1. 23 Feb, 2019 13 commits
    • Jason Wang's avatar
      vhost: correctly check the return value of translate_desc() in log_used() · 9a752d37
      Jason Wang authored
      [ Upstream commit 816db766 ]
      
      When fail, translate_desc() returns negative value, otherwise the
      number of iovs. So we should fail when the return value is negative
      instead of a blindly check against zero.
      
      Detected by CoverityScan, CID# 1442593:  Control flow issues  (DEADCODE)
      
      Fixes: cc5e7107 ("vhost: log dirty page correctly")
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reported-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9a752d37
    • Kai-Heng Feng's avatar
      sky2: Increase D3 delay again · 1e3300eb
      Kai-Heng Feng authored
      [ Upstream commit 1765f5dc ]
      
      Another platform requires even longer delay to make the device work
      correctly after S3.
      
      So increase the delay to 300ms.
      
      BugLink: https://bugs.launchpad.net/bugs/1798921Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1e3300eb
    • Alexandre Torgue's avatar
      net: stmmac: handle endianness in dwmac4_get_timestamp · 6e04b821
      Alexandre Torgue authored
      [ Upstream commit 224babd62d6f19581757a6d8bae3bf9501fc10de ]
      
      GMAC IP is little-endian and used on several kind of CPU (big or little
      endian). Main callbacks functions of the stmmac drivers take care about
      it. It was not the case for dwmac4_get_timestamp function.
      
      Fixes: ba1ffd74 ("stmmac: fix PTP support for GMAC4")
      Signed-off-by: default avatarAlexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6e04b821
    • Jose Abreu's avatar
      net: stmmac: Fix a race in EEE enable callback · 176ab701
      Jose Abreu authored
      [ Upstream commit 8a7493e5 ]
      
      We are saving the status of EEE even before we try to enable it. This
      leads to a race with XMIT function that tries to arm EEE timer before we
      set it up.
      
      Fix this by only saving the EEE parameters after all operations are
      performed with success.
      Signed-off-by: default avatarJose Abreu <joabreu@synopsys.com>
      Fixes: d765955d ("stmmac: add the Energy Efficient Ethernet support")
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      176ab701
    • Paul Kocialkowski's avatar
      net: phy: xgmiitorgmii: Support generic PHY status read · 618bd2c2
      Paul Kocialkowski authored
      [ Upstream commit 197f9ab7 ]
      
      Some PHY drivers like the generic one do not provide a read_status
      callback on their own but rely on genphy_read_status being called
      directly.
      
      With the current code, this results in a NULL function pointer call.
      Call genphy_read_status instead when there is no specific callback.
      
      Fixes: f411a616 ("net: phy: Add gmiitorgmii converter support")
      Signed-off-by: default avatarPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      618bd2c2
    • Lorenzo Bianconi's avatar
      net: ipv4: use a dedicated counter for icmp_v4 redirect packets · 1764111c
      Lorenzo Bianconi authored
      [ Upstream commit c09551c6 ]
      
      According to the algorithm described in the comment block at the
      beginning of ip_rt_send_redirect, the host should try to send
      'ip_rt_redirect_number' ICMP redirect packets with an exponential
      backoff and then stop sending them at all assuming that the destination
      ignores redirects.
      If the device has previously sent some ICMP error packets that are
      rate-limited (e.g TTL expired) and continues to receive traffic,
      the redirect packets will never be transmitted. This happens since
      peer->rate_tokens will be typically greater than 'ip_rt_redirect_number'
      and so it will never be reset even if the redirect silence timeout
      (ip_rt_redirect_silence) has elapsed without receiving any packet
      requiring redirects.
      
      Fix it by using a dedicated counter for the number of ICMP redirect
      packets that has been sent by the host
      
      I have not been able to identify a given commit that introduced the
      issue since ip_rt_send_redirect implements the same rate-limiting
      algorithm from commit 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1764111c
    • Lorenzo Bianconi's avatar
      net: ip6_gre: initialize erspan_ver just for erspan tunnels · 4523bc86
      Lorenzo Bianconi authored
      [ Upstream commit 4974d5f6 ]
      
      After commit c706863b ("net: ip6_gre: always reports o_key to
      userspace"), ip6gre and ip6gretap tunnels started reporting TUNNEL_KEY
      output flag even if it is not configured.
      ip6gre_fill_info checks erspan_ver value to add TUNNEL_KEY for
      erspan tunnels, however in commit 84581bda ("erspan: set
      erspan_ver to 1 by default when adding an erspan dev")
      erspan_ver is initialized to 1 even for ip6gre or ip6gretap
      Fix the issue moving erspan_ver initialization in a dedicated routine
      
      Fixes: c706863b ("net: ip6_gre: always reports o_key to userspace")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Reviewed-by: default avatarGreg Rose <gvrose8192@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4523bc86
    • Zhiqiang Liu's avatar
      net: fix IPv6 prefix route residue · 4c1b91b8
      Zhiqiang Liu authored
      [ Upstream commit e75913c9 ]
      
      Follow those steps:
       # ip addr add 2001:123::1/32 dev eth0
       # ip addr add 2001:123:456::2/64 dev eth0
       # ip addr del 2001:123::1/32 dev eth0
       # ip addr del 2001:123:456::2/64 dev eth0
      and then prefix route of 2001:123::1/32 will still exist.
      
      This is because ipv6_prefix_equal in check_cleanup_prefix_route
      func does not check whether two IPv6 addresses have the same
      prefix length. If the prefix of one address starts with another
      shorter address prefix, even though their prefix lengths are
      different, the return value of ipv6_prefix_equal is true.
      
      Here I add a check of whether two addresses have the same prefix
      to decide whether their prefixes are equal.
      
      Fixes: 5b84efec ("ipv6 addrconf: don't cleanup prefix route for IFA_F_NOPREFIXROUTE")
      Signed-off-by: default avatarZhiqiang Liu <liuzhiqiang26@huawei.com>
      Reported-by: default avatarWenhao Zhang <zhangwenhao8@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4c1b91b8
    • Hauke Mehrtens's avatar
      net: Fix for_each_netdev_feature on Big endian · b2975c2e
      Hauke Mehrtens authored
      [ Upstream commit 3b89ea9c ]
      
      The features attribute is of type u64 and stored in the native endianes on
      the system. The for_each_set_bit() macro takes a pointer to a 32 bit array
      and goes over the bits in this area. On little Endian systems this also
      works with an u64 as the most significant bit is on the highest address,
      but on big endian the words are swapped. When we expect bit 15 here we get
      bit 47 (15 + 32).
      
      This patch converts it more or less to its own for_each_set_bit()
      implementation which works on 64 bit integers directly. This is then
      completely in host endianness and should work like expected.
      
      Fixes: fd867d51 ("net/core: generic support for disabling netdev features down stack")
      Signed-off-by: default avatarHauke Mehrtens <hauke.mehrtens@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b2975c2e
    • Mao Wenan's avatar
      net: crypto set sk to NULL when af_alg_release. · eb5e6869
      Mao Wenan authored
      [ Upstream commit 9060cb71 ]
      
      KASAN has found use-after-free in sockfs_setattr.
      The existed commit 6d8c50dc ("socket: close race condition between sock_close()
      and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
      that crypto module forgets to set the sk to NULL after af_alg_release.
      
      KASAN report details as below:
      BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
      Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
      
      CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       dump_stack+0xca/0x13e
       print_address_description+0x79/0x330
       ? vprintk_func+0x5e/0xf0
       kasan_report+0x18a/0x2e0
       ? sockfs_setattr+0x120/0x150
       sockfs_setattr+0x120/0x150
       ? sock_register+0x2d0/0x2d0
       notify_change+0x90c/0xd40
       ? chown_common+0x2ef/0x510
       chown_common+0x2ef/0x510
       ? chmod_common+0x3b0/0x3b0
       ? __lock_is_held+0xbc/0x160
       ? __sb_start_write+0x13d/0x2b0
       ? __mnt_want_write+0x19a/0x250
       do_fchownat+0x15c/0x190
       ? __ia32_sys_chmod+0x80/0x80
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       __x64_sys_fchownat+0xbf/0x160
       ? lockdep_hardirqs_on+0x39a/0x5e0
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462589
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
      f7 48 89 d6 48 89
      ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
      48 c7 c1 bc ff ff
      ff f7 d8 64 89 01 48
      RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
      RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
      RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
      RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
      R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
      
      Allocated by task 4185:
       kasan_kmalloc+0xa0/0xd0
       __kmalloc+0x14a/0x350
       sk_prot_alloc+0xf6/0x290
       sk_alloc+0x3d/0xc00
       af_alg_accept+0x9e/0x670
       hash_accept+0x4a3/0x650
       __sys_accept4+0x306/0x5c0
       __x64_sys_accept4+0x98/0x100
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4184:
       __kasan_slab_free+0x12e/0x180
       kfree+0xeb/0x2f0
       __sk_destruct+0x4e6/0x6a0
       sk_destruct+0x48/0x70
       __sk_free+0xa9/0x270
       sk_free+0x2a/0x30
       af_alg_release+0x5c/0x70
       __sock_release+0xd3/0x280
       sock_close+0x1a/0x20
       __fput+0x27f/0x7f0
       task_work_run+0x136/0x1b0
       exit_to_usermode_loop+0x1a7/0x1d0
       do_syscall_64+0x461/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Syzkaller reproducer:
      r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
      0xffffffffffffffff, 0x0)
      r1 = socket$alg(0x26, 0x5, 0x0)
      getrusage(0x0, 0x0)
      bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
      'sha256-ssse3\x00'}, 0x80)
      r2 = accept(r1, 0x0, 0x0)
      r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
      r4 = dup3(r3, r0, 0x0)
      fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
      
      Fixes: 6d8c50dc ("socket: close race condition between sock_close() and sockfs_setattr()")
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eb5e6869
    • Petr Machata's avatar
      mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable · bd1488b8
      Petr Machata authored
      [ Upstream commit 28946040 ]
      
      The function-local variable "delay" enters the loop interpreted as delay
      in bits. However, inside the loop it gets overwritten by the result of
      mlxsw_sp_pg_buf_delay_get(), and thus leaves the loop as quantity in
      cells. Thus on second and further loop iterations, the headroom for a
      given priority is configured with a wrong size.
      
      Fix by introducing a loop-local variable, delay_cells. Rename thres to
      thres_cells for consistency.
      
      Fixes: f417f04d ("mlxsw: spectrum: Refactor port buffer configuration")
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bd1488b8
    • John David Anglin's avatar
      dsa: mv88e6xxx: Ensure all pending interrupts are handled prior to exit · 017d5110
      John David Anglin authored
      [ Upstream commit 7c0db24c ]
      
      The GPIO interrupt controller on the espressobin board only supports edge interrupts.
      If one enables the use of hardware interrupts in the device tree for the 88E6341, it is
      possible to miss an edge.  When this happens, the INTn pin on the Marvell switch is
      stuck low and no further interrupts occur.
      
      I found after adding debug statements to mv88e6xxx_g1_irq_thread_work() that there is
      a race in handling device interrupts (e.g. PHY link interrupts).  Some interrupts are
      directly cleared by reading the Global 1 status register.  However, the device interrupt
      flag, for example, is not cleared until all the unmasked SERDES and PHY ports are serviced.
      This is done by reading the relevant SERDES and PHY status register.
      
      The code only services interrupts whose status bit is set at the time of reading its status
      register.  If an interrupt event occurs after its status is read and before all interrupts
      are serviced, then this event will not be serviced and the INTn output pin will remain low.
      
      This is not a problem with polling or level interrupts since the handler will be called
      again to process the event.  However, it's a big problem when using level interrupts.
      
      The fix presented here is to add a loop around the code servicing switch interrupts.  If
      any pending interrupts remain after the current set has been handled, we loop and process
      the new set.  If there are no pending interrupts after servicing, we are sure that INTn has
      gone high and we will get an edge when a new event occurs.
      
      Tested on espressobin board.
      
      Fixes: dc30c35b ("net: dsa: mv88e6xxx: Implement interrupt support.")
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Tested-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      017d5110
    • Nicolas Dichtel's avatar
      af_packet: fix raw sockets over 6in4 tunnel · bbbefe81
      Nicolas Dichtel authored
      [ Upstream commit 88a8121d ]
      
      Since commit cb9f1b78, scapy (which uses an AF_PACKET socket in
      SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel:
      
      Here is a example of the setup:
      $ ip link set ntfp2 up
      $ ip addr add 10.125.0.1/24 dev ntfp2
      $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2
      $ ip addr add fd00:cafe:cafe::1/128 dev tun1
      $ ip link set dev tun1 up
      $ ip route add fd00:200::/64 dev tun1
      $ scapy
      >>> p = []
      >>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest()
      >>> send(p, count=1, inter=0.1)
      >>> quit()
      $ ip -s link ls dev tun1 | grep -A1 "TX.*errors"
          TX: bytes  packets  errors  dropped carrier collsns
          0          0        1       0       0       0
      
      The problem is that the network offset is set to the hard_header_len of the
      output device (tun1, ie 14 + 20) and in our case, because the packet is
      small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes
      (ipv6 header) starting from the network offset).
      
      This problem is more generally related to device with variable hard header
      length. To avoid a too intrusive patch in the current release, a (ugly)
      workaround is proposed in this patch. It has to be cleaned up in net-next.
      
      Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1
      Link: http://patchwork.ozlabs.org/patch/1024489/
      Fixes: cb9f1b78 ("ip: validate header length on virtual device xmit")
      CC: Willem de Bruijn <willemb@google.com>
      CC: Maxim Mikityanskiy <maximmi@mellanox.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bbbefe81
  2. 20 Feb, 2019 27 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.19.24 · f287634f
      Greg Kroah-Hartman authored
      f287634f
    • Sandeep Patil's avatar
      mm: proc: smaps_rollup: fix pss_locked calculation · dd5f4d06
      Sandeep Patil authored
      commit 27dd768e upstream.
      
      The 'pss_locked' field of smaps_rollup was being calculated incorrectly.
      It accumulated the current pss everytime a locked VMA was found.  Fix
      that by adding to 'pss_locked' the same time as that of 'pss' if the vma
      being walked is locked.
      
      Link: http://lkml.kernel.org/r/20190203065425.14650-1-sspatil@android.com
      Fixes: 493b0e9d ("mm: add /proc/pid/smaps_rollup")
      Signed-off-by: default avatarSandeep Patil <sspatil@android.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Reviewed-by: default avatarJoel Fernandes (Google) <joel@joelfernandes.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Daniel Colascione <dancol@google.com>
      Cc: <stable@vger.kernel.org>	[4.14.x, 4.19.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd5f4d06
    • Joonas Lahtinen's avatar
      drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set · 6a204bd5
      Joonas Lahtinen authored
      commit 2e7bd10e upstream.
      
      Make sure the underlying VMA in the process address space is the
      same as it was during vm_mmap to avoid applying WC to wrong VMA.
      
      A more long-term solution would be to have vm_mmap_locked variant
      in linux/mmap.h for when caller wants to hold mmap_sem for an
      extended duration.
      
      v2:
      - Refactor the compare function
      
      Fixes: 1816f923 ("drm/i915: Support creation of unbound wc user mappings for objects")
      Reported-by: default avatarAdam Zabrocki <adamza@microsoft.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJoonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: <stable@vger.kernel.org> # v4.0+
      Cc: Akash Goel <akash.goel@intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
      Cc: Adam Zabrocki <adamza@microsoft.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> #v1
      Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-1-joonas.lahtinen@linux.intel.com
      (cherry picked from commit 5c4604e7)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a204bd5
    • Lyude Paul's avatar
      drm/i915: Block fbdev HPD processing during suspend · 4631e0b4
      Lyude Paul authored
      commit e8a8fedd upstream.
      
      When resuming, we check whether or not any previously connected
      MST topologies are still present and if so, attempt to resume them. If
      this fails, we disable said MST topologies and fire off a hotplug event
      so that userspace knows to reprobe.
      
      However, sending a hotplug event involves calling
      drm_fb_helper_hotplug_event(), which in turn results in fbcon doing a
      connector reprobe in the caller's thread - something we can't do at the
      point in which i915 calls drm_dp_mst_topology_mgr_resume() since
      hotplugging hasn't been fully initialized yet.
      
      This currently causes some rather subtle but fatal issues. For example,
      on my T480s the laptop dock connected to it usually disappears during a
      suspend cycle, and comes back up a short while after the system has been
      resumed. This guarantees pretty much every suspend and resume cycle,
      drm_dp_mst_topology_mgr_set_mst(mgr, false); will be caused and in turn,
      a connector hotplug will occur. Now it's Rute Goldberg time: when the
      connector hotplug occurs, i915 reprobes /all/ of the connectors,
      including eDP. However, eDP probing requires that we power on the panel
      VDD which in turn, grabs a wakeref to the appropriate power domain on
      the GPU (on my T480s, this is the PORT_DDI_A_IO domain). This is where
      things start breaking, since this all happens before
      intel_power_domains_enable() is called we end up leaking the wakeref
      that was acquired and never releasing it later. Come next suspend/resume
      cycle, this causes us to fail to shut down the GPU properly, which
      causes it not to resume properly and die a horrible complicated death.
      
      (as a note: this only happens when there's both an eDP panel and MST
      topology connected which is removed mid-suspend. One or the other seems
      to always be OK).
      
      We could try to fix the VDD wakeref leak, but this doesn't seem like
      it's worth it at all since we aren't able to handle hotplug detection
      while resuming anyway. So, let's go with a more robust solution inspired
      by nouveau: block fbdev from handling hotplug events until we resume
      fbdev. This allows us to still send sysfs hotplug events to be handled
      later by user space while we're resuming, while also preventing us from
      actually processing any hotplug events we receive until it's safe.
      
      This fixes the wakeref leak observed on the T480s and as such, also
      fixes suspend/resume with MST topologies connected on this machine.
      
      Changes since v2:
      * Don't call drm_fb_helper_hotplug_event() under lock, do it after lock
        (Chris Wilson)
      * Don't call drm_fb_helper_hotplug_event() in
        intel_fbdev_output_poll_changed() under lock (Chris Wilson)
      * Always set ifbdev->hpd_waiting (Chris Wilson)
      Signed-off-by: default avatarLyude Paul <lyude@redhat.com>
      Fixes: 0e32b39c ("drm/i915: add DP 1.2 MST support (v0.7)")
      Cc: Todd Previte <tprevite@gmail.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: Imre Deak <imre.deak@intel.com>
      Cc: intel-gfx@lists.freedesktop.org
      Cc: <stable@vger.kernel.org> # v3.17+
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190129191001.442-2-lyude@redhat.com
      (cherry picked from commit fe5ec656)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4631e0b4
    • Rodrigo Siqueira's avatar
      drm/vkms: Fix license inconsistent · de48b5f3
      Rodrigo Siqueira authored
      commit 7fd56e02 upstream.
      
      Fixes license inconsistent related to the VKMS driver and remove the
      redundant boilerplate comment.
      
      Fixes: 854502fa ("drm/vkms: Add basic CRTC initialization")
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
      Acked-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190206140116.7qvy2lpwbcd7wds6@smtp.gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      de48b5f3
    • Matthew Wilcox's avatar
      drm: Use array_size() when creating lease · 3312e0ae
      Matthew Wilcox authored
      commit 69ef943d upstream.
      
      Passing an object_count of sufficient size will make
      object_count * 4 wrap around to be very small, then a later function
      will happily iterate off the end of the object_ids array.  Using
      array_size() will saturate at SIZE_MAX, the kmalloc() will fail and
      we'll return an -ENOMEM to the norty userspace.
      
      Fixes: 62884cd3 ("drm: Add four ioctls for managing drm mode object leases [v7]")
      Signed-off-by: default avatarMatthew Wilcox <willy@infradead.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: <stable@vger.kernel.org> # v4.15+
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3312e0ae
    • Nikos Tsironis's avatar
      dm thin: fix bug where bio that overwrites thin block ignores FUA · 029a38f8
      Nikos Tsironis authored
      commit 4ae280b4 upstream.
      
      When provisioning a new data block for a virtual block, either because
      the block was previously unallocated or because we are breaking sharing,
      if the whole block of data is being overwritten the bio that triggered
      the provisioning is issued immediately, skipping copying or zeroing of
      the data block.
      
      When this bio completes the new mapping is inserted in to the pool's
      metadata by process_prepared_mapping(), where the bio completion is
      signaled to the upper layers.
      
      This completion is signaled without first committing the metadata.  If
      the bio in question has the REQ_FUA flag set and the system crashes
      right after its completion and before the next metadata commit, then the
      write is lost despite the REQ_FUA flag requiring that I/O completion for
      this request must only be signaled after the data has been committed to
      non-volatile storage.
      
      Fix this by deferring the completion of overwrite bios, with the REQ_FUA
      flag set, until after the metadata has been committed.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNikos Tsironis <ntsironis@arrikto.com>
      Acked-by: default avatarJoe Thornber <ejt@redhat.com>
      Acked-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      029a38f8
    • Mikulas Patocka's avatar
      dm crypt: don't overallocate the integrity tag space · 3ec93eb3
      Mikulas Patocka authored
      commit ff0c129d upstream.
      
      bio_sectors() returns the value in the units of 512-byte sectors (no
      matter what the real sector size of the device).  dm-crypt multiplies
      bio_sectors() by on_disk_tag_size to calculate the space allocated for
      integrity tags.  If dm-crypt is running with sector size larger than
      512b, it allocates more data than is needed.
      
      Device Mapper trims the extra space when passing the bio to
      dm-integrity, so this bug didn't result in any visible misbehavior.
      But it must be fixed to avoid wasteful memory allocation for the block
      integrity payload.
      
      Fixes: ef43aa38 ("dm crypt: add cryptographic data integrity protection (authenticated encryption)")
      Cc: stable@vger.kernel.org # 4.12+
      Reported-by: default avatarMilan Broz <mbroz@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ec93eb3
    • Borislav Petkov's avatar
      x86/a.out: Clear the dump structure initially · b2778ef8
      Borislav Petkov authored
      commit 10970e1b upstream.
      
      dump_thread32() in aout_core_dump() does not clear the user32 structure
      allocated on the stack as the first thing on function entry.
      
      As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
      assigned before the clearing, get overwritten.
      
      Rename that function to fill_dump() to make it clear what it does and
      call it first thing.
      
      This was caught while staring at a patch by Derek Robson
      <robsonde@gmail.com>.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Derek Robson <robsonde@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Michael Matz <matz@suse.de>
      Cc: x86@kernel.org
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2778ef8
    • Nate Dailey's avatar
      md/raid1: don't clear bitmap bits on interrupted recovery. · ddf96641
      Nate Dailey authored
      commit dfcc34c9 upstream.
      
      sync_request_write no longer submits writes to a Faulty device. This has
      the unfortunate side effect that bitmap bits can be incorrectly cleared
      if a recovery is interrupted (previously, end_sync_write would have
      prevented this). This means the next recovery may not copy everything
      it should, potentially corrupting data.
      
      Add a function for doing the proper md_bitmap_end_sync, called from
      end_sync_write and the Faulty case in sync_request_write.
      
      backport note to 4.14: s/md_bitmap_end_sync/bitmap_end_sync
      Cc: stable@vger.kernel.org 4.14+
      Fixes: 0c9d5b12 ("md/raid1: avoid reusing a resync bio after error handling.")
      Reviewed-by: default avatarJack Wang <jinpu.wang@cloud.ionos.com>
      Tested-by: default avatarJack Wang <jinpu.wang@cloud.ionos.com>
      Signed-off-by: default avatarNate Dailey <nate.dailey@stratus.com>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ddf96641
    • Eric W. Biederman's avatar
      signal: Restore the stop PTRACE_EVENT_EXIT · a2b3e2c0
      Eric W. Biederman authored
      commit cf43a757 upstream.
      
      In the middle of do_exit() there is there is a call
      "ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process
      in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for
      for the debugger to release the task or SIGKILL to be delivered.
      
      Skipping past dequeue_signal when we know a fatal signal has already
      been delivered resulted in SIGKILL remaining pending and
      TIF_SIGPENDING remaining set.  This in turn caused the
      scheduler to not sleep in PTACE_EVENT_EXIT as it figured
      a fatal signal was pending.  This also caused ptrace_freeze_traced
      in ptrace_check_attach to fail because it left a per thread
      SIGKILL pending which is what fatal_signal_pending tests for.
      
      This difference in signal state caused strace to report
      strace: Exit of unknown pid NNNNN ignored
      
      Therefore update the signal handling state like dequeue_signal
      would when removing a per thread SIGKILL, by removing SIGKILL
      from the per thread signal mask and clearing TIF_SIGPENDING.
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarIvan Delalande <colona@arista.com>
      Cc: stable@vger.kernel.org
      Fixes: 35634ffa ("signal: Always notice exiting tasks")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2b3e2c0
    • James Bottomley's avatar
      scsi: sd: fix entropy gathering for most rotational disks · 0396cf55
      James Bottomley authored
      commit e4a05698 upstream.
      
      The problem is that the default for MQ is not to gather entropy, whereas
      the default for the legacy queue was always to gather it.  The original
      attempt to fix entropy gathering for rotational disks under MQ added an
      else branch in sd_read_block_characteristics().  Unfortunately, the entire
      check isn't reached if the device has no characteristics VPD page.  Since
      this page was only introduced in SBC-3 and its optional anyway, most less
      expensive rotational disks don't have one, meaning they all stopped
      gathering entropy when we made MQ the default.  In a wholly unrelated
      change, openssl and openssh won't function until the random number
      generator is initialised, meaning lots of people have been seeing large
      delays before they could log into systems with default MQ kernels due to
      this lack of entropy, because it now can take tens of minutes to initialise
      the kernel random number generator.
      
      The fix is to set the non-rotational and add-randomness flags
      unconditionally early on in the disk initialization path, so they can be
      reset only if the device actually reports being non-rotational via the VPD
      page.
      Reported-by: default avatarMikael Pettersson <mikpelinux@gmail.com>
      Fixes: 83e32a59 ("scsi: sd: Contribute to randomness when running rotational device")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      Reviewed-by: default avatarJens Axboe <axboe@kernel.dk>
      Reviewed-by: default avatarXuewei Zhang <xueweiz@google.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0396cf55
    • Hedi Berriche's avatar
      x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls · cdc35685
      Hedi Berriche authored
      commit f331e766 upstream.
      
      Calls into UV firmware must be protected against concurrency, expose the
      efi_runtime_lock to the UV platform, and use it to serialise UV BIOS
      calls.
      Signed-off-by: default avatarHedi Berriche <hedi.berriche@hpe.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Reviewed-by: default avatarRuss Anderson <rja@hpe.com>
      Reviewed-by: default avatarDimitri Sivanich <sivanich@hpe.com>
      Reviewed-by: default avatarMike Travis <mike.travis@hpe.com>
      Cc: Andy Shevchenko <andy@infradead.org>
      Cc: Bhupesh Sharma <bhsharma@redhat.com>
      Cc: Darren Hart <dvhart@infradead.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-efi <linux-efi@vger.kernel.org>
      Cc: platform-driver-x86@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.9+
      Cc: Steve Wahl <steve.wahl@hpe.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cdc35685
    • Andreas Ziegler's avatar
      tracing/uprobes: Fix output for multiple string arguments · 45649b99
      Andreas Ziegler authored
      commit 0722069a upstream.
      
      When printing multiple uprobe arguments as strings the output for the
      earlier arguments would also include all later string arguments.
      
      This is best explained in an example:
      
      Consider adding a uprobe to a function receiving two strings as
      parameters which is at offset 0xa0 in strlib.so and we want to print
      both parameters when the uprobe is hit (on x86_64):
      
      $ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
          /sys/kernel/debug/tracing/uprobe_events
      
      When the function is called as func("foo", "bar") and we hit the probe,
      the trace file shows a line like the following:
      
        [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"
      
      Note the extra "bar" printed as part of arg1. This behaviour stacks up
      for additional string arguments.
      
      The strings are stored in a dynamically growing part of the uprobe
      buffer by fetch_store_string() after copying them from userspace via
      strncpy_from_user(). The return value of strncpy_from_user() is then
      directly used as the required size for the string. However, this does
      not take the terminating null byte into account as the documentation
      for strncpy_from_user() cleary states that it "[...] returns the
      length of the string (not including the trailing NUL)" even though the
      null byte will be copied to the destination.
      
      Therefore, subsequent calls to fetch_store_string() will overwrite
      the terminating null byte of the most recently fetched string with
      the first character of the current string, leading to the
      "accumulation" of strings in earlier arguments in the output.
      
      Fix this by incrementing the return value of strncpy_from_user() by
      one if we did not hit the maximum buffer size.
      
      Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de
      
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: stable@vger.kernel.org
      Fixes: 5baaa59e ("tracing/probes: Implement 'memory' fetch method for uprobes")
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarAndreas Ziegler <andreas.ziegler@fau.de>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      45649b99
    • Harald Freudenberger's avatar
      s390/zcrypt: fix specification exception on z196 during ap probe · 88e1e66a
      Harald Freudenberger authored
      commit 8f9aca0c upstream.
      
      The older machines don't have the QCI instruction available.
      With support for up to 256 crypto cards the probing of each
      card has been extended to check card ids from 0 up to 255.
      For machines with QCI support there is a filter limiting the
      range of probed cards. The older machines (z196 and older)
      don't have this filter and so since support for 256 cards is
      in the driver all cards are probed. However, these machines
      also require to have the card id fit into 6 bits. Exceeding
      this limit results in a specification exception which happens
      on every kernel startup even when there is no crypto configured
      and used at all.
      
      This fix limits the range of probed crypto cards to 64 if
      there is no QCI instruction available to obey to the older
      ap architecture and so fixes the specification exceptions
      on z196 machines.
      
      Cc: stable@vger.kernel.org # v4.17+
      Fixes: af4a7227 ("s390/zcrypt: Support up to 256 crypto adapters.")
      Signed-off-by: default avatarHarald Freudenberger <freude@linux.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88e1e66a
    • Meelis Roos's avatar
      alpha: Fix Eiger NR_IRQS to 128 · a3fadeff
      Meelis Roos authored
      commit bfc91368 upstream.
      
      Eiger machine vector definition has nr_irqs 128, and working 2.6.26
      boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails
      because Symbios SCSI fails to request IRQ-s and does not find the disks.
      It has been broken at least since 3.18 - the earliest I could test with
      my gcc-5.
      
      The headers have moved around and possibly another order of defines has
      worked in the past - but since 128 seems to be correct and used, fix
      arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger.
      
      This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch).
      
      Cc: stable@vger.kernel.org # v3.18+
      Signed-off-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3fadeff
    • Sergei Trofimovich's avatar
      alpha: fix page fault handling for r16-r18 targets · c56eef69
      Sergei Trofimovich authored
      commit 491af60f upstream.
      
      Fix page fault handling code to fixup r16-r18 registers.
      Before the patch code had off-by-two registers bug.
      This bug caused overwriting of ps,pc,gp registers instead
      of fixing intended r16,r17,r18 (see `struct pt_regs`).
      
      More details:
      
      Initially Dmitry noticed a kernel bug as a failure
      on strace test suite. Test passes unmapped userspace
      pointer to io_submit:
      
      ```c
          #include <err.h>
          #include <unistd.h>
          #include <sys/mman.h>
          #include <asm/unistd.h>
          int main(void)
          {
              unsigned long ctx = 0;
              if (syscall(__NR_io_setup, 1, &ctx))
                  err(1, "io_setup");
              const size_t page_size = sysconf(_SC_PAGESIZE);
              const size_t size = page_size * 2;
              void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
              if (MAP_FAILED == ptr)
                  err(1, "mmap(%zu)", size);
              if (munmap(ptr, size))
                  err(1, "munmap");
              syscall(__NR_io_submit, ctx, 1, ptr + page_size);
              syscall(__NR_io_destroy, ctx);
              return 0;
          }
      ```
      
      Running this test causes kernel to crash when handling page fault:
      
      ```
          Unable to handle kernel paging request at virtual address ffffffffffff9468
          CPU 3
          aio(26027): Oops 0
          pc = [<fffffc00004eddf8>]  ra = [<fffffc00004edd5c>]  ps = 0000    Not tainted
          pc is at sys_io_submit+0x108/0x200
          ra is at sys_io_submit+0x6c/0x200
          v0 = fffffc00c58e6300  t0 = fffffffffffffff2  t1 = 000002000025e000
          t2 = fffffc01f159fef8  t3 = fffffc0001009640  t4 = fffffc0000e0f6e0
          t5 = 0000020001002e9e  t6 = 4c41564e49452031  t7 = fffffc01f159c000
          s0 = 0000000000000002  s1 = 000002000025e000  s2 = 0000000000000000
          s3 = 0000000000000000  s4 = 0000000000000000  s5 = fffffffffffffff2
          s6 = fffffc00c58e6300
          a0 = fffffc00c58e6300  a1 = 0000000000000000  a2 = 000002000025e000
          a3 = 00000200001ac260  a4 = 00000200001ac1e8  a5 = 0000000000000001
          t8 = 0000000000000008  t9 = 000000011f8bce30  t10= 00000200001ac440
          t11= 0000000000000000  pv = fffffc00006fd320  at = 0000000000000000
          gp = 0000000000000000  sp = 00000000265fd174
          Disabling lock debugging due to kernel taint
          Trace:
          [<fffffc0000311404>] entSys+0xa4/0xc0
      ```
      
      Here `gp` has invalid value. `gp is s overwritten by a fixup for the
      following page fault handler in `io_submit` syscall handler:
      
      ```
          __se_sys_io_submit
          ...
              ldq     a1,0(t1)
              bne     t0,4280 <__se_sys_io_submit+0x180>
      ```
      
      After a page fault `t0` should contain -EFALUT and `a1` is 0.
      Instead `gp` was overwritten in place of `a1`.
      
      This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
      (aka `a0-a2`).
      
      I think the bug went unnoticed for a long time as `gp` is one
      of scratch registers. Any kernel function call would re-calculate `gp`.
      
      Dmitry tracked down the bug origin back to 2.1.32 kernel version
      where trap_a{0,1,2} fields were inserted into struct pt_regs.
      And even before that `dpf_reg()` contained off-by-one error.
      
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: linux-alpha@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reported-and-reviewed-by: default avatar"Dmitry V. Levin" <ldv@altlinux.org>
      Cc: stable@vger.kernel.org # v2.1.32+
      Bug: https://bugs.gentoo.org/672040Signed-off-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c56eef69
    • Dave Chinner's avatar
      Revert "mm: slowly shrink slabs with a relatively small number of objects" · 657fbf79
      Dave Chinner authored
      commit a9a238e8 upstream.
      
      This reverts commit 172b06c3 ("mm: slowly shrink slabs with a
      relatively small number of objects").
      
      This change changes the agressiveness of shrinker reclaim, causing small
      cache and low priority reclaim to greatly increase scanning pressure on
      small caches.  As a result, light memory pressure has a disproportionate
      affect on small caches, and causes large caches to be reclaimed much
      faster than previously.
      
      As a result, it greatly perturbs the delicate balance of the VFS caches
      (dentry/inode vs file page cache) such that the inode/dentry caches are
      reclaimed much, much faster than the page cache and this drives us into
      several other caching imbalance related problems.
      
      As such, this is a bad change and needs to be reverted.
      
      [ Needs some massaging to retain the later seekless shrinker
        modifications.]
      
      Link: http://lkml.kernel.org/r/20190130041707.27750-3-david@fromorbit.com
      Fixes: 172b06c3 ("mm: slowly shrink slabs with a relatively small number of objects")
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Cc: Wolfgang Walter <linux@stwm.de>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Spock <dairinin@gmail.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      657fbf79
    • Dave Chinner's avatar
      Revert "mm: don't reclaim inodes with many attached pages" · 8d485d3a
      Dave Chinner authored
      commit 69056ee6 upstream.
      
      This reverts commit a76cf1a4 ("mm: don't reclaim inodes with many
      attached pages").
      
      This change causes serious changes to page cache and inode cache
      behaviour and balance, resulting in major performance regressions when
      combining worklaods such as large file copies and kernel compiles.
      
        https://bugzilla.kernel.org/show_bug.cgi?id=202441
      
      This change is a hack to work around the problems introduced by changing
      how agressive shrinkers are on small caches in commit 172b06c3 ("mm:
      slowly shrink slabs with a relatively small number of objects").  It
      creates more problems than it solves, wasn't adequately reviewed or
      tested, so it needs to be reverted.
      
      Link: http://lkml.kernel.org/r/20190130041707.27750-2-david@fromorbit.com
      Fixes: a76cf1a4 ("mm: don't reclaim inodes with many attached pages")
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Cc: Wolfgang Walter <linux@stwm.de>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Spock <dairinin@gmail.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d485d3a
    • J. Bruce Fields's avatar
      Revert "nfsd4: return default lease period" · 93769fef
      J. Bruce Fields authored
      commit 3bf6b57e upstream.
      
      This reverts commit d6ebf508.
      
      I forgot that the kernel's default lease period should never be
      decreased!
      
      After a kernel upgrade, the kernel has no way of knowing on its own what
      the previous lease time was.  Unless userspace tells it otherwise, it
      will assume the previous lease period was the same.
      
      So if we decrease this value in a kernel upgrade, we end up enforcing a
      grace period that's too short, and clients will fail to reclaim state in
      time.  Symptoms may include EIO and log messages like "NFS:
      nfs4_reclaim_open_state: Lock reclaim failed!"
      
      There was no real justification for the lease period decrease anyway.
      Reported-by: default avatarDonald Buczek <buczek@molgen.mpg.de>
      Fixes: d6ebf508 "nfsd4: return default lease period"
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93769fef
    • Matti Kurkela's avatar
      Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 · 17f4ddaa
      Matti Kurkela authored
      commit e8b22d0a upstream.
      
      Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech
      touchpad, but the driver needs to be told so to enable the middle touchpad
      button.
      
      The elantech_dmi_force_crc_enabled quirk was not necessary with the H780.
      
      Also document the fw_version and caps values detected for both H760 and
      H780 models.
      Signed-off-by: default avatarMatti Kurkela <Matti.Kurkela@iki.fi>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17f4ddaa
    • Jonathan Bakker's avatar
      Input: bma150 - register input device after setting private data · 3bd12095
      Jonathan Bakker authored
      commit 90cc55f0 upstream.
      
      Otherwise we introduce a race condition where userspace can request input
      before we're ready leading to null pointer dereference such as
      
      input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
      Unable to handle kernel NULL pointer dereference at virtual address 00000018
      pgd = (ptrval)
      [00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
      Internal error: Oops: 17 [#1] PREEMPT ARM
      Modules linked in: bma150 input_polldev [last unloaded: bma150]
      CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
      Hardware name: Samsung S5PC110/S5PV210-based board
      PC is at input_event+0x8/0x60
      LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
      pc : [<80450f70>]    lr : [<7f0a614c>]    psr: 800d0013
      sp : a4c1fd78  ip : 00000081  fp : 00020000
      r10: 00000000  r9 : a5e2944c  r8 : a7455000
      r7 : 00000016  r6 : 00000101  r5 : a7617940  r4 : 80909048
      r3 : fffffff2  r2 : 00000000  r1 : 00000003  r0 : 00000000
      Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      Control: 10c5387d  Table: 54e34019  DAC: 00000051
      Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
      Stackck: (0xa4c1fd78 to 0xa4c20000)
      fd60:                                                       fffffff3 fc813f6c
      fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324
      fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10
      fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0
      fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c
      fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000
      fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041
      fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8
      fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001
      fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048
      fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8
      fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720
      fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00
      ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3
      ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002
      ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c
      ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100
      ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000
      ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000
      ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038
      ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000
      [<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c)
      Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
      ---[ end trace 1c691ee85f2ff243 ]---
      Signed-off-by: default avatarJonathan Bakker <xc-racer2@live.ca>
      Signed-off-by: default avatarPaweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3bd12095
    • Zachary Hays's avatar
      mmc: block: handle complete_work on separate workqueue · c4609e81
      Zachary Hays authored
      commit dcf6e2e3 upstream.
      
      The kblockd workqueue is created with the WQ_MEM_RECLAIM flag set.
      This generates a rescuer thread for that queue that will trigger when
      the CPU is under heavy load and collect the uncompleted work.
      
      In the case of mmc, this creates the possibility of a deadlock when
      there are multiple partitions on the device as other blk-mq work is
      also run on the same queue. For example:
      
      - worker 0 claims the mmc host to work on partition 1
      - worker 1 attempts to claim the host for partition 2 but has to wait
        for worker 0 to finish
      - worker 0 schedules complete_work to release the host
      - rescuer thread is triggered after time-out and collects the dangling
        work
      - rescuer thread attempts to complete the work in order starting with
        claim host
      - the task to release host is now blocked by a task to claim it and
        will never be called
      
      The above results in multiple hung tasks that lead to failures to
      mount partitions.
      
      Handling complete_work on a separate workqueue avoids this by keeping
      the work completion tasks separate from the other blk-mq work. This
      allows the host to be released without getting blocked by other tasks
      attempting to claim the host.
      Signed-off-by: default avatarZachary Hays <zhays@lexmark.com>
      Fixes: 81196976 ("mmc: block: Add blk-mq support")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4609e81
    • Chen-Yu Tsai's avatar
      mmc: sunxi: Filter out unsupported modes declared in the device tree · 248a2f3c
      Chen-Yu Tsai authored
      commit d6f11e7d upstream.
      
      The MMC device tree bindings include properties used to signal various
      signalling speed modes. Until now the sunxi driver was accepting them
      without any further filtering, while the sunxi device trees were not
      actually using them.
      
      Since some of the H5 boards can not run at higher speed modes stably,
      we are resorting to declaring the higher speed modes per-board.
      
      Regardless, having boards declare modes and blindly following them,
      even without proper support in the driver, is generally a bad thing.
      
      Filter out all unsupported modes from the capabilities mask after
      the device tree properties have been parsed.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      248a2f3c
    • Xiaoyao Li's avatar
      kvm: vmx: Fix entry number check for add_atomic_switch_msr() · 0d41c03c
      Xiaoyao Li authored
      commit 98ae70cc upstream.
      
      Commit ca83b4a7 ("x86/KVM/VMX: Add find_msr() helper function")
      introduces the helper function find_msr(), which returns -ENOENT when
      not find the msr in vmx->msr_autoload.guest/host. Correct checking contion
      of no more available entry in vmx->msr_autoload.
      
      Fixes: ca83b4a7 ("x86/KVM/VMX: Add find_msr() helper function")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarXiaoyao Li <xiaoyao.li@linux.intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d41c03c
    • Vitaly Kuznetsov's avatar
      x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available · c58f010b
      Vitaly Kuznetsov authored
      commit 6b1971c6 upstream.
      
      SDM says MSR_IA32_VMX_PROCBASED_CTLS2 is only available "If
      (CPUID.01H:ECX.[5] && IA32_VMX_PROCBASED_CTLS[63])". It was found that
      some old cpus (namely "Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (family: 0x6,
      model: 0xf, stepping: 0x6") don't have it. Add the missing check.
      Reported-by: default avatarZdenek Kaspar <zkaspar82@gmail.com>
      Tested-by: default avatarZdenek Kaspar <zkaspar82@gmail.com>
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Reviewed-by: default avatarJim Mattson <jmattson@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c58f010b
    • Stefan O'Rear's avatar
      riscv: Add pte bit to distinguish swap from invalid · 2ab14838
      Stefan O'Rear authored
      commit e3613bb8 upstream.
      
      Previously, invalid PTEs and swap PTEs had the same binary
      representation, causing errors when attempting to unmap PROT_NONE
      mappings, including implicit unmap on exit.
      
      Typical error:
      
      swap_info_get: Bad swap file entry 40000000007a9879
      BUG: Bad page map in process a.out  pte:3d4c3cc0 pmd:3e521401
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarStefan O'Rear <sorear2@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarPalmer Dabbelt <palmer@sifive.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ab14838