1. 10 12月, 2018 6 次提交
    • L
      Merge tag 'staging-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 47dcb080
      Linus Torvalds 提交于
      Pull staging fixes from Greg KH:
       "Here are two staging driver bugfixes for 4.20-rc6.
      
        One is a revert of a previously incorrect patch that was merged a
        while ago, and the other resolves a possible buffer overrun that was
        found by code inspection.
      
        Both of these have been in the linux-next tree with no reported
        issues"
      
      * tag 'staging-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        Revert commit ef9209b6 "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"
        staging: rtl8712: Fix possible buffer overrun
      47dcb080
    • L
      Merge tag 'tty-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 822b7683
      Linus Torvalds 提交于
      Pull tty driver fixes from Greg KH:
       "Here are three small tty driver fixes for 4.20-rc6
      
        Nothing major, just some bug fixes for reported issues. Full details
        are in the shortlog.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
        tty: serial: 8250_mtk: always resume the device in probe.
        tty: do not set TTY_IO_ERROR flag if console port
      822b7683
    • L
      Merge tag 'usb-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 50a5528a
      Linus Torvalds 提交于
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes for 4.20-rc6
      
        The "largest" here are some xhci fixes for reported issues. Also here
        is a USB core fix, some quirk additions, and a usb-serial fix which
        required the export of one of the tty layer's functions to prevent
        code duplication. The tty maintainer agreed with this change.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        xhci: Prevent U1/U2 link pm states if exit latency is too long
        xhci: workaround CSS timeout on AMD SNPS 3.0 xHC
        USB: check usb_get_extra_descriptor for proper size
        USB: serial: console: fix reported terminal settings
        usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
        USB: Fix invalid-free bug in port_over_current_notify()
        usb: appledisplay: Add 27" Apple Cinema Display
      50a5528a
    • L
      Merge tag '4.20-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · bc4caf18
      Linus Torvalds 提交于
      Pull cifs fixes from Steve French:
       "Three small fixes: a fix for smb3 direct i/o, a fix for CIFS DFS for
        stable and a minor cifs Kconfig fix"
      
      * tag '4.20-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: Avoid returning EBUSY to upper layer VFS
        cifs: Fix separator when building path from dentry
        cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)
      bc4caf18
    • L
      Merge tag 'dax-fixes-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · fa82dcbf
      Linus Torvalds 提交于
      Pull dax fixes from Dan Williams:
       "The last of the known regression fixes and fallout from the Xarray
        conversion of the filesystem-dax implementation.
      
        On the path to debugging why the dax memory-failure injection test
        started failing after the Xarray conversion a couple more fixes for
        the dax_lock_mapping_entry(), now called dax_lock_page(), surfaced.
        Those plus the bug that started the hunt are now addressed. These
        patches have appeared in a -next release with no issues reported.
      
        Note the touches to mm/memory-failure.c are just the conversion to the
        new function signature for dax_lock_page().
      
        Summary:
      
         - Fix the Xarray conversion of fsdax to properly handle
           dax_lock_mapping_entry() in the presense of pmd entries
      
         - Fix inode destruction racing a new lock request"
      
      * tag 'dax-fixes-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        dax: Fix unlock mismatch with updated API
        dax: Don't access a freed inode
        dax: Check page->mapping isn't NULL
      fa82dcbf
    • L
      Merge tag 'libnvdimm-fixes-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · bd799eb6
      Linus Torvalds 提交于
      Pull libnvdimm fixes from Dan Williams:
       "A regression fix for the Address Range Scrub implementation, yes
        another one, and support for platforms that misalign persistent memory
        relative to the Linux memory hotplug section constraint. Longer term,
        support for sub-section memory hotplug would alleviate alignment
        waste, but until then this hack allows a 'struct page' memmap to be
        established for these misaligned memory regions.
      
        These have all appeared in a -next release, and thanks to Patrick for
        reporting and testing the alignment padding fix.
      
        Summary:
      
         - Unless and until the core mm handles memory hotplug units smaller
           than a section (128M), persistent memory namespaces must be padded
           to section alignment.
      
           The libnvdimm core already handled section collision with "System
           RAM", but some configurations overlap independent "Persistent
           Memory" ranges within a section, so additional padding injection is
           added for that case.
      
         - The recent reworks of the ARS (address range scrub) state machine
           to reduce the number of state flags inadvertantly missed a
           conversion of acpi_nfit_ars_rescan() call sites. Fix the regression
           whereby user-requested ARS results in a "short" scrub rather than a
           "long" scrub.
      
         - Fixup the unit tests to handle / test the 128M section alignment of
           mocked test resources.
      
      * tag 'libnvdimm-fixes-4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        acpi/nfit: Fix user-initiated ARS to be "ARS-long" rather than "ARS-short"
        libnvdimm, pfn: Pad pfn namespaces relative to other regions
        tools/testing/nvdimm: Align test resources to 128M
      bd799eb6
  2. 09 12月, 2018 5 次提交
    • L
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal · 6ec067e3
      Linus Torvalds 提交于
      Pull thermal SoC fixes from Eduardo Valentin:
       "Fixes for armada and broadcom thermal drivers"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
        thermal: broadcom: constify thermal_zone_of_device_ops structure
        thermal: armada: constify thermal_zone_of_device_ops structure
        thermal: bcm2835: Switch to SPDX identifier
        thermal: armada: fix legacy resource fixup
        thermal: armada: fix legacy validity test sense
      6ec067e3
    • L
      Merge tag 'asm-generic-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic · 8214bdf7
      Linus Torvalds 提交于
      Pull asm-generic fix from Arnd Bergmann:
       "Multiple people reported a bug I introduced in asm-generic/unistd.h in
        4.20, this is the obvious bugfix to get glibc and others to correctly
        build again on new architectures that no longer provide the old
        fstatat64() family of system calls"
      
      * tag 'asm-generic-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
        asm-generic: unistd.h: fixup broken macro include.
      8214bdf7
    • L
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 570c9139
      Linus Torvalds 提交于
      Pull clk fixes from Stephen Boyd:
       "A few clk driver fixes this time:
      
         - Introduce protected-clock DT binding to fix breakage on qcom
           sdm845-mtp boards where the qspi clks introduced this merge window
           cause the firmware on those boards to take down the system if we
           try to read the clk registers
      
         - Fix a couple off-by-one errors found by Dan Carpenter
      
         - Handle failure in zynq fixed factor clk driver to avoid using
           uninitialized data"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: zynqmp: Off by one in zynqmp_is_valid_clock()
        clk: mmp: Off by one in mmp_clk_add()
        clk: mvebu: Off by one bugs in cp110_of_clk_get()
        arm64: dts: qcom: sdm845-mtp: Mark protected gcc clocks
        clk: qcom: Support 'protected-clocks' property
        dt-bindings: clk: Introduce 'protected-clocks' property
        clk: zynqmp: handle fixed factor param query error
      570c9139
    • L
      Merge tag 'xfs-4.20-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · f896adc4
      Linus Torvalds 提交于
      Pull xfs fixes from Darrick Wong:
       "Here are hopefully the last set of fixes for 4.20.
      
        There's a fix for a longstanding statfs reporting problem with project
        quotas, a correction for page cache invalidation behaviors when
        fallocating near EOF, and a fix for a broken metadata verifier return
        code.
      
        Finally, the most important fix is to the pipe splicing code (aka the
        generic copy_file_range fallback) to avoid pointless short directio
        reads by only asking the filesystem for as much data as there are
        available pages in the pipe buffer. Our previous fix (simulated short
        directio reads because the number of pages didn't match the length of
        the read requested) caused subtle problems on overlayfs, so that part
        is reverted.
      
        Anyhow, this series passes fstests -g all on xfs and overlay+xfs, and
        has passed 17 billion fsx operations problem-free since I started
        testing
      
        Summary:
      
         - Fix broken project quota inode counts
      
         - Fix incorrect PAGE_MASK/PAGE_SIZE usage
      
         - Fix incorrect return value in btree verifier
      
         - Fix WARN_ON remap flags false positive
      
         - Fix splice read overflows"
      
      * tag 'xfs-4.20-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        iomap: partially revert 4721a601 (simulated directio short read on EFAULT)
        splice: don't read more than available pipe space
        vfs: allow some remap flags to be passed to vfs_clone_file_range
        xfs: fix inverted return from xfs_btree_sblock_verify_crc
        xfs: fix PAGE_MASK usage in xfs_free_file_space
        fs/xfs: fix f_ffree value for statfs when project quota is set
      f896adc4
    • D
      Revert "mm, thp: consolidate THP gfp handling into alloc_hugepage_direct_gfpmask" · 356ff8a9
      David Rientjes 提交于
      This reverts commit 89c83fb5.
      
      This should have been done as part of 2f0799a0 ("mm, thp: restore
      node-local hugepage allocations").  The movement of the thp allocation
      policy from alloc_pages_vma() to alloc_hugepage_direct_gfpmask() was
      intended to only set __GFP_THISNODE for mempolicies that are not
      MPOL_BIND whereas the revert could set this regardless of mempolicy.
      
      While the check for MPOL_BIND between alloc_hugepage_direct_gfpmask()
      and alloc_pages_vma() was racy, that has since been removed since the
      revert.  What is left is the possibility to use __GFP_THISNODE in
      policy_node() when it is unexpected because the special handling for
      hugepages in alloc_pages_vma()  was removed as part of the consolidation.
      
      Secondly, prior to 89c83fb5, alloc_pages_vma() implemented a somewhat
      different policy for hugepage allocations, which were allocated through
      alloc_hugepage_vma().  For hugepage allocations, if the allocating
      process's node is in the set of allowed nodes, allocate with
      __GFP_THISNODE for that node (for MPOL_PREFERRED, use that node with
      __GFP_THISNODE instead).  This was changed for shmem_alloc_hugepage() to
      allow fallback to other nodes in 89c83fb5 as it did for new_page() in
      mm/mempolicy.c which is functionally different behavior and removes the
      requirement to only allocate hugepages locally.
      
      So this commit does a full revert of 89c83fb5 instead of the partial
      revert that was done in 2f0799a0.  The result is the same thp
      allocation policy for 4.20 that was in 4.19.
      
      Fixes: 89c83fb5 ("mm, thp: consolidate THP gfp handling into alloc_hugepage_direct_gfpmask")
      Fixes: 2f0799a0 ("mm, thp: restore node-local hugepage allocations")
      Signed-off-by: NDavid Rientjes <rientjes@google.com>
      Acked-by: NVlastimil Babka <vbabka@suse.cz>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      356ff8a9
  3. 08 12月, 2018 8 次提交
  4. 07 12月, 2018 21 次提交
    • W
      arm64: hibernate: Avoid sending cross-calling with interrupts disabled · b4aecf78
      Will Deacon 提交于
      Since commit 3b8c9f1c ("arm64: IPI each CPU after invalidating the
      I-cache for kernel mappings"), a call to flush_icache_range() will use
      an IPI to cross-call other online CPUs so that any stale instructions
      are flushed from their pipelines. This triggers a WARN during the
      hibernation resume path, where flush_icache_range() is called with
      interrupts disabled and is therefore prone to deadlock:
      
        | Disabling non-boot CPUs ...
        | CPU1: shutdown
        | psci: CPU1 killed.
        | CPU2: shutdown
        | psci: CPU2 killed.
        | CPU3: shutdown
        | psci: CPU3 killed.
        | WARNING: CPU: 0 PID: 1 at ../kernel/smp.c:416 smp_call_function_many+0xd4/0x350
        | Modules linked in:
        | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.20.0-rc4 #1
      
      Since all secondary CPUs have been taken offline prior to invalidating
      the I-cache, there's actually no need for an IPI and we can simply call
      __flush_icache_range() instead.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 3b8c9f1c ("arm64: IPI each CPU after invalidating the I-cache for kernel mappings")
      Reported-by: NKunihiko Hayashi <hayashi.kunihiko@socionext.com>
      Tested-by: NKunihiko Hayashi <hayashi.kunihiko@socionext.com>
      Tested-by: NJames Morse <james.morse@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      b4aecf78
    • J
      Merge branch 'nvme-4.20' of git://git.infradead.org/nvme into for-linus · 8b878ee2
      Jens Axboe 提交于
      Pull NVMe fixes from Christoph.
      
      * 'nvme-4.20' of git://git.infradead.org/nvme:
        nvmet-rdma: fix response use after free
        nvme: validate controller state before rescheduling keep alive
      8b878ee2
    • J
      blk-mq: punt failed direct issue to dispatch list · c616cbee
      Jens Axboe 提交于
      After the direct dispatch corruption fix, we permanently disallow direct
      dispatch of non read/write requests. This works fine off the normal IO
      path, as they will be retried like any other failed direct dispatch
      request. But for the blk_insert_cloned_request() that only DM uses to
      bypass the bottom level scheduler, we always first attempt direct
      dispatch. For some types of requests, that's now a permanent failure,
      and no amount of retrying will make that succeed. This results in a
      livelock.
      
      Instead of making special cases for what we can direct issue, and now
      having to deal with DM solving the livelock while still retaining a BUSY
      condition feedback loop, always just add a request that has been through
      ->queue_rq() to the hardware queue dispatch list. These are safe to use
      as no merging can take place there. Additionally, if requests do have
      prepped data from drivers, we aren't dependent on them not sharing space
      in the request structure to safely add them to the IO scheduler lists.
      
      This basically reverts ffe81d45 and is based on a patch from Ming,
      but with the list insert case covered as well.
      
      Fixes: ffe81d45 ("blk-mq: fix corruption with direct issue")
      Cc: stable@vger.kernel.org
      Suggested-by: NMing Lei <ming.lei@redhat.com>
      Reported-by: NBart Van Assche <bvanassche@acm.org>
      Tested-by: NMing Lei <ming.lei@redhat.com>
      Acked-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      c616cbee
    • I
      nvmet-rdma: fix response use after free · d7dcdf9d
      Israel Rukshin 提交于
      nvmet_rdma_release_rsp() may free the response before using it at error
      flow.
      
      Fixes: 8407879c ("nvmet-rdma: fix possible bogus dereference under heavy load")
      Signed-off-by: NIsrael Rukshin <israelr@mellanox.com>
      Reviewed-by: NSagi Grimberg <sagi@grimberg.me>
      Reviewed-by: NMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      d7dcdf9d
    • J
      nvme: validate controller state before rescheduling keep alive · 86880d64
      James Smart 提交于
      Delete operations are seeing NULL pointer references in call_timer_fn.
      Tracking these back, the timer appears to be the keep alive timer.
      
      nvme_keep_alive_work() which is tied to the timer that is cancelled
      by nvme_stop_keep_alive(), simply starts the keep alive io but doesn't
      wait for it's completion. So nvme_stop_keep_alive() only stops a timer
      when it's pending. When a keep alive is in flight, there is no timer
      running and the nvme_stop_keep_alive() will have no affect on the keep
      alive io. Thus, if the io completes successfully, the keep alive timer
      will be rescheduled.   In the failure case, delete is called, the
      controller state is changed, the nvme_stop_keep_alive() is called while
      the io is outstanding, and the delete path continues on. The keep
      alive happens to successfully complete before the delete paths mark it
      as aborted as part of the queue termination, so the timer is restarted.
      The delete paths then tear down the controller, and later on the timer
      code fires and the timer entry is now corrupt.
      
      Fix by validating the controller state before rescheduling the keep
      alive. Testing with the fix has confirmed the condition above was hit.
      Signed-off-by: NJames Smart <jsmart2021@gmail.com>
      Reviewed-by: NSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      86880d64
    • P
      block, bfq: fix decrement of num_active_groups · ba7aeae5
      Paolo Valente 提交于
      Since commit '2d29c9f8 ("block, bfq: improve asymmetric scenarios
      detection")', if there are process groups with I/O requests waiting for
      completion, then BFQ tags the scenario as 'asymmetric'. This detection
      is needed for preserving service guarantees (for details, see comments
      on the computation * of the variable asymmetric_scenario in the
      function bfq_better_to_idle).
      
      Unfortunately, commit '2d29c9f8 ("block, bfq: improve asymmetric
      scenarios detection")' contains an error exactly in the updating of
      the number of groups with I/O requests waiting for completion: if a
      group has more than one descendant process, then the above number of
      groups, which is renamed from num_active_groups to a more appropriate
      num_groups_with_pending_reqs by this commit, may happen to be wrongly
      decremented multiple times, namely every time one of the descendant
      processes gets all its pending I/O requests completed.
      
      A correct, complete solution should work as follows. Consider a group
      that is inactive, i.e., that has no descendant process with pending
      I/O inside BFQ queues. Then suppose that num_groups_with_pending_reqs
      is still accounting for this group, because the group still has some
      descendant process with some I/O request still in
      flight. num_groups_with_pending_reqs should be decremented when the
      in-flight request of the last descendant process is finally completed
      (assuming that nothing else has changed for the group in the meantime,
      in terms of composition of the group and active/inactive state of
      child groups and processes). To accomplish this, an additional
      pending-request counter must be added to entities, and must be
      updated correctly.
      
      To avoid this additional field and operations, this commit resorts to
      the following tradeoff between simplicity and accuracy: for an
      inactive group that is still counted in num_groups_with_pending_reqs,
      this commit decrements num_groups_with_pending_reqs when the first
      descendant process of the group remains with no request waiting for
      completion.
      
      This simplified scheme provides a fix to the unbalanced decrements
      introduced by 2d29c9f8. Since this error was also caused by lack
      of comments on this non-trivial issue, this commit also adds related
      comments.
      
      Fixes: 2d29c9f8 ("block, bfq: improve asymmetric scenarios detection")
      Reported-by: NSteven Barrett <steven@liquorix.net>
      Tested-by: NSteven Barrett <steven@liquorix.net>
      Tested-by: NLucjan Lucjanov <lucjan.lucjanov@gmail.com>
      Reviewed-by: NFederico Motta <federico@willer.it>
      Signed-off-by: NPaolo Valente <paolo.valente@linaro.org>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      ba7aeae5
    • L
      CIFS: Avoid returning EBUSY to upper layer VFS · 6ac79291
      Long Li 提交于
      EBUSY is not handled by VFS, and will be passed to user-mode. This is not
      correct as we need to wait for more credits.
      
      This patch also fixes a bug where rsize or wsize is used uninitialized when
      the call to server->ops->wait_mtu_credits() fails.
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NLong Li <longli@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      6ac79291
    • H
      crypto: user - Disable statistics interface · e61efff4
      Herbert Xu 提交于
      Since this user-space API is still undergoing significant changes,
      this patch disables it for the current merge window.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      e61efff4
    • L
      Merge tag 'drm-fixes-2018-12-07' of git://anongit.freedesktop.org/drm/drm · d387ac13
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "There's a bit more in here than I'd like, and I'm hoping things calm
        down when I'm out.
      
        msm:
         - a bunch of display fixes for the new DPU
         - a couple of command submission fixes
      
        omap:
         - some DSI fixes
      
        ast:
         - driver unload crash fix
      
        core:
         - fix the lease uevent so userspace can distinguish it
      
        amd:
         - fix a bpc regression
         - fix lru handling regression
         - fixed firmware support for new GPUs
         - power management fixes for vega20"
      
      * tag 'drm-fixes-2018-12-07' of git://anongit.freedesktop.org/drm/drm: (37 commits)
        drm/ast: Fix connector leak during driver unload
        drm/amdgpu/vcn: Update vcn.cur_state during suspend
        drm/amd/display: Fix overflow/truncation from strncpy.
        drm/amd/powerplay: improve OD code robustness
        drm/amdgpu: enlarge maximum waiting time of KIQ
        drm/fb-helper: Fix typo in parameter description
        drm/amd/powerplay: support SoftMin/Max setting for some specific DPM
        drm/amd/powerplay: issue pre-display settings for display change event
        drm/amd/powerplay: support new pptable upload on Vega20
        drm/amdgpu/gmc8: always load MC firmware in the driver
        drm/amdgpu/gmc8: update MC firmware for polaris
        drm/amdgpu: update mc firmware image for polaris12 variants
        drm/msm: Fix error return checking
        drm/msm/dpu: Ignore alpha for XBGR8888 format
        drm/msm: dpu: Fix "WARNING: invalid free of devm_ allocated data"
        drm/msm/hdmi: Drop pointless static qualifier in msm_hdmi_bind()
        drm/msm: Move fence put to where failure occurs
        drm/msm: dpu: Don't set legacy plane->crtc pointer
        drm/msm/gpu: Don't map command buffers with nr_relocs equal to 0
        drm/msm/hdmi: Enable HPD after HDMI IRQ is set up
        ...
      d387ac13
    • L
      Merge tag 'nfs-for-4.20-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 7f80c732
      Linus Torvalds 提交于
      Pull NFS client bugfixes from Trond Myklebust:
       "This is mainly fallout from the updates to the SUNRPC code that is
        being triggered from less common combinations of NFS mount options.
      
        Highlights include:
      
        Stable fixes:
         - Fix a page leak when using RPCSEC_GSS/krb5p to encrypt data.
      
        Bugfixes:
         - Fix a regression that causes the RPC receive code to hang
         - Fix call_connect_status() so that it handles tasks that got
           transmitted while queued waiting for the socket lock.
         - Fix a memory leak in call_encode()
         - Fix several other connect races.
         - Fix receive code error handling.
         - Use the discard iterator rather than MSG_TRUNC for compatibility
           with AF_UNIX/AF_LOCAL sockets.
         - nfs: don't dirty kernel pages read by direct-io
         - pnfs/Flexfiles fix to enforce per-mirror stateid only for NFSv4
           data servers"
      
      * tag 'nfs-for-4.20-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        SUNRPC: Don't force a redundant disconnection in xs_read_stream()
        SUNRPC: Fix up socket polling
        SUNRPC: Use the discard iterator rather than MSG_TRUNC
        SUNRPC: Treat EFAULT as a truncated message in xs_read_stream_request()
        SUNRPC: Fix up handling of the XDRBUF_SPARSE_PAGES flag
        SUNRPC: Fix RPC receive hangs
        SUNRPC: Fix a potential race in xprt_connect()
        SUNRPC: Fix a memory leak in call_encode()
        SUNRPC: Fix leak of krb5p encode pages
        SUNRPC: call_connect_status() must handle tasks that got transmitted
        nfs: don't dirty kernel pages read by direct-io
        flexfiles: enforce per-mirror stateid only for v4 DSes
      7f80c732
    • L
      Merge branch 'spectre' of git://git.armlinux.org.uk/~rmk/linux-arm · b72f711a
      Linus Torvalds 提交于
      Pull ARM spectre fix from Russell King:
       "Exynos folk noticed that CPU hotplug wasn't working with their kernel
        configuration, and have tested this as fixing the problem"
      
      * 'spectre' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: ensure that processor vtables is not lost after boot
      b72f711a
    • L
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 7e40b56c
      Linus Torvalds 提交于
      Pull ARM fixes from Russell King:
       "Some small fixes that have been accumulated:
      
         - Chris Cole noticed that in a SMP environment, the DMA cache
           coherence handling can produce undesirable results in a corner
           case
      
         - Propagate that fix for ARMv7M as well
      
         - Fix a false positive with source fortification
      
         - Fix an uninitialised return that Nathan Jones spotted"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8816/1: dma-mapping: fix potential uninitialized return
        ARM: 8815/1: V7M: align v7m_dma_inv_range() with v7 counterpart
        ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling
        ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE
      7e40b56c
    • M
      i2c: uniphier-f: fix violation of tLOW requirement for Fast-mode · ece27a33
      Masahiro Yamada 提交于
      Currently, the clock duty is set as tLOW/tHIGH = 1/1. For Fast-mode,
      tLOW is set to 1.25 us while the I2C spec requires tLOW >= 1.3 us.
      
      tLOW/tHIGH = 5/4 would meet both Standard-mode and Fast-mode:
        Standard-mode: tLOW = 5.56 us, tHIGH = 4.44 us
        Fast-mode:     tLOW = 1.39 us, tHIGH = 1.11 us
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      ece27a33
    • M
      i2c: uniphier: fix violation of tLOW requirement for Fast-mode · 8469636a
      Masahiro Yamada 提交于
      Currently, the clock duty is set as tLOW/tHIGH = 1/1. For Fast-mode,
      tLOW is set to 1.25 us while the I2C spec requires tLOW >= 1.3 us.
      
      tLOW/tHIGH = 5/4 would meet both Standard-mode and Fast-mode:
        Standard-mode: tLOW = 5.56 us, tHIGH = 4.44 us
        Fast-mode:     tLOW = 1.39 us, tHIGH = 1.11 us
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      8469636a
    • M
      i2c: uniphier-f: fill TX-FIFO only in IRQ handler for repeated START · cd8843f5
      Masahiro Yamada 提交于
      - For a repeated START condition, this controller starts data transfer
         immediately after the slave address is written to the TX-FIFO.
      
       - Once the TX-FIFO empty interrupt is asserted, the controller makes
         a pause even if additional data are written to the TX-FIFO.
      
      Given those circumstances, the data after a repeated START may not be
      transferred if the interrupt is asserted while the TX-FIFO is being
      filled up. A more reliable way is to append TX data only in the
      interrupt handler.
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      cd8843f5
    • M
      i2c: uniphier-f: fix timeout error after reading 8 bytes · c2a653de
      Masahiro Yamada 提交于
      I was totally screwed up in commit eaba6878 ("i2c: uniphier-f:
      fix race condition when IRQ is cleared"). Since that commit, if the
      number of read bytes is multiple of the FIFO size (8, 16, 24... bytes),
      the STOP condition could be issued twice, depending on the timing.
      If this happens, the controller will go wrong, resulting in the timeout
      error.
      
      It was more than 3 years ago when I wrote this driver, so my memory
      about this hardware was vague. Please let me correct the description
      in the commit log of eaba6878.
      
      Clearing the IRQ status on exiting the IRQ handler is absolutely
      fine. This controller makes a pause while any IRQ status is asserted.
      If the IRQ status is cleared first, the hardware may start the next
      transaction before the IRQ handler finishes what it supposed to do.
      
      This partially reverts the bad commit with clear comments so that I
      will never repeat this mistake.
      
      I also investigated what is happening at the last moment of the read
      mode. The UNIPHIER_FI2C_INT_RF interrupt is asserted a bit earlier
      (by half a period of the clock cycle) than UNIPHIER_FI2C_INT_RB.
      
      I consulted a hardware engineer, and I got the following information:
      
      UNIPHIER_FI2C_INT_RF
          asserted at the falling edge of SCL at the 8th bit.
      
      UNIPHIER_FI2C_INT_RB
          asserted at the rising edge of SCL at the 9th (ACK) bit.
      
      In order to avoid calling uniphier_fi2c_stop() twice, check the latter
      interrupt. I also commented this because it is obscure hardware internal.
      
      Fixes: eaba6878 ("i2c: uniphier-f: fix race condition when IRQ is cleared")
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      c2a653de
    • H
      i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node · 0544ee4b
      Hans de Goede 提交于
      Some AMD based HP laptops have a SMB0001 ACPI device node which does not
      define any methods.
      
      This leads to the following error in dmesg:
      
      [    5.222731] cmi: probe of SMB0001:00 failed with error -5
      
      This commit makes acpi_smbus_cmi_add() return -ENODEV instead in this case
      silencing the error. In case of a failure of the i2c_add_adapter() call
      this commit now propagates the error from that call instead of -EIO.
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      0544ee4b
    • A
      i2c: axxia: properly handle master timeout · 6c7f25ca
      Adamski, Krzysztof (Nokia - PL/Wroclaw) 提交于
      According to Intel (R) Axxia TM Lionfish Communication Processor
      Peripheral Subsystem Hardware Reference Manual, the AXXIA I2C module
      have a programmable Master Wait Timer, which among others, checks the
      time between commands send in manual mode. When a timeout (25ms) passes,
      TSS bit is set in Master Interrupt Status register and a Stop command is
      issued by the hardware.
      
      The axxia_i2c_xfer(), does not properly handle this situation, however.
      For each message a separate axxia_i2c_xfer_msg() is called and this
      function incorrectly assumes that any interrupt might happen only when
      waiting for completion. This is mostly correct but there is one
      exception - a master timeout can trigger if enough time has passed
      between individual transfers. It will, by definition, happen between
      transfers when the interrupts are disabled by the code. If that happens,
      the hardware issues Stop command.
      
      The interrupt indicating timeout will not be triggered as soon as we
      enable them since the Master Interrupt Status is cleared when master
      mode is entered again (which happens before enabling irqs) meaning this
      error is lost and the transfer is continued even though the Stop was
      issued on the bus. The subsequent operations completes without error but
      a bogus value (0xFF in case of read) is read as the client device is
      confused because aborted transfer. No error is returned from
      master_xfer() making caller believe that a valid value was read.
      
      To fix the problem, the TSS bit (indicating timeout) in Master Interrupt
      Status register is checked before each transfer. If it is set, there was
      a timeout before this transfer and (as described above) the hardware
      already issued Stop command so the transaction should be aborted thus
      -ETIMEOUT is returned from the master_xfer() callback. In order to be
      sure no timeout was issued we can't just read the status just before
      starting new transaction as there will always be a small window of time
      (few CPU cycles at best) where this might still happen. For this reason
      we have to temporally disable the timer before checking for TSS bit.
      Disabling it will, however, clear the TSS bit so in order to preserve
      that information, we have to read it in ISR so we have to ensure that
      the TSS interrupt is not masked between transfers of one transaction.
      There is no need to call bus recovery or controller reinitialization if
      that happens so it's skipped.
      Signed-off-by: NKrzysztof Adamski <krzysztof.adamski@nokia.com>
      Reviewed-by: NAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      6c7f25ca
    • S
      vhost/vsock: fix use-after-free in network stack callers · 834e772c
      Stefan Hajnoczi 提交于
      If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
      a struct vhost_vsock use-after-free is possible.  This occurs because
      .release() does not wait for other CPUs to stop using struct
      vhost_vsock.
      
      Switch to an RCU-enabled hashtable (indexed by guest CID) so that
      .release() can wait for other CPUs by calling synchronize_rcu().  This
      also eliminates vhost_vsock_lock acquisition in the data path so it
      could have a positive effect on performance.
      
      This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
      
      Cc: stable@vger.kernel.org
      Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
      Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
      Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
      Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Acked-by: NJason Wang <jasowang@redhat.com>
      834e772c
    • H
      virtio/s390: fix race in ccw_io_helper() · 78b1a52e
      Halil Pasic 提交于
      While ccw_io_helper() seems like intended to be exclusive in a sense that
      it is supposed to facilitate I/O for at most one thread at any given
      time, there is actually nothing ensuring that threads won't pile up at
      vcdev->wait_q. If they do, all threads get woken up and see the status
      that belongs to some other request than their own. This can lead to bugs.
      For an example see:
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1788432
      
      This race normally does not cause any problems. The operations provided
      by struct virtio_config_ops are usually invoked in a well defined
      sequence, normally don't fail, and are normally used quite infrequent
      too.
      
      Yet, if some of the these operations are directly triggered via sysfs
      attributes, like in the case described by the referenced bug, userspace
      is given an opportunity to force races by increasing the frequency of the
      given operations.
      
      Let us fix the problem by ensuring, that for each device, we finish
      processing the previous request before starting with a new one.
      Signed-off-by: NHalil Pasic <pasic@linux.ibm.com>
      Reported-by: NColin Ian King <colin.king@canonical.com>
      Cc: stable@vger.kernel.org
      Message-Id: <20180925121309.58524-3-pasic@linux.ibm.com>
      Signed-off-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      78b1a52e
    • H
      virtio/s390: avoid race on vcdev->config · 2448a299
      Halil Pasic 提交于
      Currently we have a race on vcdev->config in virtio_ccw_get_config() and
      in virtio_ccw_set_config().
      
      This normally does not cause problems, as these are usually infrequent
      operations. However, for some devices writing to/reading from the config
      space can be triggered through sysfs attributes. For these, userspace can
      force the race by increasing the frequency.
      Signed-off-by: NHalil Pasic <pasic@linux.ibm.com>
      Cc: stable@vger.kernel.org
      Message-Id: <20180925121309.58524-2-pasic@linux.ibm.com>
      Signed-off-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      2448a299