Commit Graph

797720 Commits

Author SHA1 Message Date
Linus Torvalds a1b3cf6d94 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "Misc fixes:

   - counter freezing related regression fix

   - uprobes race fix

   - Intel PMU unusual event combination fix

   - .. and diverse tooling fixes"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  uprobes: Fix handle_swbp() vs. unregister() + register() race once more
  perf/x86/intel: Disallow precise_ip on BTS events
  perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts()
  perf/x86/intel: Move branch tracing setup to the Intel-specific source file
  perf/x86/intel: Fix regression by default disabling perfmon v4 interrupt handling
  perf tools beauty ioctl: Support new ISO7816 commands
  tools uapi asm-generic: Synchronize ioctls.h
  tools arch x86: Update tools's copy of cpufeatures.h
  tools headers uapi: Synchronize i915_drm.h
  perf tools: Restore proper cwd on return from mnt namespace
  tools build feature: Check if get_current_dir_name() is available
  perf tools: Fix crash on synthesizing the unit
2018-11-30 11:31:48 -08:00
Linus Torvalds 8d9f412d51 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull EFI fix from Ingo Molnar:
 "An arm64 warning fix"

* 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  efi: Prevent GICv3 WARN() by mapping the memreserve table before first use
2018-11-30 11:29:02 -08:00
Linus Torvalds 575d7d0d6f Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull objtool fixes from Ingo Molnar:
 "Two fixes for boundary conditions"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  objtool: Fix segfault in .cold detection with -ffunction-sections
  objtool: Fix double-free in .cold detection error path
2018-11-30 10:57:06 -08:00
Linus Torvalds 5f1ca5c619 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
 "Assorted fixes all over the place.

  The iov_iter one is this cycle regression (splice from UDP triggering
  WARN_ON()), the rest is older"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  afs: Use d_instantiate() rather than d_add() and don't d_drop()
  afs: Fix missing net error handling
  afs: Fix validation/callback interaction
  iov_iter: teach csum_and_copy_to_iter() to handle pipe-backed ones
  exportfs: do not read dentry after free
  exportfs: fix 'passing zero to ERR_PTR()' warning
  aio: fix failure to put the file pointer
  sysv: return 'err' instead of 0 in __sysv_write_inode
2018-11-30 10:47:50 -08:00
Linus Torvalds 49afe66143 This includes two more fixes:
- Change idx variable in DO_TRACE macro to __idx to avoid name conflicts.
    A kvm event had "idx" as a parameter and it confused the macro.
 
  - Fix a race where interrupts would be traced when set_graph_function was set.
    The previous patch set increased a race window that tricked the function graph
    tracer to think it should trace interrupts when it really should not have.
    The bug has been there before, but was seldom hit. Only the last patch series
    made it more common.
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCXACrFhQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qgUuAP9zZ0+PjDIXrkZATogEsMJ1OZKy5AiK
 mwT7S85/ouOeCQEAi5JUcSfwB0caq2nYB1GKOKNfDH0ffeVR4wNykcYjngM=
 =gjwC
 -----END PGP SIGNATURE-----

Merge tag 'trace-v4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull more tracing fixes from Steven Rostedt:
 "Two more fixes:

   - Change idx variable in DO_TRACE macro to __idx to avoid name
     conflicts. A kvm event had "idx" as a parameter and it confused the
     macro.

   - Fix a race where interrupts would be traced when set_graph_function
     was set. The previous patch set increased a race window that
     tricked the function graph tracer to think it should trace
     interrupts when it really should not have.

     The bug has been there before, but was seldom hit. Only the last
     patch series made it more common"

* tag 'trace-v4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing/fgraph: Fix set_graph_function from showing interrupts
  tracepoint: Use __idx instead of idx in DO_TRACE macro to make it unique
2018-11-30 10:40:11 -08:00
Linus Torvalds 0f1f692375 While rewriting the function graph tracer, I discovered a design flaw that
was introduced by a patch that tried to fix one bug, but by doing so created
 another bug. As both bugs corrupt the output (but they do not crash the
 kernel), I decided to fix the design such that it could have both bugs
 fixed. The original fix, fixed time reporting of the function graph tracer
 when doing a max_depth of one. This was code that can test how much the
 kernel interferes with userspace. But in doing so, it could corrupt the time
 keeping of the function profiler.
 
 The issue is that the curr_ret_stack variable was being used for two
 different meanings. One was to keep track of the stack pointer on the
 ret_stack (shadow stack used by the function graph tracer), and the other
 use case was the graph call depth.  Although, the two may be closely
 related, where they got updated was the issue that lead to the two different
 bugs that required the two use cases to be updated differently.
 
 The big issue with this fix is that it requires changing each architecture.
 The good news is, I was able to remove a lot of code that was duplicated
 within the architectures and place it into a single location. Then I could
 make the fix in one place.
 
 I pushed this code into linux-next to let it settle over a week, and before
 doing so, I cross compiled all the affected architectures to make sure that
 they built fine.
 
 In the mean time, I also pulled in a patch that fixes the sched_switch
 previous tasks state output, that was not actually correct.
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCW/4NPhQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qnWAAQCyUIRLgYImr81eTl52lxNRsULk+aiI
 U29kRFWWU0c40AEA1X9sDF0MgOItbRGfZtnHTZEousXRDaDf4Fge2kF7Egg=
 =liQ0
 -----END PGP SIGNATURE-----

Merge tag 'trace-v4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull tracing fixes from Steven Rostedt:
 "While rewriting the function graph tracer, I discovered a design flaw
  that was introduced by a patch that tried to fix one bug, but by doing
  so created another bug.

  As both bugs corrupt the output (but they do not crash the kernel), I
  decided to fix the design such that it could have both bugs fixed. The
  original fix, fixed time reporting of the function graph tracer when
  doing a max_depth of one. This was code that can test how much the
  kernel interferes with userspace. But in doing so, it could corrupt
  the time keeping of the function profiler.

  The issue is that the curr_ret_stack variable was being used for two
  different meanings. One was to keep track of the stack pointer on the
  ret_stack (shadow stack used by the function graph tracer), and the
  other use case was the graph call depth. Although, the two may be
  closely related, where they got updated was the issue that lead to the
  two different bugs that required the two use cases to be updated
  differently.

  The big issue with this fix is that it requires changing each
  architecture. The good news is, I was able to remove a lot of code
  that was duplicated within the architectures and place it into a
  single location. Then I could make the fix in one place.

  I pushed this code into linux-next to let it settle over a week, and
  before doing so, I cross compiled all the affected architectures to
  make sure that they built fine.

  In the mean time, I also pulled in a patch that fixes the sched_switch
  previous tasks state output, that was not actually correct"

* tag 'trace-v4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  sched, trace: Fix prev_state output in sched_switch tracepoint
  function_graph: Have profiler use curr_ret_stack and not depth
  function_graph: Reverse the order of pushing the ret_stack and the callback
  function_graph: Move return callback before update of curr_ret_stack
  function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack
  function_graph: Make ftrace_push_return_trace() static
  sparc/function_graph: Simplify with function_graph_enter()
  sh/function_graph: Simplify with function_graph_enter()
  s390/function_graph: Simplify with function_graph_enter()
  riscv/function_graph: Simplify with function_graph_enter()
  powerpc/function_graph: Simplify with function_graph_enter()
  parisc: function_graph: Simplify with function_graph_enter()
  nds32: function_graph: Simplify with function_graph_enter()
  MIPS: function_graph: Simplify with function_graph_enter()
  microblaze: function_graph: Simplify with function_graph_enter()
  arm64: function_graph: Simplify with function_graph_enter()
  ARM: function_graph: Simplify with function_graph_enter()
  x86/function_graph: Simplify with function_graph_enter()
  function_graph: Create function_graph_enter() to consolidate architecture code
2018-11-30 09:32:34 -08:00
Linus Torvalds 570a37437c drm: i915 gvt, amdgpu, ast, rcar-du, meson + core fixes.
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJcAKgKAAoJEAx081l5xIa+0PgP/A+2bvrs6EgLQHAmdyJtuAzp
 /qeip9RtQG15rmgkzYucRgeTqmIwDHduCJDp7TcJ94Lial2FzBH5o8gRfqcOatgg
 Ury7/MwAOEg4omYxpuRP1qlZkK0wkEZiDT5aWYlYRFZI1+qsL28vdYyA1KflBNLS
 ZbGGB1DOIjtT1NGG4/cMGTd8iGM8cQIDzeKra6ZlTdDA3fARLBrf4bQCuphu7Eqv
 z2n0ZSEmGlvOWEAE4GR3nG3Uu32F6wCKdwWRG+/GLhRRFb8GdXZ3uriZXswdMNwt
 I1pIgHGHcpAGqD6IyHKtoBPlBs1Xs+VL1QwqHkN5hGniF32szBpCKOAPIxhLfJ7w
 S6clk/kauzdlzOI/t31LjKLME9a/mn95wxzridNTv2SmksEmNoNhvsEeXEoMjs2m
 s4CcJTyt5tbRqwXlWQg5DWkBAyNqNI1EkoDJRmefN+rW33m6x79r0RFcv57E8Sbs
 VyaLelyNyOcPm8Tqanko5o9RTQ56sZTNR4aOXVVrxSOBa7iJnK+h/kMeCn8TJDsT
 i8ftCzpco5uycxDgunw+lPoj9rnzuB7i2MgbEb2rOz3Mj8TH/WQnb1YWlUWPejuG
 ClAVjwWJAEy26MdGpMy0XUVtvgJK0h5hvnSA9yXAZjkJzA8LtbV82Nexu2MsEt02
 DiTPOpSgtSyxC4CLZ2G3
 =2Pvh
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-11-30' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "This weeks instalment of fixes. Looks fairly like business as usual
  and everything seems to rolling along. There was one MST fix applied
  and reverted in the misc tree, but otherwise nothing too strange in
  here.

  core:
   - incorrect master setting on error fix

  i915:
   - only GVT fixes this week:
      * one MOCS register load
      * rpm lock fix
      * use after free

  rcar-du:
   - regression fix for group start

  amdgpu:
   - DP MST fix
   - GPUVM fix for huge pages
   - RLC fix for vega20

  ast:
   - fix EDID reading stability
   - ioreg free fix

  meson:
   - sleep in irq fix
   - vblank fixes
   - array boundary fix"

* tag 'drm-fixes-2018-11-30' of git://anongit.freedesktop.org/drm/drm:
  drm/ast: fixed reading monitor EDID not stable issue
  drm/ast: Fix incorrect free on ioregs
  Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
  drm/amdgpu: Add delay after enable RLC ucode
  drm/amdgpu: Avoid endless loop in GPUVM fragment processing
  drm/amdgpu: Cast to uint64_t before left shift
  drm/meson: add support for 1080p25 mode
  drm/meson: Fix OOB memory accesses in meson_viu_set_osd_lut()
  drm/meson: Enable fast_io in meson_dw_hdmi_regmap_config
  drm/meson: Fixes for drm_crtc_vblank_on/off support
  drm: set is_master to 0 upon drm_new_set_master() failure
  drm/dp_mst: Skip validating ports during destruction, just ref
  drm: rcar-du: Fix DU3 start/stop on M3-N
  drm/amd/dm: Understand why attaching path/tile properties are needed
  drm/amd/dm: Don't forget to attach MST encoders
  drm/i915/gvt: Avoid use-after-free iterating the gtt list
  drm/i915/gvt: ensure gpu is powered before do i915_gem_gtt_insert
  drm/i915/gvt: not to touch undefined MOCS registers
2018-11-30 09:10:29 -08:00
Linus Torvalds e9eaf72e73 pstore fix:
- Fix corrupted compression due to unlucky size choice with ECC
 -----BEGIN PGP SIGNATURE-----
 Comment: Kees Cook <kees@outflux.net>
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlwAcoMWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJjwQD/4t+0AYLLGJKkc+YEXj2aVDPftc
 cjHoNvT4voNTf3UzEsjbegfslg0g9UEAnDSOxlecJs81HYiopFpBQ2RMvYffWH7K
 qhJN9X12Fpop5DYJ7fgJJpNPqmVGY783gMNRA5jgh1SKZhK0yzTIwCElysFMoxKc
 U6cKXfkGwnZggNL3bFjqt5r1tiLVkDQVrfZgqcghrOkROmkF0I1kc+PwxRDkeCYh
 Kk3BtKMHTh3XQoX4Xqkq9bSCACYmfvLg6CuTAzqtw5bpWlgtZ3KcXxDxlbSwNe3X
 8SRr9N0qkUsbiQ/vFXY3PY2l9iI1NSVN0cDldaJ/bagOV7YL0kbQZfM01IEUK0j/
 iPrsv4ELT3w0NTYQCB47x4VOf2pt44OwNAmovAmtg71OwPKXAsFJZ4jCid2Pq4Pr
 esik+vwfroWJb+979WVcpyT9eA1P3BHEhBsl5yJV6jSwhWWBZ670RPRDNcHDol/x
 pJPGfDKTznCxwHqBdycqf1z1YtnD1VwGzd8OkNc183qoLeorew/Zv0VeYOL+6d92
 qVBj3FcKeAuzn6it+trBZ6zbGGH4Nxo68tI2BYiAMQJogxRcVjqJ1dNwoZWjdYNm
 w00jqlItJD0rwE8XAOYBoHg5J1o+/QUyz8dwf4mF2rWjqpBT+YC+Y1V5Xdhxg7D0
 xc0VYYZAYwc3XlR83A==
 =/GIT
 -----END PGP SIGNATURE-----

Merge tag 'pstore-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull pstore fix from Kees Cook:
 "Fix corrupted compression due to unlucky size choice with ECC"

* tag 'pstore-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  pstore/ram: Correctly calculate usable PRZ bytes
2018-11-30 09:03:15 -08:00
Linus Torvalds 2b17992f6f First rc pull request
A set of small driver and core code fixes:
 
 - Small series fixing longtime user triggerable bugs in the
   ODP processing inside mlx5 and core code
 
 - Various small driver malfunctions and crashes (use after, free, error
   unwind, implementation bugs)
 
 - A misfunction of the RDMA GID cache that can be triggered by the
   administrator
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEfB7FMLh+8QxL+6i3OG33FX4gmxoFAlwAbPgACgkQOG33FX4g
 mxpMCg/8DMvxyz5byYhLbreKuMCeG8+L5PuvR8myeeA5ycbPUo+HYCFe7fkqpHUH
 tlgLWm0PoMnGh1s8pjD2OvFU2xHAl9tydk1tU8XLBpEjC3XvrD5ZTvd/i2rHdvDy
 hKDGRouU6QnDiNwTR5HrSlqH5OVVZ0K0Oyl3YjAbGItL4xJEEPbiRCWA+SN8tuBl
 mkFEkGr+MKZIDEieatf9KT2cLQbhVbtjG58rTxA1jOVL1ZM+PT0FZ/J7JsQAD2FO
 MVkw2NQrgu/bLiqr2d679rShWRetctap9iYiGna2ftVghCHqXajN477Dv0w01pQu
 5k9JaSPA2j7rGaFql4fyyuHBMqHF+pqwC/p1ExgUpbOTShcibUCIfJbIHhjLVTCl
 sszZculTfCiYnJBiBkSp1G1L784Z6QPnDRacxeHRuV2yUd5MhrW2KCTwk0ZkPV9F
 PKwKCNC90TeD3STUAk0GXouzuZYvqjxDdwiE5ohYgCCR5CNRBS/fdmmRK/PnRb1Y
 ekTYHStoBFT1tkAG5NqAcfKm3qs/tdxlcdo+3sS9n5XWNwyUwUP2buKKnaXu9ACf
 yD3+vDaBCEcGhQXaw6lUm8sTF2P5eD67lMvJiteLJr9dsnk7bUd6+d1sXB3TjJss
 bX5FQx2CwNMnRQ7hKrBqZa3dhCA578Hq0AgmH+1jw/7mD5Ay6Hw=
 =QrHg
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
 "This is a bit later than usual for our first -rc but I'm not seeing
  anything worry-some in the RDMA tree right now. Quiet so far this -rc
  cycle, only a few internal driver related bugs and a small series
  fixing ODP bugs found by more advanced testing.

  A set of small driver and core code fixes:

   - Small series fixing longtime user triggerable bugs in the ODP
     processing inside mlx5 and core code

   - Various small driver malfunctions and crashes (use after, free,
     error unwind, implementation bugs)

   - A misfunction of the RDMA GID cache that can be triggered by the
     administrator"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/mlx5: Initialize return variable in case pagefault was skipped
  IB/mlx5: Fix page fault handling for MW
  IB/umem: Set correct address to the invalidation function
  IB/mlx5: Skip non-ODP MR when handling a page fault
  RDMA/hns: Bugfix pbl configuration for rereg mr
  iser: set sector for ambiguous mr status errors
  RDMA/rdmavt: Fix rvt_create_ah function signature
  IB/mlx5: Avoid load failure due to unknown link width
  IB/mlx5: Fix XRC QP support after introducing extended atomic
  RDMA/bnxt_re: Avoid accessing the device structure after it is freed
  RDMA/bnxt_re: Fix system hang when registration with L2 driver fails
  RDMA/core: Add GIDs while changing MAC addr only for registered ndev
  RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR
  net/mlx5: Fix XRC SRQ umem valid bits
2018-11-30 08:57:31 -08:00
Steven Rostedt (VMware) 5cf99a0f31 tracing/fgraph: Fix set_graph_function from showing interrupts
The tracefs file set_graph_function is used to only function graph functions
that are listed in that file (or all functions if the file is empty). The
way this is implemented is that the function graph tracer looks at every
function, and if the current depth is zero and the function matches
something in the file then it will trace that function. When other functions
are called, the depth will be greater than zero (because the original
function will be at depth zero), and all functions will be traced where the
depth is greater than zero.

The issue is that when a function is first entered, and the handler that
checks this logic is called, the depth is set to zero. If an interrupt comes
in and a function in the interrupt handler is traced, its depth will be
greater than zero and it will automatically be traced, even if the original
function was not. But because the logic only looks at depth it may trace
interrupts when it should not be.

The recent design change of the function graph tracer to fix other bugs
caused the depth to be zero while the function graph callback handler is
being called for a longer time, widening the race of this happening. This
bug was actually there for a longer time, but because the race window was so
small it seldom happened. The Fixes tag below is for the commit that widen
the race window, because that commit belongs to a series that will also help
fix the original bug.

Cc: stable@kernel.org
Fixes: 39eb456dac ("function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack")
Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
Tested-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2018-11-29 22:09:00 -05:00
Zenghui Yu 0c7a52e4d4 tracepoint: Use __idx instead of idx in DO_TRACE macro to make it unique
After enabling KVM event tracing, almost all of trace_kvm_exit()'s
printk shows

	"kvm_exit: IRQ: ..."

even if the actual exception_type is NOT IRQ.  More specifically,
trace_kvm_exit() is defined in virt/kvm/arm/trace.h by TRACE_EVENT.

This slight problem may have existed after commit e6753f23d9
("tracepoint: Make rcuidle tracepoint callers use SRCU"). There are
two variables in trace_kvm_exit() and __DO_TRACE() which have the
same name, *idx*. Thus the actual value of *idx* will be overwritten
when tracing. Fix it by adding a simple prefix.

Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Wang Haibin <wanghaibin.wang@huawei.com>
Cc: linux-trace-devel@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: e6753f23d9 ("tracepoint: Make rcuidle tracepoint callers use SRCU")
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2018-11-29 22:08:38 -05:00
David Howells 73116df7bb afs: Use d_instantiate() rather than d_add() and don't d_drop()
Use d_instantiate() rather than d_add() and don't d_drop() in
afs_vnode_new_inode().  The dentry shouldn't be removed as it's not
changing its name.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-29 21:08:14 -05:00
David Howells 4584ae96ae afs: Fix missing net error handling
kAFS can be given certain network errors (EADDRNOTAVAIL, EHOSTDOWN and
ERFKILL) that it doesn't handle in its server/address rotation algorithms.
They cause the probing and rotation to abort immediately rather than
rotating.

Fix this by:

 (1) Abstracting out the error prioritisation from the VL and FS rotation
     algorithms into a common function and expand usage into the server
     probing code.

     When multiple errors are available, this code selects the one we'd
     prefer to return.

 (2) Add handling for EADDRNOTAVAIL, EHOSTDOWN and ERFKILL.

Fixes: 0fafdc9f88 ("afs: Fix file locking")
Fixes: 0338747d8454 ("afs: Probe multiple fileservers simultaneously")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-29 21:08:14 -05:00
David Howells ae3b7361dc afs: Fix validation/callback interaction
When afs_validate() is called to validate a vnode (inode), there are two
unhandled cases in the fastpath at the top of the function:

 (1) If the vnode is promised (AFS_VNODE_CB_PROMISED is set), the break
     counters match and the data has expired, then there's an implicit case
     in which the vnode needs revalidating.

     This has no consequences since the default "valid = false" set at the
     top of the function happens to do the right thing.

 (2) If the vnode is not promised and it hasn't been deleted
     (AFS_VNODE_DELETED is not set) then there's a default case we're not
     handling in which the vnode is invalid.  If the vnode is invalid, we
     need to bring cb_s_break and cb_v_break up to date before we refetch
     the status.

     As a consequence, once the server loses track of the client
     (ie. sufficient time has passed since we last sent it an operation),
     it will send us a CB.InitCallBackState* operation when we next try to
     talk to it.  This calls afs_init_callback_state() which increments
     afs_server::cb_s_break, but this then doesn't propagate to the
     afs_vnode record.

     The result being that every afs_validate() call thereafter sends a
     status fetch operation to the server.

Clarify and fix this by:

 (A) Setting valid in all the branches rather than initialising it at the
     top so that the compiler catches where we've missed.

 (B) Restructuring the logic in the 'promised' branch so that we set valid
     to false if the callback is due to expire (or has expired) and so that
     the final case is that the vnode is still valid.

 (C) Adding an else-statement that ups cb_s_break and cb_v_break if the
     promised and deleted cases don't match.

Fixes: c435ee3455 ("afs: Overhaul the callback handling")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-29 21:08:14 -05:00
Linus Torvalds 94f371cb73 ACPI fix for 4.20-rc5
Fix a recent regression in ACPICA releted to the Generic Serial Bus
 protocol handling and causing it to read or write too little or too
 much data in some cases, so incorrect data may be written to hardware
 as a result (Hans de Goede).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJcAE+KAAoJEILEb/54YlRxoDQP/RIGQDpBQa9AZ4Z0+t2Ehze7
 4WRXAIDJBbV8wz2VOJz1UFIdNvyBIldUZFs2MAdDpMywhuPorTx4SiHsrhQBwUao
 khwMEGvCwzSuAo1aUC/IF7asUB/JWwVp7RusHvExyIMEH4Ie9ZmFfCD9CffMj3ol
 0dq3EJxpCTWEeZkD7cSFRjfmcEXjsx1OKFY65thg5cJaaiNb9UFNMuOQyEVIDuwS
 Mr/NBvj6VsGEe1rNViJlI2N24NVx9mrkqpOol3SRL3N3g022iQlE9WqaA1NOkiWo
 gTaSifY8QHUCFsoZjTyO0rOxr0emQKIS2A0mRBCNBANdRgq98VkwVjStJCndSrKM
 TXJwiZuw0xDphqBUFoTqycE2wTI2RSKvs/WEGYHI0KsPm5MCjxeiDZYgieSx60P5
 j2V2YtOuB4n0q0gjtrEeCJDqtzXsbEBU6YBB1WuV9e5kdk6hePssLGg++bHn3yKX
 j9cKJFnM1FuS83Mgg+QMOUj9Dh2KBTFMsym3I7YQhkGsl3IzLFHtRDrSpdA6tyxQ
 b/q74xw3HbKqbZg/LZDecE+uYdo2abn9elEIu4wRFllFL0x6YiqXOaKEjSPB6l3s
 rm613/0gMSaAGPDFsSIISAMuqjbNbvvJXU45MXfo6XSZRhwP55lmGyxKYm+FhDRv
 fxz2nZMaaeHgdfLYmgsp
 =F3ad
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
 "Fix a recent regression in ACPICA releted to the Generic Serial Bus
  protocol handling and causing it to read or write too little or too
  much data in some cases, so incorrect data may be written to hardware
  as a result (Hans de Goede)"

* tag 'acpi-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPICA: Fix handling of buffer-size in acpi_ex_write_data_to_field()
2018-11-29 15:54:12 -08:00
Linus Torvalds 2f8406891f Power management fixes for 4.20-rc5
- Fix the handling of the "operating-points-v2" property to
    avoid failures if multiple phandles are present in it which
    is legitimate (Viresh Kumar).
 
  - Drop the unnecessary static initialization of the .owner field in
    the ti_opp_supply_driver structure (YueHaibing).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJcAE74AAoJEILEb/54YlRxE68P/3VlBcgCQv9u6kHhDi3qMEEI
 VcYtzE17ruUDIfV9IvifeOOYNT0/38nFN947f6QRFOxepsRhStDGAl7VHqfdNF63
 17MWlWD8ko+UUtatOCeHfDbVx+8ssXcAMV5VNu3+2PEb3qNh0C/uILlnQdxqWG2H
 YGo1RHrTMC3Hpavt9HPX6j6Q7wXVz397JdakqjPjp4K8cZzZemzTYzLST/KZrYFy
 th+DhIT7SbtB5WRziyVGalb+aMcLyq/CLOviwVn5NJdsoFHPnPQpYxMVdj3gcpTe
 4XHU225/T7KmDUT4arqhSNBB21b0admrQzmJjVrVHy4swK4xbJKkCE64daApBOlK
 rtpGy9/J5trm0H74OTt691yIT8TRwUrY8BwwHUpFbZD/k1wUQqSG35S88JPtpqmF
 W4Hc1dH4ktkW4foYX+9wZwHPEyTEFowx9u1otRZhBXLlCxGQwi1SPm8FyTifnERp
 KDReKDvA52+bNWwN2TuV3AWjv1oCfX2d5kn28ioVDIU8XRO5bKE67InD8HjIidUH
 cQEZ6Vcu9NAKvFia1h0ZeDr39gVvTSJnF7xU1GPI1D9APNvXkGh/Q5Fa9fr9MO8x
 k+KwxbOo6e3vt8qWIDGCjq8sFtPFCST5nMdl00VMo5t/9FBzClH03D4L0vYv6jjN
 5z8sYv/o1Ac5O6Ypw20Y
 =vxO4
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These fix two issues in the operating performance points (OPP)
  framework.

  Specifics:

   - Fix the handling of the "operating-points-v2" property to avoid
     failures if multiple phandles are present in it which is legitimate
     (Viresh Kumar).

   - Drop the unnecessary static initialization of the .owner field in
     the ti_opp_supply_driver structure (YueHaibing)"

* tag 'pm-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  OPP: Fix parsing of multiple phandles in "operating-points-v2" property
  opp: ti-opp-supply: Fix platform_no_drv_owner.cocci warnings
2018-11-29 15:07:30 -08:00
Leon Romanovsky 7bca603a69 RDMA/mlx5: Initialize return variable in case pagefault was skipped
Pagefaults occurred in non-ODP MR are completely valid events, so
initialize return variable to 0.

Fixes: 4d5422a309 ("IB/mlx5: Skip non-ODP MR when handling a page fault")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-11-29 15:16:45 -07:00
Kees Cook 89d328f637 pstore/ram: Correctly calculate usable PRZ bytes
The actual number of bytes stored in a PRZ is smaller than the
bytes requested by platform data, since there is a header on each
PRZ. Additionally, if ECC is enabled, there are trailing bytes used
as well. Normally this mismatch doesn't matter since PRZs are circular
buffers and the leading "overflow" bytes are just thrown away. However, in
the case of a compressed record, this rather badly corrupts the results.

This corruption was visible with "ramoops.mem_size=204800 ramoops.ecc=1".
Any stored crashes would not be uncompressable (producing a pstorefs
"dmesg-*.enc.z" file), and triggering errors at boot:

  [    2.790759] pstore: crypto_comp_decompress failed, ret = -22!

Backporting this depends on commit 70ad35db33 ("pstore: Convert console
write to use ->write_buf")

Reported-by: Joel Fernandes <joel@joelfernandes.org>
Fixes: b0aad7a99c ("pstore: Add compression support to pstore")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
2018-11-29 13:46:43 -08:00
Rafael J. Wysocki c4f7842682 Merge branch 'acpica-fixes'
* acpica-fixes:
  ACPICA: Fix handling of buffer-size in acpi_ex_write_data_to_field()
2018-11-29 21:21:39 +01:00
Linus Torvalds f92a2ebb3d selinux/stable-4.20 PR 20181129
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAlwAFUUUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXM7ThAAw1j+HSBNM4util2Ji5JZKjjThdVe
 ZS1Jji30H51lVl3PNOfIUd9Ep3jLVbQOQ40jFQ2B8LEjjITKQykHtp4p6raYAxbb
 yEJGeVikD+UZ0izHMj05uZRBNY5F09s6y1WGMz8EZ6NdSSQezW0CpBCvKN4FpyKQ
 LgHmW7oRccSBgs5IcW8bCX/aM1p+HsI8N508T8MbO3qDt4/0OU/6OM+NAE19WvYp
 HVrq/BfRgDoQSoz3XxW5bCa7r3GFtxYYtTUjVnqBiRcEk+u67JJ5iJMwiUos1kV3
 94iAedGB1cXL0+qgyyb7eaoemSWL2A8FqTwEOL0VoIvaGzW4HJmioIzYgOGd4ni6
 BzXHIfdDff3DDWZ+g/T0da6znDLJ+R6u9xETAXcQ+g15FZ0F1ZY+3lJGlQvYfIVY
 RGHlWB93NU/Y2vebeqaGDuQOTu8XXJfBBjlHNUi3NQbRZ0ITBduTGpwpyKA6Uuiz
 cqrNt7DECTPJzOAJNeZZ7Flhfto1KQvLnPacWzjv9S8Cj1cJn2uS97QPkEqYQVYe
 b5D2PprAXpP6hPq3+Roxe+tBL1G+9XjStNrL0xPLgbiQvGCcsoD0R1dEZAesyfLO
 ZQGBP+0O/lFyQwn8T3A9QKZRgZFcfVMyOGbQRCUs98XkH0gvbLyfBNzN72aEy0+I
 ADbhCoY7pfs1ZZs=
 =SyQy
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20181129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull SELinux fix from Paul Moore:
 "One more SELinux fix for v4.20: add some missing netlink message to
  SELinux permission mappings. The netlink messages were added in v4.19,
  but unfortunately we didn't catch it then because the mechanism to
  catch these things was bypassed.

  In addition to adding the mappings, we're adding some comments to the
  code to hopefully prevent bypasses in the future"

* tag 'selinux-pr-20181129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: add support for RTM_NEWCHAIN, RTM_DELCHAIN, and RTM_GETCHAIN
2018-11-29 10:15:06 -08:00
Linus Torvalds 3578f19143 s390 updates for 4.20-rc5
- Add two missing kfree calls on error paths in the vfio-ccw code
 
  - Make sure that all data structures of a mediated vfio-ccw device are
    initialized before registering it
 
  - Fix a sparse warning in vfio-ccw
 
  - A followup patch for the pgtable_bytes accounting, the page table
    downgrade for compat processes missed a mm_dec_nr_pmds()
 
  - Reject sampling requests in the PMU init function of the CPU
    measurement counter facility
 
  - With the vfio AP driver an AP queue needs to be reset on every device
    probe as the alternative driver could have modified the device state
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJb/9clAAoJEDjwexyKj9rgDFIIAMifOGVivY5Dq+PbS2YfVJAS
 QVMN6PZEyOZaLHk9rTxIFTAwaZ6i4i0vw01UOiE91VJkDz49wHenDiwaNELtVQrs
 57FkzbEuAhjKJ6DaWIr7bWgeaBFUlC+Z4mNxXFaNI2olzNncHhDJME7lPI/XoBvu
 zPlWBvliiNiaHAzLBDLw+zx1wyxyYjV+B8ZZ9HtH0xzHm3EOiRWpVsr2TbwePEmd
 yC6fTYoDUSJHZF9eoVZaJ0p1wSa8d6NfTE7a5TZOIv7yZQHWo0/tyN0wzyoWb0Oo
 7volx9/4BjbP7fBIkBN6LMPDNH8itTmrx6wdhekf+tElBj1iOOi27l8rcyTby00=
 =AgxV
 -----END PGP SIGNATURE-----

Merge tag 's390-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 updates from Martin Schwidefsky:

 - Add two missing kfree calls on error paths in the vfio-ccw code

 - Make sure that all data structures of a mediated vfio-ccw device are
   initialized before registering it

 - Fix a sparse warning in vfio-ccw

 - A followup patch for the pgtable_bytes accounting, the page table
   downgrade for compat processes missed a mm_dec_nr_pmds()

 - Reject sampling requests in the PMU init function of the CPU
   measurement counter facility

 - With the vfio AP driver an AP queue needs to be reset on every device
   probe as the alternative driver could have modified the device state

* tag 's390-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/mm: correct pgtable_bytes on page table downgrade
  s390/zcrypt: reinit ap queue state machine during device probe
  s390/cpum_cf: Reject request for sampling in event initialization
  s390/cio: Fix cleanup when unsupported IDA format is used
  s390/cio: Fix cleanup of pfn_array alloc failure
  vfio: ccw: Register mediated device once all structures are initialized
  s390/cio: make vfio_ccw_io_region static
2018-11-29 10:10:42 -08:00
Linus Torvalds b905e2db5c sound fixes for 4.20-rc5
As a usual pattern, we've got relatively large updates at rc5.
 - A fix for races in ALSA control user elements
 - ASoC DAPM regression due to component refactoring
 - A fix in error handling of ASoC iteration macro
 - ASoC Intel SST Skylake kconfig fix; a new Kconfig will appear as a
   consequence, but in the end it's a good cleanup
 - HD-audio and USB-audio quirks as always
 - Assort of ASoC driver fixes (pcm186x, Intel cht, rockchip, pcm3060,
   rsnd, omap, wm_adsp, qcom, sunxi, stm32)
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlv+yaEOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE8rJRAAs3PHBkPy5xVd8bTFiWNPiMrts3GWjTMiQbPf
 oQcgfXjJFyAnsdIQlCGwF9dLCVCRQDGUqe1Uf01CCP/0yzY2aXjzNa8SF8Mxt2PZ
 F5AZs8BgQyMKNqHCvyFEUwrPTwhNj3APk19oBdB+lfU7alFf/JNkuBP3cnYASGeJ
 CybHJzRtPr8r12a46olttU7CqGC6twoNG84It6C+gfIvmG4Wqh0nHVVubLXpwCJG
 mDt/fgsCwXDfUD41mNZ2KjIufWWI1SHcHWSCP9xV8W9vcugH1AvD/DkvBp4JpGuG
 92emTcOVJNV3Xg5fOeL3wMmk8YiDtxezdQs0ZWKSDLINo8Q9jvfCHvFGW3fJI85y
 Fwwm8c2s/MYUEfyUyqbdNekFmQ9t4Gt+tjRKMjZhmj1N40CuyFQOC2kx4oF8J15Z
 7U8/eOQ6paUV+E2Tbrui5qsdt3IzV3YAAJwbVPXjqJQ26uxKwgNzd0oO1mGKUX5N
 f5h2EMb3mwCPwsxZR8Bi5NmSpCyUXNKDrUogauPjV1IX8x3vC5TpwrI9IWupUNQu
 oUOsJxc8Mp4qeufspfdaB3m/8nQJ66sxfLTMuagT7Iy007DfLP2V8xyjAbNtxwq4
 yg2/xTxpictFiAQ5h+Ignk96+aSS1VS77XFTVsyq3cYGRtw2ByUtffG1TUlBu9sg
 mAw9P7I=
 =GXsL
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "As a usual pattern, we've got relatively large updates at rc5:

   - A fix for races in ALSA control user elements

   - ASoC DAPM regression due to component refactoring

   - A fix in error handling of ASoC iteration macro

   - ASoC Intel SST Skylake kconfig fix; a new Kconfig will appear as a
     consequence, but in the end it's a good cleanup

   - HD-audio and USB-audio quirks as always

   - Assort of ASoC driver fixes (pcm186x, Intel cht, rockchip, pcm3060,
     rsnd, omap, wm_adsp, qcom, sunxi, stm32)"

* tag 'sound-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (34 commits)
  ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock
  ALSA: hda/realtek - Support ALC300
  ALSA: hda/realtek - Add auto-mute quirk for HP Spectre x360 laptop
  ALSA: hda/realtek - fix the pop noise on headphone for lenovo laptops
  ALSA: control: Fix race between adding and removing a user element
  ALSA: sparc: Fix invalid snd_free_pages() at error path
  ALSA: wss: Fix invalid snd_free_pages() at error path
  ALSA: hda/realtek - fix headset mic detection for MSI MS-B171
  ALSA: hda: Add ASRock N68C-S UCC the power_save blacklist
  ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
  ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
  ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
  ASoC: omap-mcbsp: Fix latency value calculation for pm_qos
  ASoC: acpi: fix: continue searching when machine is ignored
  ASoC: Intel: Skylake: fix Kconfigs, make HDaudio codec optional
  MAINTAINERS: add ASoC maintainers for sound dt-bindings
  ASoC: pcm186x: Fix device reset-registers trigger value
  ASoC: dapm: Recalculate audio map forcely when card instantiated
  ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing
  ASoC: pcm3060: Rename output widgets
  ...
2018-11-29 10:03:42 -08:00
Linus Torvalds 9af33b5745 \n
-----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEq1nRK9aeMoq1VSgcnJ2qBz9kQNkFAlv/mEEACgkQnJ2qBz9k
 QNm0kggA8SckBccdUZqpjxohASx9crp+jJeor2TRYCwyVfqdbDjkCOfv9k7+ddD4
 D1qN/AEudQXPzr/DrjI0W9fnFG957FLo60RQ0aGwsq/3wfmzfMJ0qXIw2tyoqjIH
 VxFecL2f3TKMr5zU9N1QoxJVAMAo5LOGbXO+qNYgTaOJ0EBpw9kxK14ib9JOi+pQ
 CItZkAv4eOWMsA/AaRsWN7AGmsziwcMdoAZYRT2wiWdTmubYn66Negnffq2jVHjP
 /kYlFjNcgpsuTg1AiTM+JlBwctEeLm37PUyimip3cdYwu6HcfNmCHDjEIzN2YphJ
 twzAauTEr0bjNFiNWYraUPVHEcspNw==
 =kKDs
 -----END PGP SIGNATURE-----

Merge tag 'fixes_for_v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull ext2 and udf fixes from Jan Kara:
 "Three small ext2 and udf fixes"

* tag 'fixes_for_v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  ext2: fix potential use after free
  ext2: initialize opts.s_mount_opt as zero before using it
  udf: Allow mounting volumes with incorrect identification strings
2018-11-29 09:56:00 -08:00
Paul Moore 598e1a42e9 selinux: add support for RTM_NEWCHAIN, RTM_DELCHAIN, and RTM_GETCHAIN
Commit 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
added new RTM_* definitions without properly updating SELinux, this
patch adds the necessary SELinux support.

While there was a BUILD_BUG_ON() in the SELinux code to protect from
exactly this case, it was bypassed in the broken commit.  In order to
hopefully prevent this from happening in the future, add additional
comments which provide some instructions on how to resolve the
BUILD_BUG_ON() failures.

Fixes: 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
Cc: <stable@vger.kernel.org> # 4.19
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-11-29 11:32:02 -05:00
Dave Airlie ebcdcef303 - mst: Don't try to validate ports while destroying them (Lyude)
- Revert: Don't try to validate ports while destroying them (Lyude)
 - core: Don't set device to master unless set_master succeeds (Sergio)
 - meson: Do vblank_on/off on enable/disable (Neil)
 - meson: Use fast_io regmap option to avoid sleeping in irq ctx (Lyude)
 - meson: Don't walk off the end of the OSD EOTF LUTs (Lyude)
 
 Cc: Lyude Paul <lyude@redhat.com>
 Cc: Sergio Correia <sergio@correia.cc>
 Cc: Neil Armstrong <narmstrong@baylibre.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEfxcpfMSgdnQMs+QqlvcN/ahKBwoFAlv/CEwACgkQlvcN/ahK
 Bwq5ewgAjvVOFwA1hhBH9tdtreAyqjYZV6RjQFxWznMiVbI8JDG95Xr81SORoCgA
 zi/XSX98u3YnV8C1YXfuL3FxMGNV69Jjx4ZNDzybrV5Namkcr8CBf31mx46mjzMP
 4YxfdVEHejlaZEmlm+IK5hJULgwObBwcZL3NmxSh31Uf3EFIIfBIYnE6J5sxLpCu
 y/LpGUTQqiIvT25ZG06rlUkCeFE4aO9PeTP7Ema7FoV7aXl7iO/n790r/9yIdrsD
 ft5Ybuug49cdsSj0jGJuNGcHwHXScN5xHKHN+/BHQySukTyYGgRJQd8X23TiI06F
 BJvU1mRKElfO2JtswGga3uIWgEoXXA==
 =SYWR
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2018-11-28-1' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

- mst: Don't try to validate ports while destroying them (Lyude)
- Revert: Don't try to validate ports while destroying them (Lyude)
- core: Don't set device to master unless set_master succeeds (Sergio)
- meson: Do vblank_on/off on enable/disable (Neil)
- meson: Use fast_io regmap option to avoid sleeping in irq ctx (Lyude)
- meson: Don't walk off the end of the OSD EOTF LUTs (Lyude)

Cc: Lyude Paul <lyude@redhat.com>
Cc: Sergio Correia <sergio@correia.cc>
Cc: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128212936.GA21379@art_vandelay
2018-11-29 10:11:15 +10:00
Dave Airlie 50c1877127 Merge branch 'drm-fixes-4.20' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Fixes for 4.20.  Nothing major.
- DC DP MST fix
- GPUVM fix for huge page mapping
- RLC fix for vega20

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128195905.2897-1-alexander.deucher@amd.com
2018-11-29 10:08:14 +10:00
Dave Airlie 5c1c86031e Merge tag 'drm-intel-fixes-2018-11-28' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
Just gvt-fixes-2018-11-26

""One to correct MOCS registers load on engine list, one for rpm lock
warning fix, and another for use-after-free fix for partial ggtt
list destroy. "

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128180648.GA17585@jlahtine-desk.ger.corp.intel.com
2018-11-29 09:59:26 +10:00
Dave Airlie c5fbf9ebe0 R-Car DU v4.20 regression fix
-----BEGIN PGP SIGNATURE-----
 
 iQJWBAABCgBAFiEEvZRkio5H7O2/GZsYYiVdKZ4oCyQFAlv7sqoiHGxhdXJlbnQu
 cGluY2hhcnRAaWRlYXNvbmJvYXJkLmNvbQAKCRBiJV0pnigLJOs8D/wPpE41qBLk
 S97doZUPGfb4J5HC+7EqiSyzuQ/f0xYT1bNzKlxeU8FJQtXaph7vsGK9t1N59+/1
 vrqp7sAlKVf6hSaoL85GhWev33oZPtqKL7M6n0a5np5o7unYz+Y68vpPQiAL6MHn
 X4+o9OxEUM8ztuioI5fumtiYhY1fvv19Hhkkgo7FnO8cA48qaf2A6PVrnxM58NJC
 OY2bCHZPKgSp/jPgT8z+ARHo/AZyouBarCruriSLtUSurBm1bSlUCjk83tUUl4TL
 yH4vv4TZ4wprZRg3Xa9NoyPEUSZNkE6Z3Sy1gYldvW6fJEIqRwUXkFB85QOZsmKr
 WgvBbEMJcwQyw0fT4fNZGnuBgTrt0F4vcT86QPom8/499L4RMmMJ5yOA/HQtUclJ
 +yiREv6AB/qmIyBV+w/56+41tUmP+DkdkIf3ryveGjAfS6amVdxrt6nMMPU4ck2x
 FGJUmH+vavgTWO9eA+1bqiK9VUzYY1RUd3xt8tU3cNfhMAbf3g1tGc0mQzueS676
 dLYo9Hy4L+dJhkORB3L4lbcKQPlkzFD0TREn2zmivmG9BHKoVwhOjEk68FpVnkwZ
 P8YHIUze+AntNB4gq27iUx0oI/dVvufAouk98JGv/m17qi+MneySH6J+FovXE8Qu
 1/eSMk1W7UFgjVA57s9D77B/aUCrmePikw==
 =GJBo
 -----END PGP SIGNATURE-----

Merge tag 'du-fixes-20181126' of git://linuxtv.org/pinchartl/media into drm-fixes

R-Car DU v4.20 regression fix

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/8134504.ZSXK7gKU4H@avalon
2018-11-29 09:58:40 +10:00
Y.C. Chen 3006256203 drm/ast: fixed reading monitor EDID not stable issue
v1: over-sample data to increase the stability with some specific monitors
v2: refine to avoid infinite loop
v3: remove un-necessary "volatile" declaration

[airlied: fix two checkpatch warnings]

Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com
2018-11-29 09:55:55 +10:00
Sam Bobroff dc25ab0676 drm/ast: Fix incorrect free on ioregs
If the platform has no IO space, ioregs is placed next to the already
allocated regs. In this case, it should not be separately freed.

This prevents a kernel warning from __vunmap "Trying to vfree()
nonexistent vm area" when unloading the driver.

Fixes: 0dd68309b9 ("drm/ast: Try to use MMIO registers when PIO isn't supported")

Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2018-11-29 09:41:11 +10:00
Lyude Paul 9765635b30 Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
This reverts commit:

c54c7374ff ("drm/dp_mst: Skip validating ports during destruction, just ref")

ugh.

In drm_dp_destroy_connector_work(), we have a pretty good chance of
freeing the actual struct drm_dp_mst_port. However, after destroying
things we send a hotplug through (*mgr->cbs->hotplug)(mgr) which is
where the problems start.

For i915, this calls all the way down to the fbcon probing helpers,
which start trying to access the port in a modeset.

[   45.062001] ==================================================================
[   45.062112] BUG: KASAN: use-after-free in ex_handler_refcount+0x146/0x180
[   45.062196] Write of size 4 at addr ffff8882b4b70968 by task kworker/3:1/53

[   45.062325] CPU: 3 PID: 53 Comm: kworker/3:1 Kdump: loaded Tainted: G           O      4.20.0-rc4Lyude-Test+ #3
[   45.062442] Hardware name: LENOVO 20BWS1KY00/20BWS1KY00, BIOS JBET71WW (1.35 ) 09/14/2018
[   45.062554] Workqueue: events drm_dp_destroy_connector_work [drm_kms_helper]
[   45.062641] Call Trace:
[   45.062685]  dump_stack+0xbd/0x15a
[   45.062735]  ? dump_stack_print_info.cold.0+0x1b/0x1b
[   45.062801]  ? printk+0x9f/0xc5
[   45.062847]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   45.062909]  ? ex_handler_refcount+0x146/0x180
[   45.062970]  print_address_description+0x71/0x239
[   45.063036]  ? ex_handler_refcount+0x146/0x180
[   45.063095]  kasan_report.cold.5+0x242/0x30b
[   45.063155]  __asan_report_store4_noabort+0x1c/0x20
[   45.063313]  ex_handler_refcount+0x146/0x180
[   45.063371]  ? ex_handler_clear_fs+0xb0/0xb0
[   45.063428]  fixup_exception+0x98/0xd7
[   45.063484]  ? raw_notifier_call_chain+0x20/0x20
[   45.063548]  do_trap+0x6d/0x210
[   45.063605]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.063732]  do_error_trap+0xc0/0x170
[   45.063802]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.063929]  do_invalid_op+0x3b/0x50
[   45.063997]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.064103]  invalid_op+0x14/0x20
[   45.064162] RIP: 0010:_GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.064274] Code: 00 48 c7 c7 80 fe 53 a0 48 89 e5 e8 5b 6f 26 e1 5d c3 48 8d 0e 0f 0b 48 8d 0b 0f 0b 48 8d 0f 0f 0b 48 8d 0f 0f 0b 49 8d 4d 00 <0f> 0b 49 8d 0e 0f 0b 48 8d 08 0f 0b 49 8d 4d 00 0f 0b 48 8d 0b 0f
[   45.064569] RSP: 0018:ffff8882b789ee10 EFLAGS: 00010282
[   45.064637] RAX: ffff8882af47ae70 RBX: ffff8882af47aa60 RCX: ffff8882b4b70968
[   45.064723] RDX: ffff8882af47ae70 RSI: 0000000000000008 RDI: ffff8882b788bdb8
[   45.064808] RBP: ffff8882b789ee28 R08: ffffed1056f13db4 R09: ffffed1056f13db3
[   45.064894] R10: ffffed1056f13db3 R11: ffff8882b789ed9f R12: ffff8882af47ad28
[   45.064980] R13: ffff8882b4b70968 R14: ffff8882acd86728 R15: ffff8882b4b75dc8
[   45.065084]  drm_dp_mst_reset_vcpi_slots+0x12/0x80 [drm_kms_helper]
[   45.065225]  intel_mst_disable_dp+0xda/0x180 [i915]
[   45.065361]  intel_encoders_disable.isra.107+0x197/0x310 [i915]
[   45.065498]  haswell_crtc_disable+0xbe/0x400 [i915]
[   45.065622]  ? i9xx_disable_plane+0x1c0/0x3e0 [i915]
[   45.065750]  intel_atomic_commit_tail+0x74e/0x3e60 [i915]
[   45.065884]  ? intel_pre_plane_update+0xbc0/0xbc0 [i915]
[   45.065968]  ? drm_atomic_helper_swap_state+0x88b/0x1d90 [drm_kms_helper]
[   45.066054]  ? kasan_check_write+0x14/0x20
[   45.066165]  ? i915_gem_track_fb+0x13a/0x330 [i915]
[   45.066277]  ? i915_sw_fence_complete+0xe9/0x140 [i915]
[   45.066406]  ? __i915_sw_fence_complete+0xc50/0xc50 [i915]
[   45.066540]  intel_atomic_commit+0x72e/0xef0 [i915]
[   45.066635]  ? drm_dev_dbg+0x200/0x200 [drm]
[   45.066764]  ? intel_atomic_commit_tail+0x3e60/0x3e60 [i915]
[   45.066898]  ? intel_atomic_commit_tail+0x3e60/0x3e60 [i915]
[   45.067001]  drm_atomic_commit+0xc4/0xf0 [drm]
[   45.067074]  restore_fbdev_mode_atomic+0x562/0x780 [drm_kms_helper]
[   45.067166]  ? drm_fb_helper_debug_leave+0x690/0x690 [drm_kms_helper]
[   45.067249]  ? kasan_check_read+0x11/0x20
[   45.067324]  restore_fbdev_mode+0x127/0x4b0 [drm_kms_helper]
[   45.067364]  ? kasan_check_read+0x11/0x20
[   45.067406]  drm_fb_helper_restore_fbdev_mode_unlocked+0x164/0x200 [drm_kms_helper]
[   45.067462]  ? drm_fb_helper_hotplug_event+0x30/0x30 [drm_kms_helper]
[   45.067508]  ? kasan_check_write+0x14/0x20
[   45.070360]  ? mutex_unlock+0x22/0x40
[   45.073748]  drm_fb_helper_set_par+0xb2/0xf0 [drm_kms_helper]
[   45.075846]  drm_fb_helper_hotplug_event.part.33+0x1cd/0x290 [drm_kms_helper]
[   45.078088]  drm_fb_helper_hotplug_event+0x1c/0x30 [drm_kms_helper]
[   45.082614]  intel_fbdev_output_poll_changed+0x9f/0x140 [i915]
[   45.087069]  drm_kms_helper_hotplug_event+0x67/0x90 [drm_kms_helper]
[   45.089319]  intel_dp_mst_hotplug+0x37/0x50 [i915]
[   45.091496]  drm_dp_destroy_connector_work+0x510/0x6f0 [drm_kms_helper]
[   45.093675]  ? drm_dp_update_payload_part1+0x1220/0x1220 [drm_kms_helper]
[   45.095851]  ? kasan_check_write+0x14/0x20
[   45.098473]  ? kasan_check_read+0x11/0x20
[   45.101155]  ? strscpy+0x17c/0x530
[   45.103808]  ? __switch_to_asm+0x34/0x70
[   45.106456]  ? syscall_return_via_sysret+0xf/0x7f
[   45.109711]  ? read_word_at_a_time+0x20/0x20
[   45.113138]  ? __switch_to_asm+0x40/0x70
[   45.116529]  ? __switch_to_asm+0x34/0x70
[   45.119891]  ? __switch_to_asm+0x40/0x70
[   45.123224]  ? __switch_to_asm+0x34/0x70
[   45.126540]  ? __switch_to_asm+0x34/0x70
[   45.129824]  process_one_work+0x88d/0x15d0
[   45.133172]  ? pool_mayday_timeout+0x850/0x850
[   45.136459]  ? pci_mmcfg_check_reserved+0x110/0x128
[   45.139739]  ? wake_q_add+0xb0/0xb0
[   45.143010]  ? check_preempt_wakeup+0x652/0x1050
[   45.146304]  ? worker_enter_idle+0x29e/0x740
[   45.149589]  ? __schedule+0x1ec0/0x1ec0
[   45.152937]  ? kasan_check_read+0x11/0x20
[   45.156179]  ? _raw_spin_lock_irq+0xa3/0x130
[   45.159382]  ? _raw_read_unlock_irqrestore+0x30/0x30
[   45.162542]  ? kasan_check_write+0x14/0x20
[   45.165657]  worker_thread+0x1a5/0x1470
[   45.168725]  ? set_load_weight+0x2e0/0x2e0
[   45.171755]  ? process_one_work+0x15d0/0x15d0
[   45.174806]  ? __switch_to_asm+0x34/0x70
[   45.177645]  ? __switch_to_asm+0x40/0x70
[   45.180323]  ? __switch_to_asm+0x34/0x70
[   45.182936]  ? __switch_to_asm+0x40/0x70
[   45.185539]  ? __switch_to_asm+0x34/0x70
[   45.188100]  ? __switch_to_asm+0x40/0x70
[   45.190628]  ? __schedule+0x7d4/0x1ec0
[   45.193143]  ? save_stack+0xa9/0xd0
[   45.195632]  ? kasan_check_write+0x10/0x20
[   45.198162]  ? kasan_kmalloc+0xc4/0xe0
[   45.200609]  ? kmem_cache_alloc_trace+0xdd/0x190
[   45.203046]  ? kthread+0x9f/0x3b0
[   45.205470]  ? ret_from_fork+0x35/0x40
[   45.207876]  ? unwind_next_frame+0x43/0x50
[   45.210273]  ? __save_stack_trace+0x82/0x100
[   45.212658]  ? deactivate_slab.isra.67+0x3d4/0x580
[   45.215026]  ? default_wake_function+0x35/0x50
[   45.217399]  ? kasan_check_read+0x11/0x20
[   45.219825]  ? _raw_spin_lock_irqsave+0xae/0x140
[   45.222174]  ? __lock_text_start+0x8/0x8
[   45.224521]  ? replenish_dl_entity.cold.62+0x4f/0x4f
[   45.226868]  ? __kthread_parkme+0x87/0xf0
[   45.229200]  kthread+0x2f7/0x3b0
[   45.231557]  ? process_one_work+0x15d0/0x15d0
[   45.233923]  ? kthread_park+0x120/0x120
[   45.236249]  ret_from_fork+0x35/0x40

[   45.240875] Allocated by task 242:
[   45.243136]  save_stack+0x43/0xd0
[   45.245385]  kasan_kmalloc+0xc4/0xe0
[   45.247597]  kmem_cache_alloc_trace+0xdd/0x190
[   45.249793]  drm_dp_add_port+0x1e0/0x2170 [drm_kms_helper]
[   45.252000]  drm_dp_send_link_address+0x4a7/0x740 [drm_kms_helper]
[   45.254389]  drm_dp_check_and_send_link_address+0x1a7/0x210 [drm_kms_helper]
[   45.256803]  drm_dp_mst_link_probe_work+0x6f/0xb0 [drm_kms_helper]
[   45.259200]  process_one_work+0x88d/0x15d0
[   45.261597]  worker_thread+0x1a5/0x1470
[   45.264038]  kthread+0x2f7/0x3b0
[   45.266371]  ret_from_fork+0x35/0x40

[   45.270937] Freed by task 53:
[   45.273170]  save_stack+0x43/0xd0
[   45.275382]  __kasan_slab_free+0x139/0x190
[   45.277604]  kasan_slab_free+0xe/0x10
[   45.279826]  kfree+0x99/0x1b0
[   45.282044]  drm_dp_free_mst_port+0x4a/0x60 [drm_kms_helper]
[   45.284330]  drm_dp_destroy_connector_work+0x43e/0x6f0 [drm_kms_helper]
[   45.286660]  process_one_work+0x88d/0x15d0
[   45.288934]  worker_thread+0x1a5/0x1470
[   45.291231]  kthread+0x2f7/0x3b0
[   45.293547]  ret_from_fork+0x35/0x40

[   45.298206] The buggy address belongs to the object at ffff8882b4b70968
                which belongs to the cache kmalloc-2k of size 2048
[   45.303047] The buggy address is located 0 bytes inside of
                2048-byte region [ffff8882b4b70968, ffff8882b4b71168)
[   45.308010] The buggy address belongs to the page:
[   45.310477] page:ffffea000ad2dc00 count:1 mapcount:0 mapping:ffff8882c080cf40 index:0x0 compound_mapcount: 0
[   45.313051] flags: 0x8000000000010200(slab|head)
[   45.315635] raw: 8000000000010200 ffffea000aac2808 ffffea000abe8608 ffff8882c080cf40
[   45.318300] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[   45.320966] page dumped because: kasan: bad access detected

[   45.326312] Memory state around the buggy address:
[   45.329085]  ffff8882b4b70800: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.331845]  ffff8882b4b70880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.334584] >ffff8882b4b70900: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
[   45.337302]                                                           ^
[   45.340061]  ffff8882b4b70980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.342910]  ffff8882b4b70a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.345748] ==================================================================

So, this definitely isn't a fix that we want. This being said; there's
no real easy fix for this problem because of some of the catch-22's of
the MST helpers current design. For starters; we always need to validate
a port with drm_dp_get_validated_port_ref(), but validation relies on
the lifetime of the port in the actual topology. So once the port is
gone, it can't be validated again.

If we were to try to make the payload helpers not use port validation,
then we'd cause another problem: if the port isn't validated, it could
be freed and we'd just start causing more KASAN issues. There are
already hacks that attempt to workaround this in
drm_dp_mst_destroy_connector_work() by re-initializing the kref so that
it can be used again and it's memory can be freed once the VCPI helpers
finish removing the port's respective payloads. But none of these really
do anything helpful since the port still can't be validated since it's
gone from the topology. Also, that workaround is immensely confusing to
read through.

What really needs to be done in order to fix this is to teach DRM how to
track the lifetime of the structs for MST ports and branch devices
separately from their lifetime in the actual topology. Simply put; this
means having two different krefs-one that removes the port/branch device
from the topology, and one that finally calls kfree(). This would let us
simplify things, since we'd now be able to keep ports around without
having to keep them in the topology at the same time, which is exactly
what we need in order to teach our VCPI helpers to only validate ports
when it's actually necessary without running the risk of trying to use
unallocated memory.

Such a fix is on it's way, but for now let's play it safe and just
revert this. If this bug has been around for well over a year, we can
wait a little while to get an actual proper fix here.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: c54c7374ff ("drm/dp_mst: Skip validating ports during destruction, just ref")
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Sean Paul <sean@poorly.run>
Cc: Jerry Zuo <Jerry.Zuo@amd.com>
Cc: Harry Wentland <Harry.Wentland@amd.com>
Cc: stable@vger.kernel.org # v4.6+
Acked-by: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128210005.24434-1-lyude@redhat.com
2018-11-28 16:22:17 -05:00
Linus Torvalds 60b548237f Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) ARM64 JIT fixes for subprog handling from Daniel Borkmann.

 2) Various sparc64 JIT bug fixes (fused branch convergance, frame
    pointer usage detection logic, PSEODU call argument handling).

 3) Fix to use BH locking in nf_conncount, from Taehee Yoo.

 4) Fix race of TX skb freeing in ipheth driver, from Bernd Eckstein.

 5) Handle return value of TX NAPI completion properly in lan743x
    driver, from Bryan Whitehead.

 6) MAC filter deletion in i40e driver clears wrong state bit, from
    Lihong Yang.

 7) Fix use after free in rionet driver, from Pan Bian.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (53 commits)
  s390/qeth: fix length check in SNMP processing
  net: hisilicon: remove unexpected free_netdev
  rapidio/rionet: do not free skb before reading its length
  i40e: fix kerneldoc for xsk methods
  ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
  i40e: Fix deletion of MAC filters
  igb: fix uninitialized variables
  netfilter: nf_tables: deactivate expressions in rule replecement routine
  lan743x: Enable driver to work with LAN7431
  tipc: fix lockdep warning during node delete
  lan743x: fix return value for lan743x_tx_napi_poll
  net: via: via-velocity: fix spelling mistake "alignement" -> "alignment"
  qed: fix spelling mistake "attnetion" -> "attention"
  net: thunderx: fix NULL pointer dereference in nic_remove
  sctp: increase sk_wmem_alloc when head->truesize is increased
  firestream: fix spelling mistake: "Inititing" -> "Initializing"
  net: phy: add workaround for issue where PHY driver doesn't bind to the device
  usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
  sparc: Adjust bpf JIT prologue for PSEUDO calls.
  bpf, doc: add entries of who looks over which jits
  ...
2018-11-28 12:53:48 -08:00
Linus Torvalds b26b2b24b1 Xtensa fixes for v4.20-rc5
- Fix kernel exception on userspace access to a currently disabled
   coprocessor.
 - Fix coprocessor data saving/restoring in configurations with multiple
   coprocessors.
 - Fix ptrace access to coprocessor data on configurations with multiple
   coprocessors with high alignment requirements.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEK2eFS5jlMn3N6xfYUfnMkfg/oEQFAlv+9BMTHGpjbXZia2Jj
 QGdtYWlsLmNvbQAKCRBR+cyR+D+gRDhoEACGPL70EorwnapQZKN1QOTUuvxrw/u6
 AQc+Vgi7KWuYYD+otPAhHNTuPdzai6bdrlR9xsyLABgWgFWsVXP9lLCa9frvwXwH
 A0024o+9Gf6KoZfGJ0dOkcd3BwAuRJa32n49Euqyyjb2Qj5Da6fY8js8iT1/tJER
 cSMfAyLS97GJy4fOwXY7xVrafsEEw45ehjQ6DtUGHX6s9zxfdwkfsFf2QpH65oTC
 FHofKcLdz+BAUQe+vdD2VEJjl8YYswdaYau+620dnsI05B8m7m0Gof3aY4ZmmAq3
 fSQxisSfiE1BUlTdlMlnel+S0J1EPv1qDxA+k4/TqV8extB2BlZ2cq0BLE6YUJ6B
 LnZdS7xNrB1+YxM/ckRs4hxfqGrjVtUDg3peBx8b5Aq9TOSNWA0/qbNVI89V+Dzp
 L9aEZgmZGwn1YTFCUJO5unb8QNYvoSOKxwfRlcrYfmF44/UNaiqBaoz3eSsrYEbG
 baQidK/wdnGTTLUhB/KlpZDkFyXZ20c9vN/O7HEpo+rhO1NP726Cn9rU+bSS+rRE
 ezYF5+8WxfsUuGxuXhHq2QiDWLJxeqN+NUf8z/dwBYT0UgAOcH7X/zN/oNIxeD5R
 eplI5DLWZuo2uPq5ALmMWsTlaSClaP1tlJXmn9pHkT3KPRoC+ndkh0hEBFKUS/f7
 9zDrKipT5+Temg==
 =XEua
 -----END PGP SIGNATURE-----

Merge tag 'xtensa-20181128' of git://github.com/jcmvbkbc/linux-xtensa

Pull Xtensa fixes from Max Filippov:

 - fix kernel exception on userspace access to a currently disabled
   coprocessor

 - fix coprocessor data saving/restoring in configurations with multiple
   coprocessors

 - fix ptrace access to coprocessor data on configurations with multiple
   coprocessors with high alignment requirements

* tag 'xtensa-20181128' of git://github.com/jcmvbkbc/linux-xtensa:
  xtensa: fix coprocessor part of ptrace_{get,set}xregs
  xtensa: fix coprocessor context offset definitions
  xtensa: enable coprocessors that are being flushed
2018-11-28 12:51:10 -08:00
shaoyunl ad97d9de45 drm/amdgpu: Add delay after enable RLC ucode
Driver shouldn't try to access any GFX registers until RLC is idle.
During the test, it took 12 seconds for RLC to clear the BUSY bit
in RLC_GPM_STAT register which is un-acceptable for driver.
As per RLC engineer, it would take RLC Ucode less than 10,000 GFXCLK
cycles to finish its critical section. In a lowest 300M enginer clock
setting(default from vbios), 50 us delay is enough.

This commit fix the hang when RLC introduce the work around for XGMI
which requires more cycles to setup more registers than normal

Signed-off-by: shaoyunl <shaoyun.liu@amd.com>
Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2018-11-28 14:52:44 -05:00
Felix Kuehling 1954db153d drm/amdgpu: Avoid endless loop in GPUVM fragment processing
Don't bounce back to the root level for fragment processing, because
huge pages are not supported at that level. This is unlikely to happen
with the default VM size on Vega, but can be exposed by limiting the
VM size with the amdgpu.vm_size module parameter.

Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2018-11-28 14:38:48 -05:00
Felix Kuehling 9ce2b991f7 drm/amdgpu: Cast to uint64_t before left shift
Avoid potential integer overflows with left shift in huge-page mapping
code by casting the operand to uin64_t first.

Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2018-11-28 14:38:33 -05:00
David S. Miller d78a5ebd8b Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue
Jeff Kirsher says:

====================
Intel Wired LAN Driver Fixes 2018-11-28

This series contains fixes to igb, ixgbe and i40e.

Yunjian Wang from Huawei resolves a variable that could potentially be
NULL before it is used.

Lihong fixes an i40e issue which goes back to 4.17 kernels, where
deleting any of the MAC filters was causing the incorrect syncing for
the PF.

Josh Elsasser caught that there were missing enum values in the link
capabilities for x550 devices, which was preventing link for 1000BaseLX
SFP modules.

Jan fixes the function header comments for XSK methods.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-11-28 11:33:35 -08:00
Julian Wiedmann 9a764c1e59 s390/qeth: fix length check in SNMP processing
The response for a SNMP request can consist of multiple parts, which
the cmd callback stages into a kernel buffer until all parts have been
received. If the callback detects that the staging buffer provides
insufficient space, it bails out with error.
This processing is buggy for the first part of the response - while it
initially checks for a length of 'data_len', it later copies an
additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.

Fix the calculation of 'data_len' for the first part of the response.
This also nicely cleans up the memcpy code.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-11-28 11:16:54 -08:00
David S. Miller e9d8faf93d Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Disable BH while holding list spinlock in nf_conncount, from
   Taehee Yoo.

2) List corruption in nf_conncount, also from Taehee.

3) Fix race that results in leaving around an empty list node in
   nf_conncount, from Taehee Yoo.

4) Proper chain handling for inactive chains from the commit path,
   from Florian Westphal. This includes a selftest for this.

5) Do duplicate rule handles when replacing rules, also from Florian.

6) Remove net_exit path in xt_RATEEST that results in splat, from Taehee.

7) Possible use-after-free in nft_compat when releasing extensions.
   From Florian.

8) Memory leak in xt_hashlimit, from Taehee.

9) Call ip_vs_dst_notifier after ipv6_dev_notf, from Xin Long.

10) Fix cttimeout with udplite and gre, from Florian.

11) Preserve oif for IPv6 link-local generated traffic from mangle
    table, from Alin Nastac.

12) Missing error handling in masquerade notifiers, from Taehee Yoo.

13) Use mutex to protect registration/unregistration of masquerade
    extensions in order to prevent a race, from Taehee.

14) Incorrect condition check in tree_nodes_free(), also from Taehee.

15) Fix chain counter leak in rule replacement path, from Taehee.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-11-28 11:02:45 -08:00
Pan Bian c758940158 net: hisilicon: remove unexpected free_netdev
The net device ndev is freed via free_netdev when failing to register
the device. The control flow then jumps to the error handling code
block. ndev is used and freed again. Resulting in a use-after-free bug.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-11-28 10:41:15 -08:00
Pan Bian cfc435198f rapidio/rionet: do not free skb before reading its length
skb is freed via dev_kfree_skb_any, however, skb->len is read then. This
may result in a use-after-free bug.

Fixes: e6161d6426 ("rapidio/rionet: rework driver initialization and removal")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-11-28 10:38:48 -08:00
Jan Sokolowski 529eb362a3 i40e: fix kerneldoc for xsk methods
One method, xsk_umem_setup, had an incorrect kernel doc
description, which has been corrected.

Also fixes small typos found in the comments.

Signed-off-by: Jan Sokolowski <jan.sokolowski@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2018-11-28 08:45:00 -08:00
Linus Torvalds 121b018f8c for-4.20-rc4-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAlv9qYgACgkQxWXV+ddt
 WDupPQ/8DdeLZYQG1tlx2Q+X4/tqPVyAzUjguYzbIY7wvSs1zbEEedENsD8E97yC
 So8ooGnP5B6/dqVidLFQBPwTXN59GybYbrDci8qh0DOJTl3+1r8byD9JC+iofrOF
 tltJkZ+eCOQyyqHHzlzw15uNOg48Qzj1oXvTAcE0P6iN5UcvcfwRW/S39pjsn63C
 63zc09XJ1hmJMJTWZo5h3GoD2UvzrwGXPKXNdv/NWkw9sqQbWdjvZFdqKbvY1VeM
 Oa6FPAPErJqEEEePhpDYbyRcnzjJRMs0deLGpGGChGldQxgMO8ILzBwh/KalfzK7
 h7LIuv1EclUqlyv0mXPqg2E/C3n2UMPqQYFsK9Lt+4Y/PkrWA2jx0lSg0fBl3k8c
 7PyiTqPNPNF8LU48tPEnOzJuNPkquOycgdyQOUpHnS43OF5OLIb6tVyjK4eJHRWw
 xtP65M72qM8T65+gsxYcdm0lvIDLidIwFS+2g4ibKU7EwlYkTC9AHFIAyFKTgxeP
 MpkIH90mKhSxOpbq8RICgr2jWcJZYoFQ4soi1oE+bgyjv75PyhJ0eXOprCh/4KZp
 nkXlPy2skkO9gGecyvr51x/opDEjEkObyOjQm2LhhWYvgcnHgW8Zp1jhQKxabHvz
 iZdVIs/agOerpk1d9ZBHhIXOeS2UcE5klqVRAdf961Wobh+HNis=
 =cCvI
 -----END PGP SIGNATURE-----

Merge tag 'for-4.20-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "Some of these bugs are being hit during testing so we'd like to get
  them merged, otherwise there are usual stability fixes for stable
  trees"

* tag 'for-4.20-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: relocation: set trans to be NULL after ending transaction
  Btrfs: fix race between enabling quotas and subvolume creation
  Btrfs: send, fix infinite loop due to directory rename dependencies
  Btrfs: ensure path name is null terminated at btrfs_control_ioctl
  Btrfs: fix rare chances for data loss when doing a fast fsync
  btrfs: Always try all copies when reading extent buffers
2018-11-28 08:38:20 -08:00
Linus Torvalds 5b26f7180c spi: Fixes for v4.20
A few driver specific fixes here, nothing big or that stands out for
 anyone other than the driver users.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlv+uFQTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0GN/B/9rkzlaRTNvBepsN3qbDfFotIt2+9T0
 as4tDY5t+C6PWHkKaqezTuKzin+fSOpSQ9n8rx2yc9oddwpelDsqLVxUlxRuN+RB
 C+UBfls7rP3J8AlYaGFor+N+MjiRuWVpfYW0PbFf1kM8l1fmOP7FC7BB76G1Ketu
 3U9DSWeL5YMZq+IIXI3e77f3luq4/bo2DVxNMQ/PL/frbpRIqOVYag5kGFRxYYez
 7rcAo68mOCv/85xdqNZ5u2m+xO/fpSYV+CGFXbYvGPizFIGl9REnw+8DE7EVSCo7
 xsPsMuj/bE0Gr3frPguZ0XFsOyFB+SVxqMQxQt2zKiEDuLtQYTFmhs9h
 =kDIQ
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A few driver specific fixes here, nothing big or that stands out for
  anyone other than the driver users.

  The omap2-mcspi fix is for issues that started showing up with a
  change in defconfig in this release to make cpuidle get turned on by
  default"

* tag 'spi-fix-v4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: omap2-mcspi: Add missing suspend and resume calls
  spi: mediatek: use correct mata->xfer_len when in fifo transfer
  spi: uniphier: fix incorrect property items
2018-11-28 08:33:55 -08:00
Josh Elsasser a8bf879af7 ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
allowing the core driver code to establish a link over this SFP type.

This is done by the out-of-tree driver but the fix wasn't in mainline.

Fixes: e23f333678 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
Fixes: 6a14ee0cfb ("ixgbe: Add X550 support function pointers")
Signed-off-by: Josh Elsasser <jelsasser@appneta.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2018-11-28 08:29:49 -08:00
Linus Torvalds d8242d22d5 Bugfixes, many of them reported by syzkaller and mostly predating the
merge window.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJb/nzZAAoJEL/70l94x66DedgH/3i2R6QwurKtOaagak+QKEFV
 Q32PQSFQBzr2BKNPyZhyiiWuIGy0QWZiJ8TZ0od97f+1xZhV++U3uGmiBp7/xr5a
 GArFOUK8tdXKxNZs100nzwAST4EJiEwRIa4OsZlvi71gwSBhnaZ6809DXcelEezh
 9sd+NeLDj+KhUYm90rYs3YvEKnJjKJTCBHG7fnfo59i6aOO5oKnM3LyHP9EHvyqB
 COsZJnXmTIwEL7TuxyCfyFSm/9XaqWGIsSn+wD9Sld80bDo/vb8ACljkqEQ0mhHK
 f0hviNOyRK6qy/uCDZyKYXdEqFphjrY2D+8dNFHcbuGvk3jJG2kiFwI++srPlIk=
 =tnQR
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "Bugfixes, many of them reported by syzkaller and mostly predating the
  merge window"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
  kvm: mmu: Fix race in emulated page table writes
  KVM: nVMX: vmcs12 revision_id is always VMCS12_REVISION even when copied from eVMCS
  KVM: nVMX: Verify eVMCS revision id match supported eVMCS version on eVMCS VMPTRLD
  KVM: nVMX/nSVM: Fix bug which sets vcpu->arch.tsc_offset to L1 tsc_offset
  x86/kvm/vmx: fix old-style function declaration
  KVM: x86: fix empty-body warnings
  KVM: VMX: Update shared MSRs to be saved/restored on MSR_EFER.LMA changes
  KVM: x86: Fix kernel info-leak in KVM_HC_CLOCK_PAIRING hypercall
  KVM: nVMX: Fix kernel info-leak when enabling KVM_CAP_HYPERV_ENLIGHTENED_VMCS more than once
  svm: Add mutex_lock to protect apic_access_page_done on AMD systems
  KVM: X86: Fix scan ioapic use-before-initialization
  KVM: LAPIC: Fix pv ipis use-before-initialization
  KVM: VMX: re-add ple_gap module parameter
  KVM: PPC: Book3S HV: Fix handling for interrupted H_ENTER_NESTED
2018-11-28 08:29:18 -08:00
Lihong Yang eab077aa84 i40e: Fix deletion of MAC filters
In __i40e_del_filter function, the flag __I40E_MACVLAN_SYNC_PENDING for
the PF state is wrongly set for the VSI. Deleting any of the MAC filters
has caused the incorrect syncing for the PF. Fix it by setting this state
flag to the intended PF.

CC: stable <stable@vger.kernel.org>
Signed-off-by: Lihong Yang <lihong.yang@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2018-11-28 08:27:47 -08:00
Yunjian Wang e4c39f7926 igb: fix uninitialized variables
This patch fixes the variable 'phy_word' may be used uninitialized.

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2018-11-28 08:27:47 -08:00
Hui Wang 8159a6a4a7 ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock
Like the Dell WD15 Dock, the WD19 Dock (0bda:402e) doens't provide
useful string for the vendor and product names too. In order to share
the UCM with WD15, here we keep the profile_name same as the WD15.

Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-28 10:59:49 +01:00
Taehee Yoo ca08987885 netfilter: nf_tables: deactivate expressions in rule replecement routine
There is no expression deactivation call from the rule replacement path,
hence, chain counter is not decremented. A few steps to reproduce the
problem:

   %nft add table ip filter
   %nft add chain ip filter c1
   %nft add chain ip filter c1
   %nft add rule ip filter c1 jump c2
   %nft replace rule ip filter c1 handle 3 accept
   %nft flush ruleset

<jump c2> expression means immediate NFT_JUMP to chain c2.
Reference count of chain c2 is increased when the rule is added.

When rule is deleted or replaced, the reference counter of c2 should be
decreased via nft_rule_expr_deactivate() which calls
nft_immediate_deactivate().

Splat looks like:
[  214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
[  214.398983] Modules linked in: nf_tables nfnetlink
[  214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44
[  214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[  214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
[  214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8
[  214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202
[  214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0
[  214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78
[  214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000
[  214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba
[  214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6
[  214.398983] FS:  0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000
[  214.398983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0
[  214.398983] Call Trace:
[  214.398983]  ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables]
[  214.398983]  ? __kasan_slab_free+0x145/0x180
[  214.398983]  ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables]
[  214.398983]  ? kfree+0xdb/0x280
[  214.398983]  nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables]
[ ... ]

Fixes: bb7b40aecb ("netfilter: nf_tables: bogus EBUSY in chain deletions")
Reported by: Christoph Anton Mitterer <calestyo@scientia.net>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-11-28 10:56:40 +01:00