WR_MASKED_ATOMIC_CMP_AND_SWP,
+   IB_WR_MASKED_ATOMIC_FETCH_AND_ADD =
+   IB_UVERBS_WR_MASKED_ATOMIC_FETCH_AND_ADD,
+
+   /* These are kernel only and can not be issued by userspace */
+   IB_WR_REG_MR = 0x20,
IB_WR_REG_SIG_MR,
+
/* reserve values for low level drivers' internal use.
 * These values will not be used at all in the ib core layer.
 */
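Review bot: The new comment says the opcodes from `IB_WR_REG_MR = 0x20` upward `can not be issued by userspace`, but nothing in this hunk enforces that, and `opcode` in `struct ib_uverbs_send_wr` is a plain `__u32` supplied by userspace. It is worth confirming that the uverbs post-send path and rxe reject any value outside `enum ib_uverbs_wr_opcode` (neither is shown here) and naming in the comment where that check lives. A build-time guard such as `BUILD_BUG_ON(IB_UVERBS_WR_MASKED_ATOMIC_FETCH_AND_ADD >= IB_WR_REG_MR);` would also keep the shared range and the kernel-only range from overlapping if the uapi enum grows. `IB_UVERBS_WR_BIND_MW` has no counterpart in the kernel enum, so value 8 must be treated as unknown on the kernel side. The enum continues outside this hunk.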
diff --git a/include/uapi/rdma/ib_user_verbs.h 
b/include/uapi/rdma/ib_user_verbs.h
index e0e83a105953a..e11b4def8630f 100644
--- a/include/uapi/rdma/ib_user_verbs.h
+++ b/include/uapi/rdma/ib_user_verbs.h
@@ -751,10 +751,28 @@ struct ib_uverbs_sge {
__u32 lkey;
 };
 
+enum ib_uverbs_wr_opcode {
+   IB_UVERBS_WR_RDMA_WRITE = 0,
+   IB_UVERBS_WR_RDMA_WRITE_WITH_IMM = 1,
+   IB_UVERBS_WR_SEND = 2,
+   IB_UVERBS_WR_SEND_WITH_IMM = 3,
+   IB_UVERBS_WR_RDMA_READ = 4,
+   IB_UVERBS_WR_ATOMIC_CMP_AND_SWP = 5,
+   IB_UVERBS_WR_ATOMIC_FETCH_AND_ADD = 6,
+   IB_UVERBS_WR_LOCAL_INV = 7,
+   IB_UVERBS_WR_BIND_MW = 8,
+   IB_UVERBS_WR_SEND_WITH_INV = 9,
+   IB_UVERBS_WR_TSO = 10,
+   IB_UVERBS_WR_RDMA_READ_WITH_INV = 11,
+   IB_UVERBS_WR_MASKED_ATOMIC_CMP_AND_SWP = 12,
+   IB_UVERBS_WR_MASKED_ATOMIC_FETCH_AND_ADD = 13,
+   /* Review enum ib_wr_opcode before modifying this */
+};
+
 struct ib_uverbs_send_wr {
__u64 wr_id;
__u32 num_sge;
-   __u32 opcode;
+   __u32 opcode;   /* see enum ib_uverbs_wr_opcode */
__u32 send_flags;
union {
__u32 imm_data;
-- 
2.20.1





[PATCH 4.14 012/115] libnvdimm/btt: Fix a kmemdup failure check

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 486fa92df4707b5df58d6508728bdb9321a59766 ]

In case kmemdup fails, the fix releases resources and returns to
avoid the NULL pointer dereference.

Signed-off-by: Aditya Pakki 
Signed-off-by: Dan Williams 
Signed-off-by: Sasha Levin 
---
 drivers/nvdimm/btt_devs.c | 18 +-
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c
index d58925295aa79..e610dd890263b 100644
--- a/drivers/nvdimm/btt_devs.c
+++ b/drivers/nvdimm/btt_devs.c
@@ -190,14 +190,15 @@ static struct device *__nd_btt_create(struct nd_region 
*nd_region,
return NULL;
 
nd_btt->id = ida_simple_get(_region->btt_ida, 0, 0, GFP_KERNEL);
-   if (nd_btt->id < 0) {
-   kfree(nd_btt);
-   return NULL;
-   }
+   if (nd_btt->id < 0)
+   goto out_nd_btt;
 
nd_btt->lbasize = lbasize;
-   if (uuid)
+   if (uuid) {
uuid = kmemdup(uuid, 16, GFP_KERNEL);
+   if (!uuid)
+   goto out_put_id;
+   }
nd_btt->uuid = uuid;
dev = _btt->dev;
dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id);
@@ -212,6 +213,13 @@ static struct device *__nd_btt_create(struct nd_region 
*nd_region,
return NULL;
}
return dev;
+
+out_put_id:
+   ida_simple_remove(_region->btt_ida, nd_btt->id);
+
+out_nd_btt:
+   kfree(nd_btt);
+   return NULL;
 }
 
 struct device *nd_btt_create(struct nd_region *nd_region)
-- 
2.20.1





RE: [PATCH V2 1/2] soc: imx: Add SCU SoC info driver support

2019-05-15 Thread Anson Huang


> -Original Message-
> From: Daniel Baluta [mailto:daniel.bal...@gmail.com]
> Sent: Wednesday, May 15, 2019 7:47 PM
> To: Anson Huang 
> Cc: catalin.mari...@arm.com; will.dea...@arm.com;
> shawn...@kernel.org; s.ha...@pengutronix.de; ker...@pengutronix.de;
> feste...@gmail.com; agr...@kernel.org; maxime.rip...@bootlin.com;
> o...@lixom.net; horms+rene...@verge.net.au;
> ja...@amarulasolutions.com; bjorn.anders...@linaro.org; Leonard Crestez
> ; marc.w.gonza...@free.fr;
> dingu...@kernel.org; enric.balle...@collabora.com;
> l.st...@pengutronix.de; Abel Vesa ; r...@kernel.org;
> linux-arm-ker...@lists.infradead.org; linux-kernel@vger.kernel.org; dl-linux-
> imx 
> Subject: Re: [PATCH V2 1/2] soc: imx: Add SCU SoC info driver support
> 
> Hi Anson,
> 
> Since you are going to send a new version for this please consider my
> comment inline.
> 
> 
> 
> > +static u32 imx8qxp_soc_revision(void) {
> > +   struct imx_sc_msg_misc_get_soc_id msg;
> > +   struct imx_sc_rpc_msg *hdr = 
> > +   u32 rev = 0;
> 
> No need to initialize this here.
> 
> > +   int ret;
> > +
> > +   hdr->ver = IMX_SC_RPC_VERSION;
> > +   hdr->svc = IMX_SC_RPC_SVC_MISC;
> > +   hdr->func = IMX_SC_MISC_FUNC_GET_CONTROL;
> > +   hdr->size = 3;
> > +
> > +   msg.data.send.control = IMX_SC_C_ID;
> > +   msg.data.send.resource = IMX_SC_R_SYSTEM;
> > +
> > +   ret = imx_scu_call_rpc(soc_ipc_handle, , true);
> > +   if (ret) {
> > +   dev_err(_scu_soc_pdev->dev,
> > +   "get soc info failed, ret %d\n", ret);
> > +   /* return 0 means getting revision failed */
> 
> Just return 0 here. No need for rev.

OK, thanks.

Anson.

> > +   return rev;
> > +   }
> > +


[PATCH 4.14 066/115] arm64: KVM: Make VHE Stage-2 TLB invalidation operations non-interruptible

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit c987876a80e7bcb98a839f10dca9ce7fda4feced ]

Contrary to the non-VHE version of the TLB invalidation helpers, the VHE
code  has interrupts enabled, meaning that we can take an interrupt in
the middle of such a sequence, and start running something else with
HCR_EL2.TGE cleared.

That's really not a good idea.

Take the heavy-handed option and disable interrupts in
__tlb_switch_to_guest_vhe, restoring them in __tlb_switch_to_host_vhe.
The latter also gains an ISB in order to make sure that TGE really has
taken effect.

Cc: sta...@vger.kernel.org
Acked-by: Christoffer Dall 
Reviewed-by: James Morse 
Signed-off-by: Marc Zyngier 
Signed-off-by: Will Deacon 
Signed-off-by: Sasha Levin 
---
 arch/arm64/kvm/hyp/tlb.c | 35 +--
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/arch/arm64/kvm/hyp/tlb.c b/arch/arm64/kvm/hyp/tlb.c
index 73464a96c3657..db23c6e5c885c 100644
--- a/arch/arm64/kvm/hyp/tlb.c
+++ b/arch/arm64/kvm/hyp/tlb.c
@@ -15,13 +15,18 @@
  * along with this program.  If not, see .
  */
 
+#include 
+
 #include 
 #include 
 
-static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm)
+static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm,
+unsigned long *flags)
 {
u64 val;
 
+   local_irq_save(*flags);
+
/*
 * With VHE enabled, we have HCR_EL2.{E2H,TGE} = {1,1}, and
 * most TLB operations target EL2/EL0. In order to affect the
@@ -36,7 +41,8 @@ static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm 
*kvm)
isb();
 }
 
-static void __hyp_text __tlb_switch_to_guest_nvhe(struct kvm *kvm)
+static void __hyp_text __tlb_switch_to_guest_nvhe(struct kvm *kvm,
+ unsigned long *flags)
 {
write_sysreg(kvm->arch.vttbr, vttbr_el2);
isb();
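Review bot: __tlb_switch_to_guest_nvhe() now takes `flags` but never writes through it, so on the non-VHE path the callers (__kvm_tlb_flush_vmid_ipa, __kvm_tlb_flush_vmid and __kvm_tlb_flush_local_vmid in the later hunks) pass an uninitialised `flags` by value to __tlb_switch_to_host(). __tlb_switch_to_host_nvhe() ignores the argument, so nothing misbehaves, but it reads like a bug and may draw uninitialised-variable warnings from static analysers. I would document this on both nVHE helpers with a comment such as `/* flags is unused here: only the VHE path needs to mask interrupts */`. The function's closing brace lies outside this hunk.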
@@ -47,7 +53,8 @@ static hyp_alternate_select(__tlb_switch_to_guest,
__tlb_switch_to_guest_vhe,
ARM64_HAS_VIRT_HOST_EXTN);
 
-static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm)
+static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm,
+   unsigned long flags)
 {
/*
 * We're done with the TLB operation, let's restore the host's
@@ -55,9 +62,12 @@ static void __hyp_text __tlb_switch_to_host_vhe(struct kvm 
*kvm)
 */
write_sysreg(0, vttbr_el2);
write_sysreg(HCR_HOST_VHE_FLAGS, hcr_el2);
+   isb();
+   local_irq_restore(flags);
 }
 
-static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm)
+static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm,
+unsigned long flags)
 {
write_sysreg(0, vttbr_el2);
 }
@@ -69,11 +79,13 @@ static hyp_alternate_select(__tlb_switch_to_host,
 
 void __hyp_text __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa)
 {
+   unsigned long flags;
+
dsb(ishst);
 
/* Switch to requested VMID */
kvm = kern_hyp_va(kvm);
-   __tlb_switch_to_guest()(kvm);
+   __tlb_switch_to_guest()(kvm, );
 
/*
 * We could do so much better if we had the VA as well.
@@ -116,36 +128,39 @@ void __hyp_text __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, 
phys_addr_t ipa)
if (!has_vhe() && icache_is_vpipt())
__flush_icache_all();
 
-   __tlb_switch_to_host()(kvm);
+   __tlb_switch_to_host()(kvm, flags);
 }
 
 void __hyp_text __kvm_tlb_flush_vmid(struct kvm *kvm)
 {
+   unsigned long flags;
+
dsb(ishst);
 
/* Switch to requested VMID */
kvm = kern_hyp_va(kvm);
-   __tlb_switch_to_guest()(kvm);
+   __tlb_switch_to_guest()(kvm, );
 
__tlbi(vmalls12e1is);
dsb(ish);
isb();
 
-   __tlb_switch_to_host()(kvm);
+   __tlb_switch_to_host()(kvm, flags);
 }
 
 void __hyp_text __kvm_tlb_flush_local_vmid(struct kvm_vcpu *vcpu)
 {
struct kvm *kvm = kern_hyp_va(kern_hyp_va(vcpu)->kvm);
+   unsigned long flags;
 
/* Switch to requested VMID */
-   __tlb_switch_to_guest()(kvm);
+   __tlb_switch_to_guest()(kvm, );
 
__tlbi(vmalle1);
dsb(nsh);
isb();
 
-   __tlb_switch_to_host()(kvm);
+   __tlb_switch_to_host()(kvm, flags);
 }
 
 void __hyp_text __kvm_flush_vm_context(void)
-- 
2.20.1





[PATCH 4.14 065/115] mm: introduce mm_[p4d|pud|pmd]_folded

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 1071fc5779d9846fec56a4ff6089ab08cac1ab72 ]

Add three architecture overrideable functions to test if the
p4d, pud, or pmd layer of a page table is folded or not.

Acked-by: Kirill A. Shutemov 
Signed-off-by: Martin Schwidefsky 
Signed-off-by: Sasha Levin 
---
 include/asm-generic/pgtable.h | 16 
 1 file changed, 16 insertions(+)

diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
index f00421dfacbd0..0c21014a38f23 100644
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -1081,4 +1081,20 @@ static inline bool arch_has_pfn_modify_check(void)
 #endif
 #endif
 
+/*
+ * On some architectures it depends on the mm if the p4d/pud or pmd
+ * layer of the page table hierarchy is folded or not.
+ */
+#ifndef mm_p4d_folded
+#define mm_p4d_folded(mm)  __is_defined(__PAGETABLE_P4D_FOLDED)
+#endif
+
+#ifndef mm_pud_folded
+#define mm_pud_folded(mm)  __is_defined(__PAGETABLE_PUD_FOLDED)
+#endif
+
+#ifndef mm_pmd_folded
+#define mm_pmd_folded(mm)  __is_defined(__PAGETABLE_PMD_FOLDED)
+#endif
+
 #endif /* _ASM_GENERIC_PGTABLE_H */
-- 
2.20.1





[PATCH 4.14 071/115] RDMA/vmw_pvrdma: Return the correct opcode when creating WR

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 6325e01b6cdf4636b721cf7259c1616e3cf28ce2 ]

Since the IB_WR_REG_MR opcode value changed, let's set the PVRDMA device
opcodes explicitly.

Reported-by: Ruishuang Wang 
Fixes: 9a59739bd01f ("IB/rxe: Revise the ib_wr_opcode enum")
Cc: sta...@vger.kernel.org
Reviewed-by: Bryan Tan 
Reviewed-by: Ruishuang Wang 
Reviewed-by: Vishnu Dasa 
Signed-off-by: Adit Ranadive 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Sasha Levin 
---
 drivers/infiniband/hw/vmw_pvrdma/pvrdma.h| 35 +++-
 drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c |  6 
 include/uapi/rdma/vmw_pvrdma-abi.h   |  1 +
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h 
b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
index 984aa3484928d..4463e1c1a764e 100644
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
@@ -407,7 +407,40 @@ static inline enum ib_qp_state pvrdma_qp_state_to_ib(enum 
pvrdma_qp_state state)
 
 static inline enum pvrdma_wr_opcode ib_wr_opcode_to_pvrdma(enum ib_wr_opcode 
op)
 {
-   return (enum pvrdma_wr_opcode)op;
+   switch (op) {
+   case IB_WR_RDMA_WRITE:
+   return PVRDMA_WR_RDMA_WRITE;
+   case IB_WR_RDMA_WRITE_WITH_IMM:
+   return PVRDMA_WR_RDMA_WRITE_WITH_IMM;
+   case IB_WR_SEND:
+   return PVRDMA_WR_SEND;
+   case IB_WR_SEND_WITH_IMM:
+   return PVRDMA_WR_SEND_WITH_IMM;
+   case IB_WR_RDMA_READ:
+   return PVRDMA_WR_RDMA_READ;
+   case IB_WR_ATOMIC_CMP_AND_SWP:
+   return PVRDMA_WR_ATOMIC_CMP_AND_SWP;
+   case IB_WR_ATOMIC_FETCH_AND_ADD:
+   return PVRDMA_WR_ATOMIC_FETCH_AND_ADD;
+   case IB_WR_LSO:
+   return PVRDMA_WR_LSO;
+   case IB_WR_SEND_WITH_INV:
+   return PVRDMA_WR_SEND_WITH_INV;
+   case IB_WR_RDMA_READ_WITH_INV:
+   return PVRDMA_WR_RDMA_READ_WITH_INV;
+   case IB_WR_LOCAL_INV:
+   return PVRDMA_WR_LOCAL_INV;
+   case IB_WR_REG_MR:
+   return PVRDMA_WR_FAST_REG_MR;
+   case IB_WR_MASKED_ATOMIC_CMP_AND_SWP:
+   return PVRDMA_WR_MASKED_ATOMIC_CMP_AND_SWP;
+   case IB_WR_MASKED_ATOMIC_FETCH_AND_ADD:
+   return PVRDMA_WR_MASKED_ATOMIC_FETCH_AND_ADD;
+   case IB_WR_REG_SIG_MR:
+   return PVRDMA_WR_REG_SIG_MR;
+   default:
+   return PVRDMA_WR_ERROR;
+   }
 }
 
 static inline enum ib_wc_status pvrdma_wc_status_to_ib(
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c 
b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c
index d7162f2b7979a..4d9c99dd366b1 100644
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c
@@ -695,6 +695,12 @@ int pvrdma_post_send(struct ib_qp *ibqp, struct ib_send_wr 
*wr,
wr->opcode == IB_WR_RDMA_WRITE_WITH_IMM)
wqe_hdr->ex.imm_data = wr->ex.imm_data;
 
+   if (unlikely(wqe_hdr->opcode == PVRDMA_WR_ERROR)) {
+   *bad_wr = wr;
+   ret = -EINVAL;
+   goto out;
+   }
+
switch (qp->ibqp.qp_type) {
case IB_QPT_GSI:
case IB_QPT_UD:
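Review bot: The PVRDMA_WR_ERROR check in pvrdma_post_send runs after the WQE header has already been partly filled: the context lines directly above it store `wr->ex.imm_data` into `wqe_hdr`, and the opcode field it tests must have been written earlier still. Rejecting the request before touching the ring slot would keep an unsupported work request from leaving partial data there, for example by converting once into a local, `enum pvrdma_wr_opcode op = ib_wr_opcode_to_pvrdma(wr->opcode);`, and testing `op == PVRDMA_WR_ERROR` before `wqe_hdr` is populated. Presumably the `out` path does not publish the slot to the device, so this is about ordering and clarity rather than a device-visible fault. The function starts and ends outside the hunk.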
diff --git a/include/uapi/rdma/vmw_pvrdma-abi.h 
b/include/uapi/rdma/vmw_pvrdma-abi.h
index 912ea1556a0b0..fd801c7be1204 100644
--- a/include/uapi/rdma/vmw_pvrdma-abi.h
+++ b/include/uapi/rdma/vmw_pvrdma-abi.h
@@ -76,6 +76,7 @@ enum pvrdma_wr_opcode {
PVRDMA_WR_MASKED_ATOMIC_FETCH_AND_ADD,
PVRDMA_WR_BIND_MW,
PVRDMA_WR_REG_SIG_MR,
+   PVRDMA_WR_ERROR,
 };
 
 enum pvrdma_wc_status {
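Review bot: PVRDMA_WR_ERROR is appended to a uapi enum whose other members are opcodes the device understands, with nothing marking it as a driver-side sentinel. A comment such as `/* Not a device opcode: returned for an ib_wr_opcode with no PVRDMA equivalent */` would keep it from being read as part of the device ABI. Its value is implicit (one past PVRDMA_WR_REG_SIG_MR), so any later addition to this enum has to account for it.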
-- 
2.20.1





[PATCH 4.14 064/115] x86/vdso: Pass --eh-frame-hdr to the linker

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit cd01544a268ad8ee5b1dfe42c4393f1095f86879 ]

Commit

  379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")

accidentally broke unwinding from userspace, because ld would strip the
.eh_frame sections when linking.

Originally, the compiler would implicitly add --eh-frame-hdr when
invoking the linker, but when this Makefile was converted from invoking
ld via the compiler, to invoking it directly (like vmlinux does),
the flag was missed. (The EH_FRAME section is important for the VDSO
shared libraries, but not for vmlinux.)

Fix the problem by explicitly specifying --eh-frame-hdr, which restores
parity with the old method.

See relevant bug reports for additional info:

  https://bugzilla.kernel.org/show_bug.cgi?id=201741
  https://bugzilla.redhat.com/show_bug.cgi?id=1659295

Fixes: 379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")
Reported-by: Florian Weimer 
Reported-by: Carlos O'Donell 
Reported-by: "H. J. Lu" 
Signed-off-by: Alistair Strachan 
Signed-off-by: Borislav Petkov 
Tested-by: Laura Abbott 
Cc: Andy Lutomirski 
Cc: Carlos O'Donell 
Cc: "H. Peter Anvin" 
Cc: Ingo Molnar 
Cc: Joel Fernandes 
Cc: kernel-t...@android.com
Cc: Laura Abbott 
Cc: stable 
Cc: Thomas Gleixner 
Cc: X86 ML 
Link: https://lkml.kernel.org/r/20181214223637.35954-1-astrac...@google.com
Signed-off-by: Sasha Levin 
---
 arch/x86/entry/vdso/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 839015f1b0de0..ab7f730cf7f22 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -182,7 +182,8 @@ quiet_cmd_vdso = VDSO$@
 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
 
 VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \
-   $(call ld-option, --build-id) -Bsymbolic
+   $(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \
+   -Bsymbolic
 GCOV_PROFILE := n
 
 #
-- 
2.20.1





[PATCH 4.14 068/115] powerpc: remove old GCC version checks

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit f2910f0e6835339e6ce82cef22fa15718b7e3bfa ]

GCC 4.6 is the minimum supported now.

Signed-off-by: Nicholas Piggin 
Reviewed-by: Joel Stanley 
Signed-off-by: Michael Ellerman 
Signed-off-by: Sasha Levin 
---
 arch/powerpc/Makefile | 31 ++-
 1 file changed, 2 insertions(+), 29 deletions(-)

diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
index 7452e50f4d1f8..0f04c878113ef 100644
--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -396,36 +396,9 @@ archprepare: checkbin
 # to stdout and these checks are run even on install targets.
 TOUT   := .tmp_gas_check
 
-# Check gcc and binutils versions:
-# - gcc-3.4 and binutils-2.14 are a fatal combination
-# - Require gcc 4.0 or above on 64-bit
-# - gcc-4.2.0 has issues compiling modules on 64-bit
+# Check toolchain versions:
+# - gcc-4.6 is the minimum kernel-wide version so nothing required.
 checkbin:
-   @if test "$(cc-name)" != "clang" \
-   && test "$(cc-version)" = "0304" ; then \
-   if ! /bin/echo mftb 5 | $(AS) -v -mppc -many -o $(TOUT) 
>/dev/null 2>&1 ; then \
-   echo -n '*** ${VERSION}.${PATCHLEVEL} kernels no longer 
build '; \
-   echo 'correctly with gcc-3.4 and your version of 
binutils.'; \
-   echo '*** Please upgrade your binutils or downgrade 
your gcc'; \
-   false; \
-   fi ; \
-   fi
-   @if test "$(cc-name)" != "clang" \
-   && test "$(cc-version)" -lt "0400" \
-   && test "x${CONFIG_PPC64}" = "xy" ; then \
-echo -n "Sorry, GCC v4.0 or above is required to build " ; \
-echo "the 64-bit powerpc kernel." ; \
-false ; \
-fi
-   @if test "$(cc-name)" != "clang" \
-   && test "$(cc-fullversion)" = "040200" \
-   && test "x${CONFIG_MODULES}${CONFIG_PPC64}" = "xyy" ; then \
-   echo -n '*** GCC-4.2.0 cannot compile the 64-bit powerpc ' ; \
-   echo 'kernel with modules enabled.' ; \
-   echo -n '*** Please use a different GCC version or ' ; \
-   echo 'disable kernel modules' ; \
-   false ; \
-   fi
@if test "x${CONFIG_CPU_LITTLE_ENDIAN}" = "xy" \
&& $(LD) --version | head -1 | grep ' 2\.24$$' >/dev/null ; then \
echo -n '*** binutils 2.24 miscompiles weak symbols ' ; \
-- 
2.20.1





Applied "spi: tegra114: add support for HW CS timing" to the spi tree

2019-05-15 Thread Mark Brown
The patch

   spi: tegra114: add support for HW CS timing

has been applied to the spi tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-5.3

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 9b76ef39b7fbc2ddb0869725f9745a402d93cce5 Mon Sep 17 00:00:00 2001
From: Sowjanya Komatineni 
Date: Mon, 13 May 2019 22:03:54 -0700
Subject: [PATCH] spi: tegra114: add support for HW CS timing

This patch implements set_cs_timing SPI controller method to allow
SPI client driver to configure device specific SPI CS timings.

Signed-off-by: Sowjanya Komatineni 
Signed-off-by: Mark Brown 
---
 drivers/spi/spi-tegra114.c | 48 --
 1 file changed, 46 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
index 0cb0932d32fd..e59ff7c1cee6 100644
--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -95,8 +95,10 @@
(reg = (((val) & 0x1) << ((cs) * 8 + 5)) |  \
((reg) & ~(1 << ((cs) * 8 + 5
 #define SPI_SET_CYCLES_BETWEEN_PACKETS(reg, cs, val)   \
-   (reg = (((val) & 0xF) << ((cs) * 8)) |  \
-   ((reg) & ~(0xF << ((cs) * 8
+   (reg = (((val) & 0x1F) << ((cs) * 8)) | \
+   ((reg) & ~(0x1F << ((cs) * 8
+#define MAX_SETUP_HOLD_CYCLES  16
+#define MAX_INACTIVE_CYCLES32
 
 #define SPI_TRANS_STATUS   0x010
 #define SPI_BLK_CNT(val)   (((val) >> 0) & 0x)
@@ -206,6 +208,8 @@ struct tegra_spi_data {
u32 command1_reg;
u32 dma_control_reg;
u32 def_command1_reg;
+   u32 spi_cs_timing1;
+   u32 spi_cs_timing2;
 
struct completion   xfer_completion;
struct spi_transfer *curr_xfer;
@@ -723,6 +727,43 @@ static void tegra_spi_deinit_dma_param(struct 
tegra_spi_data *tspi,
dma_release_channel(dma_chan);
 }
 
+static void tegra_spi_set_hw_cs_timing(struct spi_device *spi, u8 setup_dly,
+  u8 hold_dly, u8 inactive_dly)
+{
+   struct tegra_spi_data *tspi = spi_master_get_devdata(spi->master);
+   u32 setup_hold;
+   u32 spi_cs_timing;
+   u32 inactive_cycles;
+   u8 cs_state;
+
+   setup_dly = min_t(u8, setup_dly, MAX_SETUP_HOLD_CYCLES);
+   hold_dly = min_t(u8, hold_dly, MAX_SETUP_HOLD_CYCLES);
+   if (setup_dly && hold_dly) {
+   setup_hold = SPI_SETUP_HOLD(setup_dly - 1, hold_dly - 1);
+   spi_cs_timing = SPI_CS_SETUP_HOLD(tspi->spi_cs_timing1,
+ spi->chip_select,
+ setup_hold);
+   if (tspi->spi_cs_timing1 != spi_cs_timing) {
+   tspi->spi_cs_timing1 = spi_cs_timing;
+   tegra_spi_writel(tspi, spi_cs_timing, SPI_CS_TIMING1);
+   }
+   }
+
+   inactive_cycles = min_t(u8, inactive_dly, MAX_INACTIVE_CYCLES);
+   if (inactive_cycles)
+   inactive_cycles--;
+   cs_state = inactive_cycles ? 0 : 1;
+   spi_cs_timing = tspi->spi_cs_timing2;
+   SPI_SET_CS_ACTIVE_BETWEEN_PACKETS(spi_cs_timing, spi->chip_select,
+ cs_state);
+   SPI_SET_CYCLES_BETWEEN_PACKETS(spi_cs_timing, spi->chip_select,
+  inactive_cycles);
+   if (tspi->spi_cs_timing2 != spi_cs_timing) {
+   tspi->spi_cs_timing2 = spi_cs_timing;
+   tegra_spi_writel(tspi, spi_cs_timing, SPI_CS_TIMING2);
+   }
+}
+
 static u32 tegra_spi_setup_transfer_one(struct spi_device *spi,
struct spi_transfer *t,
bool is_first_of_msg,
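Review bot: In tegra_spi_set_hw_cs_timing an `inactive_dly` of 1 is handled exactly like 0: after `inactive_cycles--` the value is 0, so `cs_state = inactive_cycles ? 0 : 1;` selects "CS active between packets" instead of a one-cycle inactive gap. If the cycles field encodes n-1, as the decrement suggests, the state should be derived from the requested delay, `cs_state = inactive_dly ? 0 : 1;`. The setup/hold register is only written when both `setup_dly` and `hold_dly` are non-zero, so a caller cannot clear an earlier setting by passing zero; a comment saying so would help. The cached `spi_cs_timing1`/`spi_cs_timing2` values are read and updated with no lock visible in the hunk, so it is worth confirming that callers serialise this against running transfers.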
@@ -1232,6 +1273,7 @@ static int tegra_spi_probe(struct platform_device *pdev)
master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
master->setup = tegra_spi_setup;
   

[PATCH 4.14 070/115] drm/rockchip: psr: do not dereference encoder before it is null checked.

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 4eda776c3cefcb1f01b2d85bd8753f67606282b5 ]

'encoder' is dereferenced before it is null sanity checked, hence we
potentially have a null pointer dereference bug. Instead, initialise
drm_drv from encoder->dev->dev_private after we are sure 'encoder' is
not null.

Fixes: 5182c1a556d7f ("drm/rockchip: add an common abstracted PSR driver")
Cc: sta...@vger.kernel.org
Signed-off-by: Enric Balletbo i Serra 
Signed-off-by: Heiko Stuebner 
Link: 
https://patchwork.freedesktop.org/patch/msgid/20181013105654.11827-1-enric.balle...@collabora.com
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/rockchip/rockchip_drm_psr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_psr.c 
b/drivers/gpu/drm/rockchip/rockchip_drm_psr.c
index a553e182ff538..32e7dba2bf5ea 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_psr.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_psr.c
@@ -221,13 +221,15 @@ EXPORT_SYMBOL(rockchip_drm_psr_flush_all);
 int rockchip_drm_psr_register(struct drm_encoder *encoder,
void (*psr_set)(struct drm_encoder *, bool enable))
 {
-   struct rockchip_drm_private *drm_drv = encoder->dev->dev_private;
+   struct rockchip_drm_private *drm_drv;
struct psr_drv *psr;
unsigned long flags;
 
if (!encoder || !psr_set)
return -EINVAL;
 
+   drm_drv = encoder->dev->dev_private;
+
psr = kzalloc(sizeof(struct psr_drv), GFP_KERNEL);
if (!psr)
return -ENOMEM;
-- 
2.20.1





[PATCH 4.14 053/115] i2c: omap: Enable for ARCH_K3

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 5b277402deac0691226a947df71c581686bd4020 ]

Allow I2C_OMAP to be built for K3 platforms.

Signed-off-by: Vignesh R 
Reviewed-by: Grygorii Strashko 
Signed-off-by: Wolfram Sang 
Signed-off-by: Sasha Levin 
---
 drivers/i2c/busses/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
index 45a3f3ca29b38..75ea367ffd833 100644
--- a/drivers/i2c/busses/Kconfig
+++ b/drivers/i2c/busses/Kconfig
@@ -759,7 +759,7 @@ config I2C_OCORES
 
 config I2C_OMAP
tristate "OMAP I2C adapter"
-   depends on ARCH_OMAP
+   depends on ARCH_OMAP || ARCH_K3
default y if MACH_OMAP_H3 || MACH_OMAP_OSK
help
  If you say yes to this option, support will be included for the
-- 
2.20.1





[PATCH 4.14 014/115] mac80211: fix unaligned access in mesh table hash function

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 40586e3fc400c00c11151804dcdc93f8c831c808 ]

The pointer to the last four bytes of the address is not guaranteed to be
aligned, so we need to use __get_unaligned_cpu32 here

Signed-off-by: Felix Fietkau 
Signed-off-by: Johannes Berg 
Signed-off-by: Sasha Levin 
---
 net/mac80211/mesh_pathtbl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 1ce068865629b..1300220912051 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct 
mesh_path *mpath);
 static u32 mesh_table_hash(const void *addr, u32 len, u32 seed)
 {
/* Use last four bytes of hw addr as hash index */
-   return jhash_1word(*(u32 *)(addr+2), seed);
+   return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed);
 }
 
 static const struct rhashtable_params mesh_rht_params = {
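Review bot: The replacement call casts `addr` to `u8 *`, which drops the `const` qualifier of the `const void *addr` parameter; `return jhash_1word(__get_unaligned_cpu32((const u8 *)addr + 2), seed);` keeps it and stays clean under -Wcast-qual. The function also ignores `len` and reads bytes 2..5 unconditionally, so it relies on the key being at least six bytes long. Presumably the rhashtable key length guarantees that, but extending the existing comment to state the assumption would settle the out-of-bounds question for the next reader.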
-- 
2.20.1





[PATCH 4.14 054/115] drm/i915: Disable LP3 watermarks on all SNB machines

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 03981c6ebec4fc7056b9b45f847393aeac90d060 ]

I have a Thinkpad X220 Tablet in my hands that is losing vblank
interrupts whenever LP3 watermarks are used.

If I nudge the latency value written to the WM3 register just
by one in either direction the problem disappears. That to me
suggests that the punit will not enter the corresponding
powersave mode (MPLL shutdown IIRC) unless the latency value
in the register matches exactly what we read from SSKPD. Ie.
it's not really a latency value but rather just a cookie
by which the punit can identify the desired power saving state.
On HSW/BDW this was changed such that we actually just write
the WM level number into those bits, which makes much more
sense given the observed behaviour.

We could try to handle this by disallowing LP3 watermarks
only when vblank interrupts are enabled but we'd first have
to prove that only vblank interrupts are affected, which
seems unlikely. Also we can't grab the wm mutex from the
vblank enable/disable hooks because those are called with
various spinlocks held. Thus we'd have to redesigne the
watermark locking. So to play it safe and keep the code
simple we simply disable LP3 watermarks on all SNB machines.

To do that we simply zero out the latency values for
watermark level 3, and we adjust the watermark computation
to check for that. The behaviour now matches that of the
g4x/vlv/skl wm code in the presence of a zeroed latency
value.

v2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris)

Cc: sta...@vger.kernel.org
Cc: Chris Wilson 
Acked-by: Chris Wilson 
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713
Signed-off-by: Ville Syrjälä 
Link: 
https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrj...@linux.intel.com
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/i915/intel_pm.c | 41 -
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
index 87cccb5f8c5da..96a5237741e0c 100644
--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -2471,6 +2471,9 @@ static uint32_t ilk_compute_pri_wm(const struct 
intel_crtc_state *cstate,
uint32_t method1, method2;
int cpp;
 
+   if (mem_value == 0)
+   return U32_MAX;
+
if (!intel_wm_plane_visible(cstate, pstate))
return 0;
 
@@ -2500,6 +2503,9 @@ static uint32_t ilk_compute_spr_wm(const struct 
intel_crtc_state *cstate,
uint32_t method1, method2;
int cpp;
 
+   if (mem_value == 0)
+   return U32_MAX;
+
if (!intel_wm_plane_visible(cstate, pstate))
return 0;
 
@@ -2523,6 +2529,9 @@ static uint32_t ilk_compute_cur_wm(const struct 
intel_crtc_state *cstate,
 {
int cpp;
 
+   if (mem_value == 0)
+   return U32_MAX;
+
if (!intel_wm_plane_visible(cstate, pstate))
return 0;
 
@@ -2981,6 +2990,34 @@ static void snb_wm_latency_quirk(struct drm_i915_private 
*dev_priv)
intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
 }
 
+static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv)
+{
+   /*
+* On some SNB machines (Thinkpad X220 Tablet at least)
+* LP3 usage can cause vblank interrupts to be lost.
+* The DEIIR bit will go high but it looks like the CPU
+* never gets interrupted.
+*
+* It's not clear whether other interrupt source could
+* be affected or if this is somehow limited to vblank
+* interrupts only. To play it safe we disable LP3
+* watermarks entirely.
+*/
+   if (dev_priv->wm.pri_latency[3] == 0 &&
+   dev_priv->wm.spr_latency[3] == 0 &&
+   dev_priv->wm.cur_latency[3] == 0)
+   return;
+
+   dev_priv->wm.pri_latency[3] = 0;
+   dev_priv->wm.spr_latency[3] = 0;
+   dev_priv->wm.cur_latency[3] = 0;
+
+   DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost 
interrupts\n");
+   intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency);
+   intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
+   intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+}
+
 static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
 {
intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency);
@@ -2997,8 +3034,10 @@ static void ilk_setup_wm_latency(struct drm_i915_private 
*dev_priv)
intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
 
-   if (IS_GEN6(dev_priv))
+   if (IS_GEN6(dev_priv)) {
snb_wm_latency_quirk(dev_priv);
+   snb_wm_lp3_irq_quirk(dev_priv);
+   }
 }
 
 static void skl_setup_wm_latency(struct 

Applied "spi: tegra114: add support for hw based cs" to the spi tree

2019-05-15 Thread Mark Brown
The patch

   spi: tegra114: add support for hw based cs

has been applied to the spi tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-5.3

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 1bf9f3c9232d08651aa6990001e7b042c95303dc Mon Sep 17 00:00:00 2001
From: Sowjanya Komatineni 
Date: Mon, 13 May 2019 22:03:53 -0700
Subject: [PATCH] spi: tegra114: add support for hw based cs

Tegra SPI controller supports both HW and SW based CS control
for SPI transfers.

This patch adds support for HW based CS control where CS is driven
to active state during the transfer and is driven inactive at the
end of the transfer directly by the HW.

This patch enables the use of HW based CS only for single transfers
without cs_change request.

Signed-off-by: Sowjanya Komatineni 
Signed-off-by: Mark Brown 
---
 drivers/spi/spi-tegra114.c | 39 ++
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
index f47417dd9edb..0cb0932d32fd 100644
--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -193,6 +193,7 @@ struct tegra_spi_data {
unsigneddma_buf_size;
unsignedmax_buf_size;
boolis_curr_dma_xfer;
+   booluse_hw_based_cs;
 
struct completion   rx_dma_complete;
struct completion   tx_dma_complete;
@@ -723,7 +724,9 @@ static void tegra_spi_deinit_dma_param(struct 
tegra_spi_data *tspi,
 }
 
 static u32 tegra_spi_setup_transfer_one(struct spi_device *spi,
-   struct spi_transfer *t, bool is_first_of_msg)
+   struct spi_transfer *t,
+   bool is_first_of_msg,
+   bool is_single_xfer)
 {
struct tegra_spi_data *tspi = spi_master_get_devdata(spi->master);
u32 speed = t->speed_hz;
@@ -780,11 +783,17 @@ static u32 tegra_spi_setup_transfer_one(struct spi_device 
*spi,
if (spi->cs_gpiod)
gpiod_set_value(spi->cs_gpiod, 1);
 
-   command1 |= SPI_CS_SW_HW;
-   if (spi->mode & SPI_CS_HIGH)
-   command1 |= SPI_CS_SW_VAL;
-   else
-   command1 &= ~SPI_CS_SW_VAL;
+   if (is_single_xfer && !(t->cs_change)) {
+   tspi->use_hw_based_cs = true;
+   command1 &= ~(SPI_CS_SW_HW | SPI_CS_SW_VAL);
+   } else {
+   tspi->use_hw_based_cs = false;
+   command1 |= SPI_CS_SW_HW;
+   if (spi->mode & SPI_CS_HIGH)
+   command1 |= SPI_CS_SW_VAL;
+   else
+   command1 &= ~SPI_CS_SW_VAL;
+   }
 
tegra_spi_writel(tspi, 0, SPI_COMMAND2);
} else {
@@ -905,11 +914,14 @@ static void tegra_spi_transfer_end(struct spi_device *spi)
if (spi->cs_gpiod)
gpiod_set_value(spi->cs_gpiod, 0);
 
-   if (cs_val)
-   tspi->command1_reg |= SPI_CS_SW_VAL;
-   else
-   tspi->command1_reg &= ~SPI_CS_SW_VAL;
-   tegra_spi_writel(tspi, tspi->command1_reg, SPI_COMMAND1);
+   if (!tspi->use_hw_based_cs) {
+   if (cs_val)
+   tspi->command1_reg |= SPI_CS_SW_VAL;
+   else
+   tspi->command1_reg &= ~SPI_CS_SW_VAL;
+   tegra_spi_writel(tspi, tspi->command1_reg, SPI_COMMAND1);
+   }
+
tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1);
 }
 
@@ -936,16 +948,19 @@ static int tegra_spi_transfer_one_message(struct 
spi_master *master,
struct spi_device *spi = msg->spi;
int ret;
bool skip = false;
+   int single_xfer;
 
msg->status = 0;
msg->actual_length = 0;
 
+   single_xfer = list_is_singular(>transfers);
list_for_each_entry(xfer, >transfers, transfer_list) {
u32 cmd1;
 

[PATCH 4.14 080/115] netfilter: nf_tables: warn when expr implements only one of activate/deactivate

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 0ef235c71755c5f36c50282fcf2d7d08709be344 ]

->destroy is only allowed to free data, or do other cleanups that do not
have side effects on other state, such as visibility to other netlink
requests.

Such things need to be done in ->deactivate.
As a transaction can fail, we need to make sure we can undo such
operations, therefore ->activate() has to be provided too.

So print a warning and refuse registration if expr->ops provides
only one of the two operations.

v2: fix nft_expr_check_ops to not repeat same check twice (Jones Desougi)

Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/nf_tables_api.c | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c445d57e3a5bc..b149a72190846 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -220,6 +220,18 @@ static int nft_delchain(struct nft_ctx *ctx)
return err;
 }
 
+/* either expr ops provide both activate/deactivate, or neither */
+static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
+{
+   if (!ops)
+   return true;
+
+   if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
+   return false;
+
+   return true;
+}
+
 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
   struct nft_rule *rule)
 {
@@ -1724,6 +1736,9 @@ static int nf_tables_delchain(struct net *net, struct 
sock *nlsk,
  */
 int nft_register_expr(struct nft_expr_type *type)
 {
+   if (!nft_expr_check_ops(type->ops))
+   return -EINVAL;
+
nfnl_lock(NFNL_SUBSYS_NFTABLES);
if (type->family == NFPROTO_UNSPEC)
list_add_tail_rcu(>list, _tables_expressions);
@@ -1873,6 +1888,10 @@ static int nf_tables_expr_parse(const struct nft_ctx 
*ctx,
err = PTR_ERR(ops);
goto err1;
}
+   if (!nft_expr_check_ops(ops)) {
+   err = -EINVAL;
+   goto err1;
+   }
} else
ops = type->ops;
 
-- 
2.20.1





[PATCH 4.14 077/115] gtp: change NET_UDP_TUNNEL dependency to select

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit c22da36688d6298f2e546dcc43fdc1ad35036467 ]

Similarly to commit a7603ac1fc8c ("geneve: change NET_UDP_TUNNEL
dependency to select"), GTP has a dependency on NET_UDP_TUNNEL which
makes impossible to compile it if no other protocol depending on
NET_UDP_TUNNEL is selected.

Fix this by changing the depends to a select, and drop NET_IP_TUNNEL from
the select list, as it already depends on NET_UDP_TUNNEL.

Signed-off-by: Matteo Croce 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/Kconfig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
index aba0d652095b0..f3357091e9d18 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -212,8 +212,8 @@ config GENEVE
 
 config GTP
tristate "GPRS Tunneling Protocol datapath (GTP-U)"
-   depends on INET && NET_UDP_TUNNEL
-   select NET_IP_TUNNEL
+   depends on INET
+   select NET_UDP_TUNNEL
---help---
  This allows one to create gtp virtual interfaces that provide
  the GPRS Tunneling Protocol datapath (GTP-U). This tunneling protocol
-- 
2.20.1





[PATCH 4.14 078/115] ACPICA: Namespace: remove address node from global list after method termination

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit c5781ffbbd4f742a58263458145fe7f0ac01d9e0 ]

ACPICA commit b233720031a480abd438f2e9c643080929d144c3

ASL operation_regions declare a range of addresses that it uses. In a
perfect world, the range of addresses should be used exclusively by
the AML interpreter. The OS can use this information to decide which
drivers to load so that the AML interpreter and device drivers use
different regions of memory.

During table load, the address information is added to a global
address range list. Each node in this list contains an address range
as well as a namespace node of the operation_region. This list is
deleted at ACPI shutdown.

Unfortunately, ASL operation_regions can be declared inside of control
methods. Although this is not recommended, modern firmware contains
such code. New module level code changes unintentionally removed the
functionality of adding and removing nodes to the global address
range list.

A few months ago, support for adding addresses has been re-
implemented. However, the removal of the address range list was
missed and resulted in some systems to crash due to the address list
containing bogus namespace nodes from operation_regions declared in
control methods. In order to fix the crash, this change removes
dynamic operation_regions after control method termination.

Link: https://github.com/acpica/acpica/commit/b2337200
Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475
Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global 
list during initialization")
Reported-by: Michael J Gruber 
Signed-off-by: Erik Schmauss 
Signed-off-by: Bob Moore 
Cc: 4.20+  # 4.20+
Signed-off-by: Rafael J. Wysocki 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/acpica/nsobject.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
index 707b2aa501e1b..099be64242556 100644
--- a/drivers/acpi/acpica/nsobject.c
+++ b/drivers/acpi/acpica/nsobject.c
@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node 
*node)
}
}
 
+   if (obj_desc->common.type == ACPI_TYPE_REGION) {
+   acpi_ut_remove_address_range(obj_desc->region.space_id, node);
+   }
+
/* Clear the Node entry in all cases */
 
node->object = NULL;
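Review bot: The block added to acpi_ns_detach_object reads `obj_desc->common.type` and calls acpi_ut_remove_address_range() with no comment saying why region objects need extra work at detach time. Something like `/* Regions declared inside control methods must leave the global address range list here, or it keeps a stale node pointer */` would record the reason given in the commit message. The function body starts outside the hunk, so whether `obj_desc` is always an operand object at this point cannot be confirmed from here. The Cc trailer reads `4.20+` while this patch is queued for 4.14, so it is also worth confirming that the commit named in Fixes: is present in this tree.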
-- 
2.20.1





[PATCH 4.14 073/115] vt: always call notifier with the console lock held

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 7e1d226345f89ad5d0216a9092c81386c89b4983 ]

Every invocation of notify_write() and notify_update() is performed
under the console lock, except for one case. Let's fix that.

Signed-off-by: Nicolas Pitre 
Cc: sta...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/tty/vt/vt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 1fb5e7f409c4a..6ff921cf9a9e4 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2435,8 +2435,8 @@ static int do_con_write(struct tty_struct *tty, const 
unsigned char *buf, int co
}
con_flush(vc, draw_from, draw_to, _x);
console_conditional_schedule();
-   console_unlock();
notify_update(vc);
+   console_unlock();
return n;
 }
 
-- 
2.20.1





Re: [PATCH] staging: Add rtl8821ce PCIe WiFi driver

2019-05-15 Thread Kai-Heng Feng

at 19:40, Greg KH  wrote:


On Wed, May 15, 2019 at 07:24:01PM +0800, Kai-Heng Feng wrote:

The rtl8821ce can be found on many HP and Lenovo laptops.
Users have been using out-of-tree module for a while,

The new Realtek WiFi driver, rtw88, will support rtl8821ce in 2020 or
later.


Where is that driver, and why is it going to take so long to get merged?


rtw88 is in 5.2 now, but it doesn’t support 8821ce yet.

They plan to add the support in 2020.




296 files changed, 206166 insertions(+)


Ugh, why do we keep having to add the whole mess for every single one of
these devices?


Because Realtek devices are unfortunately ubiquitous so the support is  
better come from kernel.




Why can't we just have a real driver now?


It doesn’t support rtl8821ce yet.

Kai-Heng



thanks,

greg k-h





Applied "spi: tegra114: add support for gpio based CS" to the spi tree

2019-05-15 Thread Mark Brown
The patch

   spi: tegra114: add support for gpio based CS

has been applied to the spi tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-5.3

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 63c1440596ff0a34efec491f41832c2c9ea01857 Mon Sep 17 00:00:00 2001
From: Sowjanya Komatineni 
Date: Mon, 13 May 2019 22:03:52 -0700
Subject: [PATCH] spi: tegra114: add support for gpio based CS

This patch adds support for GPIO based CS control through SPI core
function spi_set_cs.

Signed-off-by: Sowjanya Komatineni 
Signed-off-by: Mark Brown 
---
 drivers/spi/spi-tegra114.c | 13 +
 1 file changed, 13 insertions(+)

diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
index b1f31bb16659..f47417dd9edb 100644
--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -776,6 +776,10 @@ static u32 tegra_spi_setup_transfer_one(struct spi_device 
*spi,
} else
tegra_spi_writel(tspi, command1, SPI_COMMAND1);
 
+   /* GPIO based chip select control */
+   if (spi->cs_gpiod)
+   gpiod_set_value(spi->cs_gpiod, 1);
+
command1 |= SPI_CS_SW_HW;
if (spi->mode & SPI_CS_HIGH)
command1 |= SPI_CS_SW_VAL;
@@ -864,6 +868,10 @@ static int tegra_spi_setup(struct spi_device *spi)
}
 
spin_lock_irqsave(>lock, flags);
+   /* GPIO based chip select control */
+   if (spi->cs_gpiod)
+   gpiod_set_value(spi->cs_gpiod, 0);
+
val = tspi->def_command1_reg;
if (spi->mode & SPI_CS_HIGH)
val &= ~SPI_CS_POL_INACTIVE(spi->chip_select);
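Review bot: In tegra_spi_setup the chip-select GPIO is driven with `gpiod_set_value()` after `spin_lock_irqsave()` has been taken, so a chip select wired to a GPIO controller that can sleep (an I2C expander, for example) cannot be handled here; gpiolib warns when the non-sleeping accessor is used on such a chip. Moving the two added lines above the lock would allow `gpiod_set_value_cansleep(spi->cs_gpiod, 0);`, provided setup is only reached from process context, which this hunk does not show. The commit message says the control goes through the SPI core function spi_set_cs, yet the added call sites here and in tegra_spi_setup_transfer_one and tegra_spi_transfer_end write the descriptor directly; a comment explaining why the core helper is bypassed would help. The function body continues outside the hunk.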
@@ -893,6 +901,10 @@ static void tegra_spi_transfer_end(struct spi_device *spi)
struct tegra_spi_data *tspi = spi_master_get_devdata(spi->master);
int cs_val = (spi->mode & SPI_CS_HIGH) ? 0 : 1;
 
+   /* GPIO based chip select control */
+   if (spi->cs_gpiod)
+   gpiod_set_value(spi->cs_gpiod, 0);
+
if (cs_val)
tspi->command1_reg |= SPI_CS_SW_VAL;
else
@@ -1199,6 +1211,7 @@ static int tegra_spi_probe(struct platform_device *pdev)
master->max_speed_hz = 2500; /* 25MHz */
 
/* the spi->mode bits understood by this driver: */
+   master->use_gpio_descriptors = true;
master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LSB_FIRST |
SPI_TX_DUAL | SPI_RX_DUAL | SPI_3WIRE;
master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
-- 
2.20.1



[PATCH 4.14 082/115] cifs: fix memory leak in SMB2_read

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 05fd5c2c61732152a6bddc318aae62d7e436629b ]

Commit 088aaf17aa79300cab14dbee2569c58cfafd7d6e introduced a leak where
if SMB2_read() returned an error we would return without freeing the
request buffer.

Cc: Stable 
Signed-off-by: Ronnie Sahlberg 
Reviewed-by: Pavel Shilovsky 
Signed-off-by: Steve French 
Signed-off-by: Sasha Levin 
---
 fs/cifs/smb2pdu.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index fd2d199dd413e..7936eac5a38a2 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2699,6 +2699,7 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms 
*io_parms,
cifs_dbg(VFS, "Send error in read = %d\n", rc);
}
free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+   cifs_small_buf_release(req);
return rc == -ENODATA ? 0 : rc;
}
 
-- 
2.20.1





[PATCH 4.14 055/115] media: ov5640: fix wrong binning value in exposure calculation

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit c2c3f42df4dd9bb231d756bacb0c897f662c6d3c ]

ov5640_set_mode_exposure_calc() is checking binning value but
binning value read is buggy, fix this.
Rename ov5640_binning_on() to ov5640_get_binning() as per other
similar functions.

Signed-off-by: Hugues Fruchet 
Reviewed-by: Laurent Pinchart 
Reviewed-by: Jacopo Mondi 
Signed-off-by: Sakari Ailus 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/media/i2c/ov5640.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
index 39a2269c0beef..0366c8dc6ecf7 100644
--- a/drivers/media/i2c/ov5640.c
+++ b/drivers/media/i2c/ov5640.c
@@ -1216,7 +1216,7 @@ static int ov5640_set_ae_target(struct ov5640_dev 
*sensor, int target)
return ov5640_write_reg(sensor, OV5640_REG_AEC_CTRL1F, fast_low);
 }
 
-static int ov5640_binning_on(struct ov5640_dev *sensor)
+static int ov5640_get_binning(struct ov5640_dev *sensor)
 {
u8 temp;
int ret;
@@ -1224,8 +1224,8 @@ static int ov5640_binning_on(struct ov5640_dev *sensor)
ret = ov5640_read_reg(sensor, OV5640_REG_TIMING_TC_REG21, );
if (ret)
return ret;
-   temp &= 0xfe;
-   return temp ? 1 : 0;
+
+   return temp & BIT(0);
 }
 
 static int ov5640_set_virtual_channel(struct ov5640_dev *sensor)
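Review bot: ov5640_get_binning now returns either the error from the register read or the raw value of bit 0, and the caller changed in the next hunk depends on telling `ret < 0` apart from a non-zero `ret`. That mixed return is undocumented; a one-line comment above the function, e.g. `/* returns 1 if binning is enabled, 0 if not, negative errno on read failure */`, would state the contract the rename implies.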
@@ -1293,7 +1293,7 @@ static int ov5640_set_mode_exposure_calc(
if (ret < 0)
return ret;
prev_shutter = ret;
-   ret = ov5640_binning_on(sensor);
+   ret = ov5640_get_binning(sensor);
if (ret < 0)
return ret;
if (ret && mode->id != OV5640_MODE_720P_1280_720 &&
-- 
2.20.1





Re: [PATCH v3 0/2] mmc: sdhci-iproc: fixes for HS50 data hold time

2019-05-15 Thread Ulf Hansson
On Thu, 9 May 2019 at 19:24, Scott Branden  wrote:
>
> This patch series fixes data hold timing issues for various sdhci-iproc
> ip blocks that do not meet the HS50 data hold time.  NO_HISPD bit is set
> in quirks.
>
> Changes from v2:
>  - Added info to commit message as to stable tag selection decision
>as per Adrian Hunter
>
> Changes from v1:
>  - Change fixes tag to Cc: sta...@vger.kernel.org to specify version
>to backport to
>
> Trac Hoang (2):
>   mmc: sdhci-iproc: cygnus: Set NO_HISPD bit to fix HS50 data hold time
> problem
>   mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time problem
>
>  drivers/mmc/host/sdhci-iproc.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> --
> 2.17.1
>

Applied for fixes, thanks!

Kind regards
Uffe


[PATCH 4.14 088/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit a8c133b06183c529c51cd0d54eb57d6b7078370c ]

The EMAD workqueue is used to handle retransmission of EMAD packets that
contain configuration data for the device's firmware.

Given the workers need to allocate these packets and that the code is
not called as part of memory reclaim path, remove the WQ_MEM_RECLAIM
flag.

Fixes: d965465b60ba ("mlxsw: core: Fix possible deadlock")
Signed-off-by: Ido Schimmel 
Acked-by: Jiri Pirko 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c 
b/drivers/net/ethernet/mellanox/mlxsw/core.c
index cced009da8699..070fd3f7fadf9 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
@@ -600,7 +600,7 @@ static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core)
if (!(mlxsw_core->bus->features & MLXSW_BUS_F_TXRX))
return 0;
 
-   emad_wq = alloc_workqueue("mlxsw_core_emad", WQ_MEM_RECLAIM, 0);
+   emad_wq = alloc_workqueue("mlxsw_core_emad", 0, 0);
if (!emad_wq)
return -ENOMEM;
mlxsw_core->emad_wq = emad_wq;
-- 
2.20.1





[PATCH 4.14 084/115] net: hns: Fix WARNING when hns modules installed

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit c77804be53369dd4c15bfc376cf9b45948194cab ]

Commit 308c6cafde01 ("net: hns: All ports can not work when insmod hns ko
after rmmod.") add phy_stop in hns_nic_init_phy(), In the branch of "net",
this method is effective, but in the branch of "net-next", it will cause
a WARNING when hns modules loaded, reference to commit 2b3e88ea6528 ("net:
phy: improve phy state checking"):

[10.092168] [ cut here ]
[10.092171] called from state READY
[10.092189] WARNING: CPU: 4 PID: 1 at ../drivers/net/phy/phy.c:854
phy_stop+0x90/0xb0
[10.092192] Modules linked in:
[10.092197] CPU: 4 PID:1 Comm:swapper/0 Not tainted 4.20.0-rc7-next-20181220 #1
[10.092200] Hardware name: Huawei TaiShan 2280 /D05, BIOS Hisilicon D05 UEFI
16.12 Release 05/15/2017
[10.092202] pstate: 6005 (nZCv daif -PAN -UAO)
[10.092205] pc : phy_stop+0x90/0xb0
[10.092208] lr : phy_stop+0x90/0xb0
[10.092209] sp : 1159ba90
[10.092212] x29: 1159ba90 x28: 0007
[10.092215] x27: 11180068 x26: 110a5620
[10.092218] x25: 113b6000 x24: 842f96dac000
[10.092221] x23:  x22: 
[10.092223] x21: 841fb8425e18 x20: 801fb3a56438
[10.092226] x19: 801fb3a56000 x18: 
[10.092228] x17:  x16: 
[10.092231] x15: 1122d6c8 x14: 9159b7b7
[10.092234] x13: 1159b7c5 x12: 11245000
[10.092236] x11: 05f5e0ff x10: 1159b750
[10.092239] x9 : ffd0 x8 : 0465
[10.092242] x7 : 112457f8 x6 : 113bd7ce
[10.092245] x5 :  x4 : 
[10.092247] x3 :  x2 : 11245828
[10.092250] x1 : 4b5860bd05871300 x0 : 
[10.092253] Call trace:
[10.092255]  phy_stop+0x90/0xb0
[10.092260]  hns_nic_init_phy+0xf8/0x110
[10.092262]  hns_nic_try_get_ae+0x4c/0x3b0
[10.092264]  hns_nic_dev_probe+0x1fc/0x480
[10.092268]  platform_drv_probe+0x50/0xa0
[10.092271]  really_probe+0x1f4/0x298
[10.092273]  driver_probe_device+0x58/0x108
[10.092275]  __driver_attach+0xdc/0xe0
[10.092278]  bus_for_each_dev+0x74/0xc8
[10.092280]  driver_attach+0x20/0x28
[10.092283]  bus_add_driver+0x1b8/0x228
[10.092285]  driver_register+0x60/0x110
[10.092288]  __platform_driver_register+0x40/0x48
[10.092292]  hns_nic_dev_driver_init+0x18/0x20
[10.092296]  do_one_initcall+0x5c/0x180
[10.092299]  kernel_init_freeable+0x198/0x240
[10.092303]  kernel_init+0x10/0x108
[10.092306]  ret_from_fork+0x10/0x18
[10.092308] ---[ end trace 1396dd0278e397eb ]---

This WARNING occurred because of calling phy_stop before phy_start.

The root cause of the problem in commit '308c6cafde01' is:

Reference to hns_nic_init_phy, the flag phydev->supported is changed after
phy_connect_direct. The flag phydev->supported is 0x6ff when hns modules is
loaded, so will not change Fiber Port power(Reference to marvell.c), which
is power on at default.
Then the flag phydev->supported is changed to 0x6f, so Fiber Port power is
off when removing hns modules.
When hns modules installed again, the flag phydev->supported is default
value 0x6ff, so will not change Fiber Port power(now is off), causing mac
link not up problem.

So the solution is to change the phy flags before phy_connect_direct.

Fixes: 308c6cafde01 ("net: hns: All ports can not work when insmod hns ko after 
rmmod.")
Signed-off-by: Yonglong Liu 
Signed-off-by: Huazhong Tan 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/hisilicon/hns/hns_enet.c | 15 ++-
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c 
b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
index 8fd0408178048..b681c07b33fb6 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
@@ -1267,6 +1267,12 @@ int hns_nic_init_phy(struct net_device *ndev, struct 
hnae_handle *h)
if (!h->phy_dev)
return 0;
 
+   phy_dev->supported &= h->if_support;
+   phy_dev->advertising = phy_dev->supported;
+
+   if (h->phy_if == PHY_INTERFACE_MODE_XGMII)
+   phy_dev->autoneg = false;
+
if (h->phy_if != PHY_INTERFACE_MODE_XGMII) {
phy_dev->dev_flags = 0;
 
@@ -1278,15 +1284,6 @@ int hns_nic_init_phy(struct net_device *ndev, struct 
hnae_handle *h)
if (unlikely(ret))
return -ENODEV;
 
-   phy_dev->supported &= h->if_support;
-   phy_dev->advertising = phy_dev->supported;
-
-   if (h->phy_if == PHY_INTERFACE_MODE_XGMII)
-   phy_dev->autoneg = false;
-
-   if (h->phy_if == PHY_INTERFACE_MODE_SGMII)
-   phy_stop(phy_dev);
-
return 0;
 }
 
-- 
2.20.1





[PATCH 4.14 086/115] net: fec: manage ahb clock in runtime pm

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit d7c3a206e6338e4ccdf030719dec028e26a521d5 ]

Some SoCs, like i.MX6SX, have clock limitations:
- ahb clock should be disabled before ipg.
- ahb and ipg clocks are required for MAC MII bus.
So, move the ahb clock to runtime management together with
ipg clock.

Signed-off-by: Fugang Duan 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/freescale/fec_main.c | 30 ---
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fec_main.c 
b/drivers/net/ethernet/freescale/fec_main.c
index ce55c8f7f33a4..ad3aabc39cc24 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1851,13 +1851,9 @@ static int fec_enet_clk_enable(struct net_device *ndev, 
bool enable)
int ret;
 
if (enable) {
-   ret = clk_prepare_enable(fep->clk_ahb);
-   if (ret)
-   return ret;
-
ret = clk_prepare_enable(fep->clk_enet_out);
if (ret)
-   goto failed_clk_enet_out;
+   return ret;
 
if (fep->clk_ptp) {
mutex_lock(>ptp_clk_mutex);
@@ -1875,7 +1871,6 @@ static int fec_enet_clk_enable(struct net_device *ndev, 
bool enable)
if (ret)
goto failed_clk_ref;
} else {
-   clk_disable_unprepare(fep->clk_ahb);
clk_disable_unprepare(fep->clk_enet_out);
if (fep->clk_ptp) {
mutex_lock(>ptp_clk_mutex);
@@ -1894,8 +1889,6 @@ static int fec_enet_clk_enable(struct net_device *ndev, 
bool enable)
 failed_clk_ptp:
if (fep->clk_enet_out)
clk_disable_unprepare(fep->clk_enet_out);
-failed_clk_enet_out:
-   clk_disable_unprepare(fep->clk_ahb);
 
return ret;
 }
@@ -3455,6 +3448,9 @@ fec_probe(struct platform_device *pdev)
ret = clk_prepare_enable(fep->clk_ipg);
if (ret)
goto failed_clk_ipg;
+   ret = clk_prepare_enable(fep->clk_ahb);
+   if (ret)
+   goto failed_clk_ahb;
 
fep->reg_phy = devm_regulator_get(>dev, "phy");
if (!IS_ERR(fep->reg_phy)) {
@@ -3546,6 +3542,9 @@ fec_probe(struct platform_device *pdev)
pm_runtime_put(>dev);
pm_runtime_disable(>dev);
 failed_regulator:
+   clk_disable_unprepare(fep->clk_ahb);
+failed_clk_ahb:
+   clk_disable_unprepare(fep->clk_ipg);
 failed_clk_ipg:
fec_enet_clk_enable(ndev, false);
 failed_clk:
@@ -3669,6 +3668,7 @@ static int __maybe_unused fec_runtime_suspend(struct 
device *dev)
struct net_device *ndev = dev_get_drvdata(dev);
struct fec_enet_private *fep = netdev_priv(ndev);
 
+   clk_disable_unprepare(fep->clk_ahb);
clk_disable_unprepare(fep->clk_ipg);
 
return 0;
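Review bot: The order of the two `clk_disable_unprepare()` calls in fec_runtime_suspend is now load-bearing, but nothing in the code records it; the commit message states that on SoCs such as i.MX6SX the ahb clock must be disabled before ipg. A one-line comment above the added call, e.g. `/* ahb must be gated before ipg on some SoCs (i.MX6SX) */`, would stop a later cleanup from reordering them. The fec_probe error path added in the previous hunk disables the clocks in the same order and would benefit from the same remark.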
@@ -3678,8 +3678,20 @@ static int __maybe_unused fec_runtime_resume(struct 
device *dev)
 {
struct net_device *ndev = dev_get_drvdata(dev);
struct fec_enet_private *fep = netdev_priv(ndev);
+   int ret;
 
-   return clk_prepare_enable(fep->clk_ipg);
+   ret = clk_prepare_enable(fep->clk_ahb);
+   if (ret)
+   return ret;
+   ret = clk_prepare_enable(fep->clk_ipg);
+   if (ret)
+   goto failed_clk_ipg;
+
+   return 0;
+
+failed_clk_ipg:
+   clk_disable_unprepare(fep->clk_ahb);
+   return ret;
 }
 
 static const struct dev_pm_ops fec_pm_ops = {
-- 
2.20.1





Re: [3/3] Coccinelle: pci_free_consistent: Extend when constraints for two SmPL ellipses

2019-05-15 Thread Markus Elfring



Am 15.05.19 um 12:19 schrieb Julia Lawall:
>
>
> On Wed, 15 May 2019, Markus Elfring wrote:
>
> On the other hand, I do care about causing false negatives.

 Do you find the missing warning after the addition of such an exclusion
 specification interesting?
>>>
>>> I already suggested how to improve the code.
>>
>> I find that the idea “e2->fld” needs further clarification.
>> Such a SmPL specification will be resolved also to an expression,
>> won't it?
>
> Saving in a local variable doesn't impact the need to free the object.

I suggest to reconsider this view.

Would we like to introduce additional case distinctions for the handling
of reassignments to local variables (as shown in Wen's test case)?


> A field is the most obvious case where the object may not need freeing.

A corresponding resource release should probably be performed by
an other function then.


> But there are many expressions that e2->fld will not match.

Data structure members can eventually belong also to a local variable.
Would they become relevant for further SmPL exclusion specifications?

Regards,
Markus


[PATCH 4.14 056/115] media: ov5640: fix auto controls values when switching to manual mode

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit a8f438c684eaa4cbe6c98828eb996d5ec53e24fb ]

When switching from auto to manual mode, V4L2 core is calling
g_volatile_ctrl() in manual mode in order to get the manual initial value.
Remove the manual mode check/return to not break this behaviour.

Signed-off-by: Hugues Fruchet 
Tested-by: Jacopo Mondi 
Signed-off-by: Sakari Ailus 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/media/i2c/ov5640.c | 4 
 1 file changed, 4 deletions(-)

diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
index 0366c8dc6ecf7..acf5c8a55bbd2 100644
--- a/drivers/media/i2c/ov5640.c
+++ b/drivers/media/i2c/ov5640.c
@@ -1900,16 +1900,12 @@ static int ov5640_g_volatile_ctrl(struct v4l2_ctrl 
*ctrl)
 
switch (ctrl->id) {
case V4L2_CID_AUTOGAIN:
-   if (!ctrl->val)
-   return 0;
val = ov5640_get_gain(sensor);
if (val < 0)
return val;
sensor->ctrls.gain->val = val;
break;
case V4L2_CID_EXPOSURE_AUTO:
-   if (ctrl->val == V4L2_EXPOSURE_MANUAL)
-   return 0;
val = ov5640_get_exposure(sensor);
if (val < 0)
return val;
-- 
2.20.1





[PATCH 4.14 091/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received()

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ]

This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
corruption when handling SHDLC I-Frame commands").

I'm not totally sure, but I think that commit description may have
overstated the danger.  I was under the impression that this data came
from the firmware?  If you can't trust your networking firmware, then
you're already in trouble.

Anyway, these days we add bounds checking wherever we can and we call
it kernel hardening.  Better safe than sorry.

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/nfc/nci/hci.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
index ddfc52ac1f9b4..c0d323b58e732 100644
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 
pipe,
create_info = (struct nci_hci_create_pipe_resp *)skb->data;
dest_gate = create_info->dest_gate;
new_pipe = create_info->pipe;
+   if (new_pipe >= NCI_HCI_MAX_PIPES) {
+   status = NCI_HCI_ANY_E_NOK;
+   goto exit;
+   }
 
/* Save the new created pipe and bind with local gate,
 * the description for skb->data[3] is destination gate id
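Review bot: The new range check covers `new_pipe` here and `delete_info->pipe` in the second hunk, but both values are read from `skb->data` through a struct cast, so the check only helps if the frame length was validated before the cast. That validation is outside this hunk and should be confirmed for the create-pipe case. The function's own `u8 pipe` argument, visible in the hunk header, presumably indexes the same pipe table, and whether it is compared against `NCI_HCI_MAX_PIPES` is likewise not visible. Because the commit message questions how trustworthy the data is, a comment such as `/* pipe id is taken from the received frame; never index pipes[] with it unchecked */` above each check would record why it must stay.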
@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 
pipe,
goto exit;
}
delete_info = (struct nci_hci_delete_pipe_noti *)skb->data;
+   if (delete_info->pipe >= NCI_HCI_MAX_PIPES) {
+   status = NCI_HCI_ANY_E_NOK;
+   goto exit;
+   }
 
ndev->hci_dev->pipes[delete_info->pipe].gate =
NCI_HCI_INVALID_GATE;
-- 
2.20.1





[PATCH 4.14 052/115] fuse: fix possibly missed wake-up after abort

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 2d84a2d19b6150c6dbac1e6ebad9c82e4c123772 ]

In current fuse_drop_waiting() implementation it's possible that
fuse_wait_aborted() will not be woken up in the unlikely case that
fuse_abort_conn() + fuse_wait_aborted() runs in between checking
fc->connected and calling atomic_dec(&fc->num_waiting).

Do the atomic_dec_and_test() unconditionally, which also provides the
necessary barrier against reordering with the fc->connected check.

The explicit smp_mb() in fuse_wait_aborted() is not actually needed, since
the spin_unlock() in fuse_abort_conn() provides the necessary RELEASE
barrier after resetting fc->connected.  However, this is not a performance
sensitive path, and adding the explicit barrier makes it easier to
document.

Signed-off-by: Miklos Szeredi 
Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
Cc:  #v4.19
Signed-off-by: Sasha Levin 
---
 fs/fuse/dev.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 770733106d6d4..c934fab444529 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -133,9 +133,13 @@ static bool fuse_block_alloc(struct fuse_conn *fc, bool 
for_background)
 
 static void fuse_drop_waiting(struct fuse_conn *fc)
 {
-   if (fc->connected) {
-   atomic_dec(>num_waiting);
-   } else if (atomic_dec_and_test(>num_waiting)) {
+   /*
+* lockess check of fc->connected is okay, because atomic_dec_and_test()
+* provides a memory barrier mached with the one in fuse_wait_aborted()
+* to ensure no wake-up is missed.
+*/
+   if (atomic_dec_and_test(>num_waiting) &&
+   !READ_ONCE(fc->connected)) {
/* wake up aborters */
wake_up_all(>blocked_waitq);
}
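Review bot: The comment added to fuse_drop_waiting has two typos, `lockess` and `mached`, which should read `lockless` and `matched`. It also does not say what the pairing guarantees: as far as the hunk shows, the decrement has to be ordered before the `fc->connected` read so that either this path observes the abort or fuse_wait_aborted observes the count reaching zero. The commit message adds that the explicit `smp_mb()` in the next hunk is not strictly required because of the unlock in fuse_abort_conn; repeating that in the comment there would tell a later reader how much actually depends on it.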
@@ -2170,6 +2174,8 @@ EXPORT_SYMBOL_GPL(fuse_abort_conn);
 
 void fuse_wait_aborted(struct fuse_conn *fc)
 {
+   /* matches implicit memory barrier in fuse_drop_waiting() */
+   smp_mb();
wait_event(fc->blocked_waitq, atomic_read(>num_waiting) == 0);
 }
 
-- 
2.20.1





[PATCH 4.14 101/115] dpaa_eth: fix SG frame cleanup

2019-05-15 Thread Greg Kroah-Hartman
From: Laurentiu Tudor 

[ Upstream commit 17170e6570c082717c142733d9a638bcd20551f8 ]

Fix issue with the entry indexing in the sg frame cleanup code being
off-by-1. This problem showed up when doing some basic iperf tests and
manifested in traffic coming to a halt.

Signed-off-by: Laurentiu Tudor 
Acked-by: Madalin Bucur 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -1639,7 +1639,7 @@ static struct sk_buff *dpaa_cleanup_tx_f
 qm_sg_entry_get_len([0]), dma_dir);
 
/* remaining pages were mapped with skb_frag_dma_map() */
-   for (i = 1; i < nr_frags; i++) {
+   for (i = 1; i <= nr_frags; i++) {
WARN_ON(qm_sg_entry_is_ext([i]));
 
dma_unmap_page(dev, qm_sg_addr([i]),
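Review bot: The corrected bound `i <= nr_frags` reads like an off-by-one unless the reader knows the table layout. Entry 0 of the scatter-gather table appears to hold the linear part of the skb (it is handled just above the loop), so the fragments occupy entries 1 through nr_frags. A comment on the loop, e.g. `/* entry 0 is the skb head; frags are entries 1..nr_frags */`, would keep the bound from being changed back. The loop now touches one more table entry than before, so it is worth confirming outside this hunk that the table is always sized for nr_frags + 1 entries. The loop body continues past the end of the hunk.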




[PATCH 4.14 096/115] rtlwifi: rtl8723ae: Fix missing break in switch statement

2019-05-15 Thread Greg Kroah-Hartman
From: Gustavo A. R. Silva 

commit 84242b82d81c54e009a2aaa74d3d9eff70babf56 upstream.

Add missing break statement in order to prevent the code from falling
through to case 0x1025, and erroneously setting rtlhal->oem_id to
RT_CID_819X_ACER when rtlefuse->eeprom_svid is equal to 0x10EC and
none of the cases in switch (rtlefuse->eeprom_smid) match.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: 238ad2ddf34b ("rtlwifi: rtl8723ae: Clean up the hardware info routine")
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva 
Signed-off-by: Kalle Valo 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/realtek/rtlwifi/rtl8723ae/hw.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/hw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/hw.c
@@ -1699,6 +1699,7 @@ static void _rtl8723e_read_adapter_info(
rtlhal->oem_id = RT_CID_819X_LENOVO;
break;
}
+   break;
case 0x1025:
rtlhal->oem_id = RT_CID_819X_ACER;
break;




[PATCH 4.14 098/115] powerpc/64s: Include cpu header

2019-05-15 Thread Greg Kroah-Hartman
From: Breno Leitao 

commit 42e2acde1237878462b028f5a27d9cc5bea7502c upstream.

Current powerpc security.c file is defining functions, as
cpu_show_meltdown(), cpu_show_spectre_v{1,2} and others, that are being
declared at linux/cpu.h header without including the header file that
contains these declarations.

This is being reported by sparse, which thinks that these functions are
static, due to the lack of declaration:

arch/powerpc/kernel/security.c:105:9: warning: symbol 
'cpu_show_meltdown' was not declared. Should it be static?
arch/powerpc/kernel/security.c:139:9: warning: symbol 
'cpu_show_spectre_v1' was not declared. Should it be static?
arch/powerpc/kernel/security.c:161:9: warning: symbol 
'cpu_show_spectre_v2' was not declared. Should it be static?
arch/powerpc/kernel/security.c:209:6: warning: symbol 'stf_barrier' was 
not declared. Should it be static?
arch/powerpc/kernel/security.c:289:9: warning: symbol 
'cpu_show_spec_store_bypass' was not declared. Should it be static?

This patch simply includes the proper header (linux/cpu.h) to match
function definition and declaration.

Signed-off-by: Breno Leitao 
Signed-off-by: Michael Ellerman 
Cc: Joel Stanley 
Cc: Nathan Chancellor 
Cc: Major Hayden 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/security.c |1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -4,6 +4,7 @@
 //
 // Copyright 2018, Michael Ellerman, IBM Corporation.
 
+#include 
 #include 
 #include 
 #include 




[PATCH 4.14 110/115] vrf: sit mtu should not be updated when vrf netdev is the link

2019-05-15 Thread Greg Kroah-Hartman
From: Stephen Suryaputra 

[ Upstream commit ff6ab32bd4e073976e4d8797b4d514a172cfe6cb ]

VRF netdev mtu isn't typically set and has an mtu of 65536. When the
link of a tunnel is set, the tunnel mtu is changed from 1480 to the link
mtu minus tunnel header. In the case where a VRF netdev is the link, the
tunnel mtu becomes 65516. So, fix it by not setting the tunnel mtu in
this case.

Signed-off-by: Stephen Suryaputra 
Reviewed-by: David Ahern 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv6/sit.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1070,7 +1070,7 @@ static void ipip6_tunnel_bind_dev(struct
if (!tdev && tunnel->parms.link)
tdev = __dev_get_by_index(tunnel->net, tunnel->parms.link);
 
-   if (tdev) {
+   if (tdev && !netif_is_l3_master(tdev)) {
int t_hlen = tunnel->hlen + sizeof(struct iphdr);
 
dev->hard_header_len = tdev->hard_header_len + sizeof(struct 
iphdr);
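Review bot: The added `!netif_is_l3_master(tdev)` test guards the whole block, so for a VRF link it skips the `dev->hard_header_len` assignment visible at the end of the hunk as well as the MTU update named in the commit title. If that is intended, a comment such as `/* link is a VRF master: its MTU is not meaningful, keep the tunnel defaults */` would say so. If only the MTU should be left alone, the condition belongs on the MTU lines inside the block, which lie outside this hunk.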




[PATCH 4.14 099/115] bonding: fix arp_validate toggling in active-backup mode

2019-05-15 Thread Greg Kroah-Hartman
From: Jarod Wilson 

[ Upstream commit a9b8a2b39ce65df45687cf9ef648885c2a99fe75 ]

There's currently a problem with toggling arp_validate on and off with an
active-backup bond. At the moment, you can start up a bond, like so:

modprobe bonding mode=1 arp_interval=100 arp_validate=0 
arp_ip_targets=192.168.1.1
ip link set bond0 down
echo "ens4f0" > /sys/class/net/bond0/bonding/slaves
echo "ens4f1" > /sys/class/net/bond0/bonding/slaves
ip link set bond0 up
ip addr add 192.168.1.2/24 dev bond0

Pings to 192.168.1.1 work just fine. Now turn on arp_validate:

echo 1 > /sys/class/net/bond0/bonding/arp_validate

Pings to 192.168.1.1 continue to work just fine. Now when you go to turn
arp_validate off again, the link falls flat on its face:

echo 0 > /sys/class/net/bond0/bonding/arp_validate
dmesg
...
[133191.911987] bond0: Setting arp_validate to none (0)
[133194.257793] bond0: bond_should_notify_peers: slave ens4f0
[133194.258031] bond0: link status definitely down for interface ens4f0, 
disabling it
[133194.259000] bond0: making interface ens4f1 the new active one
[133197.330130] bond0: link status definitely down for interface ens4f1, 
disabling it
[133197.331191] bond0: now running without any active interface!

The problem lies in bond_options.c, where passing in arp_validate=0
results in bond->recv_probe getting set to NULL. This flies directly in
the face of commit 3fe68df97c7f, which says we need to set recv_probe =
bond_arp_recv, even if we're not using arp_validate. Said commit fixed
this in bond_option_arp_interval_set, but missed that we can get to that
same state in bond_option_arp_validate_set as well.

One solution would be to universally set recv_probe = bond_arp_recv here
as well, but I don't think bond_option_arp_validate_set has any business
touching recv_probe at all, and that should be left to the arp_interval
code, so we can just make things much tidier here.

Fixes: 3fe68df97c7f ("bonding: always set recv_probe to bond_arp_rcv in arp 
monitor")
CC: Jay Vosburgh 
CC: Veaceslav Falico 
CC: Andy Gospodarek 
CC: "David S. Miller" 
CC: net...@vger.kernel.org
Signed-off-by: Jarod Wilson 
Signed-off-by: Jay Vosburgh 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/bonding/bond_options.c | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/drivers/net/bonding/bond_options.c 
b/drivers/net/bonding/bond_options.c
index 4d5d01cb8141..80867bd8f44c 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1098,13 +1098,6 @@ static int bond_option_arp_validate_set(struct bonding 
*bond,
 {
netdev_dbg(bond->dev, "Setting arp_validate to %s (%llu)\n",
   newval->string, newval->value);
-
-   if (bond->dev->flags & IFF_UP) {
-   if (!newval->value)
-   bond->recv_probe = NULL;
-   else if (bond->params.arp_interval)
-   bond->recv_probe = bond_arp_rcv;
-   }
bond->params.arp_validate = newval->value;
 
return 0;
-- 
2.20.1





[PATCH 4.14 095/115] mwl8k: Fix rate_idx underflow

2019-05-15 Thread Greg Kroah-Hartman
From: Petr Štetiar 

commit 6b583201fa219b7b1b6aebd8966c8fd9357ef9f4 upstream.

It was reported on OpenWrt bug tracking system[1], that several users
are affected by the endless reboot of their routers if they configure
5GHz interface with channel 44 or 48.

The reboot loop is caused by the following excessive number of WARN_ON
messages:

 WARNING: CPU: 0 PID: 0 at backports-4.19.23-1/net/mac80211/rx.c:4516
 ieee80211_rx_napi+0x1fc/0xa54 [mac80211]

as the messages are being correctly emitted by the following guard:

 case RX_ENC_LEGACY:
  if (WARN_ON(status->rate_idx >= sband->n_bitrates))

as the rate_idx is in this case erroneously set to 251 (0xfb). This fix
simply converts the previously used magic number to a proper constant and
guards against the subtraction which is leading to the currently observed
underflow.

1. https://bugs.openwrt.org/index.php?do=details_id=2218

Fixes: 854783444bab ("mwl8k: properly set receive status rate index on 5 GHz 
receive")
Cc: 
Tested-by: Eubert Bao 
Reported-by: Eubert Bao 
Signed-off-by: Petr Štetiar 
Signed-off-by: Kalle Valo 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/marvell/mwl8k.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
@@ -436,6 +436,9 @@ static const struct ieee80211_rate mwl8k
 #define MWL8K_CMD_UPDATE_STADB 0x1123
 #define MWL8K_CMD_BASTREAM 0x1125
 
+#define MWL8K_LEGACY_5G_RATE_OFFSET \
+   (ARRAY_SIZE(mwl8k_rates_24) - ARRAY_SIZE(mwl8k_rates_50))
+
 static const char *mwl8k_cmd_name(__le16 cmd, char *buf, int bufsize)
 {
u16 command = le16_to_cpu(cmd);
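Review bot: `MWL8K_LEGACY_5G_RATE_OFFSET` is the difference of two `ARRAY_SIZE()` results and is therefore unsigned. If the 5 GHz table ever became longer than the 2.4 GHz one, the macro would wrap to a very large value and the new guard in the receive paths would silently never subtract. A compile-time check in an init function, e.g. `BUILD_BUG_ON(ARRAY_SIZE(mwl8k_rates_24) < ARRAY_SIZE(mwl8k_rates_50));`, pins the assumption. A short comment that the offset counts the 2.4 GHz-only entries at the start of `mwl8k_rates_24` would also explain the old literal 5; that layout is inferred from the macro and should be checked against the tables.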
@@ -1011,8 +1014,9 @@ mwl8k_rxd_ap_process(void *_rxd, struct
 
if (rxd->channel > 14) {
status->band = NL80211_BAND_5GHZ;
-   if (!(status->encoding == RX_ENC_HT))
-   status->rate_idx -= 5;
+   if (!(status->encoding == RX_ENC_HT) &&
+   status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET)
+   status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET;
} else {
status->band = NL80211_BAND_2GHZ;
}
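Review bot: When a legacy frame on a channel above 14 arrives with `rate_idx` below the offset, the new guard leaves the index untouched, so a value meant for the 2.4 GHz table is passed on as a 5 GHz index. It no longer underflows, but the reported rate may be wrong. Since the value comes from the receive descriptor, consider clamping it to the lowest 5 GHz rate in the legacy case, or at least add a comment stating that such values are deliberately passed through. The identical block in mwl8k_rxd_sta_process (next hunk) behaves the same way, and the two copies could share a small static helper.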
@@ -1119,8 +1123,9 @@ mwl8k_rxd_sta_process(void *_rxd, struct
 
if (rxd->channel > 14) {
status->band = NL80211_BAND_5GHZ;
-   if (!(status->encoding == RX_ENC_HT))
-   status->rate_idx -= 5;
+   if (!(status->encoding == RX_ENC_HT) &&
+   status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET)
+   status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET;
} else {
status->band = NL80211_BAND_2GHZ;
}




[PATCH 4.14 111/115] tipc: fix hanging clients using poll with EPOLLOUT flag

2019-05-15 Thread Greg Kroah-Hartman
From: Parthasarathy Bhuvaragan 

[ Upstream commit ff946833b70e0c7f93de9a3f5b329b5ae2287b38 ]

commit 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets")
introduced a regression for clients using non-blocking sockets.
After the commit, we send EPOLLOUT event to the client even in
TIPC_CONNECTING state. This causes the subsequent send() to fail
with ENOTCONN, as the socket is still not in TIPC_ESTABLISHED state.

In this commit, we:
- improve the fix for hanging poll() by replacing sk_data_ready()
  with sk_state_change() to wake up all clients.
- revert the faulty updates introduced by commit 517d7c79bdb398
  ("tipc: fix hanging poll() for stream sockets").

Fixes: 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets")
Signed-off-by: Parthasarathy Bhuvaragan 
Acked-by: Jon Maloy 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/tipc/socket.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -709,11 +709,11 @@ static unsigned int tipc_poll(struct fil
 
switch (sk->sk_state) {
case TIPC_ESTABLISHED:
-   case TIPC_CONNECTING:
if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk))
mask |= POLLOUT;
/* fall thru' */
case TIPC_LISTEN:
+   case TIPC_CONNECTING:
if (!skb_queue_empty(>sk_receive_queue))
mask |= (POLLIN | POLLRDNORM);
break;
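Review bot: The position of `case TIPC_CONNECTING:` relative to the `/* fall thru' */` comment is now the whole fix, and nothing in the switch says why a connecting socket must not report POLLOUT. A comment on the moved label, e.g. `/* not writable until TIPC_ESTABLISHED: send() would fail with ENOTCONN */`, taken from the commit message, would keep the label from drifting back above the fall-through. The switch continues outside the hunk.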
@@ -1588,7 +1588,7 @@ static bool filter_connect(struct tipc_s
return true;
 
/* If empty 'ACK-' message, wake up sleeping connect() */
-   sk->sk_data_ready(sk);
+   sk->sk_state_change(sk);
 
/* 'ACK-' message is neither accepted nor rejected: */
msg_set_dest_droppable(hdr, 1);




[PATCH 4.14 103/115] ipv4: Fix raw socket lookup for local traffic

2019-05-15 Thread Greg Kroah-Hartman
From: David Ahern 

[ Upstream commit 19e4e768064a87b073a4b4c138b55db70e0cfb9f ]

inet_iif should be used for the raw socket lookup. inet_iif considers
rt_iif which handles the case of local traffic.

As it stands, ping to a local address with the '-I ' option fails
ever since ping was changed to use SO_BINDTODEVICE instead of
cmsg + IP_PKTINFO.

IPv6 works fine.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: David Ahern 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/raw.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -174,6 +174,7 @@ static int icmp_filter(const struct sock
 static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
 {
int sdif = inet_sdif(skb);
+   int dif = inet_iif(skb);
struct sock *sk;
struct hlist_head *head;
int delivered = 0;
@@ -186,8 +187,7 @@ static int raw_v4_input(struct sk_buff *
 
net = dev_net(skb->dev);
sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol,
-iph->saddr, iph->daddr,
-skb->dev->ifindex, sdif);
+iph->saddr, iph->daddr, dif, sdif);
 
while (sk) {
delivered = 1;




[PATCH 4.14 105/115] net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering

2019-05-15 Thread Greg Kroah-Hartman
From: Corentin Labbe 

[ Upstream commit d4c26eb6e721683a0f93e346ce55bc8dc3cbb175 ]

When more MAC addresses are added to a dwmac-sun8i interface, the device goes
directly into promiscuous mode.
This is because the IFF_UNICAST_FLT flag is missing.

Since the hardware supports unicast filtering, let's add IFF_UNICAST_FLT.

Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i")
Signed-off-by: Corentin Labbe 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
@@ -858,6 +858,8 @@ static struct mac_device_info *sun8i_dwm
mac->mac = _dwmac_ops;
mac->dma = _dwmac_dma_ops;
 
+   priv->dev->priv_flags |= IFF_UNICAST_FLT;
+
/* The loopback bit seems to be re-set when link change
 * Simply mask it each time
 * Speed 10/100/1000 are set in BIT(2)/BIT(3)




[PATCH 4.14 108/115] packet: Fix error path in packet_init

2019-05-15 Thread Greg Kroah-Hartman
From: YueHaibing 

[ Upstream commit 36096f2f4fa05f7678bc87397665491700bae757 ]

kernel BUG at lib/list_debug.c:47!
invalid opcode:  [#1
CPU: 0 PID: 12914 Comm: rmmod Tainted: GW 5.1.0+ #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:__list_del_entry_valid+0x53/0x90
Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48
89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 
75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2
RSP: 0018:c90001c2fe40 EFLAGS: 00010286
RAX: 004e RBX: a0184000 RCX: 
RDX:  RSI: 888237a17788 RDI: 
RBP: c90001c2fe40 R08:  R09: 
R10: c90001c2fe10 R11:  R12: 
R13: c90001c2fe50 R14: a0184000 R15: 
FS:  7f3d83634540() GS:888237a0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 555c350ea818 CR3: 000231677000 CR4: 06f0
Call Trace:
 unregister_pernet_operations+0x34/0x120
 unregister_pernet_subsys+0x1c/0x30
 packet_exit+0x1c/0x369 [af_packet
 __x64_sys_delete_module+0x156/0x260
 ? lockdep_hardirqs_on+0x133/0x1b0
 ? do_syscall_64+0x12/0x1f0
 do_syscall_64+0x6e/0x1f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

When af_packet is loaded with modprobe and register_pernet_subsys
fails, it cleans up and sets ops->list to LIST_POISON1, but the
module init is still considered successful. A later rmmod then
triggers BUG() in __list_del_entry_valid, which is called from
unregister_pernet_subsys. This patch fixes the error handling path in
packet_init to avoid possible issues if an error occurs.

Reported-by: Hulk Robot 
Signed-off-by: YueHaibing 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/packet/af_packet.c |   25 -
 1 file changed, 20 insertions(+), 5 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4629,14 +4629,29 @@ static void __exit packet_exit(void)
 
 static int __init packet_init(void)
 {
-   int rc = proto_register(_proto, 0);
+   int rc;
 
-   if (rc != 0)
+   rc = proto_register(_proto, 0);
+   if (rc)
goto out;
+   rc = sock_register(_family_ops);
+   if (rc)
+   goto out_proto;
+   rc = register_pernet_subsys(_net_ops);
+   if (rc)
+   goto out_sock;
+   rc = register_netdevice_notifier(_netdev_notifier);
+   if (rc)
+   goto out_pernet;
 
-   sock_register(_family_ops);
-   register_pernet_subsys(_net_ops);
-   register_netdevice_notifier(_netdev_notifier);
+   return 0;
+
+out_pernet:
+   unregister_pernet_subsys(_net_ops);
+out_sock:
+   sock_unregister(PF_PACKET);
+out_proto:
+   proto_unregister(_proto);
 out:
return rc;
 }
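Review bot: sock_register() still runs before register_pernet_subsys() and register_netdevice_notifier(), so the address family is reachable from userspace while the per-namespace state and the notifier are not yet registered. If one of those later steps fails, the unwind then unregisters a family on which sockets may already exist. The order is inherited from the old code rather than introduced here, and what the pernet init sets up is outside the hunk, so the window should be confirmed. Since the unwind ladder is being written anyway, it would be safer to register the internal pieces first and expose the family last, with the labels reversed to match and one extra label for the notifier.
```c
	rc = register_pernet_subsys(&packet_net_ops);
	if (rc)
		goto out;
	rc = register_netdevice_notifier(&packet_netdev_notifier);
	if (rc)
		goto out_pernet;
	rc = proto_register(&packet_proto, 0);
	if (rc)
		goto out_notifier;
	rc = sock_register(&packet_family_ops);
	if (rc)
		goto out_proto;

	return 0;

out_proto:
	proto_unregister(&packet_proto);
out_notifier:
	unregister_netdevice_notifier(&packet_netdev_notifier);
out_pernet:
	unregister_pernet_subsys(&packet_net_ops);
	/* … unchanged: out label and return rc … */
```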




[PATCH 4.14 114/115] powerpc/powernv/idle: Restore IAMR after idle

2019-05-15 Thread Greg Kroah-Hartman
From: Russell Currey 

commit a3f3072db6cad40895c585dce65e36aab997f042 upstream.

Without restoring the IAMR after idle, execution prevention on POWER9
with Radix MMU is overwritten and the kernel can freely execute
userspace without faulting.

This is necessary when returning from any stop state that modifies
user state, as well as hypervisor state.

To test how this fails without this patch, load the lkdtm driver and
do the following:

  $ echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT

which won't fault, then boot the kernel with powersave=off, where it
will fault. Applying this patch will fix this.

Fixes: 3b10d0095a1e ("powerpc/mm/radix: Prevent kernel execution of user space")
Cc: sta...@vger.kernel.org # v4.10+
Signed-off-by: Russell Currey 
Reviewed-by: Akshay Adiga 
Reviewed-by: Nicholas Piggin 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/idle_book3s.S |   20 
 1 file changed, 20 insertions(+)

--- a/arch/powerpc/kernel/idle_book3s.S
+++ b/arch/powerpc/kernel/idle_book3s.S
@@ -163,6 +163,9 @@ core_idle_lock_held:
bne-core_idle_lock_held
blr
 
+/* Reuse an unused pt_regs slot for IAMR */
+#define PNV_POWERSAVE_IAMR _DAR
+
 /*
  * Pass requested state in r3:
  * r3 - PNV_THREAD_NAP/SLEEP/WINKLE in POWER8
@@ -193,6 +196,12 @@ pnv_powersave_common:
/* Continue saving state */
SAVE_GPR(2, r1)
SAVE_NVGPRS(r1)
+
+BEGIN_FTR_SECTION
+   mfspr   r5, SPRN_IAMR
+   std r5, PNV_POWERSAVE_IAMR(r1)
+END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
+
mfcrr5
std r5,_CCR(r1)
std r1,PACAR1(r13)
@@ -940,6 +949,17 @@ BEGIN_FTR_SECTION
 END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
REST_NVGPRS(r1)
REST_GPR(2, r1)
+
+BEGIN_FTR_SECTION
+   /* IAMR was saved in pnv_powersave_common() */
+   ld  r5, PNV_POWERSAVE_IAMR(r1)
+   mtspr   SPRN_IAMR, r5
+   /*
+* We don't need an isync here because the upcoming mtmsrd is
+* execution synchronizing.
+*/
+END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
+
ld  r4,PACAKMSR(r13)
ld  r5,_LINK(r1)
ld  r6,_CCR(r1)




[PATCH 4.14 113/115] drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl

2019-05-15 Thread Greg Kroah-Hartman
From: Dan Carpenter 

commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.

The "param.count" value is a u64 that comes from the user.  The code
later in the function assumes that param.count is at least one and if
it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.

Also the addition can have an integer overflow which would lead us to
allocate a smaller "pages" array than required.  I can't immediately
tell what the possible runtime implications are, but it's safest to
prevent the overflow.

Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management 
driver")
Signed-off-by: Dan Carpenter 
Reviewed-by: Andrew Morton 
Cc: Timur Tabi 
Cc: Mihai Caraman 
Cc: Kumar Gala 
Cc: 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/virt/fsl_hypervisor.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/virt/fsl_hypervisor.c
+++ b/drivers/virt/fsl_hypervisor.c
@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
 * hypervisor.
 */
lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
+   if (param.count == 0 ||
+   param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
+   return -EINVAL;
num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
 
/* Allocate the buffers we need */
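Review bot: The added check stops the u64 sum from wrapping, but the shifted result is still assigned to num_pages, whose declaration is outside the hunk. If num_pages is an int or unsigned int, a large param.count passes the check and the page count is truncated on assignment, so the "pages" array can still end up smaller than the range being copied. Computing the count in a u64 temporary `n` and rejecting what does not fit, `if (n > UINT_MAX) return -EINVAL;` before `num_pages = n;`, would close that; a tighter per-ioctl cap would also bound the allocation. ioctl_memcpy starts and ends outside the hunk.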




[PATCH 4.14 106/115] net: seeq: fix crash caused by not set dev.parent

2019-05-15 Thread Greg Kroah-Hartman
From: Thomas Bogendoerfer 

[ Upstream commit 5afcd14cfc7fed1bcc8abcee2cef82732772bfc2 ]

The old MIPS implementation of dma_cache_sync() didn't use the dev argument,
but commit c9eb6172c328 ("dma-mapping: turn dma_cache_sync into a
dma_map_ops method") changed that, so we now need to set dev.parent.

Signed-off-by: Thomas Bogendoerfer 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/seeq/sgiseeq.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/seeq/sgiseeq.c
+++ b/drivers/net/ethernet/seeq/sgiseeq.c
@@ -734,6 +734,7 @@ static int sgiseeq_probe(struct platform
}
 
platform_set_drvdata(pdev, dev);
+   SET_NETDEV_DEV(dev, >dev);
sp = netdev_priv(dev);
 
/* Make private data page aligned */




[PATCH] perf jevents: Remove unused variables

2019-05-15 Thread Zenghui Yu
Fix gcc warning:

pmu-events/jevents.c: In function ‘save_arch_std_events’:
pmu-events/jevents.c:417:15: warning: unused variable ‘sb’ [-Wunused-variable]
  struct stat *sb = data;
   ^~

Signed-off-by: Zenghui Yu 
---
 tools/perf/pmu-events/jevents.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
index 68c92bb..92e60fd 100644
--- a/tools/perf/pmu-events/jevents.c
+++ b/tools/perf/pmu-events/jevents.c
@@ -414,7 +414,6 @@ static int save_arch_std_events(void *data, char *name, 
char *event,
char *metric_name, char *metric_group)
 {
struct event_struct *es;
-   struct stat *sb = data;
 
es = malloc(sizeof(*es));
if (!es)
-- 
1.8.3.1




[PATCH 4.14 100/115] bridge: Fix error path for kobject_init_and_add()

2019-05-15 Thread Greg Kroah-Hartman
From: "Tobin C. Harding" 

[ Upstream commit bdfad5aec1392b93495b77b864d58d7f101dc1c1 ]

Currently error return from kobject_init_and_add() is not followed by a
call to kobject_put().  This means there is a memory leak.  We currently
set p to NULL so that kfree() may be called on it as a noop, the code is
arguably clearer if we move the kfree() up closer to where it is
called (instead of after goto jump).

Remove a goto label 'err1' and jump to call to kobject_put() in error
return from kobject_init_and_add() fixing the memory leak.  Re-name goto
label 'put_back' to 'err1' now that we don't use err1, following current
nomenclature (err1, err2 ...).  Move call to kfree out of the error
code at bottom of function up to closer to where memory was allocated.
Add comment to clarify call to kfree().

Signed-off-by: Tobin C. Harding 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/bridge/br_if.c |   13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -518,13 +518,15 @@ int br_add_if(struct net_bridge *br, str
call_netdevice_notifiers(NETDEV_JOIN, dev);
 
err = dev_set_allmulti(dev, 1);
-   if (err)
-   goto put_back;
+   if (err) {
+   kfree(p);   /* kobject not yet init'd, manually free */
+   goto err1;
+   }
 
err = kobject_init_and_add(>kobj, _ktype, &(dev->dev.kobj),
   SYSFS_BRIDGE_PORT_ATTR);
if (err)
-   goto err1;
+   goto err2;
 
err = br_sysfs_addif(p);
if (err)
@@ -607,12 +609,9 @@ err3:
sysfs_remove_link(br->ifobj, p->dev->name);
 err2:
kobject_put(>kobj);
-   p = NULL; /* kobject_put frees */
-err1:
dev_set_allmulti(dev, -1);
-put_back:
+err1:
dev_put(dev);
-   kfree(p);
return err;
 }
 




[PATCH 4.19 014/113] HID: input: add mapping for Expose/Overview key

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f ]

According to HUTRR77 usage 0x29f from the consumer page is reserved for
the Desktop application to present all running user’s application windows.
Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's
add the mapping.

Signed-off-by: Dmitry Torokhov 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-input.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index e649940e065da..a9892cabe7cd8 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1026,6 +1026,8 @@ static void hidinput_configure_usage(struct hid_input 
*hidinput, struct hid_fiel
case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT);   break;
case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL);   break;
 
+   case 0x29f: map_key_clear(KEY_SCALE);   break;
+
default: map_key_clear(KEY_UNKNOWN);
}
break;
-- 
2.20.1





[PATCH 4.19 012/113] acpi/nfit: Always dump _DSM output payload

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 351f339faa308c1c1461314a18c832239a841ca0 ]

The dynamic-debug statements for command payload output only get emitted
when the command is not ND_CMD_CALL. Move the output payload dumping
ahead of the early return path for ND_CMD_CALL.

Fixes: 31eca76ba2fc9 ("...whitelisted dimm command marshaling mechanism")
Reported-by: Vishal Verma 
Signed-off-by: Dan Williams 
Signed-off-by: Sasha Levin 
---
 drivers/acpi/nfit/core.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 925dbc751322a..8340c81b258b7 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -542,6 +542,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, 
struct nvdimm *nvdimm,
goto out;
}
 
+   dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name,
+   cmd_name, out_obj->buffer.length);
+   print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4,
+   out_obj->buffer.pointer,
+   min_t(u32, 128, out_obj->buffer.length), true);
+
if (call_pkg) {
call_pkg->nd_fw_size = out_obj->buffer.length;
memcpy(call_pkg->nd_payload + call_pkg->nd_size_in,
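Review bot: `%d` is used for `out_obj->buffer.length`, which the `min_t(u32, 128, ...)` in the next statement treats as a u32, so the specifier should be `%u`: `dev_dbg(dev, "%s cmd: %s output length: %u\n", dimm_name,`. With the dump moved ahead of the call_pkg branch, up to 128 bytes of pass-through output now reach the kernel log whenever this debug site is enabled. A one-line comment above the dump saying that this is intended and that the content is vendor-defined would help anyone enabling it outside a lab. acpi_nfit_ctl starts and ends outside the hunk.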
@@ -560,12 +566,6 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, 
struct nvdimm *nvdimm,
return 0;
}
 
-   dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name,
-   cmd_name, out_obj->buffer.length);
-   print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4,
-   out_obj->buffer.pointer,
-   min_t(u32, 128, out_obj->buffer.length), true);
-
for (i = 0, offset = 0; i < desc->out_num; i++) {
u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
(u32 *) out_obj->buffer.pointer,
-- 
2.20.1





[PATCH 4.19 010/113] iio: adc: xilinx: fix potential use-after-free on probe

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 862e4644fd2d7df8998edc65e0963ea2f567bde9 ]

If probe errors out after request_irq(), its error path
does not explicitly cancel the delayed work, which may
have been scheduled by the interrupt handler.

This means the delayed work may still be running when
the core frees the private structure (struct xadc).
This is a potential use-after-free.

Fix by inserting cancel_delayed_work_sync() in the probe
error path.

Signed-off-by: Sven Van Asbroeck 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Sasha Levin 
---
 drivers/iio/adc/xilinx-xadc-core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/adc/xilinx-xadc-core.c 
b/drivers/iio/adc/xilinx-xadc-core.c
index 1960694e80076..15e1a103f37da 100644
--- a/drivers/iio/adc/xilinx-xadc-core.c
+++ b/drivers/iio/adc/xilinx-xadc-core.c
@@ -1290,6 +1290,7 @@ static int xadc_probe(struct platform_device *pdev)
 
 err_free_irq:
free_irq(xadc->irq, indio_dev);
+   cancel_delayed_work_sync(>zynq_unmask_work);
 err_clk_disable_unprepare:
clk_disable_unprepare(xadc->clk);
 err_free_samplerate_trigger:
-- 
2.20.1





[PATCH 4.19 022/113] mac80211: fix memory accounting with A-MSDU aggregation

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 ]

skb->truesize can change due to memory reallocation or when adding extra
fragments. Adjust fq->memory_usage accordingly

Signed-off-by: Felix Fietkau 
Acked-by: Toke Høiland-Jørgensen 
Signed-off-by: Johannes Berg 
Signed-off-by: Sasha Levin 
---
 net/mac80211/tx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 743cde66aaf62..2f726cde9998b 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3185,6 +3185,7 @@ static bool ieee80211_amsdu_aggregate(struct 
ieee80211_sub_if_data *sdata,
u8 max_subframes = sta->sta.max_amsdu_subframes;
int max_frags = local->hw.max_tx_fragments;
int max_amsdu_len = sta->sta.max_amsdu_len;
+   int orig_truesize;
__be16 len;
void *data;
bool ret = false;
@@ -3218,6 +3219,7 @@ static bool ieee80211_amsdu_aggregate(struct 
ieee80211_sub_if_data *sdata,
if (!head)
goto out;
 
+   orig_truesize = head->truesize;
orig_len = head->len;
 
if (skb->len + head->len > max_amsdu_len)
@@ -3272,6 +3274,7 @@ static bool ieee80211_amsdu_aggregate(struct 
ieee80211_sub_if_data *sdata,
*frag_tail = skb;
 
 out_recalc:
+   fq->memory_usage += head->truesize - orig_truesize;
if (head->len != orig_len) {
flow->backlog += head->len - orig_len;
tin->backlog_bytes += head->len - orig_len;
-- 
2.20.1





[PATCH 4.19 020/113] mac80211: Increase MAX_MSG_LEN

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 78be2d21cc1cd3069c6138dcfecec62583130171 ]

Looks that 100 chars isn't enough for messages, as we keep getting
warnings popping from different places due to message shortening.
Instead of trying to shorten the prints, just increase the buffer size.

Signed-off-by: Andrei Otcheretianski 
Signed-off-by: Luca Coelho 
Signed-off-by: Johannes Berg 
Signed-off-by: Sasha Levin 
---
 net/mac80211/trace_msg.h | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/trace_msg.h b/net/mac80211/trace_msg.h
index 366b9e6f043e2..40141df09f255 100644
--- a/net/mac80211/trace_msg.h
+++ b/net/mac80211/trace_msg.h
@@ -1,4 +1,9 @@
 /* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Portions of this file
+ * Copyright (C) 2019 Intel Corporation
+ */
+
 #ifdef CONFIG_MAC80211_MESSAGE_TRACING
 
 #if !defined(__MAC80211_MSG_DRIVER_TRACE) || defined(TRACE_HEADER_MULTI_READ)
@@ -11,7 +16,7 @@
 #undef TRACE_SYSTEM
 #define TRACE_SYSTEM mac80211_msg
 
-#define MAX_MSG_LEN100
+#define MAX_MSG_LEN120
 
 DECLARE_EVENT_CLASS(mac80211_msg_event,
TP_PROTO(struct va_format *vaf),
-- 
2.20.1





[PATCH 4.19 027/113] clocksource/drivers/npcm: select TIMER_OF

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 99834eead2a04e93a120abb112542b87c42ff5e1 ]

When this is disabled, we get a link failure:

drivers/clocksource/timer-npcm7xx.o: In function `npcm7xx_timer_init':
timer-npcm7xx.c:(.init.text+0xf): undefined reference to `timer_of_init'

Fixes: 1c00289ecd12 ("clocksource/drivers/npcm: Add NPCM7xx timer driver")
Signed-off-by: Arnd Bergmann 
Signed-off-by: Daniel Lezcano 
Signed-off-by: Sasha Levin 
---
 drivers/clocksource/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
index c1ddafa4c2994..4d37f018d846c 100644
--- a/drivers/clocksource/Kconfig
+++ b/drivers/clocksource/Kconfig
@@ -136,6 +136,7 @@ config VT8500_TIMER
 config NPCM7XX_TIMER
bool "NPCM7xx timer driver" if COMPILE_TEST
depends on HAS_IOMEM
+   select TIMER_OF
select CLKSRC_MMIO
help
  Enable 24-bit TIMER0 and TIMER1 counters in the NPCM7xx architecture,
-- 
2.20.1





[PATCH 4.19 003/113] platform/x86: thinkpad_acpi: Disable Bluetooth for some machines

2019-05-15 Thread Greg Kroah-Hartman
From: Jiaxun Yang 

commit f7db839fccf087664e5587966220821289b6a9cb upstream.

Some AMD-based ThinkPads have a firmware bug where calling
"GBDC" causes Bluetooth on Intel wireless cards to be blocked.

Detect these models by DMI match and disable the Bluetooth subdriver
if one of the specified Intel wireless cards is present.

Cc: stable  # 4.14+
Signed-off-by: Jiaxun Yang 
Signed-off-by: Andy Shevchenko 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/platform/x86/thinkpad_acpi.c |   72 ++-
 1 file changed, 70 insertions(+), 2 deletions(-)

--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -79,7 +79,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 
@@ -4496,6 +4496,74 @@ static void bluetooth_exit(void)
bluetooth_shutdown();
 }
 
+static const struct dmi_system_id bt_fwbug_list[] __initconst = {
+   {
+   .ident = "ThinkPad E485",
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+   DMI_MATCH(DMI_BOARD_NAME, "20KU"),
+   },
+   },
+   {
+   .ident = "ThinkPad E585",
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+   DMI_MATCH(DMI_BOARD_NAME, "20KV"),
+   },
+   },
+   {
+   .ident = "ThinkPad A285 - 20MW",
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+   DMI_MATCH(DMI_BOARD_NAME, "20MW"),
+   },
+   },
+   {
+   .ident = "ThinkPad A285 - 20MX",
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+   DMI_MATCH(DMI_BOARD_NAME, "20MX"),
+   },
+   },
+   {
+   .ident = "ThinkPad A485 - 20MU",
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+   DMI_MATCH(DMI_BOARD_NAME, "20MU"),
+   },
+   },
+   {
+   .ident = "ThinkPad A485 - 20MV",
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+   DMI_MATCH(DMI_BOARD_NAME, "20MV"),
+   },
+   },
+   {}
+};
+
+static const struct pci_device_id fwbug_cards_ids[] __initconst = {
+   { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x24F3) },
+   { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x24FD) },
+   { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x2526) },
+   {}
+};
+
+
+static int __init have_bt_fwbug(void)
+{
+   /*
+* Some AMD based ThinkPads have a firmware bug that calling
+* "GBDC" will cause bluetooth on Intel wireless cards blocked
+*/
+   if (dmi_check_system(bt_fwbug_list) && 
pci_dev_present(fwbug_cards_ids)) {
+   vdbg_printk(TPACPI_DBG_INIT | TPACPI_DBG_RFKILL,
+   FW_BUG "disable bluetooth subdriver for Intel cards\n");
+   return 1;
+   } else
+   return 0;
+}
+
 static int __init bluetooth_init(struct ibm_init_struct *iibm)
 {
int res;
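Review bot: have_bt_fwbug() pairs a braced `if` with an unbraced `else` and returns 1/0 from what is a predicate. Kernel style wants braces on both branches or, simpler, no `else` at all: declare it `static bool __init have_bt_fwbug(void)`, keep `return true;` inside the `if`, and end with a plain `return false;`. The three device IDs in fwbug_cards_ids are bare hex values, so a trailing comment naming the card for each entry would make the quirk table reviewable without a PCI ID lookup. bluetooth_init continues outside the hunk.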
@@ -4508,7 +4576,7 @@ static int __init bluetooth_init(struct
 
/* bluetooth not supported on 570, 600e/x, 770e, 770x, A21e, A2xm/p,
   G4x, R30, R31, R40e, R50e, T20-22, X20-21 */
-   tp_features.bluetooth = hkey_handle &&
+   tp_features.bluetooth = !have_bt_fwbug() && hkey_handle &&
acpi_evalf(hkey_handle, , "GBDC", "qd");
 
vdbg_printk(TPACPI_DBG_INIT | TPACPI_DBG_RFKILL,




[PATCH 4.19 024/113] libnvdimm/pmem: fix a possible OOB access when read and write pmem

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 9dc6488e84b0f64df17672271664752488cd6a25 ]

If offset is not zero and length is bigger than PAGE_SIZE,
this causes an out-of-bounds access to page memory.

Fixes: 98cc093cba1e ("block, THP: make block_device_operations.rw_page support 
THP")
Co-developed-by: Liang ZhiCheng 
Signed-off-by: Liang ZhiCheng 
Signed-off-by: Li RongQing 
Reviewed-by: Ira Weiny 
Reviewed-by: Jeff Moyer 
Signed-off-by: Dan Williams 
Signed-off-by: Sasha Levin 
---
 drivers/nvdimm/pmem.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c
index 1d432c5ed2753..cff027fc26761 100644
--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -113,13 +113,13 @@ static void write_pmem(void *pmem_addr, struct page *page,
 
while (len) {
mem = kmap_atomic(page);
-   chunk = min_t(unsigned int, len, PAGE_SIZE);
+   chunk = min_t(unsigned int, len, PAGE_SIZE - off);
memcpy_flushcache(pmem_addr, mem + off, chunk);
kunmap_atomic(mem);
len -= chunk;
off = 0;
page++;
-   pmem_addr += PAGE_SIZE;
+   pmem_addr += chunk;
}
 }
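Review bot: `PAGE_SIZE - off` is only a valid bound when `off < PAGE_SIZE` on entry, and nothing in the visible loop enforces that. If a caller passes an offset at or beyond one page, the subtraction wraps, `min_t` then selects `len`, and `mem + off` is already outside the mapped page. The same expression is used in read_pmem in the following hunks. Unless every caller guarantees the range, make the bound local by normalising first with `page += off >> PAGE_SHIFT;` and `off &= ~PAGE_MASK;`, or by rejecting the input with `WARN_ON_ONCE(off >= PAGE_SIZE)`. Both function bodies start outside their hunks.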
 
@@ -132,7 +132,7 @@ static blk_status_t read_pmem(struct page *page, unsigned 
int off,
 
while (len) {
mem = kmap_atomic(page);
-   chunk = min_t(unsigned int, len, PAGE_SIZE);
+   chunk = min_t(unsigned int, len, PAGE_SIZE - off);
rem = memcpy_mcsafe(mem + off, pmem_addr, chunk);
kunmap_atomic(mem);
if (rem)
@@ -140,7 +140,7 @@ static blk_status_t read_pmem(struct page *page, unsigned 
int off,
len -= chunk;
off = 0;
page++;
-   pmem_addr += PAGE_SIZE;
+   pmem_addr += chunk;
}
return BLK_STS_OK;
 }
-- 
2.20.1





[PATCH 4.19 028/113] clocksource/drivers/oxnas: Fix OX820 compatible

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit fbc87aa0f7c42dc31f1bac3b2615008cac32 ]

The OX820 compatible is wrong in the driver, fix it.

Fixes: 2ea3401e2a84 ("clocksource/drivers/oxnas: Add OX820 compatible")
Reported-by: Daniel Golle 
Signed-off-by: Neil Armstrong 
Signed-off-by: Daniel Lezcano 
Signed-off-by: Sasha Levin 
---
 drivers/clocksource/timer-oxnas-rps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clocksource/timer-oxnas-rps.c 
b/drivers/clocksource/timer-oxnas-rps.c
index eed6feff8b5f2..30c6f4ce672b3 100644
--- a/drivers/clocksource/timer-oxnas-rps.c
+++ b/drivers/clocksource/timer-oxnas-rps.c
@@ -296,4 +296,4 @@ static int __init oxnas_rps_timer_init(struct device_node 
*np)
 TIMER_OF_DECLARE(ox810se_rps,
   "oxsemi,ox810se-rps-timer", oxnas_rps_timer_init);
 TIMER_OF_DECLARE(ox820_rps,
-  "oxsemi,ox820se-rps-timer", oxnas_rps_timer_init);
+  "oxsemi,ox820-rps-timer", oxnas_rps_timer_init);
-- 
2.20.1





[PATCH 4.19 035/113] s390/pkey: add one more argument space for debug feature entry

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 6b1f16ba730d4c0cda1247568c3a1bf4fa3a2f2f ]

The debug feature entries have been used with up to 5 arguments
(including the pointer to the format string) but there was only
space reserved for 4 arguments. So now the registration does
reserve space for 5 times a long value.

This fixes a sometimes-appearing weird value as the last
value of a debug feature entry like this:

... pkey_sec2protkey zcrypt_send_cprb (cardnr=10 domain=12)
   failed with errno -2143346254

Signed-off-by: Harald Freudenberger 
Reported-by: Christian Rund 
Signed-off-by: Martin Schwidefsky 
Signed-off-by: Sasha Levin 
---
 drivers/s390/crypto/pkey_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index 1b4001e0285fe..b16344479959b 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -45,7 +45,8 @@ static debug_info_t *debug_info;
 
 static void __init pkey_debug_init(void)
 {
-   debug_info = debug_register("pkey", 1, 1, 4 * sizeof(long));
+   /* 5 arguments per dbf entry (including the format string ptr) */
+   debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long));
debug_register_view(debug_info, _sprintf_view);
debug_set_level(debug_info, 3);
 }
-- 
2.20.1





[PATCH 4.19 031/113] vxge: fix return of a freed memblock on a failed dma mapping

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 0a2c34f18c94b596562bf3d019fceab998b8b584 ]

Currently if a pci dma mapping failure is detected a free'd
memblock address is returned rather than a NULL (that indicates
an error). Fix this by ensuring NULL is returned on this error case.

Addresses-Coverity: ("Use after free")
Fixes: 528f727279ae ("vxge: code cleanup and reorganization")
Signed-off-by: Colin Ian King 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/neterion/vxge/vxge-config.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c 
b/drivers/net/ethernet/neterion/vxge/vxge-config.c
index bf4302e45dcd9..28f7656647027 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
@@ -2365,6 +2365,7 @@ static void *__vxge_hw_blockpool_malloc(struct 
__vxge_hw_device *devh, u32 size,
dma_object->addr))) {
vxge_os_dma_free(devh->pdev, memblock,
_object->acc_handle);
+   memblock = NULL;
goto exit;
}
 
-- 
2.20.1





[PATCH 4.19 005/113] hwmon: (pwm-fan) Disable PWM if fetching cooling data fails

2019-05-15 Thread Greg Kroah-Hartman
From: Stefan Wahren 

commit 53f1647da3e8fb3e89066798f0fdc045064d353d upstream.

In case pwm_fan_of_get_cooling_data() fails we should disable the PWM
just like in the other error cases.

Fixes: 2e5219c77183 ("hwmon: (pwm-fan) Read PWM FAN configuration from device 
tree")
Cc:  # 4.14+
Reported-by: Guenter Rock 
Signed-off-by: Stefan Wahren 
Signed-off-by: Guenter Roeck 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/hwmon/pwm-fan.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwmon/pwm-fan.c
+++ b/drivers/hwmon/pwm-fan.c
@@ -250,7 +250,7 @@ static int pwm_fan_probe(struct platform
 
ret = pwm_fan_of_get_cooling_data(>dev, ctx);
if (ret)
-   return ret;
+   goto err_pwm_disable;
 
ctx->pwm_fan_state = ctx->pwm_fan_max_state;
if (IS_ENABLED(CONFIG_THERMAL)) {




[PATCH 4.19 053/113] drm/sun4i: Fix component unbinding and component master deletion

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit f5a9ed867c83875546c9aadd4ed8e785e9adcc3c ]

For our component-backed driver to be properly removed, we need to
delete the component master in sun4i_drv_remove and make sure to call
component_unbind_all in the master's unbind so that all components are
unbound when the master is.

Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support")
Signed-off-by: Paul Kocialkowski 
Signed-off-by: Maxime Ripard 
Link: 
https://patchwork.freedesktop.org/patch/msgid/20190418132727.5128-4-paul.kocialkow...@bootlin.com
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/sun4i/sun4i_drv.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c 
b/drivers/gpu/drm/sun4i/sun4i_drv.c
index 7cac01c72c027..62703630090aa 100644
--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
+++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
@@ -160,6 +160,8 @@ static void sun4i_drv_unbind(struct device *dev)
drm_mode_config_cleanup(drm);
of_reserved_mem_device_release(dev);
drm_dev_put(drm);
+
+   component_unbind_all(dev, NULL);
 }
 
 static const struct component_master_ops sun4i_drv_master_ops = {
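Review bot: component_unbind_all() is called after `drm_dev_put(drm);`, so if that put drops the last reference, any component unbind callback that reaches DRM-owned state runs against memory that has already been released. Unless the components are known not to touch the device during unbind, the call belongs earlier, right after `drm_mode_config_cleanup(drm);`, so teardown mirrors bind in reverse. It also passes `NULL` as the data argument. The matching component_bind_all() call is outside the hunk, so it is worth checking that the callbacks do not expect the drm device there.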
@@ -407,6 +409,8 @@ static int sun4i_drv_probe(struct platform_device *pdev)
 
 static int sun4i_drv_remove(struct platform_device *pdev)
 {
+   component_master_del(>dev, _drv_master_ops);
+
return 0;
 }
 
-- 
2.20.1





[PATCH 4.19 049/113] netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 33d1c018179d0a30c39cc5f1682b77867282694b ]

I believe that "hook->num" can be up to UINT_MAX.  Shifting by more than
31 bits is undefined in C, but in practice it would lead to shift
wrapping.  That would lead to an array overflow in nf_tables_addchain():

ops->hook   = hook.type->hooks[ops->hooknum];

Fixes: fe19c04ca137 ("netfilter: nf_tables: remove nhooks field from struct 
nft_af_info")
Signed-off-by: Dan Carpenter 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1af54119bafc7..f272f9538c44a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1496,7 +1496,7 @@ static int nft_chain_parse_hook(struct net *net,
if (IS_ERR(type))
return PTR_ERR(type);
}
-   if (!(type->hook_mask & (1 << hook->num)))
+   if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
return -EOPNOTSUPP;
 
if (type->type == NFT_CHAIN_T_NAT &&
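Review bot: The new range check uses `>`, so `hook->num == NF_MAX_HOOKS` still passes it and is rejected only if `type->hook_mask` never has that bit set. If `hooks[]` is sized by NF_MAX_HOOKS (its declaration is not in the hunk), that value indexes one past the end in the `hook.type->hooks[ops->hooknum]` access the commit message cites. The bound is better made exclusive and the shift unsigned: `if (hook->num >= NF_MAX_HOOKS || !(type->hook_mask & (1U << hook->num)))`. nft_chain_parse_hook() starts and continues outside the hunk.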
-- 
2.20.1





[PATCH 4.19 057/113] drm/imx: dont skip DP channel disable for background plane

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 7bcde275eb1d0ac8793c77c7e666a886eb16633d ]

In order to make sure that the plane color space gets reset correctly.

Signed-off-by: Lucas Stach 
Signed-off-by: Philipp Zabel 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
index 7d4b710b837ac..11e2dcdd6b18c 100644
--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
+++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
@@ -78,7 +78,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
if (disable_partial)
ipu_plane_disable(ipu_crtc->plane[1], true);
if (disable_full)
-   ipu_plane_disable(ipu_crtc->plane[0], false);
+   ipu_plane_disable(ipu_crtc->plane[0], true);
 }
 
 static void ipu_crtc_atomic_disable(struct drm_crtc *crtc,
-- 
2.20.1





Re: [PATCH V3 4/4] arm64/mm: Enable memory hot remove

2019-05-15 Thread Mark Rutland
Hi Anshuman,

On Tue, May 14, 2019 at 02:30:07PM +0530, Anshuman Khandual wrote:
> Memory removal from an arch perspective involves tearing down two different
> kernel based mappings i.e vmemmap and linear while releasing related page
> table and any mapped pages allocated for given physical memory range to be
> removed.
> 
> Define a common kernel page table tear down helper remove_pagetable() which
> can be used to unmap given kernel virtual address range. In effect it can
> tear down both vmemap or kernel linear mappings. This new helper is called
> from both vmemamp_free() and ___remove_pgd_mapping() during memory removal.
> 
> For linear mapping there are no actual allocated pages which are mapped to
> create the translation. Any pfn on a given entry is derived from physical
> address (__va(PA) --> PA) whose linear translation is to be created. They
> need not be freed as they were never allocated in the first place. But for
> vmemmap which is a real virtual mapping (like vmalloc) physical pages are
> allocated either from buddy or memblock which get mapped in the kernel page
> table. These allocated and mapped pages need to be freed during translation
> tear down. But page table pages need to be freed in both these cases.

As previously discussed, we should only hot-remove memory which was
hot-added, so we shouldn't encounter memory allocated from memblock.

> These mappings need to be differentiated while deciding if a mapped page at
> any level i.e [pte|pmd|pud]_page() should be freed or not. Callers for the
> mapping tear down process should pass on 'sparse_vmap' variable identifying
> kernel vmemmap mappings.

I think that you can simplify the paragraphs above down to:

  The arch code for hot-remove must tear down portions of the linear map
  and vmemmap corresponding to memory being removed. In both cases the
  page tables mapping these regions must be freed, and when sparse
  vmemmap is in use the memory backing the vmemmap must also be freed.

  This patch adds a new remove_pagetable() helper which can be used to
  tear down either region, and calls it from vmemmap_free() and
  ___remove_pgd_mapping(). The sparse_vmap argument determines whether
  the backing memory will be freed.

Could you add a paragraph describing when we can encounter partial
tables (for which we need the p??_none() checks)? IIUC that's not just
for cleaning up a failed hot-add, and it would be good to call that out.

> While here update arch_add_mempory() to handle __add_pages() failures by
> just unmapping recently added kernel linear mapping. Now enable memory hot
> remove on arm64 platforms by default with ARCH_ENABLE_MEMORY_HOTREMOVE.

Nit: s/arch_add_mempory/arch_add_memory/.

[...]

> +#if (CONFIG_PGTABLE_LEVELS > 2)
> +static void free_pmd_table(pmd_t *pmdp, pud_t *pudp, unsigned long addr)
> +{
> + struct page *page;
> + int i;
> +
> + for (i = 0; i < PTRS_PER_PMD; i++) {
> + if (!pmd_none(pmdp[i]))
> + return;
> + }
> +
> + page = pud_page(*pudp);
> + pud_clear(pudp);
> + __flush_tlb_kernel_pgtable(addr);
> + free_hotplug_pgtable_page(page);
> +}
> +#else
> +static void free_pmd_table(pmd_t *pmdp, pud_t *pudp, unsigned long addr) { }
> +#endif

Can we fold the check in and remove the ifdeferry? e.g.

static void free_pmd_table(pmd_t *pmdp, pud_t *pudp, unsigned long addr)
{
struct page *page;
int i;

if (CONFIG_PGTABLE_LEVELS <= 2)
return;

...
}

... that would ensure that we always got build coverage here, and
minimize duplication. We do similar in map_kernel() and
early_fixmap_init() today.

Likewise for the other levels.

For arm64, the general policy is to use READ_ONCE() when reading a page
table entry (even if not strictly necessary), so please do so
consistently.

[...]

> +static void
> +remove_pte_table(pmd_t *pmdp, unsigned long addr,
> + unsigned long end, bool sparse_vmap)
> +{
> + struct page *page;
> + pte_t *ptep;
> + unsigned long start = addr;
> +
> + for (; addr < end; addr += PAGE_SIZE) {
> + ptep = pte_offset_kernel(pmdp, addr);
> + if (!pte_present(*ptep))
> + continue;
> +
> + if (sparse_vmap) {
> + page = pte_page(READ_ONCE(*ptep));
> + free_hotplug_page_range(page, PAGE_SIZE);
> + }
> + pte_clear(_mm, addr, ptep);
> + }
> + flush_tlb_kernel_range(start, end);
> +}

Please use a temporary pte variable here, e.g.

static void remove_pte_table(pmd_t *pmdp, unsigned long addr,
 unsigned long end, bool sparse_vmap)
{
unsigned long start = addr;
struct page *page;
pte_t *ptep, pte;

for (; addr < end; addr += PAGE_SIZE) {
ptep = pte_offset_kernel(pmdp, addr);
pte = READ_ONCE(*ptep);

if (!pte_present(pte))
  

[PATCH 4.19 040/113] tools lib traceevent: Fix missing equality check for strcmp

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit f32c2877bcb068a718bb70094cd59ccc29d4d082 ]

There was a missing comparison with 0 when checking if type is "s64" or
"u64". Therefore, the body of the if-statement was entered if "type" was
"u64" or not "s64", which made the first strcmp() redundant since if
type is "u64", it's not "s64".

If type is "s64", the body of the if-statement is not entered but since
the remainder of the function consists of if-statements which will not
be entered if type is "s64", we will just return "val", which is
correct, albeit at the cost of a few more calls to strcmp(), i.e., it
will behave just as if the if-statement was entered.

If type is neither "s64" or "u64", the body of the if-statement will be
entered incorrectly and "val" returned. This means that any type that is
checked after "s64" and "u64" is handled the same way as "s64" and
"u64", i.e., the limiting of "val" to fit in for example "s8" is never
reached.

This was introduced in the kernel tree when the sources were copied from
trace-cmd in commit f7d82350e597 ("tools/events: Add files to create
libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei
("Implement typecasting in parser") when the function was introduced,
i.e., it has always behaved the wrong way.

Detected by cppcheck.

Signed-off-by: Rikard Falkeborn 
Reviewed-by: Steven Rostedt (VMware) 
Cc: Tzvetomir Stoyanov 
Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a")
Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeb...@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/lib/traceevent/event-parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/lib/traceevent/event-parse.c 
b/tools/lib/traceevent/event-parse.c
index 10985d991ed29..6ccfd13d5cf9c 100644
--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -2192,7 +2192,7 @@ eval_type_str(unsigned long long val, const char *type, 
int pointer)
return val & 0x;
 
if (strcmp(type, "u64") == 0 ||
-   strcmp(type, "s64"))
+   strcmp(type, "s64") == 0)
return val;
 
if (strcmp(type, "s8") == 0)
-- 
2.20.1





Re: mm: use down_read_killable for locking mmap_sem in access_remote_vm

2019-05-15 Thread Matthew Wilcox
On Wed, May 15, 2019 at 10:38:26AM +0200, Michal Koutný wrote:
> Hi,
> making this holder of mmap_sem killable was for the reasons of /proc/...
> diagnostics was an idea I was pondeering too. However, I think the
> approach of pretending we read 0 bytes is not correct. The API would IMO
> need to be extended to allow pass a result such as EINTR to the end
> caller.
> Why do you think it's safe to return just 0?

_killable_, not _interruptible_.

The return value will never be seen by userspace because it's dead.




[PATCH 4.19 051/113] s390: ctcm: fix ctcm_new_device error return code

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 27b141fc234a3670d21bd742c35d7205d03cbb3a ]

clang points out that the return code from this function is
undefined for one of the error paths:

../drivers/s390/net/ctcm_main.c:1595:7: warning: variable 'result' is used 
uninitialized whenever 'if' condition is true
  [-Wsometimes-uninitialized]
if (priv->channel[direction] == NULL) {
^~~~
../drivers/s390/net/ctcm_main.c:1638:9: note: uninitialized use occurs here
return result;
   ^~
../drivers/s390/net/ctcm_main.c:1595:3: note: remove the 'if' if its condition 
is always false
if (priv->channel[direction] == NULL) {
^~~
../drivers/s390/net/ctcm_main.c:1539:12: note: initialize the variable 'result' 
to silence this warning
int result;
  ^

Make it return -ENODEV here, as in the related failure cases.
gcc has a known bug in underreporting some of these warnings
when it has already eliminated the assignment of the return code
based on some earlier optimization step.

Reviewed-by: Nathan Chancellor 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Julian Wiedmann 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/s390/net/ctcm_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index 7617d21cb2960..f63c5c871d3dd 100644
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -1595,6 +1595,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev)
if (priv->channel[direction] == NULL) {
if (direction == CTCM_WRITE)
channel_free(priv->channel[CTCM_READ]);
+   result = -ENODEV;
goto out_dev;
}
priv->channel[direction]->netdev = dev;
-- 
2.20.1





[PATCH 4.19 054/113] selftests/net: correct the return value for run_netsocktests

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 30c04d796b693e22405c38e9b78e9a364e4c77e6 ]

The run_netsocktests will be marked as passed regardless the actual test
result from the ./socket:

selftests: net: run_netsocktests


running socket test

[FAIL]
ok 1..6 selftests: net: run_netsocktests [PASS]

This is because the test script itself has been successfully executed.
Fix this by exit 1 when the test failed.

Signed-off-by: Po-Hsu Lin 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 tools/testing/selftests/net/run_netsocktests | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/run_netsocktests 
b/tools/testing/selftests/net/run_netsocktests
index b093f39c298c3..14e41faf2c574 100755
--- a/tools/testing/selftests/net/run_netsocktests
+++ b/tools/testing/selftests/net/run_netsocktests
@@ -7,7 +7,7 @@ echo ""
 ./socket
 if [ $? -ne 0 ]; then
echo "[FAIL]"
+   exit 1
 else
echo "[PASS]"
 fi
-
-- 
2.20.1





[PATCH 4.19 056/113] gpu: ipu-v3: dp: fix CSC handling

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 ]

Initialize the flow input colorspaces to unknown and reset to that value
when the channel gets disabled. This avoids the state getting mixed up
with a previous mode.

Also keep the CSC settings for the background flow intact when disabling
the foreground flow.

Root-caused-by: Jonathan Marek 
Signed-off-by: Lucas Stach 
Signed-off-by: Philipp Zabel 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/ipu-v3/ipu-dp.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
index 9b2b3fa479c46..5e44ff1f20851 100644
--- a/drivers/gpu/ipu-v3/ipu-dp.c
+++ b/drivers/gpu/ipu-v3/ipu-dp.c
@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
DP_COM_CONF_CSC_DEF_BOTH);
} else {
-   if (flow->foreground.in_cs == flow->out_cs)
+   if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN ||
+   flow->foreground.in_cs == flow->out_cs)
/*
 * foreground identical to output, apply color
 * conversion on background
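Review bot: The comment under the widened condition still reads "foreground identical to output", but the branch is now also taken when `flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN`, i.e. when no foreground colorspace has been set. The comment should name both cases so the reset-to-unknown behaviour this commit introduces is visible at the point where it matters, e.g. `/* foreground unset or identical to output, apply color conversion on background */`. The comment and the branch body continue outside the hunk.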
@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
struct ipu_dp_priv *priv = flow->priv;
u32 reg, csc;
 
+   dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;
+
if (!dp->foreground)
return;
 
@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
 
reg = readl(flow->base + DP_COM_CONF);
csc = reg & DP_COM_CONF_CSC_DEF_MASK;
-   if (csc == DP_COM_CONF_CSC_DEF_FG)
-   reg &= ~DP_COM_CONF_CSC_DEF_MASK;
+   reg &= ~DP_COM_CONF_CSC_DEF_MASK;
+   if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG)
+   reg |= DP_COM_CONF_CSC_DEF_BG;
 
reg &= ~DP_COM_CONF_FG_EN;
writel(reg, flow->base + DP_COM_CONF);
@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, 
unsigned long base)
mutex_init(>mutex);
 
for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
+   priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN;
+   priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN;
priv->flow[i].foreground.foreground = true;
priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
priv->flow[i].priv = priv;
-- 
2.20.1





[PATCH RFC] proc/meminfo: add KernelMisc counter

2019-05-15 Thread Konstantin Khlebnikov
Some kernel memory allocations are not accounted anywhere.
This adds an easy-to-read counter for them, computed by subtracting all tracked kinds.

Signed-off-by: Konstantin Khlebnikov 
---
 Documentation/filesystems/proc.txt |2 ++
 fs/proc/meminfo.c  |   41 +---
 2 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/Documentation/filesystems/proc.txt 
b/Documentation/filesystems/proc.txt
index 66cad5c86171..f11ce167124c 100644
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -891,6 +891,7 @@ VmallocTotal:   112216 kB
 VmallocUsed:   428 kB
 VmallocChunk:   111088 kB
 Percpu:  62080 kB
+KernelMisc: 212856 kB
 HardwareCorrupted:   0 kB
 AnonHugePages:   49152 kB
 ShmemHugePages:  0 kB
@@ -988,6 +989,7 @@ VmallocTotal: total size of vmalloc memory area
 VmallocChunk: largest contiguous block of vmalloc area which is free
   Percpu: Memory allocated to the percpu allocator used to back percpu
   allocations. This stat excludes the cost of metadata.
+  KernelMisc: All other kinds of kernel memory allocaitons
 
 ..
 
diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
index 568d90e17c17..7bc14716fc5d 100644
--- a/fs/proc/meminfo.c
+++ b/fs/proc/meminfo.c
@@ -38,15 +38,21 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
long cached;
long available;
unsigned long pages[NR_LRU_LISTS];
-   unsigned long sreclaimable, sunreclaim;
+   unsigned long sreclaimable, sunreclaim, misc_reclaimable;
+   unsigned long kernel_stack_kb, page_tables, percpu_pages;
+   unsigned long anon_pages, file_pages, swap_cached;
+   long kernel_misc;
int lru;
 
si_meminfo();
si_swapinfo();
committed = percpu_counter_read_positive(_committed_as);
 
-   cached = global_node_page_state(NR_FILE_PAGES) -
-   total_swapcache_pages() - i.bufferram;
+   anon_pages = global_node_page_state(NR_ANON_MAPPED);
+   file_pages = global_node_page_state(NR_FILE_PAGES);
+   swap_cached = total_swapcache_pages();
+
+   cached = file_pages - swap_cached - i.bufferram;
if (cached < 0)
cached = 0;
 
@@ -56,13 +62,25 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
available = si_mem_available();
sreclaimable = global_node_page_state(NR_SLAB_RECLAIMABLE);
sunreclaim = global_node_page_state(NR_SLAB_UNRECLAIMABLE);
+   misc_reclaimable = global_node_page_state(NR_KERNEL_MISC_RECLAIMABLE);
+   kernel_stack_kb = global_zone_page_state(NR_KERNEL_STACK_KB);
+   page_tables = global_zone_page_state(NR_PAGETABLE);
+   percpu_pages = pcpu_nr_pages();
+
+   /* all other kinds of kernel memory allocations */
+   kernel_misc = i.totalram - i.freeram - anon_pages - file_pages
+ - sreclaimable - sunreclaim - misc_reclaimable
+ - (kernel_stack_kb >> (PAGE_SHIFT - 10))
+ - page_tables - percpu_pages;
+   if (kernel_misc < 0)
+   kernel_misc = 0;
 
show_val_kb(m, "MemTotal:   ", i.totalram);
show_val_kb(m, "MemFree:", i.freeram);
show_val_kb(m, "MemAvailable:   ", available);
show_val_kb(m, "Buffers:", i.bufferram);
show_val_kb(m, "Cached: ", cached);
-   show_val_kb(m, "SwapCached: ", total_swapcache_pages());
+   show_val_kb(m, "SwapCached: ", swap_cached);
show_val_kb(m, "Active: ", pages[LRU_ACTIVE_ANON] +
   pages[LRU_ACTIVE_FILE]);
show_val_kb(m, "Inactive:   ", pages[LRU_INACTIVE_ANON] +
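Review bot: The `kernel_misc` subtraction does not remove hugetlb pool pages, and none of the counters subtracted in this hunk appears to cover them. On a system with reserved huge pages they would therefore be reported as KernelMisc although they are not miscellaneous kernel allocations. A further `- hugetlb_total_pages()` term would keep the counter meaningful. The terms are also sampled at different moments and mix `unsigned long` arithmetic with a `long` result, so the `< 0` clamp deserves a comment such as `/* counters are not read atomically; clamp transient underflow */`. meminfo_proc_show() starts and continues outside the hunk.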
@@ -92,20 +110,16 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
global_node_page_state(NR_FILE_DIRTY));
show_val_kb(m, "Writeback:  ",
global_node_page_state(NR_WRITEBACK));
-   show_val_kb(m, "AnonPages:  ",
-   global_node_page_state(NR_ANON_MAPPED));
+   show_val_kb(m, "AnonPages:  ", anon_pages);
show_val_kb(m, "Mapped: ",
global_node_page_state(NR_FILE_MAPPED));
show_val_kb(m, "Shmem:  ", i.sharedram);
-   show_val_kb(m, "KReclaimable:   ", sreclaimable +
-   global_node_page_state(NR_KERNEL_MISC_RECLAIMABLE));
+   show_val_kb(m, "KReclaimable:   ", sreclaimable + misc_reclaimable);
show_val_kb(m, "Slab:   ", sreclaimable + sunreclaim);
show_val_kb(m, "SReclaimable:   ", sreclaimable);
show_val_kb(m, "SUnreclaim: ", sunreclaim);
-   seq_printf(m, "KernelStack:%8lu kB\n",
-  global_zone_page_state(NR_KERNEL_STACK_KB));
-   show_val_kb(m, "PageTables: ",
-   global_zone_page_state(NR_PAGETABLE));
+   

[PATCH 4.19 069/113] usb: typec: Fix unchecked return value

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit e82adc1074a7356f1158233551df9e86b7ebfb82 ]

Currently there is no check on platform_get_irq() return value
in case it fails, hence never actually reporting any errors and
causing unexpected behavior when using such value as argument
for function regmap_irq_get_virq().

Fix this by adding a proper check and an error message, and by returning
*irq* in case platform_get_irq() fails.

Addresses-Coverity-ID: 1443899 ("Improper use of negative value")
Fixes: d2061f9cc32d ("usb: typec: add driver for Intel Whiskey Cove PMIC USB 
Type-C PHY")
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva 
Reviewed-by: Guenter Roeck 
Acked-by: Heikki Krogerus 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/usb/typec/typec_wcove.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/typec/typec_wcove.c b/drivers/usb/typec/typec_wcove.c
index 423208e19383c..6770afd407654 100644
--- a/drivers/usb/typec/typec_wcove.c
+++ b/drivers/usb/typec/typec_wcove.c
@@ -615,8 +615,13 @@ static int wcove_typec_probe(struct platform_device *pdev)
wcove->dev = >dev;
wcove->regmap = pmic->regmap;
 
-   irq = regmap_irq_get_virq(pmic->irq_chip_data_chgr,
- platform_get_irq(pdev, 0));
+   irq = platform_get_irq(pdev, 0);
+   if (irq < 0) {
+   dev_err(>dev, "Failed to get IRQ: %d\n", irq);
+   return irq;
+   }
+
+   irq = regmap_irq_get_virq(pmic->irq_chip_data_chgr, irq);
if (irq < 0)
return irq;
 
-- 
2.20.1





[PATCH 4.19 063/113] RDMA/hns: Bugfix for mapping user db

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 2557fabd6e29f349bfa0ac13f38ac98aa5eafc74 ]

When the maximum send wr delivered by the user is zero, the qp does not
have a sq.

When allocating the sq db buffer to store the user sq pi pointer and map
it to the kernel mode, max_send_wr is used as the trigger condition, while
the kernel does not consider the max_send_wr trigger condition when
mapping db. This causes the sq record doorbell mapping to fail and QP creation to fail.

The failed print information as follows:

 hns3 :7d:00.1: Send cmd: tail - 418, opcode - 0x8504, flag - 0x0011, 
retval - 0x
 hns3 :7d:00.1: Send cmd: 0xe59dc000 0x 0x 0x 
0x0116 0x
 hns3 :7d:00.1: sq record doorbell map failed!
 hns3 :7d:00.1: Create RC QP failed

Fixes: 0425e3e6e0c7 ("RDMA/hns: Support flush cqe for hip08 in kernel space")
Signed-off-by: Lijun Ou 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Sasha Levin 
---
 drivers/infiniband/hw/hns/hns_roce_qp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c 
b/drivers/infiniband/hw/hns/hns_roce_qp.c
index efb7e961ca651..2fa4fb17f6d3c 100644
--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -494,7 +494,7 @@ static int hns_roce_set_kernel_sq_size(struct hns_roce_dev 
*hr_dev,
 
 static int hns_roce_qp_has_sq(struct ib_qp_init_attr *attr)
 {
-   if (attr->qp_type == IB_QPT_XRC_TGT)
+   if (attr->qp_type == IB_QPT_XRC_TGT || !attr->cap.max_send_wr)
return 0;
 
return 1;
-- 
2.20.1





[PATCH 4.19 078/113] net: strparser: partially revert "strparser: Call skb_unclone conditionally"

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 4a9c2e3746e6151fd5d077259d79ce9ca86d47d7 ]

This reverts the first part of commit 4e485d06bb8c ("strparser: Call
skb_unclone conditionally").  To build a message with multiple
fragments we need our own root of frag_list.  We can't simply
use the frag_list of orig_skb, because it will lead to linking
all orig_skbs together creating very long frag chains, and causing
stack overflow on kfree_skb() (which is called recursively on
the frag_lists).

BUG: stack guard page was hit at d40fad41 (stack is 
29dde9f4..8cce03d5)
kernel stack overflow (double-fault):  [#1] PREEMPT SMP
RIP: 0010:free_one_page+0x2b/0x490

Call Trace:
  __free_pages_ok+0x143/0x2c0
  skb_release_data+0x8e/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0

  [...]

  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  __kfree_skb+0xe/0x20
  tcp_disconnect+0xd6/0x4d0
  tcp_close+0xf4/0x430
  ? tcp_check_oom+0xf0/0xf0
  tls_sk_proto_close+0xe4/0x1e0 [tls]
  inet_release+0x36/0x60
  __sock_release+0x37/0xa0
  sock_close+0x11/0x20
  __fput+0xa2/0x1d0
  task_work_run+0x89/0xb0
  exit_to_usermode_loop+0x9a/0xa0
  do_syscall_64+0xc0/0xf0
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Let's leave the second unclone conditional, as I'm not entirely
sure what is its purpose :)

Fixes: 4e485d06bb8c ("strparser: Call skb_unclone conditionally")
Signed-off-by: Jakub Kicinski 
Reviewed-by: Dirk van der Merwe 
Reviewed-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/strparser/strparser.c | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c
index da1a676860cad..0f4e427928781 100644
--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -140,13 +140,11 @@ static int __strp_recv(read_descriptor_t *desc, struct 
sk_buff *orig_skb,
/* We are going to append to the frags_list of head.
 * Need to unshare the frag_list.
 */
-   if (skb_has_frag_list(head)) {
-   err = skb_unclone(head, GFP_ATOMIC);
-   if (err) {
-   STRP_STATS_INCR(strp->stats.mem_fail);
-   desc->error = err;
-   return 0;
-   }
+   err = skb_unclone(head, GFP_ATOMIC);
+   if (err) {
+   STRP_STATS_INCR(strp->stats.mem_fail);
+   desc->error = err;
+   return 0;
}
 
if (unlikely(skb_shinfo(head)->frag_list)) {
-- 
2.20.1





[PATCH 4.19 073/113] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit d4d0e40977ac450f32f2db5e4d8e23c9d2578899 ]

The driver cannot guarantee in the prepare phase that it will be able to
write an MDB entry to the device. In case the driver returned success
during the prepare phase, but then failed to add the entry in the commit
phase, a WARNING [1] will be generated by the switchdev core.

Fix this by doing the work in the prepare phase instead.

[1]
[  358.544486] swp12s0: Commit of object (id=2) failed.
[  358.550061] WARNING: CPU: 0 PID: 30 at net/switchdev/switchdev.c:281 
switchdev_port_obj_add_now+0x9b/0xe0
[  358.560754] CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 
5.0.0-custom-13382-gf2449babf221 #1350
[  358.570472] Hardware name: Mellanox Technologies Ltd. 
MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
[  358.580582] Workqueue: events switchdev_deferred_process_work
[  358.587001] RIP: 0010:switchdev_port_obj_add_now+0x9b/0xe0
...
[  358.614109] RSP: 0018:a6b900d6fe18 EFLAGS: 00010286
[  358.619943] RAX:  RBX: 8b00797ff000 RCX: 
[  358.627912] RDX: 8b00b7a1d4c0 RSI: 8b00b7a152e8 RDI: 8b00b7a152e8
[  358.635881] RBP: 8b005c3f5bc0 R08: 022b R09: 
[  358.643850] R10:  R11: a6b900d6fcc8 R12: 
[  358.651819] R13: dead0100 R14: 8b00b65a23c0 R15: 08b00b7a2200
[  358.659790] FS:  () GS:8b00b7a0() 
knlGS:
[  358.668820] CS:  0010 DS:  ES:  CR0: 80050033
[  358.675228] CR2: 7f00aad90de0 CR3: 0001ca80d000 CR4: 001006f0
[  358.683188] Call Trace:
[  358.685918]  switchdev_port_obj_add_deferred+0x13/0x60
[  358.691655]  switchdev_deferred_process+0x6b/0xf0
[  358.696907]  switchdev_deferred_process_work+0xa/0x10
[  358.702548]  process_one_work+0x1f5/0x3f0
[  358.707022]  worker_thread+0x28/0x3c0
[  358.711099]  ? process_one_work+0x3f0/0x3f0
[  358.715768]  kthread+0x10d/0x130
[  358.719369]  ? __kthread_create_on_node+0x180/0x180
[  358.724815]  ret_from_fork+0x35/0x40

Fixes: 3a49b4fde2a1 ("mlxsw: Adding layer 2 multicast support")
Signed-off-by: Ido Schimmel 
Reported-by: Alex Kushnarov 
Tested-by: Alex Kushnarov 
Acked-by: Jiri Pirko 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c 
b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
index af673abdb4823..a4f237f815d1a 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
@@ -1585,7 +1585,7 @@ static int mlxsw_sp_port_mdb_add(struct mlxsw_sp_port 
*mlxsw_sp_port,
u16 fid_index;
int err = 0;
 
-   if (switchdev_trans_ph_prepare(trans))
+   if (switchdev_trans_ph_commit(trans))
return 0;
 
bridge_port = mlxsw_sp_bridge_port_find(mlxsw_sp->bridge, orig_dev);
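Review bot: The early return now reads `if (switchdev_trans_ph_commit(trans)) return 0;`, the opposite of the skip-on-prepare form it replaces, and nothing in the code says why. A comment above it would stop a later cleanup from flipping it back, e.g. `/* Program the MDB entry in the prepare phase so a device failure is reported before commit */`. mlxsw_sp_port_mdb_add() continues outside the hunk, so whether work done in prepare is undone when a later prepare step fails cannot be checked from here.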
-- 
2.20.1





[PATCH 4.19 076/113] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit b442fed1b724af0de087912a5718ddde1b87acbb ]

The workqueue is used to periodically update the networking stack about
activity / statistics of various objects such as neighbours and TC
actions.

It should not be called as part of memory reclaim path, so remove the
WQ_MEM_RECLAIM flag.

Fixes: 3d5479e92087 ("mlxsw: core: Remove deprecated create_workqueue")
Signed-off-by: Ido Schimmel 
Acked-by: Jiri Pirko 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c 
b/drivers/net/ethernet/mellanox/mlxsw/core.c
index 7482db0767afb..2e6df5804b356 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
@@ -1875,7 +1875,7 @@ static int __init mlxsw_core_module_init(void)
 {
int err;
 
-   mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0);
+   mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, 0, 0);
if (!mlxsw_wq)
return -ENOMEM;
mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0,
-- 
2.20.1





[PATCH 4.19 070/113] netfilter: nf_tables: use-after-free in dynamic operations

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit 3f3a390dbd59d236f62cff8e8b20355ef7069e3d ]

Smatch reports:

   net/netfilter/nf_tables_api.c:2167 nf_tables_expr_destroy()
error: dereferencing freed memory 'expr->ops'

net/netfilter/nf_tables_api.c
2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2163   struct nft_expr *expr)
2164 {
2165if (expr->ops->destroy)
2166expr->ops->destroy(ctx, expr);

--> 2167module_put(expr->ops->type->owner);
   ^
2168 }

Smatch says there are three functions which free expr->ops.

Fixes: b8e204006340 ("netfilter: nft_compat: use .release_ops and remove list 
of extension")
Reported-by: Dan Carpenter 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/nf_tables_api.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f272f9538c44a..ef7ff13a7b992 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2113,9 +2113,11 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx,
 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
   struct nft_expr *expr)
 {
+   const struct nft_expr_type *type = expr->ops->type;
+
if (expr->ops->destroy)
expr->ops->destroy(ctx, expr);
-   module_put(expr->ops->type->owner);
+   module_put(type->owner);
 }
 
 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
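Review bot: Nothing in nf_tables_expr_destroy() says why `type` is read before `->destroy()` is called, so the new local looks like a candidate for removal in a later cleanup. Per the commit message the destroy path can free `expr->ops`, which is what made the old `module_put(expr->ops->type->owner)` a use-after-free. A comment on the local would preserve that reasoning, e.g. `/* ->destroy() may free expr->ops; fetch the type before calling it */`. It is also worth confirming that `type` itself always outlives the ops it was read from, which the hunk does not show.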
-- 
2.20.1





[PATCH 4.19 085/113] Dont jump to compute_result state from check_result state

2019-05-15 Thread Greg Kroah-Hartman
From: Nigel Croxon 

commit 4f4fd7c5798bbdd5a03a60f6269cf1177fbd11ef upstream.

Changing state from check_state_check_result to
check_state_compute_result not only is unsafe but also doesn't
appear to serve a valid purpose.  A raid6 check should only be
pushing out extra writes if doing repair and a mis-match occurs.
The stripe dev management will already try and do repair writes
for failing sectors.

This patch makes the raid6 check_state_check_result handling
work more like raid5's.  If somehow too many failures for a
check, just quit the check operation for the stripe.  When any
checks pass, don't try and use check_state_compute_result for
a purpose it isn't needed for and is unsafe for.  Just mark the
stripe as in sync for passing its parity checks and let the
stripe dev read/write code and the bad blocks list do their
job handling I/O errors.

Repro steps from Xiao:

These are the steps to reproduce this problem:
1. redefined OPT_MEDIUM_ERR_ADDR to 12000 in scsi_debug.c
2. insmod scsi_debug.ko dev_size_mb=11000  max_luns=1 num_tgts=1
3. mdadm --create /dev/md127 --level=6 --raid-devices=5 /dev/sde1 /dev/sde2 
/dev/sde3 /dev/sde5 /dev/sde6
sde is the disk created by scsi_debug
4. echo "2" >/sys/module/scsi_debug/parameters/opts
5. raid-check

It panic:
[ 4854.730899] md: data-check of RAID array md127
[ 4854.857455] sd 5:0:0:0: [sdr] tag#80 FAILED Result: hostbyte=DID_OK 
driverbyte=DRIVER_SENSE
[ 4854.859246] sd 5:0:0:0: [sdr] tag#80 Sense Key : Medium Error [current]
[ 4854.860694] sd 5:0:0:0: [sdr] tag#80 Add. Sense: Unrecovered read error
[ 4854.862207] sd 5:0:0:0: [sdr] tag#80 CDB: Read(10) 28 00 00 00 2d 88 00 04 
00 00
[ 4854.864196] print_req_error: critical medium error, dev sdr, sector 11656 
flags 0
[ 4854.867409] sd 5:0:0:0: [sdr] tag#100 FAILED Result: hostbyte=DID_OK 
driverbyte=DRIVER_SENSE
[ 4854.869469] sd 5:0:0:0: [sdr] tag#100 Sense Key : Medium Error [current]
[ 4854.871206] sd 5:0:0:0: [sdr] tag#100 Add. Sense: Unrecovered read error
[ 4854.872858] sd 5:0:0:0: [sdr] tag#100 CDB: Read(10) 28 00 00 00 2e e0 00 00 
08 00
[ 4854.874587] print_req_error: critical medium error, dev sdr, sector 12000 
flags 4000
[ 4854.876456] sd 5:0:0:0: [sdr] tag#101 FAILED Result: hostbyte=DID_OK 
driverbyte=DRIVER_SENSE
[ 4854.878552] sd 5:0:0:0: [sdr] tag#101 Sense Key : Medium Error [current]
[ 4854.880278] sd 5:0:0:0: [sdr] tag#101 Add. Sense: Unrecovered read error
[ 4854.881846] sd 5:0:0:0: [sdr] tag#101 CDB: Read(10) 28 00 00 00 2e e8 00 00 
08 00
[ 4854.883691] print_req_error: critical medium error, dev sdr, sector 12008 
flags 4000
[ 4854.893927] sd 5:0:0:0: [sdr] tag#166 FAILED Result: hostbyte=DID_OK 
driverbyte=DRIVER_SENSE
[ 4854.896002] sd 5:0:0:0: [sdr] tag#166 Sense Key : Medium Error [current]
[ 4854.897561] sd 5:0:0:0: [sdr] tag#166 Add. Sense: Unrecovered read error
[ 4854.899110] sd 5:0:0:0: [sdr] tag#166 CDB: Read(10) 28 00 00 00 2e e0 00 00 
10 00
[ 4854.900989] print_req_error: critical medium error, dev sdr, sector 12000 
flags 0
[ 4854.902757] md/raid:md127: read error NOT corrected!! (sector 9952 on sdr1).
[ 4854.904375] md/raid:md127: read error NOT corrected!! (sector 9960 on sdr1).
[ 4854.906201] [ cut here ]
[ 4854.907341] kernel BUG at drivers/md/raid5.c:4190!

raid5.c:4190 above is this BUG_ON:

handle_parity_checks6()
...
BUG_ON(s->uptodate < disks - 1); /* We don't need Q to recover */

Cc:  # v3.16+
OriginalAuthor: David Jeffery 
Cc: Xiao Ni 
Tested-by: David Jeffery 
Signed-off-by: David Jeffy 
Signed-off-by: Nigel Croxon 
Signed-off-by: Song Liu 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/raid5.c |   19 ---
 1 file changed, 4 insertions(+), 15 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -4221,26 +4221,15 @@ static void handle_parity_checks6(struct
case check_state_check_result:
sh->check_state = check_state_idle;
 
+   if (s->failed > 1)
+   break;
/* handle a successful check operation, if parity is correct
 * we are done.  Otherwise update the mismatch count and repair
 * parity if !MD_RECOVERY_CHECK
 */
if (sh->ops.zero_sum_result == 0) {
-   /* both parities are correct */
-   if (!s->failed)
-   set_bit(STRIPE_INSYNC, >state);
-   else {
-   /* in contrast to the raid5 case we can validate
-* parity, but still have a failure to write
-* back
-*/
-   sh->check_state = check_state_compute_result;
-   /* Returning at this point means that we may go
-* off and bring p and/or q uptodate again so
-

[PATCH 4.19 082/113] cw1200: fix missing unlock on error in cw1200_hw_scan()

2019-05-15 Thread Greg Kroah-Hartman
From: Wei Yongjun 

commit 51c8d24101c79ffce3e79137e2cee5dfeb956dd7 upstream.

Add the missing unlock before return from function cw1200_hw_scan()
in the error handling case.

Fixes: 4f68ef64cd7f ("cw1200: Fix concurrency use-after-free bugs in 
cw1200_hw_scan()")
Signed-off-by: Wei Yongjun 
Acked-by: Jia-Ju Bai 
Signed-off-by: Kalle Valo 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/st/cw1200/scan.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/st/cw1200/scan.c
+++ b/drivers/net/wireless/st/cw1200/scan.c
@@ -84,8 +84,11 @@ int cw1200_hw_scan(struct ieee80211_hw *
 
frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
req->ie_len);
-   if (!frame.skb)
+   if (!frame.skb) {
+   mutex_unlock(>conf_mutex);
+   up(>scan.lock);
return -ENOMEM;
+   }
 
if (req->ie_len)
skb_put_data(frame.skb, req->ie, req->ie_len);
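Review bot: The new `-ENOMEM` branch releases both locks by hand, so every early return that sits between lock acquisition and release in cw1200_hw_scan() has to repeat the same pair; the unlock this patch adds was missing for exactly that reason. A single unwind label would keep the release in one place, for example `ret = -ENOMEM; goto out_unlock;`, where `out_unlock` is a hypothetical label that drops the mutex and the semaphore before returning. The function starts and ends outside this hunk, so whether other exits already duplicate the pair, and whether a suitable `ret` variable exists, needs checking against the full file. A path that returns with the locks still held would block later scan and configuration requests on the device.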




[PATCH 4.19 081/113] x86/kprobes: Avoid kretprobe recursion bug

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 ]

Avoid kretprobe recursion loop bug by setting a dummy
kprobes to current_kprobe per-CPU variable.

This bug has been introduced with the asm-coded trampoline
code, since previously it used another kprobe for hooking
the function return placeholder (which only has a nop) and
trampoline handler was called from that kprobe.

This revives the old lost kprobe again.

With this fix, we don't see deadlock anymore.

And you can see that all inner-called kretprobe are skipped.

  event_1  235   0
  event_219375   19612

The 1st column is recorded count and the 2nd is missed count.
Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed)
(some difference are here because the counter is racy)

Reported-by: Andrea Righi 
Tested-by: Andrea Righi 
Signed-off-by: Masami Hiramatsu 
Acked-by: Steven Rostedt 
Cc: Linus Torvalds 
Cc: Mathieu Desnoyers 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: sta...@vger.kernel.org
Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster")
Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox
Signed-off-by: Ingo Molnar 
Signed-off-by: Sasha Levin 
---
 arch/x86/kernel/kprobes/core.c | 22 --
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index acb901b43ce4d..544bc2dfe4082 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -749,11 +749,16 @@ asm(
 NOKPROBE_SYMBOL(kretprobe_trampoline);
 STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
 
+static struct kprobe kretprobe_kprobe = {
+   .addr = (void *)kretprobe_trampoline,
+};
+
 /*
  * Called from kretprobe_trampoline
  */
 __visible __used void *trampoline_handler(struct pt_regs *regs)
 {
+   struct kprobe_ctlblk *kcb;
struct kretprobe_instance *ri = NULL;
struct hlist_head *head, empty_rp;
struct hlist_node *tmp;
@@ -763,6 +768,17 @@ __visible __used void *trampoline_handler(struct pt_regs 
*regs)
void *frame_pointer;
bool skipped = false;
 
+   preempt_disable();
+
+   /*
+* Set a dummy kprobe for avoiding kretprobe recursion.
+* Since kretprobe never run in kprobe handler, kprobe must not
+* be running at this point.
+*/
+   kcb = get_kprobe_ctlblk();
+   __this_cpu_write(current_kprobe, _kprobe);
+   kcb->kprobe_status = KPROBE_HIT_ACTIVE;
+
INIT_HLIST_HEAD(_rp);
kretprobe_hash_lock(current, , );
/* fixup registers */
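Review bot: The invariant the new comment relies on, that no kprobe is active when trampoline_handler() is entered, is stated but never checked. The unconditional write to `current_kprobe` here, together with the reset to NULL in the last hunk, would silently discard an active kprobe's per-CPU state if that assumption were ever violated. A cheap guard right after `preempt_disable()` would be `WARN_ON_ONCE(kprobe_running());`, provided a warning is acceptable on this path (to be confirmed); otherwise saving the previous value and restoring it on exit is the alternative. The comment itself would read more clearly as `Set a dummy kprobe to avoid kretprobe recursion. A kretprobe never runs inside a kprobe handler, so no kprobe can be active here.` The function body continues outside this hunk.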
@@ -838,10 +854,9 @@ __visible __used void *trampoline_handler(struct pt_regs 
*regs)
orig_ret_address = (unsigned long)ri->ret_addr;
if (ri->rp && ri->rp->handler) {
__this_cpu_write(current_kprobe, >rp->kp);
-   get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
ri->ret_addr = correct_ret_addr;
ri->rp->handler(ri, regs);
-   __this_cpu_write(current_kprobe, NULL);
+   __this_cpu_write(current_kprobe, _kprobe);
}
 
recycle_rp_inst(ri, _rp);
@@ -857,6 +872,9 @@ __visible __used void *trampoline_handler(struct pt_regs 
*regs)
 
kretprobe_hash_unlock(current, );
 
+   __this_cpu_write(current_kprobe, NULL);
+   preempt_enable();
+
hlist_for_each_entry_safe(ri, tmp, _rp, hlist) {
hlist_del(>hlist);
kfree(ri);
-- 
2.20.1





[PATCH 4.19 097/113] net: ucc_geth - fix Oops when changing number of buffers in the ring

2019-05-15 Thread Greg Kroah-Hartman
From: Christophe Leroy 

[ Upstream commit ee0df19305d9fabd9479b785918966f6e25b733b ]

When changing the number of buffers in the RX ring while the interface
is running, the following Oops is encountered due to the new number
of buffers being taken into account immediately while their allocation
is done when opening the device only.

[   69.882706] Unable to handle kernel paging request for data at address 
0xf100
[   69.890172] Faulting instruction address: 0xc033e164
[   69.895122] Oops: Kernel access of bad area, sig: 11 [#1]
[   69.900494] BE PREEMPT CMPCPRO
[   69.907120] CPU: 0 PID: 0 Comm: swapper Not tainted 
4.14.115-6-g179ade8ce3-dirty #269
[   69.915956] task: c0684310 task.stack: c06da000
[   69.920470] NIP:  c033e164 LR: c02e44d0 CTR: c02e41fc
[   69.925504] REGS: dfff1e20 TRAP: 0300   Not tainted  
(4.14.115-6-g179ade8ce3-dirty)
[   69.934161] MSR:  9032   CR: 22004428  XER: 2000
[   69.940869] DAR: f100 DSISR: 2000
[   69.940869] GPR00: c0352d70 dfff1ed0 c0684310 f0a4 0040 dfff1f68 
 001f
[   69.940869] GPR08: df53f410 1cc00040 0021 c0781640 42004424 100c82b6 
f0a4 df53f5b0
[   69.940869] GPR16: df53f6c0 c05daf84 0040  0040 c0782be4 
 0001
[   69.940869] GPR24:  df53f400 01b0 df53f410 df53f000 003f 
df708220 1cc00044
[   69.978348] NIP [c033e164] skb_put+0x0/0x5c
[   69.982528] LR [c02e44d0] ucc_geth_poll+0x2d4/0x3f8
[   69.987384] Call Trace:
[   69.989830] [dfff1ed0] [c02e4554] ucc_geth_poll+0x358/0x3f8 (unreliable)
[   69.996522] [dfff1f20] [c0352d70] net_rx_action+0x248/0x30c
[   70.002099] [dfff1f80] [c04e93e4] __do_softirq+0xfc/0x310
[   70.007492] [dfff1fe0] [c0021124] irq_exit+0xd0/0xd4
[   70.012458] [dfff1ff0] [c000e7e0] call_do_irq+0x24/0x3c
[   70.017683] [c06dbe80] [c0006bac] do_IRQ+0x64/0xc4
[   70.022474] [c06dbea0] [c001097c] ret_from_except+0x0/0x14
[   70.027964] --- interrupt: 501 at rcu_idle_exit+0x84/0x90
[   70.027964] LR = rcu_idle_exit+0x74/0x90
[   70.037585] [c06dbf60] [2000] 0x2000 (unreliable)
[   70.042984] [c06dbf80] [c004bb0c] do_idle+0xb4/0x11c
[   70.047945] [c06dbfa0] [c004bd14] cpu_startup_entry+0x18/0x1c
[   70.053682] [c06dbfb0] [c05fb034] start_kernel+0x370/0x384
[   70.059153] [c06dbff0] [3438] 0x3438
[   70.063062] Instruction dump:
[   70.066023] 38a0 3880 90010014 4bfff015 80010014 7c0803a6 3123 
7c691910
[   70.073767] 38210010 4e800020 3860 4e800020 <80e3005c> 80c30098 3107 
7d083910
[   70.081690] ---[ end trace be7ccd9c1e1a9f12 ]---

This patch forbids the modification of the number of buffers in the
ring while the interface is running.

Fixes: ac421852b3a0 ("ucc_geth: add ethtool support")
Signed-off-by: Christophe Leroy 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/freescale/ucc_geth_ethtool.c |8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c
+++ b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c
@@ -252,14 +252,12 @@ uec_set_ringparam(struct net_device *net
return -EINVAL;
}
 
+   if (netif_running(netdev))
+   return -EBUSY;
+
ug_info->bdRingLenRx[queue] = ring->rx_pending;
ug_info->bdRingLenTx[queue] = ring->tx_pending;
 
-   if (netif_running(netdev)) {
-   /* FIXME: restart automatically */
-   netdev_info(netdev, "Please re-open the interface\n");
-   }
-
return ret;
 }
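Review bot: The new `return -EBUSY` has no comment saying why a running interface is refused, and the removed `netdev_info()` hint is gone with nothing in its place, so the reason now lives only in the commit message. A comment above the check such as `/* Ring buffers are only allocated on open; a new length on a running interface would be used before the buffers exist */` would keep that reasoning next to the code. The check sits after the validation that ends in `return -EINVAL`, so invalid values are still reported first. uec_set_ringparam() starts outside the hunk, so the validation itself is not visible here.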
 




Re: [PATCH V2 1/2] soc: imx: Add SCU SoC info driver support

2019-05-15 Thread Daniel Baluta
Hi Anson,

Since you are going to send a new version for this please consider my
comment inline.



> +static u32 imx8qxp_soc_revision(void)
> +{
> +   struct imx_sc_msg_misc_get_soc_id msg;
> +   struct imx_sc_rpc_msg *hdr = 
> +   u32 rev = 0;

No need to initialize this here.

> +   int ret;
> +
> +   hdr->ver = IMX_SC_RPC_VERSION;
> +   hdr->svc = IMX_SC_RPC_SVC_MISC;
> +   hdr->func = IMX_SC_MISC_FUNC_GET_CONTROL;
> +   hdr->size = 3;
> +
> +   msg.data.send.control = IMX_SC_C_ID;
> +   msg.data.send.resource = IMX_SC_R_SYSTEM;
> +
> +   ret = imx_scu_call_rpc(soc_ipc_handle, , true);
> +   if (ret) {
> +   dev_err(_scu_soc_pdev->dev,
> +   "get soc info failed, ret %d\n", ret);
> +   /* return 0 means getting revision failed */

Just return 0 here. No need for rev.
> +   return rev;
> +   }
> +


[PATCH 4.19 046/113] selftests: netfilter: check icmp pkttoobig errors are set as related

2019-05-15 Thread Greg Kroah-Hartman
[ Upstream commit becf2319f320cae43e20cf179cc51a355a0deb5f ]

When an icmp error such as pkttoobig is received, conntrack checks
if the "inner" header (header of packet that did not fit link mtu)
matches an existing connection, and, if so, sets that packet as
being related to the conntrack entry it found.

It was recently reported that this "related" setting also works
if the inner header is from another, different connection (i.e.,
artificial/forged icmp error).

Add a test, followup patch will add additional "inner dst matches
outer dst in reverse direction" check before setting related state.

Link: https://www.synacktiv.com/posts/systems/icmp-reachable.html
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 tools/testing/selftests/netfilter/Makefile|   2 +-
 .../netfilter/conntrack_icmp_related.sh   | 283 ++
 2 files changed, 284 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/netfilter/conntrack_icmp_related.sh

diff --git a/tools/testing/selftests/netfilter/Makefile 
b/tools/testing/selftests/netfilter/Makefile
index c9ff2b47bd1ca..a37cb1192c6a6 100644
--- a/tools/testing/selftests/netfilter/Makefile
+++ b/tools/testing/selftests/netfilter/Makefile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0
 # Makefile for netfilter selftests
 
-TEST_PROGS := nft_trans_stress.sh nft_nat.sh
+TEST_PROGS := nft_trans_stress.sh nft_nat.sh conntrack_icmp_related.sh
 
 include ../lib.mk
diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh 
b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
new file mode 100755
index 0..b48e1833bc896
--- /dev/null
+++ b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
@@ -0,0 +1,283 @@
+#!/bin/bash
+#
+# check that ICMP df-needed/pkttoobig icmp are set are set as related
+# state
+#
+# Setup is:
+#
+# nsclient1 -> nsrouter1 -> nsrouter2 -> nsclient2
+# MTU 1500, except for nsrouter2 <-> nsclient2 link (1280).
+# ping nsclient2 from nsclient1, checking that conntrack did set RELATED
+# 'fragmentation needed' icmp packet.
+#
+# In addition, nsrouter1 will perform IP masquerading, i.e. also
+# check the icmp errors are propagated to the correct host as per
+# nat of "established" icmp-echo "connection".
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+ret=0
+
+nft --version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+   echo "SKIP: Could not run test without nft tool"
+   exit $ksft_skip
+fi
+
+ip -Version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+   echo "SKIP: Could not run test without ip tool"
+   exit $ksft_skip
+fi
+
+cleanup() {
+   for i in 1 2;do ip netns del nsclient$i;done
+   for i in 1 2;do ip netns del nsrouter$i;done
+}
+
+ipv4() {
+echo -n 192.168.$1.2
+}
+
+ipv6 () {
+echo -n dead:$1::2
+}
+
+check_counter()
+{
+   ns=$1
+   name=$2
+   expect=$3
+   local lret=0
+
+   cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q 
"$expect")
+   if [ $? -ne 0 ]; then
+   echo "ERROR: counter $name in $ns has unexpected value 
(expected $expect)" 1>&2
+   ip netns exec $ns nft list counter inet filter "$name" 1>&2
+   lret=1
+   fi
+
+   return $lret
+}
+
+check_unknown()
+{
+   expect="packets 0 bytes 0"
+   for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
+   check_counter $n "unknown" "$expect"
+   if [ $? -ne 0 ] ;then
+   return 1
+   fi
+   done
+
+   return 0
+}
+
+for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
+  ip netns add $n
+  ip -net $n link set lo up
+done
+
+DEV=veth0
+ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1
+DEV=veth0
+ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2
+
+DEV=veth0
+ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2
+
+DEV=veth0
+for i in 1 2; do
+ip -net nsclient$i link set $DEV up
+ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV
+ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV
+done
+
+ip -net nsrouter1 link set eth1 up
+ip -net nsrouter1 link set veth0 up
+
+ip -net nsrouter2 link set eth1 up
+ip -net nsrouter2 link set eth2 up
+
+ip -net nsclient1 route add default via 192.168.1.1
+ip -net nsclient1 -6 route add default via dead:1::1
+
+ip -net nsclient2 route add default via 192.168.2.1
+ip -net nsclient2 route add default via dead:2::1
+
+i=3
+ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1
+ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0
+ip -net nsrouter1 addr add dead:1::1/64 dev eth1
+ip -net nsrouter1 addr add dead:3::1/64 dev veth0
+ip -net nsrouter1 route add default via 192.168.3.10
+ip -net nsrouter1 -6 route add default via dead:3::10
+
+ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1
+ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2
+ip -net nsrouter2 addr 
