
[PATCH 4.9 111/172] drm/radeon/si: load special ucode for certain MC configs


Greg Kroah-Hartman

Jul 3, 2017, 9:50:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexande...@amd.com>


[ Upstream commit ef736d394e85b1bf1fd65ba5e5257b85f6c82325 ]

Special MC ucode is required for these memory configurations.

Acked-by: Edward O'Callaghan <funfu...@folklore1984.net>
Signed-off-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/gpu/drm/radeon/si.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -115,6 +115,8 @@ MODULE_FIRMWARE("radeon/hainan_rlc.bin")
MODULE_FIRMWARE("radeon/hainan_smc.bin");
MODULE_FIRMWARE("radeon/hainan_k_smc.bin");

+MODULE_FIRMWARE("radeon/si58_mc.bin");
+
static u32 si_get_cu_active_bitmap(struct radeon_device *rdev, u32 se, u32 sh);
static void si_pcie_gen3_enable(struct radeon_device *rdev);
static void si_program_aspm(struct radeon_device *rdev);
@@ -1650,6 +1652,7 @@ static int si_init_microcode(struct rade
int err;
int new_fw = 0;
bool new_smc = false;
+ bool si58_fw = false;

DRM_DEBUG("\n");

@@ -1742,6 +1745,10 @@ static int si_init_microcode(struct rade
default: BUG();
}

+ /* this memory configuration requires special firmware */
+ if (((RREG32(MC_SEQ_MISC0) & 0xff000000) >> 24) == 0x58)
+ si58_fw = true;
+
DRM_INFO("Loading %s Microcode\n", new_chip_name);

snprintf(fw_name, sizeof(fw_name), "radeon/%s_pfp.bin", new_chip_name);
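
Review bot: The test ((RREG32(MC_SEQ_MISC0) & 0xff000000) >> 24) == 0x58 uses three bare literals, and the comment above it does not say which memory configuration 0x58 identifies. Named constants for the mask, shift and value, or at least the configuration's name in the comment, would let the next reader tell whether other values need the same treatment. The check also sits after the chip switch, so it applies to every family handled by si_init_microcode(); if that is intended, say so in the comment.
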
@@ -1845,7 +1852,10 @@ static int si_init_microcode(struct rade
}
}

- snprintf(fw_name, sizeof(fw_name), "radeon/%s_mc.bin", new_chip_name);
+ if (si58_fw)
+ snprintf(fw_name, sizeof(fw_name), "radeon/si58_mc.bin");
+ else
+ snprintf(fw_name, sizeof(fw_name), "radeon/%s_mc.bin", new_chip_name);
err = request_firmware(&rdev->mc_fw, fw_name, rdev->dev);
if (err) {
snprintf(fw_name, sizeof(fw_name), "radeon/%s_mc2.bin", chip_name);
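
Review bot: When si58_fw is set and request_firmware() fails for radeon/si58_mc.bin, the error path that follows still builds the radeon/%s_mc2.bin name from chip_name, so a system without the new file looks set to fall back to the generic MC image even though the commit message says special ucode is required. Consider skipping that fallback, or at least logging a warning, when si58_fw is true.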

Greg Kroah-Hartman

Jul 3, 2017, 9:50:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <jthum...@suse.de>


[ Upstream commit 8667f515952feefebb3c0f8d9a9266c91b101a46 ]

Set the elsiocb contexts to NULL after freeing as others depend on it.

Signed-off-by: Johannes Thumshirn <jthum...@suse.de>
Acked-by: Dick Kennedy <dick.k...@broadcom.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc_els.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -3590,12 +3590,14 @@ lpfc_els_free_iocb(struct lpfc_hba *phba
} else {
buf_ptr1 = (struct lpfc_dmabuf *) elsiocb->context2;
lpfc_els_free_data(phba, buf_ptr1);
+ elsiocb->context2 = NULL;
}
}

if (elsiocb->context3) {
buf_ptr = (struct lpfc_dmabuf *) elsiocb->context3;
lpfc_els_free_bpl(phba, buf_ptr);
+ elsiocb->context3 = NULL;
}
lpfc_sli_release_iocbq(phba, elsiocb);
return 0;
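
Review bot: elsiocb->context2 is cleared only in the else arm shown here; the arm above it is outside the hunk, and if it also releases the buffer behind context2 it needs the same assignment. The commit message says others depend on the pointer being NULL without naming them, and since lpfc_sli_release_iocbq() is called right after, a short comment saying which reader sees the iocb after release would make the intent checkable.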

Greg Kroah-Hartman

Jul 3, 2017, 9:50:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrew F. Davis <a...@ti.com>

commit 1c47f7c316de38c30b481e1886cc6352c9efdcc1 upstream.

The three load switches are called SWA1, SWB1, and SWB2. The
node names describing properties for these are expected to be
the same, but due to a typo they are not. Fix this here.

Fixes: d2a2e729a666 ("regulator: tps65086: Add regulator driver for the TPS65086 PMIC")
Reported-by: Steven Kipisz <s-ki...@ti.com>
Signed-off-by: Andrew F. Davis <a...@ti.com>
Tested-by: Steven Kipisz <s-ki...@ti.com>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/regulator/tps65086-regulator.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/regulator/tps65086-regulator.c
+++ b/drivers/regulator/tps65086-regulator.c
@@ -156,8 +156,8 @@ static struct tps65086_regulator regulat
VDOA23_VID_MASK, TPS65086_LDOA3CTRL, BIT(0),
tps65086_ldoa23_ranges, 0, 0),
TPS65086_SWITCH("SWA1", "swa1", SWA1, TPS65086_SWVTT_EN, BIT(5)),
- TPS65086_SWITCH("SWB1", "swa2", SWB1, TPS65086_SWVTT_EN, BIT(6)),
- TPS65086_SWITCH("SWB2", "swa3", SWB2, TPS65086_SWVTT_EN, BIT(7)),
+ TPS65086_SWITCH("SWB1", "swb1", SWB1, TPS65086_SWVTT_EN, BIT(6)),
+ TPS65086_SWITCH("SWB2", "swb2", SWB2, TPS65086_SWVTT_EN, BIT(7)),
TPS65086_SWITCH("VTT", "vtt", VTT, TPS65086_SWVTT_EN, BIT(4)),
};
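
Review bot: The second argument of TPS65086_SWITCH for SWB1 and SWB2 changes from swa2/swa3 to swb1/swb2, so any device tree written against the old strings stops matching once this lands. Worth confirming that no in-tree .dts uses swa2 or swa3, and mentioning in the commit message that out-of-tree device trees need updating.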

Greg Kroah-Hartman

Jul 3, 2017, 9:50:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.n...@alphalink.fr>

commit 57377d63547861919ee634b845c7caa38de4a452 upstream.

Holding a reference on session is required before calling
pppol2tp_session_ioctl(). The session could get freed while processing the
ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
we also need to take a reference on it in l2tp_session_get().

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.n...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Amit Pundir <amit....@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
net/l2tp/l2tp_ppp.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1141,11 +1141,18 @@ static int pppol2tp_tunnel_ioctl(struct
if (stats.session_id != 0) {
/* resend to session ioctl handler */
struct l2tp_session *session =
- l2tp_session_find(sock_net(sk), tunnel, stats.session_id);
- if (session != NULL)
- err = pppol2tp_session_ioctl(session, cmd, arg);
- else
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id, true);
+
+ if (session) {
+ err = pppol2tp_session_ioctl(session, cmd,
+ arg);
+ if (session->deref)
+ session->deref(session);
+ l2tp_session_dec_refcount(session);
+ } else {
err = -EBADR;
+ }
break;
}
#ifdef CONFIG_XFRM
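
Review bot: Releasing the session now takes two steps, the conditional session->deref(session) and l2tp_session_dec_refcount(session), written out inline after pppol2tp_session_ioctl(). A caller that passes true to l2tp_session_get() and forgets the deref half would leave the socket reference held, so a small put helper that does both would be safer than open-coding the pair. The bare true argument would also read better with a comment saying it requests the socket reference described in the commit message.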

Greg Kroah-Hartman

Jul 3, 2017, 9:50:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Serhey Popovych <serhe.p...@gmail.com>


[ Upstream commit 07f615574f8ac499875b21c1142f26308234a92c ]

While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
does a good job on error propagation to the fib_rules_lookup()
in fib rules core framework that also corrects throw routes
handling, it does not solve the route reference leakage problem
that happens when we return -EAGAIN to the fib_rules_lookup()
and leave routing table entry referenced in arg->result.

If rule with matched throw route isn't last matched in the
list we overwrite arg->result losing reference on throw
route stored previously forever.

We also partially revert commit ab997ad40839 ("ipv6: fix the
incorrect return value of throw route") since we never return
routing table entry with dst.error == -EAGAIN when
CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point
to check for RTF_REJECT flag since it is always set on a throw
route.

Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
Signed-off-by: Serhey Popovych <serhe.p...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/ipv6/fib6_rules.c | 22 ++++++----------------
net/ipv6/ip6_fib.c | 3 +--
2 files changed, 7 insertions(+), 18 deletions(-)

--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -32,7 +32,6 @@ struct fib6_rule {
struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
int flags, pol_lookup_t lookup)
{
- struct rt6_info *rt;
struct fib_lookup_arg arg = {
.lookup_ptr = lookup,
.flags = FIB_LOOKUP_NOREF,
@@ -44,21 +43,11 @@ struct dst_entry *fib6_rule_lookup(struc
fib_rules_lookup(net->ipv6.fib6_rules_ops,
flowi6_to_flowi(fl6), flags, &arg);

- rt = arg.result;
+ if (arg.result)
+ return arg.result;

- if (!rt) {
- dst_hold(&net->ipv6.ip6_null_entry->dst);
- return &net->ipv6.ip6_null_entry->dst;
- }
-
- if (rt->rt6i_flags & RTF_REJECT &&
- rt->dst.error == -EAGAIN) {
- ip6_rt_put(rt);
- rt = net->ipv6.ip6_null_entry;
- dst_hold(&rt->dst);
- }
-
- return &rt->dst;
+ dst_hold(&net->ipv6.ip6_null_entry->dst);
+ return &net->ipv6.ip6_null_entry->dst;
}

static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
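
Review bot: The function returns struct dst_entry *, and the old code converted explicitly with rt = arg.result followed by return &rt->dst; the new return arg.result hands the stored pointer back unconverted. That is only correct while dst is the first member of struct rt6_info, so either keep the &rt->dst conversion or add a comment stating the layout assumption.
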
@@ -121,7 +110,8 @@ static int fib6_rule_action(struct fib_r
flp6->saddr = saddr;
}
err = rt->dst.error;
- goto out;
+ if (err != -EAGAIN)
+ goto out;
}
again:
ip6_rt_put(rt);
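
Review bot: With if (err != -EAGAIN) guarding the goto out, the -EAGAIN case now falls through the closing brace into the again: label, and that fall-through is what drops the reference via ip6_rt_put(rt). Nothing in the code says so; a one-line comment at the new condition, stating that a throw route releases rt here, would keep someone from restoring the unconditional goto.
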
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -289,8 +289,7 @@ struct dst_entry *fib6_rule_lookup(struc
struct rt6_info *rt;

rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags);
- if (rt->rt6i_flags & RTF_REJECT &&
- rt->dst.error == -EAGAIN) {
+ if (rt->dst.error == -EAGAIN) {
ip6_rt_put(rt);
rt = net->ipv6.ip6_null_entry;
dst_hold(&rt->dst);
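
Review bot: Dropping the rt->rt6i_flags & RTF_REJECT test makes rt->dst.error == -EAGAIN the only marker for a throw route in this lookup. The commit message gives the justification, but the code carries no trace of that reasoning; a short comment above the condition would do.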

Greg Kroah-Hartman

Jul 3, 2017, 9:50:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eugeniu Rosca <ero...@de.adit-jv.com>


[ Upstream commit 79514ef670e9e575a1fe36922268c439d0f0ca8a ]

Commit a47b70ea86bd ("ravb: unmap descriptors when freeing rings") has
introduced the issue seen in [1] reproduced on H3ULCB board.

Fix this by relocating the RX skb ringbuffer free operation, so that
swiotlb page unmapping can be done first. Freeing of aligned TX buffers
is not relevant to the issue seen in [1]. Still, reposition TX free
calls as well, to have all kfree() operations performed consistently
_after_ dma_unmap_*()/dma_free_*().

[1] Console screenshot with the problem reproduced:

salvator-x login: root
root@salvator-x:~# ifconfig eth0 up
Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
attached PHY driver [Micrel KSZ9031 Gigabit PHY] \
(mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
root@salvator-x:~#
root@salvator-x:~# ifconfig eth0 down

==================================================================
BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649

CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32
Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
Call trace:
[<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
[<ffff20000808f4d4>] show_stack+0x14/0x1c
[<ffff20000865970c>] dump_stack+0xf8/0x150
[<ffff20000831f8b0>] print_address_description+0x7c/0x330
[<ffff200008320010>] kasan_report+0x2e0/0x2f4
[<ffff20000831eac0>] check_memory_region+0x20/0x14c
[<ffff20000831f054>] memcpy+0x48/0x68
[<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
[<ffff20000869fcf4>] unmap_single+0x90/0xa4
[<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
[<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
[<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
[<ffff2000088b25dc>] ravb_close+0x288/0x36c
[<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
[<ffff200008aaf9b4>] __dev_close+0xc8/0x144
[<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
[<ffff200008ac221c>] dev_change_flags+0x60/0xb0
[<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
[<ffff200008ba7b78>] inet_ioctl+0x190/0x194
[<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
[<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
[<ffff200008365a70>] vfs_ioctl+0x90/0xa0
[<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
[<ffff2000083668f0>] SyS_ioctl+0x44/0x74
[<ffff200008083770>] el0_svc_naked+0x24/0x28

The buggy address belongs to the page:
page:ffff7e001b6213c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
root@salvator-x:~#

Fixes: a47b70ea86bd ("ravb: unmap descriptors when freeing rings")
Signed-off-by: Eugeniu Rosca <ero...@de.adit-jv.com>
Acked-by: Sergei Shtylyov <sergei....@cogentembedded.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/renesas/ravb_main.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -229,18 +229,6 @@ static void ravb_ring_free(struct net_de
int ring_size;
int i;

- /* Free RX skb ringbuffer */
- if (priv->rx_skb[q]) {
- for (i = 0; i < priv->num_rx_ring[q]; i++)
- dev_kfree_skb(priv->rx_skb[q][i]);
- }
- kfree(priv->rx_skb[q]);
- priv->rx_skb[q] = NULL;
-
- /* Free aligned TX buffers */
- kfree(priv->tx_align[q]);
- priv->tx_align[q] = NULL;
-
if (priv->rx_ring[q]) {
for (i = 0; i < priv->num_rx_ring[q]; i++) {
struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i];
@@ -269,6 +257,18 @@ static void ravb_ring_free(struct net_de
priv->tx_ring[q] = NULL;
}

+ /* Free RX skb ringbuffer */
+ if (priv->rx_skb[q]) {
+ for (i = 0; i < priv->num_rx_ring[q]; i++)
+ dev_kfree_skb(priv->rx_skb[q][i]);
+ }
+ kfree(priv->rx_skb[q]);
+ priv->rx_skb[q] = NULL;
+
+ /* Free aligned TX buffers */
+ kfree(priv->tx_align[q]);
+ priv->tx_align[q] = NULL;
+
/* Free TX skb ringbuffer.
* SKBs are freed by ravb_tx_free() call above.
*/
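
Review bot: The two blocks move below the descriptor ring teardown unchanged, comments included, so nothing in ravb_ring_free() records that the RX skbs must stay allocated until the DMA unmapping is done. Add a sentence to the "Free RX skb ringbuffer" comment stating the ordering requirement from the commit message; otherwise a later cleanup can move the block back up and reintroduce the use-after-free.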

Greg Kroah-Hartman

Jul 3, 2017, 9:50:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Zach Ploskey <za...@ploskey.com>


[ Upstream commit cfee5d63767b2e7997c1f36420d008abbe61565c ]

On Ideapad laptops, ACPI event 1 is currently not handled. Many models
log "ideapad_laptop: Unknown event: 1" every 20 seconds or so while
running on battery power. Some convertible laptops receive this event
when switching in and out of tablet mode.

This adds an additional case for event 1 in ideapad_acpi_notify to call
ideapad_input_report(priv, vpc_bit), so that the event is reported to
userspace and we avoid unnecessary logging.

Fixes bug #107481 (https://bugzilla.kernel.org/show_bug.cgi?id=107481)
Fixes bug #65751 (https://bugzilla.kernel.org/show_bug.cgi?id=65751)

Signed-off-by: Zach Ploskey <za...@ploskey.com>
Signed-off-by: Andy Shevchenko <andriy.s...@linux.intel.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/platform/x86/ideapad-laptop.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -813,6 +813,7 @@ static void ideapad_acpi_notify(acpi_han
case 8:
case 7:
case 6:
+ case 1:
ideapad_input_report(priv, vpc_bit);
break;
case 5:
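
Review bot: case 1 joins the 6/7/8 group without a comment, yet the commit message describes two different sources for it: a periodic event on battery power and the tablet-mode switch on convertibles. Say in a comment which meaning the driver assumes, and confirm what ideapad_input_report(priv, vpc_bit) delivers to userspace for bit 1, given that the event can arrive every 20 seconds or so.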

Greg Kroah-Hartman

Jul 3, 2017, 9:50:12 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Baolin Wang <baoli...@linaro.org>

commit b3ce3ce02d146841af012d08506b4071db8ffde3 upstream.

When the system tries to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core tries to attach a new UDC, which will cause a deadlock as in
the scenario below. Thus we should release the ffs lock before issuing
unregister_gadget_item().

[ 52.642225] c1 ======================================================
[ 52.642228] c1 [ INFO: possible circular locking dependency detected ]
[ 52.642236] c1 4.4.6+ #1 Tainted: G W O
[ 52.642241] c1 -------------------------------------------------------
[ 52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[ 52.642270] c0 (udc_lock){+.+.+.}, at: [<ffffffc00065aeec>]
usb_gadget_unregister_driver+0x3c/0xc8
[ 52.642272] c1 but task is already holding lock:
[ 52.642283] c0 (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
ffs_data_clear+0x30/0x140
[ 52.642285] c1 which lock already depends on the new lock.
[ 52.642287] c1
the existing dependency chain (in reverse order) is:
[ 52.642295] c0
-> #1 (ffs_lock){+.+.+.}:
[ 52.642307] c0 [<ffffffc00012340c>] __lock_acquire+0x20f0/0x2238
[ 52.642314] c0 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[ 52.642322] c0 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[ 52.642328] c0 [<ffffffc00066f7bc>] ffs_func_bind+0x504/0x6e8
[ 52.642334] c0 [<ffffffc000654004>] usb_add_function+0x84/0x184
[ 52.642340] c0 [<ffffffc000658ca4>] configfs_composite_bind+0x264/0x39c
[ 52.642346] c0 [<ffffffc00065b348>] udc_bind_to_driver+0x58/0x11c
[ 52.642352] c0 [<ffffffc00065b49c>] usb_udc_attach_driver+0x90/0xc8
[ 52.642358] c0 [<ffffffc0006598e0>] gadget_dev_desc_UDC_store+0xd4/0x128
[ 52.642369] c0 [<ffffffc0002c14e8>] configfs_write_file+0xd0/0x13c
[ 52.642376] c0 [<ffffffc00023c054>] vfs_write+0xb8/0x214
[ 52.642381] c0 [<ffffffc00023cad4>] SyS_write+0x54/0xb0
[ 52.642388] c0 [<ffffffc000085ff0>] el0_svc_naked+0x24/0x28
[ 52.642395] c0
-> #0 (udc_lock){+.+.+.}:
[ 52.642401] c0 [<ffffffc00011e3d0>] print_circular_bug+0x84/0x2e4
[ 52.642407] c0 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[ 52.642412] c0 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[ 52.642420] c0 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[ 52.642427] c0 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[ 52.642432] c0 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[ 52.642439] c0 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[ 52.642444] c0 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[ 52.642450] c0 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[ 52.642454] c0 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[ 52.642460] c0 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[ 52.642466] c0 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[ 52.642473] c0 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[ 52.642482] c0 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[ 52.642487] c0 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[ 52.642494] c0 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[ 52.642501] c0 [<ffffffc00008a8f0>] do_signal+0x154/0x518
[ 52.642507] c0 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[ 52.642512] c0 [<ffffffc000085ee8>] work_pending+0x1c/0x20
[ 52.642514] c1
other info that might help us debug this:
[ 52.642517] c1 Possible unsafe locking scenario:
[ 52.642518] c1 CPU0 CPU1
[ 52.642520] c1 ---- ----
[ 52.642525] c0 lock(ffs_lock);
[ 52.642529] c0 lock(udc_lock);
[ 52.642533] c0 lock(ffs_lock);
[ 52.642537] c0 lock(udc_lock);
[ 52.642539] c1
*** DEADLOCK ***
[ 52.642543] c1 1 lock held by usb ffs open/2808:
[ 52.642555] c0 #0: (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
ffs_data_clear+0x30/0x140
[ 52.642557] c1 stack backtrace:
[ 52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[ 52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[ 52.642568] c1 Call trace:
[ 52.642573] c1 [<ffffffc00008b430>] dump_backtrace+0x0/0x170
[ 52.642577] c1 [<ffffffc00008b5c0>] show_stack+0x20/0x28
[ 52.642583] c1 [<ffffffc000422694>] dump_stack+0xa8/0xe0
[ 52.642587] c1 [<ffffffc00011e548>] print_circular_bug+0x1fc/0x2e4
[ 52.642591] c1 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[ 52.642595] c1 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[ 52.642599] c1 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[ 52.642604] c1 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[ 52.642608] c1 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[ 52.642613] c1 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[ 52.642618] c1 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[ 52.642621] c1 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[ 52.642625] c1 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[ 52.642629] c1 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[ 52.642633] c1 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[ 52.642636] c1 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[ 52.642640] c1 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[ 52.642644] c1 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[ 52.642647] c1 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[ 52.642651] c1 [<ffffffc00008a8f0>] do_signal+0x154/0x518
[ 52.642656] c1 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[ 52.642659] c1 [<ffffffc000085ee8>] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz <min...@mina86.com>
Signed-off-by: Baolin Wang <baoli...@linaro.org>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
Cc: Jerry Zhang <zhang...@google.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/gadget/function/f_fs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3688,6 +3688,7 @@ static void ffs_closed(struct ffs_data *
{
struct ffs_dev *ffs_obj;
struct f_fs_opts *opts;
+ struct config_item *ci;

ENTER();
ffs_dev_lock();
@@ -3711,8 +3712,11 @@ static void ffs_closed(struct ffs_data *
|| !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount))
goto done;

- unregister_gadget_item(ffs_obj->opts->
- func_inst.group.cg_item.ci_parent->ci_parent);
+ ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
+ ffs_dev_unlock();
+
+ unregister_gadget_item(ci);
+ return;
done:
ffs_dev_unlock();
}
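
Review bot: ci is read from opts->func_inst.group.cg_item.ci_parent->ci_parent while the ffs lock is held, but it is used by unregister_gadget_item(ci) only after ffs_dev_unlock(), with no reference taken in between. If the config item can be released once the lock is dropped, this trades the deadlock for a stale pointer; taking a reference with config_item_get() before unlocking and dropping it with config_item_put() after the call would close that window. The new return ahead of the done: label also gives the function two unlock paths, which deserves a brief comment.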

Greg Kroah-Hartman

Jul 3, 2017, 9:50:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream.

Denys provided an awesome KASAN report pointing to a use
after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.

Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Denys Fedoryshchenko <nucle...@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
net/netfilter/xt_TCPMSS.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
tcp_hdrlen = tcph->doff * 4;

- if (len < tcp_hdrlen)
+ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
return -1;

if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
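
Review bot: The added tcp_hdrlen < sizeof(struct tcphdr) test has no comment, and the commit message never states what the KASAN report actually showed. Since tcp_hdrlen comes from tcph->doff * 4 two lines up, a one-line comment that doff is taken from the packet and may describe a header shorter than the fixed one would document why the check exists.
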
@@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb
if (len > tcp_hdrlen)
return 0;

+ /* tcph->doff has 4 bits, do not wrap it to 0 */
+ if (tcp_hdrlen >= 15 * 4)
+ return 0;
+
/*
* MSS Option not found ?! add it..
*/
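
Review bot: 15 * 4 is the largest header length a 4-bit doff can express, which the comment explains, but the early return 0 also means the packet leaves without the MSS option that the code below would have added. If passing such packets through unclamped is the intended outcome, say so in the comment; a named constant for the 60-byte limit would also be clearer than the bare product.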

Greg Kroah-Hartman

Jul 3, 2017, 9:50:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eran Ben Elisha <era...@mellanox.com>


[ Upstream commit 31a86d137219373c3222ca5f4f912e9a4d8065bb ]

Ethtool channels respond struct was uninitialized when querying device
channel boundaries settings. As a result, unreported fields by the driver
hold garbage. This may cause sending unsupported params to driver.

Fixes: 8bf368620486 ('ethtool: ensure channel counts are within bounds ...')
Signed-off-by: Eran Ben Elisha <era...@mellanox.com>
Signed-off-by: Tariq Toukan <tar...@mellanox.com>
CC: John W. Linville <linv...@tuxdriver.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/core/ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1704,7 +1704,7 @@ static noinline_for_stack int ethtool_ge
static noinline_for_stack int ethtool_set_channels(struct net_device *dev,
void __user *useraddr)
{
- struct ethtool_channels channels, max;
+ struct ethtool_channels channels, max = { .cmd = ETHTOOL_GCHANNELS };
u32 max_rx_in_use = 0;

if (!dev->ethtool_ops->set_channels || !dev->ethtool_ops->get_channels)
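
Review bot: Only max gets an initializer; channels on the same declaration line is still uninitialized. If it is filled completely from useraddr before any field is read, a comment is enough, otherwise it wants the same treatment. The designated initializer also zeroes every other field of max, which is what actually removes the garbage described in the commit message, and the commit message could say that explicitly rather than leaving it to be inferred from .cmd.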

Greg Kroah-Hartman

Jul 3, 2017, 9:50:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Baoquan He <b...@redhat.com>

commit 8eabf42ae5237e6b699aeac687b5b629e3537c8d upstream.

Kernel text KASLR is separated into physical address and virtual
address randomization. And for virtual address randomization, we
only randomize to get an offset between 16M and KERNEL_IMAGE_SIZE.
So the initial value of 'virt_addr' should be LOAD_PHYSICAL_ADDR,
but not the original kernel loading address 'output'.

The bug will cause kernel boot failure if the kernel is loaded at a different
position than the address, 16M, which is decided at compile time.
Kexec/kdump is such a practical case.

To fix it, just assign LOAD_PHYSICAL_ADDR to virt_addr as initial
value.

Tested-by: Dave Young <dyo...@redhat.com>
Signed-off-by: Baoquan He <b...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Fixes: 8391c73 ("x86/KASLR: Randomize virtual address separately")
Link: http://lkml.kernel.org/r/1498567146-11990-3...@redhat.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/x86/boot/compressed/kaslr.c | 3 ---
arch/x86/boot/compressed/misc.c | 4 ++--
arch/x86/boot/compressed/misc.h | 2 --
3 files changed, 2 insertions(+), 7 deletions(-)

--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -430,9 +430,6 @@ void choose_random_location(unsigned lon
{
unsigned long random_addr, min_addr;

- /* By default, keep output position unchanged. */
- *virt_addr = *output;
-
if (cmdline_find_option_bool("nokaslr")) {
warn("KASLR disabled: 'nokaslr' on cmdline.");
return;
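
Review bot: With the default assignment removed, choose_random_location() returns on the nokaslr path without writing *virt_addr, so the parameter is now in/out and the caller must initialize it. The function has no comment stating that; add one here or at the prototype, because a future caller passing an uninitialized variable would end up with an arbitrary virtual address.
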
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -338,7 +338,7 @@ asmlinkage __visible void *extract_kerne
unsigned long output_len)
{
const unsigned long kernel_total_size = VO__end - VO__text;
- unsigned long virt_addr = (unsigned long)output;
+ unsigned long virt_addr = LOAD_PHYSICAL_ADDR;

/* Retain x86 boot parameters pointer passed from startup_32/64. */
boot_params = rmode;
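
Review bot: virt_addr now starts from LOAD_PHYSICAL_ADDR, a constant whose name says physical, while the variable holds a virtual address. The commit message explains why that is correct, but the declaration does not; a short comment here would save the next reader from treating it as a mistake and restoring (unsigned long)output.
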
@@ -397,7 +397,7 @@ asmlinkage __visible void *extract_kerne
#ifndef CONFIG_RELOCATABLE
if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
error("Destination address does not match LOAD_PHYSICAL_ADDR");
- if ((unsigned long)output != virt_addr)
+ if (virt_addr != LOAD_PHYSICAL_ADDR)
error("Destination virtual address changed when not relocatable");
#endif

--- a/arch/x86/boot/compressed/misc.h
+++ b/arch/x86/boot/compressed/misc.h
@@ -81,8 +81,6 @@ static inline void choose_random_locatio
unsigned long output_size,
unsigned long *virt_addr)
{
- /* No change from existing output location. */
- *virt_addr = *output;
}
#endif

Greg Kroah-Hartman

Jul 3, 2017, 9:50:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johann...@intel.com>


[ Upstream commit d2941df8fbd9708035d66d889ada4d3d160170ce ]

When an associated station changes its VHT operating mode this
can/will affect the bandwidth it's using, and consequently we
must recalculate the minimum bandwidth we need to use. Failure
to do so can lead to one of two scenarios:
1) we use a too high bandwidth, this is benign
2) we use a too narrow bandwidth, causing rate control and
actual PHY configuration to be out of sync, which can in
turn cause problems/crashes

Signed-off-by: Johannes Berg <johann...@intel.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/mac80211/iface.c | 21 +++++++++++++++++++++
net/mac80211/rx.c | 9 +--------
net/mac80211/vht.c | 4 +++-
3 files changed, 25 insertions(+), 9 deletions(-)

--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -6,6 +6,7 @@
* Copyright (c) 2006 Jiri Benc <jb...@suse.cz>
* Copyright 2008, Johannes Berg <joha...@sipsolutions.net>
* Copyright 2013-2014 Intel Mobile Communications GmbH
+ * Copyright (c) 2016 Intel Deutschland GmbH
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -1307,6 +1308,26 @@ static void ieee80211_iface_work(struct
} else if (ieee80211_is_action(mgmt->frame_control) &&
mgmt->u.action.category == WLAN_CATEGORY_VHT) {
switch (mgmt->u.action.u.vht_group_notif.action_code) {
+ case WLAN_VHT_ACTION_OPMODE_NOTIF: {
+ struct ieee80211_rx_status *status;
+ enum nl80211_band band;
+ u8 opmode;
+
+ status = IEEE80211_SKB_RXCB(skb);
+ band = status->band;
+ opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode;
+
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get_bss(sdata, mgmt->sa);
+
+ if (sta)
+ ieee80211_vht_handle_opmode(sdata, sta,
+ opmode,
+ band);
+
+ mutex_unlock(&local->sta_mtx);
+ break;
+ }
case WLAN_VHT_ACTION_GROUPID_MGMT:
ieee80211_process_mu_groups(sdata, mgmt);
break;
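
Review bot: opmode is read from mgmt->u.action.u.vht_opmode_notif.operating_mode in this new case, while the check that the frame is long enough to contain it stays in ieee80211_rx_h_action() in rx.c. A comment noting that frames reaching this case were already length-checked before being queued would make that dependency visible. The switch here also tests vht_group_notif.action_code where rx.c tests vht_opmode_notif.action_code; using the same union member in both places would be less surprising.
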
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2923,17 +2923,10 @@ ieee80211_rx_h_action(struct ieee80211_r

switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
case WLAN_VHT_ACTION_OPMODE_NOTIF: {
- u8 opmode;
-
/* verify opmode is present */
if (len < IEEE80211_MIN_ACTION_SIZE + 2)
goto invalid;
-
- opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode;
-
- ieee80211_vht_handle_opmode(rx->sdata, rx->sta,
- opmode, status->band);
- goto handled;
+ goto queue;
}
case WLAN_VHT_ACTION_GROUPID_MGMT: {
if (len < IEEE80211_MIN_ACTION_SIZE + 25)
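
Review bot: The removed call passed rx->sta, while the queued path in iface.c looks the station up again with sta_info_get_bss(sdata, mgmt->sa) and does nothing if the lookup returns NULL. That behavioural difference is not in the commit message and should be. The braces around the WLAN_VHT_ACTION_OPMODE_NOTIF case now enclose only the length check and goto queue and could be dropped.
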
--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -527,8 +527,10 @@ void ieee80211_vht_handle_opmode(struct

u32 changed = __ieee80211_vht_handle_opmode(sdata, sta, opmode, band);

- if (changed > 0)
+ if (changed > 0) {
+ ieee80211_recalc_min_chandef(sdata);
rate_control_rate_update(local, sband, sta, changed);
+ }
}

void ieee80211_get_vht_mask_from_cap(__le16 vht_cap,
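
Review bot: ieee80211_recalc_min_chandef(sdata) is added inside ieee80211_vht_handle_opmode() with no comment on what calling context it needs, and the same patch moves the visible caller from the RX handler to the interface work, under local->sta_mtx. If the recalculation is the reason for that move, state the requirement at this call so that new callers do not invoke it from the RX path again.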

Greg Kroah-Hartman

Jul 3, 2017, 9:55:46 AM
This is the start of the stable review cycle for the 4.9.36 release.
There are 172 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Jul 5 13:33:25 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.36-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gre...@linuxfoundation.org>
Linux 4.9.36-rc1

Wanpeng Li <wanpe...@hotmail.com>
KVM: nVMX: Fix exception injection

Radim Krčmář <rkr...@redhat.com>
KVM: x86: zero base3 of unusable segments

Radim Krčmář <rkr...@redhat.com>
KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()

Ladi Prosek <lpr...@redhat.com>
KVM: x86: fix emulation of RSM and IRET instructions

Mark Salter <msa...@redhat.com>
arm64: fix NULL dereference in have_cpu_die()

Kamal Dasu <kdasu...@gmail.com>
mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program

Jaedon Shin <jaedo...@gmail.com>
i2c: brcmstb: Fix START and STOP conditions

Rafał Miłecki <ra...@milecki.pl>
brcmfmac: avoid writing channel out of allocated array

Arnd Bergmann <ar...@arndb.de>
infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data

Josh Poimboeuf <jpoi...@redhat.com>
objtool: Fix another GCC jump table detection issue

Sudeep Holla <sudeep...@arm.com>
clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled

Dan Carpenter <dan.ca...@oracle.com>
cpufreq: s3c2416: double free on driver init error path

Suravee Suthikulpanit <suravee.su...@amd.com>
iommu/amd: Fix interrupt remapping when disable guest_mode

Pan Bian <bianp...@163.com>
iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()

Robin Murphy <robin....@arm.com>
iommu/dma: Don't reserve PCI I/O windows

Robin Murphy <robin....@arm.com>
iommu: Handle default domain attach failure

David Dillow <dil...@google.com>
iommu/vt-d: Don't over-free page table directories

Junxiao Bi <junxi...@oracle.com>
ocfs2: o2hb: revert hb threshold to keep compatible

Andy Lutomirski <lu...@kernel.org>
x86/mm: Fix flush_tlb_page() on Xen

Joerg Roedel <jro...@suse.de>
x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space

Baoquan He <b...@redhat.com>
x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug

Arnaldo Carvalho de Melo <ac...@redhat.com>
tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel

Doug Berger <ope...@gmail.com>
ARM: 8685/1: ensure memblock-limit is pmd-aligned

Lorenzo Pieralisi <lorenzo....@arm.com>
ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation

Adam Ford <afor...@gmail.com>
ARM: dts: OMAP3: Fix MFG ID EEPROM

Dave Gerlach <d-ge...@ti.com>
ARM: OMAP2+: omap_device: Sync omap_device and pm_runtime after probe defer

Andrew F. Davis <a...@ti.com>
regulator: tps65086: Fix DT node referencing in of_parse_cb

Andrew F. Davis <a...@ti.com>
regulator: tps65086: Fix expected switch DT node names

Johan Hovold <jo...@kernel.org>
spi: fix device-node leaks

Daniel Kurtz <djk...@chromium.org>
spi: When no dma_chan map buffers with spi_master's parent

Matt Fleming <ma...@codeblueprint.co.uk>
sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting

Eric Anholt <er...@anholt.net>
watchdog: bcm281xx: Fix use of uninitialized spinlock.

Florian Westphal <f...@strlen.de>
netfilter: use skb_to_full_sk in ip_route_me_harder

Dan Carpenter <dan.ca...@oracle.com>
xfrm: Oops on error in pfkey_msg2xfrm_state()

Dan Carpenter <dan.ca...@oracle.com>
xfrm: NULL dereference on allocation failure

Sabrina Dubroca <s...@queasysnail.net>
xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY

Ard Biesheuvel <ard.bie...@linaro.org>
mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings

Eugeniu Rosca <ero...@de.adit-jv.com>
ravb: Fix use-after-free on `ifconfig eth0 down`

Peter Dawson <pete...@gmail.com>
ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets

Xin Long <lucie...@gmail.com>
sctp: check af before verify address in sctp_addr_id2transport

Jack Morgenstein <ja...@dev.mellanox.co.il>
net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV

Masami Hiramatsu <mhir...@kernel.org>
perf probe: Fix to probe on gcc generated functions in modules

Parthasarathy Bhuvaragan <parthasarath...@ericsson.com>
tipc: allocate user memory with GFP_KERNEL flag

Karicheri, Muralidharan <m-kari...@ti.com>
net: phy: dp83867: allow RGMII_TXID/RGMII_RXID interface types

Masami Hiramatsu <mhir...@kernel.org>
perf probe: Fix to show correct locations for events on modules

Ivan Vecera <ce...@cera.cz>
be2net: fix MAC addr setting on privileged BE3 VFs

Ivan Vecera <ce...@cera.cz>
be2net: don't delete MAC on close on unprivileged BE3 VFs

Ivan Vecera <ce...@cera.cz>
be2net: fix status check in be_cmd_pmac_add()

Amelie Delaunay <amelie....@st.com>
usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value

Heiko Carstens <heiko.c...@de.ibm.com>
s390/ctl_reg: make __ctl_load a full memory barrier

Nikita Yushchenko <nikita...@cogentembedded.com>
swiotlb: ensure that page-sized mappings are page-aligned

Dave Kleikamp <dave.k...@oracle.com>
coredump: Ensure proper size of sparse core files

Shaohua Li <sh...@fb.com>
aio: fix lock dep warning

Jiri Olsa <jo...@redhat.com>
perf/x86: Reject non sampling events with precise_ip

Peter Zijlstra <pet...@infradead.org>
perf/core: Fix sys_perf_event_open() vs. hotplug

Tobias Klauser <tkla...@distanz.ch>
x86/mpx: Use compatible types in comparison to fix sparse error

Len Brown <len....@intel.com>
x86/tsc: Add the Intel Denverton Processor to native_calibrate_tsc()

Felix Fietkau <n...@nbd.name>
mac80211: initialize SMPS field in HT capabilities

Stefan Hajnoczi <stef...@redhat.com>
pmem: return EIO on read_pmem() failure

Rex Zhu <Rex...@amd.com>
drm/amd/powerplay: refine vce dpm update code on Cz.

Rex Zhu <Rex...@amd.com>
drm/amd/powerplay: fix vce cg logic error on CZ/St.

Alex Deucher <alexande...@amd.com>
drm/radeon/si: load special ucode for certain MC configs

Vadim Lomovtsev <Vadim.L...@caviumnetworks.com>
net: thunderx: acpi: fix LMAC initialization

Ard Biesheuvel <ard.bie...@linaro.org>
arm64: assembler: make adr_l work in modules under KASLR

Kevin Hilman <khi...@baylibre.com>
spi: davinci: use dma_mapping_error()

Roberto Sassu <rsa...@suse.de>
scsi: lpfc: avoid double free of resource identifiers

Brendan McGrath <red...@redmandi.dyndns.org>
HID: i2c-hid: Add sleep between POWER ON and RESET

Colin King <colin...@canonical.com>
perf/x86/intel: Use ULL constant to prevent undefined shift behaviour

Johannes Berg <johann...@intel.com>
mac80211: recalculate min channel width on VHT opmode changes

Russell King <rmk+k...@armlinux.org.uk>
net: phy: marvell: fix Marvell 88E1512 used in SGMII mode

Andy Shevchenko <andriy.s...@linux.intel.com>
pinctrl: intel: Set pin direction properly

Prarit Bhargava <pra...@redhat.com>
perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code

Lucas Stach <l.s...@pengutronix.de>
drm/etnaviv: trick drm_mm into giving out a low IOVA

John Crispin <jo...@phrozen.org>
Documentation: devicetree: change the mediatek ethernet compatible string

Jiri Slaby <jsl...@suse.cz>
kernel/panic.c: add missing \n

Thomas Huth <th...@redhat.com>
ibmveth: Add a proper check for the availability of the checksum features

Balakrishnan Raman <ram...@cumulusnetworks.com>
vxlan: do not age static remote mac entries

Eric Dumazet <edum...@google.com>
ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()

Michael S. Tsirkin <m...@redhat.com>
virtio_net: fix PAGE_SIZE > 64k

Ido Schimmel <ido...@mellanox.com>
mlxsw: spectrum_router: Correctly reallocate adjacency entries

Greg Kurz <gr...@kaod.org>
vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null

Ding Pixel <pd...@amd.com>
drm/amdgpu: check ring being ready before using

Florian Fainelli <f.fai...@gmail.com>
net: dsa: Check return value of phy_connect_direct()

Lendacky, Thomas <Thomas....@amd.com>
amd-xgbe: Check xgbe_init() return code

Zach Ploskey <za...@ploskey.com>
platform/x86: ideapad-laptop: handle ACPI event 1

Jens Axboe <ax...@kernel.dk>
iwlwifi: fix kernel crash when unregistering thermal zone

Eric Farman <far...@linux.vnet.ibm.com>
scsi: virtio_scsi: Reject commands when virtqueue is broken

Vineeth Remanan Pillai <vine...@amazon.com>
xen-netfront: Fix Rx stall during network stress and OOM

Colin Ian King <colin...@canonical.com>
net: sctp: fix array overrun read on sctp_timer_tbl

Stefano Stabellini <sstab...@kernel.org>
swiotlb-xen: update dev_addr after swapping pages

G. Campana <gcam...@quarkslab.com>
virtio_console: fix a crash in config_work_handler

Liu Bo <bo.l...@oracle.com>
Btrfs: fix truncate down when no_holes feature is enabled

Chandan Rajendra <cha...@linux.vnet.ibm.com>
Btrfs: Fix deadlock between direct IO and fast fsync

Eric Dumazet <edum...@google.com>
gianfar: Do not reuse pages from emergency reserve

Jiri Slaby <jsl...@suse.cz>
objtool: Fix IRET's opcode

Daniel Borkmann <dan...@iogearbox.net>
bpf: don't trigger OOM killer under pressure with map alloc

Michael Chan <michae...@broadcom.com>
bnxt_en: Fix "uninitialized variable" bug in TPA code path.

Igor Druzhinin <igor.dr...@citrix.com>
xen-netback: protect resource cleaning on XenBus disconnect

Igor Druzhinin <igor.dr...@citrix.com>
xen-netback: fix memory leaks on XenBus disconnect

Eran Ben Elisha <era...@mellanox.com>
net: ethtool: Initialize buffer when querying device channel settings

Gavin Shan <gws...@linux.vnet.ibm.com>
powerpc/eeh: Enable IO path on permanent error

Florian Fainelli <f.fai...@gmail.com>
net: korina: Fix NAPI versus resources freeing

Zhou Chengming <zhouche...@huawei.com>
perf/x86/intel: Handle exclusive threadid correctly on CPU hotplug

Alvaro G. M <alvaro...@hazent.com>
net: phy: dp83848: add DP83620 PHY support

Alex Deucher <alexande...@amd.com>
drm/amdgpu: add support for new hainan variants

Rex Zhu <Rex...@amd.com>
drm/amdgpu: fix program vce instance logic error.

Quinn Tran <quinn...@cavium.com>
qla2xxx: Fix erroneous invalid handle message

Quinn Tran <quinn...@cavium.com>
qla2xxx: Terminate exchange if corrupted

Johannes Thumshirn <jthum...@suse.de>
scsi: lpfc: Set elsiocb contexts to NULL after freeing it

Julia Lawall <julia....@lip6.fr>
stmmac: add missing of_node_put

Damien Le Moal <damien...@wdc.com>
scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type

Dmitry Vyukov <dvy...@google.com>
KVM: x86: fix fixing of hypercalls

Juergen Gross <jgr...@suse.com>
xen/blkback: don't free be structure too early

Jerome Brunet <jbr...@baylibre.com>
ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage

jbrunet <jbr...@baylibre.com>
dt: bindings: net: use boolean dt properties for eee broken modes

jbrunet <jbr...@baylibre.com>
net: phy: use boolean dt properties for eee broken modes

jbrunet <jbr...@baylibre.com>
net: phy: fix sign type error in genphy_config_eee_advert

jbrunet <jbr...@baylibre.com>
dt-bindings: net: add EEE capability constants

jbrunet <jbr...@baylibre.com>
net: phy: add an option to disable EEE advertisement

Pavel Belous <pavel.s...@gmail.com>
net: ethtool: add support for 2500BaseT and 5000BaseT link modes

Liam R. Howlett <Liam.H...@Oracle.com>
sparc64: Zero pages on allocation for mondo and error queues.

Liam R. Howlett <Liam.H...@Oracle.com>
sparc64: Handle PIO & MEM non-resumable errors.

Mark Rutland <mark.r...@arm.com>
mm: numa: avoid waiting on freed migrated pages

Guillaume Nault <g.n...@alphalink.fr>
l2tp: take a reference on sessions used in genetlink handlers

Guillaume Nault <g.n...@alphalink.fr>
l2tp: hold session while sending creation notifications

Guillaume Nault <g.n...@alphalink.fr>
l2tp: fix duplicate session creation

Guillaume Nault <g.n...@alphalink.fr>
l2tp: ensure session can't get removed during pppol2tp_session_ioctl()

Guillaume Nault <g.n...@alphalink.fr>
l2tp: fix race in l2tp_recv_common()

Baolin Wang <baoli...@linaro.org>
usb: gadget: f_fs: Fix possibe deadlock

Baoquan He <b...@redhat.com>
x86/mm: Fix boot crash caused by incorrect loop count calculation in sync_global_pgds()

Vallish Vaidyeshwara <val...@amazon.com>
dm thin: do not queue freed thin mapping for next stage processing

Deepak Rawat <dra...@vmware.com>
drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr

Bartosz Golaszewski <br...@bgdev.pl>
gpiolib: fix filtering out unwanted events

Trond Myklebust <trond.m...@primarydata.com>
NFSv4.1: Fix a race in nfs4_proc_layoutget

Hui Wang <hui....@canonical.com>
ALSA: hda - set input_path bitmap to zero after moving it to new place

Takashi Iwai <ti...@suse.de>
ALSA: hda - Fix endless loop of codec configure

Paul Burton <paul....@imgtec.com>
MIPS: Fix IRQ tracing & lockdep when rescheduling

Paul Burton <paul....@imgtec.com>
MIPS: pm-cps: Drop manual cache-line alignment of ready_count

James Hogan <james...@imgtec.com>
MIPS: Avoid accidental raw backtrace

Karl Beldan <karl....@gmail.com>
MIPS: head: Reorder instructions missing a delay slot

David Rientjes <rien...@google.com>
mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()

Russell Currey <rus...@russell.cc>
drm/ast: Handle configuration without P2A bridge

Juergen Gross <jgr...@suse.com>
xen/blkback: don't use xen_blkif_get() in xen-blkback kthread

Kinglong Mee <kingl...@gmail.com>
NFSv4.x/callback: Create the callback service through svc_create_pooled

Kinglong Mee <kingl...@gmail.com>
NFSv4: fix a reference leak caused WARNING messages

Eric Leblond <er...@regit.org>
netfilter: synproxy: fix conntrackd interaction

Eric Dumazet <edum...@google.com>
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Serhey Popovych <serhe.p...@gmail.com>
rtnetlink: add IFLA_GROUP to ifla_policy

Serhey Popovych <serhe.p...@gmail.com>
ipv6: Do not leak throw route references

Bert Kenward <bken...@solarflare.com>
sfc: provide dummy definitions of vswitch functions

Gao Feng <gfree...@vip.163.com>
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev

Wei Wang <wei...@google.com>
decnet: always not take dst->__refcnt when inserting dst into hash table

Maor Dickman <ma...@mellanox.com>
net/mlx5e: Fix timestamping capabilities reporting

Eli Cohen <e...@mellanox.com>
net/mlx5: Wait for FW readiness before initializing command interface

Or Gerlitz <oger...@mellanox.com>
net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it

Xin Long <lucie...@gmail.com>
sctp: return next obj by passing pos + 1 into sctp_transport_get_idx

Xin Long <lucie...@gmail.com>
ipv6: fix calling in6_ifa_hold incorrectly for dad work

WANG Cong <xiyou.w...@gmail.com>
igmp: add a missing spin_lock_init()

WANG Cong <xiyou.w...@gmail.com>
igmp: acquire pmc lock for ip_mc_clear_src()

Christian Perle <christi...@secunet.com>
proc: snmp6: Use correct type in memset

Tal Gilboa <ta...@mellanox.com>
net/mlx5e: Fix wrong indications in DIM due to counter wraparound

Tal Gilboa <ta...@mellanox.com>
net/mlx5e: Added BW check for DIM decision mechanism

Jia-Ju Bai <baijia...@163.com>
net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse

Jia-Ju Bai <baijia...@163.com>
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx

Xin Long <lucie...@gmail.com>
sctp: disable BH in sctp_for_each_endpoint

Krister Johansen <kj...@templeofstupid.com>
Fix an intermittent pr_emerg warning about lo becoming free.

Mateusz Jurczyk <mjur...@google.com>
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers

David Ahern <dsa...@gmail.com>
net: vrf: Make add_fib_rules per network namespace flag

Mintz, Yuval <Yuval...@cavium.com>
net: Zero ifla_vf_info in rtnl_fill_vfinfo()

Mateusz Jurczyk <mjur...@google.com>
decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

Alexander Potapenko <gli...@google.com>
net: don't call strlen on non-terminated string in dev_set_alias()

Willem de Bruijn <wil...@google.com>
ipv6: release dst on error in ip6_dst_lookup_tail


-------------

Diffstat:

.../devicetree/bindings/net/mediatek-net.txt | 2 +-
Documentation/devicetree/bindings/net/phy.txt | 9 +
.../devicetree/bindings/net/ti,dp83867.txt | 6 +-
Makefile | 4 +-
arch/arm/boot/dts/logicpd-torpedo-som.dtsi | 2 +-
arch/arm/mach-omap2/omap_device.c | 8 +
arch/arm/mm/mmu.c | 8 +-
.../arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts | 12 +
arch/arm64/include/asm/acpi.h | 6 +-
arch/arm64/include/asm/assembler.h | 36 ++-
arch/arm64/kernel/smp.c | 2 +-
arch/mips/kernel/entry.S | 3 +
arch/mips/kernel/head.S | 2 +-
arch/mips/kernel/pm-cps.c | 9 +-
arch/mips/kernel/traps.c | 2 +
arch/powerpc/kernel/eeh.c | 10 +-
arch/s390/include/asm/ctl_reg.h | 4 +-
arch/sparc/kernel/irq_64.c | 2 +-
arch/sparc/kernel/traps_64.c | 73 ++++++
arch/x86/boot/compressed/kaslr.c | 3 -
arch/x86/boot/compressed/misc.c | 4 +-
arch/x86/boot/compressed/misc.h | 2 -
arch/x86/events/core.c | 4 +
arch/x86/events/intel/core.c | 9 +-
arch/x86/events/intel/uncore_snbep.c | 2 +-
arch/x86/include/asm/kvm_emulate.h | 4 +-
arch/x86/kernel/tsc.c | 1 +
arch/x86/kvm/emulate.c | 16 +-
arch/x86/kvm/pmu_intel.c | 2 +-
arch/x86/kvm/vmx.c | 2 +-
arch/x86/kvm/x86.c | 20 +-
arch/x86/mm/init_64.c | 8 +-
arch/x86/mm/mpx.c | 12 +-
arch/x86/mm/tlb.c | 4 +-
drivers/block/xen-blkback/blkback.c | 3 -
drivers/block/xen-blkback/xenbus.c | 7 +-
drivers/char/virtio_console.c | 2 +-
drivers/clk/clk-scpi.c | 14 +-
drivers/cpufreq/s3c2416-cpufreq.c | 1 -
drivers/gpio/gpiolib.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 7 +
drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +-
drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 25 +-
.../drm/amd/powerplay/hwmgr/cz_clockpowergating.c | 4 +-
drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c | 24 +-
drivers/gpu/drm/ast/ast_drv.h | 6 +-
drivers/gpu/drm/ast/ast_main.c | 264 +++++++++++++--------
drivers/gpu/drm/ast/ast_post.c | 7 +-
drivers/gpu/drm/etnaviv/etnaviv_mmu.c | 7 +-
drivers/gpu/drm/radeon/si.c | 12 +-
drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 1 +
drivers/hid/i2c-hid/i2c-hid.c | 9 +
drivers/i2c/busses/i2c-brcmstb.c | 27 ++-
drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 +
drivers/iommu/amd_iommu.c | 6 +-
drivers/iommu/amd_iommu_v2.c | 2 +-
drivers/iommu/dma-iommu.c | 3 +-
drivers/iommu/intel-iommu.c | 2 +-
drivers/iommu/iommu.c | 37 ++-
drivers/md/dm-thin.c | 26 +-
drivers/mtd/nand/brcmnand/brcmnand.c | 61 ++++-
drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 11 +-
drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
drivers/net/ethernet/emulex/benet/be_main.c | 18 +-
drivers/net/ethernet/freescale/gianfar.c | 2 +-
drivers/net/ethernet/ibm/ibmveth.c | 7 +-
drivers/net/ethernet/korina.c | 8 +-
drivers/net/ethernet/mellanox/mlx4/eq.c | 23 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 8 +-
.../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 8 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c | 45 ++--
drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 +-
.../net/ethernet/mellanox/mlxsw/spectrum_router.c | 10 +-
drivers/net/ethernet/renesas/ravb_main.c | 24 +-
drivers/net/ethernet/sfc/falcon.c | 10 +
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 1 +
drivers/net/phy/dp83848.c | 3 +
drivers/net/phy/dp83867.c | 8 +-
drivers/net/phy/marvell.c | 3 +-
drivers/net/phy/phy.c | 3 +
drivers/net/phy/phy_device.c | 92 ++++++-
drivers/net/virtio_net.c | 10 +-
drivers/net/vrf.c | 36 ++-
drivers/net/vxlan.c | 2 +-
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 32 +--
drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 12 +-
drivers/net/xen-netback/interface.c | 6 +-
drivers/net/xen-netback/xenbus.c | 13 +
drivers/net/xen-netfront.c | 2 +-
drivers/nvdimm/pmem.c | 4 +-
drivers/pinctrl/intel/pinctrl-intel.c | 30 ++-
drivers/platform/x86/ideapad-laptop.c | 1 +
drivers/regulator/tps65086-regulator.c | 10 +-
drivers/scsi/lpfc/lpfc_els.c | 2 +
drivers/scsi/lpfc/lpfc_sli.c | 7 +
drivers/scsi/qla2xxx/qla_def.h | 3 +-
drivers/scsi/qla2xxx/qla_isr.c | 4 +
drivers/scsi/qla2xxx/qla_target.c | 25 +-
drivers/scsi/qla2xxx/qla_target.h | 22 +-
drivers/scsi/sd.c | 3 +-
drivers/scsi/virtio_scsi.c | 11 +-
drivers/spi/spi-davinci.c | 4 +-
drivers/spi/spi.c | 16 +-
drivers/usb/dwc2/gadget.c | 4 +-
drivers/usb/gadget/function/f_fs.c | 8 +-
drivers/vfio/vfio_iommu_spapr_tce.c | 4 +
drivers/watchdog/bcm_kona_wdt.c | 3 +-
drivers/xen/swiotlb-xen.c | 5 +-
fs/aio.c | 6 +-
fs/binfmt_elf.c | 1 +
fs/btrfs/inode.c | 17 +-
fs/coredump.c | 18 ++
fs/nfs/callback.c | 2 +-
fs/nfs/nfs4proc.c | 4 +-
fs/ocfs2/cluster/heartbeat.c | 8 +-
include/linux/bpf.h | 2 +
include/linux/coredump.h | 1 +
include/linux/phy.h | 3 +
include/net/xfrm.h | 10 -
include/uapi/linux/ethtool.h | 4 +-
kernel/bpf/arraymap.c | 18 +-
kernel/bpf/hashtab.c | 22 +-
kernel/bpf/stackmap.c | 20 +-
kernel/bpf/syscall.c | 26 ++
kernel/events/core.c | 70 ++++--
kernel/panic.c | 2 +-
kernel/sched/loadavg.c | 4 +-
lib/swiotlb.c | 6 +-
mm/huge_memory.c | 6 +
mm/swap_cgroup.c | 2 +
mm/vmalloc.c | 14 +-
net/8021q/vlan.c | 3 +-
net/caif/cfpkt_skbuff.c | 6 +-
net/core/dev.c | 3 +-
net/core/dst.c | 14 ++
net/core/ethtool.c | 2 +-
net/core/rtnetlink.c | 5 +-
net/decnet/dn_route.c | 14 +-
net/decnet/netfilter/dn_rtmsg.c | 4 +-
net/dsa/slave.c | 6 +-
net/ipv4/igmp.c | 22 +-
net/ipv4/netfilter.c | 7 +-
net/ipv6/addrconf.c | 6 +-
net/ipv6/fib6_rules.c | 22 +-
net/ipv6/ip6_fib.c | 3 +-
net/ipv6/ip6_gre.c | 16 +-
net/ipv6/ip6_output.c | 6 +-
net/ipv6/ip6_tunnel.c | 23 +-
net/ipv6/proc.c | 2 +-
net/key/af_key.c | 17 +-
net/l2tp/l2tp_core.c | 152 +++++++++---
net/l2tp/l2tp_core.h | 6 +-
net/l2tp/l2tp_eth.c | 10 +-
net/l2tp/l2tp_ip.c | 17 +-
net/l2tp/l2tp_ip6.c | 18 +-
net/l2tp/l2tp_netlink.c | 45 ++--
net/l2tp/l2tp_ppp.c | 75 +++---
net/mac80211/iface.c | 21 ++
net/mac80211/main.c | 13 +-
net/mac80211/rx.c | 9 +-
net/mac80211/vht.c | 4 +-
net/netfilter/nf_conntrack_netlink.c | 4 +
net/netfilter/xt_TCPMSS.c | 6 +-
net/sctp/debug.c | 2 +-
net/sctp/socket.c | 11 +-
net/tipc/discover.c | 4 +-
net/tipc/link.c | 2 +-
net/tipc/msg.c | 18 +-
net/tipc/msg.h | 2 +-
net/tipc/name_distr.c | 2 +-
net/unix/af_unix.c | 7 +-
net/xfrm/xfrm_policy.c | 47 ----
sound/pci/hda/hda_codec.h | 2 +
sound/pci/hda/hda_controller.c | 8 +-
sound/pci/hda/hda_generic.c | 1 +
tools/arch/x86/lib/memcpy_64.S | 2 +-
tools/objtool/arch/x86/decode.c | 2 +-
tools/objtool/builtin-check.c | 15 +-
tools/objtool/elf.c | 12 +
tools/objtool/elf.h | 1 +
tools/perf/util/probe-event.c | 45 ++--
tools/perf/util/probe-finder.c | 15 +-
tools/perf/util/probe-finder.h | 3 +
187 files changed, 1678 insertions(+), 804 deletions(-)

Greg Kroah-Hartman

Jul 3, 2017, 9:55:57 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Christian Perle <christi...@secunet.com>


[ Upstream commit 3500cd73dff48f28f4ba80c171c4c80034d40f76 ]

Reading /proc/net/snmp6 yields bogus values on 32 bit kernels.
Use "u64" instead of "unsigned long" in sizeof().

Fixes: 4a4857b1c81e ("proc: Reduce cache miss in snmp6_seq_show")
Signed-off-by: Christian Perle <christi...@secunet.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/ipv6/proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -219,7 +219,7 @@ static void snmp6_seq_show_item64(struct
u64 buff64[SNMP_MIB_MAX];
int i;

- memset(buff64, 0, sizeof(unsigned long) * SNMP_MIB_MAX);
+ memset(buff64, 0, sizeof(u64) * SNMP_MIB_MAX);

snmp_get_cpu_field64_batch(buff64, itemlist, mib, syncpoff);
for (i = 0; itemlist[i].name; i++)
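Review bot: in the memset() of snmp6_seq_show_item64(), the size still spells out the element type by hand, which is how the `unsigned long` versus `u64` mismatch got in. buff64 is a local array declared as `u64 buff64[SNMP_MIB_MAX]`, so `memset(buff64, 0, sizeof(buff64))` would follow the declaration and cannot drift again. With the old expression a 32-bit kernel cleared only half of the array and left the rest as uninitialised stack contents.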

Greg Kroah-Hartman

Jul 3, 2017, 9:55:58 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kamal Dasu <kdasu...@gmail.com>

commit 9d2ee0a60b8bd9bef2a0082c533736d6a7b39873 upstream.

On brcmnand controller v6.x and v7.x, the #WP pin is controlled through
the NAND_WP bit in CS_SELECT register.

The driver currently assumes that toggling the #WP pin is
instantaneously enabling/disabling write-protection, but it actually
takes some time to propagate the new state to the internal NAND chip
logic. This behavior is sometimes causing data corruptions when an
erase/program operation is executed before write-protection has really
been disabled.

Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller")
Signed-off-by: Kamal Dasu <kdasu...@gmail.com>
Signed-off-by: Boris Brezillon <boris.b...@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/mtd/nand/brcmnand/brcmnand.c | 61 +++++++++++++++++++++++++++++++++--
1 file changed, 58 insertions(+), 3 deletions(-)

--- a/drivers/mtd/nand/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/brcmnand/brcmnand.c
@@ -101,6 +101,9 @@ struct brcm_nand_dma_desc {
#define BRCMNAND_MIN_BLOCKSIZE (8 * 1024)
#define BRCMNAND_MIN_DEVSIZE (4ULL * 1024 * 1024)

+#define NAND_CTRL_RDY (INTFC_CTLR_READY | INTFC_FLASH_READY)
+#define NAND_POLL_STATUS_TIMEOUT_MS 100
+
/* Controller feature flags */
enum {
BRCMNAND_HAS_1K_SECTORS = BIT(0),
@@ -765,6 +768,31 @@ enum {
CS_SELECT_AUTO_DEVICE_ID_CFG = BIT(30),
};

+static int bcmnand_ctrl_poll_status(struct brcmnand_controller *ctrl,
+ u32 mask, u32 expected_val,
+ unsigned long timeout_ms)
+{
+ unsigned long limit;
+ u32 val;
+
+ if (!timeout_ms)
+ timeout_ms = NAND_POLL_STATUS_TIMEOUT_MS;
+
+ limit = jiffies + msecs_to_jiffies(timeout_ms);
+ do {
+ val = brcmnand_read_reg(ctrl, BRCMNAND_INTFC_STATUS);
+ if ((val & mask) == expected_val)
+ return 0;
+
+ cpu_relax();
+ } while (time_after(limit, jiffies));
+
+ dev_warn(ctrl->dev, "timeout on status poll (expected %x got %x)\n",
+ expected_val, val & mask);
+
+ return -ETIMEDOUT;
+}
+
static inline void brcmnand_set_wp(struct brcmnand_controller *ctrl, bool en)
{
u32 val = en ? CS_SELECT_NAND_WP : 0;
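Review bot: in the do/while loop of bcmnand_ctrl_poll_status(), the status register is not read again once `time_after(limit, jiffies)` fails. If the caller is delayed between the last read and the timeout check, the function returns -ETIMEDOUT even though the controller may have become ready in the meantime; one more brcmnand_read_reg() and compare after the loop would close that. The loop also spins with cpu_relax() for up to NAND_POLL_STATUS_TIMEOUT_MS (100 ms), and the `bcmnand_` prefix differs from the `brcmnand_` prefix of brcmnand_set_wp() just below.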
@@ -1024,12 +1052,39 @@ static void brcmnand_wp(struct mtd_info

if ((ctrl->features & BRCMNAND_HAS_WP) && wp_on == 1) {
static int old_wp = -1;
+ int ret;

if (old_wp != wp) {
dev_dbg(ctrl->dev, "WP %s\n", wp ? "on" : "off");
old_wp = wp;
}
+
+ /*
+ * make sure ctrl/flash ready before and after
+ * changing state of #WP pin
+ */
+ ret = bcmnand_ctrl_poll_status(ctrl, NAND_CTRL_RDY |
+ NAND_STATUS_READY,
+ NAND_CTRL_RDY |
+ NAND_STATUS_READY, 0);
+ if (ret)
+ return;
+
brcmnand_set_wp(ctrl, wp);
+ chip->cmdfunc(mtd, NAND_CMD_STATUS, -1, -1);
+ /* NAND_STATUS_WP 0x00 = protected, 0x80 = not protected */
+ ret = bcmnand_ctrl_poll_status(ctrl,
+ NAND_CTRL_RDY |
+ NAND_STATUS_READY |
+ NAND_STATUS_WP,
+ NAND_CTRL_RDY |
+ NAND_STATUS_READY |
+ (wp ? 0 : NAND_STATUS_WP), 0);
+
+ if (ret)
+ dev_err_ratelimited(&host->pdev->dev,
+ "nand #WP expected %s\n",
+ wp ? "on" : "off");
}
}

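Review bot: both failure paths added to brcmnand_wp() are invisible to the caller. If the first bcmnand_ctrl_poll_status() times out, the function returns without calling brcmnand_set_wp(), and if the second one times out it only logs through dev_err_ratelimited(), so an erase/program can still follow with #WP in the wrong state, which is the corruption case the changelog describes. The function returns void; consider returning the error so callers can abort. `old_wp = wp` is also updated before the first poll, so after an early return the "WP on/off" debug message no longer matches the pin. The mask passed to the poll mixes NAND_STATUS_READY and NAND_STATUS_WP with NAND_CTRL_RDY and is applied to BRCMNAND_INTFC_STATUS; a comment saying why those flash status bits are valid in that register after NAND_CMD_STATUS would help.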
@@ -1157,15 +1212,15 @@ static irqreturn_t brcmnand_dma_irq(int
static void brcmnand_send_cmd(struct brcmnand_host *host, int cmd)
{
struct brcmnand_controller *ctrl = host->ctrl;
- u32 intfc;
+ int ret;

dev_dbg(ctrl->dev, "send native cmd %d addr_lo 0x%x\n", cmd,
brcmnand_read_reg(ctrl, BRCMNAND_CMD_ADDRESS));
BUG_ON(ctrl->cmd_pending != 0);
ctrl->cmd_pending = cmd;

- intfc = brcmnand_read_reg(ctrl, BRCMNAND_INTFC_STATUS);
- WARN_ON(!(intfc & INTFC_CTLR_READY));
+ ret = bcmnand_ctrl_poll_status(ctrl, NAND_CTRL_RDY, NAND_CTRL_RDY, 0);
+ WARN_ON(ret);

mb(); /* flush previous writes */
brcmnand_write_reg(ctrl, BRCMNAND_CMD_START,
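Review bot: in brcmnand_send_cmd(), a poll timeout only triggers WARN_ON(ret) and the code still goes on to write BRCMNAND_CMD_START with ctrl->cmd_pending already set. If the controller is still busy after the timeout, either clear cmd_pending and bail out, or add a comment saying why issuing the command anyway is safe. The check also became stricter without a mention in the changelog: NAND_CTRL_RDY includes INTFC_FLASH_READY, where the old WARN_ON tested INTFC_CTLR_READY alone.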

Greg Kroah-Hartman

Jul 3, 2017, 9:56:00 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ivan Vecera <ce...@cera.cz>


[ Upstream commit 6d928ae590c8d58cfd5cca997d54394de139cbb7 ]

BE3 VFs without FILTMGMT privilege are not allowed to modify their MAC,
VLAN table and UC/MC lists. So don't try to delete MAC on such VFs.

Cc: Sathya Perla <sathya...@broadcom.com>
Cc: Ajit Khaparde <ajit.k...@broadcom.com>
Cc: Sriharsha Basavapatna <sriharsha....@broadcom.com>
Cc: Somnath Kotur <somnat...@broadcom.com>
Signed-off-by: Ivan Vecera <ce...@cera.cz>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/emulex/benet/be_main.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -3630,7 +3630,11 @@ static void be_rx_qs_destroy(struct be_a

static void be_disable_if_filters(struct be_adapter *adapter)
{
- be_dev_mac_del(adapter, adapter->pmac_id[0]);
+ /* Don't delete MAC on BE3 VFs without FILTMGMT privilege */
+ if (!BEx_chip(adapter) || !be_virtfn(adapter) ||
+ check_privilege(adapter, BE_PRIV_FILTMGMT))
+ be_dev_mac_del(adapter, adapter->pmac_id[0]);
+
be_clear_uc_list(adapter);
be_clear_mc_list(adapter);
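Review bot: the new guard in be_disable_if_filters() covers only be_dev_mac_del(). The changelog says BE3 VFs without FILTMGMT privilege may not modify the VLAN table and UC/MC lists either, yet be_clear_uc_list() and be_clear_mc_list() are still called unconditionally right after it. Either those helpers check the privilege themselves, which deserves a word in the comment, or they need the same condition. The three-way negated test would also read better as a small helper.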

Greg Kroah-Hartman

Jul 3, 2017, 9:56:41 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.bie...@linaro.org>


[ Upstream commit 41c066f2c4d436c535616fe182331766c57838f0 ]

When CONFIG_RANDOMIZE_MODULE_REGION_FULL=y, the offset between loaded
modules and the core kernel may exceed 4 GB, putting symbols exported
by the core kernel out of the reach of the ordinary adrp/add instruction
pairs used to generate relative symbol references. So make the adr_l
macro emit a movz/movk sequence instead when executing in module context.

While at it, remove the pointless special case for the stack pointer.

Acked-by: Mark Rutland <mark.r...@arm.com>
Acked-by: Will Deacon <will....@arm.com>
Signed-off-by: Ard Biesheuvel <ard.bie...@linaro.org>
Signed-off-by: Catalin Marinas <catalin...@arm.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/arm64/include/asm/assembler.h | 36 +++++++++++++++++++++++++++---------
1 file changed, 27 insertions(+), 9 deletions(-)

--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -155,22 +155,25 @@ lr .req x30 // link register

/*
* Pseudo-ops for PC-relative adr/ldr/str <reg>, <symbol> where
- * <symbol> is within the range +/- 4 GB of the PC.
+ * <symbol> is within the range +/- 4 GB of the PC when running
+ * in core kernel context. In module context, a movz/movk sequence
+ * is used, since modules may be loaded far away from the kernel
+ * when KASLR is in effect.
*/
/*
* @dst: destination register (64 bit wide)
* @sym: name of the symbol
- * @tmp: optional scratch register to be used if <dst> == sp, which
- * is not allowed in an adrp instruction
*/
- .macro adr_l, dst, sym, tmp=
- .ifb \tmp
+ .macro adr_l, dst, sym
+#ifndef MODULE
adrp \dst, \sym
add \dst, \dst, :lo12:\sym
- .else
- adrp \tmp, \sym
- add \dst, \tmp, :lo12:\sym
- .endif
+#else
+ movz \dst, #:abs_g3:\sym
+ movk \dst, #:abs_g2_nc:\sym
+ movk \dst, #:abs_g1_nc:\sym
+ movk \dst, #:abs_g0_nc:\sym
+#endif
.endm

/*
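Review bot: dropping the `tmp=` parameter from `.macro adr_l, dst, sym` changes the macro's signature, so any caller in 4.9.y that still passes a scratch register will fail to assemble after this backport. The changelog only calls the sp special case pointless; please confirm the stable tree has no such caller. The `#ifndef MODULE` inside the macro body is resolved by the C preprocessor rather than by the assembler, so the choice between adrp/add and movz/movk is fixed per compilation unit; one line in the comment block saying so would help readers who expect an assembler-level `.if`.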
@@ -181,6 +184,7 @@ lr .req x30 // link register
* the address
*/
.macro ldr_l, dst, sym, tmp=
+#ifndef MODULE
.ifb \tmp
adrp \dst, \sym
ldr \dst, [\dst, :lo12:\sym]
@@ -188,6 +192,15 @@ lr .req x30 // link register
adrp \tmp, \sym
ldr \dst, [\tmp, :lo12:\sym]
.endif
+#else
+ .ifb \tmp
+ adr_l \dst, \sym
+ ldr \dst, [\dst]
+ .else
+ adr_l \tmp, \sym
+ ldr \dst, [\tmp]
+ .endif
+#endif
.endm

/*
@@ -197,8 +210,13 @@ lr .req x30 // link register
* while <src> needs to be preserved.
*/
.macro str_l, src, sym, tmp
+#ifndef MODULE
adrp \tmp, \sym
str \src, [\tmp, :lo12:\sym]
+#else
+ adr_l \tmp, \sym
+ str \src, [\tmp]
+#endif
.endm

/*

Greg Kroah-Hartman

Jul 3, 2017, 9:56:50 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul....@imgtec.com>

commit 161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503 upstream.

We allocate memory for a ready_count variable per-CPU, which is accessed
via a cached non-coherent TLB mapping to perform synchronisation between
threads within the core using LL/SC instructions. In order to ensure
that the variable is contained within its own data cache line we
allocate 2 lines worth of memory & align the resulting pointer to a line
boundary. This is however unnecessary, since kmalloc is guaranteed to
return memory which is at least cache-line aligned (see
ARCH_DMA_MINALIGN). Stop the redundant manual alignment.

Besides cleaning up the code & avoiding needless work, this has the side
effect of avoiding an arithmetic error found by Bryan on 64 bit systems
due to the 32 bit size of the former dlinesz. This led the ready_count
variable to have its upper 32b cleared erroneously for MIPS64 kernels,
causing problems when ready_count was later used on MIPS64 via cpuidle.

Signed-off-by: Paul Burton <paul....@imgtec.com>
Fixes: 3179d37ee1ed ("MIPS: pm-cps: add PM state entry code for CPS systems")
Reported-by: Bryan O'Donoghue <bryan.o...@imgtec.com>
Reviewed-by: Bryan O'Donoghue <bryan.o...@imgtec.com>
Tested-by: Bryan O'Donoghue <bryan.o...@imgtec.com>
Cc: linux...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15383/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/mips/kernel/pm-cps.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)

--- a/arch/mips/kernel/pm-cps.c
+++ b/arch/mips/kernel/pm-cps.c
@@ -56,7 +56,6 @@ DECLARE_BITMAP(state_support, CPS_PM_STA
* state. Actually per-core rather than per-CPU.
*/
static DEFINE_PER_CPU_ALIGNED(u32*, ready_count);
-static DEFINE_PER_CPU_ALIGNED(void*, ready_count_alloc);

/* Indicates online CPUs coupled with the current CPU */
static DEFINE_PER_CPU_ALIGNED(cpumask_t, online_coupled);
@@ -642,7 +641,6 @@ static int cps_pm_online_cpu(unsigned in
{
enum cps_pm_state state;
unsigned core = cpu_data[cpu].core;
- unsigned dlinesz = cpu_data[cpu].dcache.linesz;
void *entry_fn, *core_rc;

for (state = CPS_PM_NC_WAIT; state < CPS_PM_STATE_COUNT; state++) {
@@ -662,16 +660,11 @@ static int cps_pm_online_cpu(unsigned in
}

if (!per_cpu(ready_count, core)) {
- core_rc = kmalloc(dlinesz * 2, GFP_KERNEL);
+ core_rc = kmalloc(sizeof(u32), GFP_KERNEL);
if (!core_rc) {
pr_err("Failed allocate core %u ready_count\n", core);
return -ENOMEM;
}
- per_cpu(ready_count_alloc, core) = core_rc;
-
- /* Ensure ready_count is aligned to a cacheline boundary */
- core_rc += dlinesz - 1;
- core_rc = (void *)((unsigned long)core_rc & ~(dlinesz - 1));
per_cpu(ready_count, core) = core_rc;
}
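
Review bot: kmalloc(sizeof(u32), GFP_KERNEL) now depends on an alignment guarantee that is stated only in the commit message, and the hunk deletes the one comment ("Ensure ready_count is aligned to a cacheline boundary") that told readers the requirement exists. Suggest a short comment at the allocation saying ready_count must sit in its own data cache line and that kmalloc's minimum alignment (ARCH_DMA_MINALIGN) is what provides it, so a later change of allocator does not quietly break the LL/SC synchronisation.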

Greg Kroah-Hartman

Jul 3, 2017, 10:10:07 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Parthasarathy Bhuvaragan <parthasarath...@ericsson.com>


[ Upstream commit 57d5f64d83ab5b5a5118b1597386dd76eaf4340d ]

Until now, we allocate memory always with GFP_ATOMIC flag.
When the system is under memory pressure and a user tries to send,
the send fails due to low memory. However, the user application
can wait for free memory if we allocate it using GFP_KERNEL flag.

In this commit, we allocate memory with GFP_KERNEL for all user
allocation.

Reported-by: Rune Torgersen <ru...@innovsys.com>
Acked-by: Jon Maloy <jon....@ericsson.com>
Signed-off-by: Parthasarathy Bhuvaragan <parthasarath...@ericsson.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/tipc/discover.c | 4 ++--
net/tipc/link.c | 2 +-
net/tipc/msg.c | 16 ++++++++--------
net/tipc/msg.h | 2 +-
net/tipc/name_distr.c | 2 +-
5 files changed, 13 insertions(+), 13 deletions(-)

--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -169,7 +169,7 @@ void tipc_disc_rcv(struct net *net, stru

/* Send response, if necessary */
if (respond && (mtyp == DSC_REQ_MSG)) {
- rskb = tipc_buf_acquire(MAX_H_SIZE);
+ rskb = tipc_buf_acquire(MAX_H_SIZE, GFP_ATOMIC);
if (!rskb)
return;
tipc_disc_init_msg(net, rskb, DSC_RESP_MSG, bearer);
@@ -278,7 +278,7 @@ int tipc_disc_create(struct net *net, st
req = kmalloc(sizeof(*req), GFP_ATOMIC);
if (!req)
return -ENOMEM;
- req->buf = tipc_buf_acquire(MAX_H_SIZE);
+ req->buf = tipc_buf_acquire(MAX_H_SIZE, GFP_ATOMIC);
if (!req->buf) {
kfree(req);
return -ENOMEM;
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1395,7 +1395,7 @@ tnl:
msg_set_seqno(hdr, seqno++);
pktlen = msg_size(hdr);
msg_set_size(&tnlhdr, pktlen + INT_H_SIZE);
- tnlskb = tipc_buf_acquire(pktlen + INT_H_SIZE);
+ tnlskb = tipc_buf_acquire(pktlen + INT_H_SIZE, GFP_ATOMIC);
if (!tnlskb) {
pr_warn("%sunable to send packet\n", link_co_err);
return;
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -58,12 +58,12 @@ static unsigned int align(unsigned int i
* NOTE: Headroom is reserved to allow prepending of a data link header.
* There may also be unrequested tailroom present at the buffer's end.
*/
-struct sk_buff *tipc_buf_acquire(u32 size)
+struct sk_buff *tipc_buf_acquire(u32 size, gfp_t gfp)
{
struct sk_buff *skb;
unsigned int buf_size = (BUF_HEADROOM + size + 3) & ~3u;

- skb = alloc_skb_fclone(buf_size, GFP_ATOMIC);
+ skb = alloc_skb_fclone(buf_size, gfp);
if (skb) {
skb_reserve(skb, BUF_HEADROOM);
skb_put(skb, size);
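
Review bot: The comment block above tipc_buf_acquire() is not updated for the new gfp argument. Suggest documenting it there, including that callers which can run in atomic context must pass GFP_ATOMIC and that GFP_KERNEL is only valid where sleeping is allowed.
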
@@ -95,7 +95,7 @@ struct sk_buff *tipc_msg_create(uint use
struct tipc_msg *msg;
struct sk_buff *buf;

- buf = tipc_buf_acquire(hdr_sz + data_sz);
+ buf = tipc_buf_acquire(hdr_sz + data_sz, GFP_ATOMIC);
if (unlikely(!buf))
return NULL;

@@ -261,7 +261,7 @@ int tipc_msg_build(struct tipc_msg *mhdr

/* No fragmentation needed? */
if (likely(msz <= pktmax)) {
- skb = tipc_buf_acquire(msz);
+ skb = tipc_buf_acquire(msz, GFP_KERNEL);
if (unlikely(!skb))
return -ENOMEM;
skb_orphan(skb);
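
Review bot: Passing GFP_KERNEL at this tipc_buf_acquire(msz, ...) call, and at the two fragment allocations in the following hunks, means tipc_msg_build() can now sleep, which nothing in the code states or enforces. Suggest a might_sleep() at the top of tipc_msg_build() or a line in its header comment saying it must be called from process context with no spinlock held, so a future caller from an atomic path is caught early.
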
@@ -282,7 +282,7 @@ int tipc_msg_build(struct tipc_msg *mhdr
msg_set_importance(&pkthdr, msg_importance(mhdr));

/* Prepare first fragment */
- skb = tipc_buf_acquire(pktmax);
+ skb = tipc_buf_acquire(pktmax, GFP_KERNEL);
if (!skb)
return -ENOMEM;
skb_orphan(skb);
@@ -313,7 +313,7 @@ int tipc_msg_build(struct tipc_msg *mhdr
pktsz = drem + INT_H_SIZE;
else
pktsz = pktmax;
- skb = tipc_buf_acquire(pktsz);
+ skb = tipc_buf_acquire(pktsz, GFP_KERNEL);
if (!skb) {
rc = -ENOMEM;
goto error;
@@ -448,7 +448,7 @@ bool tipc_msg_make_bundle(struct sk_buff
if (msz > (max / 2))
return false;

- _skb = tipc_buf_acquire(max);
+ _skb = tipc_buf_acquire(max, GFP_ATOMIC);
if (!_skb)
return false;

@@ -496,7 +496,7 @@ bool tipc_msg_reverse(u32 own_node, str

/* Never return SHORT header; expand by replacing buffer if necessary */
if (msg_short(hdr)) {
- *skb = tipc_buf_acquire(BASIC_H_SIZE + dlen);
+ *skb = tipc_buf_acquire(BASIC_H_SIZE + dlen, GFP_ATOMIC);
if (!*skb)
goto exit;
memcpy((*skb)->data + BASIC_H_SIZE, msg_data(hdr), dlen);
--- a/net/tipc/msg.h
+++ b/net/tipc/msg.h
@@ -820,7 +820,7 @@ static inline bool msg_is_reset(struct t
return (msg_user(hdr) == LINK_PROTOCOL) && (msg_type(hdr) == RESET_MSG);
}

-struct sk_buff *tipc_buf_acquire(u32 size);
+struct sk_buff *tipc_buf_acquire(u32 size, gfp_t gfp);
bool tipc_msg_validate(struct sk_buff *skb);
bool tipc_msg_reverse(u32 own_addr, struct sk_buff **skb, int err);
void tipc_msg_init(u32 own_addr, struct tipc_msg *m, u32 user, u32 type,
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -69,7 +69,7 @@ static struct sk_buff *named_prepare_buf
u32 dest)
{
struct tipc_net *tn = net_generic(net, tipc_net_id);
- struct sk_buff *buf = tipc_buf_acquire(INT_H_SIZE + size);
+ struct sk_buff *buf = tipc_buf_acquire(INT_H_SIZE + size, GFP_ATOMIC);
struct tipc_msg *msg;

if (buf != NULL) {

Greg Kroah-Hartman

Jul 3, 2017, 10:10:07 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ladi Prosek <lpr...@redhat.com>

commit 6ed071f051e12cf7baa1b69d3becb8f232fdfb7b upstream.

On AMD, the effect of set_nmi_mask called by emulate_iret_real and em_rsm
on hflags is reverted later on in x86_emulate_instruction where hflags are
overwritten with ctxt->emul_flags (the kvm_set_hflags call). This manifests
as a hang when rebooting Windows VMs with QEMU, OVMF, and >1 vcpu.

Instead of trying to merge ctxt->emul_flags into vcpu->arch.hflags after
an instruction is emulated, this commit deletes emul_flags altogether and
makes the emulator access vcpu->arch.hflags using two new accessors. This
way all changes, on the emulator side as well as in functions called from
the emulator and accessing vcpu state with emul_to_vcpu, are preserved.

More details on the bug and its manifestation with Windows and OVMF:

It's a KVM bug in the interaction between SMI/SMM and NMI, specific to AMD.
I believe that the SMM part explains why we started seeing this only with
OVMF.

KVM masks and unmasks NMI when entering and leaving SMM. When KVM emulates
the RSM instruction in em_rsm, the set_nmi_mask call doesn't stick because
later on in x86_emulate_instruction we overwrite arch.hflags with
ctxt->emul_flags, effectively reverting the effect of the set_nmi_mask call.
The AMD-specific hflag of interest here is HF_NMI_MASK.

When rebooting the system, Windows sends an NMI IPI to all but the current
cpu to shut them down. Only after all of them are parked in HLT will the
initiating cpu finish the restart. If NMI is masked, other cpus never get
the memo and the initiating cpu spins forever, waiting for
hal!HalpInterruptProcessorsStarted to drop. That's the symptom we observe.

Fixes: a584539b24b8 ("KVM: x86: pass the whole hflags field to emulator and back")
Signed-off-by: Ladi Prosek <lpr...@redhat.com>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/x86/include/asm/kvm_emulate.h | 4 +++-
arch/x86/kvm/emulate.c | 16 +++++++++-------
arch/x86/kvm/x86.c | 15 ++++++++++++---
3 files changed, 24 insertions(+), 11 deletions(-)

--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -221,6 +221,9 @@ struct x86_emulate_ops {
void (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
void (*set_nmi_mask)(struct x86_emulate_ctxt *ctxt, bool masked);
+
+ unsigned (*get_hflags)(struct x86_emulate_ctxt *ctxt);
+ void (*set_hflags)(struct x86_emulate_ctxt *ctxt, unsigned hflags);
};

typedef u32 __attribute__((vector_size(16))) sse128_t;
@@ -290,7 +293,6 @@ struct x86_emulate_ctxt {

/* interruptibility state, as a result of execution of STI or MOV SS */
int interruptibility;
- int emul_flags;

bool perm_ok; /* do not check permissions if true */
bool ud; /* inject an #UD if host doesn't support insn */
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2543,7 +2543,7 @@ static int em_rsm(struct x86_emulate_ctx
u64 smbase;
int ret;

- if ((ctxt->emul_flags & X86EMUL_SMM_MASK) == 0)
+ if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
return emulate_ud(ctxt);

/*
@@ -2592,11 +2592,11 @@ static int em_rsm(struct x86_emulate_ctx
return X86EMUL_UNHANDLEABLE;
}

- if ((ctxt->emul_flags & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
+ if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
ctxt->ops->set_nmi_mask(ctxt, false);

- ctxt->emul_flags &= ~X86EMUL_SMM_INSIDE_NMI_MASK;
- ctxt->emul_flags &= ~X86EMUL_SMM_MASK;
+ ctxt->ops->set_hflags(ctxt, ctxt->ops->get_hflags(ctxt) &
+ ~(X86EMUL_SMM_INSIDE_NMI_MASK | X86EMUL_SMM_MASK));
return X86EMUL_CONTINUE;
}
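
Review bot: The final set_hflags() statement is only correct because get_hflags() is called again after set_nmi_mask(ctxt, false); per the commit message set_nmi_mask changes hflags on AMD, so reusing a value read earlier in em_rsm would undo it. That ordering requirement is not visible from the code. Suggest a one-line comment above the set_hflags() call saying hflags must be re-read at this point.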

@@ -5312,6 +5312,7 @@ int x86_emulate_insn(struct x86_emulate_
const struct x86_emulate_ops *ops = ctxt->ops;
int rc = X86EMUL_CONTINUE;
int saved_dst_type = ctxt->dst.type;
+ unsigned emul_flags;

ctxt->mem_read.pos = 0;

@@ -5326,6 +5327,7 @@ int x86_emulate_insn(struct x86_emulate_
goto done;
}

+ emul_flags = ctxt->ops->get_hflags(ctxt);
if (unlikely(ctxt->d &
(No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
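
Review bot: "emul_flags = ctxt->ops->get_hflags(ctxt);" takes a one-time snapshot that the later X86EMUL_GUEST_MASK intercept checks reuse, and the local keeps the name of the field this patch deletes. Suggest a comment that the cached value is read-only and used just for those intercept checks, or a more specific name, so nobody reintroduces a write-back of the stale copy.
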
@@ -5359,7 +5361,7 @@ int x86_emulate_insn(struct x86_emulate_
fetch_possible_mmx_operand(ctxt, &ctxt->dst);
}

- if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
+ if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
rc = emulator_check_intercept(ctxt, ctxt->intercept,
X86_ICPT_PRE_EXCEPT);
if (rc != X86EMUL_CONTINUE)
@@ -5388,7 +5390,7 @@ int x86_emulate_insn(struct x86_emulate_
goto done;
}

- if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
+ if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
rc = emulator_check_intercept(ctxt, ctxt->intercept,
X86_ICPT_POST_EXCEPT);
if (rc != X86EMUL_CONTINUE)
@@ -5442,7 +5444,7 @@ int x86_emulate_insn(struct x86_emulate_

special_insn:

- if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
+ if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
rc = emulator_check_intercept(ctxt, ctxt->intercept,
X86_ICPT_POST_MEMACCESS);
if (rc != X86EMUL_CONTINUE)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5154,6 +5154,16 @@ static void emulator_set_nmi_mask(struct
kvm_x86_ops->set_nmi_mask(emul_to_vcpu(ctxt), masked);
}

+static unsigned emulator_get_hflags(struct x86_emulate_ctxt *ctxt)
+{
+ return emul_to_vcpu(ctxt)->arch.hflags;
+}
+
+static void emulator_set_hflags(struct x86_emulate_ctxt *ctxt, unsigned emul_flags)
+{
+ kvm_set_hflags(emul_to_vcpu(ctxt), emul_flags);
+}
+
static const struct x86_emulate_ops emulate_ops = {
.read_gpr = emulator_read_gpr,
.write_gpr = emulator_write_gpr,
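
Review bot: emulator_set_hflags() names its second parameter emul_flags while the set_hflags op it implements declares it as hflags, and both accessors use bare "unsigned". Suggest "unsigned int hflags" in the op declarations and in both helpers so the callbacks match their prototypes and the deleted field name does not linger.
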
@@ -5193,6 +5203,8 @@ static const struct x86_emulate_ops emul
.intercept = emulator_intercept,
.get_cpuid = emulator_get_cpuid,
.set_nmi_mask = emulator_set_nmi_mask,
+ .get_hflags = emulator_get_hflags,
+ .set_hflags = emulator_set_hflags,
};

static void toggle_interruptibility(struct kvm_vcpu *vcpu, u32 mask)
@@ -5245,7 +5257,6 @@ static void init_emulate_ctxt(struct kvm
BUILD_BUG_ON(HF_GUEST_MASK != X86EMUL_GUEST_MASK);
BUILD_BUG_ON(HF_SMM_MASK != X86EMUL_SMM_MASK);
BUILD_BUG_ON(HF_SMM_INSIDE_NMI_MASK != X86EMUL_SMM_INSIDE_NMI_MASK);
- ctxt->emul_flags = vcpu->arch.hflags;

init_decode_cache(ctxt);
vcpu->arch.emulate_regs_need_sync_from_vcpu = false;
@@ -5636,8 +5647,6 @@ restart:
unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
toggle_interruptibility(vcpu, ctxt->interruptibility);
vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
- if (vcpu->arch.hflags != ctxt->emul_flags)
- kvm_set_hflags(vcpu, ctxt->emul_flags);
kvm_rip_write(vcpu, ctxt->eip);
if (r == EMULATE_DONE)
kvm_vcpu_check_singlestep(vcpu, rflags, &r);

Greg Kroah-Hartman

Jul 3, 2017, 10:10:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Salter <msa...@redhat.com>

commit 335d2c2d192266358c5dfa64953a4c162f46e464 upstream.

Commit 5c492c3f5255 ("arm64: smp: Add function to determine if cpus are
stuck in the kernel") added a helper function to determine if die() is
supported in cpu_ops. This function assumes a cpu will have a valid
cpu_ops entry, but that may not be the case for cpu0 if spin-table or
parking protocol is used to boot secondary cpus. In that case, there
is a NULL dereference if have_cpu_die() is called by cpu0. So add a
check for a valid cpu_ops before dereferencing it.

Fixes: 5c492c3f5255 ("arm64: smp: Add function to determine if cpus are stuck in the kernel")
Signed-off-by: Mark Salter <msa...@redhat.com>
Signed-off-by: Will Deacon <will....@arm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm64/kernel/smp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -934,7 +934,7 @@ static bool have_cpu_die(void)
#ifdef CONFIG_HOTPLUG_CPU
int any_cpu = raw_smp_processor_id();

- if (cpu_ops[any_cpu]->cpu_die)
+ if (cpu_ops[any_cpu] && cpu_ops[any_cpu]->cpu_die)
return true;
#endif
return false;
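
Review bot: The added cpu_ops[any_cpu] test carries no comment, so the reason a running CPU can have a NULL cpu_ops entry lives only in the commit message. Suggest a short comment above the "if" saying the entry can be NULL for cpu0 when secondaries are booted via spin-table or the parking protocol; reading cpu_ops[any_cpu] into a local once would also avoid indexing the array twice.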

Greg Kroah-Hartman

Jul 3, 2017, 10:10:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ivan Vecera <ce...@cera.cz>


[ Upstream commit fe68d8bfe59c561664aa87d827aa4b320eb08895 ]

Return value from be_mcc_notify_wait() contains a base completion status
together with an additional status. The base_status() macro needs to be
used to access base status.

Fixes: e3a7ae2 be2net: Changing MAC Address of a VF was broken
Cc: Sathya Perla <sathya...@broadcom.com>
Cc: Ajit Khaparde <ajit.k...@broadcom.com>
Cc: Sriharsha Basavapatna <sriharsha....@broadcom.com>
Cc: Somnath Kotur <somnat...@broadcom.com>
Signed-off-by: Ivan Vecera <ce...@cera.cz>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -1118,7 +1118,7 @@ int be_cmd_pmac_add(struct be_adapter *a
err:
mutex_unlock(&adapter->mcc_lock);

- if (status == MCC_STATUS_UNAUTHORIZED_REQUEST)
+ if (base_status(status) == MCC_STATUS_UNAUTHORIZED_REQUEST)
status = -EPERM;

return status;
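
Review bot: Only the MCC_STATUS_UNAUTHORIZED_REQUEST comparison goes through base_status(); for every other failure "return status;" still hands the caller the combined base-plus-additional value. Worth confirming that callers of be_cmd_pmac_add() never compare that return value against MCC_STATUS_* codes directly, or stating in a comment that the non-EPERM return is the raw combined status.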

Greg Kroah-Hartman

Jul 3, 2017, 10:10:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long <lucie...@gmail.com>


[ Upstream commit 912964eacb111551db73429719eb5fadcab0ff8a ]

Commit 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the
addr before looking up assoc") invoked sctp_verify_addr to verify the
addr.

But it didn't check af variable beforehand, once users pass an address
with family = 0 through sockopt, sctp_get_af_specific will return NULL
and NULL pointer dereference will be caused by af->sockaddr_len.

This patch is to fix it by returning NULL if af variable is NULL.

Fixes: 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the addr before looking up assoc")
Signed-off-by: Xin Long <lucie...@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -239,7 +239,7 @@ static struct sctp_transport *sctp_addr_
union sctp_addr *laddr = (union sctp_addr *)addr;
struct sctp_transport *transport;

- if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
+ if (!af || sctp_verify_addr(sk, laddr, af->sockaddr_len))
return NULL;

addr_asoc = sctp_endpoint_lookup_assoc(sctp_sk(sk)->ep,
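
Review bot: The "!af" test has to stay the left operand of "||" because af->sockaddr_len is evaluated in the right operand, and nothing in the code says why af can be NULL here. Suggest a brief comment that af is NULL when the address family supplied by the caller is not supported, so the operand order is not swapped in a later cleanup.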

Greg Kroah-Hartman

Jul 3, 2017, 10:10:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhir...@kernel.org>


[ Upstream commit 613f050d68a8ed3c0b18b9568698908ef7bbc1f7 ]

Fix to probe on gcc generated functions on modules. Since
probing on a module is based on its symbol name, it should
be adjusted on actual symbols.

E.g. without this fix, perf probe shows probe definition
on a non-existent symbol as below.

$ perf probe -m build-x86_64/net/netfilter/nf_nat.ko -F in_range*
in_range.isra.12
$ perf probe -m build-x86_64/net/netfilter/nf_nat.ko -D in_range
p:probe/in_range nf_nat:in_range+0

With this fix, perf probe correctly shows a probe on
gcc-generated symbol.

$ perf probe -m build-x86_64/net/netfilter/nf_nat.ko -D in_range
p:probe/in_range nf_nat:in_range.isra.12+0

This also fixes same problem on online module as below.

$ perf probe -m i915 -D assert_plane
p:probe/assert_plane i915:assert_plane.constprop.134+0

Signed-off-by: Masami Hiramatsu <mhir...@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <ac...@redhat.com>
Cc: Jiri Olsa <jo...@redhat.com>
Cc: Namhyung Kim <namh...@kernel.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Link: http://lkml.kernel.org/r/148411450673.9978.14905987549651656075.stgit@devbox
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
tools/perf/util/probe-event.c | 45 ++++++++++++++++++++++++++---------------
tools/perf/util/probe-finder.c | 7 ++++--
tools/perf/util/probe-finder.h | 3 ++
3 files changed, 37 insertions(+), 18 deletions(-)

--- a/tools/perf/util/probe-event.c
+++ b/tools/perf/util/probe-event.c
@@ -645,18 +645,31 @@ static int add_exec_to_probe_trace_event
return ret;
}

-static int add_module_to_probe_trace_events(struct probe_trace_event *tevs,
- int ntevs, const char *module)
+static int
+post_process_module_probe_trace_events(struct probe_trace_event *tevs,
+ int ntevs, const char *module,
+ struct debuginfo *dinfo)
{
+ Dwarf_Addr text_offs = 0;
int i, ret = 0;
char *mod_name = NULL;
+ struct map *map;

if (!module)
return 0;

- mod_name = find_module_name(module);
+ map = get_target_map(module, false);
+ if (!map || debuginfo__get_text_offset(dinfo, &text_offs, true) < 0) {
+ pr_warning("Failed to get ELF symbols for %s\n", module);
+ return -EINVAL;
+ }

+ mod_name = find_module_name(module);
for (i = 0; i < ntevs; i++) {
+ ret = post_process_probe_trace_point(&tevs[i].point,
+ map, (unsigned long)text_offs);
+ if (ret < 0)
+ break;
tevs[i].point.module =
strdup(mod_name ? mod_name : module);
if (!tevs[i].point.module) {
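
Review bot: The early "return -EINVAL" leaks the map reference when get_target_map() succeeds but debuginfo__get_text_offset() fails, because both conditions share one branch and only the normal exit reaches map__put(map). Suggest splitting the test, or routing the failure through a label that calls map__put(map) before returning.
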
@@ -666,6 +679,8 @@ static int add_module_to_probe_trace_eve
}

free(mod_name);
+ map__put(map);
+
return ret;
}

@@ -722,7 +737,7 @@ arch__post_process_probe_trace_events(st
static int post_process_probe_trace_events(struct perf_probe_event *pev,
struct probe_trace_event *tevs,
int ntevs, const char *module,
- bool uprobe)
+ bool uprobe, struct debuginfo *dinfo)
{
int ret;

@@ -730,7 +745,8 @@ static int post_process_probe_trace_even
ret = add_exec_to_probe_trace_events(tevs, ntevs, module);
else if (module)
/* Currently ref_reloc_sym based probe is not for drivers */
- ret = add_module_to_probe_trace_events(tevs, ntevs, module);
+ ret = post_process_module_probe_trace_events(tevs, ntevs,
+ module, dinfo);
else
ret = post_process_kernel_probe_trace_events(tevs, ntevs);

@@ -774,30 +790,27 @@ static int try_to_find_probe_trace_event
}
}

- debuginfo__delete(dinfo);
-
if (ntevs > 0) { /* Succeeded to find trace events */
pr_debug("Found %d probe_trace_events.\n", ntevs);
ret = post_process_probe_trace_events(pev, *tevs, ntevs,
- pev->target, pev->uprobes);
+ pev->target, pev->uprobes, dinfo);
if (ret < 0 || ret == ntevs) {
+ pr_debug("Post processing failed or all events are skipped. (%d)\n", ret);
clear_probe_trace_events(*tevs, ntevs);
zfree(tevs);
+ ntevs = 0;
}
- if (ret != ntevs)
- return ret < 0 ? ret : ntevs;
- ntevs = 0;
- /* Fall through */
}

+ debuginfo__delete(dinfo);
+
if (ntevs == 0) { /* No error but failed to find probe point. */
pr_warning("Probe point '%s' not found.\n",
synthesize_perf_probe_point(&pev->point));
return -ENOENT;
- }
- /* Error path : ntevs < 0 */
- pr_debug("An error occurred in debuginfo analysis (%d).\n", ntevs);
- if (ntevs < 0) {
+ } else if (ntevs < 0) {
+ /* Error path : ntevs < 0 */
+ pr_debug("An error occurred in debuginfo analysis (%d).\n", ntevs);
if (ntevs == -EBADF)
pr_warning("Warning: No dwarf info found in the vmlinux - "
"please rebuild kernel with CONFIG_DEBUG_INFO=y.\n");
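
Review bot: A negative return from post_process_probe_trace_events() is now folded into ntevs = 0, so the caller gets -ENOENT and the "Probe point '%s' not found." warning instead of the real error; the removed "return ret < 0 ? ret : ntevs;" used to propagate it. Suggest keeping the ret < 0 case distinct, for example by assigning ntevs = ret there after clearing tevs, so the failure is reported through the ntevs < 0 path.
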
--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -1501,7 +1501,8 @@ int debuginfo__find_available_vars_at(st
}

/* For the kernel module, we need a special code to get a DIE */
-static int debuginfo__get_text_offset(struct debuginfo *dbg, Dwarf_Addr *offs)
+int debuginfo__get_text_offset(struct debuginfo *dbg, Dwarf_Addr *offs,
+ bool adjust_offset)
{
int n, i;
Elf32_Word shndx;
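
Review bot: debuginfo__get_text_offset() becomes a public function with a new bool adjust_offset, but the comment above it still only says "For the kernel module, we need a special code to get a DIE", and call sites passing bare true/false do not explain themselves. Suggest documenting that with adjust_offset set the section's sh_offset is subtracted from sh_addr, and which kind of caller needs that form.
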
@@ -1530,6 +1531,8 @@ static int debuginfo__get_text_offset(st
if (!shdr)
return -ENOENT;
*offs = shdr->sh_addr;
+ if (adjust_offset)
+ *offs -= shdr->sh_offset;
}
}
return 0;
@@ -1545,7 +1548,7 @@ int debuginfo__find_probe_point(struct d
int baseline = 0, lineno = 0, ret = 0;

/* We always need to relocate the address for aranges */
- if (debuginfo__get_text_offset(dbg, &baseaddr) == 0)
+ if (debuginfo__get_text_offset(dbg, &baseaddr, false) == 0)
addr += baseaddr;
/* Find cu die */
if (!dwarf_addrdie(dbg->dbg, (Dwarf_Addr)addr, &cudie)) {
--- a/tools/perf/util/probe-finder.h
+++ b/tools/perf/util/probe-finder.h
@@ -46,6 +46,9 @@ int debuginfo__find_trace_events(struct
int debuginfo__find_probe_point(struct debuginfo *dbg, unsigned long addr,
struct perf_probe_point *ppt);

+int debuginfo__get_text_offset(struct debuginfo *dbg, Dwarf_Addr *offs,
+ bool adjust_offset);
+
/* Find a line range */
int debuginfo__find_line_range(struct debuginfo *dbg, struct line_range *lr);

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit dbd68d8e84c606673ebbcf15862f8c155fa92326 upstream.

flush_tlb_page() passes a bogus range to flush_tlb_others() and
expects the latter to fix it up. native_flush_tlb_others() has the
fixup but Xen's version doesn't. Move the fixup to
flush_tlb_others().

AFAICS the only real effect is that, without this fix, Xen would
flush everything instead of just the one page on remote vCPUs
when flush_tlb_page() was called.

Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Reviewed-by: Boris Ostrovsky <boris.o...@oracle.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Dave Hansen <dave....@intel.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Josh Poimboeuf <jpoi...@redhat.com>
Cc: Juergen Gross <jgr...@suse.com>
Cc: Konrad Rzeszutek Wilk <konra...@oracle.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Michal Hocko <mho...@suse.com>
Cc: Nadav Amit <na...@vmware.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Rik van Riel <ri...@redhat.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Fixes: e7b52ffd45a6 ("x86/flush_tlb: try flush_tlb_single one by one in flush_tlb_range")
Link: http://lkml.kernel.org/r/10ed0e4dfea64daef10b87fb85df17...@kernel.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/x86/mm/tlb.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -263,8 +263,6 @@ void native_flush_tlb_others(const struc
{
struct flush_tlb_info info;

- if (end == 0)
- end = start + PAGE_SIZE;
info.flush_mm = mm;
info.flush_start = start;
info.flush_end = end;
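
Review bot: With the "end == 0" fallback removed, native_flush_tlb_others() stores whatever end the caller passes, and this patch only updates the flush_tlb_page() call site. Suggest confirming that no other caller of flush_tlb_others() still passes 0 as end. The commit text also says the fixup moves to flush_tlb_others() while the diff places it in flush_tlb_page(), so one of the two should be reworded.
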
@@ -393,7 +391,7 @@ void flush_tlb_page(struct vm_area_struc
}

if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
- flush_tlb_others(mm_cpumask(mm), mm, start, 0UL);
+ flush_tlb_others(mm_cpumask(mm), mm, start, start + PAGE_SIZE);

preempt_enable();
}

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ivan Vecera <ce...@cera.cz>


[ Upstream commit 34393529163af7163ef8459808e3cf2af7db7f16 ]

During interface opening MAC address stored in netdev->dev_addr is
programmed in the HW with exception of BE3 VFs where the initial
MAC is programmed by parent PF. This is OK when MAC address is not
changed when an interface is down. In this case the requested MAC is
stored to netdev->dev_addr and later is stored into HW during opening.
But this is not done for all BE3 VFs so the NIC HW does not know
anything about this change and all traffic is filtered.

This is the case of bonding if fail_over_mac == 0 where the MACs of
the slaves are changed while they are down.

The be2net behavior is too restrictive because if a BE3 VF has
the FILTMGMT privilege then it is able to modify its MAC without
any restriction.

To solve the described problem the driver should take care about these
privileged BE3 VFs so the MAC is programmed during opening. And by
contrast unprivileged BE3 VFs should not be allowed to change their MAC
in any case.

Cc: Sathya Perla <sathya...@broadcom.com>
Cc: Ajit Khaparde <ajit.k...@broadcom.com>
Cc: Sriharsha Basavapatna <sriharsha....@broadcom.com>
Cc: Somnath Kotur <somnat...@broadcom.com>
Signed-off-by: Ivan Vecera <ce...@cera.cz>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/emulex/benet/be_main.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -319,6 +319,13 @@ static int be_mac_addr_set(struct net_de
if (ether_addr_equal(addr->sa_data, adapter->dev_mac))
return 0;

+ /* BE3 VFs without FILTMGMT privilege are not allowed to set its MAC
+ * address
+ */
+ if (BEx_chip(adapter) && be_virtfn(adapter) &&
+ !check_privilege(adapter, BE_PRIV_FILTMGMT))
+ return -EPERM;
+
/* if device is not running, copy MAC to netdev->dev_addr */
if (!netif_running(netdev))
goto done;
@@ -3787,8 +3794,9 @@ static int be_enable_if_filters(struct b
if (status)
return status;

- /* For BE3 VFs, the PF programs the initial MAC address */
- if (!(BEx_chip(adapter) && be_virtfn(adapter))) {
+ /* Don't add MAC on BE3 VFs without FILTMGMT privilege */
+ if (!BEx_chip(adapter) || !be_virtfn(adapter) ||
+ check_privilege(adapter, BE_PRIV_FILTMGMT)) {
status = be_dev_mac_add(adapter, adapter->netdev->dev_addr);
if (status)
return status;
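
Review bot: The three-part test guarding be_dev_mac_add() is the exact negation of the condition added in be_mac_addr_set() above, written out a second time. Suggest a small helper for "BE3 VF without BE_PRIV_FILTMGMT" used in both places, so the permission rule for setting the MAC and the rule for programming it at open cannot drift apart.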

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <s...@queasysnail.net>

commit 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 upstream.

When CONFIG_XFRM_SUB_POLICY=y, xfrm_dst stores a copy of the flowi for
that dst. Unfortunately, the code that allocates and fills this copy
doesn't care about what type of flowi (flowi, flowi4, flowi6) gets
passed. In multiple code paths (from raw_sendmsg, from TCP when
replying to a FIN, in vxlan, geneve, and gre), the flowi that gets
passed to xfrm is actually an on-stack flowi4, so we end up reading
stuff from the stack past the end of the flowi4 struct.

Since xfrm_dst->origin isn't used anywhere following commit
ca116922afa8 ("xfrm: Eliminate "fl" and "pol" args to
xfrm_bundle_ok()."), just get rid of it. xfrm_dst->partner isn't used
either, so get rid of that too.

Fixes: 9d6ec938019c ("ipv4: Use flowi4 in public route lookup interfaces.")
Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen....@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
include/net/xfrm.h | 10 ----------
net/xfrm/xfrm_policy.c | 47 -----------------------------------------------
2 files changed, 57 deletions(-)

--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -944,10 +944,6 @@ struct xfrm_dst {
struct flow_cache_object flo;
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
int num_pols, num_xfrms;
-#ifdef CONFIG_XFRM_SUB_POLICY
- struct flowi *origin;
- struct xfrm_selector *partner;
-#endif
u32 xfrm_genid;
u32 policy_genid;
u32 route_mtu_cached;
@@ -963,12 +959,6 @@ static inline void xfrm_dst_destroy(stru
dst_release(xdst->route);
if (likely(xdst->u.dst.xfrm))
xfrm_state_put(xdst->u.dst.xfrm);
-#ifdef CONFIG_XFRM_SUB_POLICY
- kfree(xdst->origin);
- xdst->origin = NULL;
- kfree(xdst->partner);
- xdst->partner = NULL;
-#endif
}
#endif

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1808,43 +1808,6 @@ free_dst:
goto out;
}

-#ifdef CONFIG_XFRM_SUB_POLICY
-static int xfrm_dst_alloc_copy(void **target, const void *src, int size)
-{
- if (!*target) {
- *target = kmalloc(size, GFP_ATOMIC);
- if (!*target)
- return -ENOMEM;
- }
-
- memcpy(*target, src, size);
- return 0;
-}
-#endif
-
-static int xfrm_dst_update_parent(struct dst_entry *dst,
- const struct xfrm_selector *sel)
-{
-#ifdef CONFIG_XFRM_SUB_POLICY
- struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
- return xfrm_dst_alloc_copy((void **)&(xdst->partner),
- sel, sizeof(*sel));
-#else
- return 0;
-#endif
-}
-
-static int xfrm_dst_update_origin(struct dst_entry *dst,
- const struct flowi *fl)
-{
-#ifdef CONFIG_XFRM_SUB_POLICY
- struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
- return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
-#else
- return 0;
-#endif
-}
-
static int xfrm_expand_policies(const struct flowi *fl, u16 family,
struct xfrm_policy **pols,
int *num_pols, int *num_xfrms)
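
Review bot: The removed xfrm_dst_update_origin() copied sizeof(*fl), the size of the generic struct flowi, from a pointer that per the commit message often refers to a smaller on-stack flowi4. Deleting the copy fixes this instance, but xfrm_expand_policies() just below still takes the same "const struct flowi *fl". Suggest a comment on that parameter that fl may point at a family-specific structure and must not be copied or read as a whole struct flowi.
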
@@ -1916,16 +1879,6 @@ xfrm_resolve_and_create_bundle(struct xf

xdst = (struct xfrm_dst *)dst;
xdst->num_xfrms = err;
- if (num_pols > 1)
- err = xfrm_dst_update_parent(dst, &pols[1]->selector);
- else
- err = xfrm_dst_update_origin(dst, fl);
- if (unlikely(err)) {
- dst_free(dst);
- XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
- return ERR_PTR(err);
- }
-
xdst->num_pols = num_pols;
memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
xdst->policy_genid = atomic_read(&pols[0]->genid);
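
Review bot: in xfrm_resolve_and_create_bundle(), the removed error path held the only XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR) visible in this part of the function, so after this hunk nothing here increments that counter. If no other site bumps it, say so in the changelog, since a counter that can never move misleads anyone using it to diagnose dropped bundles. Also note that err is no longer reassigned after "xdst->num_xfrms = err;", so confirm that no later code in the function still tests err expecting the result of the dropped calls.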

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 8324147f38019865b29d03baf28412d2ec0bd828 upstream.

Make sure to release the device-node reference taken in
of_register_spi_device() on errors and when deregistering the device.

Fixes: 284b01897340 ("spi: Add OF binding support for SPI busses")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/spi/spi.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -621,8 +621,10 @@ void spi_unregister_device(struct spi_de
if (!spi)
return;

- if (spi->dev.of_node)
+ if (spi->dev.of_node) {
of_node_clear_flag(spi->dev.of_node, OF_POPULATED);
+ of_node_put(spi->dev.of_node);
+ }
if (ACPI_COMPANION(&spi->dev))
acpi_device_clear_enumerated(ACPI_COMPANION(&spi->dev));
device_unregister(&spi->dev);
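
Review bot: in spi_unregister_device() the new of_node_put() runs before device_unregister(), while spi->dev.of_node still points at the node. Anything on the unregister path that reads dev.of_node then does so without this device's reference. Consider saving the node pointer and dropping the reference after device_unregister(), or add a comment explaining why the early put is safe.
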
@@ -1589,11 +1591,13 @@ of_register_spi_device(struct spi_master
if (rc) {
dev_err(&master->dev, "spi_device register error %s\n",
nc->full_name);
- goto err_out;
+ goto err_of_node_put;
}

return spi;

+err_of_node_put:
+ of_node_put(nc);
err_out:
spi_dev_put(spi);
return ERR_PTR(rc);
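
Review bot: only the goto in the "spi_device register error" branch was redirected to err_of_node_put, so every other "goto err_out" in of_register_spi_device() still skips of_node_put(nc). That is correct only if all of those jumps happen before the reference on nc is taken. The of_node_get() site is outside this hunk, so please confirm the ordering, or take the reference immediately before the registration call so the pairing is obvious.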

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit 5b0ff9a00755d4d9c209033a77f1ed8f3186fe5c upstream.

hns_roce_v1_cq_set_ci() calls roce_set_bit() on an uninitialized field,
which will then change only a few of its bits, causing a warning with
the latest gcc:

infiniband/hw/hns/hns_roce_hw_v1.c: In function 'hns_roce_v1_cq_set_ci':
infiniband/hw/hns/hns_roce_hw_v1.c:1854:23: error: 'doorbell[1]' is used uninitialized in this function [-Werror=uninitialized]
roce_set_bit(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_HW_SYNS_S, 1);

The code is actually correct since we always set all bits of the
port_vlan field, but gcc correctly points out that the first
access does contain uninitialized data.

This initializes the field to zero first before setting the
individual bits.

Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: Doug Ledford <dled...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
@@ -1267,6 +1267,7 @@ void hns_roce_v1_cq_set_ci(struct hns_ro
u32 doorbell[2];

doorbell[0] = cons_index & ((hr_cq->cq_depth << 1) - 1);
+ doorbell[1] = 0;
roce_set_bit(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_HW_SYNS_S, 1);
roce_set_field(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_CMD_M,
ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_CMD_S, 3);
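
Review bot: "doorbell[1] = 0;" looks like a dead store to anyone who does not know that roce_set_bit() and roce_set_field() change only some bits of the word they are given. A one-line comment to that effect, or initialising the array at its declaration ("u32 doorbell[2] = { 0 };"), would keep a later cleanup from removing the store and reintroducing the uninitialised read.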

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lorenzo Pieralisi <lorenzo....@arm.com>

commit cb7cf772d83d2d4e6995c5bb9e0fb59aea8f7080 upstream.

The BAD_MADT_GICC_ENTRY() macro checks if a GICC MADT entry passes
muster from an ACPI specification standpoint. Current macro detects the
MADT GICC entry length through ACPI firmware version (it changed from 76
to 80 bytes in the transition from ACPI 5.1 to ACPI 6.0 specification)
but always uses (erroneously) the ACPICA (latest) struct (ie struct
acpi_madt_generic_interrupt - that is 80-bytes long) length to check if
the current GICC entry memory record exceeds the MADT table end in
memory as defined by the MADT table header itself, which may result in
false negatives depending on the ACPI firmware version and how the MADT
entries are laid out in memory (ie on ACPI 5.1 firmware MADT GICC
entries are 76 bytes long, so by adding 80 to a GICC entry start address
in memory the resulting address may well be past the actual MADT end,
triggering a false negative).

Fix the BAD_MADT_GICC_ENTRY() macro by reshuffling the condition checks
and update them to always use the firmware version specific MADT GICC
entry length in order to carry out boundary checks.

Fixes: b6cfb277378e ("ACPI / ARM64: add BAD_MADT_GICC_ENTRY() macro")
Reported-by: Julien Grall <julien...@arm.com>
Acked-by: Will Deacon <will....@arm.com>
Acked-by: Marc Zyngier <marc.z...@arm.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo....@arm.com>
Cc: Julien Grall <julien...@arm.com>
Cc: Hanjun Guo <hanju...@linaro.org>
Cc: Al Stone <ah...@redhat.com>
Signed-off-by: Catalin Marinas <catalin...@arm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm64/include/asm/acpi.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm64/include/asm/acpi.h
+++ b/arch/arm64/include/asm/acpi.h
@@ -22,9 +22,9 @@
#define ACPI_MADT_GICC_LENGTH \
(acpi_gbl_FADT.header.revision < 6 ? 76 : 80)

-#define BAD_MADT_GICC_ENTRY(entry, end) \
- (!(entry) || (unsigned long)(entry) + sizeof(*(entry)) > (end) || \
- (entry)->header.length != ACPI_MADT_GICC_LENGTH)
+#define BAD_MADT_GICC_ENTRY(entry, end) \
+ (!(entry) || (entry)->header.length != ACPI_MADT_GICC_LENGTH || \
+ (unsigned long)(entry) + ACPI_MADT_GICC_LENGTH > (end))

/* Basic configuration for ACPI */
#ifdef CONFIG_ACPI
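
Review bot: the reordered BAD_MADT_GICC_ENTRY() now reads (entry)->header.length before the bounds test against end, whereas the old macro checked the bound first. If an entry pointer can ever sit within a few bytes of end, the header read itself goes past the table. ACPI_MADT_GICC_LENGTH does not depend on entry, so the bound check can stay ahead of the length comparison with no loss: test "(unsigned long)(entry) + ACPI_MADT_GICC_LENGTH > (end)" second and compare header.length last. Separately, the macro evaluates entry three times, so callers must not pass an expression with side effects.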

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Junxiao Bi <junxi...@oracle.com>

commit 33496c3c3d7b88dcbe5e55aa01288b05646c6aca upstream.

Configfs is the interface for ocfs2-tools to set configure to kernel and
$configfs_dir/cluster/$clustername/heartbeat/dead_threshold is the one
used to configure heartbeat dead threshold. Kernel has a default value
of it but user can set O2CB_HEARTBEAT_THRESHOLD in /etc/sysconfig/o2cb
to override it.

Commit 45b997737a80 ("ocfs2/cluster: use per-attribute show and store
methods") changed heartbeat dead threshold name while ocfs2-tools did
not, so ocfs2-tools won't set this configurable and the default value is
always used. So revert it.

Fixes: 45b997737a80 ("ocfs2/cluster: use per-attribute show and store methods")
Link: http://lkml.kernel.org/r/1490665245-15374-1-git...@oracle.com
Signed-off-by: Junxiao Bi <junxi...@oracle.com>
Acked-by: Joseph Qi <jiang...@gmail.com>
Cc: Mark Fasheh <mfa...@versity.com>
Cc: Joel Becker <jl...@evilplan.org>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/ocfs2/cluster/heartbeat.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/ocfs2/cluster/heartbeat.c
+++ b/fs/ocfs2/cluster/heartbeat.c
@@ -2242,13 +2242,13 @@ unlock:
spin_unlock(&o2hb_live_lock);
}

-static ssize_t o2hb_heartbeat_group_threshold_show(struct config_item *item,
+static ssize_t o2hb_heartbeat_group_dead_threshold_show(struct config_item *item,
char *page)
{
return sprintf(page, "%u\n", o2hb_dead_threshold);
}

-static ssize_t o2hb_heartbeat_group_threshold_store(struct config_item *item,
+static ssize_t o2hb_heartbeat_group_dead_threshold_store(struct config_item *item,
const char *page, size_t count)
{
unsigned long tmp;
@@ -2297,11 +2297,11 @@ static ssize_t o2hb_heartbeat_group_mode

}

-CONFIGFS_ATTR(o2hb_heartbeat_group_, threshold);
+CONFIGFS_ATTR(o2hb_heartbeat_group_, dead_threshold);
CONFIGFS_ATTR(o2hb_heartbeat_group_, mode);

static struct configfs_attribute *o2hb_heartbeat_group_attrs[] = {
- &o2hb_heartbeat_group_attr_threshold,
+ &o2hb_heartbeat_group_attr_dead_threshold,
&o2hb_heartbeat_group_attr_mode,
NULL,
};
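
Review bot: the second argument of CONFIGFS_ATTR(o2hb_heartbeat_group_, dead_threshold) determines the file name userspace sees, and this revert exists because that name changed once already without ocfs2-tools following. Add a comment above the macro stating that dead_threshold is the name ocfs2-tools writes to, so a future cleanup does not rename it again.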

Greg Kroah-Hartman

Jul 3, 2017, 10:20:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Shaohua Li <sh...@fb.com>


[ Upstream commit a12f1ae61c489076a9aeb90bddca7722bf330df3 ]

lockdep reports a warning. file_start_write/file_end_write only
acquire/release the lock for regular files. So checking the files in aio
side too.

[ 453.532141] ------------[ cut here ]------------
[ 453.533011] WARNING: CPU: 1 PID: 1298 at ../kernel/locking/lockdep.c:3514 lock_release+0x434/0x670
[ 453.533011] DEBUG_LOCKS_WARN_ON(depth <= 0)
[ 453.533011] Modules linked in:
[ 453.533011] CPU: 1 PID: 1298 Comm: fio Not tainted 4.9.0+ #964
[ 453.533011] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.0-1.fc24 04/01/2014
[ 453.533011] ffff8803a24b7a70 ffffffff8196cffb ffff8803a24b7ae8 0000000000000000
[ 453.533011] ffff8803a24b7ab8 ffffffff81091ee1 ffff8803a5dba700 00000dba00000008
[ 453.533011] ffffed0074496f59 ffff8803a5dbaf54 ffff8803ae0f8488 fffffffffffffdef
[ 453.533011] Call Trace:
[ 453.533011] [<ffffffff8196cffb>] dump_stack+0x67/0x9c
[ 453.533011] [<ffffffff81091ee1>] __warn+0x111/0x130
[ 453.533011] [<ffffffff81091f97>] warn_slowpath_fmt+0x97/0xb0
[ 453.533011] [<ffffffff81091f00>] ? __warn+0x130/0x130
[ 453.533011] [<ffffffff8191b789>] ? blk_finish_plug+0x29/0x60
[ 453.533011] [<ffffffff811205d4>] lock_release+0x434/0x670
[ 453.533011] [<ffffffff8198af94>] ? import_single_range+0xd4/0x110
[ 453.533011] [<ffffffff81322195>] ? rw_verify_area+0x65/0x140
[ 453.533011] [<ffffffff813aa696>] ? aio_write+0x1f6/0x280
[ 453.533011] [<ffffffff813aa6c9>] aio_write+0x229/0x280
[ 453.533011] [<ffffffff813aa4a0>] ? aio_complete+0x640/0x640
[ 453.533011] [<ffffffff8111df20>] ? debug_check_no_locks_freed+0x1a0/0x1a0
[ 453.533011] [<ffffffff8114793a>] ? debug_lockdep_rcu_enabled.part.2+0x1a/0x30
[ 453.533011] [<ffffffff81147985>] ? debug_lockdep_rcu_enabled+0x35/0x40
[ 453.533011] [<ffffffff812a92be>] ? __might_fault+0x7e/0xf0
[ 453.533011] [<ffffffff813ac9bc>] do_io_submit+0x94c/0xb10
[ 453.533011] [<ffffffff813ac2ae>] ? do_io_submit+0x23e/0xb10
[ 453.533011] [<ffffffff813ac070>] ? SyS_io_destroy+0x270/0x270
[ 453.533011] [<ffffffff8111d7b3>] ? mark_held_locks+0x23/0xc0
[ 453.533011] [<ffffffff8100201a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 453.533011] [<ffffffff813acb90>] SyS_io_submit+0x10/0x20
[ 453.533011] [<ffffffff824f96aa>] entry_SYSCALL_64_fastpath+0x18/0xad
[ 453.533011] [<ffffffff81119190>] ? trace_hardirqs_off_caller+0xc0/0x110
[ 453.533011] ---[ end trace b2fbe664d1cc0082 ]---

Cc: Dmitry Monakhov <dmon...@openvz.org>
Cc: Jan Kara <ja...@suse.cz>
Cc: Christoph Hellwig <h...@lst.de>
Cc: Al Viro <vi...@zeniv.linux.org.uk>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Signed-off-by: Shaohua Li <sh...@fb.com>
Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
fs/aio.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1085,7 +1085,8 @@ static void aio_complete(struct kiocb *k
* Tell lockdep we inherited freeze protection from submission
* thread.
*/
- __sb_writers_acquired(file_inode(file)->i_sb, SB_FREEZE_WRITE);
+ if (S_ISREG(file_inode(file)->i_mode))
+ __sb_writers_acquired(file_inode(file)->i_sb, SB_FREEZE_WRITE);
file_end_write(file);
}

@@ -1492,7 +1493,8 @@ static ssize_t aio_write(struct kiocb *r
* by telling it the lock got released so that it doesn't
* complain about held lock when we return to userspace.
*/
- __sb_writers_release(file_inode(file)->i_sb, SB_FREEZE_WRITE);
+ if (S_ISREG(file_inode(file)->i_mode))
+ __sb_writers_release(file_inode(file)->i_sb, SB_FREEZE_WRITE);
}
kfree(iovec);
return ret;
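
Review bot: the "S_ISREG(file_inode(file)->i_mode)" test is now open-coded here and in aio_complete(), and both copies must match the regular-file condition that file_start_write()/file_end_write() apply. If either side drifts, the lockdep acquire and release annotations become unbalanced again. The comment above this call should mention the regular-file restriction, and a small shared helper for the two annotation sites would keep the predicate in one place.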

Greg Kroah-Hartman

Jul 3, 2017, 10:20:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jaedon Shin <jaedo...@gmail.com>

commit 2de3ec4f1d4ba6ee380478055104eb918bd50cce upstream.

The BSC data buffers to send and receive data are each of size 32 bytes
or 8 bytes 'xfersz' depending on SoC. The problem observed for all the
combined message transfer was if length of data transfer was a multiple
of 'xfersz' a repeated START was being transmitted by BSC driver. Fixed
this by appropriately setting START/STOP conditions for such transfers.

Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver")
Signed-off-by: Jaedon Shin <jaedo...@gmail.com>
Acked-by: Kamal Dasu <kdasu...@gmail.com>
Signed-off-by: Wolfram Sang <w...@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/i2c/busses/i2c-brcmstb.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)

--- a/drivers/i2c/busses/i2c-brcmstb.c
+++ b/drivers/i2c/busses/i2c-brcmstb.c
@@ -465,6 +465,7 @@ static int brcmstb_i2c_xfer(struct i2c_a
u8 *tmp_buf;
int len = 0;
int xfersz = brcmstb_i2c_get_xfersz(dev);
+ u32 cond, cond_per_msg;

if (dev->is_suspended)
return -EBUSY;
@@ -481,10 +482,11 @@ static int brcmstb_i2c_xfer(struct i2c_a
pmsg->buf ? pmsg->buf[0] : '0', pmsg->len);

if (i < (num - 1) && (msgs[i + 1].flags & I2C_M_NOSTART))
- brcmstb_set_i2c_start_stop(dev, ~(COND_START_STOP));
+ cond = ~COND_START_STOP;
else
- brcmstb_set_i2c_start_stop(dev,
- COND_RESTART | COND_NOSTOP);
+ cond = COND_RESTART | COND_NOSTOP;
+
+ brcmstb_set_i2c_start_stop(dev, cond);

/* Send slave address */
if (!(pmsg->flags & I2C_M_NOSTART)) {
@@ -497,13 +499,24 @@ static int brcmstb_i2c_xfer(struct i2c_a
}
}

+ cond_per_msg = cond;
+
/* Perform data transfer */
while (len) {
bytes_to_xfer = min(len, xfersz);

- if (len <= xfersz && i == (num - 1))
- brcmstb_set_i2c_start_stop(dev,
- ~(COND_START_STOP));
+ if (len <= xfersz) {
+ if (i == (num - 1))
+ cond_per_msg = cond_per_msg &
+ ~(COND_RESTART | COND_NOSTOP);
+ else
+ cond_per_msg = cond;
+ } else {
+ cond_per_msg = (cond_per_msg & ~COND_RESTART) |
+ COND_NOSTOP;
+ }
+
+ brcmstb_set_i2c_start_stop(dev, cond_per_msg);

rc = brcmstb_i2c_xfer_bsc_data(dev, tmp_buf,
bytes_to_xfer, pmsg);
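
Review bot: in the "len <= xfersz" branch for a message that is not the last one, "cond_per_msg = cond;" discards the COND_NOSTART | COND_NOSTOP value stored at the end of the previous loop iteration, so the final chunk of a multi-chunk message is sent with the message-level condition, which can include COND_RESTART. If that is the intended bus behaviour, the branches need a comment naming which START/STOP condition each one produces (first chunk, middle chunk, last chunk of a non-final message, last chunk of the final message). As written, the state carried in cond_per_msg across iterations is hard to verify against the changelog.
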
@@ -512,6 +525,8 @@ static int brcmstb_i2c_xfer(struct i2c_a

len -= bytes_to_xfer;
tmp_buf += bytes_to_xfer;
+
+ cond_per_msg = COND_NOSTART | COND_NOSTOP;
}
}

Greg Kroah-Hartman

Jul 3, 2017, 10:20:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianp...@163.com>

commit 73dbd4a4230216b6a5540a362edceae0c9b4876b upstream.

In function amd_iommu_bind_pasid(), the control flow jumps
to label out_free when pasid_state->mm and mm is NULL. And
mmput(mm) is called. In function mmput(mm), mm is
referenced without validation. This will result in a NULL
dereference bug. This patch fixes the bug.

Signed-off-by: Pan Bian <bianp...@163.com>
Fixes: f0aac63b873b ('iommu/amd: Don't hold a reference to mm_struct')
Signed-off-by: Joerg Roedel <jro...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/iommu/amd_iommu_v2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu_v2.c
+++ b/drivers/iommu/amd_iommu_v2.c
@@ -695,9 +695,9 @@ out_clear_state:

out_unregister:
mmu_notifier_unregister(&pasid_state->mn, mm);
+ mmput(mm);

out_free:
- mmput(mm);
free_pasid_state(pasid_state);

out:
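
Review bot: moving mmput(mm) above the out_free label means every "goto out_free" now returns without dropping an mm reference. That matches the case described in the changelog, where mm is NULL, but the jump sites are outside this hunk. Confirm none of them can reach out_free after a successful mm lookup, otherwise this trades the NULL dereference for a leaked mm_struct reference.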

Greg Kroah-Hartman

Jul 3, 2017, 10:20:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <f...@strlen.de>

commit 29e09229d9f26129a39462fae0ddabc4d9533989 upstream.

inet_sk(skb->sk) is illegal in case skb is attached to request socket.

Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Reported by: Daniel J Blueman <dan...@quora.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
Tested-by: Daniel J Blueman <dan...@quora.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
net/ipv4/netfilter.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -23,7 +23,8 @@ int ip_route_me_harder(struct net *net,
struct rtable *rt;
struct flowi4 fl4 = {};
__be32 saddr = iph->saddr;
- __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+ const struct sock *sk = skb_to_full_sk(skb);
+ __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0;
struct net_device *dev = skb_dst(skb)->dev;
unsigned int hh_len;

@@ -40,7 +41,7 @@ int ip_route_me_harder(struct net *net,
fl4.daddr = iph->daddr;
fl4.saddr = saddr;
fl4.flowi4_tos = RT_TOS(iph->tos);
- fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+ fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
if (!fl4.flowi4_oif)
fl4.flowi4_oif = l3mdev_master_ifindex(dev);
fl4.flowi4_mark = skb->mark;
@@ -61,7 +62,7 @@ int ip_route_me_harder(struct net *net,
xfrm_decode_session(skb, flowi4_to_flowi(&fl4), AF_INET) == 0) {
struct dst_entry *dst = skb_dst(skb);
skb_dst_set(skb, NULL);
- dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), skb->sk, 0);
+ dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), sk, 0);
if (IS_ERR(dst))
return PTR_ERR(dst);
skb_dst_set(skb, dst);
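
Review bot: sk is declared "const struct sock *" in the first hunk and is passed here as the fourth argument of xfrm_lookup(). Confirm that the 4.9 prototype takes a const pointer there, otherwise this backport adds a discarded-qualifier warning. A short comment at the skb_to_full_sk() call saying that skb->sk may be a request socket would also explain why skb->sk is no longer used directly in this function.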

Greg Kroah-Hartman

Jul 3, 2017, 10:20:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stefano Stabellini <sstab...@kernel.org>


[ Upstream commit f1225ee4c8fcf09afaa199b8b1f0450f38b8cd11 ]

In xen_swiotlb_map_page and xen_swiotlb_map_sg_attrs, if the original
page is not suitable, we swap it for another page from the swiotlb
pool.

In these cases, we don't update the previously calculated dma address
for the page before calling xen_dma_map_page. Thus, we end up calling
xen_dma_map_page passing the wrong dev_addr, resulting in
xen_dma_map_page mistakenly assuming that the page is foreign when it is
local.

Fix the bug by updating dev_addr appropriately.

This change has no effect on x86, because xen_dma_map_page is a stub
there.

Signed-off-by: Stefano Stabellini <sstab...@kernel.org>
Signed-off-by: Pooya Keshavarzi <Pooya.Ke...@de.bosch.com>
Tested-by: Pooya Keshavarzi <Pooya.Ke...@de.bosch.com>
Reviewed-by: Boris Ostrovsky <boris.o...@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/xen/swiotlb-xen.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -409,9 +409,9 @@ dma_addr_t xen_swiotlb_map_page(struct d
if (map == SWIOTLB_MAP_ERROR)
return DMA_ERROR_CODE;

+ dev_addr = xen_phys_to_bus(map);
xen_dma_map_page(dev, pfn_to_page(map >> PAGE_SHIFT),
dev_addr, map & ~PAGE_MASK, size, dir, attrs);
- dev_addr = xen_phys_to_bus(map);

/*
* Ensure that the address returned is DMA'ble
@@ -567,13 +567,14 @@ xen_swiotlb_map_sg_attrs(struct device *
sg_dma_len(sgl) = 0;
return 0;
}
+ dev_addr = xen_phys_to_bus(map);
xen_dma_map_page(hwdev, pfn_to_page(map >> PAGE_SHIFT),
dev_addr,
map & ~PAGE_MASK,
sg->length,
dir,
attrs);
- sg->dma_address = xen_phys_to_bus(map);
+ sg->dma_address = dev_addr;
} else {
/* we are not interested in the dma_addr returned by
* xen_dma_map_page, only in the potential cache flushes executed

Greg Kroah-Hartman

Jul 3, 2017, 10:20:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.bie...@linaro.org>

commit 029c54b09599573015a5c18dbe59cbdf42742237 upstream.

Existing code that uses vmalloc_to_page() may assume that any address
for which is_vmalloc_addr() returns true may be passed into
vmalloc_to_page() to retrieve the associated struct page.

This is not an unreasonable assumption to make, but on architectures
that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we need
to ensure that vmalloc_to_page() does not go off into the weeds trying
to dereference huge PUDs or PMDs as table entries.

Given that vmalloc() and vmap() themselves never create huge mappings or
deal with compound pages at all, there is no correct answer in this
case, so return NULL instead, and issue a warning.

When reading /proc/kcore on arm64, you will hit an oops as soon as you
hit the huge mappings used for the various segments that make up the
mapping of vmlinux. With this patch applied, you will no longer hit the
oops, but the kcore contents will be incorrect (these regions will be
zeroed out)

We are fixing this for kcore specifically, so it avoids vread() for
those regions. At least one other problematic user exists, i.e.,
/dev/kmem, but that is currently broken on arm64 for other reasons.

Link: http://lkml.kernel.org/r/20170609082226.261...@linaro.org
Signed-off-by: Ard Biesheuvel <ard.bie...@linaro.org>
Acked-by: Mark Rutland <mark.r...@arm.com>
Reviewed-by: Laura Abbott <lab...@redhat.com>
Cc: Michal Hocko <mho...@suse.com>
Cc: zhong jiang <zhong...@huawei.com>
Cc: Dave Hansen <dave....@intel.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[ardb: non-trivial backport to v4.9]
Signed-off-by: Ard Biesheuvel <ard.bie...@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
mm/vmalloc.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -244,11 +244,21 @@ struct page *vmalloc_to_page(const void
*/
VIRTUAL_BUG_ON(!is_vmalloc_or_module_addr(vmalloc_addr));

+ /*
+ * Don't dereference bad PUD or PMD (below) entries. This will also
+ * identify huge mappings, which we may encounter on architectures
+ * that define CONFIG_HAVE_ARCH_HUGE_VMAP=y. Such regions will be
+ * identified as vmalloc addresses by is_vmalloc_addr(), but are
+ * not [unambiguously] associated with a struct page, so there is
+ * no correct value to return for them.
+ */
if (!pgd_none(*pgd)) {
pud_t *pud = pud_offset(pgd, addr);
- if (!pud_none(*pud)) {
+ WARN_ON_ONCE(pud_bad(*pud));
+ if (!pud_none(*pud) && !pud_bad(*pud)) {
pmd_t *pmd = pmd_offset(pud, addr);
- if (!pmd_none(*pmd)) {
+ WARN_ON_ONCE(pmd_bad(*pmd));
+ if (!pmd_none(*pmd) && !pmd_bad(*pmd)) {
pte_t *ptep, pte;

ptep = pte_offset_map(pmd, addr);
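
Review bot: WARN_ON_ONCE(pud_bad(*pud)) and WARN_ON_ONCE(pmd_bad(*pmd)) are evaluated before the matching pud_none()/pmd_none() tests. If pud_bad() or pmd_bad() returns true for an empty entry on any architecture, the one-shot warning is consumed by an ordinary unmapped address and is then silent for the huge mapping it was meant to flag. Guarding it as "WARN_ON_ONCE(!pud_none(*pud) && pud_bad(*pud))", and likewise for the PMD, would restrict the warning to populated entries.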

Greg Kroah-Hartman

Jul 3, 2017, 10:20:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit e747f64336fc15e1c823344942923195b800aa1e upstream.

The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there are several places where we can return ERR_PTR(0) if kmalloc()
fails. The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Signed-off-by: Steffen Klassert <steffen....@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
net/key/af_key.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfr
goto out;
}

+ err = -ENOBUFS;
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
if (sa->sadb_sa_auth) {
int keysize = 0;
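
Review bot: resetting "err = -ENOBUFS;" at this one point fixes the allocation failures that follow it, but it keeps pfkey_msg2xfrm_state() dependent on statement order: any later call that stores its result in err reopens the ERR_PTR(0) return. Setting err at each failing allocation, immediately before its "goto out", would make every error path self-contained. A comment here naming security_xfrm_state_alloc() as the call that cleared err would at least document why the reset is needed.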

Greg Kroah-Hartman

Jul 3, 2017, 10:20:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Doug Berger <ope...@gmail.com>

commit 9e25ebfe56ece7541cd10a20d715cbdd148a2e06 upstream.

The pmd containing memblock_limit is cleared by prepare_page_table()
which creates the opportunity for early_alloc() to allocate unmapped
memory if memblock_limit is not pmd aligned causing a boot-time hang.

Commit 965278dcb8ab ("ARM: 8356/1: mm: handle non-pmd-aligned end of RAM")
attempted to resolve this problem, but there is a path through the
adjust_lowmem_bounds() routine where if all memory regions start and
end on pmd-aligned addresses the memblock_limit will be set to
arm_lowmem_limit.

Since arm_lowmem_limit can be affected by the vmalloc early parameter,
the value of arm_lowmem_limit may not be pmd-aligned. This commit
corrects this oversight such that memblock_limit is always rounded
down to pmd-alignment.

Fixes: 965278dcb8ab ("ARM: 8356/1: mm: handle non-pmd-aligned end of RAM")
Signed-off-by: Doug Berger <ope...@gmail.com>
Suggested-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Russell King <rmk+k...@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/mm/mmu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1211,15 +1211,15 @@ void __init adjust_lowmem_bounds(void)

high_memory = __va(arm_lowmem_limit - 1) + 1;

+ if (!memblock_limit)
+ memblock_limit = arm_lowmem_limit;
+
/*
* Round the memblock limit down to a pmd size. This
* helps to ensure that we will allocate memory from the
* last full pmd, which should be mapped.
*/
- if (memblock_limit)
- memblock_limit = round_down(memblock_limit, PMD_SIZE);
- if (!memblock_limit)
- memblock_limit = arm_lowmem_limit;
+ memblock_limit = round_down(memblock_limit, PMD_SIZE);

if (!IS_ENABLED(CONFIG_HIGHMEM) || cache_is_vipt_aliasing()) {
if (memblock_end_of_DRAM() > arm_lowmem_limit) {
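
Review bot: with the arm_lowmem_limit fallback moved ahead of round_down(), a nonzero memblock_limit smaller than PMD_SIZE now rounds to 0 and stays 0, where the old order would then have replaced it with arm_lowmem_limit. The same applies if arm_lowmem_limit itself is below PMD_SIZE. If neither can happen on a bootable configuration, a comment saying so would help; otherwise handle a zero result after the rounding.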

Greg Kroah-Hartman

Jul 3, 2017, 10:20:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Dillow <dil...@google.com>

commit f7116e115acdd74bc75a4daf6492b11d43505125 upstream.

dma_pte_free_level() recurses down the IOMMU page tables and frees
directory pages that are entirely contained in the given PFN range.
Unfortunately, it incorrectly calculates the starting address covered
by the PTE under consideration, which can lead to it clearing an entry
that is still in use.

This occurs if we have a scatterlist with an entry that has a length
greater than 1026 MB and is aligned to 2 MB for both the IOMMU and
physical addresses. For example, if __domain_mapping() is asked to map a
two-entry scatterlist with 2 MB and 1028 MB segments to PFN 0xffff80000,
it will ask if dma_pte_free_pagetable() is asked to PFNs from
0xffff80200 to 0xffffc05ff, it will also incorrectly clear the PFNs from
0xffff80000 to 0xffff801ff because of this issue. The current code will
set level_pfn to 0xffff80200, and 0xffff80200-0xffffc01ff fits inside
the range being cleared. Properly setting the level_pfn for the current
level under consideration catches that this PTE is outside of the range
being cleared.

This patch also changes the value passed into dma_pte_free_level() when
it recurses. This only affects the first PTE of the range being cleared,
and is handled by the existing code that ensures we start our cursor no
lower than start_pfn.

This was found when using dma_map_sg() to map large chunks of contiguous
memory, which immediately led to faults on the first access of the
erroneously-deleted mappings.

Fixes: 3269ee0bd668 ("intel-iommu: Fix leaks in pagetable freeing")
Reviewed-by: Benjamin Serebrin <sere...@google.com>
Signed-off-by: David Dillow <dil...@google.com>
Signed-off-by: Joerg Roedel <jro...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/iommu/intel-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -1144,7 +1144,7 @@ static void dma_pte_free_level(struct dm
if (!dma_pte_present(pte) || dma_pte_superpage(pte))
goto next;

- level_pfn = pfn & level_mask(level - 1);
+ level_pfn = pfn & level_mask(level);
level_pte = phys_to_virt(dma_pte_addr(pte));

if (level > 2)
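
The PFN arithmetic from the commit message above, worked through as an added example; it is not code from the patch or the driver. It assumes 9 PFN bits per page-table level for level_mask()/level_size(), and check_entry() and live_pfns_below_range() are hypothetical helpers that model the containment test the message describes.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption (not shown on the page): each page-table level indexes
 * 9 bits of the PFN, so an entry at `level` spans 2^(9*(level-1)) PFNs. */
#define LEVEL_STRIDE 9

static uint64_t level_size(int level)
{
	return UINT64_C(1) << ((level - 1) * LEVEL_STRIDE);
}

static uint64_t level_mask(int level)
{
	return ~(level_size(level) - 1);
}

struct verdict {
	uint64_t level_pfn;   /* first PFN the code believes the entry covers */
	bool frees_entry;     /* entry judged to lie wholly inside the range */
};

/* Hypothetical model of the per-entry decision: `pfn` is the cursor
 * (already clamped to start_pfn) and the entry is freed only when
 * [level_pfn, level_pfn + size - 1] fits inside [start_pfn, last_pfn].
 * `fixed` selects the mask used after the patch. Requires level >= 2. */
static struct verdict check_entry(int level, uint64_t pfn,
				  uint64_t start_pfn, uint64_t last_pfn,
				  bool fixed)
{
	struct verdict v;

	v.level_pfn = pfn & level_mask(fixed ? level : level - 1);
	v.frees_entry = !(start_pfn > v.level_pfn ||
			  last_pfn < v.level_pfn + level_size(level) - 1);
	return v;
}

/* PFNs the entry really covers that lie below start_pfn: mappings that
 * are still live and would be lost if the entry were cleared. */
static uint64_t live_pfns_below_range(int level, uint64_t pfn,
				      uint64_t start_pfn)
{
	uint64_t first = pfn & level_mask(level);

	return start_pfn > first ? start_pfn - first : 0;
}

int main(void)
{
	/* Values from the commit message: a 2 MB segment mapped at PFN
	 * 0xffff80000, then a 1028 MB segment whose PFN range is freed. */
	const uint64_t start = 0xffff80200ULL, last = 0xffffc05ffULL;
	/* Level 3 is inferred from the 0x40000-PFN span quoted in the message. */
	const int level = 3;
	struct verdict before = check_entry(level, start, start, last, false);
	struct verdict after = check_entry(level, start, start, last, true);

	printf("before: level_pfn=0x%" PRIx64 " frees=%d\n",
	       before.level_pfn, before.frees_entry);
	printf("after:  level_pfn=0x%" PRIx64 " frees=%d\n",
	       after.level_pfn, after.frees_entry);
	printf("live PFNs under the entry but below the range: 0x%" PRIx64 "\n",
	       live_pfns_below_range(level, start, start));
	return 0;
}
```

With the old mask the entry appears to start at 0xffff80200 and to fit the range, so it is freed along with the 0x200 PFNs of the 2 MB segment; with the corrected mask it starts at 0xffff80000, below start_pfn, and is kept.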

Greg Kroah-Hartman

Jul 3, 2017, 10:20:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Kurtz <djk...@chromium.org>

commit 88b0aa544af58ce3be125a1845a227264ec9ab89 upstream.

Back before commit 1dccb598df54 ("arm64: simplify dma_get_ops"), for
arm64, devices for which dma_ops were not explicitly set were automatically
configured to use swiotlb_dma_ops, since this was hard-coded as the
global "dma_ops" in arm64_dma_init().

Now that global "dma_ops" has been removed, all devices must have their
dma_ops explicitly set by a call to arch_setup_dma_ops(), otherwise the
device is assigned dummy_dma_ops, and thus calls to map_sg for such a
device will fail (return 0).

Mediatek SPI uses DMA but does not use a dma channel. Support for this
was added by commit c37f45b5f1cd ("spi: support spi without dma channel
to use can_dma()"), which uses the master_spi dev to DMA map buffers.

The master_spi device is not a platform device, rather it is created
in spi_alloc_device(), and therefore its dma_ops are never set.

Therefore, when the mediatek SPI driver does DMA (for large SPI
transactions > 32 bytes), SPI will use spi_map_buf()->dma_map_sg() to
map the buffer for use in DMA. But dma_map_sg()->dma_map_sg_attrs() returns
0, because ops->map_sg is dummy_dma_ops->__dummy_map_sg, and hence
spi_map_buf() returns -ENOMEM (-12).

Fix this by using the real spi_master's parent device which should be a
real physical device with DMA properties.

Signed-off-by: Daniel Kurtz <djk...@chromium.org>
Fixes: c37f45b5f1cd ("spi: support spi without dma channel to use can_dma()")
Cc: Leilk Liu <leil...@mediatek.com>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/spi/spi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -797,12 +797,12 @@ static int __spi_map_msg(struct spi_mast
if (master->dma_tx)
tx_dev = master->dma_tx->device->dev;
else
- tx_dev = &master->dev;
+ tx_dev = master->dev.parent;

if (master->dma_rx)
rx_dev = master->dma_rx->device->dev;
else
- rx_dev = &master->dev;
+ rx_dev = master->dev.parent;

list_for_each_entry(xfer, &msg->transfers, transfer_list) {
if (!master->can_dma(master, msg->spi, xfer))
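
Review bot: master->dev.parent is used as the DMA device in both else branches without a NULL check. If a controller driver registers its spi_master without a parent device, tx_dev and rx_dev become NULL and the mapping calls further down receive a NULL struct device. Either fall back to &master->dev when parent is NULL, or fail early with a clear error.
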
@@ -844,12 +844,12 @@ static int __spi_unmap_msg(struct spi_ma
if (master->dma_tx)
tx_dev = master->dma_tx->device->dev;
else
- tx_dev = &master->dev;
+ tx_dev = master->dev.parent;

if (master->dma_rx)
rx_dev = master->dma_rx->device->dev;
else
- rx_dev = &master->dev;
+ rx_dev = master->dev.parent;

list_for_each_entry(xfer, &msg->transfers, transfer_list) {
if (!master->can_dma(master, msg->spi, xfer))
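
Review bot: __spi_unmap_msg() repeats the same tx_dev/rx_dev selection as __spi_map_msg(), and the two must always pick the same device or a buffer is unmapped against a different device than it was mapped with. A small helper returning the DMA device for each direction, used by both functions, would remove that risk.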

Greg Kroah-Hartman

Jul 3, 2017, 10:20:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Suravee Suthikulpanit <suravee.su...@amd.com>

commit 84a21dbdef0b96d773599c33c2afbb002198d303 upstream.

Pass-through devices to VM guest can get updated IRQ affinity
information via irq_set_affinity() when not running in guest mode.
Currently, AMD IOMMU driver in GA mode ignores the updated information
if the pass-through device is setup to use vAPIC regardless of guest_mode.
This could cause invalid interrupt remapping.

Also, the guest_mode bit should be set and cleared only when
SVM updates posted-interrupt interrupt remapping information.

Signed-off-by: Suravee Suthikulpanit <suravee.su...@amd.com>
Cc: Joerg Roedel <jro...@suse.de>
Fixes: d98de49a53e48 ('iommu/amd: Enable vAPIC interrupt remapping mode by default')
Signed-off-by: Joerg Roedel <jro...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/iommu/amd_iommu.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -3857,11 +3857,9 @@ static void irte_ga_prepare(void *entry,
u8 vector, u32 dest_apicid, int devid)
{
struct irte_ga *irte = (struct irte_ga *) entry;
- struct iommu_dev_data *dev_data = search_dev_data(devid);

irte->lo.val = 0;
irte->hi.val = 0;
- irte->lo.fields_remap.guest_mode = dev_data ? dev_data->use_vapic : 0;
irte->lo.fields_remap.int_type = delivery_mode;
irte->lo.fields_remap.dm = dest_mode;
irte->hi.fields.vector = vector;
@@ -3917,10 +3915,10 @@ static void irte_ga_set_affinity(void *e
struct irte_ga *irte = (struct irte_ga *) entry;
struct iommu_dev_data *dev_data = search_dev_data(devid);

- if (!dev_data || !dev_data->use_vapic) {
+ if (!dev_data || !dev_data->use_vapic ||
+ !irte->lo.fields_remap.guest_mode) {
irte->hi.fields.vector = vector;
irte->lo.fields_remap.destination = dest_apicid;
- irte->lo.fields_remap.guest_mode = 0;
modify_irte_ga(devid, index, irte, NULL);
}
}
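Review bot: the new third condition in irte_ga_set_affinity() reads irte->lo.fields_remap.guest_mode from the entry passed in, so the function now silently skips the affinity update whenever use_vapic and guest_mode are both set, and no comment says who updates the entry in that case. A short comment above the if stating that guest_mode is owned by the SVM posted-interrupt update path, as the changelog says, would make it clear why the vector and destination are left alone.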

Greg Kroah-Hartman

Jul 3, 2017, 10:20:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Matt Fleming <ma...@codeblueprint.co.uk>

commit 6e5f32f7a43f45ee55c401c0b9585eb01f9629a8 upstream.

If we crossed a sample window while in NO_HZ we will add LOAD_FREQ to
the pending sample window time on exit, setting the next update not
one window into the future, but two.

This situation on exiting NO_HZ is described by:

this_rq->calc_load_update < jiffies < calc_load_update

In this scenario, what we should be doing is:

this_rq->calc_load_update = calc_load_update [ next window ]

But what we actually do is:

this_rq->calc_load_update = calc_load_update + LOAD_FREQ [ next+1 window ]

This has the effect of delaying load average updates for potentially
up to ~9 seconds.

This can result in huge spikes in the load average values due to
per-cpu uninterruptible task counts being out of sync when accumulated
across all CPUs.

It's safe to update the per-cpu active count if we wake between sample
windows because any load that we left in 'calc_load_idle' will have
been zero'd when the idle load was folded in calc_global_load().

This issue is easy to reproduce before,

commit 9d89c257dfb9 ("sched/fair: Rewrite runnable load and utilization average tracking")

just by forking short-lived process pipelines built from ps(1) and
grep(1) in a loop. I'm unable to reproduce the spikes after that
commit, but the bug still seems to be present from code review.

Signed-off-by: Matt Fleming <ma...@codeblueprint.co.uk>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Mike Galbraith <efa...@gmx.de>
Cc: Mike Galbraith <umgwana...@gmail.com>
Cc: Morten Rasmussen <morten.r...@arm.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Vincent Guittot <vincent...@linaro.org>
Fixes: commit 5167e8d ("sched/nohz: Rewrite and fix load-avg computation -- again")
Link: http://lkml.kernel.org/r/2017021712073...@codeblueprint.co.uk
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
kernel/sched/loadavg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/sched/loadavg.c
+++ b/kernel/sched/loadavg.c
@@ -201,8 +201,9 @@ void calc_load_exit_idle(void)
struct rq *this_rq = this_rq();

/*
- * If we're still before the sample window, we're done.
+ * If we're still before the pending sample window, we're done.
*/
+ this_rq->calc_load_update = calc_load_update;
if (time_before(jiffies, this_rq->calc_load_update))
return;

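Review bot: the added assignment to this_rq->calc_load_update sits between the comment and the time_before() check it describes, and the comment does not say that the per-rq value is first resynced to the global calc_load_update. Move the assignment above the comment block or extend the comment to say that the pending window is taken from calc_load_update, so the early return is not read as testing the stale per-rq value.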
@@ -211,7 +212,6 @@ void calc_load_exit_idle(void)
* accounted through the nohz accounting, so skip the entire deal and
* sync up for the next window.
*/
- this_rq->calc_load_update = calc_load_update;
if (time_before(jiffies, this_rq->calc_load_update + 10))
this_rq->calc_load_update += LOAD_FREQ;
}

Greg Kroah-Hartman

Jul 3, 2017, 10:20:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kurz <gr...@kaod.org>


[ Upstream commit bd00fdf198e2da475a2f4265a83686ab42d998a8 ]

The recently added mediated VFIO driver doesn't know about powerpc iommu.
It thus doesn't register a struct iommu_table_group in the iommu group
upon device creation. The iommu_data pointer hence remains null.

This causes a kernel oops when userspace tries to set the iommu type of a
container associated with a mediated device to VFIO_SPAPR_TCE_v2_IOMMU.

[ 82.585440] mtty mtty: MDEV: Registered
[ 87.655522] iommu: Adding device 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001 to group 10
[ 87.655527] vfio_mdev 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001: MDEV: group_id = 10
[ 116.297184] Unable to handle kernel paging request for data at address 0x00000030
[ 116.297389] Faulting instruction address: 0xd000000007870524
[ 116.297465] Oops: Kernel access of bad area, sig: 11 [#1]
[ 116.297611] SMP NR_CPUS=2048
[ 116.297611] NUMA
[ 116.297627] PowerNV
...
[ 116.297954] CPU: 33 PID: 7067 Comm: qemu-system-ppc Not tainted 4.10.0-rc5-mdev-test #8
[ 116.297993] task: c000000e7718b680 task.stack: c000000e77214000
[ 116.298025] NIP: d000000007870524 LR: d000000007870518 CTR: 0000000000000000
[ 116.298064] REGS: c000000e77217990 TRAP: 0300 Not tainted (4.10.0-rc5-mdev-test)
[ 116.298103] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
[ 116.298107] CR: 84004444 XER: 00000000
[ 116.298154] CFAR: c00000000000888c DAR: 0000000000000030 DSISR: 40000000 SOFTE: 1
GPR00: d000000007870518 c000000e77217c10 d00000000787b0ed c000000eed2103c0
GPR04: 0000000000000000 0000000000000000 c000000eed2103e0 0000000f24320000
GPR08: 0000000000000104 0000000000000001 0000000000000000 d0000000078729b0
GPR12: c00000000025b7e0 c00000000fe08400 0000000000000001 000001002d31d100
GPR16: 000001002c22c850 00003ffff315c750 0000000043145680 0000000043141bc0
GPR20: ffffffffffffffed fffffffffffff000 0000000020003b65 d000000007706018
GPR24: c000000f16cf0d98 d000000007706000 c000000003f42980 c000000003f42980
GPR28: c000000f1575ac00 c000000003f429c8 0000000000000000 c000000eed2103c0
[ 116.298504] NIP [d000000007870524] tce_iommu_attach_group+0x10c/0x360 [vfio_iommu_spapr_tce]
[ 116.298555] LR [d000000007870518] tce_iommu_attach_group+0x100/0x360 [vfio_iommu_spapr_tce]
[ 116.298601] Call Trace:
[ 116.298610] [c000000e77217c10] [d000000007870518] tce_iommu_attach_group+0x100/0x360 [vfio_iommu_spapr_tce] (unreliable)
[ 116.298671] [c000000e77217cb0] [d0000000077033a0] vfio_fops_unl_ioctl+0x278/0x3e0 [vfio]
[ 116.298713] [c000000e77217d40] [c0000000002a3ebc] do_vfs_ioctl+0xcc/0x8b0
[ 116.298745] [c000000e77217de0] [c0000000002a4700] SyS_ioctl+0x60/0xc0
[ 116.298782] [c000000e77217e30] [c00000000000b220] system_call+0x38/0xfc
[ 116.298812] Instruction dump:
[ 116.298828] 7d3f4b78 409effc8 3d220000 e9298020 3c800140 38a00018 608480c0 e8690028
[ 116.298869] 4800249d e8410018 7c7f1b79 41820230 <e93e0030> 2fa90000 419e0114 e9090020
[ 116.298914] ---[ end trace 1e10b0ced08b9120 ]---

This patch fixes the oops.

Reported-by: Vaibhav Jain <vai...@linux.vnet.ibm.com>
Signed-off-by: Greg Kurz <gr...@kaod.org>
Signed-off-by: Alex Williamson <alex.wi...@redhat.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/vfio/vfio_iommu_spapr_tce.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/vfio/vfio_iommu_spapr_tce.c
+++ b/drivers/vfio/vfio_iommu_spapr_tce.c
@@ -1292,6 +1292,10 @@ static int tce_iommu_attach_group(void *
/* pr_debug("tce_vfio: Attaching group #%u to iommu %p\n",
iommu_group_id(iommu_group), iommu_group); */
table_group = iommu_group_get_iommudata(iommu_group);
+ if (!table_group) {
+ ret = -ENODEV;
+ goto unlock_exit;
+ }

if (tce_groups_attached(container) && (!table_group->ops ||
!table_group->ops->take_ownership ||
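Review bot: the new !table_group branch in tce_iommu_attach_group() returns -ENODEV with no message, so userspace that selects VFIO_SPAPR_TCE_v2_IOMMU for a mediated device gets a bare error. A comment naming the case (groups whose devices registered no iommu_table_group) and possibly a pr_debug() in the branch would make the failure diagnosable.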

Greg Kroah-Hartman

Jul 3, 2017, 10:20:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Anholt <er...@anholt.net>

commit fedf266f9955d9a019643cde199a2fd9a0259f6f upstream.

The bcm_kona_wdt_set_resolution_reg() call takes the spinlock, so
initialize it earlier. Fixes a warning at boot with lock debugging
enabled.

Fixes: 6adb730dc208 ("watchdog: bcm281xx: Watchdog Driver")
Signed-off-by: Eric Anholt <er...@anholt.net>
Reviewed-by: Florian Fainelli <f.fai...@gmail.com>
Reviewed-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <w...@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/watchdog/bcm_kona_wdt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/watchdog/bcm_kona_wdt.c
+++ b/drivers/watchdog/bcm_kona_wdt.c
@@ -304,6 +304,8 @@ static int bcm_kona_wdt_probe(struct pla
if (!wdt)
return -ENOMEM;

+ spin_lock_init(&wdt->lock);
+
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
wdt->base = devm_ioremap_resource(dev, res);
if (IS_ERR(wdt->base))
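Review bot: nothing at the new spin_lock_init() position records why it has to come this early in bcm_kona_wdt_probe(). A short comment that the lock must be initialised before bcm_kona_wdt_set_resolution_reg() runs later in probe would keep it from drifting back down.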
@@ -316,7 +318,6 @@ static int bcm_kona_wdt_probe(struct pla
return ret;
}

- spin_lock_init(&wdt->lock);
platform_set_drvdata(pdev, wdt);
watchdog_set_drvdata(&bcm_kona_wdt_wdd, wdt);
bcm_kona_wdt_wdd.parent = &pdev->dev;

Greg Kroah-Hartman

Jul 3, 2017, 10:20:13 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Josh Poimboeuf <jpoi...@redhat.com>

commit 5c51f4ae84df0f9df33ac08aa5be50061a8b4242 upstream.

Arnd Bergmann reported a (false positive) objtool warning:

drivers/infiniband/sw/rxe/rxe_resp.o: warning: objtool: rxe_responder()+0xfe: sibling call from callable instruction with changed frame pointer

The issue is in find_switch_table(). It tries to find a switch
statement's jump table by walking backwards from an indirect jump
instruction, looking for a relocation to the .rodata section. In this
case it stopped walking prematurely: the first .rodata relocation it
encountered was for a variable (resp_state_name) instead of a jump
table, so it just assumed there wasn't a jump table.

The fix is to ignore any .rodata relocation which refers to an ELF
object symbol. This works because the jump tables are anonymous and
have no symbols associated with them.

Reported-by: Arnd Bergmann <ar...@arndb.de>
Tested-by: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: Josh Poimboeuf <jpoi...@redhat.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Fixes: 3732710ff6f2 ("objtool: Improve rare switch jump table pattern detection")
Link: http://lkml.kernel.org/r/20170302225723.3ndbsnl4hkqbne7a@treble
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
tools/objtool/builtin-check.c | 15 ++++++++++++---
tools/objtool/elf.c | 12 ++++++++++++
tools/objtool/elf.h | 1 +
3 files changed, 25 insertions(+), 3 deletions(-)

--- a/tools/objtool/builtin-check.c
+++ b/tools/objtool/builtin-check.c
@@ -757,11 +757,20 @@ static struct rela *find_switch_table(st
insn->jump_dest->offset > orig_insn->offset))
break;

+ /* look for a relocation which references .rodata */
text_rela = find_rela_by_dest_range(insn->sec, insn->offset,
insn->len);
- if (text_rela && text_rela->sym == file->rodata->sym)
- return find_rela_by_dest(file->rodata,
- text_rela->addend);
+ if (!text_rela || text_rela->sym != file->rodata->sym)
+ continue;
+
+ /*
+ * Make sure the .rodata address isn't associated with a
+ * symbol. gcc jump tables are anonymous data.
+ */
+ if (find_symbol_containing(file->rodata, text_rela->addend))
+ continue;
+
+ return find_rela_by_dest(file->rodata, text_rela->addend);
}

return NULL;
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -85,6 +85,18 @@ struct symbol *find_symbol_by_offset(str
return NULL;
}

+struct symbol *find_symbol_containing(struct section *sec, unsigned long offset)
+{
+ struct symbol *sym;
+
+ list_for_each_entry(sym, &sec->symbol_list, list)
+ if (sym->type != STT_SECTION &&
+ offset >= sym->offset && offset < sym->offset + sym->len)
+ return sym;
+
+ return NULL;
+}
+
struct rela *find_rela_by_dest_range(struct section *sec, unsigned long offset,
unsigned int len)
{
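Review bot: find_symbol_containing() rejects only STT_SECTION, so a symbol of any other type covering the offset, not just an object symbol as the changelog describes, makes find_switch_table() skip the relocation; and because the range test is offset < sym->offset + sym->len, a zero-length symbol never matches. If object symbols are what is meant, test sym->type == STT_OBJECT, or document the broader match in a comment above the function.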
--- a/tools/objtool/elf.h
+++ b/tools/objtool/elf.h
@@ -79,6 +79,7 @@ struct elf {
struct elf *elf_open(const char *name);
struct section *find_section_by_name(struct elf *elf, const char *name);
struct symbol *find_symbol_by_offset(struct section *sec, unsigned long offset);
+struct symbol *find_symbol_containing(struct section *sec, unsigned long offset);
struct rela *find_rela_by_dest(struct section *sec, unsigned long offset);
struct rela *find_rela_by_dest_range(struct section *sec, unsigned long offset,
unsigned int len);

Greg Kroah-Hartman

Jul 3, 2017, 10:20:13 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joerg Roedel <jro...@suse.de>

commit 5ed386ec09a5d75bcf073967e55e895c2607a5c3 upstream.

When this function fails it just sends a SIGSEGV signal to
user-space using force_sig(). This signal is missing
essential information about the cause, e.g. the trap_nr or
an error code.

Fix this by propagating the error to the only caller of
mpx_handle_bd_fault(), do_bounds(), which sends the correct
SIGSEGV signal to the process.

Signed-off-by: Joerg Roedel <jro...@suse.de>
Cc: Andy Lutomirski <lu...@kernel.org>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Dave Hansen <dave....@linux.intel.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Josh Poimboeuf <jpoi...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Fixes: fe3d197f84319 ('x86, mpx: On-demand kernel allocation of bounds tables')
Link: http://lkml.kernel.org/r/1491488362-27198-1-...@8bytes.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/x86/mm/mpx.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)

--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -525,15 +525,7 @@ int mpx_handle_bd_fault(void)
if (!kernel_managing_mpx_tables(current->mm))
return -EINVAL;

- if (do_mpx_bt_fault()) {
- force_sig(SIGSEGV, current);
- /*
- * The force_sig() is essentially "handling" this
- * exception, so we do not pass up the error
- * from do_mpx_bt_fault().
- */
- }
- return 0;
+ return do_mpx_bt_fault();
}

/*
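Review bot: with the force_sig() block and its comment removed, nothing at mpx_handle_bd_fault() says that a non-zero return now obliges the caller to raise the signal. Add a line to the function's comment stating that errors from do_mpx_bt_fault() are returned and that do_bounds() is responsible for sending SIGSEGV, so a future second caller does not drop the error.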

Greg Kroah-Hartman

Jul 3, 2017, 10:20:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Adam Ford <afor...@gmail.com>

commit 06e1a5cc570703796ff1bd3a712e8e3b15c6bb0d upstream.

The manufacturing information is stored in the EEPROM. This chip
is an AT24C64 not (nor has it ever been) 24C02. This patch will
correctly address the EEPROM to read the entire contents and not just
256 bytes (of 0xff).

Fixes: 5e3447a29a38 ("ARM: dts: LogicPD Torpedo: Add AT24 EEPROM Support")

Signed-off-by: Adam Ford <afor...@gmail.com>
Signed-off-by: Tony Lindgren <to...@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/boot/dts/logicpd-torpedo-som.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
+++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
@@ -121,7 +121,7 @@
&i2c3 {
clock-frequency = <400000>;
at24@50 {
- compatible = "at24,24c02";
+ compatible = "atmel,24c64";
readonly;
reg = <0x50>;
};
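Review bot: the new compatible string changes the vendor prefix from at24 to atmel as well as the part from 24c02 to 24c64, but the changelog only explains the part. Say in the commit message why the prefix changes, so a reviewer can tell both halves are intended.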

Greg Kroah-Hartman

Jul 3, 2017, 10:20:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrew F. Davis <a...@ti.com>

commit 6308f1787fb85bc98b7241a08a9f7f33b47f8b61 upstream.

When we check for additional DT properties in the current node we
use the device_node passed in with the configuration data, this
will not point to the correct DT node, use the one passed in
for this purpose.

Fixes: d2a2e729a666 ("regulator: tps65086: Add regulator driver for the TPS65086 PMIC")
Reported-by: Steven Kipisz <s-ki...@ti.com>
Signed-off-by: Andrew F. Davis <a...@ti.com>
Tested-by: Steven Kipisz <s-ki...@ti.com>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/regulator/tps65086-regulator.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/regulator/tps65086-regulator.c
+++ b/drivers/regulator/tps65086-regulator.c
@@ -161,14 +161,14 @@ static struct tps65086_regulator regulat
TPS65086_SWITCH("VTT", "vtt", VTT, TPS65086_SWVTT_EN, BIT(4)),
};

-static int tps65086_of_parse_cb(struct device_node *dev,
+static int tps65086_of_parse_cb(struct device_node *node,
const struct regulator_desc *desc,
struct regulator_config *config)
{
int ret;

/* Check for 25mV step mode */
- if (of_property_read_bool(config->of_node, "ti,regulator-step-size-25mv")) {
+ if (of_property_read_bool(node, "ti,regulator-step-size-25mv")) {
switch (desc->id) {
case BUCK1:
case BUCK2:
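Review bot: tps65086_of_parse_cb() now reads ti,regulator-step-size-25mv from its node argument, but nothing in the function says why config->of_node must not be used for this. A one-line comment at the top of the callback noting that config->of_node does not point at the regulator's own node here would stop a later edit from reintroducing the bug.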
@@ -192,7 +192,7 @@ static int tps65086_of_parse_cb(struct d
}

/* Check for decay mode */
- if (desc->id <= BUCK6 && of_property_read_bool(config->of_node, "ti,regulator-decay")) {
+ if (desc->id <= BUCK6 && of_property_read_bool(node, "ti,regulator-decay")) {
ret = regmap_write_bits(config->regmap,
regulators[desc->id].decay_reg,
regulators[desc->id].decay_mask,

Greg Kroah-Hartman

Jul 3, 2017, 10:20:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit a69261e4470d680185a15f748d9cdafb37c57a33 upstream.

The "goto err_armclk;" error path already does a clk_put(s3c_freq->hclk);
so this is a double free.

Fixes: 34ee55075265 ([CPUFREQ] Add S3C2416/S3C2450 cpufreq driver)
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Reviewed-by: Krzysztof Kozlowski <kr...@kernel.org>
Acked-by: Viresh Kumar <viresh...@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/cpufreq/s3c2416-cpufreq.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/cpufreq/s3c2416-cpufreq.c
+++ b/drivers/cpufreq/s3c2416-cpufreq.c
@@ -400,7 +400,6 @@ static int s3c2416_cpufreq_driver_init(s
rate = clk_get_rate(s3c_freq->hclk);
if (rate < 133 * 1000 * 1000) {
pr_err("cpufreq: HCLK not at 133MHz\n");
- clk_put(s3c_freq->hclk);
ret = -EINVAL;
goto err_armclk;
}
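Review bot: the removed clk_put() was wrong only because the err_armclk path already releases s3c_freq->hclk, which the label name does not suggest. Consider a comment at the label listing what it releases, or a clearer label name, since the misleading name is what invited the double put.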

Greg Kroah-Hartman

Jul 3, 2017, 10:20:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Karicheri, Muralidharan" <m-kari...@ti.com>


[ Upstream commit 34c55cf2fc75f8bf6ba87df321038c064cf2d426 ]

Currently dp83867 driver returns error if phy interface type
PHY_INTERFACE_MODE_RGMII_RXID is used to set the rx only internal
delay. A similar issue happens for PHY_INTERFACE_MODE_RGMII_TXID.
Fix this by checking also the interface type if a particular delay
value is missing in the phy dt bindings. Also update the DT document
accordingly.

Signed-off-by: Murali Karicheri <m-kari...@ti.com>
Signed-off-by: Sekhar Nori <nse...@ti.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
Documentation/devicetree/bindings/net/ti,dp83867.txt | 6 ++++--
drivers/net/phy/dp83867.c | 8 ++++++--
2 files changed, 10 insertions(+), 4 deletions(-)

--- a/Documentation/devicetree/bindings/net/ti,dp83867.txt
+++ b/Documentation/devicetree/bindings/net/ti,dp83867.txt
@@ -3,9 +3,11 @@
Required properties:
- reg - The ID number for the phy, usually a small integer
- ti,rx-internal-delay - RGMII Receive Clock Delay - see dt-bindings/net/ti-dp83867.h
- for applicable values
+ for applicable values. Required only if interface type is
+ PHY_INTERFACE_MODE_RGMII_ID or PHY_INTERFACE_MODE_RGMII_RXID
- ti,tx-internal-delay - RGMII Transmit Clock Delay - see dt-bindings/net/ti-dp83867.h
- for applicable values
+ for applicable values. Required only if interface type is
+ PHY_INTERFACE_MODE_RGMII_ID or PHY_INTERFACE_MODE_RGMII_TXID
- ti,fifo-depth - Transmitt FIFO depth- see dt-bindings/net/ti-dp83867.h
for applicable values

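Review bot: both delay properties stay listed under "Required properties:" although the added text makes them conditional on the interface type. Move them to a conditionally-required section or reword the heading, so the binding does not contradict itself.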
--- a/drivers/net/phy/dp83867.c
+++ b/drivers/net/phy/dp83867.c
@@ -113,12 +113,16 @@ static int dp83867_of_init(struct phy_de

ret = of_property_read_u32(of_node, "ti,rx-internal-delay",
&dp83867->rx_id_delay);
- if (ret)
+ if (ret &&
+ (phydev->interface == PHY_INTERFACE_MODE_RGMII_ID ||
+ phydev->interface == PHY_INTERFACE_MODE_RGMII_RXID))
return ret;

ret = of_property_read_u32(of_node, "ti,tx-internal-delay",
&dp83867->tx_id_delay);
- if (ret)
+ if (ret &&
+ (phydev->interface == PHY_INTERFACE_MODE_RGMII_ID ||
+ phydev->interface == PHY_INTERFACE_MODE_RGMII_TXID))
return ret;

return of_property_read_u32(of_node, "ti,fifo-depth",
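Review bot: the new conditions on ret in dp83867_of_init() discard every error from of_property_read_u32(), not only a missing property, whenever the interface mode does not need that delay, so a malformed ti,rx-internal-delay or ti,tx-internal-delay value is silently accepted in those modes. Consider skipping the read entirely when the mode does not use the delay, which also makes it explicit that rx_id_delay and tx_id_delay keep their initial values.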

Greg Kroah-Hartman

Jul 3, 2017, 10:30:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Michael S. Tsirkin" <m...@redhat.com>


[ Upstream commit d0fa28f00052391b5df328f502fbbdd4444938b7 ]

I don't have any guests with PAGE_SIZE > 64k but the
code seems to be clearly broken in that case
as PAGE_SIZE / MERGEABLE_BUFFER_ALIGN will need
more than 8 bits and so the code in mergeable_ctx_to_buf_address
does not give us the actual true size.

Cc: John Fastabend <john.fa...@gmail.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/virtio_net.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -47,8 +47,16 @@ module_param(gso, bool, 0444);
*/
DECLARE_EWMA(pkt_len, 1, 64)

+/* With mergeable buffers we align buffer address and use the low bits to
+ * encode its true size. Buffer size is up to 1 page so we need to align to
+ * square root of page size to ensure we reserve enough bits to encode the true
+ * size.
+ */
+#define MERGEABLE_BUFFER_MIN_ALIGN_SHIFT ((PAGE_SHIFT + 1) / 2)
+
/* Minimum alignment for mergeable packet buffers. */
-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256)
+#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, \
+ 1 << MERGEABLE_BUFFER_MIN_ALIGN_SHIFT)

#define VIRTNET_DRIVER_VERSION "1.0.0"
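Review bot: MERGEABLE_BUFFER_ALIGN no longer has a floor of 256; with a PAGE_SHIFT of 12 the new shift is 6, so the second argument to max() becomes 64 and the alignment drops to the larger of L1_CACHE_BYTES and 64, which the changelog (about PAGE_SIZE > 64k) does not mention. If that reduction is intended, say so in the new comment; otherwise keep 256 as a lower bound.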

Greg Kroah-Hartman

Jul 3, 2017, 10:30:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.s...@linux.intel.com>


[ Upstream commit 17fab473693e8357a9aa6fee4fbed6c13a34bd81 ]

There are two bits in the PADCFG0 register to configure direction, one per
TX/RX buffers.

For now we wrongly assume that the GPIO is always requested before it is being
used, which is not true when the GPIO is used through irqchip. In this case the
GPIO is never requested and we never enable RX buffer for it.

Fix this by setting both bits accordingly.

Reported-by: Jarkko Nikula <jarkko...@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.s...@linux.intel.com>
Signed-off-by: Linus Walleij <linus....@linaro.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/pinctrl/intel/pinctrl-intel.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)

--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -353,6 +353,21 @@ static int intel_pinmux_set_mux(struct p
return 0;
}

+static void __intel_gpio_set_direction(void __iomem *padcfg0, bool input)
+{
+ u32 value;
+
+ value = readl(padcfg0);
+ if (input) {
+ value &= ~PADCFG0_GPIORXDIS;
+ value |= PADCFG0_GPIOTXDIS;
+ } else {
+ value &= ~PADCFG0_GPIOTXDIS;
+ value |= PADCFG0_GPIORXDIS;
+ }
+ writel(value, padcfg0);
+}
+
static int intel_gpio_request_enable(struct pinctrl_dev *pctldev,
struct pinctrl_gpio_range *range,
unsigned pin)
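Review bot: the else branch of __intel_gpio_set_direction() sets PADCFG0_GPIORXDIS, so switching a pin to output now turns its RX buffer off, whereas the old intel_gpio_set_direction() only touched PADCFG0_GPIOTXDIS. If the pin value is read through the RX path, an output pin can no longer be read back; confirm that is intended and mention it in the changelog. The helper also does an unlocked read-modify-write, so a comment that callers must hold pctrl->lock would help.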
@@ -375,11 +390,11 @@ static int intel_gpio_request_enable(str
/* Disable SCI/SMI/NMI generation */
value &= ~(PADCFG0_GPIROUTIOXAPIC | PADCFG0_GPIROUTSCI);
value &= ~(PADCFG0_GPIROUTSMI | PADCFG0_GPIROUTNMI);
- /* Disable TX buffer and enable RX (this will be input) */
- value &= ~PADCFG0_GPIORXDIS;
- value |= PADCFG0_GPIOTXDIS;
writel(value, padcfg0);

+ /* Disable TX buffer and enable RX (this will be input) */
+ __intel_gpio_set_direction(padcfg0, true);
+
raw_spin_unlock_irqrestore(&pctrl->lock, flags);

return 0;
@@ -392,18 +407,11 @@ static int intel_gpio_set_direction(stru
struct intel_pinctrl *pctrl = pinctrl_dev_get_drvdata(pctldev);
void __iomem *padcfg0;
unsigned long flags;
- u32 value;

raw_spin_lock_irqsave(&pctrl->lock, flags);

padcfg0 = intel_get_padcfg(pctrl, pin, PADCFG0);
-
- value = readl(padcfg0);
- if (input)
- value |= PADCFG0_GPIOTXDIS;
- else
- value &= ~PADCFG0_GPIOTXDIS;
- writel(value, padcfg0);
+ __intel_gpio_set_direction(padcfg0, input);

raw_spin_unlock_irqrestore(&pctrl->lock, flags);

Greg Kroah-Hartman

Jul 3, 2017, 10:30:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.n...@alphalink.fr>

commit 2777e2ab5a9cf2b4524486c6db1517a6ded25261 upstream.

Callers of l2tp_nl_session_find() need to hold a reference on the
returned session since there's no guarantee that it isn't going to
disappear from under them.

Relying on the fact that no l2tp netlink message may be processed
concurrently isn't enough: sessions can be deleted by other means
(e.g. by closing the PPPOL2TP socket of a ppp pseudowire).

l2tp_nl_cmd_session_delete() is a bit special: it runs a callback
function that may require a previous call to session->ref(). In
particular, for ppp pseudowires, the callback is l2tp_session_delete(),
which then calls pppol2tp_session_close() and dereferences the PPPOL2TP
socket. The socket might already be gone at the moment
l2tp_session_delete() calls session->ref(), so we need to take a
reference during the session lookup. So we need to pass the do_ref
variable down to l2tp_session_get() and l2tp_session_get_by_ifname().

Since all callers have to be updated, l2tp_session_find_by_ifname() and
l2tp_nl_session_find() are renamed to reflect their new behaviour.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.n...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Amit Pundir <amit....@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/l2tp/l2tp_core.c | 9 +++++++--
net/l2tp/l2tp_core.h | 3 ++-
net/l2tp/l2tp_netlink.c | 39 ++++++++++++++++++++++++++-------------
3 files changed, 35 insertions(+), 16 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -356,7 +356,8 @@ EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
/* Lookup a session by interface name.
* This is very inefficient but is only used by management interfaces.
*/
-struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
+struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+ bool do_ref)
{
struct l2tp_net *pn = l2tp_pernet(net);
int hash;
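Review bot: the comment above l2tp_session_get_by_ifname() still only says the lookup is inefficient; it does not say that the returned session now carries a reference the caller must drop with l2tp_session_dec_refcount(), nor what do_ref adds. Document both, including that a caller passing do_ref as true must also call session->deref(), as l2tp_nl_cmd_session_delete() does.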
@@ -366,7 +367,11 @@ struct l2tp_session *l2tp_session_find_b
for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
if (!strcmp(session->ifname, ifname)) {
+ l2tp_session_inc_refcount(session);
+ if (do_ref && session->ref)
+ session->ref(session);
rcu_read_unlock_bh();
+
return session;
}
}
@@ -376,7 +381,7 @@ struct l2tp_session *l2tp_session_find_b

return NULL;
}
-EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
+EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);

static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
struct l2tp_session *session)
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -248,7 +248,8 @@ struct l2tp_session *l2tp_session_find(s
u32 session_id);
struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
bool do_ref);
-struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname);
+struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+ bool do_ref);
struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -55,7 +55,8 @@ static int l2tp_nl_session_send(struct s
/* Accessed under genl lock */
static const struct l2tp_nl_cmd_ops *l2tp_nl_cmd_ops[__L2TP_PWTYPE_MAX];

-static struct l2tp_session *l2tp_nl_session_find(struct genl_info *info)
+static struct l2tp_session *l2tp_nl_session_get(struct genl_info *info,
+ bool do_ref)
{
u32 tunnel_id;
u32 session_id;
@@ -66,14 +67,15 @@ static struct l2tp_session *l2tp_nl_sess

if (info->attrs[L2TP_ATTR_IFNAME]) {
ifname = nla_data(info->attrs[L2TP_ATTR_IFNAME]);
- session = l2tp_session_find_by_ifname(net, ifname);
+ session = l2tp_session_get_by_ifname(net, ifname, do_ref);
} else if ((info->attrs[L2TP_ATTR_SESSION_ID]) &&
(info->attrs[L2TP_ATTR_CONN_ID])) {
tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
session_id = nla_get_u32(info->attrs[L2TP_ATTR_SESSION_ID]);
tunnel = l2tp_tunnel_find(net, tunnel_id);
if (tunnel)
- session = l2tp_session_find(net, tunnel, session_id);
+ session = l2tp_session_get(net, tunnel, session_id,
+ do_ref);
}

return session;
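Review bot: in the tunnel_id/session_id branch of l2tp_nl_session_get() the tunnel still comes from l2tp_tunnel_find() with no reference taken before it is passed to l2tp_session_get(). The changelog's argument that objects can disappear outside netlink processing would seem to apply to the tunnel as well; either take a tunnel reference around the lookup or explain in a comment why the tunnel cannot go away here.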
@@ -652,7 +654,7 @@ static int l2tp_nl_cmd_session_delete(st
struct l2tp_session *session;
u16 pw_type;

- session = l2tp_nl_session_find(info);
+ session = l2tp_nl_session_get(info, true);
if (session == NULL) {
ret = -ENODEV;
goto out;
@@ -666,6 +668,10 @@ static int l2tp_nl_cmd_session_delete(st
if (l2tp_nl_cmd_ops[pw_type] && l2tp_nl_cmd_ops[pw_type]->session_delete)
ret = (*l2tp_nl_cmd_ops[pw_type]->session_delete)(session);

+ if (session->deref)
+ session->deref(session);
+ l2tp_session_dec_refcount(session);
+
out:
return ret;
}
@@ -675,7 +681,7 @@ static int l2tp_nl_cmd_session_modify(st
int ret = 0;
struct l2tp_session *session;

- session = l2tp_nl_session_find(info);
+ session = l2tp_nl_session_get(info, false);
if (session == NULL) {
ret = -ENODEV;
goto out;
@@ -710,6 +716,8 @@ static int l2tp_nl_cmd_session_modify(st
ret = l2tp_session_notify(&l2tp_nl_family, info,
session, L2TP_CMD_SESSION_MODIFY);

+ l2tp_session_dec_refcount(session);
+
out:
return ret;
}
@@ -805,29 +813,34 @@ static int l2tp_nl_cmd_session_get(struc
struct sk_buff *msg;
int ret;

- session = l2tp_nl_session_find(info);
+ session = l2tp_nl_session_get(info, false);
if (session == NULL) {
ret = -ENODEV;
- goto out;
+ goto err;
}

msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
- goto out;
+ goto err_ref;
}

ret = l2tp_nl_session_send(msg, info->snd_portid, info->snd_seq,
0, session, L2TP_CMD_SESSION_GET);
if (ret < 0)
- goto err_out;
+ goto err_ref_msg;

- return genlmsg_unicast(genl_info_net(info), msg, info->snd_portid);
+ ret = genlmsg_unicast(genl_info_net(info), msg, info->snd_portid);

-err_out:
- nlmsg_free(msg);
+ l2tp_session_dec_refcount(session);

-out:
+ return ret;
+
+err_ref_msg:
+ nlmsg_free(msg);
+err_ref:
+ l2tp_session_dec_refcount(session);
+err:
return ret;
}
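Review bot: the success path of l2tp_nl_cmd_session_get() duplicates the l2tp_session_dec_refcount() that err_ref already performs. Falling through to a neutrally named label after genlmsg_unicast() would leave a single place where the reference is dropped and make it harder to miss on a future exit path.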

Greg Kroah-Hartman

Jul 3, 2017, 10:30:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.r...@arm.com>

commit 3c226c637b69104f6b9f1c6ec5b08d7b741b3229 upstream.

In do_huge_pmd_numa_page(), we attempt to handle a migrating thp pmd by
waiting until the pmd is unlocked before we return and retry. However,
we can race with migrate_misplaced_transhuge_page():

// do_huge_pmd_numa_page                // migrate_misplaced_transhuge_page()
// Holds 0 refs on page                 // Holds 2 refs on page

vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
/* ... */
if (pmd_trans_migrating(*vmf->pmd)) {
        page = pmd_page(*vmf->pmd);
        spin_unlock(vmf->ptl);
                                        ptl = pmd_lock(mm, pmd);
                                        if (page_count(page) != 2)) {
                                                /* roll back */
                                        }
                                        /* ... */
                                        mlock_migrate_page(new_page, page);
                                        /* ... */
                                        spin_unlock(ptl);
                                        put_page(page);
                                        put_page(page); // page freed here
        wait_on_page_locked(page);
        goto out;
}

This can result in the freed page having its waiters flag set
unexpectedly, which trips the PAGE_FLAGS_CHECK_AT_PREP checks in the
page alloc/free functions. This has been observed on arm64 KVM guests.

We can avoid this by having do_huge_pmd_numa_page() take a reference on
the page before dropping the pmd lock, mirroring what we do in
__migration_entry_wait().

When we hit the race, migrate_misplaced_transhuge_page() will see the
reference and abort the migration, as it may do today in other cases.

Fixes: b8916634b77bffb2 ("mm: Prevent parallel splits during THP migration")
Link: http://lkml.kernel.org/r/1497349722-6731-2-git-...@arm.com
Signed-off-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Will Deacon <will....@arm.com>
Acked-by: Steve Capper <steve....@arm.com>
Acked-by: Kirill A. Shutemov <kirill....@linux.intel.com>
Acked-by: Vlastimil Babka <vba...@suse.cz>
Cc: Mel Gorman <mgo...@suse.de>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
mm/huge_memory.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1227,8 +1227,11 @@ int do_huge_pmd_numa_page(struct fault_e
*/
if (unlikely(pmd_trans_migrating(*fe->pmd))) {
page = pmd_page(*fe->pmd);
+ if (!get_page_unless_zero(page))
+ goto out_unlock;
spin_unlock(fe->ptl);
wait_on_page_locked(page);
+ put_page(page);
goto out;
}

@@ -1260,8 +1263,11 @@ int do_huge_pmd_numa_page(struct fault_e

/* Migration could have started since the pmd_trans_migrating check */
if (!page_locked) {
+ if (!get_page_unless_zero(page))
+ goto out_unlock;
spin_unlock(fe->ptl);
wait_on_page_locked(page);
+ put_page(page);
page_nid = -1;
goto out;
}
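
Review bot: In the `!page_locked` branch, the new `goto out_unlock` on get_page_unless_zero() failure is taken before `page_nid = -1;`, so page_nid keeps the value it had on entry to the branch, while the path that waits resets it. If the code after out_unlock acts on page_nid != -1, it would do so for a page whose refcount has already reached zero; moving `page_nid = -1;` above the get_page_unless_zero() check makes both exits of the branch behave the same. A one-line comment that the reference keeps the page alive across wait_on_page_locked() would also help, since the hunk does not say why it is taken.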

Greg Kroah-Hartman

Jul 3, 2017, 10:30:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <ido...@mellanox.com>


[ Upstream commit a59b7e0246774e28193126fe7fdbbd0ae9c67dcc ]

mlxsw_sp_nexthop_group_mac_update() is called in one of two cases:

1) When the MAC of a nexthop needs to be updated
2) When the size of a nexthop group has changed

In the second case the adjacency entries for the nexthop group need to
be reallocated from the adjacency table. In this case we must write to
the entries the MAC addresses of all the nexthops that should be
offloaded and not only those whose MAC changed. Otherwise, these entries
would be filled with garbage data, resulting in packet loss.

Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
Signed-off-by: Ido Schimmel <ido...@mellanox.com>
Signed-off-by: Jiri Pirko <ji...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -1178,7 +1178,8 @@ static int mlxsw_sp_nexthop_mac_update(s

static int
mlxsw_sp_nexthop_group_mac_update(struct mlxsw_sp *mlxsw_sp,
- struct mlxsw_sp_nexthop_group *nh_grp)
+ struct mlxsw_sp_nexthop_group *nh_grp,
+ bool reallocate)
{
u32 adj_index = nh_grp->adj_index; /* base */
struct mlxsw_sp_nexthop *nh;
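
Review bot: The new `bool reallocate` parameter of mlxsw_sp_nexthop_group_mac_update() is undocumented, and its call sites pass a bare true or false. A comment above the function stating that reallocate means the adjacency entries were newly allocated, so the MAC of every offloaded nexthop must be written and not only those with nh->update set, would make the call sites readable without the commit message.
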
@@ -1193,7 +1194,7 @@ mlxsw_sp_nexthop_group_mac_update(struct
continue;
}

- if (nh->update) {
+ if (nh->update || reallocate) {
err = mlxsw_sp_nexthop_mac_update(mlxsw_sp,
adj_index, nh);
if (err)
@@ -1254,7 +1255,8 @@ mlxsw_sp_nexthop_group_refresh(struct ml
/* Nothing was added or removed, so no need to reallocate. Just
* update MAC on existing adjacency indexes.
*/
- err = mlxsw_sp_nexthop_group_mac_update(mlxsw_sp, nh_grp);
+ err = mlxsw_sp_nexthop_group_mac_update(mlxsw_sp, nh_grp,
+ false);
if (err) {
dev_warn(mlxsw_sp->bus_info->dev, "Failed to update neigh MAC in adjacency table.\n");
goto set_trap;
@@ -1282,7 +1284,7 @@ mlxsw_sp_nexthop_group_refresh(struct ml
nh_grp->adj_index_valid = 1;
nh_grp->adj_index = adj_index;
nh_grp->ecmp_size = ecmp_size;
- err = mlxsw_sp_nexthop_group_mac_update(mlxsw_sp, nh_grp);
+ err = mlxsw_sp_nexthop_group_mac_update(mlxsw_sp, nh_grp, true);
if (err) {
dev_warn(mlxsw_sp->bus_info->dev, "Failed to update neigh MAC in adjacency table.\n");
goto set_trap;

Greg Kroah-Hartman

Jul 3, 2017, 10:30:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Hajnoczi <stef...@redhat.com>


[ Upstream commit d47d1d27fd6206c18806440f6ebddf51a806be4f ]

The read_pmem() function uses memcpy_mcsafe() on x86 where an EFAULT
error code indicates a failed read. Block I/O should use EIO to
indicate failure. Other pmem code paths (like bad blocks) already use
EIO so let's be consistent.

This fixes compatibility with consumers like btrfs that try to parse the
specific error code rather than treat all errors the same.

Reviewed-by: Jeff Moyer <jmo...@redhat.com>
Signed-off-by: Stefan Hajnoczi <stef...@redhat.com>
Signed-off-by: Dan Williams <dan.j.w...@intel.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/nvdimm/pmem.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -87,7 +87,9 @@ static int read_pmem(struct page *page,

rc = memcpy_from_pmem(mem + off, pmem_addr, len);
kunmap_atomic(mem);
- return rc;
+ if (rc)
+ return -EIO;
+ return 0;
}

static int pmem_do_bvec(struct pmem_device *pmem, struct page *page,
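
Review bot: In read_pmem(), the new `if (rc) return -EIO;` discards the value returned by memcpy_from_pmem() without a comment. The reason is only in the commit message; a short comment here that block I/O callers expect -EIO would stop the mapping from being simplified back to `return rc;` later.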

Greg Kroah-Hartman

Jul 3, 2017, 10:30:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Rex Zhu <Rex...@amd.com>


[ Upstream commit 3731d12dce83d47b357753ffc450ce03f1b49688 ]

Can fix Bug 191281: vce ib test failed.

When vce is idle, set the vce clock gate, so the clock
in the vce domain will be disabled.
When encoding is needed, disable the vce clock gate and
enable the clocks to the vce engine.

Signed-off-by: Rex Zhu <Rex...@amd.com>
Reviewed-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c
@@ -200,7 +200,7 @@ int cz_dpm_powergate_vce(struct pp_hwmgr
cgs_set_clockgating_state(
hwmgr->device,
AMD_IP_BLOCK_TYPE_VCE,
- AMD_CG_STATE_UNGATE);
+ AMD_CG_STATE_GATE);
cgs_set_powergating_state(
hwmgr->device,
AMD_IP_BLOCK_TYPE_VCE,
@@ -218,7 +218,7 @@ int cz_dpm_powergate_vce(struct pp_hwmgr
cgs_set_clockgating_state(
hwmgr->device,
AMD_IP_BLOCK_TYPE_VCE,
- AMD_PG_STATE_GATE);
+ AMD_PG_STATE_UNGATE);
cz_dpm_update_vce_dpm(hwmgr);
cz_enable_disable_vce_dpm(hwmgr, true);
return 0;
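
Review bot: In the second hunk, cgs_set_clockgating_state() is now passed AMD_PG_STATE_UNGATE, a powergating-state constant, while the first hunk passes AMD_CG_STATE_GATE to the same function. The removed line had the same mismatch (AMD_PG_STATE_GATE). This only works if the two sets of constants happen to share values; the clockgating call should take AMD_CG_STATE_UNGATE so the code says what it means.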

Greg Kroah-Hartman

Jul 3, 2017, 10:30:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nikita Yushchenko <nikita...@cogentembedded.com>


[ Upstream commit 602d9858f07c72eab64f5f00e2fae55f9902cfbe ]

Some drivers do depend on page mappings to be page aligned.

Swiotlb already enforces such alignment for mappings greater than page,
extend that to page-sized mappings as well.

Without this fix, nvme hits BUG() in nvme_setup_prps(), because that routine
assumes page-aligned mappings.

Signed-off-by: Nikita Yushchenko <nikita...@cogentembedded.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Reviewed-by: Sagi Grimberg <sa...@grimberg.me>
Signed-off-by: Konrad Rzeszutek Wilk <kon...@kernel.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
lib/swiotlb.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/lib/swiotlb.c
+++ b/lib/swiotlb.c
@@ -456,11 +456,11 @@ phys_addr_t swiotlb_tbl_map_single(struc
: 1UL << (BITS_PER_LONG - IO_TLB_SHIFT);

/*
- * For mappings greater than a page, we limit the stride (and
- * hence alignment) to a page size.
+ * For mappings greater than or equal to a page, we limit the stride
+ * (and hence alignment) to a page size.
*/
nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT;
- if (size > PAGE_SIZE)
+ if (size >= PAGE_SIZE)
stride = (1 << (PAGE_SHIFT - IO_TLB_SHIFT));
else
stride = 1;

Greg Kroah-Hartman

Jul 3, 2017, 10:30:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kevin Hilman <khi...@baylibre.com>


[ Upstream commit c5a2a394835f473ae23931eda5066d3771d7b2f8 ]

The correct error checking for dma_map_single() is to use
dma_mapping_error().

Signed-off-by: Kevin Hilman <khi...@baylibre.com>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/spi/spi-davinci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-davinci.c
+++ b/drivers/spi/spi-davinci.c
@@ -646,7 +646,7 @@ static int davinci_spi_bufs(struct spi_d
buf = t->rx_buf;
t->rx_dma = dma_map_single(&spi->dev, buf,
t->len, DMA_FROM_DEVICE);
- if (!t->rx_dma) {
+ if (dma_mapping_error(&spi->dev, !t->rx_dma)) {
ret = -EFAULT;
goto err_rx_map;
}
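
Review bot: The rx check passes `!t->rx_dma` as the second argument of dma_mapping_error(), so the function is handed 0 or 1 instead of the DMA address returned by dma_map_single(), and a failed rx mapping is not detected by comparing the real handle. The tx hunk passes `t->tx_dma` unchanged; the rx line should read `if (dma_mapping_error(&spi->dev, t->rx_dma)) {`.
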
@@ -660,7 +660,7 @@ static int davinci_spi_bufs(struct spi_d
buf = (void *)t->tx_buf;
t->tx_dma = dma_map_single(&spi->dev, buf,
t->len, DMA_TO_DEVICE);
- if (!t->tx_dma) {
+ if (dma_mapping_error(&spi->dev, t->tx_dma)) {
ret = -EFAULT;
goto err_tx_map;
}

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Colin King <colin...@canonical.com>


[ Upstream commit ad5013d5699d30ded0cdbbc68b93b2aa28222c6e ]

When x86_pmu.num_counters is 32 the shift of the integer constant 1 is
exceeding 32bit and therefore undefined behaviour.

Fix this by shifting 1ULL instead of 1.

Reported-by: CoverityScan CID#1192105 ("Bad bit shift operation")
Signed-off-by: Colin Ian King <colin...@canonical.com>
Cc: Andi Kleen <a...@linux.intel.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Kan Liang <kan....@intel.com>
Cc: Stephane Eranian <era...@google.com>
Cc: Alexander Shishkin <alexander...@linux.intel.com>
Link: http://lkml.kernel.org/r/20170111114310.1...@canonical.com
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/x86/events/intel/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3978,7 +3978,7 @@ __init int intel_pmu_init(void)
x86_pmu.num_counters, INTEL_PMC_MAX_GENERIC);
x86_pmu.num_counters = INTEL_PMC_MAX_GENERIC;
}
- x86_pmu.intel_ctrl = (1 << x86_pmu.num_counters) - 1;
+ x86_pmu.intel_ctrl = (1ULL << x86_pmu.num_counters) - 1;

if (x86_pmu.num_counters_fixed > INTEL_PMC_MAX_FIXED) {
WARN(1, KERN_ERR "hw perf events fixed %d > max(%d), clipping!",

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <pet...@infradead.org>


[ Upstream commit 63cae12bce9861cec309798d34701cf3da20bc71 ]

There is a problem with installing an event in a task that is 'stuck' on
an offline CPU.

Blocked tasks are not disassociated from offlined CPUs, after all, a
blocked task doesn't run and doesn't require a CPU etc. Only on
wakeup do we amend the situation and place the task on an available
CPU.

If we hit such a task with perf_install_in_context() we'll loop until
either that task wakes up or the CPU comes back online, if the task
waking depends on the event being installed, we're stuck.

While looking into this issue, I also spotted another problem, if we
hit a task with perf_install_in_context() that is in the middle of
being migrated, that is we observe the old CPU before sending the IPI,
but run the IPI (on the old CPU) while the task is already running on
the new CPU, things also go sideways.

Rework things to rely on task_curr() -- outside of rq->lock -- which
is rather tricky. Imagine the following scenario where we're trying to
install the first event into our task 't':

    CPU0            CPU1            CPU2

                    (current == t)

    t->perf_event_ctxp[] = ctx;
    smp_mb();
    cpu = task_cpu(t);

                    switch(t, n);
                                    migrate(t, 2);
                                    switch(p, t);

                                    ctx = t->perf_event_ctxp[]; // must not be NULL

    smp_function_call(cpu, ..);

                    generic_exec_single()
                      func();
                        spin_lock(ctx->lock);
                        if (task_curr(t)) // false

                        add_event_to_ctx();
                        spin_unlock(ctx->lock);

                                    perf_event_context_sched_in();
                                      spin_lock(ctx->lock);
                                      // sees event

So it's CPU0's store of t->perf_event_ctxp[] that must not go 'missing'.
Because if CPU2's load of that variable were to observe NULL, it would
not try to schedule the ctx and we'd have a task running without its
counter, which would be 'bad'.

As long as we observe !NULL, we'll acquire ctx->lock. If we acquire it
first and not see the event yet, then CPU0 must observe task_curr()
and retry. If the install happens first, then we must see the event on
sched-in and all is well.

I think we can translate the first part (until the 'must not be NULL')
of the scenario to a litmus test like:

  C C-peterz

  {
  }

  P0(int *x, int *y)
  {
          int r1;

          WRITE_ONCE(*x, 1);
          smp_mb();
          r1 = READ_ONCE(*y);
  }

  P1(int *y, int *z)
  {
          WRITE_ONCE(*y, 1);
          smp_store_release(z, 1);
  }

  P2(int *x, int *z)
  {
          int r1;
          int r2;

          r1 = smp_load_acquire(z);
          smp_mb();
          r2 = READ_ONCE(*x);
  }

  exists
  (0:r1=0 /\ 2:r1=1 /\ 2:r2=0)

Where:
x is perf_event_ctxp[],
y is our task's CPU, and
z is our task being placed on the rq of CPU2.

The P0 smp_mb() is the one added by this patch, ordering the store to
perf_event_ctxp[] from find_get_context() and the load of task_cpu()
in task_function_call().

The smp_store_release/smp_load_acquire model the RCpc locking of the
rq->lock and the smp_mb() of P2 is the context switch switching from
whatever CPU2 was running to our task 't'.

This litmus test evaluates into:

Test C-peterz Allowed
States 7
0:r1=0; 2:r1=0; 2:r2=0;
0:r1=0; 2:r1=0; 2:r2=1;
0:r1=0; 2:r1=1; 2:r2=1;
0:r1=1; 2:r1=0; 2:r2=0;
0:r1=1; 2:r1=0; 2:r2=1;
0:r1=1; 2:r1=1; 2:r2=0;
0:r1=1; 2:r1=1; 2:r2=1;
No
Witnesses
Positive: 0 Negative: 7
Condition exists (0:r1=0 /\ 2:r1=1 /\ 2:r2=0)
Observation C-peterz Never 0 7
Hash=e427f41d9146b2a5445101d3e2fcaa34

And the strong and weak model agree.

Reported-by: Mark Rutland <mark.r...@arm.com>
Tested-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Cc: Alexander Shishkin <alexander...@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <ac...@kernel.org>
Cc: Arnaldo Carvalho de Melo <ac...@redhat.com>
Cc: Jiri Olsa <jo...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Sebastian Andrzej Siewior <big...@linutronix.de>
Cc: Stephane Eranian <era...@google.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Vince Weaver <vincent...@maine.edu>
Cc: Will Deacon <will....@arm.com>
Cc: jeremy...@arm.com
Link: http://lkml.kernel.org/r/2016120913...@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
kernel/events/core.c | 70 ++++++++++++++++++++++++++++++++++-----------------
1 file changed, 48 insertions(+), 22 deletions(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2272,7 +2272,7 @@ static int __perf_install_in_context(vo
struct perf_event_context *ctx = event->ctx;
struct perf_cpu_context *cpuctx = __get_cpu_context(ctx);
struct perf_event_context *task_ctx = cpuctx->task_ctx;
- bool activate = true;
+ bool reprogram = true;
int ret = 0;

raw_spin_lock(&cpuctx->ctx.lock);
@@ -2280,27 +2280,26 @@ static int __perf_install_in_context(vo
raw_spin_lock(&ctx->lock);
task_ctx = ctx;

- /* If we're on the wrong CPU, try again */
- if (task_cpu(ctx->task) != smp_processor_id()) {
- ret = -ESRCH;
- goto unlock;
- }
+ reprogram = (ctx->task == current);

/*
- * If we're on the right CPU, see if the task we target is
- * current, if not we don't have to activate the ctx, a future
- * context switch will do that for us.
+ * If the task is running, it must be running on this CPU,
+ * otherwise we cannot reprogram things.
+ *
+ * If its not running, we don't care, ctx->lock will
+ * serialize against it becoming runnable.
*/
- if (ctx->task != current)
- activate = false;
- else
- WARN_ON_ONCE(cpuctx->task_ctx && cpuctx->task_ctx != ctx);
+ if (task_curr(ctx->task) && !reprogram) {
+ ret = -ESRCH;
+ goto unlock;
+ }

+ WARN_ON_ONCE(reprogram && cpuctx->task_ctx && cpuctx->task_ctx != ctx);
} else if (task_ctx) {
raw_spin_lock(&task_ctx->lock);
}

- if (activate) {
+ if (reprogram) {
ctx_sched_out(ctx, cpuctx, EVENT_TIME);
add_event_to_ctx(event, ctx);
ctx_resched(cpuctx, task_ctx);
@@ -2351,13 +2350,36 @@ perf_install_in_context(struct perf_even
/*
* Installing events is tricky because we cannot rely on ctx->is_active
* to be set in case this is the nr_events 0 -> 1 transition.
+ *
+ * Instead we use task_curr(), which tells us if the task is running.
+ * However, since we use task_curr() outside of rq::lock, we can race
+ * against the actual state. This means the result can be wrong.
+ *
+ * If we get a false positive, we retry, this is harmless.
+ *
+ * If we get a false negative, things are complicated. If we are after
+ * perf_event_context_sched_in() ctx::lock will serialize us, and the
+ * value must be correct. If we're before, it doesn't matter since
+ * perf_event_context_sched_in() will program the counter.
+ *
+ * However, this hinges on the remote context switch having observed
+ * our task->perf_event_ctxp[] store, such that it will in fact take
+ * ctx::lock in perf_event_context_sched_in().
+ *
+ * We do this by task_function_call(), if the IPI fails to hit the task
+ * we know any future context switch of task must see the
+ * perf_event_ctpx[] store.
*/
-again:
+
/*
- * Cannot use task_function_call() because we need to run on the task's
- * CPU regardless of whether its current or not.
+ * This smp_mb() orders the task->perf_event_ctxp[] store with the
+ * task_cpu() load, such that if the IPI then does not find the task
+ * running, a future context switch of that task must observe the
+ * store.
*/
- if (!cpu_function_call(task_cpu(task), __perf_install_in_context, event))
+ smp_mb();
+again:
+ if (!task_function_call(task, __perf_install_in_context, event))
return;

raw_spin_lock_irq(&ctx->lock);
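
Review bot: The last paragraph of the new comment block in perf_install_in_context() spells the field `perf_event_ctpx[]`; everywhere else in this hunk it is `perf_event_ctxp[]`. The smp_mb() is also placed above the `again:` label, so it runs once and not on each retry; if that is intentional because the store it orders happens only once, the comment above it should say so.
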
@@ -2371,12 +2393,16 @@ again:
raw_spin_unlock_irq(&ctx->lock);
return;
}
- raw_spin_unlock_irq(&ctx->lock);
/*
- * Since !ctx->is_active doesn't mean anything, we must IPI
- * unconditionally.
+ * If the task is not running, ctx->lock will avoid it becoming so,
+ * thus we can safely install the event.
*/
- goto again;
+ if (task_curr(task)) {
+ raw_spin_unlock_irq(&ctx->lock);
+ goto again;
+ }
+ add_event_to_ctx(event, ctx);
+ raw_spin_unlock_irq(&ctx->lock);
}

/*

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Balakrishnan Raman <ram...@cumulusnetworks.com>


[ Upstream commit efb5f68f32995c146944a9d4257c3cf8eae2c4a1 ]

Mac aging is applicable only for dynamically learnt remote mac
entries. Check for user configured static remote mac entries
and skip aging.

Signed-off-by: Balakrishnan Raman <ram...@cumulusnetworks.com>
Signed-off-by: Roopa Prabhu <ro...@cumulusnetworks.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/vxlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2285,7 +2285,7 @@ static void vxlan_cleanup(unsigned long
= container_of(p, struct vxlan_fdb, hlist);
unsigned long timeout;

- if (f->state & NUD_PERMANENT)
+ if (f->state & (NUD_PERMANENT | NUD_NOARP))
continue;

timeout = f->used + vxlan->cfg.age_interval * HZ;

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "G. Campana" <gcam...@quarkslab.com>


[ Upstream commit 8379cadf71c3ee8173a1c6fc1ea7762a9638c047 ]

Using control_work instead of config_work as the 3rd argument to
container_of results in an invalid portdev pointer. Indeed, the work
structure is initialized as below:

INIT_WORK(&portdev->config_work, &config_work_handler);

It leads to a crash when portdev->vdev is dereferenced later. This bug
is triggered when the guest uses a virtio-console without multiport
feature and receives a config_changed virtio interrupt.

Signed-off-by: G. Campana <gcam...@quarkslab.com>
Reviewed-by: Amit Shah <amit...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/char/virtio_console.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1870,7 +1870,7 @@ static void config_work_handler(struct w
{
struct ports_device *portdev;

- portdev = container_of(work, struct ports_device, control_work);
+ portdev = container_of(work, struct ports_device, config_work);
if (!use_multiport(portdev)) {
struct virtio_device *vdev;
struct port *port;

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Brendan McGrath <red...@redmandi.dyndns.org>


[ Upstream commit a89af4abdf9b353cdd6f61afc0eaaac403304873 ]

Support for the Asus Touchpad was recently added. It turns out this
device can fail initialisation (and become unusable) when the RESET
command is sent too soon after the POWER ON command.

Unfortunately the i2c-hid specification does not specify the need for
a delay between these two commands. But it was discovered the Windows
driver has a 1ms delay.

As a result, this patch modifies the i2c-hid module to add a sleep
in between the POWER ON and RESET commands which lasts between 1ms and 5ms.

See https://github.com/vlasenko/hid-asus-dkms/issues/24 for further
details.

Signed-off-by: Brendan McGrath <red...@redmandi.dyndns.org>
Reviewed-by: Benjamin Tissoires <benjamin....@redhat.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/hid/i2c-hid/i2c-hid.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -427,6 +427,15 @@ static int i2c_hid_hwreset(struct i2c_cl
if (ret)
goto out_unlock;

+ /*
+ * The HID over I2C specification states that if a DEVICE needs time
+ * after the PWR_ON request, it should utilise CLOCK stretching.
+ * However, it has been observered that the Windows driver provides a
+ * 1ms sleep between the PWR_ON and RESET requests and that some devices
+ * rely on this.
+ */
+ usleep_range(1000, 5000);
+
i2c_hid_dbg(ihid, "resetting...\n");

ret = i2c_hid_command(client, &hid_reset_cmd, NULL, 0);
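
Review bot: The new comment in i2c_hid_hwreset() has a typo ("observered"), and the usleep_range(1000, 5000) it introduces runs for every device that goes through this reset path, not only the ones that need the delay. If the unconditional sleep is intended, the comment should state that it is applied to all devices on purpose; otherwise it belongs behind a per-device quirk.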

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Lendacky, Thomas" <Thomas....@amd.com>


[ Upstream commit 738f7f647371ff4cfc9646c99dba5b58ad142db3 ]

The xgbe_init() routine returns a return code indicating success or
failure, but the return code is not checked. Add code to xgbe_init()
to issue a message when failures are seen and add code to check the
xgbe_init() return code.

Signed-off-by: Tom Lendacky <thomas....@amd.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 4 +++-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
@@ -2825,8 +2825,10 @@ static int xgbe_init(struct xgbe_prv_dat

/* Flush Tx queues */
ret = xgbe_flush_tx_queues(pdata);
- if (ret)
+ if (ret) {
+ netdev_err(pdata->netdev, "error flushing TX queues\n");
return ret;
+ }

/*
* Initialize DMA related features
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -877,7 +877,9 @@ static int xgbe_start(struct xgbe_prv_da

DBGPR("-->xgbe_start\n");

- hw_if->init(pdata);
+ ret = hw_if->init(pdata);
+ if (ret)
+ return ret;

ret = phy_if->phy_start(pdata);
if (ret)

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vineeth Remanan Pillai <vine...@amazon.com>


[ Upstream commit 90c311b0eeead647b708a723dbdde1eda3dcad05 ]

During an OOM scenario, request slots could not be created as skb
allocation fails. So the netback cannot pass in packets and netfront
wrongly assumes that there is no more work to be done and it disables
polling. This causes Rx to stall.

The issue is with the retry logic which schedules the timer if the
created slots are less than NET_RX_SLOTS_MIN. The count of new request
slots to be pushed are calculated as a difference between new req_prod
and rsp_cons which could be more than the actual slots, if there are
unconsumed responses.

The fix is to calculate the count of newly created slots as the
difference between new req_prod and old req_prod.

Signed-off-by: Vineeth Remanan Pillai <vine...@amazon.com>
Reviewed-by: Juergen Gross <jgr...@suse.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/xen-netfront.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -321,7 +321,7 @@ static void xennet_alloc_rx_buffers(stru
queue->rx.req_prod_pvt = req_prod;

/* Not enough requests? Try again later. */
- if (req_prod - queue->rx.rsp_cons < NET_RX_SLOTS_MIN) {
+ if (req_prod - queue->rx.sring->req_prod < NET_RX_SLOTS_MIN) {
mod_timer(&queue->rx_refill_timer, jiffies + (HZ/10));
return;
}
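
Review bot: The new condition subtracts queue->rx.sring->req_prod, a field of the ring page shared with the backend, so the refill decision now depends on memory the other end can write. Saving the private producer index (queue->rx.req_prod_pvt, overwritten in the first context line of this hunk) in a local before it is updated, and comparing req_prod against that, would give the same count of newly created slots without reading the shared page. The comment "Not enough requests?" could also say that it now refers to newly created requests.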

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.n...@alphalink.fr>

commit dbdbc73b44782e22b3b4b6e8b51e7a3d245f3086 upstream.

l2tp_session_create() relies on its caller for checking for duplicate
sessions. This is racy since a session can be concurrently inserted
after the caller's verification.

Fix this by letting l2tp_session_create() verify sessions uniqueness
upon insertion. Callers need to be adapted to check for
l2tp_session_create()'s return code instead of calling
l2tp_session_find().

pppol2tp_connect() is a bit special because it has to work on existing
sessions (if they're not connected) or to create a new session if none
is found. When acting on a preexisting session, a reference must be
held or it could go away on us. So we have to use l2tp_session_get()
instead of l2tp_session_find() and drop the reference before exiting.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.n...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Amit Pundir <amit....@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
net/l2tp/l2tp_core.c | 70 ++++++++++++++++++++++++++++++++++++++-------------
net/l2tp/l2tp_eth.c | 10 +------
net/l2tp/l2tp_ppp.c | 60 +++++++++++++++++++++----------------------
3 files changed, 84 insertions(+), 56 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -378,6 +378,48 @@ struct l2tp_session *l2tp_session_find_b
}
EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);

+static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
+ struct l2tp_session *session)
+{
+ struct l2tp_session *session_walk;
+ struct hlist_head *g_head;
+ struct hlist_head *head;
+ struct l2tp_net *pn;
+
+ head = l2tp_session_id_hash(tunnel, session->session_id);
+
+ write_lock_bh(&tunnel->hlist_lock);
+ hlist_for_each_entry(session_walk, head, hlist)
+ if (session_walk->session_id == session->session_id)
+ goto exist;
+
+ if (tunnel->version == L2TP_HDR_VER_3) {
+ pn = l2tp_pernet(tunnel->l2tp_net);
+ g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
+ session->session_id);
+
+ spin_lock_bh(&pn->l2tp_session_hlist_lock);
+ hlist_for_each_entry(session_walk, g_head, global_hlist)
+ if (session_walk->session_id == session->session_id)
+ goto exist_glob;
+
+ hlist_add_head_rcu(&session->global_hlist, g_head);
+ spin_unlock_bh(&pn->l2tp_session_hlist_lock);
+ }
+
+ hlist_add_head(&session->hlist, head);
+ write_unlock_bh(&tunnel->hlist_lock);
+
+ return 0;
+
+exist_glob:
+ spin_unlock_bh(&pn->l2tp_session_hlist_lock);
+exist:
+ write_unlock_bh(&tunnel->hlist_lock);
+
+ return -EEXIST;
+}
+
/* Lookup a tunnel by id
*/
struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
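
Review bot: l2tp_session_add_to_tunnel() tests `tunnel->version == L2TP_HDR_VER_3` before touching the global list, while the code it replaces in l2tp_session_create() tested `tunnel->version != L2TP_HDR_VER_2`; if any other version value can reach this function the two are not equivalent, so the change should be stated or the old test kept. The new function also takes pn->l2tp_session_hlist_lock while still holding tunnel->hlist_lock, a nesting the removed code did not have, and that lock order deserves a comment. Minor: `pn` is assigned from l2tp_pernet(tunnel->l2tp_net) and the next statement calls l2tp_pernet(tunnel->l2tp_net) again for l2tp_session_id_hash_2(); pass `pn` instead.
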
@@ -1787,6 +1829,7 @@ EXPORT_SYMBOL_GPL(l2tp_session_set_heade
struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
{
struct l2tp_session *session;
+ int err;

session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
if (session != NULL) {
@@ -1842,6 +1885,13 @@ struct l2tp_session *l2tp_session_create

l2tp_session_set_header_len(session, tunnel->version);

+ err = l2tp_session_add_to_tunnel(tunnel, session);
+ if (err) {
+ kfree(session);
+
+ return ERR_PTR(err);
+ }
+
/* Bump the reference count. The session context is deleted
* only when this drops to zero.
*/
@@ -1851,28 +1901,14 @@ struct l2tp_session *l2tp_session_create
/* Ensure tunnel socket isn't deleted */
sock_hold(tunnel->sock);

- /* Add session to the tunnel's hash list */
- write_lock_bh(&tunnel->hlist_lock);
- hlist_add_head(&session->hlist,
- l2tp_session_id_hash(tunnel, session_id));
- write_unlock_bh(&tunnel->hlist_lock);
-
- /* And to the global session list if L2TPv3 */
- if (tunnel->version != L2TP_HDR_VER_2) {
- struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
-
- spin_lock_bh(&pn->l2tp_session_hlist_lock);
- hlist_add_head_rcu(&session->global_hlist,
- l2tp_session_id_hash_2(pn, session_id));
- spin_unlock_bh(&pn->l2tp_session_hlist_lock);
- }
-
/* Ignore management session in session count value */
if (session->session_id != 0)
atomic_inc(&l2tp_session_count);
+
+ return session;
}

- return session;
+ return ERR_PTR(-ENOMEM);
}
EXPORT_SYMBOL_GPL(l2tp_session_create);
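
Review bot: With `return ERR_PTR(-ENOMEM);` as the final return, l2tp_session_create() no longer returns NULL on failure, and any caller still testing `!session` or `session == NULL` will treat an error pointer as a valid session. The l2tp_eth.c and l2tp_ppp.c callers are converted in this patch; please state the ERR_PTR() contract (-EEXIST, -ENOMEM) in a comment above this exported function so that other callers are checked against it.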

--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -223,12 +223,6 @@ static int l2tp_eth_create(struct net *n
goto out;
}

- session = l2tp_session_find(net, tunnel, session_id);
- if (session) {
- rc = -EEXIST;
- goto out;
- }
-
if (cfg->ifname) {
dev = dev_get_by_name(net, cfg->ifname);
if (dev) {
@@ -242,8 +236,8 @@ static int l2tp_eth_create(struct net *n

session = l2tp_session_create(sizeof(*spriv), tunnel, session_id,
peer_session_id, cfg);
- if (!session) {
- rc = -ENOMEM;
+ if (IS_ERR(session)) {
+ rc = PTR_ERR(session);
goto out;
}

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -583,6 +583,7 @@ static int pppol2tp_connect(struct socke
int error = 0;
u32 tunnel_id, peer_tunnel_id;
u32 session_id, peer_session_id;
+ bool drop_refcnt = false;
int ver = 2;
int fd;

@@ -684,36 +685,36 @@ static int pppol2tp_connect(struct socke
if (tunnel->peer_tunnel_id == 0)
tunnel->peer_tunnel_id = peer_tunnel_id;

- /* Create session if it doesn't already exist. We handle the
- * case where a session was previously created by the netlink
- * interface by checking that the session doesn't already have
- * a socket and its tunnel socket are what we expect. If any
- * of those checks fail, return EEXIST to the caller.
- */
- session = l2tp_session_find(sock_net(sk), tunnel, session_id);
- if (session == NULL) {
- /* Default MTU must allow space for UDP/L2TP/PPP
- * headers.
+ session = l2tp_session_get(sock_net(sk), tunnel, session_id, false);
+ if (session) {
+ drop_refcnt = true;
+ ps = l2tp_session_priv(session);
+
+ /* Using a pre-existing session is fine as long as it hasn't
+ * been connected yet.
*/
- cfg.mtu = cfg.mru = 1500 - PPPOL2TP_HEADER_OVERHEAD;
+ if (ps->sock) {
+ error = -EEXIST;
+ goto end;
+ }

- /* Allocate and initialize a new session context. */
- session = l2tp_session_create(sizeof(struct pppol2tp_session),
- tunnel, session_id,
- peer_session_id, &cfg);
- if (session == NULL) {
- error = -ENOMEM;
+ /* consistency checks */
+ if (ps->tunnel_sock != tunnel->sock) {
+ error = -EEXIST;
goto end;
}
} else {
- ps = l2tp_session_priv(session);
- error = -EEXIST;
- if (ps->sock != NULL)
- goto end;
+ /* Default MTU must allow space for UDP/L2TP/PPP headers */
+ cfg.mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
+ cfg.mru = cfg.mtu;

- /* consistency checks */
- if (ps->tunnel_sock != tunnel->sock)
+ session = l2tp_session_create(sizeof(struct pppol2tp_session),
+ tunnel, session_id,
+ peer_session_id, &cfg);
+ if (IS_ERR(session)) {
+ error = PTR_ERR(session);
goto end;
+ }
}

/* Associate session with its PPPoL2TP socket */
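
Review bot: In the pre-existing-session branch, `if (ps->sock)` is tested and -EEXIST returned, but the hunk takes no session-level lock between that test and the "Associate session with its PPPoL2TP socket" step below; only the l2tp_session_get() reference is held. Please confirm what prevents two connect() calls for the same session_id from both passing the test, or add the serialization here. The removed block comment also explained that such a session may have been created through the netlink interface; keeping that sentence in the new comment would preserve the reason this branch exists.
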
@@ -778,6 +779,8 @@ out_no_ppp:
session->name);

end:
+ if (drop_refcnt)
+ l2tp_session_dec_refcount(session);
release_sock(sk);

return error;
@@ -805,12 +808,6 @@ static int pppol2tp_session_create(struc
if (tunnel->sock == NULL)
goto out;

- /* Check that this session doesn't already exist */
- error = -EEXIST;
- session = l2tp_session_find(net, tunnel, session_id);
- if (session != NULL)
- goto out;
-
/* Default MTU values. */
if (cfg->mtu == 0)
cfg->mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
@@ -818,12 +815,13 @@ static int pppol2tp_session_create(struc
cfg->mru = cfg->mtu;

/* Allocate and initialize a new session context. */
- error = -ENOMEM;
session = l2tp_session_create(sizeof(struct pppol2tp_session),
tunnel, session_id,
peer_session_id, cfg);
- if (session == NULL)
+ if (IS_ERR(session)) {
+ error = PTR_ERR(session);
goto out;
+ }

ps = l2tp_session_priv(session);
ps->tunnel_sock = tunnel->sock;

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tobias Klauser <tkla...@distanz.ch>


[ Upstream commit 453828625731d0ba7218242ef6ec88f59408f368 ]

info->si_addr is of type void __user *, so it should be compared against
something from the same address space.

This fixes the following sparse error:

arch/x86/mm/mpx.c:296:27: error: incompatible types in comparison expression (different address spaces)

Signed-off-by: Tobias Klauser <tkla...@distanz.ch>
Cc: Dave Hansen <dave....@linux.intel.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: linux-...@vger.kernel.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/x86/mm/mpx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -293,7 +293,7 @@ siginfo_t *mpx_generate_siginfo(struct p
* We were not able to extract an address from the instruction,
* probably because there was something invalid in it.
*/
- if (info->si_addr == (void *)-1) {
+ if (info->si_addr == (void __user *)-1) {
err = -EINVAL;
goto err_out;
}

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.c...@de.ibm.com>


[ Upstream commit e991c24d68b8c0ba297eeb7af80b1e398e98c33f ]

We have quite a lot of code that depends on the order of the
__ctl_load inline assembly and subsequent memory accesses, like
e.g. disabling lowcore protection and the writing to lowcore.

Since the __ctl_load macro does not have memory barrier semantics, nor
any other dependencies the compiler is, theoretically, free to shuffle
code around. Or in other words: storing to lowcore could happen before
lowcore protection is disabled.

In order to avoid this class of potential bugs simply add a full
memory barrier to the __ctl_load macro.

Signed-off-by: Heiko Carstens <heiko.c...@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/s390/include/asm/ctl_reg.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/s390/include/asm/ctl_reg.h
+++ b/arch/s390/include/asm/ctl_reg.h
@@ -15,7 +15,9 @@
BUILD_BUG_ON(sizeof(addrtype) != (high - low + 1) * sizeof(long));\
asm volatile( \
" lctlg %1,%2,%0\n" \
- : : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high));\
+ : \
+ : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high) \
+ : "memory"); \
}

#define __ctl_store(array, low, high) { \
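
Review bot: The new `: "memory"` clobber in __ctl_load carries the whole ordering guarantee, but nothing in the macro says so; add a short comment that it is a compiler barrier ordering the control register load against surrounding memory accesses (the lowcore protection case from the changelog), so that it is not dropped later as redundant. The __ctl_store macro that starts in the trailing context is untouched; please say in the changelog whether it needs the same treatment or why not.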

Greg Kroah-Hartman

Jul 3, 2017, 10:30:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dave Kleikamp <dave.k...@oracle.com>


[ Upstream commit 4d22c75d4c7b5c5f4bd31054f09103ee490878fd ]

If the last section of a core file ends with an unmapped or zero page,
the size of the file does not correspond with the last dump_skip() call.
gdb complains that the file is truncated and can be confusing to users.

After all of the vma sections are written, make sure that the file size
is no smaller than the current file position.

This problem can be demonstrated with gdb's bigcore testcase on the
sparc architecture.

Signed-off-by: Dave Kleikamp <dave.k...@oracle.com>
Cc: Alexander Viro <vi...@zeniv.linux.org.uk>
Cc: linux-...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
fs/binfmt_elf.c | 1 +
fs/coredump.c | 18 ++++++++++++++++++
include/linux/coredump.h | 1 +
3 files changed, 20 insertions(+)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -2296,6 +2296,7 @@ static int elf_core_dump(struct coredump
goto end_coredump;
}
}
+ dump_truncate(cprm);

if (!elf_core_write_extra_data(cprm))
goto end_coredump;
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -833,3 +833,21 @@ int dump_align(struct coredump_params *c
return mod ? dump_skip(cprm, align - mod) : 1;
}
EXPORT_SYMBOL(dump_align);
+
+/*
+ * Ensures that file size is big enough to contain the current file
+ * postion. This prevents gdb from complaining about a truncated file
+ * if the last "write" to the file was dump_skip.
+ */
+void dump_truncate(struct coredump_params *cprm)
+{
+ struct file *file = cprm->file;
+ loff_t offset;
+
+ if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
+ offset = file->f_op->llseek(file, 0, SEEK_CUR);
+ if (i_size_read(file->f_mapping->host) < offset)
+ do_truncate(file->f_path.dentry, offset, 0, file);
+ }
+}
+EXPORT_SYMBOL(dump_truncate);
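
Review bot: dump_truncate() discards both results it depends on: the value returned by `file->f_op->llseek(file, 0, SEEK_CUR)` is used as an offset without a check for a negative error, and the return value of do_truncate() is dropped because the function is void. A negative offset happens to fail the `i_size_read(...) < offset` test, but that deserves an explicit `offset < 0` check or a comment; returning int, as dump_skip(), dump_emit() and dump_align() do in coredump.h, would let elf_core_dump() go to end_coredump on failure. Also, "postion" in the new comment should read "position".
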
--- a/include/linux/coredump.h
+++ b/include/linux/coredump.h
@@ -14,6 +14,7 @@ struct coredump_params;
extern int dump_skip(struct coredump_params *cprm, size_t nr);
extern int dump_emit(struct coredump_params *cprm, const void *addr, int nr);
extern int dump_align(struct coredump_params *cprm, int align);
+extern void dump_truncate(struct coredump_params *cprm);
#ifdef CONFIG_COREDUMP
extern void do_coredump(const siginfo_t *siginfo);
#else

Greg Kroah-Hartman

Jul 3, 2017, 10:30:12 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Len Brown <len....@intel.com>


[ Upstream commit 695085b4bc7603551db0b3da897b8bf9893ca218 ]

The Intel Denverton microserver uses a 25 MHz TSC crystal,
so we can derive its exact [*] TSC frequency
using CPUID and some arithmetic, eg.:

TSC: 1800 MHz (25000000 Hz * 216 / 3 / 1000000)

[*] 'exact' is only as good as the crystal, which should be +/- 20ppm

Signed-off-by: Len Brown <len....@intel.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Link: http://lkml.kernel.org/r/306899f94804aece6d8fa8b4223ede3b...@intel.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/x86/kernel/tsc.c | 1 +
1 file changed, 1 insertion(+)

--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -694,6 +694,7 @@ unsigned long native_calibrate_tsc(void)
crystal_khz = 24000; /* 24.0 MHz */
break;
case INTEL_FAM6_SKYLAKE_X:
+ case INTEL_FAM6_ATOM_DENVERTON:
crystal_khz = 25000; /* 25.0 MHz */
break;
case INTEL_FAM6_ATOM_GOLDMONT:

Greg Kroah-Hartman

Jul 3, 2017, 10:30:13 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: John Crispin <jo...@phrozen.org>


[ Upstream commit 61976fff20f92aceecc3670f6168bfc57a79e047 ]

When the binding was defined, I was not aware that mt2701 was an earlier
version of the SoC. For sake of consistency, the ethernet driver should
use mt2701 inside the compat string as this is the earliest SoC with the
ethernet core.

The ethernet driver is currently of no real use until we finish and
upstream the DSA driver. There are no users of this binding yet. It should
be safe to fix this now before it is too late and we need to provide
backward compatibility for the mt7623-eth compat string.

Reported-by: Sean Wang <sean...@mediatek.com>
Signed-off-by: John Crispin <jo...@phrozen.org>
Reviewed-by: Matthias Brugger <matthi...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
Documentation/devicetree/bindings/net/mediatek-net.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/devicetree/bindings/net/mediatek-net.txt
+++ b/Documentation/devicetree/bindings/net/mediatek-net.txt
@@ -7,7 +7,7 @@ have dual GMAC each represented by a chi
* Ethernet controller node

Required properties:
-- compatible: Should be "mediatek,mt7623-eth"
+- compatible: Should be "mediatek,mt2701-eth"
- reg: Address and length of the register set for the device
- interrupts: Should contain the three frame engines interrupts in numeric
order. These are fe_int0, fe_int1 and fe_int2.
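
Review bot: The required compatible changes from "mediatek,mt7623-eth" to "mediatek,mt2701-eth" in the binding text only; the diffstat lists no driver or device tree file. If the driver's match table still carries the old string when this lands in 4.9-stable, the documented binding and the code will disagree. Please confirm the matching driver change is queued in the same series, or name it here.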

Greg Kroah-Hartman

Jul 3, 2017, 10:30:13 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>


[ Upstream commit 21b995a9cb093fff33ec91d7cb3822b882a90a1e ]

Since ip6_tnl_parse_tlv_enc_lim() can call pskb_may_pull(),
we must reload any pointer that was related to skb->head
(or skb->data), or risk use after free.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Dmitry Kozlov <x...@mail.ru>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/ipv6/ip6_gre.c | 3 +++
net/ipv6/ip6_tunnel.c | 2 ++
2 files changed, 5 insertions(+)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -582,6 +582,9 @@ static inline int ip6gre_xmit_ipv6(struc
return -1;

offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+ /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+ ipv6h = ipv6_hdr(skb);
+
if (offset > 0) {
struct ipv6_tlv_tnl_enc_lim *tel;
tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];
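
Review bot: The reload of ipv6h is right, but the hazard starts one line earlier: `ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb))` hands the callee a raw pointer into skb->head, and the new comment says that same callee may reallocate skb->head. Please confirm the callee re-derives that pointer after each pskb_may_pull(), and check that no other local in this function computed from the old header before the call is used after it. Since ip6_tunnel.c needs the identical reload, a sentence in the helper's own comment that it can invalidate header pointers would serve both call sites.
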
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1313,6 +1313,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
fl6.flowlabel = key->label;
} else {
offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+ /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+ ipv6h = ipv6_hdr(skb);
if (offset > 0) {
struct ipv6_tlv_tnl_enc_lim *tel;

Greg Kroah-Hartman

Jul 3, 2017, 10:30:14 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin...@canonical.com>


[ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ]

The comparison on the timeout can lead to an array overrun
read on sctp_timer_tbl because of an off-by-one error. Fix
this by using < instead of <= and also compare to the array
size rather than SCTP_EVENT_TIMEOUT_MAX.

Fixes CoverityScan CID#1397639 ("Out-of-bounds read")

Signed-off-by: Colin Ian King <colin...@canonical.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/sctp/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[
/* Lookup timer debug name. */
const char *sctp_tname(const sctp_subtype_t id)
{
- if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX)
+ if (id.timeout < ARRAY_SIZE(sctp_timer_tbl))
return sctp_timer_tbl[id.timeout];
return "unknown_timer";
}
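
Review bot: Bounding id.timeout by ARRAY_SIZE(sctp_timer_tbl) makes the lookup safe, but it also hides the underlying mismatch: a timeout value that is valid per SCTP_EVENT_TIMEOUT_MAX and has no table entry now silently prints "unknown_timer". A build-time check tying ARRAY_SIZE(sctp_timer_tbl) to the enum would make a missing name fail the build instead.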

Greg Kroah-Hartman

Jul 3, 2017, 10:30:15 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Deepak Rawat <dra...@vmware.com>

commit 82fcee526ba8ca2c5d378bdf51b21b7eb058fe3a upstream.

The hash table created during vmw_cmdbuf_res_man_create was
never freed. This causes memory leak in context creation.
Added the corresponding drm_ht_remove in vmw_cmdbuf_res_man_destroy.

Tested for memory leak by running piglit overnight and kernel
memory is not inflated which earlier was.

Signed-off-by: Deepak Rawat <dra...@vmware.com>
Reviewed-by: Sinclair Yeh <sy...@vmware.com>
Signed-off-by: Thomas Hellstrom <thell...@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c
@@ -321,6 +321,7 @@ void vmw_cmdbuf_res_man_destroy(struct v
list_for_each_entry_safe(entry, next, &man->list, head)
vmw_cmdbuf_res_free(man, entry);

+ drm_ht_remove(&man->resources);
kfree(man);
}

Greg Kroah-Hartman

Jul 3, 2017, 10:30:16 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Rex Zhu <Rex...@amd.com>


[ Upstream commit ab8db87b8256e13a62f10af1d32f5fc233c398cc ]

Program HardMin based on the vce_arbiter.ecclk
if ecclk is 0, disable ECLK DPM 0. Otherwise VCE
could hang if switching SCLK from DPM 0 to 6/7

Signed-off-by: Rex Zhu <Rex...@amd.com>
Acked-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)

--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
@@ -1402,14 +1402,22 @@ int cz_dpm_update_vce_dpm(struct pp_hwm
cz_hwmgr->vce_dpm.hard_min_clk,
PPSMC_MSG_SetEclkHardMin));
} else {
- /*EPR# 419220 -HW limitation to to */
- cz_hwmgr->vce_dpm.hard_min_clk = hwmgr->vce_arbiter.ecclk;
- smum_send_msg_to_smc_with_parameter(hwmgr->smumgr,
- PPSMC_MSG_SetEclkHardMin,
- cz_get_eclk_level(hwmgr,
- cz_hwmgr->vce_dpm.hard_min_clk,
- PPSMC_MSG_SetEclkHardMin));
-
+ /*Program HardMin based on the vce_arbiter.ecclk */
+ if (hwmgr->vce_arbiter.ecclk == 0) {
+ smum_send_msg_to_smc_with_parameter(hwmgr->smumgr,
+ PPSMC_MSG_SetEclkHardMin, 0);
+ /* disable ECLK DPM 0. Otherwise VCE could hang if
+ * switching SCLK from DPM 0 to 6/7 */
+ smum_send_msg_to_smc_with_parameter(hwmgr->smumgr,
+ PPSMC_MSG_SetEclkSoftMin, 1);
+ } else {
+ cz_hwmgr->vce_dpm.hard_min_clk = hwmgr->vce_arbiter.ecclk;
+ smum_send_msg_to_smc_with_parameter(hwmgr->smumgr,
+ PPSMC_MSG_SetEclkHardMin,
+ cz_get_eclk_level(hwmgr,
+ cz_hwmgr->vce_dpm.hard_min_clk,
+ PPSMC_MSG_SetEclkHardMin));
+ }
}
return 0;
}
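
Review bot: In the new `hwmgr->vce_arbiter.ecclk == 0` branch, cz_hwmgr->vce_dpm.hard_min_clk is not updated, so the cached value keeps whatever the last non-zero request set while the SMC is told HardMin 0; assign it in both branches or note why the stale value is harmless. The literals 0 and 1 sent with PPSMC_MSG_SetEclkHardMin and PPSMC_MSG_SetEclkSoftMin would read better as named values, and the new comments need a space after `/*` and the closing `*/` on its own line.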

Greg Kroah-Hartman

Jul 3, 2017, 10:30:16 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Farman <far...@linux.vnet.ibm.com>


[ Upstream commit 773c7220e22d193e5667c352fcbf8d47eefc817f ]

In the case of a graceful set of detaches, where the virtio-scsi-ccw
disk is removed from the guest prior to the controller, the guest
behaves quite normally. Specifically, the detach gets us into
sd_sync_cache to issue a Synchronize Cache(10) command, which
immediately fails (and is retried a couple of times) because the device
has been removed. Later, the removal of the controller sees two CRWs
presented, but there's no further indication of the removal from the
guest viewpoint.

[ 17.217458] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 17.219257] sd 0:0:0:0: [sda] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
[ 21.449400] crw_info : CRW reports slct=0, oflw=0, chn=1, rsc=3, anc=0, erc=4, rsid=2
[ 21.449406] crw_info : CRW reports slct=0, oflw=0, chn=0, rsc=3, anc=0, erc=4, rsid=0

However, on s390, the SCSI disks can be removed "by surprise" when an
entire controller (host) is removed and all associated disks are removed
via the loop in scsi_forget_host. The same call to sd_sync_cache is
made, but because the controller has already been removed, the
Synchronize Cache(10) command is neither issued (and then failed) nor
rejected.

That the I/O isn't returned means the guest cannot have other devices
added nor removed, and other tasks (such as shutdown or reboot) issued
by the guest will not complete either. The virtio ring has already been
marked as broken (via virtio_break_device in virtio_ccw_remove), but we
still attempt to queue the command only to have it remain there. The
calling sequence provides a bit of distinction for us:

virtscsi_queuecommand()
-> virtscsi_kick_cmd()
-> virtscsi_add_cmd()
-> virtqueue_add_sgs()
-> virtqueue_add()
if success
return 0
elseif vq->broken or vring_mapping_error()
return -EIO
else
return -ENOSPC

A return of ENOSPC is generally a temporary condition, so returning
"host busy" from virtscsi_queuecommand makes sense here, to have it
redriven in a moment or two. But the EIO return code is more of a
permanent error and so it would be wise to return the I/O itself and
allow the calling thread to finish gracefully. The result is these four
kernel messages in the guest (the fourth one does not occur prior to
this patch):

[ 22.921562] crw_info : CRW reports slct=0, oflw=0, chn=1, rsc=3, anc=0, erc=4, rsid=2
[ 22.921580] crw_info : CRW reports slct=0, oflw=0, chn=0, rsc=3, anc=0, erc=4, rsid=0
[ 22.921978] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 22.921993] sd 0:0:0:0: [sda] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK

I opted to fill in the same response data that is returned from the more
graceful device detach, where the disk device is removed prior to the
controller device.

Signed-off-by: Eric Farman <far...@linux.vnet.ibm.com>
Reviewed-by: Fam Zheng <fa...@redhat.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/scsi/virtio_scsi.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -534,7 +534,9 @@ static int virtscsi_queuecommand(struct
{
struct Scsi_Host *shost = virtio_scsi_host(vscsi->vdev);
struct virtio_scsi_cmd *cmd = scsi_cmd_priv(sc);
+ unsigned long flags;
int req_size;
+ int ret;

BUG_ON(scsi_sg_count(sc) > shost->sg_tablesize);

@@ -562,8 +564,15 @@ static int virtscsi_queuecommand(struct
req_size = sizeof(cmd->req.cmd);
}

- if (virtscsi_kick_cmd(req_vq, cmd, req_size, sizeof(cmd->resp.cmd)) != 0)
+ ret = virtscsi_kick_cmd(req_vq, cmd, req_size, sizeof(cmd->resp.cmd));
+ if (ret == -EIO) {
+ cmd->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET;
+ spin_lock_irqsave(&req_vq->vq_lock, flags);
+ virtscsi_complete_cmd(vscsi, cmd);
+ spin_unlock_irqrestore(&req_vq->vq_lock, flags);
+ } else if (ret != 0) {
return SCSI_MLQUEUE_HOST_BUSY;
+ }
return 0;
}
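
Review bot: On the `ret == -EIO` path only cmd->resp.cmd.response is set before virtscsi_complete_cmd() runs; the other response fields that the completion handler may read are left as they were. Please confirm cmd->resp is zeroed earlier in virtscsi_queuecommand(), or clear it here before setting VIRTIO_SCSI_S_BAD_TARGET. A one-line comment that -EIO means the virtqueue is broken and the command is completed locally, while other errors return SCSI_MLQUEUE_HOST_BUSY for a retry, would carry the changelog's reasoning into the code.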

Greg Kroah-Hartman

Jul 3, 2017, 10:30:16 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jo...@redhat.com>


[ Upstream commit 18e7a45af91acdde99d3aa1372cc40e1f8142f7b ]

As Peter suggested [1] rejecting non sampling PEBS events,
because they don't make any sense and could cause bugs
in the NMI handler [2].

[1] http://lkml.kernel.org/r/20170103094059.GC3093@worktop
[2] http://lkml.kernel.org/r/1482931866-6018-3-g...@kernel.org

Signed-off-by: Jiri Olsa <jo...@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Cc: Alexander Shishkin <alexander...@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <ac...@kernel.org>
Cc: Arnaldo Carvalho de Melo <ac...@redhat.com>
Cc: Jiri Olsa <jo...@kernel.org>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Stephane Eranian <era...@google.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Vince Weaver <vi...@deater.net>
Cc: Vince Weaver <vincent...@maine.edu>
Link: http://lkml.kernel.org/r/20170103142454.GA26251@krava
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/x86/events/core.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -505,6 +505,10 @@ int x86_pmu_hw_config(struct perf_event

if (event->attr.precise_ip > precise)
return -EOPNOTSUPP;
+
+ /* There's no sense in having PEBS for non sampling events: */
+ if (!is_sampling_event(event))
+ return -EINVAL;
}
/*
* check that PEBS LBR correction does not conflict with
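
Review bot: The new `!is_sampling_event(event)` test returns -EINVAL for a request that this function previously accepted, so existing callers that set precise_ip on a counting event start failing after a stable update; please say in the changelog whether any known tool does this. The check directly above returns -EOPNOTSUPP for an unsupported precise_ip level, and a sentence on why this case is -EINVAL instead would help people decoding the errno.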

Greg Kroah-Hartman

Jul 3, 2017, 10:30:16 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Amelie Delaunay <amelie....@st.com>


[ Upstream commit ca02954ada711b08e5b0d84590a631fd63ed39f9 ]

USBTrdTim must be programmed to 0x5 when phy has a UTMI+ 16-bit wide
interface or 0x9 when it has a 8-bit wide interface.
GUSBCFG reset value (Value After Reset: 0x1400) sets USBTrdTim to 0x5.
In case of 8-bit UTMI+, without clearing GUSBCFG.USBTRDTIM mask, USBTrdTim
results in 0xD (0x5 | 0x9).
That's why we need to clear GUSBCFG.USBTRDTIM mask before setting USBTrdTim
value, to ensure USBTrdTim is correctly set in case of 8-bit UTMI+.

Signed-off-by: Amelie Delaunay <amelie....@st.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/usb/dwc2/gadget.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -2532,7 +2532,7 @@ void dwc2_hsotg_core_init_disconnected(s
/* keep other bits untouched (so e.g. forced modes are not lost) */
usbcfg = dwc2_readl(hsotg->regs + GUSBCFG);
usbcfg &= ~(GUSBCFG_TOUTCAL_MASK | GUSBCFG_PHYIF16 | GUSBCFG_SRPCAP |
- GUSBCFG_HNPCAP);
+ GUSBCFG_HNPCAP | GUSBCFG_USBTRDTIM_MASK);

/* set the PLL on, remove the HNP/SRP and set the PHY */
val = (hsotg->phyif == GUSBCFG_PHYIF8) ? 9 : 5;
@@ -3403,7 +3403,7 @@ static void dwc2_hsotg_init(struct dwc2_
/* keep other bits untouched (so e.g. forced modes are not lost) */
usbcfg = dwc2_readl(hsotg->regs + GUSBCFG);
usbcfg &= ~(GUSBCFG_TOUTCAL_MASK | GUSBCFG_PHYIF16 | GUSBCFG_SRPCAP |
- GUSBCFG_HNPCAP);
+ GUSBCFG_HNPCAP | GUSBCFG_USBTRDTIM_MASK);

/* set the PLL on, remove the HNP/SRP and set the PHY */
trdtim = (hsotg->phyif == GUSBCFG_PHYIF8) ? 9 : 5;
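
Review bot: The same mask fix is applied to two copies of the GUSBCFG setup, in dwc2_hsotg_core_init_disconnected() and dwc2_hsotg_init(), which differ only in the local name (val vs trdtim) holding the `(hsotg->phyif == GUSBCFG_PHYIF8) ? 9 : 5` value. Factoring the clear-and-set into one helper would keep the two paths from drifting apart again. The comment "keep other bits untouched" should also mention that the USBTrdTim field is cleared because its reset value is non-zero.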

Greg Kroah-Hartman

Jul 3, 2017, 10:30:16 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vadim Lomovtsev <Vadim.L...@caviumnetworks.com>


[ Upstream commit 7aa4865506a26c607e00bd9794a85785b55ebca7 ]

While probing BGX we are requesting appropriate QLM for its configuration
and get LMAC count by that request. Then, while reading configured
MAC values from SSDT table we need to save them in proper mapping:
BGX[i]->lmac[j].mac = <MAC value>
to later provide for initialization stuff. In order to fill
such mapping properly we need to add lmac index to be used while
acpi initialization since at this moment bgx->lmac_count already contains
actual value.

Signed-off-by: Vadim Lomovtsev <Vadim.L...@caviumnetworks.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
@@ -48,8 +48,9 @@ struct lmac {
struct bgx {
u8 bgx_id;
struct lmac lmac[MAX_LMAC_PER_BGX];
- int lmac_count;
+ u8 lmac_count;
u8 max_lmac;
+ u8 acpi_lmac_idx;
void __iomem *reg_base;
struct pci_dev *pdev;
bool is_dlm;
@@ -1159,13 +1160,13 @@ static acpi_status bgx_acpi_register_phy
if (acpi_bus_get_device(handle, &adev))
goto out;

- acpi_get_mac_address(dev, adev, bgx->lmac[bgx->lmac_count].mac);
+ acpi_get_mac_address(dev, adev, bgx->lmac[bgx->acpi_lmac_idx].mac);

- SET_NETDEV_DEV(&bgx->lmac[bgx->lmac_count].netdev, dev);
+ SET_NETDEV_DEV(&bgx->lmac[bgx->acpi_lmac_idx].netdev, dev);

- bgx->lmac[bgx->lmac_count].lmacid = bgx->lmac_count;
+ bgx->lmac[bgx->acpi_lmac_idx].lmacid = bgx->acpi_lmac_idx;
+ bgx->acpi_lmac_idx++; /* move to next LMAC */
out:
- bgx->lmac_count++;
return AE_OK;
}
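
Review bot: bgx->acpi_lmac_idx indexes bgx->lmac[], which is declared with MAX_LMAC_PER_BGX entries, and it is incremented on every successful callback with no upper bound check; a table listing more child devices than that writes past the array. Add `if (bgx->acpi_lmac_idx >= MAX_LMAC_PER_BGX)` before the first use. Note also that the old code advanced the index at the out: label even when acpi_bus_get_device() failed, while the new code does not, so a failed child no longer leaves a gap; say so in the changelog if that is intended.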

Greg Kroah-Hartman

Jul 3, 2017, 10:31:01 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+k...@armlinux.org.uk>


[ Upstream commit a13c06525ab9ff442924e67df9393a5efa914c56 ]

When a Marvell 88E1512 PHY is connected to a nic in SGMII mode, the
fiber page is used for the SGMII host-side connection. The PHY driver
notices that SUPPORTED_FIBRE is set, so it tries reading the fiber page
for the link status, and ends up reading the MAC-side status instead of
the outgoing (copper) link. This leads to incorrect results reported
via ethtool.

If the PHY is connected via SGMII to the host, ignore the fiber page.
However, continue to allow the existing power management code to
suspend and resume the fiber page.

Fixes: 6cfb3bcc0641 ("Marvell phy: check link status in case of fiber link.")
Signed-off-by: Russell King <rmk+k...@armlinux.org.uk>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/phy/marvell.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/phy/marvell.c
+++ b/drivers/net/phy/marvell.c
@@ -1200,7 +1200,8 @@ static int marvell_read_status(struct ph
int err;

/* Check the fiber mode first */
- if (phydev->supported & SUPPORTED_FIBRE) {
+ if (phydev->supported & SUPPORTED_FIBRE &&
+ phydev->interface != PHY_INTERFACE_MODE_SGMII) {
err = phy_write(phydev, MII_MARVELL_PHY_PAGE, MII_M1111_FIBER);
if (err < 0)
goto error;
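
Review bot: The condition `phydev->supported & SUPPORTED_FIBRE && phydev->interface != PHY_INTERFACE_MODE_SGMII` relies on & binding tighter than &&; it evaluates as intended, but put parentheses around the bitwise test so it reads unambiguously. The comment "Check the fiber mode first" should also say that the fiber page is skipped for SGMII because it then reflects the host-side link, as the changelog explains.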

Greg Kroah-Hartman

Jul 3, 2017, 10:31:05 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Huth <th...@redhat.com>


[ Upstream commit 23d28a859fb847fd7fcfbd31acb3b160abb5d6ae ]

When using the ibmveth driver in a KVM/QEMU based VM, it currently
always prints out a scary error message like this when it is started:

ibmveth 71000003 (unregistered net_device): unable to change
checksum offload settings. 1 rc=-2 ret_attr=71000003

This happens because the driver always tries to enable the checksum
offloading without checking for the availability of this feature first.
QEMU does not support checksum offloading for the spapr-vlan device,
thus we always get the error message here.
According to the LoPAPR specification, the "ibm,illan-options" property
of the corresponding device tree node should be checked first to see
whether the H_ILLAN_ATTRIBUTES hypercall and thus the checksum offloading
feature is available. Thus let's do this in the ibmveth driver, too, so
that the error message is really only limited to cases where something
goes wrong, and does not occur if the feature is just missing.

Signed-off-by: Thomas Huth <th...@redhat.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/ibm/ibmveth.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/ibm/ibmveth.c
+++ b/drivers/net/ethernet/ibm/ibmveth.c
@@ -1604,8 +1604,11 @@ static int ibmveth_probe(struct vio_dev
netdev->netdev_ops = &ibmveth_netdev_ops;
netdev->ethtool_ops = &netdev_ethtool_ops;
SET_NETDEV_DEV(netdev, &dev->dev);
- netdev->hw_features = NETIF_F_SG | NETIF_F_RXCSUM |
- NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM;
+ netdev->hw_features = NETIF_F_SG;
+ if (vio_get_attribute(dev, "ibm,illan-options", NULL) != NULL) {
+ netdev->hw_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
+ NETIF_F_RXCSUM;
+ }

netdev->features |= netdev->hw_features;
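
Review bot: `vio_get_attribute(dev, "ibm,illan-options", NULL)` only tests that the property exists; its value is not read, so the checksum features are advertised whenever the property is present, whatever it contains. If presence alone is what the specification requires, say so in a comment above the test. Style: the `!= NULL` comparison can be dropped.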

Greg Kroah-Hartman

Jul 3, 2017, 10:31:06 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jsl...@suse.cz>


[ Upstream commit ff7a28a074ccbea999dadbb58c46212cf90984c6 ]

When a system panics, the "Rebooting in X seconds.." message is never
printed because it lacks a new line. Fix it.

Link: http://lkml.kernel.org/r/20170119114751...@suse.cz
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
kernel/panic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -249,7 +249,7 @@ void panic(const char *fmt, ...)
* Delay timeout seconds before rebooting the machine.
* We can't use the "normal" timers since we just panicked.
*/
- pr_emerg("Rebooting in %d seconds..", panic_timeout);
+ pr_emerg("Rebooting in %d seconds..\n", panic_timeout);

for (i = 0; i < panic_timeout * 1000; i += PANIC_TIMER_STEP) {
touch_nmi_watchdog();

Greg Kroah-Hartman

Jul 3, 2017, 10:40:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Karl Beldan <karl....@gmail.com>

commit 25d8b92e0af75d72ce8b99e63e5a449cc0888efa upstream.

In this sequence the 'move' is assumed in the delay slot of the 'beq',
but head.S is in reorder mode and the former gets pushed one 'nop'
farther by the assembler.

The corrected behavior made booting with an UHI supplied dtb erratic.

Fixes: 15f37e158892 ("MIPS: store the appended dtb address in a variable")
Signed-off-by: Karl Beldan <karl.be...@gmail.com>
Reviewed-by: James Hogan <james...@imgtec.com>
Cc: Jonas Gorski <jo...@openwrt.org>
Cc: linux...@linux-mips.org
Cc: linux-...@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16614/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/mips/kernel/head.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kernel/head.S
+++ b/arch/mips/kernel/head.S
@@ -106,8 +106,8 @@ NESTED(kernel_entry, 16, sp) # kernel
beq t0, t1, dtb_found
#endif
li t1, -2
- beq a0, t1, dtb_found
move t2, a1
+ beq a0, t1, dtb_found

li t2, 0
dtb_found:
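Review bot: The reordered `move t2, a1` / `beq a0, t1, dtb_found` pair has no comment explaining why the move must come first. Since the commit message says head.S is assembled in reorder mode and the assembler fills the delay slot itself, a short comment above the `move` would stop someone from moving it back below the branch as a hand-scheduled delay slot.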

Greg Kroah-Hartman

Jul 3, 2017, 10:40:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Igor Druzhinin <igor.dr...@citrix.com>


[ Upstream commit 9a6cdf52b85ea5fb21d2bb31e4a7bc61b79923a7 ]

Eliminate memory leaks introduced several years ago by cleaning the
queue resources which are allocated on XenBus connection event. Namely, queue
structure array and pages used for IO rings.

Signed-off-by: Igor Druzhinin <igor.dr...@citrix.com>
Reviewed-by: Paul Durrant <paul.d...@citrix.com>
Acked-by: Wei Liu <wei....@citrix.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/xen-netback/xenbus.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/drivers/net/xen-netback/xenbus.c
+++ b/drivers/net/xen-netback/xenbus.c
@@ -493,11 +493,20 @@ static int backend_create_xenvif(struct
static void backend_disconnect(struct backend_info *be)
{
if (be->vif) {
+ unsigned int queue_index;
+
xen_unregister_watchers(be->vif);
#ifdef CONFIG_DEBUG_FS
xenvif_debugfs_delif(be->vif);
#endif /* CONFIG_DEBUG_FS */
xenvif_disconnect_data(be->vif);
+ for (queue_index = 0; queue_index < be->vif->num_queues; ++queue_index)
+ xenvif_deinit_queue(&be->vif->queues[queue_index]);
+
+ vfree(be->vif->queues);
+ be->vif->num_queues = 0;
+ be->vif->queues = NULL;
+
xenvif_disconnect_ctrl(be->vif);
}
}
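Review bot: The teardown added to backend_disconnect() (the `xenvif_deinit_queue()` loop, `vfree(be->vif->queues)` and the two resets) repeats what the `err:` path of connect() does in the next hunk, so a small helper shared by both would keep the two paths from drifting apart. The placement after `xenvif_disconnect_data()` and before `xenvif_disconnect_ctrl()` looks deliberate; a comment saying why would help. Keep `num_queues = 0` and `queues = NULL` next to the `vfree()`, since they are what makes a second pass through this function a no-op.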
@@ -1040,6 +1049,8 @@ static void connect(struct backend_info
err:
if (be->vif->num_queues > 0)
xenvif_disconnect_data(be->vif); /* Clean up existing queues */
+ for (queue_index = 0; queue_index < be->vif->num_queues; ++queue_index)
+ xenvif_deinit_queue(&be->vif->queues[queue_index]);
vfree(be->vif->queues);
be->vif->queues = NULL;
be->vif->num_queues = 0;
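Review bot: The loop added under `err:` in connect() uses `queue_index`, but no declaration is visible in this hunk, so for the 4.9 backport please confirm the variable already exists in this function. Unlike the `xenvif_disconnect_data()` call above it, the loop is not under the `if (be->vif->num_queues > 0)` guard; that is fine because it iterates zero times in that case, but it is worth a glance to make sure the indentation in the applied file reflects it.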

Greg Kroah-Hartman

Jul 3, 2017, 10:40:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: jbrunet <jbr...@baylibre.com>


[ Upstream commit 57f3986231bb2c69a55ccab1d2b30a00818027ac ]

The patches regarding eee-broken-modes were merged before all people
involved could find an agreement on the best way to move forward.

While we agreed on having a DT property to mark particular modes as broken,
the value used for eee-broken-modes mapped the phy register in a very direct
way. Because of this, the concern is that it could be used to implement
configuration policies instead of describing a broken HW.

In the end, having a boolean property for each mode seems to be preferred
over one bit field value mapping the register (too) directly.

Cc: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: Jerome Brunet <jbr...@baylibre.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/phy/phy_device.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1633,7 +1633,7 @@ static void of_set_phy_supported(struct
static void of_set_phy_eee_broken(struct phy_device *phydev)
{
struct device_node *node = phydev->mdio.dev.of_node;
- u32 broken;
+ u32 broken = 0;

if (!IS_ENABLED(CONFIG_OF_MDIO))
return;
@@ -1641,8 +1641,20 @@ static void of_set_phy_eee_broken(struct
if (!node)
return;

- if (!of_property_read_u32(node, "eee-broken-modes", &broken))
- phydev->eee_broken_modes = broken;
+ if (of_property_read_bool(node, "eee-broken-100tx"))
+ broken |= MDIO_EEE_100TX;
+ if (of_property_read_bool(node, "eee-broken-1000t"))
+ broken |= MDIO_EEE_1000T;
+ if (of_property_read_bool(node, "eee-broken-10gt"))
+ broken |= MDIO_EEE_10GT;
+ if (of_property_read_bool(node, "eee-broken-1000kx"))
+ broken |= MDIO_EEE_1000KX;
+ if (of_property_read_bool(node, "eee-broken-10gkx4"))
+ broken |= MDIO_EEE_10GKX4;
+ if (of_property_read_bool(node, "eee-broken-10gkr"))
+ broken |= MDIO_EEE_10GKR;
+
+ phydev->eee_broken_modes = broken;
}

/**
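Review bot: `phydev->eee_broken_modes = broken;` at the end of of_set_phy_eee_broken() is now unconditional, where the removed code only wrote the field when the DT property was present, so any value already in `eee_broken_modes` is replaced by 0 when no "eee-broken-*" property exists. If that is intended, a comment should say so; otherwise use `|=` or assign only when `broken` is non-zero. The diffstat also lists only phy_device.c, so the six new boolean property names have no binding documentation in this patch.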

Greg Kroah-Hartman

Jul 3, 2017, 10:40:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Ahern <dsa...@gmail.com>


[ Upstream commit 097d3c9508dc58286344e4a22b300098cf0c1566 ]

Commit 1aa6c4f6b8cd8 ("net: vrf: Add l3mdev rules on first device create")
adds the l3mdev FIB rule the first time a VRF device is created. However,
it only creates the rule once and only in the namespace the first device
is created - which may not be init_net. Fix by using the net_generic
capability to make the add_fib_rules flag per network namespace.

Fixes: 1aa6c4f6b8cd8 ("net: vrf: Add l3mdev rules on first device create")
Reported-by: Petr Machata <pe...@mellanox.com>
Signed-off-by: David Ahern <dsa...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/vrf.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)

--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -36,12 +36,14 @@
#include <net/addrconf.h>
#include <net/l3mdev.h>
#include <net/fib_rules.h>
+#include <net/netns/generic.h>

#define DRV_NAME "vrf"
#define DRV_VERSION "1.0"

#define FIB_RULE_PREF 1000 /* default preference for FIB rules */
-static bool add_fib_rules = true;
+
+static unsigned int vrf_net_id;

struct net_vrf {
struct rtable __rcu *rth;
@@ -1237,6 +1239,8 @@ static int vrf_newlink(struct net *src_n
struct nlattr *tb[], struct nlattr *data[])
{
struct net_vrf *vrf = netdev_priv(dev);
+ bool *add_fib_rules;
+ struct net *net;
int err;

if (!data || !data[IFLA_VRF_TABLE])
@@ -1252,13 +1256,15 @@ static int vrf_newlink(struct net *src_n
if (err)
goto out;

- if (add_fib_rules) {
+ net = dev_net(dev);
+ add_fib_rules = net_generic(net, vrf_net_id);
+ if (*add_fib_rules) {
err = vrf_add_fib_rules(dev);
if (err) {
unregister_netdevice(dev);
goto out;
}
- add_fib_rules = false;
+ *add_fib_rules = false;
}

out:
@@ -1341,16 +1347,38 @@ static struct notifier_block vrf_notifie
.notifier_call = vrf_device_event,
};

+/* Initialize per network namespace state */
+static int __net_init vrf_netns_init(struct net *net)
+{
+ bool *add_fib_rules = net_generic(net, vrf_net_id);
+
+ *add_fib_rules = true;
+
+ return 0;
+}
+
+static struct pernet_operations vrf_net_ops __net_initdata = {
+ .init = vrf_netns_init,
+ .id = &vrf_net_id,
+ .size = sizeof(bool),
+};
+
static int __init vrf_init_module(void)
{
int rc;

register_netdevice_notifier(&vrf_notifier_block);

- rc = rtnl_link_register(&vrf_link_ops);
+ rc = register_pernet_subsys(&vrf_net_ops);
if (rc < 0)
goto error;

+ rc = rtnl_link_register(&vrf_link_ops);
+ if (rc < 0) {
+ unregister_pernet_subsys(&vrf_net_ops);
+ goto error;
+ }
+
return 0;

error:
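Review bot: The per-namespace state registered through `vrf_net_ops` is a bare `bool` (`.size = sizeof(bool)`), and both vrf_netns_init() and vrf_newlink() get it back from `net_generic()` as an untyped pointer. A small named struct holding `add_fib_rules` would document what the slot contains and let later per-netns fields be added without touching every `net_generic()` caller. In vrf_init_module(), the new failure branch after `rtnl_link_register()` undoes `register_pernet_subsys()` before jumping to `error:`, which is the right order.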

Greg Kroah-Hartman

Jul 3, 2017, 10:40:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Liam R. Howlett" <Liam.H...@Oracle.com>


[ Upstream commit 7a7dc961a28b965a0d0303c2e989df17b411708b ]

Error queues use a non-zero first word to detect if the queues are full.
Using pages that have not been zeroed may result in false positive
overflow events. These queues are set up once during boot so zeroing
all mondo and error queue pages is safe.

Note that the false positive overflow does not always occur because the
page allocation for these queues is so early in the boot cycle that
higher number CPUs get fresh pages. It is only when traps are serviced
with lower number CPUs who were given already used pages that this issue
is exposed.

Signed-off-by: Liam R. Howlett <Liam.H...@Oracle.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/sparc/kernel/irq_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/sparc/kernel/irq_64.c
+++ b/arch/sparc/kernel/irq_64.c
@@ -1021,7 +1021,7 @@ static void __init alloc_one_queue(unsig
unsigned long order = get_order(size);
unsigned long p;

- p = __get_free_pages(GFP_KERNEL, order);
+ p = __get_free_pages(GFP_KERNEL | __GFP_ZERO, order);
if (!p) {
prom_printf("SUN4V: Error, cannot allocate queue.\n");
prom_halt();
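Review bot: The `__GFP_ZERO` added to the `__get_free_pages()` call in alloc_one_queue() carries a correctness requirement that is only explained in the commit message. A one-line comment at the allocation, saying that the error queues treat a non-zero first word as a full queue, would keep the flag from being dropped in a later cleanup.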

Greg Kroah-Hartman

Jul 3, 2017, 10:40:08 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Mintz, Yuval" <Yuval...@cavium.com>


[ Upstream commit 0eed9cf58446b28b233388b7f224cbca268b6986 ]

Some of the structure's fields are not initialized by the
rtnetlink. If driver doesn't set those in ndo_get_vf_config(),
they'd leak memory to user.

Signed-off-by: Yuval Mintz <Yuval...@cavium.com>
CC: Michal Schmidt <msch...@redhat.com>
Reviewed-by: Greg Rose <gvros...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/core/rtnetlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1130,6 +1130,8 @@ static noinline_for_stack int rtnl_fill_
struct ifla_vf_mac vf_mac;
struct ifla_vf_info ivi;

+ memset(&ivi, 0, sizeof(ivi));
+
/* Not all SR-IOV capable drivers support the
* spoofcheck and "RSS query enable" query. Preset to
* -1 so the user space tool can detect that the driver
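Review bot: The `memset(&ivi, 0, sizeof(ivi));` has to stay ahead of the `-1` presets for `spoofchk`, `rss_query_en` and `trusted` that follow, and nothing in the code says so. A short comment stating that the whole structure is cleared because drivers may leave fields unset in ndo_get_vf_config(), and that the contents are then reported to user space, would make both the ordering and the purpose explicit.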
@@ -1138,7 +1140,6 @@ static noinline_for_stack int rtnl_fill_
ivi.spoofchk = -1;
ivi.rss_query_en = -1;
ivi.trusted = -1;
- memset(ivi.mac, 0, sizeof(ivi.mac));
/* The default value for VF link state is "auto"
* IFLA_VF_LINK_STATE_AUTO which equals zero
*/

Greg Kroah-Hartman

Jul 3, 2017, 10:40:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <cha...@linux.vnet.ibm.com>


[ Upstream commit 97dcdea076ecef41ea4aaa23d4397c2f622e4265 ]

The following deadlock is seen when executing generic/113 test,

---------------------------------------------------------+----------------------------------------------------
 Direct I/O task                                            Fast fsync task
---------------------------------------------------------+----------------------------------------------------
 btrfs_direct_IO
 __blockdev_direct_IO
 do_blockdev_direct_IO
 do_direct_IO
 btrfs_get_blocks_direct
 while (blocks needs to written)
 get_more_blocks (first iteration)
 btrfs_get_blocks_direct
 btrfs_create_dio_extent
 down_read(&BTRFS_I(inode)->dio_sem)
 Create and add extent map and ordered extent
 up_read(&BTRFS_I(inode)->dio_sem)
                                                            btrfs_sync_file
                                                            btrfs_log_dentry_safe
                                                            btrfs_log_inode_parent
                                                            btrfs_log_inode
                                                            btrfs_log_changed_extents
                                                            down_write(&BTRFS_I(inode)->dio_sem)
                                                            Collect new extent maps and ordered extents
                                                            wait for ordered extent completion
 get_more_blocks (second iteration)
 btrfs_get_blocks_direct
 btrfs_create_dio_extent
 down_read(&BTRFS_I(inode)->dio_sem)
--------------------------------------------------------------------------------------------------------------

In the above description, Btrfs direct I/O code path has not yet started
submitting bios for file range covered by the initial ordered
extent. Meanwhile, the fast fsync task obtains the write semaphore and
waits for I/O on the ordered extent to get completed. However, the
Direct I/O task is now blocked on obtaining the read semaphore.

To resolve the deadlock, this commit modifies the Direct I/O code path
to obtain the read semaphore before invoking
__blockdev_direct_IO(). The semaphore is then given up after
__blockdev_direct_IO() returns. This allows the Direct I/O code to
complete I/O on all the ordered extents it creates.

Signed-off-by: Chandan Rajendra <cha...@linux.vnet.ibm.com>
Reviewed-by: Filipe Manana <fdma...@suse.com>
Signed-off-by: David Sterba <dst...@suse.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
fs/btrfs/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -7235,7 +7235,6 @@ static struct extent_map *btrfs_create_d
struct extent_map *em = NULL;
int ret;

- down_read(&BTRFS_I(inode)->dio_sem);
if (type != BTRFS_ORDERED_NOCOW) {
em = create_pinned_em(inode, start, len, orig_start,
block_start, block_len, orig_block_len,
@@ -7254,7 +7253,6 @@ static struct extent_map *btrfs_create_d
em = ERR_PTR(ret);
}
out:
- up_read(&BTRFS_I(inode)->dio_sem);

return em;
}
@@ -8707,6 +8705,7 @@ static ssize_t btrfs_direct_IO(struct ki
dio_data.unsubmitted_oe_range_start = (u64)offset;
dio_data.unsubmitted_oe_range_end = (u64)offset;
current->journal_info = &dio_data;
+ down_read(&BTRFS_I(inode)->dio_sem);
} else if (test_bit(BTRFS_INODE_READDIO_NEED_LOCK,
&BTRFS_I(inode)->runtime_flags)) {
inode_dio_end(inode);
@@ -8719,6 +8718,7 @@ static ssize_t btrfs_direct_IO(struct ki
iter, btrfs_get_blocks_direct, NULL,
btrfs_submit_direct, flags);
if (iov_iter_rw(iter) == WRITE) {
+ up_read(&BTRFS_I(inode)->dio_sem);
current->journal_info = NULL;
if (ret < 0 && ret != -EIOCBQUEUED) {
if (dio_data.reserve)
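Review bot: `down_read(&BTRFS_I(inode)->dio_sem)` and the matching `up_read()` now sit in two separate `iov_iter_rw(iter) == WRITE` branches of btrfs_direct_IO(), on either side of the `__blockdev_direct_IO()` call, with no comment tying them together. Please add a comment at the `down_read()` stating that the semaphore is held across the whole call so that fsync cannot take it for write between two get_more_blocks iterations, and check that no path between the two branches can return without reaching the `up_read()`. The `ret != -EIOCBQUEUED` test just below shows the read side is released while queued I/O may still be in flight, so the comment should also say why that is sufficient for the fsync side.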

Greg Kroah-Hartman

Jul 3, 2017, 10:40:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Quinn Tran <quinn...@cavium.com>


[ Upstream commit 5f35509db179ca7ed1feaa4b14f841adb06ed220 ]

Corrupted ATIO is defined as length of fcp_header & fcp_cmd
payload is less than 0x38. It's the minimum size for a frame to
carry 8..16 bytes SCSI CDB. The exchange will be dropped or
terminated if corrupted.

Signed-off-by: Quinn Tran <quinn...@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu...@cavium.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
[ bvanassche: Fixed spelling in patch title ]
Signed-off-by: Bart Van Assche <bart.va...@sandisk.com>

Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_def.h | 3 ++-
drivers/scsi/qla2xxx/qla_target.c | 23 ++++++++++++++++++++---
drivers/scsi/qla2xxx/qla_target.h | 22 +++++++++++++++++++++-
3 files changed, 43 insertions(+), 5 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -1555,7 +1555,8 @@ typedef struct {
struct atio {
uint8_t entry_type; /* Entry type. */
uint8_t entry_count; /* Entry count. */
- uint8_t data[58];
+ __le16 attr_n_length;
+ uint8_t data[56];
uint32_t signature;
#define ATIO_PROCESSED 0xDEADDEAD /* Signature */
};
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -6463,12 +6463,29 @@ qlt_24xx_process_atio_queue(struct scsi_
if (!vha->flags.online)
return;

- while (ha->tgt.atio_ring_ptr->signature != ATIO_PROCESSED) {
+ while ((ha->tgt.atio_ring_ptr->signature != ATIO_PROCESSED) ||
+ fcpcmd_is_corrupted(ha->tgt.atio_ring_ptr)) {
pkt = (struct atio_from_isp *)ha->tgt.atio_ring_ptr;
cnt = pkt->u.raw.entry_count;

- qlt_24xx_atio_pkt_all_vps(vha, (struct atio_from_isp *)pkt,
- ha_locked);
+ if (unlikely(fcpcmd_is_corrupted(ha->tgt.atio_ring_ptr))) {
+ /*
+ * This packet is corrupted. The header + payload
+ * can not be trusted. There is no point in passing
+ * it further up.
+ */
+ ql_log(ql_log_warn, vha, 0xffff,
+ "corrupted fcp frame SID[%3phN] OXID[%04x] EXCG[%x] %64phN\n",
+ pkt->u.isp24.fcp_hdr.s_id,
+ be16_to_cpu(pkt->u.isp24.fcp_hdr.ox_id),
+ le32_to_cpu(pkt->u.isp24.exchange_addr), pkt);
+
+ adjust_corrupted_atio(pkt);
+ qlt_send_term_exchange(vha, NULL, pkt, ha_locked, 0);
+ } else {
+ qlt_24xx_atio_pkt_all_vps(vha,
+ (struct atio_from_isp *)pkt, ha_locked);
+ }

for (i = 0; i < cnt; i++) {
ha->tgt.atio_ring_index++;
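Review bot: In the new `while` condition of qlt_24xx_process_atio_queue(), `fcpcmd_is_corrupted()` is OR-ed with the signature test, so an entry is consumed whenever its length field looks short, even when its signature already reads ATIO_PROCESSED; the loop then relies on `adjust_corrupted_atio()` rewriting the length to terminate. That coupling needs a comment at the loop head, and the helper is evaluated twice per iteration when once would do. The `ql_log(ql_log_warn, ...)` call dumps 64 bytes of a frame the comment above it describes as not to be trusted, once per corrupted entry and with no rate limit, under message id `0xffff`; consider rate limiting it and checking that the id is free in the driver's id space.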
--- a/drivers/scsi/qla2xxx/qla_target.h
+++ b/drivers/scsi/qla2xxx/qla_target.h
@@ -427,13 +427,33 @@ struct atio_from_isp {
struct {
uint8_t entry_type; /* Entry type. */
uint8_t entry_count; /* Entry count. */
- uint8_t data[58];
+ __le16 attr_n_length;
+#define FCP_CMD_LENGTH_MASK 0x0fff
+#define FCP_CMD_LENGTH_MIN 0x38
+ uint8_t data[56];
uint32_t signature;
#define ATIO_PROCESSED 0xDEADDEAD /* Signature */
} raw;
} u;
} __packed;

+static inline int fcpcmd_is_corrupted(struct atio *atio)
+{
+ if (atio->entry_type == ATIO_TYPE7 &&
+ (le16_to_cpu(atio->attr_n_length & FCP_CMD_LENGTH_MASK) <
+ FCP_CMD_LENGTH_MIN))
+ return 1;
+ else
+ return 0;
+}
+
+/* adjust corrupted atio so we won't trip over the same entry again. */
+static inline void adjust_corrupted_atio(struct atio_from_isp *atio)
+{
+ atio->u.raw.attr_n_length = cpu_to_le16(FCP_CMD_LENGTH_MIN);
+ atio->u.isp24.fcp_cmnd.add_cdb_len = 0;
+}
+
#define CTIO_TYPE7 0x12 /* Continue target I/O entry (for 24xx) */

/*
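Review bot: In fcpcmd_is_corrupted(), the mask is applied before the byte swap: `le16_to_cpu(atio->attr_n_length & FCP_CMD_LENGTH_MASK)` masks the raw `__le16` value with a CPU-order constant, which selects the wrong bits on a big-endian host. It should read `le16_to_cpu(atio->attr_n_length) & FCP_CMD_LENGTH_MASK`. The function can also return the comparison directly as a `bool` instead of the `if`/`else` returning 1 and 0.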

Greg Kroah-Hartman

Jul 3, 2017, 10:40:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.n...@alphalink.fr>

commit 61b9a047729bb230978178bca6729689d0c50ca2 upstream.

Taking a reference on sessions in l2tp_recv_common() is racy; this
has to be done by the callers.

To this end, a new function is required (l2tp_session_get()) to
atomically lookup a session and take a reference on it. Callers then
have to manually drop this reference.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.n...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Amit Pundir <amit....@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/l2tp/l2tp_core.c | 73 +++++++++++++++++++++++++++++++++++++++++----------
net/l2tp/l2tp_core.h | 3 ++
net/l2tp/l2tp_ip.c | 17 ++++++++---
net/l2tp/l2tp_ip6.c | 18 +++++++++---
4 files changed, 88 insertions(+), 23 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -278,6 +278,55 @@ struct l2tp_session *l2tp_session_find(s
}
EXPORT_SYMBOL_GPL(l2tp_session_find);

+/* Like l2tp_session_find() but takes a reference on the returned session.
+ * Optionally calls session->ref() too if do_ref is true.
+ */
+struct l2tp_session *l2tp_session_get(struct net *net,
+ struct l2tp_tunnel *tunnel,
+ u32 session_id, bool do_ref)
+{
+ struct hlist_head *session_list;
+ struct l2tp_session *session;
+
+ if (!tunnel) {
+ struct l2tp_net *pn = l2tp_pernet(net);
+
+ session_list = l2tp_session_id_hash_2(pn, session_id);
+
+ rcu_read_lock_bh();
+ hlist_for_each_entry_rcu(session, session_list, global_hlist) {
+ if (session->session_id == session_id) {
+ l2tp_session_inc_refcount(session);
+ if (do_ref && session->ref)
+ session->ref(session);
+ rcu_read_unlock_bh();
+
+ return session;
+ }
+ }
+ rcu_read_unlock_bh();
+
+ return NULL;
+ }
+
+ session_list = l2tp_session_id_hash(tunnel, session_id);
+ read_lock_bh(&tunnel->hlist_lock);
+ hlist_for_each_entry(session, session_list, hlist) {
+ if (session->session_id == session_id) {
+ l2tp_session_inc_refcount(session);
+ if (do_ref && session->ref)
+ session->ref(session);
+ read_unlock_bh(&tunnel->hlist_lock);
+
+ return session;
+ }
+ }
+ read_unlock_bh(&tunnel->hlist_lock);
+
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(l2tp_session_get);
+
struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
bool do_ref)
{
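Review bot: In the `!tunnel` branch of l2tp_session_get(), the session is found under `rcu_read_lock_bh()` and then pinned with a plain `l2tp_session_inc_refcount()`. Under RCU an entry can still be reachable on the list after its last reference was dropped, so please state in a comment what guarantees the count is non-zero at this point, or use an increment that fails on zero. The two lookup loops also share the same body (inc refcount, optional `session->ref()`, unlock, return), which could be factored out.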
@@ -637,6 +686,9 @@ discard:
* a data (not control) frame before coming here. Fields up to the
* session-id have already been parsed and ptr points to the data
* after the session-id.
+ *
+ * session->ref() must have been called prior to l2tp_recv_common().
+ * session->deref() will be called automatically after skb is processed.
*/
void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
unsigned char *ptr, unsigned char *optr, u16 hdrflags,
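Review bot: The comment added above l2tp_recv_common() documents only half of the new contract: it mentions `session->ref()` and `session->deref()`, but not that the caller must also hold the reference taken by l2tp_session_get() and drop it with `l2tp_session_dec_refcount()` after the call. Since the later hunks remove both the inc and the dec from this function, the comment should state that explicitly.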
@@ -646,14 +698,6 @@ void l2tp_recv_common(struct l2tp_sessio
int offset;
u32 ns, nr;

- /* The ref count is increased since we now hold a pointer to
- * the session. Take care to decrement the refcnt when exiting
- * this function from now on...
- */
- l2tp_session_inc_refcount(session);
- if (session->ref)
- (*session->ref)(session);
-
/* Parse and check optional cookie */
if (session->peer_cookie_len > 0) {
if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
@@ -806,8 +850,6 @@ void l2tp_recv_common(struct l2tp_sessio
/* Try to dequeue as many skbs from reorder_q as we can. */
l2tp_recv_dequeue(session);

- l2tp_session_dec_refcount(session);
-
return;

discard:
@@ -816,8 +858,6 @@ discard:

if (session->deref)
(*session->deref)(session);
-
- l2tp_session_dec_refcount(session);
}
EXPORT_SYMBOL(l2tp_recv_common);

@@ -924,8 +964,14 @@ static int l2tp_udp_recv_core(struct l2t
}

/* Find the session context */
- session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
+ session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
if (!session || !session->recv_skb) {
+ if (session) {
+ if (session->deref)
+ session->deref(session);
+ l2tp_session_dec_refcount(session);
+ }
+
/* Not found? Pass to userspace to deal with */
l2tp_info(tunnel, L2TP_MSG_DATA,
"%s: no session found (%u/%u). Passing up.\n",
@@ -934,6 +980,7 @@ static int l2tp_udp_recv_core(struct l2t
}

l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
+ l2tp_session_dec_refcount(session);

return 0;

--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -240,6 +240,9 @@ out:
return tunnel;
}

+struct l2tp_session *l2tp_session_get(struct net *net,
+ struct l2tp_tunnel *tunnel,
+ u32 session_id, bool do_ref);
struct l2tp_session *l2tp_session_find(struct net *net,
struct l2tp_tunnel *tunnel,
u32 session_id);
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -143,19 +143,19 @@ static int l2tp_ip_recv(struct sk_buff *
}

/* Ok, this is a data packet. Lookup the session. */
- session = l2tp_session_find(net, NULL, session_id);
- if (session == NULL)
+ session = l2tp_session_get(net, NULL, session_id, true);
+ if (!session)
goto discard;

tunnel = session->tunnel;
- if (tunnel == NULL)
- goto discard;
+ if (!tunnel)
+ goto discard_sess;

/* Trace packet contents, if enabled */
if (tunnel->debug & L2TP_MSG_DATA) {
length = min(32u, skb->len);
if (!pskb_may_pull(skb, length))
- goto discard;
+ goto discard_sess;

/* Point to L2TP header */
optr = ptr = skb->data;
@@ -165,6 +165,7 @@ static int l2tp_ip_recv(struct sk_buff *
}

l2tp_recv_common(session, skb, ptr, optr, 0, skb->len, tunnel->recv_payload_hook);
+ l2tp_session_dec_refcount(session);

return 0;

@@ -203,6 +204,12 @@ pass_up:

return sk_receive_skb(sk, skb, 1);

+discard_sess:
+ if (session->deref)
+ session->deref(session);
+ l2tp_session_dec_refcount(session);
+ goto discard;
+
discard_put:
sock_put(sk);
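Review bot: The `discard_sess:` block in l2tp_ip_recv() (`session->deref` if set, then `l2tp_session_dec_refcount()`) is another copy of the release sequence already open-coded in l2tp_udp_recv_core() and repeated again in l2tp_ip6.c. A helper that undoes `l2tp_session_get(..., true)` would remove the duplication and make it harder to forget one of the two steps on a new error path.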

--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -156,19 +156,19 @@ static int l2tp_ip6_recv(struct sk_buff
}

/* Ok, this is a data packet. Lookup the session. */
- session = l2tp_session_find(net, NULL, session_id);
- if (session == NULL)
+ session = l2tp_session_get(net, NULL, session_id, true);
+ if (!session)
goto discard;

tunnel = session->tunnel;
- if (tunnel == NULL)
- goto discard;
+ if (!tunnel)
+ goto discard_sess;

/* Trace packet contents, if enabled */
if (tunnel->debug & L2TP_MSG_DATA) {
length = min(32u, skb->len);
if (!pskb_may_pull(skb, length))
- goto discard;
+ goto discard_sess;

/* Point to L2TP header */
optr = ptr = skb->data;
@@ -179,6 +179,8 @@ static int l2tp_ip6_recv(struct sk_buff

l2tp_recv_common(session, skb, ptr, optr, 0, skb->len,
tunnel->recv_payload_hook);
+ l2tp_session_dec_refcount(session);
+
return 0;

pass_up:
@@ -216,6 +218,12 @@ pass_up:

return sk_receive_skb(sk, skb, 1);

+discard_sess:
+ if (session->deref)
+ session->deref(session);
+ l2tp_session_dec_refcount(session);
+ goto discard;
+
discard_put:
sock_put(sk);

Greg Kroah-Hartman

Jul 3, 2017, 10:40:09 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Alvaro G. M" <alvaro...@hazent.com>


[ Upstream commit 93b43fd137cd8865adf9978ab9870a344365d3af ]

This PHY with fiber support is register compatible with DP83848,
so add support for it.

Signed-off-by: Alvaro Gamez Machado <alvaro...@hazent.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/phy/dp83848.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/phy/dp83848.c
+++ b/drivers/net/phy/dp83848.c
@@ -17,6 +17,7 @@
#include <linux/phy.h>

#define TI_DP83848C_PHY_ID 0x20005ca0
+#define TI_DP83620_PHY_ID 0x20005ce0
#define NS_DP83848C_PHY_ID 0x20005c90
#define TLK10X_PHY_ID 0x2000a210
#define TI_DP83822_PHY_ID 0x2000a240
@@ -77,6 +78,7 @@ static int dp83848_config_intr(struct ph
static struct mdio_device_id __maybe_unused dp83848_tbl[] = {
{ TI_DP83848C_PHY_ID, 0xfffffff0 },
{ NS_DP83848C_PHY_ID, 0xfffffff0 },
+ { TI_DP83620_PHY_ID, 0xfffffff0 },
{ TLK10X_PHY_ID, 0xfffffff0 },
{ TI_DP83822_PHY_ID, 0xfffffff0 },
{ }
@@ -106,6 +108,7 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
static struct phy_driver dp83848_driver[] = {
DP83848_PHY_DRIVER(TI_DP83848C_PHY_ID, "TI DP83848C 10/100 Mbps PHY"),
DP83848_PHY_DRIVER(NS_DP83848C_PHY_ID, "NS DP83848C 10/100 Mbps PHY"),
+ DP83848_PHY_DRIVER(TI_DP83620_PHY_ID, "TI DP83620 10/100 Mbps PHY"),
DP83848_PHY_DRIVER(TLK10X_PHY_ID, "TI TLK10X 10/100 Mbps PHY"),
DP83848_PHY_DRIVER(TI_DP83822_PHY_ID, "TI DP83822 10/100 Mbps PHY"),
};

Greg Kroah-Hartman

Jul 3, 2017, 10:40:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mateusz Jurczyk <mjur...@google.com>


[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ]

Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < sizeof(*nlh) expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjur...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/decnet/netfilter/dn_rtmsg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_sk
{
struct nlmsghdr *nlh = nlmsg_hdr(skb);

- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
+ if (skb->len < sizeof(*nlh) ||
+ nlh->nlmsg_len < sizeof(*nlh) ||
+ skb->len < nlh->nlmsg_len)
return;

if (!netlink_capable(skb, CAP_NET_ADMIN))
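Review bot: The added `skb->len < sizeof(*nlh)` test in dnrmg_receive_user_skb() must stay first in the condition, because the other two comparisons read `nlh->nlmsg_len`, which is only backed by received data once the buffer holds a full header, and the code carries no comment saying so. The three comparisons are the same ones `nlmsg_ok()` performs, so calling it with `skb->len` as the remaining length would express the check with the existing helper and avoid open-coding the order.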

Greg Kroah-Hartman

Jul 3, 2017, 10:40:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Chan <michae...@broadcom.com>


[ Upstream commit 719ca8111402aa6157bd83a3c966d184db0d8956 ]

In the TPA GRO code path, initialize the tcp_opt_len variable to 0 so
that it will be correct for packets without TCP timestamps. The bug
caused the SKB fields to be incorrectly set up for packets without
TCP timestamps, leading to these packets being rejected by the stack.

Reported-by: Andy Gospodarek <andrew.g...@broadocm.com>
Acked-by: Andy Gospodarek <andrew.g...@broadocm.com>
Signed-off-by: Michael Chan <michae...@broadcom.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -1097,7 +1097,7 @@ static struct sk_buff *bnxt_gro_func_573
{
#ifdef CONFIG_INET
struct tcphdr *th;
- int len, nw_off, tcp_opt_len;
+ int len, nw_off, tcp_opt_len = 0;

if (tcp_ts)
tcp_opt_len = 12;

Greg Kroah-Hartman

Jul 3, 2017, 10:40:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Damien Le Moal <damien...@wdc.com>


[ Upstream commit 26f2819772af891dee2843e1f8662c58e5129d5f ]

Zoned block devices force the use of READ/WRITE(16) commands by setting
sdkp->use_16_for_rw and clearing sdkp->use_10_for_rw. This results in
DPOFUA always being disabled for these drives as the assumed use of
the deprecated READ/WRITE(6) commands only looks at sdkp->use_10_for_rw.
Strengthen the test by also checking that sdkp->use_16_for_rw is false.

Signed-off-by: Damien Le Moal <damien...@wdc.com>
Reviewed-by: Hannes Reinecke <ha...@suse.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <alexand...@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/scsi/sd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2572,7 +2572,8 @@ sd_read_cache_type(struct scsi_disk *sdk
if (sdp->broken_fua) {
sd_first_printk(KERN_NOTICE, sdkp, "Disabling FUA\n");
sdkp->DPOFUA = 0;
- } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw) {
+ } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw &&
+ !sdkp->device->use_16_for_rw) {
sd_first_printk(KERN_NOTICE, sdkp,
"Uses READ/WRITE(6), disabling FUA\n");
sdkp->DPOFUA = 0;

Greg Kroah-Hartman

Jul 3, 2017, 10:40:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kinglong Mee <kingl...@gmail.com>

commit 366a1569bff3fe14abfdf9285e31e05e091745f5 upstream.

Because nfs4_opendata_access() has closed the state when access is denied,
the state isn't leaked.
Rather than revert the commit a974deee47, I'd like to clean the strange state close.

[ 1615.094218] ------------[ cut here ]------------
[ 1615.094607] WARNING: CPU: 0 PID: 23702 at lib/list_debug.c:31 __list_add_valid+0x8e/0xa0
[ 1615.094913] list_add double add: new=ffff9d7901d9f608, prev=ffff9d7901d9f608, next=ffff9d7901ee8dd0.
[ 1615.095458] Modules linked in: nfsv4(E) nfs(E) nfsd(E) tun bridge stp llc fuse ip_set nfnetlink vmw_vsock_vmci_transport vsock f2fs snd_seq_midi snd_seq_midi_event fscrypto coretemp ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_rapl_perf vmw_balloon snd_ens1371 joydev gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore nfit parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm i2c_piix4 vmw_vmci shpchp auth_rpcgss nfs_acl lockd(E) grace sunrpc(E) xfs libcrc32c vmwgfx drm_kms_helper ttm drm crc32c_intel mptspi e1000 serio_raw scsi_transport_spi mptscsih mptbase ata_generic pata_acpi fjes [last unloaded: nfs]
[ 1615.097663] CPU: 0 PID: 23702 Comm: fstest Tainted: G W E 4.11.0-rc1+ #517
[ 1615.098015] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1615.098807] Call Trace:
[ 1615.099183] dump_stack+0x63/0x86
[ 1615.099578] __warn+0xcb/0xf0
[ 1615.099967] warn_slowpath_fmt+0x5f/0x80
[ 1615.100370] __list_add_valid+0x8e/0xa0
[ 1615.100760] nfs4_put_state_owner+0x75/0xc0 [nfsv4]
[ 1615.101136] __nfs4_close+0x109/0x140 [nfsv4]
[ 1615.101524] nfs4_close_state+0x15/0x20 [nfsv4]
[ 1615.101949] nfs4_close_context+0x21/0x30 [nfsv4]
[ 1615.102691] __put_nfs_open_context+0xb8/0x110 [nfs]
[ 1615.103155] put_nfs_open_context+0x10/0x20 [nfs]
[ 1615.103586] nfs4_file_open+0x13b/0x260 [nfsv4]
[ 1615.103978] do_dentry_open+0x20a/0x2f0
[ 1615.104369] ? nfs4_copy_file_range+0x30/0x30 [nfsv4]
[ 1615.104739] vfs_open+0x4c/0x70
[ 1615.105106] ? may_open+0x5a/0x100
[ 1615.105469] path_openat+0x623/0x1420
[ 1615.105823] do_filp_open+0x91/0x100
[ 1615.106174] ? __alloc_fd+0x3f/0x170
[ 1615.106568] do_sys_open+0x130/0x220
[ 1615.106920] ? __put_cred+0x3d/0x50
[ 1615.107256] SyS_open+0x1e/0x20
[ 1615.107588] entry_SYSCALL_64_fastpath+0x1a/0xa9
[ 1615.107922] RIP: 0033:0x7fab599069b0
[ 1615.108247] RSP: 002b:00007ffcf0600d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 1615.108575] RAX: ffffffffffffffda RBX: 00007fab59bcfae0 RCX: 00007fab599069b0
[ 1615.108896] RDX: 0000000000000200 RSI: 0000000000000200 RDI: 00007ffcf060255e
[ 1615.109211] RBP: 0000000000040010 R08: 0000000000000000 R09: 0000000000000016
[ 1615.109515] R10: 00000000000006a1 R11: 0000000000000246 R12: 0000000000041000
[ 1615.109806] R13: 0000000000040010 R14: 0000000000001000 R15: 0000000000002710
[ 1615.110152] ---[ end trace 96ed63b1306bf2f3 ]---

Fixes: a974deee47 ("NFSv4: Fix memory and state leak in...")
Signed-off-by: Kinglong Mee <kingl...@gmail.com>
Signed-off-by: Anna Schumaker <Anna.Sc...@Netapp.com>
Cc: Trond Myklebust <trond.m...@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/nfs/nfs4proc.c | 2 --
1 file changed, 2 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2343,8 +2343,6 @@ static int nfs4_opendata_access(struct r
if ((mask & ~cache.mask & (MAY_READ | MAY_EXEC)) == 0)
return 0;

- /* even though OPEN succeeded, access is denied. Close the file */
- nfs4_close_state(state, fmode);
return -EACCES;
}
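Review bot: after this removal the `return -EACCES` path leaves `state` open, and nothing in the function says who releases it. The trace in the commit message shows the close arriving through put_nfs_open_context() from nfs4_file_open(), so a short comment at the return stating that the caller's context put closes the state would replace the deleted one, and it is worth confirming that every caller of nfs4_opendata_access() releases the state on error.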

Greg Kroah-Hartman

Jul 3, 2017, 10:40:10 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <br...@bgdev.pl>

commit ad537b822577fcc143325786cd6ad50d7b9df31c upstream.

GPIOEVENT_REQUEST_BOTH_EDGES is not a single flag, but a binary OR of
GPIOEVENT_REQUEST_RISING_EDGE and GPIOEVENT_REQUEST_FALLING_EDGE.

The expression 'le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES' will get
evaluated to true even if only one event type was requested.

Fix it by checking both RISING & FALLING flags explicitly.

Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events")
Signed-off-by: Bartosz Golaszewski <br...@bgdev.pl>
Signed-off-by: Linus Walleij <linus....@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpio/gpiolib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -707,7 +707,8 @@ static irqreturn_t lineevent_irq_thread(

ge.timestamp = ktime_get_real_ns();

- if (le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES) {
+ if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE
+ && le->eflags & GPIOEVENT_REQUEST_FALLING_EDGE) {
int level = gpiod_get_value_cansleep(le->desc);

if (level)
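Review bot: the condition starting at `if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE` is harder to read than it needs to be: it leans on `&` binding tighter than `&&` with no parentheses, and the `&&` starts the continuation line. Since the commit message states that GPIOEVENT_REQUEST_BOTH_EDGES is the OR of the two flags, `(le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES) == GPIOEVENT_REQUEST_BOTH_EDGES` expresses the same test on one line; if the two-term form stays, parenthesize each `&` term and end the first line with `&&`.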

Greg Kroah-Hartman

Jul 3, 2017, 10:40:11 AM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Baoquan He <b...@redhat.com>

commit fc5f9d5f151c9fff21d3d1d2907b888a5aec3ff7 upstream.

Jeff Moyer reported that on his system with two memory regions 0~64G and
1T~1T+192G, and kernel option "memmap=192G!1024G" added, enabling KASLR
will make the system hang intermittently during boot, while adding 'nokaslr'
won't.

The back trace is:

Oops: 0000 [#1] SMP

RIP: memcpy_erms()
[ .... ]
Call Trace:
pmem_rw_page()
bdev_read_page()
do_mpage_readpage()
mpage_readpages()
blkdev_readpages()
__do_page_cache_readahead()
force_page_cache_readahead()
page_cache_sync_readahead()
generic_file_read_iter()
blkdev_read_iter()
__vfs_read()
vfs_read()
SyS_read()
entry_SYSCALL_64_fastpath()

This crash happens because the for loop count calculation in sync_global_pgds()
is not correct. When a mapping area crosses PGD entries, we should
calculate the starting address of region which next PGD covers and assign
it to next for loop count, but not add PGDIR_SIZE directly. The old
code works right only if the mapping area is an exact multiple of PGDIR_SIZE,
otherwise the end region could be skipped so that it can't be synchronized
to all other processes from kernel PGD init_mm.pgd.

In Jeff's system, emulated pmem area [1024G, 1216G) is smaller than
PGDIR_SIZE. While 'nokaslr' works because PAGE_OFFSET is 1T aligned, it
makes this area be mapped inside one PGD entry. With KASLR enabled,
this area could cross two PGD entries, then the next PGD entry won't
be synced to all other processes. That is why we saw empty PGD.

Fix it.

Reported-by: Jeff Moyer <jmo...@redhat.com>
Signed-off-by: Baoquan He <b...@redhat.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Andy Lutomirski <lu...@kernel.org>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Dan Williams <dan.j.w...@intel.com>
Cc: Dave Hansen <dave....@linux.intel.com>
Cc: Dave Young <dyo...@redhat.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Jinbum Park <jinb....@gmail.com>
Cc: Josh Poimboeuf <jpoi...@redhat.com>
Cc: Kees Cook <kees...@chromium.org>
Cc: Kirill A. Shutemov <kirill....@linux.intel.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Garnier <thga...@google.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Yasuaki Ishimatsu <yasu.i...@gmail.com>
Cc: Yinghai Lu <yin...@kernel.org>
Link: http://lkml.kernel.org/r/1493864747-8506-1-...@redhat.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Dan Williams <dan.j.w...@intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
arch/x86/mm/init_64.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -94,10 +94,10 @@ __setup("noexec32=", nonx32_setup);
*/
void sync_global_pgds(unsigned long start, unsigned long end, int removed)
{
- unsigned long address;
+ unsigned long addr;

- for (address = start; address <= end; address += PGDIR_SIZE) {
- const pgd_t *pgd_ref = pgd_offset_k(address);
+ for (addr = start; addr <= end; addr = ALIGN(addr + 1, PGDIR_SIZE)) {
+ const pgd_t *pgd_ref = pgd_offset_k(addr);
struct page *page;

/*
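Review bot: the loop step `addr = ALIGN(addr + 1, PGDIR_SIZE)` can wrap to 0 when `addr` lies in the topmost PGD entry, and `addr <= end` would then hold again, so the loop would restart from address 0 instead of terminating. Either document that callers never pass a range reaching the last PGD entry, or guard the step, for example by breaking out when the new `addr` is smaller than the previous one.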
@@ -113,7 +113,7 @@ void sync_global_pgds(unsigned long star
pgd_t *pgd;
spinlock_t *pgt_lock;

- pgd = (pgd_t *)page_address(page) + pgd_index(address);
+ pgd = (pgd_t *)page_address(page) + pgd_index(addr);
/* the pgt_lock only for Xen */
pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
spin_lock(pgt_lock);
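Review bot: the rename to `addr` at `pgd_index(addr)` is unrelated to the fix and doubles the size of the patch. Keeping the name `address` would leave only the `for` line changed, which is easier to audit in a stable backport.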