2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-27 22:53:55 +08:00
Commit Graph

783560 Commits

Author SHA1 Message Date
Eric Dumazet
f74c371fe7 Input: mousedev - add a schedule point in mousedev_write()
syzbot was able to trigger rcu stalls by calling write()
with large number of bytes.

Add a cond_resched() in the loop to avoid this.

Link: https://lkml.org/lkml/2018/8/23/1106
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+9436b02171ac0894d33e@syzkaller.appspotmail.com
Reviewed-by: Paul E. McKenney <paulmck@linux.ibm.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2018-10-04 17:42:26 -07:00
Greg Kroah-Hartman
befad944e2 amdgpu and two core fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbtphfAAoJEAx081l5xIa+OwYP/1dmnns1njRhGP7DAL4+/5GH
 U/LXZtHRhWKMdQOPyCyzZ0xBTPGG1utrTEphdGbYoHIM3yhpWXMmazQlfwmM2S0+
 6F5ca0M5f4YKo8up/a8Tn215J5gf8LpoyzhSXaau9kbb2yfusmgB6ZRZOltGgW04
 CKnERuvUDwfaHlNBADfcRGK1BzPVNBESzDJ4DhdYtmVSNlMjJ1bqvjjqqIUcNfP3
 ifcbOcm6G+efSqSM9s55XbQml5pgeBKLvS2N27tIZp/2Y1HaIbBeWGGxJLcQpzDP
 h1lEMmQl7Z81iVqAxFnHSzwEQ5YrxMKWOX9108MlYjDOYa6K3Q81tzOjMr8z3pGv
 9Lfq1YCd6rwQ9H7UCwOuO9yvVGqgmEpT6kxVZaiEVFBwAgh7RsYSMwsD4npjKwHK
 VYbuSXPN+BBcObqJTlZz3zOqTngtImUGX1xaqHgOTSCksBLtToBAL2KkvJeNrctr
 4zTzsS9Rkce5hSMTzkh6mm0yzh74V9SnwAzhbS+UEEtPufE9u1BpOHeRYMeI95PV
 cQnTj9zY5KcfeZjPURtOO2lCBzHDpTDSl+wIIXAJSwsX/FdksA/2B22vOqJbn4Zd
 70M673sOg0FxE5wyCSNSiBs0Iq9oz5/cGDKzRJ1u4mh/KbQJ3y8nGQJamA4TafCM
 rRZwcKXRHkPa+D6eSiw5
 =slnZ
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-10-05' of git://anongit.freedesktop.org/drm/drm

Dave writes:
  "amdgpu and two core fixes

   Two fixes for amdgpu:
   one corrects a use of process->mm
   one fix for display code race condition that can result in a crash

   Two core fixes:
   One for a use-after-free in the leasing code
   One for a cma/fbdev crash."

* tag 'drm-fixes-2018-10-05' of git://anongit.freedesktop.org/drm/drm:
  drm/amdkfd: Fix incorrect use of process->mm
  drm/amd/display: Signal hw_done() after waiting for flip_done()
  drm/cma-helper: Fix crash in fbdev error path
  drm: fix use-after-free read in drm_mode_create_lease_ioctl()
2018-10-04 17:23:58 -07:00
Dave Airlie
bdf800c6fd Merge branch 'drm-fixes-4.19' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
- Fix an ordering issue in DC with respect to atomic flips that could result
  in a crash
- Fix incorrect use of process->mm in KFD

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1538668374-22334-1-git-send-email-alexander.deucher@amd.com
2018-10-05 08:39:35 +10:00
Dave Airlie
3a9df1e925 drm-misc-fixes for v4.19-rc7:
- Fix use-after-free in drm_mode_create_lease_ioctl()
 - Fix crash in fbdev error path.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuXvWqAysSYEJGuVH/lWMcqZwE8MFAlu10UMACgkQ/lWMcqZw
 E8MlrQ//ZvtyKwv9XUuhM0PBwctAldQp3iKk5poNVsmdThhP7fdeM91DvMpOJoZl
 BNZJAEXqZfWYwIbKEbVmRcOUr6YlgPnHQxpJDeuQxedjuB+aWUKCfn4FCPxh5WC6
 Wl7WEDijDehvhj3rIETrCt0o3zaOPIw8FhO0ZsshRsIOrDs3Zai2VqU/rK1t8IkJ
 ss0YsaYcQ9Bwo4a8xkD3I6ctnkll6uwdA3tbf+GRVrfo1dDFC6GIWhVoMIONb890
 nXzxLh/KcimuTRYW1rLtfyf0hAihY8ZT7WKTHD0QM7fxzsFA37zZsAb7rSyfc5Pf
 Z0lhwQS0UTOJ+ZvQCiOeX9Qd4+9cdpNO7qoRMy3stk4lb2s0Sv/2Ui46yya8jWp1
 rE0C9j1ngk8MCxQe4BzIOeVK7sjzIgdRqGx9C35H4W56Gh9VuFDyZCFJjcB3m+sh
 0D3aYkrqMw17gkirJS0TtMzCDSxkiXuAope6NFvSwbUO3BDVkfHZUhDLlXRWrd3l
 6ZCg3gSdyIvNCW+r0T1AckdgvkJGwJkc+WtuRDGZKZT7WNu9hyXyCSGcoG27jLYM
 gvT8NVMF3wok5rKuRryirCKNiaWJAm8KUMIoG4XqDXKioeI1I8f7+Qk5G73GOkPi
 FwdWrEAhn/s6J31ahJoD65wt07lxI2Ax2uoqUYDhHLa8mVXt3mI=
 =Dorz
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2018-10-04' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

drm-misc-fixes for v4.19-rc7:
- Fix use-after-free in drm_mode_create_lease_ioctl()
- Fix crash in fbdev error path.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/13b2c3ac-9a96-710e-ceb9-890af164f10e@linux.intel.com
2018-10-05 08:39:04 +10:00
Ido Schimmel
471b83bd8b team: Forbid enslaving team device to itself
team's ndo_add_slave() acquires 'team->lock' and later tries to open the
newly enslaved device via dev_open(). This emits a 'NETDEV_UP' event
that causes the VLAN driver to add VLAN 0 on the team device. team's
ndo_vlan_rx_add_vid() will also try to acquire 'team->lock' and
deadlock.

Fix this by checking early at the enslavement function that a team
device is not being enslaved to itself.

A similar check was added to the bond driver in commit 09a89c219b
("bonding: disallow enslaving a bond to itself").

WARNING: possible recursive locking detected
4.18.0-rc7+ #176 Not tainted
--------------------------------------------
syz-executor4/6391 is trying to acquire lock:
(____ptrval____) (&team->lock){+.+.}, at: team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868

but task is already holding lock:
(____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&team->lock);
  lock(&team->lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syz-executor4/6391:
 #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
 #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x412/0xc30 net/core/rtnetlink.c:4662
 #1: (____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947

stack backtrace:
CPU: 1 PID: 6391 Comm: syz-executor4 Not tainted 4.18.0-rc7+ #176
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
 check_deadlock kernel/locking/lockdep.c:1809 [inline]
 validate_chain kernel/locking/lockdep.c:2405 [inline]
 __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
 __mutex_lock_common kernel/locking/mutex.c:757 [inline]
 __mutex_lock+0x176/0x1820 kernel/locking/mutex.c:894
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
 team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
 vlan_add_rx_filter_info+0x14a/0x1d0 net/8021q/vlan_core.c:210
 __vlan_vid_add net/8021q/vlan_core.c:278 [inline]
 vlan_vid_add+0x63e/0x9d0 net/8021q/vlan_core.c:308
 vlan_device_event.cold.12+0x2a/0x2f net/8021q/vlan.c:381
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
 call_netdevice_notifiers net/core/dev.c:1753 [inline]
 dev_open+0x173/0x1b0 net/core/dev.c:1433
 team_port_add drivers/net/team/team.c:1219 [inline]
 team_add_slave+0xa8b/0x1c30 drivers/net/team/team.c:1948
 do_set_master+0x1c9/0x220 net/core/rtnetlink.c:2248
 do_setlink+0xba4/0x3e10 net/core/rtnetlink.c:2382
 rtnl_setlink+0x2a9/0x400 net/core/rtnetlink.c:2636
 rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2455
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0xa18/0xfd0 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:642 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:652
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2126
 __sys_sendmsg+0x11d/0x290 net/socket.c:2164
 __do_sys_sendmsg net/socket.c:2173 [inline]
 __se_sys_sendmsg net/socket.c:2171 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2171
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x456b29
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9706bf8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f9706bf96d4 RCX: 0000000000456b29
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d3548 R14: 00000000004c8227 R15: 0000000000000000

Fixes: 87002b03ba ("net: introduce vlan_vid_[add/del] and use them instead of direct [add/kill]_vid ndo calls")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-and-tested-by: syzbot+bd051aba086537515cdb@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-04 13:55:40 -07:00
Yu Zhao
f7b2a56e1f net/usb: cancel pending work when unbinding smsc75xx
Cancel pending work before freeing smsc75xx private data structure
during binding. This fixes the following crash in the driver:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
IP: mutex_lock+0x2b/0x3f
<snipped>
Workqueue: events smsc75xx_deferred_multicast_write [smsc75xx]
task: ffff8caa83e85700 task.stack: ffff948b80518000
RIP: 0010:mutex_lock+0x2b/0x3f
<snipped>
Call Trace:
 smsc75xx_deferred_multicast_write+0x40/0x1af [smsc75xx]
 process_one_work+0x18d/0x2fc
 worker_thread+0x1a2/0x269
 ? pr_cont_work+0x58/0x58
 kthread+0xfa/0x10a
 ? pr_cont_work+0x58/0x58
 ? rcu_read_unlock_sched_notrace+0x48/0x48
 ret_from_fork+0x22/0x40

Signed-off-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-04 13:51:30 -07:00
David S. Miller
9e15ff7b89 Just three small fixes:
* fix use-after-free in regulatory code
  * fix rx-mgmt key flag in AP mode (mac80211)
  * fix wireless extensions compat code memory leak
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH1e1rEeCd0AIMq6MB8qZga/fl8QFAlu2bEUACgkQB8qZga/f
 l8RAgw/7BfRpm3Kr7XW919naGkt/pQeJxUcuF9YggBpTCrp/DSLQYsjOBE5DyS/m
 728oPD8jEDehUHasWKsbG7wit1S7ImExCHTPim8C1mbABhbqdhwD4ceUvBO7RYi2
 p0+yN8X8z5D0qruMrNwhtxdE8iV9bBgmY6u1jubpJFkKLPf2euZyroH40b879CIn
 aHqB42GNJCdwO2UFaPDH2cdx5DFWrDlfA1LGbrbuzrXMBfNGWYgen2JJH/5iDOyU
 1rVXk/pUpVffp0Zde+66NtyCxxC0+hQwrTczEKXICb5qoWJpz6kugFGGO1oDQgdp
 AbM7KNrV712h/qwTEnC1NG0KUXgocpwWIuf/cuTow0vGUJSl+O2pLS/3GLOwH2du
 1u/FF4LiBc4NFXmWBPMN3LUN+Ica0/YWSbVwcv2c4guemV1EOGinlbFc+tnoue7M
 fpLkQJUYCiEVFRXGWVaSl0Hr6z+zwgfa8qHYN2yq1qyB0dYHryYiVhgKLV7yisCm
 RNy1hmVuV7rMsL3f4iUq/2xnL3U8qK1+19Mr+i58/kU4Tx2jMkWj0kivRdgYX4EN
 XcBhJzWXrb3yMldACrCji6iRnrFMqg7osyEgFiMLMl4cZfs057+qsrJyR5xajVOi
 Ws+hj3a1LukJ1nIhou4uOLAt9D7ohuJojQq6D2GLeBwfGPNkz4E=
 =QyWK
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2018-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
Just three small fixes:
 * fix use-after-free in regulatory code
 * fix rx-mgmt key flag in AP mode (mac80211)
 * fix wireless extensions compat code memory leak
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-04 13:47:39 -07:00
Tejun Heo
479adb89a9 cgroup: Fix dom_cgrp propagation when enabling threaded mode
A cgroup which is already a threaded domain may be converted into a
threaded cgroup if the prerequisite conditions are met.  When this
happens, all threaded descendant should also have their ->dom_cgrp
updated to the new threaded domain cgroup.  Unfortunately, this
propagation was missing leading to the following failure.

  # cd /sys/fs/cgroup/unified
  # cat cgroup.subtree_control    # show that no controllers are enabled

  # mkdir -p mycgrp/a/b/c
  # echo threaded > mycgrp/a/b/cgroup.type

  At this point, the hierarchy looks as follows:

      mycgrp [d]
	  a [dt]
	      b [t]
		  c [inv]

  Now let's make node "a" threaded (and thus "mycgrp" s made "domain threaded"):

  # echo threaded > mycgrp/a/cgroup.type

  By this point, we now have a hierarchy that looks as follows:

      mycgrp [dt]
	  a [t]
	      b [t]
		  c [inv]

  But, when we try to convert the node "c" from "domain invalid" to
  "threaded", we get ENOTSUP on the write():

  # echo threaded > mycgrp/a/b/c/cgroup.type
  sh: echo: write error: Operation not supported

This patch fixes the problem by

* Moving the opencoded ->dom_cgrp save and restoration in
  cgroup_enable_threaded() into cgroup_{save|restore}_control() so
  that mulitple cgroups can be handled.

* Updating all threaded descendants' ->dom_cgrp to point to the new
  dom_cgrp when enabling threaded mode.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Reported-by: Amin Jamali <ajamali@pivotal.io>
Reported-by: Joao De Almeida Pereira <jpereira@pivotal.io>
Link: https://lore.kernel.org/r/CAKgNAkhHYCMn74TCNiMJ=ccLd7DcmXSbvw3CbZ1YREeG7iJM5g@mail.gmail.com
Fixes: 454000adaa ("cgroup: introduce cgroup->dom_cgrp and threaded css_set handling")
Cc: stable@vger.kernel.org # v4.14+
2018-10-04 13:28:08 -07:00
Greg Kroah-Hartman
010bd965f9 overlayfs fixes for 4.19-rc7
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQSQHSd0lITzzeNWNm3h3BK/laaZPAUCW7YOCQAKCRDh3BK/laaZ
 PAmGAQC1/3+mkfHXqyDx+zv4f7A348ZULW26EWFWwMwlEljWowD+PlRFBgUu5v5c
 194mCApZU7hl6o0u07aijjz6m81e6QE=
 =dM89
 -----END PGP SIGNATURE-----

Merge tag 'ovl-fixes-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs

Miklos writes:
  "overlayfs fixes for 4.19-rc7

   This update fixes a couple of regressions in the stacked file update
   added in this cycle, as well as some older bugs uncovered by
   syzkaller.

   There's also one trivial naming change that touches other parts of
   the fs subsystem."

* tag 'ovl-fixes-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  ovl: fix format of setxattr debug
  ovl: fix access beyond unterminated strings
  ovl: make symbol 'ovl_aops' static
  vfs: swap names of {do,vfs}_clone_file_range()
  ovl: fix freeze protection bypass in ovl_clone_file_range()
  ovl: fix freeze protection bypass in ovl_write_iter()
  ovl: fix memory leak on unlink of indexed file
2018-10-04 13:24:38 -07:00
Mike Snitzer
5d07384a66 dm cache: fix resize crash if user doesn't reload cache table
A reload of the cache's DM table is needed during resize because
otherwise a crash will occur when attempting to access smq policy
entries associated with the portion of the cache that was recently
extended.

The reason is cache-size based data structures in the policy will not be
resized, the only way to safely extend the cache is to allow for a
proper cache policy initialization that occurs when the cache table is
loaded.  For example the smq policy's space_init(), init_allocator(),
calc_hotspot_params() must be sized based on the extended cache size.

The fix for this is to disallow cache resizes of this pattern:
1) suspend "cache" target's device
2) resize the fast device used for the cache
3) resume "cache" target's device

Instead, the last step must be a full reload of the cache's DM table.

Fixes: 66a636356 ("dm cache: add stochastic-multi-queue (smq) policy")
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-10-04 15:20:52 -04:00
Joe Thornber
4561ffca88 dm cache metadata: ignore hints array being too small during resize
Commit fd2fa9541 ("dm cache metadata: save in-core policy_hint_size to
on-disk superblock") enabled previously written policy hints to be
used after a cache is reactivated.  But in doing so the cache
metadata's hint array was left exposed to out of bounds access because
on resize the metadata's on-disk hint array wasn't ever extended.

Fix this by ignoring that there are no on-disk hints associated with the
newly added cache blocks.  An expanded on-disk hint array is later
rewritten upon the next clean shutdown of the cache.

Fixes: fd2fa9541 ("dm cache metadata: save in-core policy_hint_size to on-disk superblock")
Cc: stable@vger.kernel.org
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-10-04 15:20:51 -04:00
Rafael J. Wysocki
69e445ab8b PM / core: Clear the direct_complete flag on errors
If __device_suspend() runs asynchronously (in which case the device
passed to it is in dpm_suspended_list at that point) and it returns
early on an error or pending wakeup, and the power.direct_complete
flag has been set for the device already, the subsequent
device_resume() will be confused by that and it will call
pm_runtime_enable() incorrectly, as runtime PM has not been
disabled for the device by __device_suspend().

To avoid that, clear power.direct_complete if __device_suspend()
is not going to disable runtime PM for the device before returning.

Fixes: aae4518b31 (PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily)
Reported-by: Al Cooper <alcooperx@gmail.com>
Tested-by: Al Cooper <alcooperx@gmail.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: 3.16+ <stable@vger.kernel.org> # 3.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2018-10-04 19:39:31 +02:00
David S. Miller
b576eddb5d Merge branch 'mlxsw-fixes'
Ido Schimmel says:

====================
mlxsw: Couple of fixes

First patch works around an hardware issue in Spectrum-2 where a field
indicating the event type is always set to the same value. Since there
are only two event types and they are reported using different queues,
we can use the queue number to derive the event type.

Second patch prevents a router interface (RIF) leakage when a VLAN
device is deleted from on top a bridge device.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-04 09:53:03 -07:00
Ido Schimmel
c360867ec4 mlxsw: spectrum: Delete RIF when VLAN device is removed
In commit 602b74eda8 ("mlxsw: spectrum_switchdev: Do not leak RIFs
when removing bridge") I handled the case where RIFs created for VLAN
devices were not properly cleaned up when their real device (a bridge)
was removed.

However, I forgot to handle the case of the VLAN device itself being
removed. Do so now when the VLAN device is being unlinked from its real
device.

Fixes: 99f44bb352 ("mlxsw: spectrum: Enable L3 interfaces on top of bridge devices")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Reported-by: Artem Shvorin <art@qrator.net>
Tested-by: Artem Shvorin <art@qrator.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-04 09:53:03 -07:00
Nir Dotan
f3c84a8e3e mlxsw: pci: Derive event type from event queue number
Due to a hardware issue in Spectrum-2, the field event_type of the event
queue element (EQE) has become reserved. It was used to distinguish between
command interface completion events and completion events.

Use queue number to determine event type, as command interface completion
events are always received on EQ0 and mlxsw driver maps completion events
to EQ1.

Fixes: c3ab435466 ("mlxsw: spectrum: Extend to support Spectrum-2 ASIC")
Signed-off-by: Nir Dotan <nird@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-04 09:53:03 -07:00
Greg Kroah-Hartman
ac0657edb1 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm
Russell writes:
  "A couple of small ARM fixes from Stefan and Thomas:
   - Adding the io_pgetevents syscall
   - Fixing a bounds check in pci_ioremap_io()"

* 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 8799/1: mm: fix pci_ioremap_io() offset check
  ARM: 8787/1: wire up io_pgetevents syscall
2018-10-04 09:48:10 -07:00
Greg Kroah-Hartman
10be83cc64 drm exynos, tda9950 and intel fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbtZxeAAoJEAx081l5xIa+1KEQAJmSBltsNgJR+wnttTNVdfmI
 COnkhFC6bzBcVWzpf978xAHHRdBb/2FpPtG6w6KHeREV2FXZD/LVJm8MDjibivBg
 8CANk1H6vJ40PdYRBBL6fjrVi/8ydoD7PAT5fWTFH5lbF2jJqH1T5AMatHE29nPa
 wpKZUk4mp6QhABIAsl85W8kw5UjXMdIiC75Qujvd6q5H7gj4Zkd3QdNnCtmnk00x
 N44x1hc8DxVNZyGBbPQhfhjzNy/X5+8xtHGznKTRVngYpjX+LslHOZQELhpEa88P
 c4AaI3jz+f6RFc6zekkW76aWQ0EVKIuedWUzmRFLqvsaLndMXIPfRqNnyj1CEoSN
 bN645tNJuHM5QYCTThJWuZsb+nXdV0tblCD8R4W/DHQkzWNt23hE9TqPAiz8Bw0A
 8li9bLYfDjuhOBsFhkZRKYvuNCiuTF44sw8D4QfWHCAj9k6v+tRReRktuqX7rVT0
 VActmPNSOkZUO4Y2imT8WrvvdG/BG0vzbSTk0auJm/RvBMS0FUUxQyUl02cy9Fv4
 kjRY6Ge9nLk8Y3TqMDfMB57oOQ/p7op5TmlsvKV6VcmREfMO7mvYim6EXUjmAtad
 kxUbjjPGIEE1A+aUIyofyMQuMEs9qxdb/GnxHsUu9rRhRxwluxjkAPEQeJ1jFtjc
 bmc78U3C9k90MJzOdpOR
 =gF5o
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-10-04' of git://anongit.freedesktop.org/drm/drm

Dave writes:
  "drm exynos, tda9950 and intel fixes

   3 i915 fixes:
     compressed error handling zlib fix
     compiler warning cleanup
     and a minor code cleanup

   2 tda9950:
     Two fixes for the HDMI CEC

   1 exynos:
     A fix required for IOMMU interaction."

* tag 'drm-fixes-2018-10-04' of git://anongit.freedesktop.org/drm/drm:
  drm/i915: Handle incomplete Z_FINISH for compressed error states
  drm/i915: Avoid compiler warning for maybe unused gu_misc_iir
  drm/i915: Do not redefine the has_csr parameter.
  drm/exynos: Use selected dma_dev default iommu domain instead of a fake one
  drm/i2c: tda9950: set MAX_RETRIES for errors only
  drm/i2c: tda9950: fix timeout counter check
2018-10-04 09:18:44 -07:00
Greg Kroah-Hartman
1b0350c355 XFS fixes for 4.19-rc6
Accumlated regression and bug fixes for 4.19-rc6, including:
 
 o make iomap correctly mark dirty pages for sub-page block sizes
 o fix regression in handling extent-to-btree format conversion errors
 o fix torn log wrap detection for new logs
 o various corrupt inode detection fixes
 o various delalloc state fixes
 o cleanup all the missed transaction cancel cases missed from changes merged
   in 4.19-rc1
 o fix lockdep false positive on transaction allocation
 o fix locking and reference counting on buffer log items
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbtVyHAAoJEK3oKUf0dfodc8YP/1hT+TdXZDBVPo9kXQwmrnra
 8P1J8IEuGj851PwYQobUhifdDh4eQ+PpcYEIfqTSGhtjTg7cqyQOvTo4uUKHLn50
 8mFXQb6JrAFYnjGjorOCde+lpoQrtj3oKASscs7RaL/W1RNffY74UGdiE0yOJnJs
 9IC7TpJT4ZzAgYBgC61whfYWmszLmRuKlVZWgXrM8hkMqliHdfrXeZk7MXTeiflz
 Q5+9eVnCCgTtC0TWgVAkFMvlZs7UtNMWIIn6zt+HQLB7Vms6q4ArpIT+fF45njwG
 94tyTcFT0AcIJ8OIi5i85fOXcDGjTFFf554Yf80PlWGlk3SbXPHFQao/ItDA4S1Z
 eCl2eurUOXlNXKuyzWoV5KjOBiiBicbOwl6eX0K996cGehhEdFOvBihvAGjJy5rm
 c4plTTy6bhYKZWr3JLuaPDlNWDMr/P/aUkiq9tFXyaMmVKNeyxd6UKzIokl5uUfi
 Ycik4Ik8zRgpFEUx5Clvb2W5qH9pqpR0WcFhrcj0mDnJa10TpBWesA0g2F+hM0Jc
 0mSuGxfQeJk7tuVcvsBpPNzgVEPKabvnYbOlGK7HvCSOPRkg0Fhmj+iJK721ccVl
 Ltiz0Y485eAGLKn9kOWKr47A5GAAFpuK29OrD2a8XizHPZ3Sr2CG5X1jI0gtMb8n
 BiBAxO6dojRQATDuTI6w
 =5ylA
 -----END PGP SIGNATURE-----

Merge tag 'xfs-fixes-for-4.19-rc6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Dave writes:
  "XFS fixes for 4.19-rc6

   Accumlated regression and bug fixes for 4.19-rc6, including:

   o make iomap correctly mark dirty pages for sub-page block sizes
   o fix regression in handling extent-to-btree format conversion errors
   o fix torn log wrap detection for new logs
   o various corrupt inode detection fixes
   o various delalloc state fixes
   o cleanup all the missed transaction cancel cases missed from changes merged
     in 4.19-rc1
   o fix lockdep false positive on transaction allocation
   o fix locking and reference counting on buffer log items"

* tag 'xfs-fixes-for-4.19-rc6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: fix error handling in xfs_bmap_extents_to_btree
  iomap: set page dirty after partial delalloc on mkwrite
  xfs: remove invalid log recovery first/last cycle check
  xfs: validate inode di_forkoff
  xfs: skip delalloc COW blocks in xfs_reflink_end_cow
  xfs: don't treat unknown di_flags2 as corruption in scrub
  xfs: remove duplicated include from alloc.c
  xfs: don't bring in extents in xfs_bmap_punch_delalloc_range
  xfs: fix transaction leak in xfs_reflink_allocate_cow()
  xfs: avoid lockdep false positives in xfs_trans_alloc
  xfs: refactor xfs_buf_log_item reference count handling
  xfs: clean up xfs_trans_brelse()
  xfs: don't unlock invalidated buf on aborted tx commit
  xfs: remove last of unnecessary xfs_defer_cancel() callers
  xfs: don't crash the vfs on a garbage inline symlink
2018-10-04 09:17:38 -07:00
Greg Kroah-Hartman
d2467adb66 A Single RISC-V Fix for 4.19-rc7
This tag contains a single patch that managed to get lost in the
 shuffle, which explains why it's so late.  This single line has been
 floating around in various patch sets for months, and fixes our DMA32
 region.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEAM520YNJYN/OiG3470yhUCzLq0EFAluzzHITHHBhbG1lckBk
 YWJiZWx0LmNvbQAKCRDvTKFQLMurQSrQD/4rizKPzKVMVUEMV0fWM9rSJ2mr130W
 O8JGz1l8PtlPum6Fjhy3UHbLlZ/36D23vdf2qv10Zlwj5WquUH2J3dWL4wSh5yTY
 NsM/Ehg03glLY15Nf6L3QSA2Jw+0vEqj/WAaGASdZvEfc7zwlP62jqDWGUMjUdR8
 w9aG3AED4d9gnOxaPgUwDFHP0VdsBWLr546QOhefScMk9FUlKCjENn7IPVHzBqRc
 7V0ILlENbUOrCd/zQIptjXYiEb59YNLsXUEFyqjWU2Ey+PwUiHFBduUexB1+cQC1
 z87E7ZWQ5HM2P9Xp1E4fw0kAxmni2XjeAnNJjfjK/nFv98bPbwyasP3N8eldk98R
 O6FAcLdqNP4xjeOpmF821JkM6eTNXefxh63dRCtUjrh1qTnYMnrERikz/C/LRLWu
 6vWBrUiJYpNsl6HRmCLwZXp6IG1VulD1OkSoAQK6HlJUzD0Gc7pwwXuCKSvpziDd
 JCN3ZHelSgrHaGseSTkn8icJTP2mP6MCzSDfSBcngwj4nMFBrCJir7eb3dGUW57k
 sKbp/cYmbGIfcoz+vNBlxOSbl1IJRND0cc1HNIwANJXbllfair78CLqd2DiHZwMJ
 HW5l3Pi9KkQwet7sMQoqOTcmkdyaq5/m51wFT1pRrwqQjy5oipiYPhIqw+N06zXL
 tDrkUlaYA+aE3A==
 =QoXG
 -----END PGP SIGNATURE-----

Merge tag 'riscv-for-linus-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux

Palmer writes:
  "A Single RISC-V Fix for 4.19-rc7

   This tag contains a single patch that managed to get lost in the
   shuffle, which explains why it's so late.  This single line has been
   floating around in various patch sets for months, and fixes our DMA32
   region."

* tag 'riscv-for-linus-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux:
  RISCV: Fix end PFN for low memory
2018-10-04 09:16:11 -07:00
Arnd Bergmann
3f4258bbe0 NXP/FSL SoC driver fixes for v4.19 round 2
- Fix crash of qman_portal by deferring its probe if qman is not probed
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEhb3UXAyxp6UQ0v6khtxQDvusFVQFAluypMcACgkQhtxQDvus
 FVQvKA/+Kc4IDHyidEgcbdNwjZNkp4eHXKSwtCdMstrEquQ7tOqmxCaEnC9izTBy
 wW6XF91ez4DJkQDgxrN1fJN512yTN0v6D7Jq+VclrrGfcT2f1xnNRf33r6957csc
 9hOp7S1hkeHZfCRtMZrjwIRgzWtlfH+XcRne/USE/enQ0GmTKThhv2rngH2hnAxP
 cqW+ult+jyL+m5i+hpzIZUjSMio4w8Z+K/QEwhlfy63nh2oYc8Zpvql5EYq1oFgd
 c0JWA1/DM/dbBiWRZVfjvjw1ZDnkJpYIJDmJYfNz3k4IJJlUYPWM4RrSRn1+yYl9
 wg/zZ3a0NlCskn32KlIwE0m1zLLVEjFam+3a7EiIFh98gBGQ5eeIpZ8UAqyc6zLi
 4etMYtt6+kUt7x2nsZ1GQrQXembt4TUBf70HMBLz85TaCg6z98PRsYyGRq1vKnj4
 sAk8aiCHOsnlqHpKt403U8wUABRAr8m+xGI2D8MSTdzbQnDftf8eqKrLS2qtnlSi
 4R3jkBiaszV8O6FdRC8+3VmtaOx/PCGh8Odo3GitDLQBdB1AkFdmIxJBJDcST/Cp
 CWAmxJsPIS4PUGJupeIALsJF8rFHiwn5uVxsNRKxpL1xpDD6mwxLSn+LOHQT8fD3
 PGhhngQD8ky9nKqL+gckpu/QfjiBrJNeUD6pvhRJc1cI+7ue/nM=
 =qVf2
 -----END PGP SIGNATURE-----

Merge tag 'soc-fsl-fix-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/leo/linux into fixes

NXP/FSL SoC driver fixes for v4.19 round 2

- Fix crash of qman_portal by deferring its probe if qman is not probed

* tag 'soc-fsl-fix-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/leo/linux:
  soc: fsl: qman_portals: defer probe after qman's probe
  soc: fsl: qbman: add APIs to retrieve the probing status
  soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
  soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
  ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
  MAINTAINERS: update the Annapurna Labs maintainer email
  ARM: dts: sun8i: drop A64 HDMI PHY fallback compatible from R40 DT
  ARM: dts: at91: sama5d2_ptc_ek: fix nand pinctrl

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2018-10-04 18:01:20 +02:00
Felix Kuehling
11b29c9e25 drm/amdkfd: Fix incorrect use of process->mm
This mm_struct pointer should never be dereferenced. If running in
a user thread, just use current->mm. If running in a kernel worker
use get_task_mm to get a safe reference to the mm_struct.

Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2018-10-04 11:37:25 -04:00
Arnd Bergmann
30a0af8826 i.MX fixes for 4.19, round 2:
- i.MX53 QSB board stops working when cpufreq driver is enabled,
    because the default OPP table has the maximum CPU frequency at
    1.2GHz, while the board is only capable of running 1GHz.  Fix up
    the OPP table for the board to get it work with cpufreq driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJbtCuVAAoJEFBXWFqHsHzOHDEH/RXzkCIZCmvVhdXIQDa/PC7b
 GupBi+UJE2iQMS3Z3RNYnZQ2yK8zq7AZNIjZtR7/8dm6ALFjXMGvfj19Cs0wThdt
 VQ3g7FyS76lwvb2sVl6yGZTOcZfn7nIwFC9NNfY1FSt87QXKBPG0UmnMpCxR7m+1
 V1d0T3y0WejpRigtzGJZJwibkOFoKy8HbAn09BBzyE+eRnNcXSp6NunIr+82AGgo
 yA3rtcoDXD997wXMUUgnFzh0VjqH5wrrbMtplWOFpDtKEFxwiHGOjWsIm6S2xi/8
 SKkk13M+GBHtPR0ygTtRngV1TF0z0kTdArhS/GGGTzWbpZ5sri5khyCfNP+i0LA=
 =xyJS
 -----END PGP SIGNATURE-----

Merge tag 'imx-fixes-4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes

i.MX fixes for 4.19, round 2:
 - i.MX53 QSB board stops working when cpufreq driver is enabled,
   because the default OPP table has the maximum CPU frequency at
   1.2GHz, while the board is only capable of running 1GHz.  Fix up
   the OPP table for the board to get it work with cpufreq driver.

* tag 'imx-fixes-4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
  ARM: dts: imx53-qsb: disable 1.2GHz OPP

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2018-10-04 17:34:53 +02:00
Shirish S
987bf11644 drm/amd/display: Signal hw_done() after waiting for flip_done()
In amdgpu_dm_commit_tail(), wait until flip_done() is signaled before
we signal hw_done().

[Why]

This is to temporarily address a paging error that occurs when a
nonblocking commit contends with another commit, particularly in a
mirrored display configuration where at least 2 CRTCs are updated.
The error occurs in drm_atomic_helper_wait_for_flip_done(), when we
attempt to access the contents of new_crtc_state->commit.

Here's the sequence for a mirrored 2 display setup (irrelevant steps
left out for clarity):

**THREAD 1**                        | **THREAD 2**
                                    |
Initialize atomic state for flip    |
                                    |
Queue worker                        |
                                   ...

                                    | Do work for flip
                                    |
                                    | Signal hw_done() on CRTC 1
                                    | Signal hw_done() on CRTC 2
                                    |
                                    | Wait for flip_done() on CRTC 1

                                <---- **PREEMPTED BY THREAD 1**

Initialize atomic state for cursor  |
update (1)                          |
                                    |
Do cursor update work on both CRTCs |
                                    |
Clear atomic state (2)              |
**DONE**                            |
                                   ...
                                    |
                                    | Wait for flip_done() on CRTC 2
                                    | *ERROR*
                                    |

The issue starts with (1). When the atomic state is initialized, the
current CRTC states are duplicated to be the new_crtc_states, and
referenced to be the old_crtc_states. (The new_crtc_states are to be
filled with update data.)

Some things to note:

* Due to the mirrored configuration, the cursor updates on both CRTCs.

* At this point, the pflip IRQ has already been handled, and flip_done
  signaled on all CRTCs. The cursor commit can therefore continue.

* The old_crtc_states used by the cursor update are the **same states**
  as the new_crtc_states used by the flip worker.

At (2), the old_crtc_state is freed (*), and the cursor commit
completes. We then context switch back to the flip worker, where we
attempt to access the new_crtc_state->commit object. This is
problematic, as this state has already been freed.

(*) Technically, 'state->crtcs[i].state' is freed, which was made to
    reference old_crtc_state in drm_atomic_helper_swap_state()

[How]

By moving hw_done() after wait_for_flip_done(), we're guaranteed that
the new_crtc_state (from the flip worker's perspective) still exists.
This is because any other commit will be blocked, waiting for the
hw_done() signal.

Note that both the i915 and imx drivers have this sequence flipped
already, masking this problem.

Signed-off-by: Shirish S <shirish.s@amd.com>
Signed-off-by: Leo Li <sunpeng.li@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2018-10-04 11:21:03 -04:00
Paolo Bonzini
7e7126846c kvm: nVMX: fix entry with pending interrupt if APICv is enabled
Commit b5861e5cf2 introduced a check on
the interrupt-window and NMI-window CPU execution controls in order to
inject an external interrupt vmexit before the first guest instruction
executes.  However, when APIC virtualization is enabled the host does not
need a vmexit in order to inject an interrupt at the next interrupt window;
instead, it just places the interrupt vector in RVI and the processor will
inject it as soon as possible.  Therefore, on machines with APICv it is
not enough to check the CPU execution controls: the same scenario can also
happen if RVI>vPPR.

Fixes: b5861e5cf2
Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Liran Alon <liran.alon@oracle.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-04 17:10:40 +02:00
Miklos Szeredi
1a8f8d2a44 ovl: fix format of setxattr debug
Format has a typo: it was meant to be "%.*s", not "%*s".  But at some point
callers grew nonprintable values as well, so use "%*pE" instead with a
maximized length.

Reported-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 3a1e819b4e ("ovl: store file handle of lower inode on copy up")
Cc: <stable@vger.kernel.org> # v4.12
2018-10-04 14:49:10 +02:00
Amir Goldstein
601350ff58 ovl: fix access beyond unterminated strings
KASAN detected slab-out-of-bounds access in printk from overlayfs,
because string format used %*s instead of %.*s.

> BUG: KASAN: slab-out-of-bounds in string+0x298/0x2d0 lib/vsprintf.c:604
> Read of size 1 at addr ffff8801c36c66ba by task syz-executor2/27811
>
> CPU: 0 PID: 27811 Comm: syz-executor2 Not tainted 4.19.0-rc5+ #36
...
>  printk+0xa7/0xcf kernel/printk/printk.c:1996
>  ovl_lookup_index.cold.15+0xe8/0x1f8 fs/overlayfs/namei.c:689

Reported-by: syzbot+376cea2b0ef340db3dd4@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 359f392ca5 ("ovl: lookup index entry for copy up origin")
Cc: <stable@vger.kernel.org> # v4.13
2018-10-04 14:49:10 +02:00
Paolo Bonzini
2cf7ea9f40 KVM: VMX: hide flexpriority from guest when disabled at the module level
As of commit 8d860bbeed ("kvm: vmx: Basic APIC virtualization controls
have three settings"), KVM will disable VIRTUALIZE_APIC_ACCESSES when
a nested guest writes APIC_BASE MSR and kvm-intel.flexpriority=0,
whereas previously KVM would allow a nested guest to enable
VIRTUALIZE_APIC_ACCESSES so long as it's supported in hardware.  That is,
KVM now advertises VIRTUALIZE_APIC_ACCESSES to a guest but doesn't
(always) allow setting it when kvm-intel.flexpriority=0, and may even
initially allow the control and then clear it when the nested guest
writes APIC_BASE MSR, which is decidedly odd even if it doesn't cause
functional issues.

Hide the control completely when the module parameter is cleared.

reported-by: Sean Christopherson <sean.j.christopherson@intel.com>
Fixes: 8d860bbeed ("kvm: vmx: Basic APIC virtualization controls have three settings")
Cc: Jim Mattson <jmattson@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-04 13:40:44 +02:00
Sean Christopherson
fd6b6d9b82 KVM: VMX: check for existence of secondary exec controls before accessing
Return early from vmx_set_virtual_apic_mode() if the processor doesn't
support VIRTUALIZE_APIC_ACCESSES or VIRTUALIZE_X2APIC_MODE, both of
which reside in SECONDARY_VM_EXEC_CONTROL.  This eliminates warnings
due to VMWRITEs to SECONDARY_VM_EXEC_CONTROL (VMCS field 401e) failing
on processors without secondary exec controls.

Remove the similar check for TPR shadowing as it is incorporated in the
flexpriority_enabled check and the APIC-related code in
vmx_update_msr_bitmap() is further gated by VIRTUALIZE_X2APIC_MODE.

Reported-by: Gerhard Wiesinger <redhat@wiesinger.com>
Fixes: 8d860bbeed ("kvm: vmx: Basic APIC virtualization controls have three settings")
Cc: Jim Mattson <jmattson@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-04 13:40:21 +02:00
Andy Lutomirski
02e425668f x86/vdso: Fix vDSO syscall fallback asm constraint regression
When I added the missing memory outputs, I failed to update the
index of the first argument (ebx) on 32-bit builds, which broke the
fallbacks.  Somehow I must have screwed up my testing or gotten
lucky.

Add another test to cover gettimeofday() as well.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 715bd9d12f ("x86/vdso: Fix asm constraints on vDSO syscall fallbacks")
Link: http://lkml.kernel.org/r/21bd45ab04b6d838278fa5bebfa9163eceffa13c.1538608971.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-10-04 08:17:50 +02:00
Kai-Heng Feng
709ae62e8e ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
The issue is the same as commit dd9aa335c8 ("ALSA: hda/realtek - Can't
adjust speaker's volume on a Dell AIO"), the output requires to connect
to a node with Amp-out capability.

Applying the same fixup ALC298_FIXUP_SPK_VOLUME can fix the issue.

BugLink: https://bugs.launchpad.net/bugs/1775068
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-10-04 07:50:48 +02:00
Paul Mackerras
6579804c43 KVM: PPC: Book3S HV: Avoid crash from THP collapse during radix page fault
Commit 71d29f43b6 ("KVM: PPC: Book3S HV: Don't use compound_order to
determine host mapping size", 2018-09-11) added a call to 
__find_linux_pte() and a dereference of the returned PTE pointer to the
radix page fault path in the common case where the page is normal
system memory.  Previously, __find_linux_pte() was only called for
mappings to physical addresses which don't have a page struct (e.g.
memory-mapped I/O) or where the page struct is marked as reserved
memory.

This exposes us to the possibility that the returned PTE pointer
could be NULL, for example in the case of a concurrent THP collapse
operation.  Dereferencing the returned NULL pointer causes a host
crash.

To fix this, we check for NULL, and if it is NULL, we retry the
operation by returning to the guest, with the expectation that it
will generate the same page fault again (unless of course it has
been fixed up by another CPU in the meantime).

Fixes: 71d29f43b6 ("KVM: PPC: Book3S HV: Don't use compound_order to determine host mapping size")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2018-10-04 14:51:11 +10:00
Dave Airlie
d8938c981f Merge branch 'drm-tda9950-fixes' of git://git.armlinux.org.uk/~rmk/linux-arm into drm-fixes
two tda9950 fixes.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Russell King <rmk@armlinux.org.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20181001162948.GA9508@rmk-PC.armlinux.org.uk
2018-10-04 10:32:14 +10:00
Dave Airlie
659c9370e5 There's one fix for our zlib incomlete Z_FINISH on our error state handling
, plus a compilation warning fix and a tiny code clean up.
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJbtSZlAAoJEPpiX2QO6xPKolQH/iFFZ359UuEzjj+mB7i5seYL
 L3c3iT4m7ZIIjcI6Y1kne/EQ7ipRAzpvDBSx8/3GD+4GqgJczeTbHrUqTqFkPwPo
 sReoEUwEgMOMdy0suydMwx71iw5PRJ0BUp4YiB38Dx8IG7BGLyYP46jP7wCpkGxs
 j9h2Y3M2sUPwqcQBbdLU66cRgWxrPBKkypdv77Sziel4j+8y5gCjtPKAO92KurgJ
 uNdHREn0Dx/X0iDUVPpsIPHnBQZWjbf3c/v8Hn+zdzlElfJhpQDdeuFeSG2w9sVr
 3nRhnl9ZHj5m7V7nWDTzeCk1+QHBLHLOQfSK+MoKGFnI1jznF9yfWjZHKDile4Y=
 =4FHj
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2018-10-03' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

There's one fix for our zlib incomlete Z_FINISH on our error state handling,
plus a compilation warning fix and a tiny code clean up.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181003202840.GA23560@intel.com
2018-10-04 10:07:20 +10:00
Greg Kroah-Hartman
cec4de302c Merge gitolite.kernel.org:/pub/scm/linux/kernel/git/davem/net
David writes:
  "Networking fixes:
   1) Prefix length validation in xfrm layer, from Steffen Klassert.

   2) TX status reporting fix in mac80211, from Andrei Otcheretianski.

   3) Fix hangs due to TX_DROP in mac80211, from Bob Copeland.

   4) Fix DMA error regression in b43, from Larry Finger.

   5) Add input validation to xenvif_set_hash_mapping(), from Jan Beulich.

   6) SMMU unmapping fix in hns driver, from Yunsheng Lin.

   7) Bluetooh crash in unpairing on SMP, from Matias Karhumaa.

   8) WoL handling fixes in the phy layer, from Heiner Kallweit.

   9) Fix deadlock in bonding, from Mahesh Bandewar.

   10) Fill ttl inherit infor in vxlan driver, from Hangbin Liu.

   11) Fix TX timeouts during netpoll, from Michael Chan.

   12) RXRPC layer fixes from David Howells.

   13) Another batch of ndo_poll_controller() removals to deal with
       excessive resource consumption during load.  From Eric Dumazet.

   14) Fix a specific TIPC failure secnario, from LUU Duc Canh.

   15) Really disable clocks in r8169 during suspend so that low
       power states can actually be reached.

   16) Fix SYN backlog lockdep issue in tcp and dccp, from Eric Dumazet.

   17) Fix RCU locking in netpoll SKB send, which shows up in bonding,
       from Dave Jones.

   18) Fix TX stalls in r8169, from Heiner Kallweit.

   19) Fix locksup in nfp due to control message storms, from Jakub
       Kicinski.

   20) Various rmnet bug fixes from Subash Abhinov Kasiviswanathan and
       Sean Tranchetti.

   21) Fix use after free in ip_cmsg_recv_dstaddr(), from Eric Dumazet."

* gitolite.kernel.org:/pub/scm/linux/kernel/git/davem/net: (122 commits)
  ixgbe: check return value of napi_complete_done()
  sctp: fix fall-through annotation
  r8169: always autoneg on resume
  ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
  net: qualcomm: rmnet: Fix incorrect allocation flag in receive path
  net: qualcomm: rmnet: Fix incorrect allocation flag in transmit
  net: qualcomm: rmnet: Skip processing loopback packets
  net: systemport: Fix wake-up interrupt race during resume
  rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
  bonding: fix warning message
  inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
  nfp: avoid soft lockups under control message storm
  declance: Fix continuation with the adapter identification message
  net: fec: fix rare tx timeout
  r8169: fix network stalls due to missing bit TXCFG_AUTO_FIFO
  tun: napi flags belong to tfile
  tun: initialize napi_mutex unconditionally
  tun: remove unused parameters
  bond: take rcu lock in netpoll_send_skb_on_dev
  rtnetlink: Fail dump if target netnsid is invalid
  ...
2018-10-03 16:09:11 -07:00
Song Liu
4233cfe6ec ixgbe: check return value of napi_complete_done()
The NIC driver should only enable interrupts when napi_complete_done()
returns true. This patch adds the check for ixgbe.

Cc: stable@vger.kernel.org # 4.10+
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-03 14:40:32 -07:00
Greg Kroah-Hartman
95773dc086 linux-kselftest-4.19-rc7
This fixes update for 4.19-rc7 consists one fix to rseq test to prevent
 it from seg-faulting when compiled with -fpie.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEPZKym/RZuOCGeA/kCwJExA0NQxwFAlu00osACgkQCwJExA0N
 Qxx9kxAAlpBmezLtggexIXXTJiiiKV0VHiqUtQhgsEcPdNO28G9FDTWErh+4QBc5
 oEgveIKYgpVy5hfPgw2SK1qzdwowlA0dHcgQYiOPs6GBEhh8nDCQjMj9KMfpV7dT
 9FxCCZS+d6YLmVELxHlCAe0e2Am5KShk2IiEweBqIhQbJCEXwl3/MwAm3Az3/S8u
 ZNqAt8TuU5HMrF4FkmzDIluDpNXcfQbw4xVPxBcR+ddvIiAYhc+o+NV935ecRzmX
 lY7i8tmmCcHVv1jluIhcjo2CsY+GDS3dn3xXGTpkjd5s0aSXuM9NmtuGaF7jJ5X9
 37vZGR3GyZI/x8ATP2N2/YIL8mF0eiMH2Mdq2Twuj+fYXWbjfUPmxxuJKpGMvtLV
 0NlyPBTKxn5zDmdSu8YZlBcQBAiBHJFMt/mdwalt+xLlQKTaYFzM3flM6QTKGO85
 sdBsfncbZa05T53EMuhS177LKe7PMLZByUFWd2FNMeyUHKI4INobB4ILsjbgCJiu
 010dF5aVsSWNN8tt2+amQ8nzmosB3muycW9SI6f93WqC3u88NlwgTeS3tOmUEQaA
 UpEPbioAstYnOujHY+gEapRVA5g+HQs/sW3LU0c5+szjWLbWPLZmoiAuztiWFatS
 MWBmF/q8j9mnkYpyrtT/tep84sC8hcZnuyEnM9ta+vvWzcPTozQ=
 =Gew9
 -----END PGP SIGNATURE-----

Merge tag 'linux-kselftest-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Shuah writes:
  "kselftest fixes for 4.19-rc7

   This fixes update for 4.19-rc7 consists one fix to rseq test to
   prevent it from seg-faulting when compiled with -fpie."

* tag 'linux-kselftest-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  rseq/selftests: fix parametrized test with -fpie
2018-10-03 11:06:49 -07:00
Gustavo A. R. Silva
2cc543f5cd sctp: fix fall-through annotation
Replace "fallthru" with a proper "fall through" annotation.

This fix is part of the ongoing efforts to enabling
-Wimplicit-fallthrough

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-03 09:33:13 -07:00
Chris Wilson
4c9613ce55 drm/i915: Handle incomplete Z_FINISH for compressed error states
The final call to zlib_deflate(Z_FINISH) may require more output
space to be allocated and so needs to re-invoked. Failure to do so in
the current code leads to incomplete zlib streams (albeit intact due to
the use of Z_SYNC_FLUSH) resulting in the occasional short object
capture.

v2: Check against overrunning our pre-allocated page array
v3: Drop Z_SYNC_FLUSH entirely

Testcase: igt/i915-error-capture.js
Fixes: 0a97015d45 ("drm/i915: Compress GPU objects in error state")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: <stable@vger.kernel.org> # v4.10+
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181003082422.23214-1-chris@chris-wilson.co.uk
(cherry picked from commit 83bc0f5b43)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
2018-10-03 08:02:42 -07:00
Greg Kroah-Hartman
6bebe37927 media fixes for v4.19-rc6
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbtJxBAAoJEAhfPr2O5OEVIxkP/A/e1+gC/ANcXjz8MaTMF3yJ
 4EiM8VZxDdiwVJyoWDylKHCSyW99sgUiVbYykESkl3CRmo3FA+1BHH4Z7azYvRp9
 DYC5VlY3xZa3PQGxqpljiuhKdE8PsAJqHQm8X3QIzeyi1JAYrE2/BaySy3RBo/o8
 jWnd2g1qJ8+rShsyMHbDOli1T9g04xmNsQh6TJBZlXeM6OW+z0/hoXl/TmsrG4Jq
 kwx8NlLvBE6CpLcblNUX/hzEfvoZLcY05poPDTiTcfRnmRhnBQC2GOYmy06SF9NV
 gUIrWH2c4zQ5OJJ3gNkvnoY7UjnC/FuPiAIzfLJdJkmB20Y6FUBvjRuOMSY+0zp3
 HU8rVvKs527cfQli0MJL1f/XLiFZAE0SXHYU838iAprim4MGlGR2vgF/6g7aI1Wg
 W9hHRnWHIgvMdz6Dnt/IzIMDzIvTVvi+oRq5Wq5092fWwMPwlnQHbqBq7wB7bCIe
 AvHFtuxhNQihb4HzYbrDrtGvEaSRFMGLLQTcecJZjrwQMEDcgj9qao40t2m2TpyA
 bgRAN4qga1b5zqONGMgysWPRw1plXvj5ox6yLIMDWwmaLihkNz6ZVDU+8AvUZLbo
 +uqW/6IP0G1PUwZ/op3AlgVwRt4cL/Yf63L5P15nOxsJa32ubLDnmCTHt4PAuX3J
 B2oL2YLfVqf68RSFN/u+
 =GVL4
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Mauro writes:
  "media fixes for v4.19-rc6"

* tag 'media/v4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: v4l: event: Prevent freeing event subscriptions while accessed
2018-10-03 04:23:46 -07:00
Greg Kroah-Hartman
5b372600cc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Jiri writes:
  "HID fixes:
   - hantick touchpad fix from Anisse Astier
   - device ID addition for Ice Lake mobile from Srinivas Pandruvada
   - touchscreen resume fix for certain i2c-hid driven devices from Hans
     de Goede"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: intel-ish-hid: Enable Ice Lake mobile
  HID: i2c-hid: Remove RESEND_REPORT_DESCR quirk and its handling
  HID: i2c-hid: disable runtime PM operations on hantick touchpad
2018-10-03 04:22:30 -07:00
Greg Kroah-Hartman
73dec82d8d Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Al writes:
  "xattrs regression fix from Andreas; sat in -next for quite a while."

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  sysfs: Do not return POSIX ACL xattrs via listxattr
2018-10-03 04:21:23 -07:00
Sakari Ailus
ad608fbcf1 media: v4l: event: Prevent freeing event subscriptions while accessed
The event subscriptions are added to the subscribed event list while
holding a spinlock, but that lock is subsequently released while still
accessing the subscription object. This makes it possible to unsubscribe
the event --- and freeing the subscription object's memory --- while
the subscription object is simultaneously accessed.

Prevent this by adding a mutex to serialise the event subscription and
unsubscription. This also gives a guarantee to the callback ops that the
add op has returned before the del op is called.

This change also results in making the elems field less special:
subscriptions are only added to the event list once they are fully
initialised.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: stable@vger.kernel.org # for 4.14 and up
Fixes: c3b5b0241f ("V4L/DVB: V4L: Events: Add backend")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-10-03 06:32:51 -04:00
Guenter Roeck
e4a02ed2aa locking/ww_mutex: Fix runtime warning in the WW mutex selftest
If CONFIG_WW_MUTEX_SELFTEST=y is enabled, booting an image
in an arm64 virtual machine results in the following
traceback if 8 CPUs are enabled:

  DEBUG_LOCKS_WARN_ON(__owner_task(owner) != current)
  WARNING: CPU: 2 PID: 537 at kernel/locking/mutex.c:1033 __mutex_unlock_slowpath+0x1a8/0x2e0
  ...
  Call trace:
   __mutex_unlock_slowpath()
   ww_mutex_unlock()
   test_cycle_work()
   process_one_work()
   worker_thread()
   kthread()
   ret_from_fork()

If requesting b_mutex fails with -EDEADLK, the error variable
is reassigned to the return value from calling ww_mutex_lock
on a_mutex again. If this call fails, a_mutex is not locked.
It is, however, unconditionally unlocked subsequently, causing
the reported warning. Fix the problem by using two error variables.

With this change, the selftest still fails as follows:

  cyclic deadlock not resolved, ret[7/8] = -35

However, the traceback is gone.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Fixes: d1b42b800e ("locking/ww_mutex: Add kselftests for resolving ww_mutex cyclic deadlocks")
Link: http://lkml.kernel.org/r/1538516929-9734-1-git-send-email-linux@roeck-us.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-10-03 08:56:31 +02:00
Dave Airlie
77d981b16f Use default iommu domain instead of fake one
- This patch makes it to reuse default IOMMU domain instead of
   allocating a fake IOMMU domain, and allows some design changes
   for enhancement of IOMMU framework[1] without breaking Exynos DRM.
 
 [1] https://www.spinics.net/lists/arm-kernel/msg676098.html
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbsYFzAAoJEFc4NIkMQxK4lxsP/1EbVvEq0BhjYLo6CcGA099B
 jFv9PPgcCKw8e0lSZ2Hxs+OsNF8lXD8ylxwzmXOSKPo9EtMGtHs+0dMTJfeZvmqZ
 NSM4WkJmqjAFl4fsTZzRzaWbM0++F/AelO6V6wX9jaNb7rOr9AKtA7lDKyFuqlKq
 4m36fvyxOm5V0uUgV6yphtSBE02tnjCc+fwlZCDzQ/vsneS163FJTSWZ+JZ1ES34
 pSUMaPyIgM09I7wBCzNMYKIqfzkygzpu0DHJsG6HCW86ypDCtOkOMM44Abr1mmfo
 d5l9SrreHom17ghBflRJsdsGd7um8nRKqbvgQ2wyd1pCl62RqPK0y5bvXW2UkuQK
 CdB4lZP1JeuKjeFTy16R5I0JMTZQMdLVd2eeQZRfm7gKxb4RI5TxO9ddCDVnwQXy
 p37ee/wz8Rbq8+5oeXGy0IYXXl0lrAPdTXSTOz/w0T0iNvZkg6XCWcheVvsqowj/
 aPy4wpPg/TXRB9294JUNFQYMZmPs7IrzwSLNxKh9LaTxy+TIznhl2AYUXsMfpuz1
 vjzyRaBiBC48K7W+z5eelHitgfbXO26AfA3M4PmwZdrvGcvjTxyun9l95rY0cN3/
 2LA4nfdbhWDH0FAnInec5K1U63y1oypIHnZjm1nfAh+T4oacSCpGinEXtEYJF6mF
 YGdRK5F7oZ8msZwa6AkV
 =S0+P
 -----END PGP SIGNATURE-----

Merge tag 'exynos-drm-fixes-for-v4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes

Use default iommu domain instead of fake one
- This patch makes it to reuse default IOMMU domain instead of
  allocating a fake IOMMU domain, and allows some design changes
  for enhancement of IOMMU framework[1] without breaking Exynos DRM.

[1] https://www.spinics.net/lists/arm-kernel/msg676098.html

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Inki Dae <inki.dae@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1538360696-23579-1-git-send-email-inki.dae@samsung.com
2018-10-03 16:31:16 +10:00
Nathan Chancellor
88296bd42b x86/cpu/amd: Remove unnecessary parentheses
Clang warns when multiple pairs of parentheses are used for a single
conditional statement.

arch/x86/kernel/cpu/amd.c:925:14: warning: equality comparison with
extraneous parentheses [-Wparentheses-equality]
        if ((c->x86 == 6)) {
             ~~~~~~~^~~~
arch/x86/kernel/cpu/amd.c:925:14: note: remove extraneous parentheses
around the comparison to silence this warning
        if ((c->x86 == 6)) {
            ~       ^   ~
arch/x86/kernel/cpu/amd.c:925:14: note: use '=' to turn this equality
comparison into an assignment
        if ((c->x86 == 6)) {
                    ^~
                    =
1 warning generated.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20181002224511.14929-1-natechancellor@gmail.com
Link: https://github.com/ClangBuiltLinux/linux/issues/187
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-10-03 08:27:47 +02:00
Andy Lutomirski
4f16656401 x86/vdso: Only enable vDSO retpolines when enabled and supported
When I fixed the vDSO build to use inline retpolines, I messed up
the Makefile logic and made it unconditional.  It should have
depended on CONFIG_RETPOLINE and on the availability of compiler
support.  This broke the build on some older compilers.

Reported-by: nikola.ciprich@linuxbox.cz
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Rickard <matt@softrans.com.au>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: jason.vas.dias@gmail.com
Cc: stable@vger.kernel.org
Fixes: 2e549b2ee0 ("x86/vdso: Fix vDSO build if a retpoline is emitted")
Link: http://lkml.kernel.org/r/08a1f29f2c238dd1f493945e702a521f8a5aa3ae.1538540801.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-10-03 08:26:14 +02:00
Alex Xu (Hello71)
9003b36949 r8169: always autoneg on resume
This affects at least versions 25 and 33, so assume all cards are broken
and just renegotiate by default.

Fixes: 10bc6a6042 ("r8169: fix autoneg issue on resume with RTL8168E")
Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-02 22:33:43 -07:00
Eric Dumazet
64199fc0a4 ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
Caching ip_hdr(skb) before a call to pskb_may_pull() is buggy,
do not do it.

Fixes: 2efd4fca70 ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-02 22:32:05 -07:00
David S. Miller
b9f1bcb220 mlx5-fixes-2018-10-01
-----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJbsmA5AAoJEEg/ir3gV/o+Bg0IAM4qUD878349YufTxlNI3usz
 pPyRYLFfh+f3oTjGWxZ4SlAzMsCVnGDWMKFBj33qnJen1YcMxD2DriTIStQfOHkE
 EpErxxMa70YFY2VyvD6Gt/Xfw9Q4ZGrp9j4tNnXVBMVT+EDhui/OpHFlpgoLtpLk
 A8pxPRkbQNdql4OWOLwVpFJoleB0mJp4+ed+z743z4ectBfY0Iqx6Yyk1TRUzLfB
 o/cUV02M33Fi8XjjZ59crPrIc4r0iUcPDcd5+8i2WtOkfbFod9s1Dg4GMNbGpcFn
 RPJX9A+XilMPCJNM8YhwcS2JxX8Y2XwUjBDbspx0RHX3HZY22SjuN2i5p1GZnLo=
 =pu43
 -----END PGP SIGNATURE-----

Merge tag 'mlx5-fixes-2018-10-01' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

Saeed Mahameed says:

====================
Mellanox, mlx5 fixes 2018-10-01

This pull request includes some fixes to mlx5 driver,
Please pull and let me know if there's any problem.

For -stable v4.11:
"6e0a4a23c59a ('net/mlx5: E-Switch, Fix out of bound access when setting vport rate')"

For -stable v4.18:
"98d6627c372a ('net/mlx5e: Set vlan masks for all offloaded TC rules')"
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-02 22:20:24 -07:00
David S. Miller
31c73cb5e2 Merge branch 'rmnet-fixes'
Subash Abhinov Kasiviswanathan says:

====================
net: qualcomm: rmnet: Updates 2018-10-02

This series is a set of small fixes for rmnet driver

Patch 1 is a fix for a scenario reported by syzkaller
Patch 2 & 3 are fixes for incorrect allocation flags
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-02 22:16:00 -07:00