Re: [PATCH] PCI: set flag IRQCHIP_ONESHOT_SAFE for PCI-MSI irqchip's

2018-08-04 Thread Thomas Gleixner
On Fri, 3 Aug 2018, Heiner Kallweit wrote:

> PCI-MSI is oneshot-safe, therefore set flag IRQCHIP_ONESHOT_SAFE to
> avoid unneeded masking/unmasking. See also discussion here:
> https://marc.info/?l=linux-pci&m=153332526101128&w=2

This changelog really wants a bit more detailed information.

> Signed-off-by: Heiner Kallweit 
> ---
>  drivers/pci/msi.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
> index 4d88afdf..f2ef8964 100644
> --- a/drivers/pci/msi.c
> +++ b/drivers/pci/msi.c
> @@ -1446,6 +1446,9 @@ struct irq_domain *pci_msi_create_irq_domain(struct 
> fwnode_handle *fwnode,
>   if (IS_ENABLED(CONFIG_GENERIC_IRQ_RESERVATION_MODE))
>   info->flags |= MSI_FLAG_MUST_REACTIVATE;
>  
> + /* PCI-MSI is oneshot-safe */
> + info->chip->flags |= IRQCHIP_ONESHOT_SAFE;
> +
>   domain = msi_create_irq_domain(fwnode, info, parent);
>   if (!domain)
>   return NULL;
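Review bot: the comment on the added line, "PCI-MSI is oneshot-safe", restates the flag name without saying why; a sentence on what makes masking unnecessary for MSI while a threaded handler runs would let a reader check the claim. The assignment also writes through info->chip, so the flag ends up on the caller's irq_chip for every domain created through pci_msi_create_irq_domain(). If that is intended for all callers, the changelog should say so.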
> -- 
> 2.18.0
> 
> 


[PATCH 6/7] arm64: dts: allwinner: a64: Enable the THS on A64 boards

2018-08-04 Thread Emmanuel Vadot
Enable the Thermal Sensor Controller on all A64 boards.

Signed-off-by: Emmanuel Vadot 
---
 arch/arm64/boot/dts/allwinner/sun50i-a64-amarula-relic.dts| 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-bananapi-m64.dts | 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-nanopi-a64.dts   | 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts| 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dts | 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-pine64.dts   | 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts | 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-sopine-baseboard.dts | 4 
 arch/arm64/boot/dts/allwinner/sun50i-a64-teres-i.dts  | 4 
 9 files changed, 36 insertions(+)

diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-amarula-relic.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-amarula-relic.dts
index eac4793c8502..1201fcf9 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-amarula-relic.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-amarula-relic.dts
@@ -201,6 +201,10 @@
regulator-name = "vcc-rtc";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
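Review bot: the same `&ths { status = "okay"; };` override is repeated in every A64 board file touched by this patch, and none of the hunks adds a board-specific property to the node. If the sensor needs nothing from the board, leaving it enabled in the SoC dtsi would avoid the nine per-board copies; if a board-level dependency is expected, the commit message should name it.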
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-bananapi-m64.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-bananapi-m64.dts
index 094cfed13df9..3bacffd5eebc 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-bananapi-m64.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-bananapi-m64.dts
@@ -300,6 +300,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-nanopi-a64.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-nanopi-a64.dts
index 98dbff19f5cc..3a9305995db0 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-nanopi-a64.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-nanopi-a64.dts
@@ -199,6 +199,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts
index 3f531393eaee..e7eb88b7b514 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts
@@ -218,6 +218,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dts
index 1221764f5719..649419a793bb 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dts
@@ -195,6 +195,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64.dts
index 1b9b92e541d2..44fe900f6f46 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64.dts
@@ -238,6 +238,10 @@
status = "disabled";
 };
 
+&ths {
+   status = "okay";
+};
+
 /* On Exp and Euler connectors */
 &uart0 {
pinctrl-names = "default";
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts
index 897e60cbe38d..f70817babec6 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts
@@ -268,6 +268,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-sopine-baseboard.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-sopine-baseboard.dts
index c21f2331add6..32e7d2542e48 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-sopine-baseboard.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-sopine-baseboard.dts
@@ -138,6 +138,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-teres-i.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-a64-teres-i.dts
index 81f8e0098699..fa12281a6839 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-teres-i.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-teres-i.dts
@@ -258,6 +258,10 @@
vcc-hdmi-supply = <®_dldo1>;
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
 

[PATCH 1/7] dt-bindings: Add DT bindings documentation for Allwinner Thermal Sensor Controller

2018-08-04 Thread Emmanuel Vadot
This patch adds documentation for Device-Tree bindings for the Allwinner
Thermal Sensor Controller found on the H3, H5 and A64 SoCs

Signed-off-by: Emmanuel Vadot 
---
 .../bindings/thermal/allwinner-thermal.txt| 41 +++
 1 file changed, 41 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/thermal/allwinner-thermal.txt

diff --git a/Documentation/devicetree/bindings/thermal/allwinner-thermal.txt 
b/Documentation/devicetree/bindings/thermal/allwinner-thermal.txt
new file mode 100644
index ..5810d44cf495
--- /dev/null
+++ b/Documentation/devicetree/bindings/thermal/allwinner-thermal.txt
@@ -0,0 +1,41 @@
+* Thermal Sensor Controller on Allwinner SoCs
+
+Required properties:
+- compatible : should be "allwinner,-ths"
+   "allwinner,sun8i-h3-ths": found on H3 and H2+ SoCs
+   "allwinner,sun50i-h5-ths": found on H5 SoC
+   "allwinner,sun50i-a64-ths": found on H5 SoC
+- reg : physical base address of the controller and length of memory mapped
+   region.
+- interrupts : The interrupt number to the cpu. The interrupt specifier format
+  depends on the interrupt controller.
+- clocks : Must contain an entry for each entry in clock-names.
+- clock-names : Shall be "apb" for the bus, and "ths" for
+   the peripheral clock.
+- resets : Must contain an entry for each entry in reset-names.
+  See ../reset/reset.txt for details.
+- reset-names : Must be "apb".
+- #thermal-sensor-cells : Depend on the SoC
+   For H3 should be 0
+   For H5 should be 1
+   For A64 should be 2
+   See ./thermal.txt for a description.
+- nvmem-cells : Phandle to the calibration data
+- nvmem-cell-names = Should be "ths-calib"
+
+Example:
+
+ths: thermal_sensor@1c25000 {
+   compatible = "allwinner,sun8i-h3-ths";
+   reg = <0x01c25000 0x100>;
+   interrupts = ;
+   clocks = <&ccu CLK_BUS_THS>, <&ccu CLK_THS>;
+   clock-names = "apb", "ths";
+   resets = <&ccu RST_BUS_THS>;
+   reset-names = "apb";
+   #thermal-sensor-cells = <0>;
+   status = "disabled";
+
+   nvmem-cells = <&ths_calib>;
+   nvmem-cell-names = "ths-calib";
+};
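Review bot: the compatible list describes "allwinner,sun50i-a64-ths" as "found on H5 SoC", which looks copied from the line above and should name the A64. In the same property list, nvmem-cell-names is written with "=" where every other entry uses ":". The #thermal-sensor-cells values (0, 1, 2) also need a justification: the property gives the number of cells in a sensor specifier, not a sensor count, so the text should say what a two-cell specifier on A64 encodes or use 1 for the multi-sensor parts.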
-- 
2.18.0



[PATCH 3/7] arm64: dts: allwinner: h5: Add thermal sensor controller node

2018-08-04 Thread Emmanuel Vadot
This adds the ths controller for the H5 and the nvmem cell for the
calibration data on the sid node.

Signed-off-by: Emmanuel Vadot 
---
 arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi 
b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi
index 9838acaeea58..908237bc5804 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi
@@ -97,6 +97,25 @@
sid: eeprom@1c14000 {
compatible = "allwinner,sun50i-h5-sid";
reg = <0x1c14000 0x400>;
+
+   ths_calib: calib@234 {
+   reg = <0x234 0x4>;
+   };
+   };
+
+   ths: thermal_sensor@1c25000 {
+   compatible = "allwinner,sun50i-h5-ths";
+   reg = <0x01c25000 0x100>;
+   interrupts = ;
+   clocks = <&ccu CLK_BUS_THS>, <&ccu CLK_THS>;
+   clock-names = "apb", "ths";
+   resets = <&ccu RST_BUS_THS>;
+   reset-names = "apb";
+   #thermal-sensor-cells = <1>;
+   status = "disabled";
+
+   nvmem-cells = <&ths_calib>;
+   nvmem-cell-names = "ths-calib";
};
};
 };
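Review bot: calib@234 is added as a child of the sid node with a reg property, but the sid node as shown carries only compatible and reg, with no #address-cells or #size-cells. For `reg = <0x234 0x4>` to be read as one offset cell and one length cell, the parent needs `#address-cells = <1>` and `#size-cells = <1>`; add both to sid in this hunk.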
-- 
2.18.0



[PATCH 4/7] arm64: dts: allwinner: a64: Add thermal sensor controller node

2018-08-04 Thread Emmanuel Vadot
This adds the ths controller for the A64 and the nvmem cell for the
calibration data on the sid node.

Signed-off-by: Emmanuel Vadot 
---
 arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi 
b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
index 925bf38fb536..ad72a6fcdd7c 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
@@ -273,6 +273,25 @@
sid: eeprom@1c14000 {
compatible = "allwinner,sun50i-a64-sid";
reg = <0x1c14000 0x400>;
+
+   ths_calib: calib@234 {
+   reg = <0x234 0x6>;
+   };
+   };
+
+   ths: thermal_sensor@1c25000 {
+   compatible = "allwinner,sun50i-a64-ths";
+   reg = <0x01c25000 0x100>;
+   interrupts = ;
+   clocks = <&ccu CLK_BUS_THS>, <&ccu CLK_THS>;
+   clock-names = "apb", "ths";
+   resets = <&ccu RST_BUS_THS>;
+   reset-names = "apb";
+   #thermal-sensor-cells = <2>;
+   status = "disabled";
+
+   nvmem-cells = <&ths_calib>;
+   nvmem-cell-names = "ths-calib";
};
 
usb_otg: usb@1c19000 {
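Review bot: the new node is named thermal_sensor@1c25000; device tree node names use hyphens rather than underscores, so this should be thermal-sensor@1c25000 (the ths: label can stay as it is). The calibration cell here is declared 0x6 bytes long; a short comment on what those bytes hold would help whoever reads the cell in the driver.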
-- 
2.18.0



[PATCH 7/7] arm64: dts: allwinner: H5: Enable the THS on H5 boards

2018-08-04 Thread Emmanuel Vadot
Enable the Thermal Sensor Controller on all H5 boards.

Signed-off-by: Emmanuel Vadot 
---
 arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo-plus2.dts  | 4 
 arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts   | 4 
 arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-pc2.dts  | 4 
 arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-prime.dts| 4 
 .../arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts | 4 
 .../boot/dts/allwinner/sun50i-h5-orangepi-zero-plus2.dts  | 4 
 6 files changed, 24 insertions(+)

diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo-plus2.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo-plus2.dts
index 506e25ba028a..767826684d2a 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo-plus2.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo-plus2.dts
@@ -189,6 +189,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts
index cc268a69786c..dc49cc942fa9 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts
@@ -140,6 +140,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-pc2.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-pc2.dts
index 3e0d5a9c096d..6ffd048c0d93 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-pc2.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-pc2.dts
@@ -219,6 +219,10 @@
};
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-prime.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-prime.dts
index b75ca4d7d001..07819747a731 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-prime.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-prime.dts
@@ -222,6 +222,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
index 1238de25a969..405440fedd1e 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
@@ -125,6 +125,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus2.dts 
b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus2.dts
index 53c8c11620e0..09d2bbefcefa 100644
--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus2.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus2.dts
@@ -132,6 +132,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
-- 
2.18.0



[PATCH 2/7] ARM: dts: sun8i: h3: Add thermal sensor controller node

2018-08-04 Thread Emmanuel Vadot
This adds the ths controller for the H3 and the nvmem cell for the
calibration data on the sid node.

Signed-off-by: Emmanuel Vadot 
---
 arch/arm/boot/dts/sun8i-h3.dtsi | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/arch/arm/boot/dts/sun8i-h3.dtsi b/arch/arm/boot/dts/sun8i-h3.dtsi
index 281038a7d7b4..fcfcd50b398a 100644
--- a/arch/arm/boot/dts/sun8i-h3.dtsi
+++ b/arch/arm/boot/dts/sun8i-h3.dtsi
@@ -145,6 +145,25 @@
sid: eeprom@1c14000 {
compatible = "allwinner,sun8i-h3-sid";
reg = <0x1c14000 0x400>;
+
+   ths_calib: calib@234 {
+   reg = <0x234 0x2>;
+   };
+   };
+
+   ths: thermal_sensor@1c25000 {
+   compatible = "allwinner,sun8i-h3-ths";
+   reg = <0x01c25000 0x100>;
+   interrupts = ;
+   clocks = <&ccu CLK_BUS_THS>, <&ccu CLK_THS>;
+   clock-names = "apb", "ths";
+   resets = <&ccu RST_BUS_THS>;
+   reset-names = "apb";
+   #thermal-sensor-cells = <0>;
+   status = "disabled";
+
+   nvmem-cells = <&ths_calib>;
+   nvmem-cell-names = "ths-calib";
};
 
mali: gpu@1c4 {
-- 
2.18.0



[PATCH 5/7] ARM: dts: sun8i: h3: Enable the THS on H3 boards

2018-08-04 Thread Emmanuel Vadot
Enable the Thermal Sensor Controller on all H3 boards.

Signed-off-by: Emmanuel Vadot 
---
 arch/arm/boot/dts/sun8i-h3-bananapi-m2-plus.dts | 4 
 arch/arm/boot/dts/sun8i-h3-beelink-x2.dts   | 4 
 arch/arm/boot/dts/sun8i-h3-nanopi-m1-plus.dts   | 4 
 arch/arm/boot/dts/sun8i-h3-nanopi-m1.dts| 4 
 arch/arm/boot/dts/sun8i-h3-nanopi-neo-air.dts   | 4 
 arch/arm/boot/dts/sun8i-h3-nanopi-neo.dts   | 4 
 arch/arm/boot/dts/sun8i-h3-nanopi.dtsi  | 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-2.dts   | 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-lite.dts| 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-one.dts | 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-pc-plus.dts | 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-pc.dts  | 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-plus.dts| 4 
 arch/arm/boot/dts/sun8i-h3-orangepi-plus2e.dts  | 4 
 14 files changed, 56 insertions(+)

diff --git a/arch/arm/boot/dts/sun8i-h3-bananapi-m2-plus.dts 
b/arch/arm/boot/dts/sun8i-h3-bananapi-m2-plus.dts
index 30540dc8e0c5..e6cf879f7324 100644
--- a/arch/arm/boot/dts/sun8i-h3-bananapi-m2-plus.dts
+++ b/arch/arm/boot/dts/sun8i-h3-bananapi-m2-plus.dts
@@ -211,6 +211,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts 
b/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts
index 5d23667dc2d2..d95269df8dca 100644
--- a/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts
+++ b/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts
@@ -197,6 +197,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm/boot/dts/sun8i-h3-nanopi-m1-plus.dts 
b/arch/arm/boot/dts/sun8i-h3-nanopi-m1-plus.dts
index 65cba1050802..9858ca42a826 100644
--- a/arch/arm/boot/dts/sun8i-h3-nanopi-m1-plus.dts
+++ b/arch/arm/boot/dts/sun8i-h3-nanopi-m1-plus.dts
@@ -135,6 +135,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart3 {
pinctrl-names = "default";
pinctrl-0 = <&uart3_pins>, <&uart3_rts_cts_pins>;
diff --git a/arch/arm/boot/dts/sun8i-h3-nanopi-m1.dts 
b/arch/arm/boot/dts/sun8i-h3-nanopi-m1.dts
index 9412668bb888..ad9df48f86fa 100644
--- a/arch/arm/boot/dts/sun8i-h3-nanopi-m1.dts
+++ b/arch/arm/boot/dts/sun8i-h3-nanopi-m1.dts
@@ -104,3 +104,7 @@
 &ohci2 {
status = "okay";
 };
+
+&ths {
+   status = "okay";
+};
diff --git a/arch/arm/boot/dts/sun8i-h3-nanopi-neo-air.dts 
b/arch/arm/boot/dts/sun8i-h3-nanopi-neo-air.dts
index 6246d3eff39d..2a21dfedfc31 100644
--- a/arch/arm/boot/dts/sun8i-h3-nanopi-neo-air.dts
+++ b/arch/arm/boot/dts/sun8i-h3-nanopi-neo-air.dts
@@ -103,6 +103,10 @@
};
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm/boot/dts/sun8i-h3-nanopi-neo.dts 
b/arch/arm/boot/dts/sun8i-h3-nanopi-neo.dts
index 9f33f6fae595..1122ac363f55 100644
--- a/arch/arm/boot/dts/sun8i-h3-nanopi-neo.dts
+++ b/arch/arm/boot/dts/sun8i-h3-nanopi-neo.dts
@@ -62,6 +62,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &usb_otg {
status = "okay";
dr_mode = "peripheral";
diff --git a/arch/arm/boot/dts/sun8i-h3-nanopi.dtsi 
b/arch/arm/boot/dts/sun8i-h3-nanopi.dtsi
index f110ee382239..7166f6af530b 100644
--- a/arch/arm/boot/dts/sun8i-h3-nanopi.dtsi
+++ b/arch/arm/boot/dts/sun8i-h3-nanopi.dtsi
@@ -123,6 +123,10 @@
};
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
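Review bot: this hunk enables &ths in sun8i-h3-nanopi.dtsi, and the same patch also enables it in the individual nanopi-m1, nanopi-m1-plus, nanopi-neo and nanopi-neo-air .dts files. If those board files include this dtsi, the per-board overrides are redundant and only one of the two places should carry the enable.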
diff --git a/arch/arm/boot/dts/sun8i-h3-orangepi-2.dts 
b/arch/arm/boot/dts/sun8i-h3-orangepi-2.dts
index f1fc6bdca8be..0aa15832e9a1 100644
--- a/arch/arm/boot/dts/sun8i-h3-orangepi-2.dts
+++ b/arch/arm/boot/dts/sun8i-h3-orangepi-2.dts
@@ -208,6 +208,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm/boot/dts/sun8i-h3-orangepi-lite.dts 
b/arch/arm/boot/dts/sun8i-h3-orangepi-lite.dts
index 476ae8e387ca..f78aaec27a8f 100644
--- a/arch/arm/boot/dts/sun8i-h3-orangepi-lite.dts
+++ b/arch/arm/boot/dts/sun8i-h3-orangepi-lite.dts
@@ -179,6 +179,10 @@
};
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts 
b/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts
index 245fd658defb..221d130b4153 100644
--- a/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts
+++ b/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts
@@ -190,6 +190,10 @@
status = "okay";
 };
 
+&ths {
+   status = "okay";
+};
+
 &uart0 {
pinctrl-names = "default";
pinctrl-0 = <&uart0_pins_a>;
diff --git a/arch/ar

[PATCH] Staging: rtlwifi: base: fixed a brace coding style issue

2018-08-04 Thread Sohil Ladhani
Fixed a coding style issue

Signed-off-by: Sohil Ladhani 
---
 drivers/staging/rtlwifi/base.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtlwifi/base.c b/drivers/staging/rtlwifi/base.c
index 094827c1879a..654aa4e068ba 100644
--- a/drivers/staging/rtlwifi/base.c
+++ b/drivers/staging/rtlwifi/base.c
@@ -685,9 +685,8 @@ static void _rtl_query_protection_mode(struct ieee80211_hw 
*hw,
}
 }
 
-u8 rtl_mrate_idx_to_arfr_id(
-   struct ieee80211_hw *hw, u8 rate_index,
-   enum wireless_mode wirelessmode)
+u8 rtl_mrate_idx_to_arfr_id(struct ieee80211_hw *hw, u8 rate_index,
+   enum wireless_mode wirelessmode)
 {
struct rtl_priv *rtlpriv = rtl_priv(hw);
struct rtl_phy *rtlphy = &rtlpriv->phy;
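Review bot: the subject calls this a brace coding style issue, but the hunk touches no braces; the only change is to the declaration of rtl_mrate_idx_to_arfr_id(), whose first line no longer ends with '('. The subject and the one-line changelog should name the checkpatch warning that is actually being fixed.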
-- 
2.18.0



Re: [PATCH] Staging: rtlwifi: base: fixed a brace coding style issue

2018-08-04 Thread Julia Lawall



On Sat, 4 Aug 2018, Sohil Ladhani wrote:

> Fixed a coding style issue

This seems to fix the header problem.  But it is a patch on the same code
at the same place doing the same thing as the previous message.  So you
should say [PATCH v2] in the subject line, and then below the --- explain
what has changed as compared to the previous submission.

julia

>
> Signed-off-by: Sohil Ladhani 
> ---
>  drivers/staging/rtlwifi/base.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/rtlwifi/base.c b/drivers/staging/rtlwifi/base.c
> index 094827c1879a..654aa4e068ba 100644
> --- a/drivers/staging/rtlwifi/base.c
> +++ b/drivers/staging/rtlwifi/base.c
> @@ -685,9 +685,8 @@ static void _rtl_query_protection_mode(struct 
> ieee80211_hw *hw,
>   }
>  }
>
> -u8 rtl_mrate_idx_to_arfr_id(
> - struct ieee80211_hw *hw, u8 rate_index,
> - enum wireless_mode wirelessmode)
> +u8 rtl_mrate_idx_to_arfr_id(struct ieee80211_hw *hw, u8 rate_index,
> + enum wireless_mode wirelessmode)
>  {
>   struct rtl_priv *rtlpriv = rtl_priv(hw);
>   struct rtl_phy *rtlphy = &rtlpriv->phy;
> --
> 2.18.0
>
>


[PATCH v0] clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399

2018-08-04 Thread djw
From: Levin Du 

PWM2 is commonly used to control voltage of PWM regulator of VDD_LOG in
RK3399. On the Firefly-RK3399 board, PWM2 outputs 40 KHz square wave
from power on and the VDD_LOG is about 0.9V. When the kernel boots
normally into the system, the PWM2 keeps outputting PWM signal.

But the kernel hangs randomly after "Starting kernel ..." line on that
board. When it happens, PWM2 outputs high level which causes VDD_LOG
to drop to 0.4V below the normal operating voltage.

By adding "pclk_rkpwm_pmu" to the rk3399_pmucru_critical_clocks array,
PWM clock is ensured to be prepared at startup and the PWM2 output is
normal. After repeated tests, the early boot hang is gone.

This patch works on both Firefly-RK3399 and ROC-RK3399-PC boards.

Signed-off-by: Levin Du 

---

 drivers/clk/rockchip/clk-rk3399.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/clk/rockchip/clk-rk3399.c 
b/drivers/clk/rockchip/clk-rk3399.c
index 2a8634a..5a62814 100644
--- a/drivers/clk/rockchip/clk-rk3399.c
+++ b/drivers/clk/rockchip/clk-rk3399.c
@@ -1523,6 +1523,7 @@ static const char *const rk3399_pmucru_critical_clocks[] 
__initconst = {
"pclk_pmu_src",
"fclk_cm0s_src_pmu",
"clk_timer_src_pmu",
+   "pclk_rkpwm_pmu",
 };
 
 static void __init rk3399_clk_init(struct device_node *np)
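Review bot: the new "pclk_rkpwm_pmu" entry in rk3399_pmucru_critical_clocks has no comment, so the reason it must never be gated exists only in the commit message. A one-line comment beside the entry (PWM2 drives the VDD_LOG regulator on these boards) would keep it from being removed later. Because the array applies to every RK3399 board, the changelog should also say whether keeping this clock running is acceptable on boards where PWM2 does not feed VDD_LOG, or whether the regulator consumer should hold the clock instead.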
-- 
2.7.4




[PATCH] Staging: rtlwifi: base: Fixed line ending with parentheses

2018-08-04 Thread Sohil Ladhani
This patch fixes the "Lines should not end with a '('" problem reported by
checkpatch

Signed-off-by: Sohil Ladhani 
---
 drivers/staging/rtlwifi/base.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtlwifi/base.c b/drivers/staging/rtlwifi/base.c
index 094827c1879a..654aa4e068ba 100644
--- a/drivers/staging/rtlwifi/base.c
+++ b/drivers/staging/rtlwifi/base.c
@@ -685,9 +685,8 @@ static void _rtl_query_protection_mode(struct ieee80211_hw 
*hw,
}
 }
 
-u8 rtl_mrate_idx_to_arfr_id(
-   struct ieee80211_hw *hw, u8 rate_index,
-   enum wireless_mode wirelessmode)
+u8 rtl_mrate_idx_to_arfr_id(struct ieee80211_hw *hw, u8 rate_index,
+   enum wireless_mode wirelessmode)
 {
struct rtl_priv *rtlpriv = rtl_priv(hw);
struct rtl_phy *rtlphy = &rtlpriv->phy;
-- 
2.18.0



Re: [PATCH] Staging: rtlwifi: base: Fixed line ending with parentheses

2018-08-04 Thread Julia Lawall



On Sat, 4 Aug 2018, Sohil Ladhani wrote:

> This patch fixes the "Lines should not end with a '('" problem reported by
> checkpatch

There is still no v2 in the subject line, or explanation of what has
changed under the --- (I assume this is still the same place and the same
code; I didn't keep the old versions to check).

julia

>
> Signed-off-by: Sohil Ladhani 
> ---
>  drivers/staging/rtlwifi/base.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/rtlwifi/base.c b/drivers/staging/rtlwifi/base.c
> index 094827c1879a..654aa4e068ba 100644
> --- a/drivers/staging/rtlwifi/base.c
> +++ b/drivers/staging/rtlwifi/base.c
> @@ -685,9 +685,8 @@ static void _rtl_query_protection_mode(struct 
> ieee80211_hw *hw,
>   }
>  }
>
> -u8 rtl_mrate_idx_to_arfr_id(
> - struct ieee80211_hw *hw, u8 rate_index,
> - enum wireless_mode wirelessmode)
> +u8 rtl_mrate_idx_to_arfr_id(struct ieee80211_hw *hw, u8 rate_index,
> + enum wireless_mode wirelessmode)
>  {
>   struct rtl_priv *rtlpriv = rtl_priv(hw);
>   struct rtl_phy *rtlphy = &rtlpriv->phy;
> --
> 2.18.0
>
>


[PATCH 3/8] RISC-V: remove INTERRUPT_CAUSE_* defines from asm/irq.h

2018-08-04 Thread Christoph Hellwig
These are only of use to the local irq controller driver, so add them in
that driver implementation instead, which will be submitted soon.

Signed-off-by: Christoph Hellwig 
---
 arch/riscv/include/asm/irq.h | 4 
 1 file changed, 4 deletions(-)

diff --git a/arch/riscv/include/asm/irq.h b/arch/riscv/include/asm/irq.h
index c871661c9df4..996b6fbe17a6 100644
--- a/arch/riscv/include/asm/irq.h
+++ b/arch/riscv/include/asm/irq.h
@@ -17,10 +17,6 @@
 
 #define NR_IRQS 0
 
-#define INTERRUPT_CAUSE_SOFTWARE1
-#define INTERRUPT_CAUSE_TIMER   5
-#define INTERRUPT_CAUSE_EXTERNAL9
-
 void riscv_timer_interrupt(void);
 void riscv_software_interrupt(void);
 
-- 
2.18.0



[PATCH 1/8] RISC-V: remove timer leftovers

2018-08-04 Thread Christoph Hellwig
This code is currently unused and will be added back later in a different
place with the real interrupt and clocksource support.

Signed-off-by: Christoph Hellwig 
---
 arch/riscv/kernel/time.c | 21 -
 1 file changed, 21 deletions(-)

diff --git a/arch/riscv/kernel/time.c b/arch/riscv/kernel/time.c
index 2463fcca719e..0df9b2cbd645 100644
--- a/arch/riscv/kernel/time.c
+++ b/arch/riscv/kernel/time.c
@@ -13,32 +13,11 @@
  */
 
 #include 
-#include 
 #include 
-
-#ifdef CONFIG_RISCV_TIMER
-#include 
-#endif
-
 #include 
 
 unsigned long riscv_timebase;
 
-DECLARE_PER_CPU(struct clock_event_device, riscv_clock_event);
-
-void riscv_timer_interrupt(void)
-{
-#ifdef CONFIG_RISCV_TIMER
-   /*
-* FIXME: This needs to be cleaned up along with the rest of the IRQ
-* handling cleanup.  See irq.c for more details.
-*/
-   struct clock_event_device *evdev = this_cpu_ptr(&riscv_clock_event);
-
-   evdev->event_handler(evdev);
-#endif
-}
-
 void __init init_clockevent(void)
 {
timer_probe();
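Review bot: the definition of riscv_timer_interrupt() is removed here, but the context lines of patches 2/8 and 3/8 in this series still show its prototype in asm/irq.h. Either drop the declaration in this patch as well, or state in the changelog that it is kept on purpose for the later re-add, so the header does not advertise a function with no definition.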
-- 
2.18.0



[PATCH 2/8] RISC-V: simplify software interrupt / IPI code

2018-08-04 Thread Christoph Hellwig
Rename handle_ipi to riscv_software_interrupt, drop the unused return
value and move the prototype to irq.h together with riscv_timer_interrupt.
This allows simplifying the upcoming interrupt handling support.

Signed-off-by: Christoph Hellwig 
---
 arch/riscv/include/asm/irq.h | 1 +
 arch/riscv/include/asm/smp.h | 3 ---
 arch/riscv/kernel/smp.c  | 6 ++
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/arch/riscv/include/asm/irq.h b/arch/riscv/include/asm/irq.h
index 4dee9d4c13c0..c871661c9df4 100644
--- a/arch/riscv/include/asm/irq.h
+++ b/arch/riscv/include/asm/irq.h
@@ -22,6 +22,7 @@
 #define INTERRUPT_CAUSE_EXTERNAL9
 
 void riscv_timer_interrupt(void);
+void riscv_software_interrupt(void);
 
 #include 
 
diff --git a/arch/riscv/include/asm/smp.h b/arch/riscv/include/asm/smp.h
index 85e4220839b0..c9395fff246f 100644
--- a/arch/riscv/include/asm/smp.h
+++ b/arch/riscv/include/asm/smp.h
@@ -44,9 +44,6 @@ void arch_send_call_function_single_ipi(int cpu);
  */
 #define raw_smp_processor_id() (*((int*)((char*)get_current() + TASK_TI_CPU)))
 
-/* Interprocessor interrupt handler */
-irqreturn_t handle_ipi(void);
-
 #endif /* CONFIG_SMP */
 
 #endif /* _ASM_RISCV_SMP_H */
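Review bot: the handle_ipi() prototype removed in this hunk sat inside the CONFIG_SMP block, while its replacement, riscv_software_interrupt(), is declared unconditionally in asm/irq.h and is still defined in smp.c. A comment next to the new prototype saying the function exists only on SMP builds, or an #ifdef around it, would stop a non-SMP caller from compiling and then failing at link time.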
diff --git a/arch/riscv/kernel/smp.c b/arch/riscv/kernel/smp.c
index 6d3962435720..906fe21ea21b 100644
--- a/arch/riscv/kernel/smp.c
+++ b/arch/riscv/kernel/smp.c
@@ -45,7 +45,7 @@ int setup_profiling_timer(unsigned int multiplier)
return -EINVAL;
 }
 
-irqreturn_t handle_ipi(void)
+void riscv_software_interrupt(void)
 {
unsigned long *pending_ipis = &ipi_data[smp_processor_id()].bits;
 
@@ -60,7 +60,7 @@ irqreturn_t handle_ipi(void)
 
ops = xchg(pending_ipis, 0);
if (ops == 0)
-   return IRQ_HANDLED;
+   return;
 
if (ops & (1 << IPI_RESCHEDULE))
scheduler_ipi();
@@ -73,8 +73,6 @@ irqreturn_t handle_ipi(void)
/* Order data access and bit testing. */
mb();
}
-
-   return IRQ_HANDLED;
 }
 
 static void
-- 
2.18.0



[PATCH 4/8] RISC-V: add a definition for the SIE SEIE bit

2018-08-04 Thread Christoph Hellwig
This mirrors the SIE_SSIE and SETE bits that are used in a similar
fashion.

Signed-off-by: Christoph Hellwig 
---
 arch/riscv/include/asm/csr.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h
index 421fa3585798..28a0d1cb374c 100644
--- a/arch/riscv/include/asm/csr.h
+++ b/arch/riscv/include/asm/csr.h
@@ -54,6 +54,7 @@
 /* Interrupt Enable and Interrupt Pending flags */
 #define SIE_SSIE _AC(0x0002, UL) /* Software Interrupt Enable */
 #define SIE_STIE _AC(0x0020, UL) /* Timer Interrupt Enable */
+#define SIE_SEIE _AC(0x0200, UL) /* External Interrupt Enable */
 
 #define EXC_INST_MISALIGNED 0
 #define EXC_INST_ACCESS 1
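Review bot: the changelog says the new define mirrors "the SIE_SSIE and SETE bits", but the two neighbouring defines in this hunk are SIE_SSIE and SIE_STIE; the commit message should use the name that is in the header.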
-- 
2.18.0



[PATCH 5/8] RISC-V: implement low-level interrupt handling

2018-08-04 Thread Christoph Hellwig
Add support for a routine that dispatches exceptions with the interrupt
flags set to either the IPI or irqdomain code (and the clock source in the
future).

Loosely based on the irq-riscv-int.c irqchip driver from the RISC-V tree.

Signed-off-by: Christoph Hellwig 
---
 arch/riscv/kernel/entry.S |  4 +--
 arch/riscv/kernel/irq.c   | 52 ---
 2 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index 9aaf6c986771..fa2c08e3c05e 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -168,8 +168,8 @@ ENTRY(handle_exception)
 
/* Handle interrupts */
move a0, sp /* pt_regs */
-   REG_L a1, handle_arch_irq
-   jr a1
+   move a1, s4 /* scause */
+   tail do_IRQ
 1:
/* Exceptions run with interrupts enabled */
csrs sstatus, SR_SIE
diff --git a/arch/riscv/kernel/irq.c b/arch/riscv/kernel/irq.c
index 7bcdaed15703..ab5f3e22c7cc 100644
--- a/arch/riscv/kernel/irq.c
+++ b/arch/riscv/kernel/irq.c
@@ -1,21 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Copyright (C) 2012 Regents of the University of California
  * Copyright (C) 2017 SiFive
- *
- *   This program is free software; you can redistribute it and/or
- *   modify it under the terms of the GNU General Public License
- *   as published by the Free Software Foundation, version 2.
- *
- *   This program is distributed in the hope that it will be useful,
- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *   GNU General Public License for more details.
+ * Copyright (C) 2018 Christoph Hellwig
  */
 
 #include 
 #include 
 #include 
 
+/*
+ * Possible interrupt causes:
+ */
+#define INTERRUPT_CAUSE_SOFTWARE1
+#define INTERRUPT_CAUSE_TIMER   5
+#define INTERRUPT_CAUSE_EXTERNAL9
+
+/*
+ * The high order bit of the trap cause register is always set for
+ * interrupts, which allows us to differentiate them from exceptions
+ * quickly.  The INTERRUPT_CAUSE_* macros don't contain that bit, so we
+ * need to mask it off.
+ */
+#define INTERRUPT_CAUSE_FLAG   (1UL << (__riscv_xlen - 1))
+
+asmlinkage void __irq_entry do_IRQ(struct pt_regs *regs, unsigned long cause)
+{
+   struct pt_regs *old_regs = set_irq_regs(regs);
+
+   irq_enter();
+   switch (cause & ~INTERRUPT_CAUSE_FLAG) {
+#ifdef CONFIG_SMP
+   case INTERRUPT_CAUSE_SOFTWARE:
+   /*
+* We only use software interrupts to pass IPIs, so if a non-SMP
+* system gets one, then we don't know what to do.
+*/
+   riscv_software_interrupt();
+   break;
+#endif
+   case INTERRUPT_CAUSE_EXTERNAL:
+   handle_arch_irq(regs);
+   break;
+   default:
+   panic("unexpected interrupt cause");
+   }
+   irq_exit();
+
+   set_irq_regs(old_regs);
+}
+
 void __init init_IRQ(void)
 {
irqchip_init();
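Review bot: In the switch in do_IRQ(), INTERRUPT_CAUSE_TIMER is defined but has no case, so with only this patch applied a timer interrupt lands in `default:` and panics; either handle it here or say in the changelog that the case arrives later in the series. The `panic("unexpected interrupt cause")` string also drops the value, and printing `cause` would make such a report diagnosable. The comment inside the CONFIG_SMP case describes what happens on a non-SMP system, which is the behaviour of the default branch, so it would read better there.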
-- 
2.18.0



simplified RISC-V interrupt and clocksource handling v3

2018-08-04 Thread Christoph Hellwig
This series tries to add support for interrupt handling and timers
for the RISC-V architecture.

The basic per-hart interrupt handling implemented by the scause
and sie CSRs is extremely simple and implemented directly in
arch/riscv/kernel/irq.c.  In addition there is an irqchip driver
for the PLIC external interrupt controller, which is called through
the set_handle_irq API, and a clocksource driver that gets its
timer interrupt directly from the low-level interrupt handling.

Compared to previous iterations this version does not try to use an
irqchip driver for the low-level interrupt handling.  This saves
a couple indirect calls and an additional read of the scause CSR
in the hot path, makes the code much simpler and last but not least
avoids the dependency on a device tree for a mandatory architectural
feature.

A git tree is available here (contains a few more patches before
the ones in this series)

git://git.infradead.org/users/hch/riscv.git riscv-irq-simple.3

Gitweb:


http://git.infradead.org/users/hch/riscv.git/shortlog/refs/heads/riscv-irq-simple.3

Changes since v2:
 - actually use SEIE instead of STIE in the plic driver
 - rename the default compat string for the plic to sifive,u5-plic
 - various spelling fixes
 - drop a superfluous dereference in the plic driver that is taken care of
   by the following loop
 - drop the patch to document the enable method - not relevant for the
   rest of the series
 - drop the patches for the per-hart timebase frequency - not relevant
   for the rest of the series.
 - use riscv_of_processor_hart in the timer driver

Changes since v1:
 - rename the plic driver to irq-sifive-plic
 - switch to a default compatible of sifive,plic0 (still supporting the
   riscv,plic0 name for compatibility)
 - add a reference for the SiFive PLIC register layout
 - fix plic_toggle addressing for large numbers of hwirqs
 - remove the call to ack_bad_irq
 - use a raw spinlock for plic_toggle_lock
 - use the irq_desc cpumask in the plic enable/disable methods
 - add back OF contexid parsing in the plic driver
 - don't allow COMPILE_TEST builds of the clocksource driver, as it
   depends on 
 - default the clocksource driver to y
 - clean up naming in the clocksource driver
 - remove the MINDELTA and MAXDELTA #defines
 - various DT binding fixes


[PATCH 7/8] irqchip: add a SiFive PLIC driver

2018-08-04 Thread Christoph Hellwig
Adds a driver for the SiFive implementation of the RISC-V Platform Level
Interrupt Controller (PLIC).  The PLIC connects global interrupt sources
to the local interrupt controller on each hart.

This driver is based on the driver in the RISC-V tree from Palmer Dabbelt,
but has been almost entirely rewritten since, and includes many fixes
from Atish Patra.

Signed-off-by: Christoph Hellwig 
Acked-by: Thomas Gleixner 
---
 arch/riscv/configs/defconfig  |   1 +
 drivers/irqchip/Kconfig   |  12 ++
 drivers/irqchip/Makefile  |   1 +
 drivers/irqchip/irq-sifive-plic.c | 259 ++
 4 files changed, 273 insertions(+)
 create mode 100644 drivers/irqchip/irq-sifive-plic.c

diff --git a/arch/riscv/configs/defconfig b/arch/riscv/configs/defconfig
index 07326466871b..36473d7dbaac 100644
--- a/arch/riscv/configs/defconfig
+++ b/arch/riscv/configs/defconfig
@@ -76,3 +76,4 @@ CONFIG_ROOT_NFS=y
 CONFIG_CRYPTO_USER_API_HASH=y
 CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
+CONFIG_SIFIVE_PLIC=y
diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
index e9233db16e03..df345b878ac2 100644
--- a/drivers/irqchip/Kconfig
+++ b/drivers/irqchip/Kconfig
@@ -372,3 +372,15 @@ config QCOM_PDC
  IRQs for Qualcomm Technologies Inc (QTI) mobile chips.
 
 endmenu
+
+config SIFIVE_PLIC
+   bool "SiFive Platform-Level Interrupt Controller"
+   depends on RISCV
+   help
+  This enables support for the PLIC chip found in SiFive (and
+  potentially other) RISC-V systems.  The PLIC controls devices
+  interrupts and connects them to each core's local interrupt
+  controller.  Aside from timer and software interrupts, all other
+  interrupt sources are subordinate to the PLIC.
+
+  If you don't know what to do here, say Y.
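Review bot: The new `config SIFIVE_PLIC` entry is added after the `endmenu` context line, so it ends up outside the menu that holds the other irqchip options; move it above `endmenu`. In the help text, "controls devices interrupts" should read "controls device interrupts".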
diff --git a/drivers/irqchip/Makefile b/drivers/irqchip/Makefile
index 15f268f646bf..fbd1ec8070ef 100644
--- a/drivers/irqchip/Makefile
+++ b/drivers/irqchip/Makefile
@@ -87,3 +87,4 @@ obj-$(CONFIG_MESON_IRQ_GPIO)  += irq-meson-gpio.o
 obj-$(CONFIG_GOLDFISH_PIC) += irq-goldfish-pic.o
 obj-$(CONFIG_NDS32)+= irq-ativic32.o
 obj-$(CONFIG_QCOM_PDC) += qcom-pdc.o
+obj-$(CONFIG_SIFIVE_PLIC)  += irq-sifive-plic.o
diff --git a/drivers/irqchip/irq-sifive-plic.c 
b/drivers/irqchip/irq-sifive-plic.c
new file mode 100644
index ..faacf428e250
--- /dev/null
+++ b/drivers/irqchip/irq-sifive-plic.c
@@ -0,0 +1,259 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2017 SiFive
+ * Copyright (C) 2018 Christoph Hellwig
+ */
+#define pr_fmt(fmt) "plic: " fmt
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/*
+ * This driver implements a version of the RISC-V PLIC with the actual layout
+ * specified in chapter 8 of the SiFive U5 Coreplex Series Manual:
+ *
+ * https://static.dev.sifive.com/U54-MC-RVCoreIP.pdf
+ *
+ * The largest number supported by devices marked as 'riscv,plic0', is 1024, of
+ * which device 0 is defined as non-existent by the RISC-V Privileged Spec.
+ */
+
+#define MAX_DEVICES1024
+#define MAX_CONTEXTS   15872
+
+/*
+ * Each interrupt source has a priority register associated with it.
+ * We always hardwire it to one in Linux.
+ */
+#define PRIORITY_BASE  0
+#define PRIORITY_PER_ID4
+
+/*
+ * Each hart context has a vector of interrupt enable bits associated with it.
+ * There's one bit for each interrupt source.
+ */
+#define ENABLE_BASE0x2000
+#define ENABLE_PER_HART0x80
+
+/*
+ * Each hart context has a set of control registers associated with it.  Right
+ * now there's only two: a source priority threshold over which the hart will
+ * take an interrupt, and a register to claim interrupts.
+ */
+#define CONTEXT_BASE   0x20
+#define CONTEXT_PER_HART   0x1000
+#define CONTEXT_THRESHOLD  0x00
+#define CONTEXT_CLAIM  0x04
+
+static void __iomem *plic_regs;
+
+struct plic_handler {
+   boolpresent;
+   int ctxid;
+};
+static DEFINE_PER_CPU(struct plic_handler, plic_handlers);
+
+static inline void __iomem *plic_hart_offset(int ctxid)
+{
+   return plic_regs + CONTEXT_BASE + ctxid * CONTEXT_PER_HART;
+}
+
+static inline u32 __iomem *plic_enable_base(int ctxid)
+{
+   return plic_regs + ENABLE_BASE + ctxid * ENABLE_PER_HART;
+}
+
+/*
+ * Protect mask operations on the registers given that we can't assume that
+ * atomic memory operations work on them.
+ */
+static DEFINE_RAW_SPINLOCK(plic_toggle_lock);
+
+static inline void plic_toggle(int ctxid, int hwirq, int enable)
+{
+   u32 __iomem *reg = plic_enable_base(ctxid) + (hwirq / 32);
+   u32 hwirq_mask = 1 << (hwirq % 32);
+
+   raw_spin_lock(&plic_toggle_lock);
+   if 
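Review bot: In plic_toggle(), `u32 hwirq_mask = 1 << (hwirq % 32);` shifts a signed int, which is undefined for bit 31; use `1U <<` or BIT(). hwirq and ctxid are also plain ints that feed straight into the register address arithmetic in plic_enable_base() and plic_hart_offset(), so the visible code depends on callers keeping them within MAX_DEVICES and MAX_CONTEXTS; making them unsigned or adding a range check would make that explicit.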

[PATCH 8/8] clocksource: new RISC-V SBI timer driver

2018-08-04 Thread Christoph Hellwig
From: Palmer Dabbelt 

The RISC-V ISA defines a per-hart real-time clock and timer, which is
present on all systems.  The clock is accessed via the 'rdtime'
pseudo-instruction (which reads a CSR), and the timer is set via an SBI
call.

Contains various improvements from Atish Patra.

Signed-off-by: Dmitriy Cherkasov 
Signed-off-by: Palmer Dabbelt 
[hch: remove dead code, add SPDX tags, used riscv_of_processor_hart(),
 minor cleanups, merged  hotplug cpu support and other improvements
 from Atish]
Signed-off-by: Christoph Hellwig 
Acked-by: Thomas Gleixner 
Reviewed-by: Atish Patra 
---
 arch/riscv/include/asm/smp.h  |   3 -
 arch/riscv/kernel/irq.c   |   3 +
 arch/riscv/kernel/smpboot.c   |   1 -
 arch/riscv/kernel/time.c  |   9 +--
 drivers/clocksource/Kconfig   |  11 
 drivers/clocksource/Makefile  |   1 +
 drivers/clocksource/riscv_timer.c | 105 ++
 include/linux/cpuhotplug.h|   1 +
 8 files changed, 122 insertions(+), 12 deletions(-)
 create mode 100644 drivers/clocksource/riscv_timer.c

diff --git a/arch/riscv/include/asm/smp.h b/arch/riscv/include/asm/smp.h
index c9395fff246f..36016845461d 100644
--- a/arch/riscv/include/asm/smp.h
+++ b/arch/riscv/include/asm/smp.h
@@ -24,9 +24,6 @@
 
 #ifdef CONFIG_SMP
 
-/* SMP initialization hook for setup_arch */
-void __init init_clockevent(void);
-
 /* SMP initialization hook for setup_arch */
 void __init setup_smp(void);
 
diff --git a/arch/riscv/kernel/irq.c b/arch/riscv/kernel/irq.c
index ab5f3e22c7cc..0cfac48a1272 100644
--- a/arch/riscv/kernel/irq.c
+++ b/arch/riscv/kernel/irq.c
@@ -30,6 +30,9 @@ asmlinkage void __irq_entry do_IRQ(struct pt_regs *regs, 
unsigned long cause)
 
irq_enter();
switch (cause & ~INTERRUPT_CAUSE_FLAG) {
+   case INTERRUPT_CAUSE_TIMER:
+   riscv_timer_interrupt();
+   break;
 #ifdef CONFIG_SMP
case INTERRUPT_CAUSE_SOFTWARE:
/*
diff --git a/arch/riscv/kernel/smpboot.c b/arch/riscv/kernel/smpboot.c
index f741458c5a3f..56abab6a9812 100644
--- a/arch/riscv/kernel/smpboot.c
+++ b/arch/riscv/kernel/smpboot.c
@@ -104,7 +104,6 @@ asmlinkage void __init smp_callin(void)
current->active_mm = mm;
 
trap_init();
-   init_clockevent();
notify_cpu_starting(smp_processor_id());
set_cpu_online(smp_processor_id(), 1);
local_flush_tlb_all();
diff --git a/arch/riscv/kernel/time.c b/arch/riscv/kernel/time.c
index 0df9b2cbd645..1911c8f6b8a6 100644
--- a/arch/riscv/kernel/time.c
+++ b/arch/riscv/kernel/time.c
@@ -18,12 +18,6 @@
 
 unsigned long riscv_timebase;
 
-void __init init_clockevent(void)
-{
-   timer_probe();
-   csr_set(sie, SIE_STIE);
-}
-
 void __init time_init(void)
 {
struct device_node *cpu;
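Review bot: The removed init_clockevent() did two things, timer_probe() and `csr_set(sie, SIE_STIE)`, and only timer_probe() is carried over into time_init() by this patch. The changelog should state where the supervisor timer interrupt is now enabled for the boot hart and for secondary harts, since smp_callin() loses its init_clockevent() call as well.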
@@ -35,6 +29,5 @@ void __init time_init(void)
riscv_timebase = prop;
 
lpj_fine = riscv_timebase / HZ;
-
-   init_clockevent();
+   timer_probe();
 }
diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
index dec0dd88ec15..a11f4ba98b05 100644
--- a/drivers/clocksource/Kconfig
+++ b/drivers/clocksource/Kconfig
@@ -609,4 +609,15 @@ config ATCPIT100_TIMER
help
  This option enables support for the Andestech ATCPIT100 timers.
 
+config RISCV_TIMER
+   bool "Timer for the RISC-V platform"
+   depends on RISCV
+   default y
+   select TIMER_PROBE
+   select TIMER_OF
+   help
+ This enables the per-hart timer built into all RISC-V systems, which
+ is accessed via both the SBI and the rdcycle instruction.  This is
+ required for all RISC-V systems.
+
 endmenu
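Review bot: RISCV_TIMER gets a prompt and `default y`, yet its help text says it is required for all RISC-V systems and do_IRQ() now calls riscv_timer_interrupt() unconditionally, so as far as this patch shows a configuration with the option switched off has nothing to provide that function. Consider dropping the prompt and selecting the option from the architecture instead.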
diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile
index 00caf37e52f9..ded31f720bd9 100644
--- a/drivers/clocksource/Makefile
+++ b/drivers/clocksource/Makefile
@@ -78,3 +78,4 @@ obj-$(CONFIG_H8300_TPU)   += h8300_tpu.o
 obj-$(CONFIG_CLKSRC_ST_LPC)+= clksrc_st_lpc.o
 obj-$(CONFIG_X86_NUMACHIP) += numachip.o
 obj-$(CONFIG_ATCPIT100_TIMER)  += timer-atcpit100.o
+obj-$(CONFIG_RISCV_TIMER)  += riscv_timer.o
diff --git a/drivers/clocksource/riscv_timer.c 
b/drivers/clocksource/riscv_timer.c
new file mode 100644
index ..4e8b347e43e2
--- /dev/null
+++ b/drivers/clocksource/riscv_timer.c
@@ -0,0 +1,105 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2012 Regents of the University of California
+ * Copyright (C) 2017 SiFive
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/*
+ * All RISC-V systems have a timer attached to every hart.  These timers can be
+ * read by the 'rdcycle' pseudo instruction, and can use the SBI to setup
+ * events.  In order to abstract the architecture-specific timer reading and
+ * setting functions away from the clock event insertion code, we provide
+ * function pointers to the clockevent subsystem that perform two basic
+ * operations: rdtime() re
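Review bot: The header comment says the timers are read by the 'rdcycle' pseudo instruction but then names the operation rdtime(), and the changelog also says 'rdtime'. The comment (and the matching Kconfig help text) should name the one counter the driver actually reads.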

[PATCH 6/8] dt-bindings: interrupt-controller: RISC-V PLIC documentation

2018-08-04 Thread Christoph Hellwig
From: Palmer Dabbelt 

This patch adds documentation for the platform-level interrupt
controller (PLIC) found in all RISC-V systems.  This interrupt
controller routes interrupts from all the devices in the system to each
hart-local interrupt controller.

Note: the DTS bindings for the PLIC aren't set in stone yet, as we might
want to change how we're specifying holes in the hart list.

Signed-off-by: Palmer Dabbelt 
[hch: various fixes and updates]
Signed-off-by: Christoph Hellwig 
---
 .../interrupt-controller/sifive,plic0.txt | 57 +++
 1 file changed, 57 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/interrupt-controller/sifive,plic0.txt

diff --git 
a/Documentation/devicetree/bindings/interrupt-controller/sifive,plic0.txt 
b/Documentation/devicetree/bindings/interrupt-controller/sifive,plic0.txt
new file mode 100644
index ..bbfa61cf8d3f
--- /dev/null
+++ b/Documentation/devicetree/bindings/interrupt-controller/sifive,plic0.txt
@@ -0,0 +1,57 @@
+SiFive Platform-Level Interrupt Controller (PLIC)
+-
+
+SiFive SOCs include an implementation of the Platform-Level Interrupt 
Controller
+(PLIC) high-level specification in the RISC-V Privileged Architecture
+specification.  The PLIC connects all external interrupts in the system to all
+hart contexts in the system, via the external interrupt source in each hart.
+
+A hart context is a privilege mode in a hardware execution thread.  For 
example,
+in an 4 core system with 2-way SMT, you have 8 harts and probably at least two
+privilege modes per hart; machine mode and supervisor mode.
+
+Each interrupt can be enabled on per-context basis.  Any context can claim
+a pending enabled interrupt and then release it once it has been handled.
+
+Each interrupt has a configurable priority.  Higher priority interrupts are
+serviced first.  Each context can specify a priority threshold. Interrupts
+with priority below this threshold will not cause the PLIC to raise its
+interrupt line leading to the context.
+
+While the PLIC supports both edge-triggered and level-triggered interrupts,
+interrupt handlers are oblivious to this distinction and therefore it is not
+specified in the PLIC device-tree binding.
+
+While the RISC-V ISA doesn't specify a memory layout for the PLIC, the
+"sifive,plic0" device is a concrete implementation of the PLIC that contains a
+specific memory layout, which is documented in chapter 8 of the SiFive U5
+Coreplex Series Manual .
+
+Required properties:
+- compatible : "sifive,plic0".
+- #address-cells : should be <0>.
+- #interrupt-cells : should be <1>.
+- interrupt-controller : Identifies the node as an interrupt controller.
+- reg : Should contain 1 register range (address and length).
+- interrupts-extended : Specifies which contexts are connected to the PLIC,
+  with "-1" specifying that a context is not present.  The nodes pointed
+  to should be "riscv" HART nodes, or eventually be parented by such nodes.
+- riscv,ndev: Specifies how many external interrupts are supported by
+  this controller.
+
+Example:
+
+   plic: interrupt-controller@c00 {
+   #address-cells = <0>;
+   #interrupt-cells = <1>;
+   compatible = "riscv,plic0";
+   interrupt-controller;
+   interrupts-extended = <
+   &cpu0-intc 11
+   &cpu1-intc 11 &cpu1-intc 9
+   &cpu2-intc 11 &cpu2-intc 9
+   &cpu3-intc 11 &cpu3-intc 9
+   &cpu4-intc 11 &cpu4-intc 9>;
+   reg = <0xc00 0x400>;
+   riscv,ndev = <10>;
+   };
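Review bot: The example node uses `compatible = "riscv,plic0"` while the required-properties list says the compatible is "sifive,plic0"; the example should match the binding it documents. The interrupts-extended description mentions "-1" for an absent context but the example shows no such entry, and "in an 4 core system" should read "in a 4 core system".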
-- 
2.18.0



Re: [PATCH] RISC-V: Don't use a global include guard for uapi/asm/syscalls.h

2018-08-04 Thread Christoph Hellwig
> index 818655b0d535..882a6aa09a33 100644
> --- a/arch/riscv/include/uapi/asm/syscalls.h
> +++ b/arch/riscv/include/uapi/asm/syscalls.h
> @@ -1,10 +1,11 @@
> -/* SPDX-License-Identifier: GPL-2.0 */
> +// SPDX-License-Identifier: GPL-2.0

/* */ is the required style for headers, // is only for other files.

> +/* There is explicitly no include guard here because this file is expected to
> + * be included multiple times in order to define the syscall macros via
> + * __SYSCALL. */

Normal Linux comment style would be:

/*
 * There is explicitly no include guard here because this file is expected to
 * be included multiple times in order to define the syscall macros via
 * __SYSCALL.
 */

Also syscalls.h isn't included directly anywhere, but through
, so we'll probably need a similar comment there as well.


[PATCH 4.17 13/31] can: ems_usb: Fix memory leak on ems_usb_disconnect()

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Anton Vasilyev 

commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.

ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
is no deallocation of it in ems_usb_disconnect().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev 
Cc: 
Signed-off-by: Marc Kleine-Budde 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/can/usb/ems_usb.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1072,6 +1072,7 @@ static void ems_usb_disconnect(struct us
usb_free_urb(dev->intr_urb);
 
kfree(dev->intr_in_buffer);
+   kfree(dev->tx_msg_buffer);
}
 }
 




[PATCH 4.17 10/31] net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Feras Daoud 

[ Upstream commit 8e1d162d8e81838119de18b4ca1e302ce906f2a6 ]

After introduction of the cited commit, mlx5e_build_nic_params
receives the netdevice mtu in order to set the sw_mtu of mlx5e_params.
For enhanced IPoIB, the netdevice mtu is not set in this stage,
therefore, the initial sw_mtu equals zero. As a result, the hw_mtu
of the receive queue will be calculated incorrectly causing traffic
issues.

To fix this issue, query for port mtu before building the nic params.

Fixes: 472a1e44b349 ("net/mlx5e: Save MTU in channels params")
Signed-off-by: Feras Daoud 
Reviewed-by: Tariq Toukan 
Signed-off-by: Saeed Mahameed 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c |4 
 1 file changed, 4 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
@@ -76,6 +76,7 @@ void mlx5i_init(struct mlx5_core_dev *md
void *ppriv)
 {
struct mlx5e_priv *priv  = mlx5i_epriv(netdev);
+   u16 max_mtu;
 
/* priv init */
priv->mdev= mdev;
@@ -84,6 +85,9 @@ void mlx5i_init(struct mlx5_core_dev *md
priv->ppriv   = ppriv;
mutex_init(&priv->state_lock);
 
+   mlx5_query_port_max_mtu(mdev, &max_mtu, 1);
+   netdev->mtu = max_mtu;
+
mlx5e_build_nic_params(mdev, &priv->channels.params,
   profile->max_nch(mdev), netdev->mtu);
mlx5i_build_nic_params(mdev, &priv->channels.params);
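Review bot: In mlx5i_init(), `max_mtu` is declared without an initializer and copied into netdev->mtu right after mlx5_query_port_max_mtu(), with nothing in the hunk handling a failed query. Initialize it or fall back to a defined default so mlx5e_build_nic_params() never receives an indeterminate MTU. The literal port number `1` would also be clearer as a named constant.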




[PATCH 4.17 11/31] squashfs: more metadata hardening

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Linus Torvalds 

commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.

Anatoly reports another squashfs fuzzing issue, where the decompression
parameters themselves are in a compressed block.

This causes squashfs_read_data() to be called in order to read the
decompression options before the decompression stream having been set
up, making squashfs go sideways.

Reported-by: Anatoly Trosinenko 
Acked-by: Phillip Lougher 
Cc: sta...@kernel.org
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/squashfs/block.c |2 ++
 1 file changed, 2 insertions(+)

--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_bloc
}
 
if (compressed) {
+   if (!msblk->stream)
+   goto read_failure;
length = squashfs_decompress(msblk, bh, b, offset, length,
output);
if (length < 0)
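Review bot: The new `if (!msblk->stream) goto read_failure;` in the compressed branch has no comment saying when the stream can be NULL; the changelog explains it (compression options being read before the decompressor is set up), and one line to that effect above the check would stop it looking like dead code. Since `bh` is already populated when it is handed to squashfs_decompress() on the next line, please also confirm that the read_failure path releases those buffers.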




[PATCH 4.17 01/31] bonding: avoid lockdep confusion in bond_get_stats()

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ]

syzbot found that the following sequence produces a LOCKDEP splat [1]

ip link add bond10 type bond
ip link add bond11 type bond
ip link set bond11 master bond10

To fix this, we can use the already provided nest_level.

This patch also provides correct nesting for dev->addr_list_lock

[1]
WARNING: possible recursive locking detected
4.18.0-rc6+ #167 Not tainted

syz-executor751/4439 is trying to acquire lock:
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock 
include/linux/spinlock.h:310 [inline]
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: 
bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426

but task is already holding lock:
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock 
include/linux/spinlock.h:310 [inline]
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: 
bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(&(&bond->stats_lock)->rlock);
  lock(&(&bond->stats_lock)->rlock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz-executor751/4439:
 #0: (ptrval) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 
net/core/rtnetlink.c:77
 #1: (ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock 
include/linux/spinlock.h:310 [inline]
 #1: (ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: 
bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
 #2: (ptrval) (rcu_read_lock){}, at: bond_get_stats+0x0/0x560 
include/linux/compiler.h:215

stack backtrace:
CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
 check_deadlock kernel/locking/lockdep.c:1809 [inline]
 validate_chain kernel/locking/lockdep.c:2405 [inline]
 __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
 dev_get_stats+0x10f/0x470 net/core/dev.c:8316
 bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
 dev_get_stats+0x10f/0x470 net/core/dev.c:8316
 rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
 rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
 rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
 rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
 rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
 rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
 call_netdevice_notifiers net/core/dev.c:1753 [inline]
 netdev_features_change net/core/dev.c:1321 [inline]
 netdev_change_features+0xb3/0x110 net/core/dev.c:7759
 bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
 bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
 bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
 dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
 dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
 sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
 sock_ioctl+0x30d/0x680 net/socket.c:1093
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Eric Dumazet 
Cc: Jay Vosburgh 
Cc: Veaceslav Falico 
C

[PATCH 4.17 17/31] x86/efi: Access EFI MMIO data as unencrypted when SEV is active

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Brijesh Singh 

commit 9b788f32bee6b0b293a4bdfca4ad4bb0206407fb upstream.

SEV guest fails to update the UEFI runtime variables stored in the
flash.

The following commit:

  1379edd59673 ("x86/efi: Access EFI data as encrypted when SEV is active")

unconditionally maps all the UEFI runtime data as 'encrypted' (C=1).

When SEV is active the UEFI runtime data marked as EFI_MEMORY_MAPPED_IO
should be mapped as 'unencrypted' so that both guest and hypervisor can
access the data.

Signed-off-by: Brijesh Singh 
Signed-off-by: Ard Biesheuvel 
Reviewed-by: Tom Lendacky 
Cc:  # 4.15.x
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: linux-...@vger.kernel.org
Fixes: 1379edd59673 ("x86/efi: Access EFI data as encrypted ...")
Link: http://lkml.kernel.org/r/20180720012846.23560-2-ard.biesheu...@linaro.org
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/platform/efi/efi_64.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -417,7 +417,7 @@ static void __init __map_region(efi_memo
if (!(md->attribute & EFI_MEMORY_WB))
flags |= _PAGE_PCD;
 
-   if (sev_active())
+   if (sev_active() && md->type != EFI_MEMORY_MAPPED_IO)
flags |= _PAGE_ENC;
 
pfn = md->phys_addr >> PAGE_SHIFT;
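Review bot: The changed condition `sev_active() && md->type != EFI_MEMORY_MAPPED_IO` deserves a comment in the code, because the reason MMIO regions must stay unencrypted (both guest and hypervisor access them) is only in the changelog. It is also worth a word that this test uses md->type while the check just above uses md->attribute, so the two EFI_MEMORY_* names are not the same kind of value.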




[PATCH 4.17 02/31] inet: frag: enforce memory limits earlier

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]

We currently check current frags memory usage only when
a new frag queue is created. This allows attackers to first
consume the memory budget (default : 4 MB) creating thousands
of frag queues, then sending tiny skbs to exceed high_thresh
limit by 2 to 3 orders of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables
for reassembly units"), work queue could be starved under DOS,
getting no cpu cycles.
After commit 648700f76b03, only the per frag queue timer can eventually
remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet 
Reported-by: Jann Horn 
Cc: Florian Westphal 
Cc: Peter Oskolkov 
Cc: Paolo Abeni 
Acked-by: Florian Westphal 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/inet_fragment.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -157,9 +157,6 @@ static struct inet_frag_queue *inet_frag
 {
struct inet_frag_queue *q;
 
-   if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh)
-   return NULL;
-
q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
if (!q)
return NULL;
@@ -204,6 +201,9 @@ struct inet_frag_queue *inet_frag_find(s
 {
struct inet_frag_queue *fq;
 
+   if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh)
+   return NULL;
+
rcu_read_lock();
 
fq = rhashtable_lookup(&nf->rhashtable, key, nf->f->rhash_params);
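Review bot: With the high_thresh test moved to the top of inet_frag_find(), the lookup now returns NULL for queues that already exist as well as for new ones, so while the netns is over its limit even fragments that would complete a pending datagram are dropped. That matches the changelog's intent, but a comment above the check should say so, and say that reclaim then depends on the per-queue timers the changelog mentions.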




[PATCH 4.17 14/31] net: socket: fix potential spectre v1 gadget in socketcall

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.

'call' is a user-controlled value, so sanitize the array index after the
bounds check to avoid speculating past the bounds of the 'nargs' array.

Found with the help of Smatch:

net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
'nargs' [r] (local cap)

Cc: Josh Poimboeuf 
Cc: sta...@vger.kernel.org
Signed-off-by: Jeremy Cline 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 net/socket.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -2526,6 +2527,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
 
if (call < 1 || call > SYS_SENDMMSG)
return -EINVAL;
+   call = array_index_nospec(call, SYS_SENDMMSG + 1);
 
len = nargs[call];
if (len > sizeof(a))
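Review bot: In the second hunk, `array_index_nospec(call, SYS_SENDMMSG + 1)` hard-codes the table size separately from the `nargs` array it protects. Using ARRAY_SIZE(nargs) as the bound would keep the clamp correct if the table and the constant ever diverge.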




[PATCH 4.17 15/31] net: socket: Fix potential spectre v1 gadget in sock_is_registered

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit e978de7a6d382ec378830ca2cf38e902df0b6d84 upstream.

'family' can be a user-controlled value, so sanitize it after the bounds
check to avoid speculative out-of-bounds access.

Cc: Josh Poimboeuf 
Cc: sta...@vger.kernel.org
Signed-off-by: Jeremy Cline 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 net/socket.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/socket.c
+++ b/net/socket.c
@@ -2694,7 +2694,8 @@ EXPORT_SYMBOL(sock_unregister);
 
 bool sock_is_registered(int family)
 {
-   return family < NPROTO && rcu_access_pointer(net_families[family]);
+   return family < NPROTO &&
+   rcu_access_pointer(net_families[array_index_nospec(family, 
NPROTO)]);
 }
 
 static int __init sock_init(void)
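Review bot: sock_is_registered() takes a signed `int family` and the check is only `family < NPROTO`, so a negative value passes the comparison and reaches the net_families[] index expression. Add `family >= 0` to the condition, or make the parameter unsigned, rather than leaving the lower bound to the clamp.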




[PATCH 4.17 03/31] ipv4: frags: handle possible skb truesize change

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]

ip_frag_queue() might call pskb_pull() on one skb that
is already in the fragment queue.

We need to take care of possible truesize change, or we
might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4,
amended by Errata ID 3089 states :

  When reassembling an IPv6 datagram, if
  one or more its constituent fragments is determined to be an
  overlapping fragment, the entire datagram (and any constituent
  fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/ip_fragment.c |5 +
 1 file changed, 5 insertions(+)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -383,11 +383,16 @@ found:
int i = end - next->ip_defrag_offset; /* overlap is 'i' bytes */
 
if (i < next->len) {
+   int delta = -next->truesize;
+
/* Eat head of the next overlapped fragment
 * and leave the loop. The next ones cannot overlap.
 */
if (!pskb_pull(next, i))
goto err;
+   delta += next->truesize;
+   if (delta)
+   add_frag_mem_limit(qp->q.net, delta);
next->ip_defrag_offset += i;
qp->q.meat -= i;
if (next->ip_summed != CHECKSUM_UNNECESSARY)
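Review bot: The `goto err` taken when pskb_pull() fails leaves before `delta` is applied, so if pskb_pull() can change next->truesize and still fail, the netns frag memory accounting stays out of balance; please confirm that cannot happen, or move the accounting so it also covers the error path. A one-line comment above `int delta = -next->truesize;` saying why truesize can change across pskb_pull() would also help the next reader.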




[PATCH 4.17 05/31] netlink: Fix spectre v1 gadget in netlink_create()

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]

'protocol' is a user-controlled value, so sanitize it after the bounds
check to avoid using it for speculative out-of-bounds access to arrays
indexed by it.

This addresses the following accesses detected with the help of smatch:

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_keys' [w]

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_key_strings' [w]

* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
  issue 'nl_table' [w] (local cap)

Cc: Josh Poimboeuf 
Signed-off-by: Jeremy Cline 
Reviewed-by: Josh Poimboeuf 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/netlink/af_netlink.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -63,6 +63,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -679,6 +680,7 @@ static int netlink_create(struct net *ne
 
if (protocol < 0 || protocol >= MAX_LINKS)
return -EPROTONOSUPPORT;
+   protocol = array_index_nospec(protocol, MAX_LINKS);
 
netlink_lock_table();
 #ifdef CONFIG_MODULES
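Review bot: The changelog lists two smatch warnings inside __netlink_create() (nlk_cb_mutex_keys and nlk_cb_mutex_key_strings), but the only clamp added is in netlink_create(), right after the `protocol >= MAX_LINKS` check. That covers them only if every path into __netlink_create() passes an already clamped value; please say so in the changelog or in a short comment above `protocol = array_index_nospec(protocol, MAX_LINKS);`, and confirm that no other caller passes a user-controlled protocol.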




[PATCH 4.17 04/31] net: dsa: Do not suspend/resume closed slave_dev

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Fainelli 

[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]

If a DSA slave network device was previously disabled, there is no need
to suspend or resume it.

Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
Signed-off-by: Florian Fainelli 
Reviewed-by: Andrew Lunn 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/dsa/slave.c |6 ++
 1 file changed, 6 insertions(+)

--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1195,6 +1195,9 @@ int dsa_slave_suspend(struct net_device
 {
struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+   if (!netif_running(slave_dev))
+   return 0;
+
netif_device_detach(slave_dev);
 
if (slave_dev->phydev) {
@@ -1210,6 +1213,9 @@ int dsa_slave_suspend(struct net_device
 
 int dsa_slave_resume(struct net_device *slave_dev)
 {
+   if (!netif_running(slave_dev))
+   return 0;
+
netif_device_attach(slave_dev);
 
if (slave_dev->phydev) {
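Review bot: dsa_slave_resume() now skips netif_device_attach() whenever `!netif_running(slave_dev)`, which is only correct if the same test gave the same answer in dsa_slave_suspend(). The two early returns have to stay paired, so a short comment on each saying that detach/attach is skipped for a closed device would keep a later change from touching only one side.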




[PATCH 4.17 16/31] virtio_balloon: fix another race between migration and ballooning

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Jiang Biao 

commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.

Kernel panics when under high memory pressure; the calltrace looks like:

PID: 21439 TASK: 881be3afedd0 CPU: 16 COMMAND: "java"
 #0 [881ec7ed7630] machine_kexec at 81059beb
 #1 [881ec7ed7690] __crash_kexec at 81105942
 #2 [881ec7ed7760] crash_kexec at 81105a30
 #3 [881ec7ed7778] oops_end at 816902c8
 #4 [881ec7ed77a0] no_context at 8167ff46
 #5 [881ec7ed77f0] __bad_area_nosemaphore at 8167ffdc
 #6 [881ec7ed7838] __node_set at 81680300
 #7 [881ec7ed7860] __do_page_fault at 8169320f
 #8 [881ec7ed78c0] do_page_fault at 816932b5
 #9 [881ec7ed78f0] page_fault at 8168f4c8
[exception RIP: _raw_spin_lock_irqsave+47]
RIP: 8168edef RSP: 881ec7ed79a8 RFLAGS: 00010046
RAX: 0246 RBX: ea0019740d00 RCX: 881ec7ed7fd8
RDX: 0002 RSI: 0016 RDI: 0008
RBP: 881ec7ed79a8 R8: 0246 R9: 0001a098
R10: 88107ffda000 R11:  R12: 
R13: 0008 R14: 881ec7ed7a80 R15: 881be3afedd0
ORIG_RAX:  CS: 0010 SS: 0018

It happens in the pagefault and results in double pagefault
during compacting pages when memory allocation fails.

Analysis of the vmcore shows that the page leading to the second pagefault
is corrupted with _mapcount=-256, but private=0.

It's caused by the race between migration and ballooning, and a missing
lock in virtballoon_migratepage() of the virtio_balloon driver.
This patch fixes the bug.

Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
Cc: sta...@vger.kernel.org
Signed-off-by: Jiang Biao 
Signed-off-by: Huang Chong 
Signed-off-by: Michael S. Tsirkin 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/virtio/virtio_balloon.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -513,7 +513,9 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
 
/* balloon's page migration 2nd step -- deflate "page" */
+   spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
balloon_page_delete(page);
+   spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
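Review bot: The added spin_lock_irqsave()/spin_unlock_irqrestore() pair uses `vb_dev_info` and `flags`, neither of which is declared in this hunk. For a stable backport, please confirm both are already in scope in virtballoon_migratepage() in this tree, otherwise the patch will not build.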




[PATCH 4.17 06/31] net: stmmac: Fix WoL for PCI-based setups

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Jose Abreu 

[ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]

WoL won't work in PCI-based setups because we are not saving the PCI EP
state before entering suspend state and not allowing D3 wake.

Fix this by using a wrapper around stmmac_{suspend/resume} which
correctly sets the PCI EP state.

Signed-off-by: Jose Abreu 
Cc: David S. Miller 
Cc: Joao Pinto 
Cc: Giuseppe Cavallaro 
Cc: Alexandre Torgue 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c |   40 +--
 1 file changed, 38 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -257,7 +257,7 @@ static int stmmac_pci_probe(struct pci_d
return -ENOMEM;
 
/* Enable pci device */
-   ret = pcim_enable_device(pdev);
+   ret = pci_enable_device(pdev);
if (ret) {
dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
__func__);
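Review bot: Replacing pcim_enable_device() with pci_enable_device() drops the managed cleanup, so every failure return in stmmac_pci_probe() after this call now needs an explicit pci_disable_device(). This patch adds that call to stmmac_pci_remove() only; the probe error paths are not touched in the diff and should be checked.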
@@ -300,9 +300,45 @@ static int stmmac_pci_probe(struct pci_d
 static void stmmac_pci_remove(struct pci_dev *pdev)
 {
stmmac_dvr_remove(&pdev->dev);
+   pci_disable_device(pdev);
 }
 
-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
+static int stmmac_pci_suspend(struct device *dev)
+{
+   struct pci_dev *pdev = to_pci_dev(dev);
+   int ret;
+
+   ret = stmmac_suspend(dev);
+   if (ret)
+   return ret;
+
+   ret = pci_save_state(pdev);
+   if (ret)
+   return ret;
+
+   pci_disable_device(pdev);
+   pci_wake_from_d3(pdev, true);
+   return 0;
+}
+
+static int stmmac_pci_resume(struct device *dev)
+{
+   struct pci_dev *pdev = to_pci_dev(dev);
+   int ret;
+
+   pci_restore_state(pdev);
+   pci_set_power_state(pdev, PCI_D0);
+
+   ret = pci_enable_device(pdev);
+   if (ret)
+   return ret;
+
+   pci_set_master(pdev);
+
+   return stmmac_resume(dev);
+}
+
+static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
 
 /* synthetic ID, no official vendor */
 #define PCI_VENDOR_ID_STMMAC 0x700
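Review bot: In stmmac_pci_resume(), pci_restore_state() runs before pci_set_power_state(pdev, PCI_D0), so the saved configuration is written back while the device may still be in a low-power state; the usual order is to return to D0 first and restore afterwards. Separately, if pci_save_state() fails in stmmac_pci_suspend(), the function returns an error with stmmac_suspend() already done and nothing undoing it.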




[PATCH 4.17 09/31] net/mlx5e: Set port trust mode to PCP as default

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Or Gerlitz 

[ Upstream commit 2e8e70d249e8c5c79bf88bbb36bb68154ab15471 ]

The hairpin offload code has dependency on the trust mode being PCP.

Hence we should set PCP as the default for handling cases where we are
disallowed to read the trust mode from the FW, or failed to initialize it.

Fixes: 106be53b6b0a ('net/mlx5e: Set per priority hairpin pairs')
Signed-off-by: Or Gerlitz 
Reviewed-by: Parav Pandit 
Signed-off-by: Saeed Mahameed 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
@@ -1057,6 +1057,8 @@ static int mlx5e_trust_initialize(struct
struct mlx5_core_dev *mdev = priv->mdev;
int err;
 
+   priv->dcbx_dp.trust_state = MLX5_QPTS_TRUST_PCP;
+
if (!MLX5_DSCP_SUPPORTED(mdev))
return 0;
 
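Review bot: The new default is assigned without a comment, and its position above the `MLX5_DSCP_SUPPORTED` early return is what makes the fix work. A one-line comment at `priv->dcbx_dp.trust_state = MLX5_QPTS_TRUST_PCP;` saying that hairpin offload depends on PCP being the default would stop someone from moving the assignment below the capability check later.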




[PATCH 4.17 08/31] net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Eli Cohen 

[ Upstream commit 5f5991f36dce1e69dd8bd7495763eec2e28f08e7 ]

Execute mlx5_eswitch_init() only if we have MLX5_ESWITCH_MANAGER
capabilities.
Do the same for mlx5_eswitch_cleanup().

Fixes: a9f7705ffd66 ("net/mlx5: Unify vport manager capability check")
Signed-off-by: Eli Cohen 
Signed-off-by: Saeed Mahameed 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1698,7 +1698,7 @@ int mlx5_eswitch_init(struct mlx5_core_d
int vport_num;
int err;
 
-   if (!MLX5_VPORT_MANAGER(dev))
+   if (!MLX5_ESWITCH_MANAGER(dev))
return 0;
 
esw_info(dev,
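Review bot: mlx5_eswitch_init() now returns 0 without setting up an eswitch whenever MLX5_ESWITCH_MANAGER() is false, where it used to key on MLX5_VPORT_MANAGER(). Any call site elsewhere that is still guarded by MLX5_VPORT_MANAGER() and then uses the eswitch would find none on a device that has only the vport-manager capability; please confirm those call sites were audited, since this diff changes only init and cleanup.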
@@ -1767,7 +1767,7 @@ abort:
 
 void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
 {
-   if (!esw || !MLX5_VPORT_MANAGER(esw->dev))
+   if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev))
return;
 
esw_info(esw->dev, "cleanup\n");




[PATCH 4.17 00/31] 4.17.13-stable review

2018-08-04 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.17.13 release.
There are 31 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Mon Aug  6 08:26:21 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.17.13-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.17.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.17.13-rc1

Tony Battersby 
scsi: sg: fix minor memory leak in error path

Boris Brezillon 
drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy

Boris Brezillon 
drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check()

Boris Brezillon 
drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats

Herbert Xu 
crypto: padlock-aes - Fix Nano workaround data corruption

Jack Morgenstein 
RDMA/uverbs: Expand primary and alt AV port checks

Rafał Miłecki 
brcmfmac: fix regression in parsing NVRAM for multiple devices

Emmanuel Grumbach 
iwlwifi: add more card IDs for 9000 series

Mike Rapoport 
userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails

Jane Chu 
ipc/shm.c add ->pagesize function to shm_vm_ops

Yi Wang 
audit: fix potential null dereference 'context->module.name'

Roman Kagan 
kvm: x86: vmx: fix vpid leak

Andy Lutomirski 
x86/entry/64: Remove %ebx handling from error_entry/exit

Len Brown 
x86/apic: Future-proof the TSC_DEADLINE quirk for SKX

Brijesh Singh 
x86/efi: Access EFI MMIO data as unencrypted when SEV is active

Jiang Biao 
virtio_balloon: fix another race between migration and ballooning

Jeremy Cline 
net: socket: Fix potential spectre v1 gadget in sock_is_registered

Jeremy Cline 
net: socket: fix potential spectre v1 gadget in socketcall

Anton Vasilyev 
can: ems_usb: Fix memory leak on ems_usb_disconnect()

Linus Torvalds 
squashfs: more metadata hardenings

Linus Torvalds 
squashfs: more metadata hardening

Feras Daoud 
net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow

Or Gerlitz 
net/mlx5e: Set port trust mode to PCP as default

Eli Cohen 
net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager

YueHaibing 
rxrpc: Fix user call ID check in rxrpc_service_prealloc_one

Jose Abreu 
net: stmmac: Fix WoL for PCI-based setups

Jeremy Cline 
netlink: Fix spectre v1 gadget in netlink_create()

Florian Fainelli 
net: dsa: Do not suspend/resume closed slave_dev

Eric Dumazet 
ipv4: frags: handle possible skb truesize change

Eric Dumazet 
inet: frag: enforce memory limits earlier

Eric Dumazet 
bonding: avoid lockdep confusion in bond_get_stats()


-

Diffstat:

 Makefile   |  4 +-
 arch/x86/entry/entry_64.S  | 18 ++
 arch/x86/kernel/apic/apic.c|  3 +
 arch/x86/kvm/vmx.c |  7 +--
 arch/x86/platform/efi/efi_64.c |  2 +-
 drivers/crypto/padlock-aes.c   |  8 ++-
 drivers/gpu/drm/drm_atomic_helper.c|  8 ++-
 drivers/gpu/drm/vc4/vc4_plane.c|  3 +
 drivers/infiniband/core/uverbs_cmd.c   | 59 --
 drivers/net/bonding/bond_main.c| 14 -
 drivers/net/can/usb/ems_usb.c  |  1 +
 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c |  2 +
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c  |  4 +-
 .../net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c  |  4 ++
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c   | 40 -
 .../wireless/broadcom/brcm80211/brcmfmac/pcie.c|  3 +-
 drivers/net/wireless/intel/iwlwifi/cfg/9000.c  | 69 ++
 drivers/net/wireless/intel/iwlwifi/iwl-config.h|  5 ++
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c  | 22 +++
 drivers/scsi/sg.c  |  1 +
 drivers/virtio/virtio_balloon.c|  2 +
 fs/squashfs/block.c|  2 +
 fs/squashfs/fragment.c | 13 ++--
 fs/squashfs/squashfs_fs_sb.h   |  1 +
 fs/squashfs/super.c|  5 +-
 fs/userfaultfd.c   |  4 +-
 ipc/shm.c  | 12 
 kernel/auditsc.c   | 13 ++--
 mm/hugetlb.c   |  7 +++
 net/dsa/slave.c|  6 ++
 net/ipv4/inet_fragment.c 

[PATCH 4.17 07/31] rxrpc: Fix user call ID check in rxrpc_service_prealloc_one

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: YueHaibing 

[ Upstream commit c01f6c9b3207e52fc9973a066a856ddf7a0538d8 ]

We just check that the user call ID isn't already in use, hence we should
compare user_call_ID with xcall->user_call_ID, which is the current
node's user_call_ID.

Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Suggested-by: David Howells 
Signed-off-by: YueHaibing 
Signed-off-by: David Howells 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/rxrpc/call_accept.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -116,9 +116,9 @@ static int rxrpc_service_prealloc_one(st
while (*pp) {
parent = *pp;
xcall = rb_entry(parent, struct rxrpc_call, sock_node);
-   if (user_call_ID < call->user_call_ID)
+   if (user_call_ID < xcall->user_call_ID)
pp = &(*pp)->rb_left;
-   else if (user_call_ID > call->user_call_ID)
+   else if (user_call_ID > xcall->user_call_ID)
pp = &(*pp)->rb_right;
else
goto id_in_use;
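Review bot: The bug fixed here comes from `call` and `xcall` differing by one letter inside the rb-tree walk, and the hunk keeps both names. Renaming the loop variable to something that cannot be mistaken for `call` would prevent the same slip from coming back.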




[PATCH 4.17 29/31] drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check()

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Boris Brezillon 

commit 603ba2dfb338b307aebe95fe344c479a59b3a175 upstream.

Async plane update is supposed to work only when updating the FB or FB
position of an already enabled plane. That does not apply to requests
where the plane was previously disabled or assigned to a different
CRTC.

Check old_plane_state->crtc value to make sure async plane update is
allowed.

Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
Cc: 
Signed-off-by: Boris Brezillon 
Reviewed-by: Eric Anholt 
Link: https://patchwork.freedesktop.org/patch/msgid/20180724133215.31917-1-boris.brezil...@bootlin.com
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/drm_atomic_helper.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1516,7 +1516,8 @@ int drm_atomic_helper_async_check(struct
if (n_planes != 1)
return -EINVAL;
 
-   if (!new_plane_state->crtc)
+   if (!new_plane_state->crtc ||
+   old_plane_state->crtc != new_plane_state->crtc)
return -EINVAL;
 
funcs = plane->helper_private;
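Review bot: The new `old_plane_state->crtc != new_plane_state->crtc` test dereferences old_plane_state, which is valid only because of the `n_planes != 1` check just above it. A short comment tying the two together would help, and the function's documentation should say that a plane that was disabled or is moving between CRTCs is rejected with -EINVAL.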




[PATCH 4.17 30/31] drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Boris Brezillon 

commit de2d8db395c32d121d02871819444b631f73e0b6 upstream.

drm_atomic_helper_async_check() declares the plane, old_plane_state and
new_plane_state variables to iterate over all planes of the atomic
state and make sure only one plane is enabled.

Unfortunately gcc is not smart enough to figure out that the check on
n_planes is enough to guarantee that plane, new_plane_state and
old_plane_state are initialized.

Explicitly initialize those variables to NULL to make gcc happy.

Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
Cc: 
Signed-off-by: Boris Brezillon 
Reviewed-by: Sean Paul 
Link: https://patchwork.freedesktop.org/patch/msgid/20180724133300.32023-1-boris.brezil...@bootlin.com
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/drm_atomic_helper.c |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1499,8 +1499,9 @@ int drm_atomic_helper_async_check(struct
 {
struct drm_crtc *crtc;
struct drm_crtc_state *crtc_state;
-   struct drm_plane *plane;
-   struct drm_plane_state *old_plane_state, *new_plane_state;
+   struct drm_plane *plane = NULL;
+   struct drm_plane_state *old_plane_state = NULL;
+   struct drm_plane_state *new_plane_state = NULL;
const struct drm_plane_helper_funcs *funcs;
int i, n_planes = 0;
 




[PATCH 4.14 01/23] bonding: avoid lockdep confusion in bond_get_stats()

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ]

syzbot found that the following sequence produces a LOCKDEP splat [1]

ip link add bond10 type bond
ip link add bond11 type bond
ip link set bond11 master bond10

To fix this, we can use the already provided nest_level.

This patch also provides correct nesting for dev->addr_list_lock

[1]
WARNING: possible recursive locking detected
4.18.0-rc6+ #167 Not tainted

syz-executor751/4439 is trying to acquire lock:
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426

but task is already holding lock:
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(&(&bond->stats_lock)->rlock);
  lock(&(&bond->stats_lock)->rlock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz-executor751/4439:
 #0: (ptrval) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
 #1: (ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
 #1: (ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
 #2: (ptrval) (rcu_read_lock){}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215

stack backtrace:
CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
 check_deadlock kernel/locking/lockdep.c:1809 [inline]
 validate_chain kernel/locking/lockdep.c:2405 [inline]
 __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
 dev_get_stats+0x10f/0x470 net/core/dev.c:8316
 bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
 dev_get_stats+0x10f/0x470 net/core/dev.c:8316
 rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
 rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
 rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
 rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
 rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
 rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
 call_netdevice_notifiers net/core/dev.c:1753 [inline]
 netdev_features_change net/core/dev.c:1321 [inline]
 netdev_change_features+0xb3/0x110 net/core/dev.c:7759
 bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
 bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
 bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
 dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
 dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
 sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
 sock_ioctl+0x30d/0x680 net/socket.c:1093
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440859
Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffc51a92878 EFLAGS: 0213 ORIG_RAX: 0010
RAX: ffda RBX:  RCX: 00440859
RDX: 2040 RSI: 8990 RDI: 0003
RBP:  R08: 004002c8 R09: 004002c8
R10: 022d5880 R11: 0213 R12: 7390
R13: 00401db0 R14:  R15: 

Signed-off-by: Eric Dumazet 
Cc: Jay Vosburgh 
Cc: Veaceslav Falico 
C

[PATCH 4.14 13/23] virtio_balloon: fix another race between migration and ballooning

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jiang Biao 

commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.

Kernel panics when under high memory pressure; the calltrace looks like:

PID: 21439 TASK: 881be3afedd0 CPU: 16 COMMAND: "java"
 #0 [881ec7ed7630] machine_kexec at 81059beb
 #1 [881ec7ed7690] __crash_kexec at 81105942
 #2 [881ec7ed7760] crash_kexec at 81105a30
 #3 [881ec7ed7778] oops_end at 816902c8
 #4 [881ec7ed77a0] no_context at 8167ff46
 #5 [881ec7ed77f0] __bad_area_nosemaphore at 8167ffdc
 #6 [881ec7ed7838] __node_set at 81680300
 #7 [881ec7ed7860] __do_page_fault at 8169320f
 #8 [881ec7ed78c0] do_page_fault at 816932b5
 #9 [881ec7ed78f0] page_fault at 8168f4c8
[exception RIP: _raw_spin_lock_irqsave+47]
RIP: 8168edef RSP: 881ec7ed79a8 RFLAGS: 00010046
RAX: 0246 RBX: ea0019740d00 RCX: 881ec7ed7fd8
RDX: 0002 RSI: 0016 RDI: 0008
RBP: 881ec7ed79a8 R8: 0246 R9: 0001a098
R10: 88107ffda000 R11:  R12: 
R13: 0008 R14: 881ec7ed7a80 R15: 881be3afedd0
ORIG_RAX:  CS: 0010 SS: 0018

It happens in the pagefault and results in double pagefault
during compacting pages when memory allocation fails.

Analysis of the vmcore shows that the page leading to the second pagefault
is corrupted with _mapcount=-256, but private=0.

It's caused by the race between migration and ballooning, and a missing
lock in virtballoon_migratepage() of the virtio_balloon driver.
This patch fixes the bug.

Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
Cc: sta...@vger.kernel.org
Signed-off-by: Jiang Biao 
Signed-off-by: Huang Chong 
Signed-off-by: Michael S. Tsirkin 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/virtio/virtio_balloon.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -490,7 +490,9 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
 
/* balloon's page migration 2nd step -- deflate "page" */
+   spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
balloon_page_delete(page);
+   spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
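Review bot: Only balloon_page_delete(page) is placed under pages_lock, while the comment above it calls this the second step of the migration. Please say in the changelog or in a code comment whether the first step takes the same lock, and why the `vb->num_pfns` and set_page_pfns() lines that follow do not need it, so the locking rule can be checked from the code.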




[PATCH 4.17 27/31] crypto: padlock-aes - Fix Nano workaround data corruption

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.

This was detected by the self-test thanks to Ard's chunking patch.

I finally got around to testing this out on my ancient Via box.  It
turns out that the workaround got the assembly wrong and we end up
doing count + initial cycles of the loop instead of just count.

This obviously causes corruption, either by overwriting the source
that is yet to be processed, or writing over the end of the buffer.

On CPUs that don't require the workaround only ECB is affected.
On Nano CPUs both ECB and CBC are affected.

This patch fixes it by doing the subtraction prior to the assembly.

Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
Cc: 
Reported-by: Jamie Heilman 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/crypto/padlock-aes.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/crypto/padlock-aes.c
+++ b/drivers/crypto/padlock-aes.c
@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
return;
}
 
+   count -= initial;
+
if (initial)
asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"   /* rep 
xcryptecb */
  : "+S"(input), "+D"(output)
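Review bot: `count -= initial;` is hoisted above the `if (initial)` asm with no comment explaining why the subtraction may not stay in the operand list of the second asm statement. Since the changelog says the previous form ran count + initial iterations, a comment at this line stating that the count must be adjusted in C before either `rep xcryptecb` runs would keep it from being folded back into the operand later; the same applies to the CBC variant below.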
@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
 
asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"   /* rep xcryptecb */
  : "+S"(input), "+D"(output)
- : "d"(control_word), "b"(key), "c"(count - initial));
+ : "d"(control_word), "b"(key), "c"(count));
 }
 
 static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
if (count < cbc_fetch_blocks)
return cbc_crypt(input, output, key, iv, control_word, count);
 
+   count -= initial;
+
if (initial)
asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"   /* rep 
xcryptcbc */
  : "+S" (input), "+D" (output), "+a" (iv)
@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
 
asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"   /* rep xcryptcbc */
  : "+S" (input), "+D" (output), "+a" (iv)
- : "d" (control_word), "b" (key), "c" (count-initial));
+ : "d" (control_word), "b" (key), "c" (count));
return iv;
 }
 




[PATCH 4.14 12/23] net: socket: fix potential spectre v1 gadget in socketcall

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.

'call' is a user-controlled value, so sanitize the array index after the
bounds check to avoid speculating past the bounds of the 'nargs' array.

Found with the help of Smatch:

net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
'nargs' [r] (local cap)

Cc: Josh Poimboeuf 
Cc: sta...@vger.kernel.org
Signed-off-by: Jeremy Cline 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 net/socket.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -2443,6 +2444,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
 
if (call < 1 || call > SYS_SENDMMSG)
return -EINVAL;
+   call = array_index_nospec(call, SYS_SENDMMSG + 1);
 
len = nargs[call];
if (len > sizeof(a))
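Review bot: The clamp size `SYS_SENDMMSG + 1` is written independently of both the `call > SYS_SENDMMSG` check and the declaration of `nargs`, so the three can drift apart. Using ARRAY_SIZE(nargs) as the size, if nargs is declared with exactly that many entries, would tie the clamp to the array it protects.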


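The Spectre v1 changelogs above (sock_is_registered, netlink_create() and socketcall) share one pattern: bounds check first, then clamp the index with array_index_nospec(). The following user-space model of that clamp arithmetic is an added example, not code from these patches or from the kernel tree; the table, its size, LAST_CALL and the helper names are constructed for illustration.

```c
/* Added example: user-space model of the index clamp used by the
 * array_index_nospec() calls in the patches above. It models the
 * arithmetic only. All names and table contents are constructed. */
#include <limits.h>
#include <stdio.h>

#define LONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/*
 * Returns all ones when index < size and zero otherwise, without a
 * conditional branch. Written with unsigned shifts so it is portable C.
 * Assumes size <= LONG_MAX.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Top bit of u is set when index is huge (negative as signed)
     * or when size - 1 - index wrapped around, i.e. index >= size. */
    unsigned long u = index | (size - 1UL - index);
    unsigned long in_range = (~u) >> (LONG_BITS - 1);   /* 1 or 0 */

    return 0UL - in_range;
}

/* In range: index is returned unchanged. Out of range: forced to 0. */
static unsigned long clamp_index(long index, unsigned long size)
{
    return (unsigned long)index &
           index_mask_nospec((unsigned long)index, size);
}

#define TABLE_SIZE 8    /* constructed; plays the role of NPROTO or MAX_LINKS */
static const int table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Shape of the netlink_create() hunk: reject, then clamp, then index. */
static int checked_lookup(int idx)
{
    if (idx < 0 || idx >= TABLE_SIZE)
        return -1;
    idx = (int)clamp_index(idx, TABLE_SIZE);
    return table[idx];
}

#define LAST_CALL 20    /* constructed; plays the role of SYS_SENDMMSG */

/*
 * Shape of the socketcall hunk: the valid range is 1..LAST_CALL
 * inclusive, so the clamp size has to be LAST_CALL + 1. With size
 * LAST_CALL the highest valid value would be clamped to 0.
 */
static long clamp_call(long call)
{
    if (call < 1 || call > LAST_CALL)
        return -1;
    return (long)clamp_index(call, LAST_CALL + 1);
}

int main(void)
{
    long samples[] = { -1, 0, 7, 8, 1000 };
    unsigned i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("index %5ld, size %d -> clamped to %lu\n",
               samples[i], TABLE_SIZE, clamp_index(samples[i], TABLE_SIZE));

    printf("checked_lookup(3)  = %d\n", checked_lookup(3));
    printf("checked_lookup(-5) = %d\n", checked_lookup(-5));
    printf("clamp_call(%d) with size %d   = %ld\n",
           LAST_CALL, LAST_CALL + 1, clamp_call(LAST_CALL));
    printf("same index with size %d (wrong) = %lu\n",
           LAST_CALL, clamp_index(LAST_CALL, LAST_CALL));
    return 0;
}
```

The last line of output shows the off-by-one that the `SYS_SENDMMSG + 1` size in the socketcall hunk avoids.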


[PATCH 4.17 20/31] kvm: x86: vmx: fix vpid leak

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Roman Kagan 

commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.

VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
vmx is turned on with the module parameter.

However, it's only freed if the L1 guest has executed VMXON which is not
a given.

As a result, on a system with nested==on every creation+deletion of an
L1 vcpu without running an L2 guest results in leaking one vpid.  Since
the total number of vpids is limited to 64k, they can eventually get
exhausted, preventing L2 from starting.

Delay allocation of the L2 vpid until VMXON emulation, thus matching its
freeing.

Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
Cc: sta...@vger.kernel.org
Signed-off-by: Roman Kagan 
Signed-off-by: Paolo Bonzini 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kvm/vmx.c |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7660,6 +7660,8 @@ static int enter_vmx_operation(struct kv
 HRTIMER_MODE_REL_PINNED);
vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
 
+   vmx->nested.vpid02 = allocate_vpid();
+
vmx->nested.vmxon = true;
return 0;
 
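Review bot: The result of allocate_vpid() is stored in vmx->nested.vpid02 without any check, and the changelog itself notes that the vpid pool is limited and can run out. Please say what enter_vmx_operation() is expected to do when no vpid is available, and confirm that every path that leaves VMX operation frees vpid02, now that the free_vpid() call is removed from the free_vmcs label in vmx_create_vcpu().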
@@ -10108,11 +10110,9 @@ static struct kvm_vcpu *vmx_create_vcpu(
goto free_vmcs;
}
 
-   if (nested) {
+   if (nested)
nested_vmx_setup_ctls_msrs(&vmx->nested.msrs,
   kvm_vcpu_apicv_active(&vmx->vcpu));
-   vmx->nested.vpid02 = allocate_vpid();
-   }
 
vmx->nested.posted_intr_nv = -1;
vmx->nested.current_vmptr = -1ull;
@@ -10129,7 +10129,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
return &vmx->vcpu;
 
 free_vmcs:
-   free_vpid(vmx->nested.vpid02);
free_loaded_vmcs(vmx->loaded_vmcs);
 free_msrs:
kfree(vmx->guest_msrs);




[PATCH 4.17 31/31] scsi: sg: fix minor memory leak in error path

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Tony Battersby 

commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.

Fix a minor memory leak when there is an error opening a /dev/sg device.

Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
Cc: 
Reviewed-by: Ewan D. Milne 
Signed-off-by: Tony Battersby 
Reviewed-by: Bart Van Assche 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
write_lock_irqsave(&sdp->sfd_lock, iflags);
if (atomic_read(&sdp->detaching)) {
write_unlock_irqrestore(&sdp->sfd_lock, iflags);
+   kfree(sfp);
return ERR_PTR(-ENODEV);
}
list_add_tail(&sfp->sfd_siblings, &sdp->sfds);




[PATCH 4.17 24/31] iwlwifi: add more card IDs for 9000 series

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Emmanuel Grumbach 

commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream.

Add new device IDs for the 9000 series.

Cc: sta...@vger.kernel.org # 4.14
Signed-off-by: Emmanuel Grumbach 
Signed-off-by: Kalle Valo 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/intel/iwlwifi/cfg/9000.c   |   69 
 drivers/net/wireless/intel/iwlwifi/iwl-config.h |5 +
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c   |   22 +++
 3 files changed, 96 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
@@ -180,6 +180,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = {
.max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
 };
 
+const struct iwl_cfg iwl9260_killer_2ac_cfg = {
+   .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter 
(9260NGW)",
+   .fw_name_pre = IWL9260A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+};
+
 const struct iwl_cfg iwl9270_2ac_cfg = {
.name = "Intel(R) Dual Band Wireless AC 9270",
.fw_name_pre = IWL9260A_FW_PRE,
@@ -269,6 +280,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc
.soc_latency = 5000,
 };
 
+const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = {
+   .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+};
+
+const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = {
+   .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+};
+
 const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = {
.name = "Intel(R) Dual Band Wireless AC 9460",
.fw_name_pre = IWL9000A_FW_PRE,
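
Review bot: The two structs added in this hunk, iwl9560_killer_2ac_cfg_soc and iwl9560_killer_s_2ac_cfg_soc, are field-for-field identical and differ only in the .name string ("1550i" versus "1550s"). The duplicated initialiser lines make it easy for a later fix to reach one copy and miss the other; consider a shared macro for the common fields so that each Killer entry states only its name. The changelog also says "Add new device IDs" without listing them, which makes the backport harder to check against the table in pcie/drv.c.
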
@@ -319,6 +358,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_sha
.fw_name_pre = IWL9000A_FW_PRE,
.fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
.fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+   .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
+};
+
+const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = {
+   .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+   .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
+};
+
+const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = {
+   .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
IWL_DEVICE_9000,
.ht_params = &iwl9000_ht_params,
.nvm_ver = IWL9000_NVM_VERSION,
--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
@@ -471,6 +471,7 @@ extern const struct iwl_cfg iwl8275_2ac_
 extern const struct iwl_cfg iwl4165_2ac_cfg;
 extern const struct iwl_cfg iwl9160_2ac_cfg;
 extern const struct iwl_cfg iwl9260_2ac_cfg;
+extern const struct iwl_cfg iwl9260_killer_2ac_cfg;
 extern const struct iwl_cfg iwl9270_2ac_cfg;
 extern const struct iwl_cfg iwl9460_2ac_cfg;
 extern const struct iwl_cfg iwl9560_2ac_cfg;
@@ -478,10 +479,14 @@ extern const struct iwl_cfg iwl9460_2ac_
 extern const struct iwl_cfg iwl9461_2ac_cfg_soc;
 extern const struct iwl_cfg

[PATCH 4.17 19/31] x86/entry/64: Remove %ebx handling from error_entry/exit

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Andy Lutomirski 

commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.

error_entry and error_exit communicate the user vs. kernel status of
the frame using %ebx.  This is unnecessary -- the information is in
regs->cs.  Just use regs->cs.

This makes error_entry simpler and makes error_exit more robust.

It also fixes a nasty bug.  Before all the Spectre nonsense, the
xen_failsafe_callback entry point returned like this:

ALLOC_PT_GPREGS_ON_STACK
SAVE_C_REGS
SAVE_EXTRA_REGS
ENCODE_FRAME_POINTER
jmp error_exit

And it did not go through error_entry.  This was bogus: RBX
contained garbage, and error_exit expected a flag in RBX.

Fortunately, it generally contained *nonzero* garbage, so the
correct code path was used.  As part of the Spectre fixes, code was
added to clear RBX to mitigate certain speculation attacks.  Now,
depending on kernel configuration, RBX got zeroed and, when running
some Wine workloads, the kernel crashes.  This was introduced by:

commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")

With this patch applied, RBX is no longer needed as a flag, and the
problem goes away.

I suspect that malicious userspace could use this bug to crash the
kernel even without the offending patch applied, though.

[ Historical note: I wrote this patch as a cleanup before I was aware
  of the bug it fixed. ]

[ Note to stable maintainers: this should probably get applied to all
  kernels.  If you're nervous about that, a more conservative fix to
  add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
  also fix the problem. ]

Reported-and-tested-by: M. Vefa Bicakci 
Signed-off-by: Andy Lutomirski 
Cc: Boris Ostrovsky 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Dave Hansen 
Cc: Denys Vlasenko 
Cc: Dominik Brodowski 
Cc: Greg KH 
Cc: H. Peter Anvin 
Cc: Josh Poimboeuf 
Cc: Juergen Gross 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: sta...@vger.kernel.org
Cc: xen-de...@lists.xenproject.org
Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.l...@kernel.org
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/entry/entry_64.S |   18 --
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -981,7 +981,7 @@ ENTRY(\sym)
 
call\do_sym
 
-   jmp error_exit  /* %ebx: no swapgs flag */
+   jmp error_exit
.endif
 END(\sym)
 .endm
@@ -1222,7 +1222,6 @@ END(paranoid_exit)
 
 /*
  * Save all registers in pt_regs, and switch GS if needed.
- * Return: EBX=0: came from user mode; EBX=1: otherwise
  */
 ENTRY(error_entry)
UNWIND_HINT_FUNC
@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
 * for these here too.
 */
 .Lerror_kernelspace:
-   incl%ebx
leaqnative_irq_return_iret(%rip), %rcx
cmpq%rcx, RIP+8(%rsp)
je  .Lerror_bad_iret
@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
 
/*
 * Pretend that the exception came from user mode: set up pt_regs
-* as if we faulted immediately after IRET and clear EBX so that
-* error_exit knows that we will be returning to user mode.
+* as if we faulted immediately after IRET.
 */
mov %rsp, %rdi
callfixup_bad_iret
mov %rax, %rsp
-   decl%ebx
jmp .Lerror_entry_from_usermode_after_swapgs
 END(error_entry)
 
-
-/*
- * On entry, EBX is a "return to kernel mode" flag:
- *   1: already in kernel mode, don't need SWAPGS
- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for 
return to usermode
- */
 ENTRY(error_exit)
UNWIND_HINT_REGS
DISABLE_INTERRUPTS(CLBR_ANY)
TRACE_IRQS_OFF
-   testl   %ebx, %ebx
-   jnz retint_kernel
+   testb   $3, CS(%rsp)
+   jz  retint_kernel
jmp retint_user
 END(error_exit)
 
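
Review bot: The block comment above ENTRY(error_exit) is deleted without a replacement, so the new contract of error_exit is documented nowhere: "testb $3, CS(%rsp)" assumes that a complete pt_regs frame sits at %rsp on entry. Please add a short comment stating that error_exit chooses retint_kernel or retint_user from the privilege bits of the saved CS, and that callers must jmp (not call) to it with pt_regs at the top of the stack. The branch sense also flips from jnz to jz, which is right for the new test but worth calling out in the changelog for anyone resolving backport conflicts by hand.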




[PATCH 4.14 11/23] can: ems_usb: Fix memory leak on ems_usb_disconnect()

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Anton Vasilyev 

commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.

ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
is no deallocation of it in ems_usb_disconnect().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev 
Cc: 
Signed-off-by: Marc Kleine-Budde 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/can/usb/ems_usb.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct us
usb_free_urb(dev->intr_urb);
 
kfree(dev->intr_in_buffer);
+   kfree(dev->tx_msg_buffer);
}
 }
 




[PATCH 4.17 28/31] drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Boris Brezillon 

commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream.

This is needed to ensure ->is_unity is correct when the plane was
previously configured to output a multi-planar format with scaling
enabled, and is then being reconfigured to output a uniplanar format.

Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
Cc: 
Signed-off-by: Boris Brezillon 
Reviewed-by: Eric Anholt 
Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezil...@bootlin.com
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/vc4/vc4_plane.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/vc4/vc4_plane.c
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
@@ -319,6 +319,9 @@ static int vc4_plane_setup_clipping_and_
vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
+   } else {
+   vc4_state->x_scaling[1] = VC4_SCALING_NONE;
+   vc4_state->y_scaling[1] = VC4_SCALING_NONE;
}
 
vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
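
Review bot: The new else branch clears x_scaling[1] and y_scaling[1], but the code gives no hint why index 1 matters on the uniplanar path. Please add a comment saying that these entries can be left over from an earlier multi-planar configuration of the same plane, and that, as the changelog states, ->is_unity computed just below would otherwise be wrong. Without it the reset looks like dead code and is likely to be removed in a later cleanup.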




[PATCH 4.17 26/31] RDMA/uverbs: Expand primary and alt AV port checks

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Jack Morgenstein 

commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream.

The commit cited below checked that the port numbers provided in the
primary and alt AVs are legal.

That is sufficient to prevent a kernel panic. However, it is not
sufficient for correct operation.

In Linux, AVs (both primary and alt) must be completely self-described.
We do not accept an AV from userspace without an embedded port number.
(This has been the case since kernel 3.14 commit dbf727de7440
("IB/core: Use GID table in AH creation and dmac resolution")).

For the primary AV, this embedded port number must match the port number
specified with IB_QP_PORT.

We also expect the port number embedded in the alt AV to match the
alt_port_num value passed by the userspace driver in the modify_qp command
base structure.

Add these checks to modify_qp.

Cc:  # 4.16
Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it")
Signed-off-by: Jack Morgenstein 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/uverbs_cmd.c |   59 ---
 1 file changed, 54 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1984,15 +1984,64 @@ static int modify_qp(struct ib_uverbs_fi
goto release_qp;
}
 
-   if ((cmd->base.attr_mask & IB_QP_AV) &&
-   !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
-   ret = -EINVAL;
-   goto release_qp;
+   if ((cmd->base.attr_mask & IB_QP_AV)) {
+   if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
+   ret = -EINVAL;
+   goto release_qp;
+   }
+
+   if (cmd->base.attr_mask & IB_QP_STATE &&
+   cmd->base.qp_state == IB_QPS_RTR) {
+   /* We are in INIT->RTR TRANSITION (if we are not,
+* this transition will be rejected in subsequent checks).
+* In the INIT->RTR transition, we cannot have IB_QP_PORT set,
+* but the IB_QP_STATE flag is required.
+*
+* Since kernel 3.14 (commit dbf727de7440), the uverbs driver,
+* when IB_QP_AV is set, has required inclusion of a valid
+* port number in the primary AV. (AVs are created and handled
+* differently for infiniband and ethernet (RoCE) ports).
+*
+* Check the port number included in the primary AV against
+* the port number in the qp struct, which was set (and saved)
+* in the RST->INIT transition.
+*/
+   if (cmd->base.dest.port_num != qp->real_qp->port) {
+   ret = -EINVAL;
+   goto release_qp;
+   }
+   } else {
+   /* We are in SQD->SQD. (If we are not, this transition will
+* be rejected later in the verbs layer checks).
+* Check for both IB_QP_PORT and IB_QP_AV, these can be set
+* together in the SQD->SQD transition.
+*
+* If only IP_QP_AV was set, add in IB_QP_PORT as well (the
+* verbs layer driver does not track primary port changes
+* resulting from path migration. Thus, in SQD, if the primary
+* AV is modified, the primary port should also be modified).
+*
+* Note that in this transition, the IB_QP_STATE flag
+* is not allowed.
+*/
+   if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
+== (IB_QP_AV | IB_QP_PORT)) &&
+   cmd->base.port_num != cmd->base.dest.port_num) {
+   ret = -EINVAL;
+   goto release_qp;
+   }
+   if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
+   == IB_QP_AV) {
+   cmd->base.attr_mask |= IB_QP_PORT;
+   cmd->base.port_num = cmd->base.dest.port_num;
+   }
+   }
}
 
if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
(!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) ||
-   !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) {
+   !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) ||
+   cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) {
ret = -EINVAL;
goto release_qp;
}
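
Review bot: The else branch under IB_QP_AV runs for every request that is not IB_QP_STATE with qp_state == IB_QPS_RTR, yet its comment assumes SQD->SQD, and it rewrites the user's command ("cmd->base.attr_mask |= IB_QP_PORT" and "cmd->base.port_num = cmd->base.dest.port_num") before any check has confirmed that transition. Relying on the request being "rejected later in the verbs layer checks" means the mask is altered for requests that should simply fail; please either test the current QP state here or confirm that no later check behaves differently once IB_QP_PORT has been added. Smaller points: the comment says IP_QP_AV where IB_QP_AV is meant, and the outer condition "if ((cmd->base.attr_mask & IB_QP_AV))" carries a redundant pair of parentheses.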




[PATCH 4.17 21/31] audit: fix potential null dereference context->module.name

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Yi Wang 

commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream.

The variable 'context->module.name' may be a null pointer when
kmalloc returns null, so it's better to check it before using it
to avoid a null dereference.
One more thing this patch does is use kstrdup instead
of (kmalloc + strcpy), and signal a lost record via audit_log_lost.

Cc: sta...@vger.kernel.org # 4.11
Signed-off-by: Yi Wang 
Reviewed-by: Jiang Biao 
Reviewed-by: Richard Guy Briggs 
Signed-off-by: Paul Moore 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/auditsc.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1274,8 +1274,12 @@ static void show_special(struct audit_co
break;
case AUDIT_KERN_MODULE:
audit_log_format(ab, "name=");
-   audit_log_untrustedstring(ab, context->module.name);
-   kfree(context->module.name);
+   if (context->module.name) {
+   audit_log_untrustedstring(ab, context->module.name);
+   kfree(context->module.name);
+   } else
+   audit_log_format(ab, "(null)");
+
break;
}
audit_log_end(ab);
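
Review bot: In the AUDIT_KERN_MODULE case the new if branch is braced but the else is not; kernel coding style asks for braces on both branches when either one needs them, and the blank line added before break is stray. There is also a point about the record format: on the NULL path the record carries name=(null) written with audit_log_format(), while the normal path goes through audit_log_untrustedstring(), so anything parsing name= sees two different encodings. Please mention that in the changelog.
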
@@ -2408,8 +2412,9 @@ void __audit_log_kern_module(char *name)
 {
struct audit_context *context = current->audit_context;
 
-   context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
-   strcpy(context->module.name, name);
+   context->module.name = kstrdup(name, GFP_KERNEL);
+   if (!context->module.name)
+   audit_log_lost("out of memory in __audit_log_kern_module");
context->type = AUDIT_KERN_MODULE;
 }
 




[PATCH 4.17 23/31] userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Mike Rapoport 

commit 31e810aa1033a7db50a2746cd34a2432237f6420 upstream.

The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags
that were copied from the parent process VMA.

As a result, there is an inconsistency between the values of
vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON
in userfaultfd_release().

Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
failure resolves the issue.

Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-r...@linux.vnet.ibm.com
Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
Signed-off-by: Mike Rapoport 
Reported-by: syzbot+121be635a7a35ddb7...@syzkaller.appspotmail.com
Cc: Andrea Arcangeli 
Cc: Eric Biggers 
Cc: 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/userfaultfd.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -631,8 +631,10 @@ static void userfaultfd_event_wait_compl
/* the various vma->vm_userfaultfd_ctx still points to it */
down_write(&mm->mmap_sem);
for (vma = mm->mmap; vma; vma = vma->vm_next)
-   if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
+   if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
+   vma->vm_flags &= ~(VM_UFFD_WP | 
VM_UFFD_MISSING);
+   }
up_write(&mm->mmap_sem);
 
userfaultfd_ctx_put(release_new_ctx);
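
Review bot: The mask in "vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING)" is open-coded inside the loop, so a userfaultfd VM flag added later would not be cleared here, recreating the mismatch between vm_userfaultfd_ctx and vm_flags that this patch fixes. Consider a single named mask, or a small helper that resets vm_userfaultfd_ctx and the flags together, and use it wherever a vma is detached from its context. The update itself is done under down_write(&mm->mmap_sem), which is what a vm_flags change needs.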




[PATCH 4.17 18/31] x86/apic: Future-proof the TSC_DEADLINE quirk for SKX

2018-08-04 Thread Greg Kroah-Hartman
4.17-stable review patch.  If anyone has any objections, please let me know.

--

From: Len Brown 

commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.

All SKX with stepping higher than 4 support the TSC_DEADLINE,
no matter the microcode version.

Without this patch, upcoming SKX steppings will not be able to use
their TSC_DEADLINE timer.

Signed-off-by: Len Brown 
Cc:  # v4.14+
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.br...@intel.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/apic/apic.c |3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -573,6 +573,9 @@ static u32 skx_deadline_rev(void)
case 0x04: return 0x0214;
}
 
+   if (boot_cpu_data.x86_stepping > 4)
+   return 0;
+
return ~0U;
 }
 
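
Review bot: The added stepping check in skx_deadline_rev() returns 0 with no comment, while the function's other visible exits return a microcode revision (0x0214 for case 0x04) or ~0U, so a reader has to infer that 0 means "any revision is acceptable". Please add a one-line comment saying so, and tie the literal 4 to the last stepping handled in the switch so the two do not drift apart when another case is added.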




[PATCH 4.14 14/23] x86/apic: Future-proof the TSC_DEADLINE quirk for SKX

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Len Brown 

commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.

All SKX with stepping higher than 4 support the TSC_DEADLINE,
no matter the microcode version.

Without this patch, upcoming SKX steppings will not be able to use
their TSC_DEADLINE timer.

Signed-off-by: Len Brown 
Cc:  # v4.14+
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.br...@intel.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/apic/apic.c |3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -580,6 +580,9 @@ static u32 skx_deadline_rev(void)
case 0x04: return 0x0214;
}
 
+   if (boot_cpu_data.x86_stepping > 4)
+   return 0;
+
return ~0U;
 }
 




[PATCH 4.14 15/23] x86/entry/64: Remove %ebx handling from error_entry/exit

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Andy Lutomirski 

commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.

error_entry and error_exit communicate the user vs. kernel status of
the frame using %ebx.  This is unnecessary -- the information is in
regs->cs.  Just use regs->cs.

This makes error_entry simpler and makes error_exit more robust.

It also fixes a nasty bug.  Before all the Spectre nonsense, the
xen_failsafe_callback entry point returned like this:

ALLOC_PT_GPREGS_ON_STACK
SAVE_C_REGS
SAVE_EXTRA_REGS
ENCODE_FRAME_POINTER
jmp error_exit

And it did not go through error_entry.  This was bogus: RBX
contained garbage, and error_exit expected a flag in RBX.

Fortunately, it generally contained *nonzero* garbage, so the
correct code path was used.  As part of the Spectre fixes, code was
added to clear RBX to mitigate certain speculation attacks.  Now,
depending on kernel configuration, RBX got zeroed and, when running
some Wine workloads, the kernel crashes.  This was introduced by:

commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")

With this patch applied, RBX is no longer needed as a flag, and the
problem goes away.

I suspect that malicious userspace could use this bug to crash the
kernel even without the offending patch applied, though.

[ Historical note: I wrote this patch as a cleanup before I was aware
  of the bug it fixed. ]

[ Note to stable maintainers: this should probably get applied to all
  kernels.  If you're nervous about that, a more conservative fix to
  add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
  also fix the problem. ]

Reported-and-tested-by: M. Vefa Bicakci 
Signed-off-by: Andy Lutomirski 
Cc: Boris Ostrovsky 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Dave Hansen 
Cc: Denys Vlasenko 
Cc: Dominik Brodowski 
Cc: Greg KH 
Cc: H. Peter Anvin 
Cc: Josh Poimboeuf 
Cc: Juergen Gross 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: sta...@vger.kernel.org
Cc: xen-de...@lists.xenproject.org
Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.l...@kernel.org
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/entry/entry_64.S |   18 --
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -933,7 +933,7 @@ ENTRY(\sym)
 
call\do_sym
 
-   jmp error_exit  /* %ebx: no swapgs flag */
+   jmp error_exit
.endif
 END(\sym)
 .endm
@@ -1166,7 +1166,6 @@ END(paranoid_exit)
 
 /*
  * Save all registers in pt_regs, and switch GS if needed.
- * Return: EBX=0: came from user mode; EBX=1: otherwise
  */
 ENTRY(error_entry)
UNWIND_HINT_FUNC
@@ -1213,7 +1212,6 @@ ENTRY(error_entry)
 * for these here too.
 */
 .Lerror_kernelspace:
-   incl%ebx
leaqnative_irq_return_iret(%rip), %rcx
cmpq%rcx, RIP+8(%rsp)
je  .Lerror_bad_iret
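
Review bot: With "incl %ebx" removed at .Lerror_kernelspace, error_entry no longer leaves a defined value in %ebx on this path. That is safe only because error_exit stops reading %ebx in the same patch; for this 4.14 backport please confirm that nothing else in this tree's entry_64.S still tests %ebx after error_entry returns, since such a reader would now see whatever the register happened to hold.
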
@@ -1247,28 +1245,20 @@ ENTRY(error_entry)
 
/*
 * Pretend that the exception came from user mode: set up pt_regs
-* as if we faulted immediately after IRET and clear EBX so that
-* error_exit knows that we will be returning to user mode.
+* as if we faulted immediately after IRET.
 */
mov %rsp, %rdi
callfixup_bad_iret
mov %rax, %rsp
-   decl%ebx
jmp .Lerror_entry_from_usermode_after_swapgs
 END(error_entry)
 
-
-/*
- * On entry, EBX is a "return to kernel mode" flag:
- *   1: already in kernel mode, don't need SWAPGS
- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for 
return to usermode
- */
 ENTRY(error_exit)
UNWIND_HINT_REGS
DISABLE_INTERRUPTS(CLBR_ANY)
TRACE_IRQS_OFF
-   testl   %ebx, %ebx
-   jnz retint_kernel
+   testb   $3, CS(%rsp)
+   jz  retint_kernel
jmp retint_user
 END(error_exit)
 




[PATCH 4.14 16/23] kvm: x86: vmx: fix vpid leak

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Roman Kagan 

commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.

VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
vmx is turned on with the module parameter.

However, it's only freed if the L1 guest has executed VMXON which is not
a given.

As a result, on a system with nested==on every creation+deletion of an
L1 vcpu without running an L2 guest results in leaking one vpid.  Since
the total number of vpids is limited to 64k, they can eventually get
exhausted, preventing L2 from starting.

Delay allocation of the L2 vpid until VMXON emulation, thus matching its
freeing.

Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
Cc: sta...@vger.kernel.org
Signed-off-by: Roman Kagan 
Signed-off-by: Paolo Bonzini 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kvm/vmx.c |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7354,6 +7354,8 @@ static int enter_vmx_operation(struct kv
 HRTIMER_MODE_REL_PINNED);
vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
 
+   vmx->nested.vpid02 = allocate_vpid();
+
vmx->nested.vmxon = true;
return 0;
 
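Review bot: In enter_vmx_operation() the result of allocate_vpid() is stored in vmx->nested.vpid02 without any check, immediately before vmxon is set and 0 is returned. The changelog notes that the pool is limited to 64k ids, so please document what value vpid02 gets when no id is available and that L2 entry copes with it, or fail VMXON emulation at this point.
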
@@ -9802,10 +9804,8 @@ static struct kvm_vcpu *vmx_create_vcpu(
goto free_vmcs;
}
 
-   if (nested) {
+   if (nested)
nested_vmx_setup_ctls_msrs(vmx);
-   vmx->nested.vpid02 = allocate_vpid();
-   }
 
vmx->nested.posted_intr_nv = -1;
vmx->nested.current_vmptr = -1ull;
@@ -9822,7 +9822,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
return &vmx->vcpu;
 
 free_vmcs:
-   free_vpid(vmx->nested.vpid02);
free_loaded_vmcs(vmx->loaded_vmcs);
 free_msrs:
kfree(vmx->guest_msrs);




[PATCH 4.14 17/23] audit: fix potential null dereference context->module.name

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Yi Wang 

commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream.

The variable 'context->module.name' may be a null pointer when
kmalloc returns null, so it's better to check it before using it
to avoid a null dereference.
One more thing this patch does is use kstrdup instead
of (kmalloc + strcpy), and signal a lost record via audit_log_lost.

Cc: sta...@vger.kernel.org # 4.11
Signed-off-by: Yi Wang 
Reviewed-by: Jiang Biao 
Reviewed-by: Richard Guy Briggs 
Signed-off-by: Paul Moore 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/auditsc.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1274,8 +1274,12 @@ static void show_special(struct audit_co
break;
case AUDIT_KERN_MODULE:
audit_log_format(ab, "name=");
-   audit_log_untrustedstring(ab, context->module.name);
-   kfree(context->module.name);
+   if (context->module.name) {
+   audit_log_untrustedstring(ab, context->module.name);
+   kfree(context->module.name);
+   } else
+   audit_log_format(ab, "(null)");
+
break;
}
audit_log_end(ab);
@@ -2387,8 +2391,9 @@ void __audit_log_kern_module(char *name)
 {
struct audit_context *context = current->audit_context;
 
-   context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
-   strcpy(context->module.name, name);
+   context->module.name = kstrdup(name, GFP_KERNEL);
+   if (!context->module.name)
+   audit_log_lost("out of memory in __audit_log_kern_module");
context->type = AUDIT_KERN_MODULE;
 }
 
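
Review bot: When kstrdup() fails in __audit_log_kern_module(), the function calls audit_log_lost() but still falls through to "context->type = AUDIT_KERN_MODULE", so a record is counted as lost and a module record with name=(null) is also emitted by the show_special() hunk above. Please decide which of the two is intended: either return after audit_log_lost() and leave context->type untouched, or drop the lost-record accounting and keep the (null) record.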




[PATCH 4.14 19/23] iwlwifi: add more card IDs for 9000 series

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Emmanuel Grumbach 

commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream.

Add new device IDs for the 9000 series.

Cc: sta...@vger.kernel.org # 4.14
Signed-off-by: Emmanuel Grumbach 
Signed-off-by: Kalle Valo 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/intel/iwlwifi/cfg/9000.c   |   69 
 drivers/net/wireless/intel/iwlwifi/iwl-config.h |5 +
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c   |   22 +++
 3 files changed, 96 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
@@ -177,6 +177,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = {
.max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
 };
 
+const struct iwl_cfg iwl9260_killer_2ac_cfg = {
+   .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter 
(9260NGW)",
+   .fw_name_pre = IWL9260A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+};
+
 const struct iwl_cfg iwl9270_2ac_cfg = {
.name = "Intel(R) Dual Band Wireless AC 9270",
.fw_name_pre = IWL9260A_FW_PRE,
@@ -266,6 +277,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc
.soc_latency = 5000,
 };
 
+const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = {
+   .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+};
+
+const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = {
+   .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+};
+
 const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = {
.name = "Intel(R) Dual Band Wireless AC 9460",
.fw_name_pre = IWL9000A_FW_PRE,
@@ -316,6 +355,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_sha
.fw_name_pre = IWL9000A_FW_PRE,
.fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
.fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+   .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
+};
+
+const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = {
+   .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
+   IWL_DEVICE_9000,
+   .ht_params = &iwl9000_ht_params,
+   .nvm_ver = IWL9000_NVM_VERSION,
+   .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
+   .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+   .integrated = true,
+   .soc_latency = 5000,
+   .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
+};
+
+const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = {
+   .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter 
(9560NGW)",
+   .fw_name_pre = IWL9000A_FW_PRE,
+   .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
+   .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
IWL_DEVICE_9000,
.ht_params = &iwl9000_ht_params,
.nvm_ver = IWL9000_NVM_VERSION,
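
Review bot: The last struct added in this hunk, iwl9560_killer_s_2ac_cfg_shared_clk, is only opened by the '+' lines; its tail, from IWL_DEVICE_9000 onward, comes from unchanged context that previously belonged to the struct whose head is in the leading context. For this backport please check that the existing tail in the 4.14 tree ends with .integrated, .soc_latency and .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK, as the other shared_clk entries added above do, because those lines fall outside the three context lines shown and a mismatch would still apply cleanly.
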
--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
@@ -470,6 +470,7 @@ extern const struct iwl_cfg iwl8265_2ac_
 extern const struct iwl_cfg iwl4165_2ac_sdio_cfg;
 extern const struct iwl_cfg iwl9160_2ac_cfg;
 extern const struct iwl_cfg iwl9260_2ac_cfg;
+extern const struct iwl_cfg iwl9260_killer_2ac_cfg;
 extern const struct iwl_cfg iwl9270_2ac_cfg;
 extern const struct iwl_cfg iwl9460_2ac_cfg;
 extern const struct iwl_cfg iwl9560_2ac_cfg;
@@ -477,10 +478,14 @@ extern const struct iwl_cfg iwl9460_2ac_
 extern const struct iwl_cfg iwl9461_2ac_cfg_soc;
 extern const struct iw

[PATCH 4.9 13/32] tcp: do not aggressively quick ack after ECN events

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 522040ea5fdd1c33bbf75e1d7c7c0422b96a94ef ]

ECN signals currently force TCP to enter quickack mode for
up to 16 (TCP_MAX_QUICKACKS) following incoming packets.

We believe this is not needed, and only sending one immediate ack
for the current packet should be enough.

This should reduce the extra load noticed in DCTCP environments,
after congestion events.

This is part 2 of our effort to reduce pure ACK packets.

Signed-off-by: Eric Dumazet 
Acked-by: Soheil Hassas Yeganeh 
Acked-by: Yuchung Cheng 
Acked-by: Neal Cardwell 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_input.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -259,7 +259,7 @@ static void __tcp_ecn_check_ce(struct tc
 * it is probably a retransmit.
 */
if (tp->ecn_flags & TCP_ECN_SEEN)
-   tcp_enter_quickack_mode((struct sock *)tp, 
TCP_MAX_QUICKACKS);
+   tcp_enter_quickack_mode((struct sock *)tp, 1);
break;
case INET_ECN_CE:
if (tcp_ca_needs_ecn((struct sock *)tp))
@@ -267,7 +267,7 @@ static void __tcp_ecn_check_ce(struct tc
 
if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) {
/* Better not delay acks, sender can have a very low 
cwnd */
-   tcp_enter_quickack_mode((struct sock *)tp, 
TCP_MAX_QUICKACKS);
+   tcp_enter_quickack_mode((struct sock *)tp, 1);
tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
}
tp->ecn_flags |= TCP_ECN_SEEN;
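
Review bot: The literal 1 now passed to tcp_enter_quickack_mode() at both call sites in __tcp_ecn_check_ce() is unexplained in the code, and the retained comment "Better not delay acks, sender can have a very low cwnd" no longer says how many ACKs are forced. Suggest extending that comment to state that only the current packet is acked immediately, so the choice of 1 over TCP_MAX_QUICKACKS is not taken for a mistake later.
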




[PATCH 4.14 00/23] 4.14.61-stable review

2018-08-04 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.14.61 release.
There are 23 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Mon Aug  6 08:26:30 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.61-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.14.61-rc1

Tony Battersby 
scsi: sg: fix minor memory leak in error path

Boris Brezillon 
drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats

Herbert Xu 
crypto: padlock-aes - Fix Nano workaround data corruption

Jack Morgenstein 
RDMA/uverbs: Expand primary and alt AV port checks

Emmanuel Grumbach 
iwlwifi: add more card IDs for 9000 series

Mike Rapoport 
userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails

Yi Wang 
audit: fix potential null dereference 'context->module.name'

Roman Kagan 
kvm: x86: vmx: fix vpid leak

Andy Lutomirski 
x86/entry/64: Remove %ebx handling from error_entry/exit

Len Brown 
x86/apic: Future-proof the TSC_DEADLINE quirk for SKX

Jiang Biao 
virtio_balloon: fix another race between migration and ballooning

Jeremy Cline 
net: socket: fix potential spectre v1 gadget in socketcall

Anton Vasilyev 
can: ems_usb: Fix memory leak on ems_usb_disconnect()

Linus Torvalds 
squashfs: more metadata hardenings

Linus Torvalds 
squashfs: more metadata hardening

Eli Cohen 
net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager

YueHaibing 
rxrpc: Fix user call ID check in rxrpc_service_prealloc_one

Jose Abreu 
net: stmmac: Fix WoL for PCI-based setups

Jeremy Cline 
netlink: Fix spectre v1 gadget in netlink_create()

Florian Fainelli 
net: dsa: Do not suspend/resume closed slave_dev

Eric Dumazet 
ipv4: frags: handle possible skb truesize change

Eric Dumazet 
inet: frag: enforce memory limits earlier

Eric Dumazet 
bonding: avoid lockdep confusion in bond_get_stats()


-

Diffstat:

 Makefile  |  4 +-
 arch/x86/entry/entry_64.S | 18 ++
 arch/x86/kernel/apic/apic.c   |  3 +
 arch/x86/kvm/vmx.c|  7 +--
 drivers/crypto/padlock-aes.c  |  8 ++-
 drivers/gpu/drm/vc4/vc4_plane.c   |  3 +
 drivers/infiniband/core/uverbs_cmd.c  | 59 +--
 drivers/net/bonding/bond_main.c   | 14 -
 drivers/net/can/usb/ems_usb.c |  1 +
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c |  4 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c  | 40 -
 drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 69 +++
 drivers/net/wireless/intel/iwlwifi/iwl-config.h   |  5 ++
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 
 drivers/scsi/sg.c |  1 +
 drivers/virtio/virtio_balloon.c   |  2 +
 fs/squashfs/block.c   |  2 +
 fs/squashfs/fragment.c| 13 +++--
 fs/squashfs/squashfs_fs_sb.h  |  1 +
 fs/squashfs/super.c   |  5 +-
 fs/userfaultfd.c  |  4 +-
 kernel/auditsc.c  | 13 +++--
 net/dsa/slave.c   |  6 ++
 net/ipv4/inet_fragment.c  | 10 ++--
 net/ipv4/ip_fragment.c|  5 ++
 net/netlink/af_netlink.c  |  2 +
 net/rxrpc/call_accept.c   |  4 +-
 net/socket.c  |  2 +
 28 files changed, 276 insertions(+), 51 deletions(-)




[PATCH 4.9 01/32] ipv4: remove BUG_ON() from fib_compute_spec_dst

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Lorenzo Bianconi 

[ Upstream commit 9fc12023d6f51551d6ca9ed7e02ecc19d79caf17 ]

Remove BUG_ON() from fib_compute_spec_dst routine and check
in_dev pointer during flowi4 data structure initialization.
fib_compute_spec_dst routine can be run concurrently with device removal
where ip_ptr net_device pointer is set to NULL. This can happen
if userspace enables pkt info on UDP rx socket and the device
is removed while traffic is flowing

Fixes: 35ebf65e851c ("ipv4: Create and use fib_compute_spec_dst() helper")
Signed-off-by: Lorenzo Bianconi 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/fib_frontend.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -282,19 +282,19 @@ __be32 fib_compute_spec_dst(struct sk_bu
return ip_hdr(skb)->daddr;
 
in_dev = __in_dev_get_rcu(dev);
-   BUG_ON(!in_dev);
 
net = dev_net(dev);
 
scope = RT_SCOPE_UNIVERSE;
if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
+   bool vmark = in_dev && IN_DEV_SRC_VMARK(in_dev);
struct flowi4 fl4 = {
.flowi4_iif = LOOPBACK_IFINDEX,
.flowi4_oif = l3mdev_master_ifindex_rcu(dev),
.daddr = ip_hdr(skb)->saddr,
.flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
.flowi4_scope = scope,
-   .flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0,
+   .flowi4_mark = vmark ? skb->mark : 0,
};
if (!fib_lookup(net, &fl4, &res, 0))
return FIB_RES_PREFSRC(net, res);
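
Review bot: With BUG_ON(!in_dev) gone, in_dev can be NULL for the rest of fib_compute_spec_dst(), and the only guard visible here is the new `vmark` initialiser. Any other use of in_dev further down the function needs the same NULL check. A one-line comment next to __in_dev_get_rcu() saying that the device can be removed concurrently would also keep someone from reintroducing an unchecked dereference.
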




[PATCH 4.14 09/23] squashfs: more metadata hardening

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Linus Torvalds 

commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.

Anatoly reports another squashfs fuzzing issue, where the decompression
parameters themselves are in a compressed block.

This causes squashfs_read_data() to be called in order to read the
decompression options before the decompression stream having been set
up, making squashfs go sideways.

Reported-by: Anatoly Trosinenko 
Acked-by: Phillip Lougher 
Cc: sta...@kernel.org
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/squashfs/block.c |2 ++
 1 file changed, 2 insertions(+)

--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_bloc
}
 
if (compressed) {
+   if (!msblk->stream)
+   goto read_failure;
length = squashfs_decompress(msblk, bh, b, offset, length,
output);
if (length < 0)
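
Review bot: The new `if (!msblk->stream)` test in the `compressed` branch carries no comment, so nothing tells the reader when the stream can be unset at this point. Suggest a short comment that this covers a compressed read issued before the decompressor has been set up (the case described in the changelog). Please also check that the read_failure path reports the block, so a malformed image can be told apart from an I/O error.
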




[PATCH 4.9 10/32] netlink: Dont shift with UB on nlk->ngroups

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dmitry Safonov 

[ Upstream commit 61f4b23769f0cc72ae62c9a81cf08f0397d40da8 ]

On i386 nlk->ngroups might be 32 or 0. Which leads to UB, resulting in
hang during boot.
Check for 0 ngroups and use (unsigned long long) as a type to shift.

Fixes: 7acf9d4237c4 ("netlink: Do not subscribe to non-existent groups").
Reported-by: kernel test robot 
Signed-off-by: Dmitry Safonov 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/netlink/af_netlink.c |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -983,7 +983,11 @@ static int netlink_bind(struct socket *s
if (err)
return err;
}
-   groups &= (1UL << nlk->ngroups) - 1;
+
+   if (nlk->ngroups == 0)
+   groups = 0;
+   else
+   groups &= (1ULL << nlk->ngroups) - 1;
 
bound = nlk->bound;
if (bound) {
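
Review bot: The widened shift `1ULL << nlk->ngroups` is still undefined when ngroups is 64, and nothing in this hunk bounds ngroups from above. Suggest skipping the mask when ngroups covers every bit of the type, or adding a comment naming where ngroups is limited. The `ngroups == 0` branch yields the same value the mask would, since `(1ULL << 0) - 1` is 0, so it is the type change and not that branch that removes the undefined shift for 32.
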




[PATCH 4.9 12/32] tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 9a9c9b51e54618861420093ae6e9b50a961914c5 ]

We want to add finer control of the number of ACK packets sent after
ECN events.

This patch is not changing current behavior, it only enables following
change.

Signed-off-by: Eric Dumazet 
Acked-by: Soheil Hassas Yeganeh 
Acked-by: Neal Cardwell 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/tcp.h|2 +-
 net/ipv4/tcp_dctcp.c |4 ++--
 net/ipv4/tcp_input.c |   24 +---
 3 files changed, 16 insertions(+), 14 deletions(-)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -363,7 +363,7 @@ ssize_t tcp_splice_read(struct socket *s
struct pipe_inode_info *pipe, size_t len,
unsigned int flags);
 
-void tcp_enter_quickack_mode(struct sock *sk);
+void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks);
 static inline void tcp_dec_quickack_mode(struct sock *sk,
 const unsigned int pkts)
 {
--- a/net/ipv4/tcp_dctcp.c
+++ b/net/ipv4/tcp_dctcp.c
@@ -138,7 +138,7 @@ static void dctcp_ce_state_0_to_1(struct
 */
if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER)
__tcp_send_ack(sk, ca->prior_rcv_nxt);
-   tcp_enter_quickack_mode(sk);
+   tcp_enter_quickack_mode(sk, 1);
}
 
ca->prior_rcv_nxt = tp->rcv_nxt;
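
Review bot: The call in dctcp_ce_state_0_to_1(), like the one in dctcp_ce_state_1_to_0() in the next hunk, passes 1 as max_quickacks while every converted caller in tcp_input.c passes TCP_MAX_QUICKACKS, which does not match the changelog's statement that current behavior is unchanged. Either pass TCP_MAX_QUICKACKS here and lower it in the follow-up patch, or say in the changelog that DCTCP state changes now request a single quick ACK.
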
@@ -159,7 +159,7 @@ static void dctcp_ce_state_1_to_0(struct
 */
if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER)
__tcp_send_ack(sk, ca->prior_rcv_nxt);
-   tcp_enter_quickack_mode(sk);
+   tcp_enter_quickack_mode(sk, 1);
}
 
ca->prior_rcv_nxt = tp->rcv_nxt;
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -198,21 +198,23 @@ static void tcp_measure_rcv_mss(struct s
}
 }
 
-static void tcp_incr_quickack(struct sock *sk)
+static void tcp_incr_quickack(struct sock *sk, unsigned int max_quickacks)
 {
struct inet_connection_sock *icsk = inet_csk(sk);
unsigned int quickacks = tcp_sk(sk)->rcv_wnd / (2 * 
icsk->icsk_ack.rcv_mss);
 
if (quickacks == 0)
quickacks = 2;
+   quickacks = min(quickacks, max_quickacks);
if (quickacks > icsk->icsk_ack.quick)
-   icsk->icsk_ack.quick = min(quickacks, TCP_MAX_QUICKACKS);
+   icsk->icsk_ack.quick = quickacks;
 }
 
-void tcp_enter_quickack_mode(struct sock *sk)
+void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks)
 {
struct inet_connection_sock *icsk = inet_csk(sk);
-   tcp_incr_quickack(sk);
+
+   tcp_incr_quickack(sk, max_quickacks);
icsk->icsk_ack.pingpong = 0;
icsk->icsk_ack.ato = TCP_ATO_MIN;
 }
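
Review bot: The new max_quickacks parameter of tcp_incr_quickack() and tcp_enter_quickack_mode() is undocumented, and the clamp `quickacks = min(quickacks, max_quickacks);` now runs before the comparison with icsk_ack.quick instead of at the assignment. A short comment should state that the value is an upper bound on newly granted quick ACKs, that it never lowers a larger count already held in icsk_ack.quick, and that passing 0 leaves the counter untouched.
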
@@ -257,7 +259,7 @@ static void __tcp_ecn_check_ce(struct tc
 * it is probably a retransmit.
 */
if (tp->ecn_flags & TCP_ECN_SEEN)
-   tcp_enter_quickack_mode((struct sock *)tp);
+   tcp_enter_quickack_mode((struct sock *)tp, 
TCP_MAX_QUICKACKS);
break;
case INET_ECN_CE:
if (tcp_ca_needs_ecn((struct sock *)tp))
@@ -265,7 +267,7 @@ static void __tcp_ecn_check_ce(struct tc
 
if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) {
/* Better not delay acks, sender can have a very low 
cwnd */
-   tcp_enter_quickack_mode((struct sock *)tp);
+   tcp_enter_quickack_mode((struct sock *)tp, 
TCP_MAX_QUICKACKS);
tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
}
tp->ecn_flags |= TCP_ECN_SEEN;
@@ -675,7 +677,7 @@ static void tcp_event_data_recv(struct s
/* The _first_ data packet received, initialize
 * delayed ACK engine.
 */
-   tcp_incr_quickack(sk);
+   tcp_incr_quickack(sk, TCP_MAX_QUICKACKS);
icsk->icsk_ack.ato = TCP_ATO_MIN;
} else {
int m = now - icsk->icsk_ack.lrcvtime;
@@ -691,7 +693,7 @@ static void tcp_event_data_recv(struct s
/* Too long gap. Apparently sender failed to
 * restart window, so that we send ACKs quickly.
 */
-   tcp_incr_quickack(sk);
+   tcp_incr_quickack(sk, TCP_MAX_QUICKACKS);
sk_mem_reclaim(sk);
}
}
@@ -4210,7 +4212,7 @@ static void tcp_send_dupack(struct sock
if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&
before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);
-   tcp_enter_quickack_mode(

[PATCH 4.9 11/32] tcp: do not force quickack when receiving out-of-order packets

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit a3893637e1eb0ef5eb1bbc52b3a8d2dfa317a35d ]

As explained in commit 9f9843a751d0 ("tcp: properly handle stretch
acks in slow start"), TCP stacks have to consider how many packets
are acknowledged in one single ACK, because of GRO, but also
because of ACK compression or losses.

We plan to add SACK compression in the following patch, we
must therefore not call tcp_enter_quickack_mode()

Signed-off-by: Eric Dumazet 
Acked-by: Neal Cardwell 
Acked-by: Soheil Hassas Yeganeh 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_input.c |2 --
 1 file changed, 2 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4745,8 +4745,6 @@ drop:
if (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt + tcp_receive_window(tp)))
goto out_of_window;
 
-   tcp_enter_quickack_mode(sk);
-
if (before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
/* Partial packet, seq < rcv_next < end_seq */
SOCK_DEBUG(sk, "partial packet: rcv_next %X seq %X - %X\n",




[PATCH 4.9 02/32] net: ena: Fix use of uninitialized DMA address bits field

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Gal Pressman 

[ Upstream commit 101f0cd4f2216d32f1b8a75a2154cf3997484ee2 ]

UBSAN triggers the following undefined behaviour warnings:
[...]
[   13.236124] UBSAN: Undefined behaviour in 
drivers/net/ethernet/amazon/ena/ena_eth_com.c:468:22
[   13.240043] shift exponent 64 is too large for 64-bit type 'long long 
unsigned int'
[...]
[   13.744769] UBSAN: Undefined behaviour in 
drivers/net/ethernet/amazon/ena/ena_eth_com.c:373:4
[   13.748694] shift exponent 64 is too large for 64-bit type 'long long 
unsigned int'
[...]

When splitting the address to high and low, GENMASK_ULL is used to generate
a bitmask with dma_addr_bits field from io_sq (in ena_com_prepare_tx and
ena_com_add_single_rx_desc).
The problem is that dma_addr_bits is not initialized with a proper value
(besides being cleared in ena_com_create_io_queue).
Assign dma_addr_bits the correct value that is stored in ena_dev when
initializing the SQ.

Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network 
Adapters (ENA)")
Signed-off-by: Gal Pressman 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/amazon/ena/ena_com.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -331,6 +331,7 @@ static int ena_com_init_io_sq(struct ena
 
memset(&io_sq->desc_addr, 0x0, sizeof(struct ena_com_io_desc_addr));
 
+   io_sq->dma_addr_bits = ena_dev->dma_addr_bits;
io_sq->desc_entry_size =
(io_sq->direction == ENA_COM_IO_QUEUE_DIRECTION_TX) ?
sizeof(struct ena_eth_io_tx_desc) :
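
Review bot: The new assignment in ena_com_init_io_sq() copies ena_dev->dma_addr_bits without checking it, so if the device-level value has not been set by the time a queue is created, io_sq->dma_addr_bits is 0 again and the out-of-range shift from the UBSAN report comes back. Suggest validating the value here, or where ena_dev->dma_addr_bits is first set, and failing queue creation when it is outside the range the mask macro accepts.
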




[PATCH 4.9 19/32] inet: frag: enforce memory limits earlier

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]

We currently check current frags memory usage only when
a new frag queue is created. This allows attackers to first
consume the memory budget (default : 4 MB) creating thousands
of frag queues, then sending tiny skbs to exceed high_thresh
limit by 2 to 3 orders of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables
for reassembly units"), work queue could be starved under DOS,
getting no cpu cycles.
After commit 648700f76b03, only the per frag queue timer can eventually
remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet 
Reported-by: Jann Horn 
Cc: Florian Westphal 
Cc: Peter Oskolkov 
Cc: Paolo Abeni 
Acked-by: Florian Westphal 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/inet_fragment.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag
 {
struct inet_frag_queue *q;
 
-   if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
-   inet_frag_schedule_worker(f);
-   return NULL;
-   }
-
q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
if (!q)
return NULL;
@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(s
struct inet_frag_queue *q;
int depth = 0;
 
+   if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+   inet_frag_schedule_worker(f);
+   return NULL;
+   }
+
if (frag_mem_limit(nf) > nf->low_thresh)
inet_frag_schedule_worker(f);
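
Review bot: Moving the high_thresh test to the top of inet_frag_find() makes it run before any lookup, so fragments that belong to an already existing queue are refused as well while usage is above the limit. That matches the changelog, but it is a visible change for in-progress reassemblies and should be stated in a comment above the check.
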
 




[PATCH 4.14 23/23] scsi: sg: fix minor memory leak in error path

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Tony Battersby 

commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.

Fix a minor memory leak when there is an error opening a /dev/sg device.

Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
Cc: 
Reviewed-by: Ewan D. Milne 
Signed-off-by: Tony Battersby 
Reviewed-by: Bart Van Assche 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
write_lock_irqsave(&sdp->sfd_lock, iflags);
if (atomic_read(&sdp->detaching)) {
write_unlock_irqrestore(&sdp->sfd_lock, iflags);
+   kfree(sfp);
return ERR_PTR(-ENODEV);
}
list_add_tail(&sfp->sfd_siblings, &sdp->sfds);




[PATCH 4.14 04/23] net: dsa: Do not suspend/resume closed slave_dev

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Fainelli 

[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]

If a DSA slave network device was previously disabled, there is no need
to suspend or resume it.

Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement 
suspend/resume hooks")
Signed-off-by: Florian Fainelli 
Reviewed-by: Andrew Lunn 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/dsa/slave.c |6 ++
 1 file changed, 6 insertions(+)

--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1219,6 +1219,9 @@ int dsa_slave_suspend(struct net_device
 {
struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+   if (!netif_running(slave_dev))
+   return 0;
+
netif_device_detach(slave_dev);
 
if (p->phy) {
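
Review bot: The early `return 0` added to dsa_slave_suspend(), and to dsa_slave_resume() in the next hunk, has no comment and skips the `if (p->phy)` handling below it as well as the detach/attach call. Suggest a one-line comment that a closed port has nothing to suspend, and please confirm that the close path has already quiesced the PHY so that skipping it here is safe.
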
@@ -1236,6 +1239,9 @@ int dsa_slave_resume(struct net_device *
 {
struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+   if (!netif_running(slave_dev))
+   return 0;
+
netif_device_attach(slave_dev);
 
if (p->phy) {




[PATCH 4.9 18/32] bonding: avoid lockdep confusion in bond_get_stats()

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ]

syzbot found that the following sequence produces a LOCKDEP splat [1]

ip link add bond10 type bond
ip link add bond11 type bond
ip link set bond11 master bond10

To fix this, we can use the already provided nest_level.

This patch also provides correct nesting for dev->addr_list_lock

[1]
WARNING: possible recursive locking detected
4.18.0-rc6+ #167 Not tainted

syz-executor751/4439 is trying to acquire lock:
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock 
include/linux/spinlock.h:310 [inline]
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: 
bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426

but task is already holding lock:
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock 
include/linux/spinlock.h:310 [inline]
(ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: 
bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(&(&bond->stats_lock)->rlock);
  lock(&(&bond->stats_lock)->rlock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz-executor751/4439:
 #0: (ptrval) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 
net/core/rtnetlink.c:77
 #1: (ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock 
include/linux/spinlock.h:310 [inline]
 #1: (ptrval) (&(&bond->stats_lock)->rlock){+.+.}, at: 
bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
 #2: (ptrval) (rcu_read_lock){}, at: bond_get_stats+0x0/0x560 
include/linux/compiler.h:215

stack backtrace:
CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
 check_deadlock kernel/locking/lockdep.c:1809 [inline]
 validate_chain kernel/locking/lockdep.c:2405 [inline]
 __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
 dev_get_stats+0x10f/0x470 net/core/dev.c:8316
 bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
 dev_get_stats+0x10f/0x470 net/core/dev.c:8316
 rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
 rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
 rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
 rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
 rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
 rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
 call_netdevice_notifiers net/core/dev.c:1753 [inline]
 netdev_features_change net/core/dev.c:1321 [inline]
 netdev_change_features+0xb3/0x110 net/core/dev.c:7759
 bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
 bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
 bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
 dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
 dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
 sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
 sock_ioctl+0x30d/0x680 net/socket.c:1093
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440859
Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffc51a92878 EFLAGS: 0213 ORIG_RAX: 0010
RAX: ffda RBX:  RCX: 00440859
RDX: 2040 RSI: 8990 RDI: 0003
RBP:  R08: 004002c8 R09: 004002c8
R10: 022d5880 R11: 0213 R12: 7390
R13: 00401db0 R14:  R15: 

Signed-off-by: Eric Dumazet 
Cc: Jay Vosburgh 
Cc: Veaceslav Falico 
Cc

[PATCH 4.14 08/23] net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Eli Cohen 

[ Upstream commit 5f5991f36dce1e69dd8bd7495763eec2e28f08e7 ]

Execute mlx5_eswitch_init() only if we have MLX5_ESWITCH_MANAGER
capabilities.
Do the same for mlx5_eswitch_cleanup().

Fixes: a9f7705ffd66 ("net/mlx5: Unify vport manager capability check")
Signed-off-by: Eli Cohen 
Signed-off-by: Saeed Mahameed 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1616,7 +1616,7 @@ int mlx5_eswitch_init(struct mlx5_core_d
int vport_num;
int err;
 
-   if (!MLX5_VPORT_MANAGER(dev))
+   if (!MLX5_ESWITCH_MANAGER(dev))
return 0;
 
esw_info(dev,
@@ -1689,7 +1689,7 @@ abort:
 
 void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
 {
-   if (!esw || !MLX5_VPORT_MANAGER(esw->dev))
+   if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev))
return;
 
esw_info(esw->dev, "cleanup\n");




[PATCH 4.9 16/32] pinctrl: intel: Read back TX buffer state

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Andy Shevchenko 
Date: Thu, 24 Aug 2017 11:19:33 +0300
Subject: [PATCH 4.9 16/32] pinctrl: intel: Read back TX buffer state

From: Andy Shevchenko 

commit d68b42e30bbacd24354d644f430d088435b15e83 upstream.

In the same way as it's done in pinctrl-cherryview.c we would provide
a readback TX buffer state.

Fixes: 17fab473693 ("pinctrl: intel: Set pin direction properly")
Reported-by: "Bourque, Francis" 
Signed-off-by: Andy Shevchenko 
Acked-by: Mika Westerberg 
Tested-by: "Bourque, Francis" 
Signed-off-by: Linus Walleij 
Cc: Anthony de Boer 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pinctrl/intel/pinctrl-intel.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -604,12 +604,17 @@ static int intel_gpio_get(struct gpio_ch
 {
struct intel_pinctrl *pctrl = gpiochip_get_data(chip);
void __iomem *reg;
+   u32 padcfg0;
 
reg = intel_get_padcfg(pctrl, offset, PADCFG0);
if (!reg)
return -EINVAL;
 
-   return !!(readl(reg) & PADCFG0_GPIORXSTATE);
+   padcfg0 = readl(reg);
+   if (!(padcfg0 & PADCFG0_GPIOTXDIS))
+   return !!(padcfg0 & PADCFG0_GPIOTXSTATE);
+
+   return !!(padcfg0 & PADCFG0_GPIORXSTATE);
 }
 
 static void intel_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
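
Review bot: The new branch on PADCFG0_GPIOTXDIS in intel_gpio_get() is uncommented, and the negated "disable" bit is easy to misread. Suggest a comment above the `if` along the lines of "TX buffer enabled: report the driven value", so it is clear that the RX state is returned only when the pad is not driving the line.
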




[PATCH 4.14 03/23] ipv4: frags: handle possible skb truesize change

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]

ip_frag_queue() might call pskb_pull() on one skb that
is already in the fragment queue.

We need to take care of possible truesize change, or we
might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4,
amended by Errata ID 3089 states :

  When reassembling an IPv6 datagram, if
  one or more its constituent fragments is determined to be an
  overlapping fragment, the entire datagram (and any constituent
  fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/ip_fragment.c |5 +
 1 file changed, 5 insertions(+)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -447,11 +447,16 @@ found:
int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
 
if (i < next->len) {
+   int delta = -next->truesize;
+
/* Eat head of the next overlapped fragment
 * and leave the loop. The next ones cannot overlap.
 */
if (!pskb_pull(next, i))
goto err;
+   delta += next->truesize;
+   if (delta)
+   add_frag_mem_limit(qp->q.net, delta);
FRAG_CB(next)->offset += i;
qp->q.meat -= i;
if (next->ip_summed != CHECKSUM_UNNECESSARY)
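
Review bot: The truesize adjustment is applied only when pskb_pull() succeeds; on the `goto err` path `delta` is never completed and add_frag_mem_limit() is not called. Please confirm that next->truesize cannot have changed when pskb_pull() returns failure, or compute `delta` and adjust the limit before the error check so that both paths stay balanced.
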




[PATCH 4.9 17/32] sched/wait: Remove the lockless swait_active() check in swake_up*()

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Boqun Feng 

commit 35a2897c2a306cca344ca5c0b43416707018f434 upstream.

Steven Rostedt reported a potential race in RCU core because of
swake_up():

  CPU0                              CPU1

                                    __call_rcu_core() {

                                     spin_lock(rnp_root)
                                     need_wake = __rcu_start_gp() {
                                      rcu_start_gp_advanced() {
                                       gp_flags = FLAG_INIT
                                      }
                                     }

   rcu_gp_kthread() {
     swait_event_interruptible(wq,
          gp_flags & FLAG_INIT) {
     spin_lock(q->lock)

                                    *fetch wq->task_list here! *

     list_add(wq->task_list, q->task_list)
     spin_unlock(q->lock);

     *fetch old value of gp_flags here *

                                     spin_unlock(rnp_root)

                                     rcu_gp_kthread_wake() {
                                      swake_up(wq) {
                                       swait_active(wq) {
                                        list_empty(wq->task_list)

                                       } * return false *

    if (condition) * false *
      schedule();

In this case, a wakeup is missed, which could cause the rcu_gp_kthread
to wait for a long time.

The reason of this is that we do a lockless swait_active() check in
swake_up(). To fix this, we can either 1) add a smp_mb() in swake_up()
before swait_active() to provide the proper order or 2) simply remove
the swait_active() in swake_up().

The solution 2 not only fixes this problem but also keeps the swait and
wait API as close as possible, as wake_up() doesn't provide a full
barrier and doesn't do a lockless check of the wait queue either.
Moreover, there are users already using swait_active() to do their quick
checks for the wait queues, so it makes less sense that swake_up() and
swake_up_all() do this on their own.

This patch then removes the lockless swait_active() check in swake_up()
and swake_up_all().

Reported-by: Steven Rostedt 
Signed-off-by: Boqun Feng 
Signed-off-by: Peter Zijlstra (Intel) 
Cc: Krister Johansen 
Cc: Linus Torvalds 
Cc: Paul E. McKenney 
Cc: Paul Gortmaker 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Link: http://lkml.kernel.org/r/20170615041828.zk3a3sfyudm5p6nl@tardis
Signed-off-by: Ingo Molnar 
Cc: David Chen 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/sched/swait.c |6 --
 1 file changed, 6 deletions(-)

--- a/kernel/sched/swait.c
+++ b/kernel/sched/swait.c
@@ -33,9 +33,6 @@ void swake_up(struct swait_queue_head *q
 {
unsigned long flags;
 
-   if (!swait_active(q))
-   return;
-
raw_spin_lock_irqsave(&q->lock, flags);
swake_up_locked(q);
raw_spin_unlock_irqrestore(&q->lock, flags);
@@ -51,9 +48,6 @@ void swake_up_all(struct swait_queue_hea
struct swait_queue *curr;
LIST_HEAD(tmp);
 
-   if (!swait_active(q))
-   return;
-
raw_spin_lock_irq(&q->lock);
list_splice_init(&q->task_list, &tmp);
while (!list_empty(&tmp)) {
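
Review bot: Once the `if (!swait_active(q)) return;` fast path is removed from swake_up() and swake_up_all(), nothing in the code records why it must not come back. Suggest a comment at the top of swake_up() saying that a caller wanting a lockless fast path has to do its own swait_active() check with the barrier that check requires.
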




[PATCH 4.9 14/32] tcp: refactor tcp_ecn_check_ce to remove sk type cast

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Yousuk Seung 

[ Upstream commit f4c9f85f3b2cb7669830cd04d0be61192a4d2436 ]

Refactor tcp_ecn_check_ce and __tcp_ecn_check_ce to accept struct sock*
instead of tcp_sock* to clean up type casts. This is a pure refactor
patch.

Signed-off-by: Yousuk Seung 
Signed-off-by: Neal Cardwell 
Signed-off-by: Yuchung Cheng 
Signed-off-by: Eric Dumazet 
Acked-by: Soheil Hassas Yeganeh 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_input.c |   26 ++
 1 file changed, 14 insertions(+), 12 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -250,8 +250,10 @@ static void tcp_ecn_withdraw_cwr(struct
tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;
 }
 
-static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
+static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
 {
+   struct tcp_sock *tp = tcp_sk(sk);
+
switch (TCP_SKB_CB(skb)->ip_dsfield & INET_ECN_MASK) {
case INET_ECN_NOT_ECT:
/* Funny extension: if ECT is not set on a segment,
@@ -259,31 +261,31 @@ static void __tcp_ecn_check_ce(struct tc
 * it is probably a retransmit.
 */
if (tp->ecn_flags & TCP_ECN_SEEN)
-   tcp_enter_quickack_mode((struct sock *)tp, 1);
+   tcp_enter_quickack_mode(sk, 1);
break;
case INET_ECN_CE:
-   if (tcp_ca_needs_ecn((struct sock *)tp))
-   tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_IS_CE);
+   if (tcp_ca_needs_ecn(sk))
+   tcp_ca_event(sk, CA_EVENT_ECN_IS_CE);
 
if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) {
/* Better not delay acks, sender can have a very low 
cwnd */
-   tcp_enter_quickack_mode((struct sock *)tp, 1);
+   tcp_enter_quickack_mode(sk, 1);
tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
}
tp->ecn_flags |= TCP_ECN_SEEN;
break;
default:
-   if (tcp_ca_needs_ecn((struct sock *)tp))
-   tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_NO_CE);
+   if (tcp_ca_needs_ecn(sk))
+   tcp_ca_event(sk, CA_EVENT_ECN_NO_CE);
tp->ecn_flags |= TCP_ECN_SEEN;
break;
}
 }
 
-static void tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
+static void tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
 {
-   if (tp->ecn_flags & TCP_ECN_OK)
-   __tcp_ecn_check_ce(tp, skb);
+   if (tcp_sk(sk)->ecn_flags & TCP_ECN_OK)
+   __tcp_ecn_check_ce(sk, skb);
 }
 
 static void tcp_ecn_rcv_synack(struct tcp_sock *tp, const struct tcphdr *th)
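
Review bot: tcp_ecn_check_ce() now calls tcp_sk(sk) for the flag test and __tcp_ecn_check_ce() calls it again to get tp, while tcp_ecn_rcv_synack() in the trailing context still takes struct tcp_sock *tp, so the ECN helpers end up with two calling conventions. That is harmless for a pure refactor, but the changelog should say that only the helpers which need sk are converted, or the rest should follow in a separate patch.
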
@@ -699,7 +701,7 @@ static void tcp_event_data_recv(struct s
}
icsk->icsk_ack.lrcvtime = now;
 
-   tcp_ecn_check_ce(tp, skb);
+   tcp_ecn_check_ce(sk, skb);
 
if (skb->len >= 128)
tcp_grow_window(sk, skb);
@@ -4456,7 +4458,7 @@ static void tcp_data_queue_ofo(struct so
u32 seq, end_seq;
bool fragstolen;
 
-   tcp_ecn_check_ce(tp, skb);
+   tcp_ecn_check_ce(sk, skb);
 
if (unlikely(tcp_try_rmem_schedule(sk, skb, skb->truesize))) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPOFODROP);




[PATCH 4.14 07/23] rxrpc: Fix user call ID check in rxrpc_service_prealloc_one

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: YueHaibing 

[ Upstream commit c01f6c9b3207e52fc9973a066a856ddf7a0538d8 ]

This only checks that the user call ID isn't already in use, hence it
should compare user_call_ID with xcall->user_call_ID, which is the current
node's user_call_ID.

Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Suggested-by: David Howells 
Signed-off-by: YueHaibing 
Signed-off-by: David Howells 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/rxrpc/call_accept.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -115,9 +115,9 @@ static int rxrpc_service_prealloc_one(st
while (*pp) {
parent = *pp;
xcall = rb_entry(parent, struct rxrpc_call, sock_node);
-   if (user_call_ID < call->user_call_ID)
+   if (user_call_ID < xcall->user_call_ID)
pp = &(*pp)->rb_left;
-   else if (user_call_ID > call->user_call_ID)
+   else if (user_call_ID > xcall->user_call_ID)
pp = &(*pp)->rb_right;
else
goto id_in_use;
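
Review bot: the changelog does not say what the old comparison against call->user_call_ID did wrong in practice. In this loop xcall is the node being visited, so the old code never compared the requested ID with the IDs already in the tree, and the id_in_use branch could not be relied on to catch a duplicate. Stating that consequence would make the case for stable clear.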




[PATCH 4.14 05/23] netlink: Fix spectre v1 gadget in netlink_create()

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]

'protocol' is a user-controlled value, so sanitize it after the bounds
check to avoid using it for speculative out-of-bounds access to arrays
indexed by it.

This addresses the following accesses detected with the help of smatch:

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_keys' [w]

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_key_strings' [w]

* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
  issue 'nl_table' [w] (local cap)

Cc: Josh Poimboeuf 
Signed-off-by: Jeremy Cline 
Reviewed-by: Josh Poimboeuf 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/netlink/af_netlink.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -63,6 +63,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -647,6 +648,7 @@ static int netlink_create(struct net *ne
 
if (protocol < 0 || protocol >= MAX_LINKS)
return -EPROTONOSUPPORT;
+   protocol = array_index_nospec(protocol, MAX_LINKS);
 
netlink_lock_table();
 #ifdef CONFIG_MODULES
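
Review bot: "protocol = array_index_nospec(protocol, MAX_LINKS);" only does its job because it sits directly after the bounds check and overwrites protocol, so every later array access in the function uses the clamped value. A one-line comment saying so would stop a later cleanup from moving the call below netlink_lock_table() or from keeping a second, unsanitized copy of the value.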




[PATCH 4.14 06/23] net: stmmac: Fix WoL for PCI-based setups

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jose Abreu 

[ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]

WoL won't work in PCI-based setups because we are not saving the PCI EP
state before entering suspend state and not allowing D3 wake.

Fix this by using a wrapper around stmmac_{suspend/resume} which
correctly sets the PCI EP state.

Signed-off-by: Jose Abreu 
Cc: David S. Miller 
Cc: Joao Pinto 
Cc: Giuseppe Cavallaro 
Cc: Alexandre Torgue 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c |   40 +--
 1 file changed, 38 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -257,7 +257,7 @@ static int stmmac_pci_probe(struct pci_d
return -ENOMEM;
 
/* Enable pci device */
-   ret = pcim_enable_device(pdev);
+   ret = pci_enable_device(pdev);
if (ret) {
dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
__func__);
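
Review bot: replacing pcim_enable_device() with pci_enable_device() drops the automatic disable on driver detach, and the only pci_disable_device() this patch adds outside the PM callbacks is in stmmac_pci_remove(). Failure returns in stmmac_pci_probe() after this point should disable the device as well, or the changelog should explain why that is not needed.
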
@@ -300,9 +300,45 @@ static int stmmac_pci_probe(struct pci_d
 static void stmmac_pci_remove(struct pci_dev *pdev)
 {
stmmac_dvr_remove(&pdev->dev);
+   pci_disable_device(pdev);
 }
 
-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
+static int stmmac_pci_suspend(struct device *dev)
+{
+   struct pci_dev *pdev = to_pci_dev(dev);
+   int ret;
+
+   ret = stmmac_suspend(dev);
+   if (ret)
+   return ret;
+
+   ret = pci_save_state(pdev);
+   if (ret)
+   return ret;
+
+   pci_disable_device(pdev);
+   pci_wake_from_d3(pdev, true);
+   return 0;
+}
+
+static int stmmac_pci_resume(struct device *dev)
+{
+   struct pci_dev *pdev = to_pci_dev(dev);
+   int ret;
+
+   pci_restore_state(pdev);
+   pci_set_power_state(pdev, PCI_D0);
+
+   ret = pci_enable_device(pdev);
+   if (ret)
+   return ret;
+
+   pci_set_master(pdev);
+
+   return stmmac_resume(dev);
+}
+
+static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
 
 /* synthetic ID, no official vendor */
 #define PCI_VENDOR_ID_STMMAC 0x700
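
Review bot: in stmmac_pci_suspend(), a failing pci_save_state() returns the error after stmmac_suspend() has already succeeded, so the MAC stays suspended while the caller is told the suspend failed. The error path should undo the first step with stmmac_resume(), or a comment should say why leaving it suspended is acceptable.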




[PATCH 4.14 02/23] inet: frag: enforce memory limits earlier

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]

We currently check current frags memory usage only when
a new frag queue is created. This allows attackers to first
consume the memory budget (default : 4 MB) creating thousands
of frag queues, then sending tiny skbs to exceed high_thresh
limit by 2 to 3 orders of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables
for reassembly units"), work queue could be starved under DOS,
getting no cpu cycles.
After commit 648700f76b03, only the per frag queue timer can eventually
remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet 
Reported-by: Jann Horn 
Cc: Florian Westphal 
Cc: Peter Oskolkov 
Cc: Paolo Abeni 
Acked-by: Florian Westphal 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/inet_fragment.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag
 {
struct inet_frag_queue *q;
 
-   if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
-   inet_frag_schedule_worker(f);
-   return NULL;
-   }
-
q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
if (!q)
return NULL;
@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(s
struct inet_frag_queue *q;
int depth = 0;
 
+   if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+   inet_frag_schedule_worker(f);
+   return NULL;
+   }
+
if (frag_mem_limit(nf) > nf->low_thresh)
inet_frag_schedule_worker(f);
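
Review bot: with the high_thresh test moved to the top of inet_frag_find(), fragments for queues that already exist are now dropped too while the netns is over budget. That is the purpose according to the changelog, but it is not obvious at the call site, so a short comment above the block would help. The comment should also mention that "!nf->high_thresh" now makes every lookup return NULL, not only queue creation.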
 




[PATCH 4.9 15/32] tcp: add one more quick ack after after ECN events

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 15ecbe94a45ef88491ca459b26efdd02f91edb6d ]

Larry Brakmo's proposal ( https://patchwork.ozlabs.org/patch/935233/
tcp: force cwnd at least 2 in tcp_cwnd_reduction) made us rethink
our recent patch removing ~16 quick acks after ECN events.

tcp_enter_quickack_mode(sk, 1) makes sure one immediate ack is sent,
but in the case the sender cwnd was lowered to 1, we do not want
to have a delayed ack for the next packet we will receive.

Fixes: 522040ea5fdd ("tcp: do not aggressively quick ack after ECN events")
Signed-off-by: Eric Dumazet 
Reported-by: Neal Cardwell 
Cc: Lawrence Brakmo 
Acked-by: Neal Cardwell 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_input.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -261,7 +261,7 @@ static void __tcp_ecn_check_ce(struct so
 * it is probably a retransmit.
 */
if (tp->ecn_flags & TCP_ECN_SEEN)
-   tcp_enter_quickack_mode(sk, 1);
+   tcp_enter_quickack_mode(sk, 2);
break;
case INET_ECN_CE:
if (tcp_ca_needs_ecn(sk))
@@ -269,7 +269,7 @@ static void __tcp_ecn_check_ce(struct so
 
if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) {
/* Better not delay acks, sender can have a very low 
cwnd */
-   tcp_enter_quickack_mode(sk, 1);
+   tcp_enter_quickack_mode(sk, 2);
tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
}
tp->ecn_flags |= TCP_ECN_SEEN;
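
Review bot: the literal 2 passed to tcp_enter_quickack_mode() carries the whole reasoning of this patch, but the only comment nearby still reads "Better not delay acks, sender can have a very low cwnd". Extend that comment to say that the second quick ack covers the next packet when the sender's cwnd was lowered to 1, as the changelog does, and add the same remark at the INET_ECN_NOT_ECT call in the first hunk.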




[PATCH 4.14 22/23] drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Boris Brezillon 

commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream.

This is needed to ensure ->is_unity is correct when the plane was
previously configured to output a multi-planar format with scaling
enabled, and is then being reconfigured to output a uniplanar format.

Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
Cc: 
Signed-off-by: Boris Brezillon 
Reviewed-by: Eric Anholt 
Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezil...@bootlin.com
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/vc4/vc4_plane.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/vc4/vc4_plane.c
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
@@ -352,6 +352,9 @@ static int vc4_plane_setup_clipping_and_
vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
+   } else {
+   vc4_state->x_scaling[1] = VC4_SCALING_NONE;
+   vc4_state->y_scaling[1] = VC4_SCALING_NONE;
}
 
vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
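
Review bot: the new else branch has no comment, and without the changelog it reads like redundant initialisation. Say at the assignment that x_scaling[1] and y_scaling[1] may hold stale values from an earlier multi-planar configuration and that the is_unity computation right below must not see them.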




[PATCH 4.14 20/23] RDMA/uverbs: Expand primary and alt AV port checks

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jack Morgenstein 

commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream.

The commit cited below checked that the port numbers provided in the
primary and alt AVs are legal.

That is sufficient to prevent a kernel panic. However, it is not
sufficient for correct operation.

In Linux, AVs (both primary and alt) must be completely self-described.
We do not accept an AV from userspace without an embedded port number.
(This has been the case since kernel 3.14 commit dbf727de7440
("IB/core: Use GID table in AH creation and dmac resolution")).

For the primary AV, this embedded port number must match the port number
specified with IB_QP_PORT.

We also expect the port number embedded in the alt AV to match the
alt_port_num value passed by the userspace driver in the modify_qp command
base structure.

Add these checks to modify_qp.

Cc:  # 4.16
Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it")
Signed-off-by: Jack Morgenstein 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/uverbs_cmd.c |   59 ---
 1 file changed, 54 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1981,15 +1981,64 @@ static int modify_qp(struct ib_uverbs_fi
goto release_qp;
}
 
-   if ((cmd->base.attr_mask & IB_QP_AV) &&
-   !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
-   ret = -EINVAL;
-   goto release_qp;
+   if ((cmd->base.attr_mask & IB_QP_AV)) {
+   if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
+   ret = -EINVAL;
+   goto release_qp;
+   }
+
+   if (cmd->base.attr_mask & IB_QP_STATE &&
+   cmd->base.qp_state == IB_QPS_RTR) {
+   /* We are in INIT->RTR TRANSITION (if we are not,
+* this transition will be rejected in subsequent checks).
+* In the INIT->RTR transition, we cannot have IB_QP_PORT set,
+* but the IB_QP_STATE flag is required.
+*
+* Since kernel 3.14 (commit dbf727de7440), the uverbs driver,
+* when IB_QP_AV is set, has required inclusion of a valid
+* port number in the primary AV. (AVs are created and handled
+* differently for infiniband and ethernet (RoCE) ports).
+*
+* Check the port number included in the primary AV against
+* the port number in the qp struct, which was set (and saved)
+* in the RST->INIT transition.
+*/
+   if (cmd->base.dest.port_num != qp->real_qp->port) {
+   ret = -EINVAL;
+   goto release_qp;
+   }
+   } else {
+   /* We are in SQD->SQD. (If we are not, this transition will
+* be rejected later in the verbs layer checks).
+* Check for both IB_QP_PORT and IB_QP_AV, these can be set
+* together in the SQD->SQD transition.
+*
+* If only IP_QP_AV was set, add in IB_QP_PORT as well (the
+* verbs layer driver does not track primary port changes
+* resulting from path migration. Thus, in SQD, if the primary
+* AV is modified, the primary port should also be modified).
+*
+* Note that in this transition, the IB_QP_STATE flag
+* is not allowed.
+*/
+   if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
+== (IB_QP_AV | IB_QP_PORT)) &&
+   cmd->base.port_num != cmd->base.dest.port_num) {
+   ret = -EINVAL;
+   goto release_qp;
+   }
+   if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
+   == IB_QP_AV) {
+   cmd->base.attr_mask |= IB_QP_PORT;
+   cmd->base.port_num = cmd->base.dest.port_num;
+   }
+   }
}
 
if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
(!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) ||
-   !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) {
+   !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) ||
+   cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) {
ret = -EINVAL;
goto release_qp;
}
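
Review bot: the else branch under IB_QP_AV is taken for every request that is not a state change to IB_QPS_RTR, not only for SQD->SQD, and in that branch the code rewrites the user's command by OR-ing IB_QP_PORT into attr_mask and copying dest.port_num into port_num. The comment relies on later checks rejecting all other transitions; it should name that check so the assumption can be verified. In the same comment "IP_QP_AV" should read IB_QP_AV, and the outer "if ((cmd->base.attr_mask & IB_QP_AV))" carries a redundant pair of parentheses.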




[PATCH 4.14 21/23] crypto: padlock-aes - Fix Nano workaround data corruption

2018-08-04 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.

This was detected by the self-test thanks to Ard's chunking patch.

I finally got around to testing this out on my ancient Via box.  It
turns out that the workaround got the assembly wrong and we end up
doing count + initial cycles of the loop instead of just count.

This obviously causes corruption, either by overwriting the source
that is yet to be processed, or writing over the end of the buffer.

On CPUs that don't require the workaround only ECB is affected.
On Nano CPUs both ECB and CBC are affected.

This patch fixes it by doing the subtraction prior to the assembly.

Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
Cc: 
Reported-by: Jamie Heilman 
Signed-off-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/crypto/padlock-aes.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/crypto/padlock-aes.c
+++ b/drivers/crypto/padlock-aes.c
@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
return;
}
 
+   count -= initial;
+
if (initial)
asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"   /* rep 
xcryptecb */
  : "+S"(input), "+D"(output)
@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
 
asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"   /* rep xcryptecb */
  : "+S"(input), "+D"(output)
- : "d"(control_word), "b"(key), "c"(count - initial));
+ : "d"(control_word), "b"(key), "c"(count));
 }
 
 static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
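
Review bot: the changelog says the old "c"(count - initial) operand ended up running count + initial iterations, but neither it nor the code says why an expression in the operand misbehaves where a pre-computed count does not. Put that reason in a comment next to "count -= initial;", otherwise the subtraction is likely to be folded back into the asm operand in a later cleanup. The same applies to the CBC variant below.
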
@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
if (count < cbc_fetch_blocks)
return cbc_crypt(input, output, key, iv, control_word, count);
 
+   count -= initial;
+
if (initial)
asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"   /* rep 
xcryptcbc */
  : "+S" (input), "+D" (output), "+a" (iv)
@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
 
asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"   /* rep xcryptcbc */
  : "+S" (input), "+D" (output), "+a" (iv)
- : "d" (control_word), "b" (key), "c" (count-initial));
+ : "d" (control_word), "b" (key), "c" (count));
return iv;
 }
 




[PATCH 4.9 23/32] net: stmmac: Fix WoL for PCI-based setups

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jose Abreu 

[ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]

WoL won't work in PCI-based setups because we are not saving the PCI EP
state before entering suspend state and not allowing D3 wake.

Fix this by using a wrapper around stmmac_{suspend/resume} which
correctly sets the PCI EP state.

Signed-off-by: Jose Abreu 
Cc: David S. Miller 
Cc: Joao Pinto 
Cc: Giuseppe Cavallaro 
Cc: Alexandre Torgue 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c |   40 +--
 1 file changed, 38 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -183,7 +183,7 @@ static int stmmac_pci_probe(struct pci_d
return -ENOMEM;
 
/* Enable pci device */
-   ret = pcim_enable_device(pdev);
+   ret = pci_enable_device(pdev);
if (ret) {
dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
__func__);
@@ -232,9 +232,45 @@ static int stmmac_pci_probe(struct pci_d
 static void stmmac_pci_remove(struct pci_dev *pdev)
 {
stmmac_dvr_remove(&pdev->dev);
+   pci_disable_device(pdev);
 }
 
-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
+static int stmmac_pci_suspend(struct device *dev)
+{
+   struct pci_dev *pdev = to_pci_dev(dev);
+   int ret;
+
+   ret = stmmac_suspend(dev);
+   if (ret)
+   return ret;
+
+   ret = pci_save_state(pdev);
+   if (ret)
+   return ret;
+
+   pci_disable_device(pdev);
+   pci_wake_from_d3(pdev, true);
+   return 0;
+}
+
+static int stmmac_pci_resume(struct device *dev)
+{
+   struct pci_dev *pdev = to_pci_dev(dev);
+   int ret;
+
+   pci_restore_state(pdev);
+   pci_set_power_state(pdev, PCI_D0);
+
+   ret = pci_enable_device(pdev);
+   if (ret)
+   return ret;
+
+   pci_set_master(pdev);
+
+   return stmmac_resume(dev);
+}
+
+static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
 
 #define STMMAC_VENDOR_ID 0x700
 #define STMMAC_QUARK_ID  0x0937
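
Review bot: stmmac_pci_resume() calls pci_restore_state() before pci_set_power_state(pdev, PCI_D0) and ignores the latter's return value. If the device can still be in a low-power state when the callback runs, restoring config space first may not take effect; either swap the two calls and check the result, or add a comment saying why this order is safe here.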




[PATCH 4.9 03/32] net: fix amd-xgbe flow-control issue

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: tangpengpeng 

[ Upstream commit 7f3fc7ddf719cd6faaf787722c511f6918ac6aab ]

If we enable or disable xgbe flow-control by ethtool,
it doesn't work, because the parameter is not properly
assigned, so we need to adjust the assignment order
of the parameters.

Fixes: c1ce2f77366b ("amd-xgbe: Fix flow control setting logic")
Signed-off-by: tangpengpeng 
Acked-by: Tom Lendacky 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
@@ -877,14 +877,14 @@ static void xgbe_phy_adjust_link(struct
 
if (pdata->tx_pause != pdata->phy.tx_pause) {
new_state = 1;
-   pdata->hw_if.config_tx_flow_control(pdata);
pdata->tx_pause = pdata->phy.tx_pause;
+   pdata->hw_if.config_tx_flow_control(pdata);
}
 
if (pdata->rx_pause != pdata->phy.rx_pause) {
new_state = 1;
-   pdata->hw_if.config_rx_flow_control(pdata);
pdata->rx_pause = pdata->phy.rx_pause;
+   pdata->hw_if.config_rx_flow_control(pdata);
}
 
/* Speed support */
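
Review bot: the fix implies that config_tx_flow_control(pdata) and config_rx_flow_control(pdata) read pdata->tx_pause and pdata->rx_pause rather than the PHY values, so the order of the two lines in each block matters, yet nothing in the code says so. A comment in both blocks, or passing the new pause value to the hook explicitly, would keep the two lines from being swapped back.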




[PATCH 4.9 22/32] netlink: Fix spectre v1 gadget in netlink_create()

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]

'protocol' is a user-controlled value, so sanitize it after the bounds
check to avoid using it for speculative out-of-bounds access to arrays
indexed by it.

This addresses the following accesses detected with the help of smatch:

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_keys' [w]

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_key_strings' [w]

* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
  issue 'nl_table' [w] (local cap)

Cc: Josh Poimboeuf 
Signed-off-by: Jeremy Cline 
Reviewed-by: Josh Poimboeuf 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/netlink/af_netlink.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -62,6 +62,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -654,6 +655,7 @@ static int netlink_create(struct net *ne
 
if (protocol < 0 || protocol >= MAX_LINKS)
return -EPROTONOSUPPORT;
+   protocol = array_index_nospec(protocol, MAX_LINKS);
 
netlink_lock_table();
 #ifdef CONFIG_MODULES
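
Review bot: the changelog lists two smatch warnings in __netlink_create() (nlk_cb_mutex_keys and nlk_cb_mutex_key_strings), but this hunk only touches netlink_create(). The changelog should say how the single array_index_nospec() call here covers those accesses, so a reviewer of the backport does not have to trace where __netlink_create() gets its protocol argument.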




[PATCH 4.9 21/32] net: dsa: Do not suspend/resume closed slave_dev

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Fainelli 

[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]

If a DSA slave network device was previously disabled, there is no need
to suspend or resume it.

Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
Signed-off-by: Florian Fainelli 
Reviewed-by: Andrew Lunn 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/dsa/slave.c |6 ++
 1 file changed, 6 insertions(+)

--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1199,6 +1199,9 @@ int dsa_slave_suspend(struct net_device
 {
struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+   if (!netif_running(slave_dev))
+   return 0;
+
netif_device_detach(slave_dev);
 
if (p->phy) {
@@ -1216,6 +1219,9 @@ int dsa_slave_resume(struct net_device *
 {
struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+   if (!netif_running(slave_dev))
+   return 0;
+
netif_device_attach(slave_dev);
 
if (p->phy) {
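
Review bot: the two netif_running() early returns are only symmetric if the running state cannot change between dsa_slave_suspend() and dsa_slave_resume(). If the device can be opened or closed in between, resume would skip netif_device_attach() for a device that was detached, or attach one that never was. The changelog should state why that cannot happen.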




[PATCH 4.9 04/32] net: lan78xx: fix rx handling before first packet is send

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Stefan Wahren 

[ Upstream commit 136f55f660192ce04af091642efc75d85e017364 ]

As long as the bh tasklet isn't scheduled once, no packet from the rx path
will be handled. Since the tx path also schedules the same tasklet
this situation only persists until the first packet transmission.
So fix this issue by scheduling the tasklet after link reset.

Link: https://github.com/raspberrypi/linux/issues/2617
Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
Suggested-by: Floris Bos 
Signed-off-by: Stefan Wahren 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/usb/lan78xx.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -1170,6 +1170,8 @@ static int lan78xx_link_reset(struct lan
mod_timer(&dev->stat_monitor,
  jiffies + STAT_UPDATE_TIMER);
}
+
+   tasklet_schedule(&dev->bh);
}
 
return ret;
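
Review bot: tasklet_schedule(&dev->bh) is added inside the same enclosing block as the mod_timer() call for stat_monitor, not unconditionally at the end of lan78xx_link_reset(), so it only runs on that branch. The changelog says "after link reset"; it should say which link state that branch corresponds to, and the call deserves a comment that nothing else schedules the bh tasklet before the first transmit.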




[PATCH 4.9 20/32] ipv4: frags: handle possible skb truesize change

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

[ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]

ip_frag_queue() might call pskb_pull() on one skb that
is already in the fragment queue.

We need to take care of possible truesize change, or we
might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4,
amended by Errata ID 3089 states :

  When reassembling an IPv6 datagram, if
  one or more its constituent fragments is determined to be an
  overlapping fragment, the entire datagram (and any constituent
  fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/ip_fragment.c |5 +
 1 file changed, 5 insertions(+)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -446,11 +446,16 @@ found:
int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
 
if (i < next->len) {
+   int delta = -next->truesize;
+
/* Eat head of the next overlapped fragment
 * and leave the loop. The next ones cannot overlap.
 */
if (!pskb_pull(next, i))
goto err;
+   delta += next->truesize;
+   if (delta)
+   add_frag_mem_limit(qp->q.net, delta);
FRAG_CB(next)->offset += i;
qp->q.meat -= i;
if (next->ip_summed != CHECKSUM_UNNECESSARY)
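
Review bot: "int delta = -next->truesize;" followed by "delta += next->truesize;" is correct but reads as a puzzle. Saving the old value before pskb_pull() and passing the difference to add_frag_mem_limit() would say the same thing directly. No adjustment is made on the "goto err" path; a word in the changelog on whether a failed pskb_pull() can already have changed truesize would close that question.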




[PATCH 4.9 27/32] net: socket: fix potential spectre v1 gadget in socketcall

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.

'call' is a user-controlled value, so sanitize the array index after the
bounds check to avoid speculating past the bounds of the 'nargs' array.

Found with the help of Smatch:

net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
'nargs' [r] (local cap)

Cc: Josh Poimboeuf 
Cc: sta...@vger.kernel.org
Signed-off-by: Jeremy Cline 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 

---
 net/socket.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -2338,6 +2339,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
 
if (call < 1 || call > SYS_SENDMMSG)
return -EINVAL;
+   call = array_index_nospec(call, SYS_SENDMMSG + 1);
 
len = nargs[call];
if (len > sizeof(a))
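
The index clamp that this patch and the netlink_create() patch rely on, as an added userspace example that is not part of the posted patches or the kernel tree. It models the generic C fallback of array_index_nospec(); the function names and the two constant values defined in it are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))

/* Assumed values, defined locally so the example builds outside the kernel. */
#define MAX_LINKS    32
#define SYS_SENDMMSG 20

/*
 * Returns ~0UL when index < size and 0 otherwise, without a branch the CPU
 * could mispredict. If index >= size, either index itself or
 * (size - 1 - index) has its top bit set, so the OR is negative as a long;
 * inverting it and shifting arithmetically yields 0. Relies on >> of a
 * negative long being an arithmetic shift (true for gcc and clang) and on
 * size <= LONG_MAX.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
			       (BITS_PER_LONG - 1));
}

/* In-range indexes pass through unchanged; everything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Model of the netlink_create() check: valid range is 0 .. MAX_LINKS - 1. */
static long netlink_protocol_index(int protocol)
{
	if (protocol < 0 || protocol >= MAX_LINKS)
		return -1; /* stands in for -EPROTONOSUPPORT */
	return (long)index_nospec((unsigned long)protocol, MAX_LINKS);
}

/*
 * Model of the socketcall() check: valid range is 1 .. SYS_SENDMMSG
 * inclusive, so the size handed to the clamp must be SYS_SENDMMSG + 1.
 */
static long socketcall_index(int call)
{
	if (call < 1 || call > SYS_SENDMMSG)
		return -1; /* stands in for -EINVAL */
	return (long)index_nospec((unsigned long)call, SYS_SENDMMSG + 1);
}

/*
 * The value an array access would see if the bounds check were skipped,
 * which is the situation the clamp is there for.
 */
static unsigned long clamped_without_check(long value, unsigned long size)
{
	return index_nospec((unsigned long)value, size);
}

int main(void)
{
	/* Constructed sample inputs around both boundaries. */
	long samples[] = { -1, 0, 19, 20, 21, 31, 32, 1L << 20 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("value %8ld -> nl_table index %2lu, nargs index %2lu\n",
		       samples[i],
		       clamped_without_check(samples[i], MAX_LINKS),
		       clamped_without_check(samples[i], SYS_SENDMMSG + 1));

	/* Passing SYS_SENDMMSG as the size would zero the last valid call. */
	printf("size off by one: %lu\n",
	       index_nospec(SYS_SENDMMSG, SYS_SENDMMSG));
	return 0;
}
```

Out-of-range values collapse to index 0, which is always inside the array, so nothing beyond it can be read while the bounds check is still unresolved.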




[PATCH 4.9 06/32] NET: stmmac: align DMA stuff to largest cache line length

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Eugeniy Paltsev 

[ Upstream commit 9939a46d90c6c76f4533d534dbadfa7b39dc6acc ]

As of today the STMMAC_ALIGN macro (which is used to align DMA stuff)
relies on L1 line length (L1_CACHE_BYTES).
This isn't correct in case of a system with several cache levels
which might have an L1 cache line length smaller than the L2 line. This
can lead to sharing one cache line between a DMA buffer and other
data, so we can lose this data while invalidating the DMA buffer before
a DMA transaction.

Fix that by using SMP_CACHE_BYTES instead of L1_CACHE_BYTES for
aligning.

Signed-off-by: Eugeniy Paltsev 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -55,7 +55,7 @@
 #include 
 #include "dwmac1000.h"
 
-#define STMMAC_ALIGN(x)L1_CACHE_ALIGN(x)
+#defineSTMMAC_ALIGN(x) __ALIGN_KERNEL(x, SMP_CACHE_BYTES)
 #defineTSO_MAX_BUFF_SIZE   (SZ_16K - 1)
 
 /* Module parameters */




[PATCH 4.9 29/32] kvm: x86: vmx: fix vpid leak

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Roman Kagan 

commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.

VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
vmx is turned on with the module parameter.

However, it's only freed if the L1 guest has executed VMXON which is not
a given.

As a result, on a system with nested==on every creation+deletion of an
L1 vcpu without running an L2 guest results in leaking one vpid.  Since
the total number of vpids is limited to 64k, they can eventually get
exhausted, preventing L2 from starting.

Delay allocation of the L2 vpid until VMXON emulation, thus matching its
freeing.

Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
Cc: sta...@vger.kernel.org
Signed-off-by: Roman Kagan 
Signed-off-by: Paolo Bonzini 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kvm/vmx.c |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7085,6 +7085,8 @@ static int handle_vmon(struct kvm_vcpu *
 HRTIMER_MODE_REL_PINNED);
vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
 
+   vmx->nested.vpid02 = allocate_vpid();
+
vmx->nested.vmxon = true;
 
skip_emulated_instruction(vcpu);
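
Review bot: the result of allocate_vpid() in handle_vmon() is stored in vmx->nested.vpid02 without any check, although the changelog itself points out that vpids can run out. State in a comment what vpid02 holds when allocation fails and that later users cope with it. The changelog also says the allocation now matches the freeing, but the free site is not part of this diff; naming the function that frees vpid02 would let a reviewer confirm the pairing, including for a guest that executes VMXON more than once.
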
@@ -9264,10 +9266,8 @@ static struct kvm_vcpu *vmx_create_vcpu(
goto free_vmcs;
}
 
-   if (nested) {
+   if (nested)
nested_vmx_setup_ctls_msrs(vmx);
-   vmx->nested.vpid02 = allocate_vpid();
-   }
 
vmx->nested.posted_intr_nv = -1;
vmx->nested.current_vmptr = -1ull;
@@ -9285,7 +9285,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
return &vmx->vcpu;
 
 free_vmcs:
-   free_vpid(vmx->nested.vpid02);
free_loaded_vmcs(vmx->loaded_vmcs);
 free_msrs:
kfree(vmx->guest_msrs);




[PATCH 4.9 26/32] can: ems_usb: Fix memory leak on ems_usb_disconnect()

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Anton Vasilyev 

commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.

ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
is no deallocation of it in ems_usb_disconnect().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev 
Cc: 
Signed-off-by: Marc Kleine-Budde 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/can/usb/ems_usb.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct us
usb_free_urb(dev->intr_urb);
 
kfree(dev->intr_in_buffer);
+   kfree(dev->tx_msg_buffer);
}
 }
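Review bot: The added kfree(dev->tx_msg_buffer) covers only the disconnect path, and the changelog carries no Fixes: tag, so the patch does not show which stable trees have the leak or whether the error path of ems_usb_probe(), where the buffer is allocated, frees it as well. Please add the Fixes: tag and either confirm that the probe error path already releases tx_msg_buffer or extend the patch to cover it.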
 




[PATCH 4.9 09/32] netlink: Do not subscribe to non-existent groups

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dmitry Safonov 

[ Upstream commit 7acf9d4237c46894e0fa0492dd96314a41742e84 ]

Make ABI more strict about subscribing to group > ngroups.
Code doesn't check for that and it looks bogus.
(one can subscribe to non-existing group)
Still, it's possible to bind() to all possible groups with (-1)

Cc: "David S. Miller" 
Cc: Herbert Xu 
Cc: Steffen Klassert 
Cc: net...@vger.kernel.org
Signed-off-by: Dmitry Safonov 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/netlink/af_netlink.c |1 +
 1 file changed, 1 insertion(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -983,6 +983,7 @@ static int netlink_bind(struct socket *s
if (err)
return err;
}
+   groups &= (1UL << nlk->ngroups) - 1;
 
bound = nlk->bound;
if (bound) {
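Review bot: The mask in the added line, (1UL << nlk->ngroups) - 1, shifts by a run-time value with no bound check. If nlk->ngroups can reach the width of unsigned long (32 on 32-bit builds), the shift is undefined in C and the mask is not guaranteed to come out as all ones, which would break the bind()-with-(-1) case the changelog says must keep working. Suggest applying the mask only when nlk->ngroups < BITS_PER_LONG, since the full-width mask would be a no-op anyway. The changelog also calls the ABI "more strict", yet out-of-range bits are dropped silently rather than rejected; a sentence on why masking was chosen over returning an error would help userspace maintainers.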




[PATCH 4.9 05/32] net: mdio-mux: bcm-iproc: fix wrong getter and setter pair

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Anton Vasilyev 

[ Upstream commit b0753408aadf32c7ece9e6b765017881e54af833 ]

mdio_mux_iproc_probe() uses platform_set_drvdata() to store md pointer
in device, whereas mdio_mux_iproc_remove() restores md pointer by
dev_get_platdata(&pdev->dev). This leads to the wrong resources being released.

The patch replaces the getter with platform_get_drvdata.

Fixes: 98bc865a1ec8 ("net: mdio-mux: Add MDIO mux driver for iProc SoCs")
Signed-off-by: Anton Vasilyev 
Reviewed-by: Andrew Lunn 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/phy/mdio-mux-bcm-iproc.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/phy/mdio-mux-bcm-iproc.c
+++ b/drivers/net/phy/mdio-mux-bcm-iproc.c
@@ -218,7 +218,7 @@ out:
 
 static int mdio_mux_iproc_remove(struct platform_device *pdev)
 {
-   struct iproc_mdiomux_desc *md = dev_get_platdata(&pdev->dev);
+   struct iproc_mdiomux_desc *md = platform_get_drvdata(pdev);
 
mdio_mux_uninit(md->mux_handle);
mdiobus_unregister(md->mii_bus);
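Review bot: md is dereferenced on the very next lines (md->mux_handle, md->mii_bus) with no check, so the changelog should say what the old dev_get_platdata(&pdev->dev) call actually returned for this device, NULL or an unrelated pointer. That tells stable users whether the old remove path oopsed on unbind or released the wrong objects. The getter change itself pairs correctly with the platform_set_drvdata() named in the changelog.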




[PATCH 4.9 07/32] tcp_bbr: fix bw probing to raise in-flight data for very small BDPs

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Neal Cardwell 

[ Upstream commit 383d470936c05554219094a4d364d964cb324827 ]

For some very small BDPs (with just a few packets) there was a
quantization effect where the target number of packets in flight
during the super-unity-gain (1.25x) phase of gain cycling was
implicitly truncated to a number of packets no larger than the normal
unity-gain (1.0x) phase of gain cycling. This meant that in multi-flow
scenarios some flows could get stuck with a lower bandwidth, because
they did not push enough packets inflight to discover that there was
more bandwidth available. This was really only an issue in multi-flow
LAN scenarios, where RTTs and BDPs are low enough for this to be an
issue.

This fix ensures that gain cycling can raise inflight for small BDPs
by ensuring that in PROBE_BW mode target inflight values with a
super-unity gain are always greater than inflight values with a gain
<= 1. Importantly, this applies whether the inflight value is
calculated for use as a cwnd value, or as a target inflight value for
the end of the super-unity phase in bbr_is_next_cycle_phase() (both
need to be bigger to ensure we can probe with more packets in flight
reliably).

This is a candidate fix for stable releases.

Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
Signed-off-by: Neal Cardwell 
Acked-by: Yuchung Cheng 
Acked-by: Soheil Hassas Yeganeh 
Acked-by: Priyaranjan Jha 
Reviewed-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_bbr.c |4 
 1 file changed, 4 insertions(+)

--- a/net/ipv4/tcp_bbr.c
+++ b/net/ipv4/tcp_bbr.c
@@ -324,6 +324,10 @@ static u32 bbr_target_cwnd(struct sock *
/* Reduce delayed ACKs by rounding up cwnd to the next even number. */
cwnd = (cwnd + 1) & ~1U;
 
+   /* Ensure gain cycling gets inflight above BDP even for small BDPs. */
+   if (bbr->mode == BBR_PROBE_BW && gain > BBR_UNIT)
+   cwnd += 2;
+
return cwnd;
 }
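Review bot: The constant in cwnd += 2 is unexplained. The comment gives the aim (inflight above BDP) but not why 2 rather than 1; coming right after cwnd = (cwnd + 1) & ~1U, an increment of 2 keeps the value even, and if that is the reason the comment should say so. The changelog also says the larger value must apply to the target used in bbr_is_next_cycle_phase(); that call site is not in this hunk, so a sentence confirming that it goes through bbr_target_cwnd() would make the fix checkable from the patch alone.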
 




[PATCH 4.9 28/32] virtio_balloon: fix another race between migration and ballooning

2018-08-04 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jiang Biao 

commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.

The kernel panics under high memory pressure; the call trace looks like:

PID: 21439 TASK: 881be3afedd0 CPU: 16 COMMAND: "java"
 #0 [881ec7ed7630] machine_kexec at 81059beb
 #1 [881ec7ed7690] __crash_kexec at 81105942
 #2 [881ec7ed7760] crash_kexec at 81105a30
 #3 [881ec7ed7778] oops_end at 816902c8
 #4 [881ec7ed77a0] no_context at 8167ff46
 #5 [881ec7ed77f0] __bad_area_nosemaphore at 8167ffdc
 #6 [881ec7ed7838] __node_set at 81680300
 #7 [881ec7ed7860] __do_page_fault at 8169320f
 #8 [881ec7ed78c0] do_page_fault at 816932b5
 #9 [881ec7ed78f0] page_fault at 8168f4c8
[exception RIP: _raw_spin_lock_irqsave+47]
RIP: 8168edef RSP: 881ec7ed79a8 RFLAGS: 00010046
RAX: 0246 RBX: ea0019740d00 RCX: 881ec7ed7fd8
RDX: 0002 RSI: 0016 RDI: 0008
RBP: 881ec7ed79a8 R8: 0246 R9: 0001a098
R10: 88107ffda000 R11:  R12: 
R13: 0008 R14: 881ec7ed7a80 R15: 881be3afedd0
ORIG_RAX:  CS: 0010 SS: 0018

It happens in the pagefault and results in a double pagefault
during page compaction when memory allocation fails.

Analysing the vmcore shows that the page that leads to the second pagefault
is corrupted, with _mapcount=-256 but private=0.

It's caused by the race between migration and ballooning, and a missing
lock in virtballoon_migratepage() of the virtio_balloon driver.
This patch fixes the bug.

Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
Cc: sta...@vger.kernel.org
Signed-off-by: Jiang Biao 
Signed-off-by: Huang Chong 
Signed-off-by: Michael S. Tsirkin 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/virtio/virtio_balloon.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -493,7 +493,9 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
 
/* balloon's page migration 2nd step -- deflate "page" */
+   spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
balloon_page_delete(page);
+   spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
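Review bot: The two added lines use vb_dev_info and flags, neither of which is declared in this hunk, and the diffstat shows only these 2 insertions, so the 4.9 version of virtballoon_migratepage() must already declare both; please confirm with a build of the 4.9 tree. The lock is released before the following tell_host() call, which keeps the critical section to balloon_page_delete(page) alone. A short comment stating that pages_lock protects the balloon page list modified by balloon_page_delete() would make the locking rule visible at this call site.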



