From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 20:53:51 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.139~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21cf661e5df9018e3433a2ec13c60bf9c6beaaa6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-core-fix-card-races-between-register-and-disconnect.patch alsa-hda-realtek-add-two-more-pin-configuration-sets-to-quirk-table.patch arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch cifs-keep-fileinfo-handle-live-during-oplock-break.patch coredump-fix-race-condition-between-mmget_not_zero-get_task_mm-and-core-dumping.patch crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch iio-ad_sigma_delta-select-channel-when-reading-register.patch iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch iio-core-fix-a-possible-circular-locking-dependency.patch iio-cros_ec-fix-the-maths-for-gyro-scale-calculation.patch iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch iio-fix-scan-mask-selection.patch iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch iio-gyro-mpu3050-fix-chip-id-reading.patch io-accel-kxcjk1013-restore-the-range-after-resume.patch kprobes-fix-error-check-when-reusing-optimized-probes.patch kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch perf-x86-amd-add-event-map-for-amd-family-17h.patch perf-x86-fix-incorrect-pebs_regs.patch revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch revert-svm-fix-avic-incomplete-ipi-emulation.patch rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch scsi-core-set-result-when-the-command-cannot-be-dispatched.patch staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch staging-iio-ad7192-fix-ad7193-channel-address.patch staging-iio-meter-fixed-typo.patch x86-cpu-bugs-use-__initconst-for-const-init-data.patch x86-kprobes-verify-stack-frame-on-kretprobe.patch x86-speculation-prevent-deadlock-on-ssb_state-lock.patch --- diff --git a/queue-4.14/alsa-core-fix-card-races-between-register-and-disconnect.patch b/queue-4.14/alsa-core-fix-card-races-between-register-and-disconnect.patch new file mode 100644 index 00000000000..f777b2be766 --- /dev/null +++ b/queue-4.14/alsa-core-fix-card-races-between-register-and-disconnect.patch @@ -0,0 +1,76 @@ +From 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 Apr 2019 17:06:33 +0200 +Subject: ALSA: core: Fix card races between register and disconnect + +From: Takashi Iwai + +commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream. + +There is a small race window in the card disconnection code that +allows the registration of another card with the very same card id. +This leads to a warning in procfs creation as caught by syzkaller. + +The problem is that we delete snd_cards and snd_cards_lock entries at +the very beginning of the disconnection procedure. This makes the +slot available to be assigned for another card object while the +disconnection procedure is being processed. Then it becomes possible +to issue a procfs registration with the existing file name although we +check the conflict beforehand. + +The fix is simply to move the snd_cards and snd_cards_lock clearances +at the end of the disconnection procedure. The references to these +entries are merely either from the global proc files like +/proc/asound/cards or from the card registration / disconnection, so +it should be fine to shift at the very end. + +Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/init.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -406,14 +406,7 @@ int snd_card_disconnect(struct snd_card + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -429,7 +422,7 @@ int snd_card_disconnect(struct snd_card + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -445,6 +438,13 @@ int snd_card_disconnect(struct snd_card + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif diff --git a/queue-4.14/alsa-hda-realtek-add-two-more-pin-configuration-sets-to-quirk-table.patch b/queue-4.14/alsa-hda-realtek-add-two-more-pin-configuration-sets-to-quirk-table.patch new file mode 100644 index 00000000000..7a3d2e645cb --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-add-two-more-pin-configuration-sets-to-quirk-table.patch @@ -0,0 +1,45 @@ +From b26e36b7ef36a8a3a147b1609b2505f8a4ecf511 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 17 Apr 2019 16:10:32 +0800 +Subject: ALSA: hda/realtek - add two more pin configuration sets to quirk table + +From: Hui Wang + +commit b26e36b7ef36a8a3a147b1609b2505f8a4ecf511 upstream. + +We have two Dell laptops which have the codec 10ec0236 and 10ec0256 +respectively, the headset mic on them can't work, need to apply the +quirk of ALC255_FIXUP_DELL1_MIC_NO_PRESENCE. So adding their pin +configurations in the pin quirk table. + +Cc: +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6743,6 +6743,8 @@ static const struct snd_hda_pin_quirk al + {0x12, 0x90a60140}, + {0x14, 0x90170150}, + {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE, + {0x14, 0x90170110}, + {0x21, 0x02211020}), +@@ -6853,6 +6855,10 @@ static const struct snd_hda_pin_quirk al + {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC256_STANDARD_PINS), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x14, 0x90170110}, ++ {0x1b, 0x01011020}, ++ {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC, + {0x14, 0x90170110}, + {0x1b, 0x90a70130}, diff --git a/queue-4.14/arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch b/queue-4.14/arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch new file mode 100644 index 00000000000..bb94d6fd7e9 --- /dev/null +++ b/queue-4.14/arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch @@ -0,0 +1,52 @@ +From ff8acf929014b7f87315588e0daf8597c8aa9d1c Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Apr 2019 00:21:21 -0700 +Subject: arm64: futex: Restore oldval initialization to work around buggy compilers + +From: Nathan Chancellor + +commit ff8acf929014b7f87315588e0daf8597c8aa9d1c upstream. + +Commit 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with +non-zero result value") removed oldval's zero initialization in +arch_futex_atomic_op_inuser because it is not necessary. Unfortunately, +Android's arm64 GCC 4.9.4 [1] does not agree: + +../kernel/futex.c: In function 'do_futex': +../kernel/futex.c:1658:17: warning: 'oldval' may be used uninitialized +in this function [-Wmaybe-uninitialized] + return oldval == cmparg; + ^ +In file included from ../kernel/futex.c:73:0: +../arch/arm64/include/asm/futex.h:53:6: note: 'oldval' was declared here + int oldval, ret, tmp; + ^ + +GCC fails to follow that when ret is non-zero, futex_atomic_op_inuser +returns right away, avoiding the uninitialized use that it claims. +Restoring the zero initialization works around this issue. + +[1]: https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/ + +Cc: stable@vger.kernel.org +Fixes: 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Nathan Chancellor +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/futex.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -50,7 +50,7 @@ do { \ + static inline int + arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) + { +- int oldval, ret, tmp; ++ int oldval = 0, ret, tmp; + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); + + pagefault_disable(); diff --git a/queue-4.14/cifs-keep-fileinfo-handle-live-during-oplock-break.patch b/queue-4.14/cifs-keep-fileinfo-handle-live-during-oplock-break.patch new file mode 100644 index 00000000000..87bb5052cd8 --- /dev/null +++ b/queue-4.14/cifs-keep-fileinfo-handle-live-during-oplock-break.patch @@ -0,0 +1,179 @@ +From b98749cac4a695f084a5ff076f4510b23e353ecd Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Fri, 29 Mar 2019 10:49:12 +0100 +Subject: CIFS: keep FileInfo handle live during oplock break + +From: Aurelien Aptel + +commit b98749cac4a695f084a5ff076f4510b23e353ecd upstream. + +In the oplock break handler, writing pending changes from pages puts +the FileInfo handle. If the refcount reaches zero it closes the handle +and waits for any oplock break handler to return, thus causing a deadlock. + +To prevent this situation: + +* We add a wait flag to cifsFileInfo_put() to decide whether we should + wait for running/pending oplock break handlers + +* We keep an additionnal reference of the SMB FileInfo handle so that + for the rest of the handler putting the handle won't close it. + - The ref is bumped everytime we queue the handler via the + cifs_queue_oplock_break() helper. + - The ref is decremented at the end of the handler + +This bug was triggered by xfstest 464. + +Also important fix to address the various reports of +oops in smb2_push_mandatory_locks + +Signed-off-by: Aurelien Aptel +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsglob.h | 2 ++ + fs/cifs/file.c | 30 +++++++++++++++++++++++++----- + fs/cifs/misc.c | 25 +++++++++++++++++++++++-- + fs/cifs/smb2misc.c | 6 +++--- + 4 files changed, 53 insertions(+), 10 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1189,6 +1189,7 @@ cifsFileInfo_get_locked(struct cifsFileI + } + + struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); + void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + + #define CIFS_CACHE_READ_FLG 1 +@@ -1693,6 +1694,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock; + #endif /* CONFIG_CIFS_ACL */ + + void cifs_oplock_break(struct work_struct *work); ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile); + + extern const struct slow_work_ops cifs_oplock_break_ops; + extern struct workqueue_struct *cifsiod_wq; +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -358,13 +358,31 @@ cifsFileInfo_get(struct cifsFileInfo *ci + return cifs_file; + } + +-/* +- * Release a reference on the file private data. This may involve closing +- * the filehandle out on the server. Must be called without holding +- * tcon->open_file_lock and cifs_file->file_info_lock. ++/** ++ * cifsFileInfo_put - release a reference of file priv data ++ * ++ * Always potentially wait for oplock handler. See _cifsFileInfo_put(). + */ + void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + { ++ _cifsFileInfo_put(cifs_file, true); ++} ++ ++/** ++ * _cifsFileInfo_put - release a reference of file priv data ++ * ++ * This may involve closing the filehandle @cifs_file out on the ++ * server. Must be called without holding tcon->open_file_lock and ++ * cifs_file->file_info_lock. ++ * ++ * If @wait_for_oplock_handler is true and we are releasing the last ++ * reference, wait for any running oplock break handler of the file ++ * and cancel any pending one. If calling this function from the ++ * oplock break handler, you need to pass false. ++ * ++ */ ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) ++{ + struct inode *inode = d_inode(cifs_file->dentry); + struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink); + struct TCP_Server_Info *server = tcon->ses->server; +@@ -411,7 +429,8 @@ void cifsFileInfo_put(struct cifsFileInf + + spin_unlock(&tcon->open_file_lock); + +- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break); ++ oplock_break_cancelled = wait_oplock_handler ? ++ cancel_work_sync(&cifs_file->oplock_break) : false; + + if (!tcon->need_reconnect && !cifs_file->invalidHandle) { + struct TCP_Server_Info *server = tcon->ses->server; +@@ -4136,6 +4155,7 @@ void cifs_oplock_break(struct work_struc + cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */); + cifs_done_oplock_break(cinode); + } + +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -486,8 +486,7 @@ is_valid_oplock_break(char *buffer, stru + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &pCifsInode->flags); + +- queue_work(cifsoplockd_wq, +- &netfile->oplock_break); ++ cifs_queue_oplock_break(netfile); + netfile->oplock_break_cancelled = false; + + spin_unlock(&tcon->open_file_lock); +@@ -584,6 +583,28 @@ void cifs_put_writer(struct cifsInodeInf + spin_unlock(&cinode->writers_lock); + } + ++/** ++ * cifs_queue_oplock_break - queue the oplock break handler for cfile ++ * ++ * This function is called from the demultiplex thread when it ++ * receives an oplock break for @cfile. ++ * ++ * Assumes the tcon->open_file_lock is held. ++ * Assumes cfile->file_info_lock is NOT held. ++ */ ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile) ++{ ++ /* ++ * Bump the handle refcount now while we hold the ++ * open_file_lock to enforce the validity of it for the oplock ++ * break handler. The matching put is done at the end of the ++ * handler. ++ */ ++ cifsFileInfo_get(cfile); ++ ++ queue_work(cifsoplockd_wq, &cfile->oplock_break); ++} ++ + void cifs_done_oplock_break(struct cifsInodeInfo *cinode) + { + clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -517,7 +517,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc + clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + +- queue_work(cifsoplockd_wq, &cfile->oplock_break); ++ cifs_queue_oplock_break(cfile); + kfree(lw); + return true; + } +@@ -661,8 +661,8 @@ smb2_is_valid_oplock_break(char *buffer, + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + spin_unlock(&cfile->file_info_lock); +- queue_work(cifsoplockd_wq, +- &cfile->oplock_break); ++ ++ cifs_queue_oplock_break(cfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); diff --git a/queue-4.14/coredump-fix-race-condition-between-mmget_not_zero-get_task_mm-and-core-dumping.patch b/queue-4.14/coredump-fix-race-condition-between-mmget_not_zero-get_task_mm-and-core-dumping.patch new file mode 100644 index 00000000000..f7b1cec1646 --- /dev/null +++ b/queue-4.14/coredump-fix-race-condition-between-mmget_not_zero-get_task_mm-and-core-dumping.patch @@ -0,0 +1,215 @@ +From 04f5866e41fb70690e28397487d8bd8eea7d712a Mon Sep 17 00:00:00 2001 +From: Andrea Arcangeli +Date: Thu, 18 Apr 2019 17:50:52 -0700 +Subject: coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping + +From: Andrea Arcangeli + +commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream. + +The core dumping code has always run without holding the mmap_sem for +writing, despite that is the only way to ensure that the entire vma +layout will not change from under it. Only using some signal +serialization on the processes belonging to the mm is not nearly enough. +This was pointed out earlier. For example in Hugh's post from Jul 2017: + + https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils + + "Not strictly relevant here, but a related note: I was very surprised + to discover, only quite recently, how handle_mm_fault() may be called + without down_read(mmap_sem) - when core dumping. That seems a + misguided optimization to me, which would also be nice to correct" + +In particular because the growsdown and growsup can move the +vm_start/vm_end the various loops the core dump does around the vma will +not be consistent if page faults can happen concurrently. + +Pretty much all users calling mmget_not_zero()/get_task_mm() and then +taking the mmap_sem had the potential to introduce unexpected side +effects in the core dumping code. + +Adding mmap_sem for writing around the ->core_dump invocation is a +viable long term fix, but it requires removing all copy user and page +faults and to replace them with get_dump_page() for all binary formats +which is not suitable as a short term fix. + +For the time being this solution manually covers the places that can +confuse the core dump either by altering the vma layout or the vma flags +while it runs. Once ->core_dump runs under mmap_sem for writing the +function mmget_still_valid() can be dropped. + +Allowing mmap_sem protected sections to run in parallel with the +coredump provides some minor parallelism advantage to the swapoff code +(which seems to be safe enough by never mangling any vma field and can +keep doing swapins in parallel to the core dumping) and to some other +corner case. + +In order to facilitate the backporting I added "Fixes: 86039bd3b4e6" +however the side effect of this same race condition in /proc/pid/mem +should be reproducible since before 2.6.12-rc2 so I couldn't add any +other "Fixes:" because there's no hash beyond the git genesis commit. + +Because find_extend_vma() is the only location outside of the process +context that could modify the "mm" structures under mmap_sem for +reading, by adding the mmget_still_valid() check to it, all other cases +that take the mmap_sem for reading don't need the new check after +mmget_not_zero()/get_task_mm(). The expand_stack() in page fault +context also doesn't need the new check, because all tasks under core +dumping are frozen. + +Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com +Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization") +Signed-off-by: Andrea Arcangeli +Reported-by: Jann Horn +Suggested-by: Oleg Nesterov +Acked-by: Peter Xu +Reviewed-by: Mike Rapoport +Reviewed-by: Oleg Nesterov +Reviewed-by: Jann Horn +Acked-by: Jason Gunthorpe +Acked-by: Michal Hocko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/task_mmu.c | 18 ++++++++++++++++++ + fs/userfaultfd.c | 9 +++++++++ + include/linux/sched/mm.h | 21 +++++++++++++++++++++ + mm/mmap.c | 7 ++++++- + 4 files changed, 54 insertions(+), 1 deletion(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1160,6 +1160,24 @@ static ssize_t clear_refs_write(struct f + count = -EINTR; + goto out_mm; + } ++ /* ++ * Avoid to modify vma->vm_flags ++ * without locked ops while the ++ * coredump reads the vm_flags. ++ */ ++ if (!mmget_still_valid(mm)) { ++ /* ++ * Silently return "count" ++ * like if get_task_mm() ++ * failed. FIXME: should this ++ * function have returned ++ * -ESRCH if get_task_mm() ++ * failed like if ++ * get_proc_task() fails? ++ */ ++ up_write(&mm->mmap_sem); ++ goto out_mm; ++ } + for (vma = mm->mmap; vma; vma = vma->vm_next) { + vma->vm_flags &= ~VM_SOFTDIRTY; + vma_set_page_prot(vma); +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -627,6 +627,8 @@ static void userfaultfd_event_wait_compl + + /* the various vma->vm_userfaultfd_ctx still points to it */ + down_write(&mm->mmap_sem); ++ /* no task can run (and in turn coredump) yet */ ++ VM_WARN_ON(!mmget_still_valid(mm)); + for (vma = mm->mmap; vma; vma = vma->vm_next) + if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) { + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; +@@ -867,6 +869,8 @@ static int userfaultfd_release(struct in + * taking the mmap_sem for writing. + */ + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto skip_mm; + prev = NULL; + for (vma = mm->mmap; vma; vma = vma->vm_next) { + cond_resched(); +@@ -889,6 +893,7 @@ static int userfaultfd_release(struct in + vma->vm_flags = new_flags; + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; + } ++skip_mm: + up_write(&mm->mmap_sem); + mmput(mm); + wakeup: +@@ -1327,6 +1332,8 @@ static int userfaultfd_register(struct u + goto out; + + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto out_unlock; + vma = find_vma_prev(mm, start, &prev); + if (!vma) + goto out_unlock; +@@ -1514,6 +1521,8 @@ static int userfaultfd_unregister(struct + goto out; + + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto out_unlock; + vma = find_vma_prev(mm, start, &prev); + if (!vma) + goto out_unlock; +--- a/include/linux/sched/mm.h ++++ b/include/linux/sched/mm.h +@@ -57,6 +57,27 @@ static inline void mmdrop_async(struct m + } + } + ++/* ++ * This has to be called after a get_task_mm()/mmget_not_zero() ++ * followed by taking the mmap_sem for writing before modifying the ++ * vmas or anything the coredump pretends not to change from under it. ++ * ++ * NOTE: find_extend_vma() called from GUP context is the only place ++ * that can modify the "mm" (notably the vm_start/end) under mmap_sem ++ * for reading and outside the context of the process, so it is also ++ * the only case that holds the mmap_sem for reading that must call ++ * this function. Generally if the mmap_sem is hold for reading ++ * there's no need of this check after get_task_mm()/mmget_not_zero(). ++ * ++ * This function can be obsoleted and the check can be removed, after ++ * the coredump code will hold the mmap_sem for writing before ++ * invoking the ->core_dump methods. ++ */ ++static inline bool mmget_still_valid(struct mm_struct *mm) ++{ ++ return likely(!mm->core_state); ++} ++ + /** + * mmget() - Pin the address space associated with a &struct mm_struct. + * @mm: The address space to pin. +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -2448,7 +2449,8 @@ find_extend_vma(struct mm_struct *mm, un + vma = find_vma_prev(mm, addr, &prev); + if (vma && (vma->vm_start <= addr)) + return vma; +- if (!prev || expand_stack(prev, addr)) ++ /* don't alter vm_end if the coredump is running */ ++ if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr)) + return NULL; + if (prev->vm_flags & VM_LOCKED) + populate_vma_page_range(prev, addr, prev->vm_end, NULL); +@@ -2474,6 +2476,9 @@ find_extend_vma(struct mm_struct *mm, un + return vma; + if (!(vma->vm_flags & VM_GROWSDOWN)) + return NULL; ++ /* don't alter vm_start if the coredump is running */ ++ if (!mmget_still_valid(mm)) ++ return NULL; + start = vma->vm_start; + if (expand_stack(vma, addr)) + return NULL; diff --git a/queue-4.14/crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch b/queue-4.14/crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch new file mode 100644 index 00000000000..bc1bee9e46f --- /dev/null +++ b/queue-4.14/crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch @@ -0,0 +1,193 @@ +From 678cce4019d746da6c680c48ba9e6d417803e127 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 31 Mar 2019 13:04:11 -0700 +Subject: crypto: x86/poly1305 - fix overflow during partial reduction + +From: Eric Biggers + +commit 678cce4019d746da6c680c48ba9e6d417803e127 upstream. + +The x86_64 implementation of Poly1305 produces the wrong result on some +inputs because poly1305_4block_avx2() incorrectly assumes that when +partially reducing the accumulator, the bits carried from limb 'd4' to +limb 'h0' fit in a 32-bit integer. This is true for poly1305-generic +which processes only one block at a time. However, it's not true for +the AVX2 implementation, which processes 4 blocks at a time and +therefore can produce intermediate limbs about 4x larger. + +Fix it by making the relevant calculations use 64-bit arithmetic rather +than 32-bit. Note that most of the carries already used 64-bit +arithmetic, but the d4 -> h0 carry was different for some reason. + +To be safe I also made the same change to the corresponding SSE2 code, +though that only operates on 1 or 2 blocks at a time. I don't think +it's really needed for poly1305_block_sse2(), but it doesn't hurt +because it's already x86_64 code. It *might* be needed for +poly1305_2block_sse2(), but overflows aren't easy to reproduce there. + +This bug was originally detected by my patches that improve testmgr to +fuzz algorithms against their generic implementation. But also add a +test vector which reproduces it directly (in the AVX2 case). + +Fixes: b1ccc8f4b631 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64") +Fixes: c70f4abef07a ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64") +Cc: # v4.3+ +Cc: Martin Willi +Cc: Jason A. Donenfeld +Signed-off-by: Eric Biggers +Reviewed-by: Martin Willi +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/poly1305-avx2-x86_64.S | 14 +++++++--- + arch/x86/crypto/poly1305-sse2-x86_64.S | 22 ++++++++++------ + crypto/testmgr.h | 44 ++++++++++++++++++++++++++++++++- + 3 files changed, 67 insertions(+), 13 deletions(-) + +--- a/arch/x86/crypto/poly1305-avx2-x86_64.S ++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S +@@ -323,6 +323,12 @@ ENTRY(poly1305_4block_avx2) + vpaddq t2,t1,t1 + vmovq t1x,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -361,16 +367,16 @@ ENTRY(poly1305_4block_avx2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S ++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S +@@ -253,16 +253,16 @@ ENTRY(poly1305_block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +@@ -520,6 +520,12 @@ ENTRY(poly1305_2block_sse2) + paddq t2,t1 + movq t1,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -558,16 +564,16 @@ ENTRY(poly1305_2block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -4660,7 +4660,49 @@ static const struct hash_testvec poly130 + .psize = 80, + .digest = "\x13\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00", +- }, ++ }, { /* Regression test for overflow in AVX2 implementation */ ++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff", ++ .psize = 300, ++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8" ++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1", ++ } + }; + + /* diff --git a/queue-4.14/iio-ad_sigma_delta-select-channel-when-reading-register.patch b/queue-4.14/iio-ad_sigma_delta-select-channel-when-reading-register.patch new file mode 100644 index 00000000000..000c09d3e87 --- /dev/null +++ b/queue-4.14/iio-ad_sigma_delta-select-channel-when-reading-register.patch @@ -0,0 +1,35 @@ +From fccfb9ce70ed4ea7a145f77b86de62e38178517f Mon Sep 17 00:00:00 2001 +From: Dragos Bogdan +Date: Tue, 19 Mar 2019 12:47:00 +0200 +Subject: iio: ad_sigma_delta: select channel when reading register + +From: Dragos Bogdan + +commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream. + +The desired channel has to be selected in order to correctly fill the +buffer with the corresponding data. +The `ad_sd_write_reg()` already does this, but for the +`ad_sd_read_reg_raw()` this was omitted. + +Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Dragos Bogdan +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad_sigma_delta.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_ + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); diff --git a/queue-4.14/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch b/queue-4.14/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch new file mode 100644 index 00000000000..47ee547dcb2 --- /dev/null +++ b/queue-4.14/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch @@ -0,0 +1,69 @@ +From 09c6bdee51183a575bf7546890c8c137a75a2b44 Mon Sep 17 00:00:00 2001 +From: Georg Ottinger +Date: Wed, 30 Jan 2019 14:42:02 +0100 +Subject: iio: adc: at91: disable adc channel interrupt in timeout case + +From: Georg Ottinger + +commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream. + +Having a brief look at at91_adc_read_raw() it is obvious that in the case +of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is +omitted. If 2 different channels are queried we can end up with a +situation where two interrupts are enabled, but only one interrupt is +cleared in the interrupt handler. Resulting in a interrupt loop and a +system hang. + +Signed-off-by: Georg Ottinger +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -705,23 +705,29 @@ static int at91_adc_read_raw(struct iio_ + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; diff --git a/queue-4.14/iio-core-fix-a-possible-circular-locking-dependency.patch b/queue-4.14/iio-core-fix-a-possible-circular-locking-dependency.patch new file mode 100644 index 00000000000..0cf04179795 --- /dev/null +++ b/queue-4.14/iio-core-fix-a-possible-circular-locking-dependency.patch @@ -0,0 +1,151 @@ +From 7f75591fc5a123929a29636834d1bcb8b5c9fee3 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Mon, 25 Mar 2019 14:01:23 +0100 +Subject: iio: core: fix a possible circular locking dependency + +From: Fabrice Gasnier + +commit 7f75591fc5a123929a29636834d1bcb8b5c9fee3 upstream. + +This fixes a possible circular locking dependency detected warning seen +with: +- CONFIG_PROVE_LOCKING=y +- consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc") + +When using the IIO consumer interface, e.g. iio_channel_get(), the consumer +device will likely call iio_read_channel_raw() or similar that rely on +'info_exist_lock' mutex. + +typically: +... + mutex_lock(&chan->indio_dev->info_exist_lock); + if (chan->indio_dev->info == NULL) { + ret = -ENODEV; + goto err_unlock; + } + ret = do_some_ops() +err_unlock: + mutex_unlock(&chan->indio_dev->info_exist_lock); + return ret; +... + +Same mutex is also hold in iio_device_unregister(). + +The following deadlock warning happens when: +- the consumer device has called an API like iio_read_channel_raw() + at least once. +- the consumer driver is unregistered, removed (unbind from sysfs) + +====================================================== +WARNING: possible circular locking dependency detected +4.19.24 #577 Not tainted +------------------------------------------------------ +sh/372 is trying to acquire lock: +(kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84 + +but task is already holding lock: +(&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&dev->info_exist_lock){+.+.}: + __mutex_lock+0x70/0xa3c + mutex_lock_nested+0x1c/0x24 + iio_read_channel_raw+0x1c/0x60 + iio_read_channel_info+0xa8/0xb0 + dev_attr_show+0x1c/0x48 + sysfs_kf_seq_show+0x84/0xec + seq_read+0x154/0x528 + __vfs_read+0x2c/0x15c + vfs_read+0x8c/0x110 + ksys_read+0x4c/0xac + ret_fast_syscall+0x0/0x28 + 0xbedefb60 + +-> #0 (kn->count#30){++++}: + lock_acquire+0xd8/0x268 + __kernfs_remove+0x288/0x374 + kernfs_remove_by_name_ns+0x3c/0x84 + remove_files+0x34/0x78 + sysfs_remove_group+0x40/0x9c + sysfs_remove_groups+0x24/0x34 + device_remove_attrs+0x38/0x64 + device_del+0x11c/0x360 + cdev_device_del+0x14/0x2c + iio_device_unregister+0x24/0x60 + release_nodes+0x1bc/0x200 + device_release_driver_internal+0x1a0/0x230 + unbind_store+0x80/0x130 + kernfs_fop_write+0x100/0x1e4 + __vfs_write+0x2c/0x160 + vfs_write+0xa4/0x17c + ksys_write+0x4c/0xac + ret_fast_syscall+0x0/0x28 + 0xbe906840 + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&dev->info_exist_lock); + lock(kn->count#30); + lock(&dev->info_exist_lock); + lock(kn->count#30); + + *** DEADLOCK *** +... + +cdev_device_del() can be called without holding the lock. It should be safe +as info_exist_lock prevents kernelspace consumers to use the exported +routines during/after provider removal. cdev_device_del() is for userspace. + +Help to reproduce: +See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt +sysv { + compatible = "voltage-divider"; + io-channels = <&adc 0>; + output-ohms = <22>; + full-ohms = <222>; +}; + +First, go to iio:deviceX for the "voltage-divider", do one read: +$ cd /sys/bus/iio/devices/iio:deviceX +$ cat in_voltage0_raw + +Then, unbind the consumer driver. It triggers above deadlock warning. +$ cd /sys/bus/platform/drivers/iio-rescale/ +$ echo sysv > unbind + +Note I don't actually expect stable will pick this up all the +way back into IIO being in staging, but if's probably valid that +far back. + +Signed-off-by: Fabrice Gasnier +Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1741,10 +1741,10 @@ EXPORT_SYMBOL(iio_device_register); + **/ + void iio_device_unregister(struct iio_dev *indio_dev) + { +- mutex_lock(&indio_dev->info_exist_lock); +- + cdev_device_del(&indio_dev->chrdev, &indio_dev->dev); + ++ mutex_lock(&indio_dev->info_exist_lock); ++ + iio_device_unregister_debugfs(indio_dev); + + iio_disable_all_buffers(indio_dev); diff --git a/queue-4.14/iio-cros_ec-fix-the-maths-for-gyro-scale-calculation.patch b/queue-4.14/iio-cros_ec-fix-the-maths-for-gyro-scale-calculation.patch new file mode 100644 index 00000000000..9f8b8ad63d3 --- /dev/null +++ b/queue-4.14/iio-cros_ec-fix-the-maths-for-gyro-scale-calculation.patch @@ -0,0 +1,59 @@ +From 3d02d7082e5823598090530c3988a35f69689943 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Wed, 13 Mar 2019 12:40:02 +0100 +Subject: iio: cros_ec: Fix the maths for gyro scale calculation + +From: Gwendal Grignou + +commit 3d02d7082e5823598090530c3988a35f69689943 upstream. + +Calculation did not use IIO_DEGREE_TO_RAD and implemented a variant to +avoid precision loss as we aim a nano value. The offset added to avoid +rounding error, though, doesn't give us a close result to the expected +value. E.g. + +For 1000dps, the result should be: + + (1000 * pi ) / 180 >> 15 ~= 0.000532632218 + +But with current calculation we get + + $ cat scale + 0.000547890 + +Fix the calculation by just doing the maths involved for a nano value + + val * pi * 10e12 / (180 * 2^15) + +so we get a closer result. + + $ cat scale + 0.000532632 + +Fixes: c14dca07a31d ("iio: cros_ec_sensors: add ChromeOS EC Contiguous Sensors driver") +Signed-off-by: Gwendal Grignou +Signed-off-by: Enric Balletbo i Serra +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c ++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c +@@ -104,9 +104,10 @@ static int cros_ec_sensors_read(struct i + * Do not use IIO_DEGREE_TO_RAD to avoid precision + * loss. Round to the nearest integer. + */ +- *val = div_s64(val64 * 314159 + 9000000ULL, 1000); +- *val2 = 18000 << (CROS_EC_SENSOR_BITS - 1); +- ret = IIO_VAL_FRACTIONAL; ++ *val = 0; ++ *val2 = div_s64(val64 * 3141592653ULL, ++ 180 << (CROS_EC_SENSOR_BITS - 1)); ++ ret = IIO_VAL_INT_PLUS_NANO; + break; + case MOTIONSENSE_TYPE_MAG: + /* diff --git a/queue-4.14/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch b/queue-4.14/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch new file mode 100644 index 00000000000..921684730a5 --- /dev/null +++ b/queue-4.14/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch @@ -0,0 +1,40 @@ +From 06003531502d06bc89d32528f6ec96bf978790f9 Mon Sep 17 00:00:00 2001 +From: Jean-Francois Dagenais +Date: Wed, 6 Mar 2019 15:56:06 -0500 +Subject: iio: dac: mcp4725: add missing powerdown bits in store eeprom + +From: Jean-Francois Dagenais + +commit 06003531502d06bc89d32528f6ec96bf978790f9 upstream. + +When issuing the write DAC register and write eeprom command, the two +powerdown bits (PD0 and PD1) are assumed by the chip to be present in +the bytes sent. Leaving them at 0 implies "powerdown disabled" which is +a different state that the current one. By adding the current state of +the powerdown in the i2c write, the chip will correctly power-on exactly +like as it is at the moment of store_eeprom call. + +This is documented in MCP4725's datasheet, FIGURE 6-2: "Write Commands +for DAC Input Register and EEPROM" and MCP4726's datasheet, FIGURE 6-3: +"Write All Memory Command". + +Signed-off-by: Jean-Francois Dagenais +Acked-by: Peter Meerwald-Stadler +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/dac/mcp4725.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/dac/mcp4725.c ++++ b/drivers/iio/dac/mcp4725.c +@@ -98,6 +98,7 @@ static ssize_t mcp4725_store_eeprom(stru + + inoutbuf[0] = 0x60; /* write EEPROM */ + inoutbuf[0] |= data->ref_mode << 3; ++ inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0; + inoutbuf[1] = data->dac_value >> 4; + inoutbuf[2] = (data->dac_value & 0xf) << 4; + diff --git a/queue-4.14/iio-fix-scan-mask-selection.patch b/queue-4.14/iio-fix-scan-mask-selection.patch new file mode 100644 index 00000000000..b89d6f6f391 --- /dev/null +++ b/queue-4.14/iio-fix-scan-mask-selection.patch @@ -0,0 +1,43 @@ +From 20ea39ef9f2f911bd01c69519e7d69cfec79fde3 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Wed, 20 Feb 2019 17:11:32 +0200 +Subject: iio: Fix scan mask selection + +From: Lars-Peter Clausen + +commit 20ea39ef9f2f911bd01c69519e7d69cfec79fde3 upstream. + +The trialmask is expected to have all bits set to 0 after allocation. +Currently kmalloc_array() is used which does not zero the memory and so +random bits are set. This results in random channels being enabled when +they shouldn't. Replace kmalloc_array() with kcalloc() which has the same +interface but zeros the memory. + +Note the fix is actually required earlier than the below fixes tag, but +will require a manual backport due to move from kmalloc to kmalloc_array. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes commit 057ac1acdfc4 ("iio: Use kmalloc_array() in iio_scan_mask_set()"). +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -320,9 +320,8 @@ static int iio_scan_mask_set(struct iio_ + const unsigned long *mask; + unsigned long *trialmask; + +- trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), +- sizeof(*trialmask), +- GFP_KERNEL); ++ trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength), ++ sizeof(*trialmask), GFP_KERNEL); + if (trialmask == NULL) + return -ENOMEM; + if (!indio_dev->masklength) { diff --git a/queue-4.14/iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch b/queue-4.14/iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch new file mode 100644 index 00000000000..7aeb5d90eb5 --- /dev/null +++ b/queue-4.14/iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch @@ -0,0 +1,45 @@ +From 40a7198a4a01037003c7ca714f0d048a61e729ac Mon Sep 17 00:00:00 2001 +From: Mike Looijmans +Date: Wed, 13 Feb 2019 08:41:47 +0100 +Subject: iio/gyro/bmg160: Use millidegrees for temperature scale + +From: Mike Looijmans + +commit 40a7198a4a01037003c7ca714f0d048a61e729ac upstream. + +Standard unit for temperature is millidegrees Celcius, whereas this driver +was reporting in degrees. Fix the scale factor in the driver. + +Signed-off-by: Mike Looijmans +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/bmg160_core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -583,11 +583,10 @@ static int bmg160_read_raw(struct iio_de + case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: + return bmg160_get_filter(data, val); + case IIO_CHAN_INFO_SCALE: +- *val = 0; + switch (chan->type) { + case IIO_TEMP: +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 500; ++ return IIO_VAL_INT; + case IIO_ANGL_VEL: + { + int i; +@@ -595,6 +594,7 @@ static int bmg160_read_raw(struct iio_de + for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) { + if (bmg160_scale_table[i].dps_range == + data->dps_range) { ++ *val = 0; + *val2 = bmg160_scale_table[i].scale; + return IIO_VAL_INT_PLUS_MICRO; + } diff --git a/queue-4.14/iio-gyro-mpu3050-fix-chip-id-reading.patch b/queue-4.14/iio-gyro-mpu3050-fix-chip-id-reading.patch new file mode 100644 index 00000000000..389decb3861 --- /dev/null +++ b/queue-4.14/iio-gyro-mpu3050-fix-chip-id-reading.patch @@ -0,0 +1,49 @@ +From 409a51e0a4a5f908763191fae2c29008632eb712 Mon Sep 17 00:00:00 2001 +From: Sergey Larin +Date: Sat, 2 Mar 2019 19:54:55 +0300 +Subject: iio: gyro: mpu3050: fix chip ID reading + +From: Sergey Larin + +commit 409a51e0a4a5f908763191fae2c29008632eb712 upstream. + +According to the datasheet, the last bit of CHIP_ID register controls +I2C bus, and the first one is unused. Handle this correctly. + +Note that there are chips out there that have a value such that +the id check currently fails. + +Signed-off-by: Sergey Larin +Reviewed-by: Linus Walleij +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/mpu3050-core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -29,7 +29,8 @@ + + #include "mpu3050.h" + +-#define MPU3050_CHIP_ID 0x69 ++#define MPU3050_CHIP_ID 0x68 ++#define MPU3050_CHIP_ID_MASK 0x7E + + /* + * Register map: anything suffixed *_H is a big-endian high byte and always +@@ -1178,8 +1179,9 @@ int mpu3050_common_probe(struct device * + goto err_power_down; + } + +- if (val != MPU3050_CHIP_ID) { +- dev_err(dev, "unsupported chip id %02x\n", (u8)val); ++ if ((val & MPU3050_CHIP_ID_MASK) != MPU3050_CHIP_ID) { ++ dev_err(dev, "unsupported chip id %02x\n", ++ (u8)(val & MPU3050_CHIP_ID_MASK)); + ret = -ENODEV; + goto err_power_down; + } diff --git a/queue-4.14/io-accel-kxcjk1013-restore-the-range-after-resume.patch b/queue-4.14/io-accel-kxcjk1013-restore-the-range-after-resume.patch new file mode 100644 index 00000000000..5dfcb6017c5 --- /dev/null +++ b/queue-4.14/io-accel-kxcjk1013-restore-the-range-after-resume.patch @@ -0,0 +1,35 @@ +From fe2d3df639a7940a125a33d6460529b9689c5406 Mon Sep 17 00:00:00 2001 +From: "he, bo" +Date: Wed, 6 Mar 2019 10:32:20 +0800 +Subject: io: accel: kxcjk1013: restore the range after resume. + +From: he, bo + +commit fe2d3df639a7940a125a33d6460529b9689c5406 upstream. + +On some laptops, kxcjk1013 is powered off when system enters S3. We need +restore the range regiter during resume. Otherwise, the sensor doesn't +work properly after S3. + +Signed-off-by: he, bo +Signed-off-by: Chen, Hu +Reviewed-by: Hans de Goede +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/kxcjk-1013.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1340,6 +1340,8 @@ static int kxcjk1013_resume(struct devic + + mutex_lock(&data->mutex); + ret = kxcjk1013_set_mode(data, OPERATION); ++ if (ret == 0) ++ ret = kxcjk1013_set_range(data, data->range); + mutex_unlock(&data->mutex); + + return ret; diff --git a/queue-4.14/kprobes-fix-error-check-when-reusing-optimized-probes.patch b/queue-4.14/kprobes-fix-error-check-when-reusing-optimized-probes.patch new file mode 100644 index 00000000000..24ac768bd04 --- /dev/null +++ b/queue-4.14/kprobes-fix-error-check-when-reusing-optimized-probes.patch @@ -0,0 +1,82 @@ +From 5f843ed415581cfad4ef8fefe31c138a8346ca8a Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Mon, 15 Apr 2019 15:01:25 +0900 +Subject: kprobes: Fix error check when reusing optimized probes + +From: Masami Hiramatsu + +commit 5f843ed415581cfad4ef8fefe31c138a8346ca8a upstream. + +The following commit introduced a bug in one of our error paths: + + 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()") + +it missed to handle the return value of kprobe_optready() as +error-value. In reality, the kprobe_optready() returns a bool +result, so "true" case must be passed instead of 0. + +This causes some errors on kprobe boot-time selftests on ARM: + + [ ] Beginning kprobe tests... + [ ] Probe ARM code + [ ] kprobe + [ ] kretprobe + [ ] ARM instruction simulation + [ ] Check decoding tables + [ ] Run test cases + [ ] FAIL: test_case_handler not run + [ ] FAIL: Test andge r10, r11, r14, asr r7 + [ ] FAIL: Scenario 11 + ... + [ ] FAIL: Scenario 7 + [ ] Total instruction simulation tests=1631, pass=1433 fail=198 + [ ] kprobe tests failed + +This can happen if an optimized probe is unregistered and next +kprobe is registered on same address until the previous probe +is not reclaimed. + +If this happens, a hidden aggregated probe may be kept in memory, +and no new kprobe can probe same address. Also, in that case +register_kprobe() will return "1" instead of minus error value, +which can mislead caller logic. + +Signed-off-by: Masami Hiramatsu +Cc: Anil S Keshavamurthy +Cc: David S . Miller +Cc: Linus Torvalds +Cc: Naveen N . Rao +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org # v5.0+ +Fixes: 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()") +Link: http://lkml.kernel.org/r/155530808559.32517.539898325433642204.stgit@devnote2 +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -703,7 +703,6 @@ static void unoptimize_kprobe(struct kpr + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + BUG_ON(!kprobe_unused(ap)); + /* +@@ -717,9 +716,8 @@ static int reuse_unused_kprobe(struct kp + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; diff --git a/queue-4.14/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch b/queue-4.14/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch new file mode 100644 index 00000000000..08a3d6b4093 --- /dev/null +++ b/queue-4.14/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch @@ -0,0 +1,72 @@ +From fabe38ab6b2bd9418350284c63825f13b8a6abba Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:50:20 +0900 +Subject: kprobes: Mark ftrace mcount handler functions nokprobe + +From: Masami Hiramatsu + +commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream. + +Mark ftrace mcount handler functions nokprobe since +probing on these functions with kretprobe pushes +return address incorrectly on kretprobe shadow stack. + +Reported-by: Francis Deslauriers +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Acked-by: Steven Rostedt (VMware) +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + #include + +@@ -6035,7 +6036,7 @@ void ftrace_reset_array_ops(struct trace + tr->ops->func = ftrace_stub; + } + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -6098,11 +6099,13 @@ static void ftrace_ops_list_func(unsigne + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -6132,6 +6135,7 @@ static void ftrace_ops_assist_func(unsig + preempt_enable_notrace(); + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_assist_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call diff --git a/queue-4.14/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch b/queue-4.14/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch new file mode 100644 index 00000000000..9060cdfac61 --- /dev/null +++ b/queue-4.14/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch @@ -0,0 +1,80 @@ +From 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 2 Apr 2019 08:10:47 -0700 +Subject: KVM: x86: Don't clear EFER during SMM transitions for 32-bit vCPU + +From: Sean Christopherson + +commit 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de upstream. + +Neither AMD nor Intel CPUs have an EFER field in the legacy SMRAM save +state area, i.e. don't save/restore EFER across SMM transitions. KVM +somewhat models this, e.g. doesn't clear EFER on entry to SMM if the +guest doesn't support long mode. But during RSM, KVM unconditionally +clears EFER so that it can get back to pure 32-bit mode in order to +start loading CRs with their actual non-SMM values. + +Clear EFER only when it will be written when loading the non-SMM state +so as to preserve bits that can theoretically be set on 32-bit vCPUs, +e.g. KVM always emulates EFER_SCE. + +And because CR4.PAE is cleared only to play nice with EFER, wrap that +code in the long mode check as well. Note, this may result in a +compiler warning about cr4 being consumed uninitialized. Re-read CR4 +even though it's technically unnecessary, as doing so allows for more +readable code and RSM emulation is not a performance critical path. + +Fixes: 660a5d517aaab ("KVM: x86: save/load state on SMM switch") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2588,15 +2588,13 @@ static int em_rsm(struct x86_emulate_ctx + * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU + * supports long mode. + */ +- cr4 = ctxt->ops->get_cr(ctxt, 4); + if (emulator_has_longmode(ctxt)) { + struct desc_struct cs_desc; + + /* Zero CR4.PCIDE before CR0.PG. */ +- if (cr4 & X86_CR4_PCIDE) { ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PCIDE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); +- cr4 &= ~X86_CR4_PCIDE; +- } + + /* A 32-bit code segment is required to clear EFER.LMA. */ + memset(&cs_desc, 0, sizeof(cs_desc)); +@@ -2610,13 +2608,16 @@ static int em_rsm(struct x86_emulate_ctx + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); + +- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ +- if (cr4 & X86_CR4_PAE) +- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); +- +- /* And finally go back to 32-bit mode. */ +- efer = 0; +- ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ if (emulator_has_longmode(ctxt)) { ++ /* Clear CR4.PAE before clearing EFER.LME. */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PAE) ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ ++ efer = 0; ++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ } + + smbase = ctxt->ops->get_smbase(ctxt); + if (emulator_has_longmode(ctxt)) diff --git a/queue-4.14/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch b/queue-4.14/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch new file mode 100644 index 00000000000..59513b9c015 --- /dev/null +++ b/queue-4.14/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch @@ -0,0 +1,50 @@ +From 99c221796a810055974b54c02e8f53297e48d146 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 3 Apr 2019 16:06:42 +0200 +Subject: KVM: x86: svm: make sure NMI is injected after nmi_singlestep + +From: Vitaly Kuznetsov + +commit 99c221796a810055974b54c02e8f53297e48d146 upstream. + +I noticed that apic test from kvm-unit-tests always hangs on my EPYC 7401P, +the hanging test nmi-after-sti is trying to deliver 30000 NMIs and tracing +shows that we're sometimes able to deliver a few but never all. + +When we're trying to inject an NMI we may fail to do so immediately for +various reasons, however, we still need to inject it so enable_nmi_window() +arms nmi_singlestep mode. #DB occurs as expected, but we're not checking +for pending NMIs before entering the guest and unless there's a different +event to process, the NMI will never get delivered. + +Make KVM_REQ_EVENT request on the vCPU from db_interception() to make sure +pending NMIs are checked and possibly injected. + +Signed-off-by: Vitaly Kuznetsov +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2211,6 +2211,7 @@ static int pf_interception(struct vcpu_s + static int db_interception(struct vcpu_svm *svm) + { + struct kvm_run *kvm_run = svm->vcpu.run; ++ struct kvm_vcpu *vcpu = &svm->vcpu; + + if (!(svm->vcpu.guest_debug & + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) && +@@ -2221,6 +2222,8 @@ static int db_interception(struct vcpu_s + + if (svm->nmi_singlestep) { + disable_nmi_singlestep(svm); ++ /* Make sure we check for pending NMIs upon entry */ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + + if (svm->vcpu.guest_debug & diff --git a/queue-4.14/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch b/queue-4.14/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch new file mode 100644 index 00000000000..d370c5c57a1 --- /dev/null +++ b/queue-4.14/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch @@ -0,0 +1,43 @@ +From 4856bfd230985e43e84c26473c91028ff0a533bd Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 1 Mar 2019 14:48:37 +0100 +Subject: mac80211: do not call driver wake_tx_queue op during reconfig + +From: Felix Fietkau + +commit 4856bfd230985e43e84c26473c91028ff0a533bd upstream. + +There are several scenarios in which mac80211 can call drv_wake_tx_queue +after ieee80211_restart_hw has been called and has not yet completed. +Driver private structs are considered uninitialized until mac80211 has +uploaded the vifs, stations and keys again, so using private tx queue +data during that time is not safe. + +The driver can also not rely on drv_reconfig_complete to figure out when +it is safe to accept drv_wake_tx_queue calls again, because it is only +called after all tx queues are woken again. + +To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig +is set. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/driver-ops.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1164,6 +1164,9 @@ static inline void drv_wake_tx_queue(str + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif); + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + diff --git a/queue-4.14/perf-x86-amd-add-event-map-for-amd-family-17h.patch b/queue-4.14/perf-x86-amd-add-event-map-for-amd-family-17h.patch new file mode 100644 index 00000000000..fe6a322546d --- /dev/null +++ b/queue-4.14/perf-x86-amd-add-event-map-for-amd-family-17h.patch @@ -0,0 +1,103 @@ +From 3fe3331bb285700ab2253dbb07f8e478fcea2f1b Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Thu, 21 Mar 2019 21:15:22 +0000 +Subject: perf/x86/amd: Add event map for AMD Family 17h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kim Phillips + +commit 3fe3331bb285700ab2253dbb07f8e478fcea2f1b upstream. + +Family 17h differs from prior families by: + + - Does not support an L2 cache miss event + - It has re-enumerated PMC counters for: + - L2 cache references + - front & back end stalled cycles + +So we add a new amd_f17h_perfmon_event_map[] so that the generic +perf event names will resolve to the correct h/w events on +family 17h and above processors. + +Reference sections 2.1.13.3.3 (stalls) and 2.1.13.3.6 (L2): + + https://www.amd.com/system/files/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdf + +Signed-off-by: Kim Phillips +Cc: # v4.9+ +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Janakarajan Natarajan +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Martin LiÅ¡ka +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Pu Wen +Cc: Suravee Suthikulpanit +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Fixes: e40ed1542dd7 ("perf/x86: Add perf support for AMD family-17h processors") +[ Improved the formatting a bit. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/amd/core.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -117,22 +117,39 @@ static __initconst const u64 amd_hw_cach + }; + + /* +- * AMD Performance Monitor K7 and later. ++ * AMD Performance Monitor K7 and later, up to and including Family 16h: + */ + static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] = + { +- [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, +- [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, +- [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, +- [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, +- [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, +- [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ +- [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, ++ [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++}; ++ ++/* ++ * AMD Performance Monitor Family 17h and later: ++ */ ++static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] = ++{ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0xff60, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x0287, ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x0187, + }; + + static u64 amd_pmu_event_map(int hw_event) + { ++ if (boot_cpu_data.x86 >= 0x17) ++ return amd_f17h_perfmon_event_map[hw_event]; ++ + return amd_perfmon_event_map[hw_event]; + } + diff --git a/queue-4.14/perf-x86-fix-incorrect-pebs_regs.patch b/queue-4.14/perf-x86-fix-incorrect-pebs_regs.patch new file mode 100644 index 00000000000..8266b6b5a80 --- /dev/null +++ b/queue-4.14/perf-x86-fix-incorrect-pebs_regs.patch @@ -0,0 +1,101 @@ +From 9d5dcc93a6ddfc78124f006ccd3637ce070ef2fc Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 2 Apr 2019 12:44:58 -0700 +Subject: perf/x86: Fix incorrect PEBS_REGS + +From: Kan Liang + +commit 9d5dcc93a6ddfc78124f006ccd3637ce070ef2fc upstream. + +PEBS_REGS used as mask for the supported registers for large PEBS. +However, the mask cannot filter the sample_regs_user/sample_regs_intr +correctly. + +(1ULL << PERF_REG_X86_*) should be used to replace PERF_REG_X86_*, which +is only the index. + +Rename PEBS_REGS to PEBS_GP_REGS, because the mask is only for general +purpose registers. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: jolsa@kernel.org +Fixes: 2fe1bc1f501d ("perf/x86: Enable free running PEBS for REGS_USER/INTR") +Link: https://lkml.kernel.org/r/20190402194509.2832-2-kan.liang@linux.intel.com +[ Renamed it to PEBS_GP_REGS - as 'GPRS' is used elsewhere ;-) ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/core.c | 2 +- + arch/x86/events/perf_event.h | 38 +++++++++++++++++++------------------- + 2 files changed, 20 insertions(+), 20 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3001,7 +3001,7 @@ static unsigned long intel_pmu_free_runn + flags &= ~PERF_SAMPLE_TIME; + if (!event->attr.exclude_kernel) + flags &= ~PERF_SAMPLE_REGS_USER; +- if (event->attr.sample_regs_user & ~PEBS_REGS) ++ if (event->attr.sample_regs_user & ~PEBS_GP_REGS) + flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR); + return flags; + } +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -95,25 +95,25 @@ struct amd_nb { + PERF_SAMPLE_TRANSACTION | PERF_SAMPLE_PHYS_ADDR | \ + PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER) + +-#define PEBS_REGS \ +- (PERF_REG_X86_AX | \ +- PERF_REG_X86_BX | \ +- PERF_REG_X86_CX | \ +- PERF_REG_X86_DX | \ +- PERF_REG_X86_DI | \ +- PERF_REG_X86_SI | \ +- PERF_REG_X86_SP | \ +- PERF_REG_X86_BP | \ +- PERF_REG_X86_IP | \ +- PERF_REG_X86_FLAGS | \ +- PERF_REG_X86_R8 | \ +- PERF_REG_X86_R9 | \ +- PERF_REG_X86_R10 | \ +- PERF_REG_X86_R11 | \ +- PERF_REG_X86_R12 | \ +- PERF_REG_X86_R13 | \ +- PERF_REG_X86_R14 | \ +- PERF_REG_X86_R15) ++#define PEBS_GP_REGS \ ++ ((1ULL << PERF_REG_X86_AX) | \ ++ (1ULL << PERF_REG_X86_BX) | \ ++ (1ULL << PERF_REG_X86_CX) | \ ++ (1ULL << PERF_REG_X86_DX) | \ ++ (1ULL << PERF_REG_X86_DI) | \ ++ (1ULL << PERF_REG_X86_SI) | \ ++ (1ULL << PERF_REG_X86_SP) | \ ++ (1ULL << PERF_REG_X86_BP) | \ ++ (1ULL << PERF_REG_X86_IP) | \ ++ (1ULL << PERF_REG_X86_FLAGS) | \ ++ (1ULL << PERF_REG_X86_R8) | \ ++ (1ULL << PERF_REG_X86_R9) | \ ++ (1ULL << PERF_REG_X86_R10) | \ ++ (1ULL << PERF_REG_X86_R11) | \ ++ (1ULL << PERF_REG_X86_R12) | \ ++ (1ULL << PERF_REG_X86_R13) | \ ++ (1ULL << PERF_REG_X86_R14) | \ ++ (1ULL << PERF_REG_X86_R15)) + + /* + * Per register state. diff --git a/queue-4.14/revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch b/queue-4.14/revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch new file mode 100644 index 00000000000..0627ad84eb3 --- /dev/null +++ b/queue-4.14/revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch @@ -0,0 +1,35 @@ +From 0228034d8e5915b98c33db35a98f5e909e848ae9 Mon Sep 17 00:00:00 2001 +From: Saurav Kashyap +Date: Thu, 18 Apr 2019 03:40:12 -0700 +Subject: Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" + +From: Saurav Kashyap + +commit 0228034d8e5915b98c33db35a98f5e909e848ae9 upstream. + +This patch clears FC_RP_STARTED flag during logoff, because of this +re-login(flogi) didn't happen to the switch. + +This reverts commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65. + +Fixes: 1550ec458e0c ("scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO") +Cc: # v4.18+ +Signed-off-by: Saurav Kashyap +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libfc/fc_rport.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/scsi/libfc/fc_rport.c ++++ b/drivers/scsi/libfc/fc_rport.c +@@ -2164,7 +2164,6 @@ static void fc_rport_recv_logo_req(struc + FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n", + fc_rport_state(rdata)); + +- rdata->flags &= ~FC_RP_STARTED; + fc_rport_enter_delete(rdata, RPORT_EV_STOP); + mutex_unlock(&rdata->rp_mutex); + kref_put(&rdata->kref, fc_rport_destroy); diff --git a/queue-4.14/revert-svm-fix-avic-incomplete-ipi-emulation.patch b/queue-4.14/revert-svm-fix-avic-incomplete-ipi-emulation.patch new file mode 100644 index 00000000000..cdb835d341a --- /dev/null +++ b/queue-4.14/revert-svm-fix-avic-incomplete-ipi-emulation.patch @@ -0,0 +1,71 @@ +From 4a58038b9e420276157785afa0a0bbb4b9bc2265 Mon Sep 17 00:00:00 2001 +From: "Suthikulpanit, Suravee" +Date: Wed, 20 Mar 2019 08:12:28 +0000 +Subject: Revert "svm: Fix AVIC incomplete IPI emulation" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Suthikulpanit, Suravee + +commit 4a58038b9e420276157785afa0a0bbb4b9bc2265 upstream. + +This reverts commit bb218fbcfaaa3b115d4cd7a43c0ca164f3a96e57. + +As Oren Twaig pointed out the old discussion: + + https://patchwork.kernel.org/patch/8292231/ + +that the change coud potentially cause an extra IPI to be sent to +the destination vcpu because the AVIC hardware already set the IRR bit +before the incomplete IPI #VMEXIT with id=1 (target vcpu is not running). +Since writting to ICR and ICR2 will also set the IRR. If something triggers +the destination vcpu to get scheduled before the emulation finishes, then +this could result in an additional IPI. + +Also, the issue mentioned in the commit bb218fbcfaaa was misdiagnosed. + +Cc: Radim Krčmář +Cc: Paolo Bonzini +Reported-by: Oren Twaig +Signed-off-by: Suravee Suthikulpanit +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -4017,14 +4017,25 @@ static int avic_incomplete_ipi_intercept + kvm_lapic_reg_write(apic, APIC_ICR, icrl); + break; + case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: { ++ int i; ++ struct kvm_vcpu *vcpu; ++ struct kvm *kvm = svm->vcpu.kvm; + struct kvm_lapic *apic = svm->vcpu.arch.apic; + + /* +- * Update ICR high and low, then emulate sending IPI, +- * which is handled when writing APIC_ICR. ++ * At this point, we expect that the AVIC HW has already ++ * set the appropriate IRR bits on the valid target ++ * vcpus. So, we just need to kick the appropriate vcpu. + */ +- kvm_lapic_reg_write(apic, APIC_ICR2, icrh); +- kvm_lapic_reg_write(apic, APIC_ICR, icrl); ++ kvm_for_each_vcpu(i, vcpu, kvm) { ++ bool m = kvm_apic_match_dest(vcpu, apic, ++ icrl & KVM_APIC_SHORT_MASK, ++ GET_APIC_DEST_FIELD(icrh), ++ icrl & KVM_APIC_DEST_MASK); ++ ++ if (m && !avic_vcpu_is_running(vcpu)) ++ kvm_vcpu_wake_up(vcpu); ++ } + break; + } + case AVIC_IPI_FAILURE_INVALID_TARGET: diff --git a/queue-4.14/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch b/queue-4.14/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch new file mode 100644 index 00000000000..2fee3099b8d --- /dev/null +++ b/queue-4.14/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch @@ -0,0 +1,99 @@ +From 746ba11f170603bf1eaade817553a6c2e9135bbe Mon Sep 17 00:00:00 2001 +From: Vijayakumar Durai +Date: Wed, 27 Mar 2019 11:03:17 +0100 +Subject: rt2x00: do not increment sequence number while re-transmitting + +From: Vijayakumar Durai + +commit 746ba11f170603bf1eaade817553a6c2e9135bbe upstream. + +Currently rt2x00 devices retransmit the management frames with +incremented sequence number if hardware is assigning the sequence. + +This is HW bug fixed already for non-QOS data frames, but it should +be fixed for management frames except beacon. + +Without fix retransmitted frames have wrong SN: + + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1 + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1 + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1 + +With the fix SN stays correctly the same: + + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C + +Cc: stable@vger.kernel.org +Signed-off-by: Vijayakumar Durai +[sgruszka: simplify code, change comments and changelog] +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00.h | 1 - + drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 10 ---------- + drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 15 +++++++++------ + 3 files changed, 9 insertions(+), 17 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h +@@ -672,7 +672,6 @@ enum rt2x00_state_flags { + CONFIG_CHANNEL_HT40, + CONFIG_POWERSAVING, + CONFIG_HT_DISABLED, +- CONFIG_QOS_DISABLED, + CONFIG_MONITORING, + + /* +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -670,19 +670,9 @@ void rt2x00mac_bss_info_changed(struct i + rt2x00dev->intf_associated--; + + rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated); +- +- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); + } + + /* +- * Check for access point which do not support 802.11e . We have to +- * generate data frames sequence number in S/W for such AP, because +- * of H/W bug. +- */ +- if (changes & BSS_CHANGED_QOS && !bss_conf->qos) +- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); +- +- /* + * When the erp information has changed, we should perform + * additional configuration steps. For all other changes we are done. + */ +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c +@@ -200,15 +200,18 @@ static void rt2x00queue_create_tx_descri + if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) { + /* + * rt2800 has a H/W (or F/W) bug, device incorrectly increase +- * seqno on retransmited data (non-QOS) frames. To workaround +- * the problem let's generate seqno in software if QOS is +- * disabled. ++ * seqno on retransmitted data (non-QOS) and management frames. ++ * To workaround the problem let's generate seqno in software. ++ * Except for beacons which are transmitted periodically by H/W ++ * hence hardware has to assign seqno for them. + */ +- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags)) +- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); +- else ++ if (ieee80211_is_beacon(hdr->frame_control)) { ++ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + /* H/W will generate sequence number */ + return; ++ } ++ ++ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + } + + /* diff --git a/queue-4.14/scsi-core-set-result-when-the-command-cannot-be-dispatched.patch b/queue-4.14/scsi-core-set-result-when-the-command-cannot-be-dispatched.patch new file mode 100644 index 00000000000..17c0797b648 --- /dev/null +++ b/queue-4.14/scsi-core-set-result-when-the-command-cannot-be-dispatched.patch @@ -0,0 +1,45 @@ +From be549d49115422f846b6d96ee8fd7173a5f7ceb0 Mon Sep 17 00:00:00 2001 +From: Jaesoo Lee +Date: Tue, 9 Apr 2019 17:02:22 -0700 +Subject: scsi: core: set result when the command cannot be dispatched + +From: Jaesoo Lee + +commit be549d49115422f846b6d96ee8fd7173a5f7ceb0 upstream. + +When SCSI blk-mq is enabled, there is a bug in handling errors in +scsi_queue_rq. Specifically, the bug is not setting result field of +scsi_request correctly when the dispatch of the command has been +failed. Since the upper layer code including the sg_io ioctl expects to +receive any error status from result field of scsi_request, the error is +silently ignored and this could cause data corruptions for some +applications. + +Fixes: d285203cf647 ("scsi: add support for a blk-mq based I/O path.") +Cc: +Signed-off-by: Jaesoo Lee +Reviewed-by: Hannes Reinecke +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_lib.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -2050,8 +2050,12 @@ out: + blk_mq_delay_run_hw_queue(hctx, SCSI_QUEUE_DELAY); + break; + default: ++ if (unlikely(!scsi_device_online(sdev))) ++ scsi_req(req)->result = DID_NO_CONNECT << 16; ++ else ++ scsi_req(req)->result = DID_ERROR << 16; + /* +- * Make sure to release all allocated ressources when ++ * Make sure to release all allocated resources when + * we hit an error, as we will never see this command + * again. + */ diff --git a/queue-4.14/series b/queue-4.14/series index 90e93a47e86..b09ad3222e6 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -10,6 +10,41 @@ ipv4-recompile-ip-options-in-ipv4_link_failure.patch ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch net-thunderx-raise-xdp-mtu-to-1508.patch net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch +cifs-keep-fileinfo-handle-live-during-oplock-break.patch +kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch +kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch +staging-iio-meter-fixed-typo.patch +staging-iio-ad7192-fix-ad7193-channel-address.patch +iio-gyro-mpu3050-fix-chip-id-reading.patch +iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch +iio-cros_ec-fix-the-maths-for-gyro-scale-calculation.patch +iio-ad_sigma_delta-select-channel-when-reading-register.patch +iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch +iio-fix-scan-mask-selection.patch +iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch +iio-core-fix-a-possible-circular-locking-dependency.patch +io-accel-kxcjk1013-restore-the-range-after-resume.patch +staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch +staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch +staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch +staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch +alsa-hda-realtek-add-two-more-pin-configuration-sets-to-quirk-table.patch +alsa-core-fix-card-races-between-register-and-disconnect.patch +scsi-core-set-result-when-the-command-cannot-be-dispatched.patch +revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch +revert-svm-fix-avic-incomplete-ipi-emulation.patch +coredump-fix-race-condition-between-mmget_not_zero-get_task_mm-and-core-dumping.patch +crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch +arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch +x86-kprobes-verify-stack-frame-on-kretprobe.patch +kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch +kprobes-fix-error-check-when-reusing-optimized-probes.patch +rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch +mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch +perf-x86-amd-add-event-map-for-amd-family-17h.patch +x86-cpu-bugs-use-__initconst-for-const-init-data.patch +perf-x86-fix-incorrect-pebs_regs.patch +x86-speculation-prevent-deadlock-on-ssb_state-lock.patch crypto-crypto4xx-properly-set-iv-after-de-and-encryp.patch mmc-sdhci-fix-data-command-crc-error-handling.patch mmc-sdhci-rename-sdhci_acmd12_err-and-sdhci_int_acmd.patch diff --git a/queue-4.14/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch b/queue-4.14/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000000..9fa13ab4217 --- /dev/null +++ b/queue-4.14/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,44 @@ +From af4b54a2e5ba18259ff9aac445bf546dd60d037e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:43:02 +0100 +Subject: staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf + +From: Ian Abbott + +commit af4b54a2e5ba18259ff9aac445bf546dd60d037e upstream. + +`ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `ni6501_detach()` will be called from the core comedi +module code to clean up. `ni6501_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already beed freed, leading to a +double-free error. Fix it bu removing the call to +`kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying +on `ni6501_detach()` to free the memory. + +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_usb6501.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -472,10 +472,8 @@ static int ni6501_alloc_usb_buffers(stru + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-4.14/staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch b/queue-4.14/staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch new file mode 100644 index 00000000000..9e9ff8290f4 --- /dev/null +++ b/queue-4.14/staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch @@ -0,0 +1,112 @@ +From 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:43:01 +0100 +Subject: staging: comedi: ni_usb6501: Fix use of uninitialized mutex + +From: Ian Abbott + +commit 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c upstream. + +If `ni6501_auto_attach()` returns an error, the core comedi module code +will call `ni6501_detach()` to clean up. If `ni6501_auto_attach()` +successfully allocated the comedi device private data, `ni6501_detach()` +assumes that a `struct mutex mut` contained in the private data has been +initialized and uses it. Unfortunately, there are a couple of places +where `ni6501_auto_attach()` can return an error after allocating the +device private data but before initializing the mutex, so this +assumption is invalid. Fix it by initializing the mutex just after +allocating the private data in `ni6501_auto_attach()` before any other +errors can be retturned. Also move the call to `usb_set_intfdata()` +just to keep the code a bit neater (either position for the call is +fine). + +I believe this was the cause of the following syzbot crash report +: + +usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +usb 1-1: config 0 descriptor?? +usb 1-1: string descriptor 0 read error: -71 +comedi comedi0: Wrong number of endpoints +ni6501 1-1:0.233: driver 'ni6501' failed to auto-configure device. +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 0 PID: 585 Comm: kworker/0:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + assign_lock_key kernel/locking/lockdep.c:786 [inline] + register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 + __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 + lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 + __mutex_lock_common kernel/locking/mutex.c:925 [inline] + __mutex_lock+0xfe/0x12b0 kernel/locking/mutex.c:1072 + ni6501_detach+0x5b/0x110 drivers/staging/comedi/drivers/ni_usb6501.c:567 + comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 + comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 + comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] + comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 + comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] + comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 + comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 + usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 + generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 + usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 + process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 + worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 + kthread+0x313/0x420 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+cf4f2b6c24aff0a3edf6@syzkaller.appspotmail.com +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_usb6501.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -527,6 +527,9 @@ static int ni6501_auto_attach(struct com + if (!devpriv) + return -ENOMEM; + ++ mutex_init(&devpriv->mut); ++ usb_set_intfdata(intf, devpriv); ++ + ret = ni6501_find_endpoints(dev); + if (ret) + return ret; +@@ -535,9 +538,6 @@ static int ni6501_auto_attach(struct com + if (ret) + return ret; + +- mutex_init(&devpriv->mut); +- usb_set_intfdata(intf, devpriv); +- + ret = comedi_alloc_subdevices(dev, 2); + if (ret) + return ret; diff --git a/queue-4.14/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch b/queue-4.14/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000000..5b40f07f1a9 --- /dev/null +++ b/queue-4.14/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,44 @@ +From 663d294b4768bfd89e529e069bffa544a830b5bf Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:52:30 +0100 +Subject: staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf + +From: Ian Abbott + +commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream. + +`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `vmk80xx_detach()` will be called from the core comedi +module code to clean up. `vmk80xx_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already been freed, leading to a +double-free error. Fix it by removing the call to +`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying +on `vmk80xx_detach()` to free the memory. + +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -691,10 +691,8 @@ static int vmk80xx_alloc_usb_buffers(str + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-4.14/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch b/queue-4.14/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch new file mode 100644 index 00000000000..c32f8892492 --- /dev/null +++ b/queue-4.14/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch @@ -0,0 +1,109 @@ +From 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:10:14 +0100 +Subject: staging: comedi: vmk80xx: Fix use of uninitialized semaphore + +From: Ian Abbott + +commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream. + +If `vmk80xx_auto_attach()` returns an error, the core comedi module code +will call `vmk80xx_detach()` to clean up. If `vmk80xx_auto_attach()` +successfully allocated the comedi device private data, +`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained +in the private data has been initialized and uses it. Unfortunately, +there are a couple of places where `vmk80xx_auto_attach()` can return an +error after allocating the device private data but before initializing +the semaphore, so this assumption is invalid. Fix it by initializing +the semaphore just after allocating the private data in +`vmk80xx_auto_attach()` before any other errors can be returned. + +I believe this was the cause of the following syzbot crash report +: + +usb 1-1: config 0 has no interface number 0 +usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d +usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +usb 1-1: config 0 descriptor?? +vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device. +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + assign_lock_key kernel/locking/lockdep.c:786 [inline] + register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 + __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 + lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 + down+0x12/0x80 kernel/locking/semaphore.c:58 + vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829 + comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 + comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 + comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] + comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 + comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] + comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 + comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 + usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 + generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 + usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 + process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 + worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 + kthread+0x313/0x420 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -809,6 +809,8 @@ static int vmk80xx_auto_attach(struct co + + devpriv->model = board->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -817,8 +819,6 @@ static int vmk80xx_auto_attach(struct co + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8055_MODEL) diff --git a/queue-4.14/staging-iio-ad7192-fix-ad7193-channel-address.patch b/queue-4.14/staging-iio-ad7192-fix-ad7193-channel-address.patch new file mode 100644 index 00000000000..049cc4dd324 --- /dev/null +++ b/queue-4.14/staging-iio-ad7192-fix-ad7193-channel-address.patch @@ -0,0 +1,37 @@ +From 7ce0f216221856a17fc4934b39284678a5fef2e9 Mon Sep 17 00:00:00 2001 +From: Mircea Caprioru +Date: Wed, 20 Feb 2019 13:08:20 +0200 +Subject: staging: iio: ad7192: Fix ad7193 channel address + +From: Mircea Caprioru + +commit 7ce0f216221856a17fc4934b39284678a5fef2e9 upstream. + +This patch fixes the differential channels addresses for the ad7193. + +Signed-off-by: Mircea Caprioru +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/ad7192.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/staging/iio/adc/ad7192.c ++++ b/drivers/staging/iio/adc/ad7192.c +@@ -109,10 +109,10 @@ + #define AD7192_CH_AIN3 BIT(6) /* AIN3 - AINCOM */ + #define AD7192_CH_AIN4 BIT(7) /* AIN4 - AINCOM */ + +-#define AD7193_CH_AIN1P_AIN2M 0x000 /* AIN1(+) - AIN2(-) */ +-#define AD7193_CH_AIN3P_AIN4M 0x001 /* AIN3(+) - AIN4(-) */ +-#define AD7193_CH_AIN5P_AIN6M 0x002 /* AIN5(+) - AIN6(-) */ +-#define AD7193_CH_AIN7P_AIN8M 0x004 /* AIN7(+) - AIN8(-) */ ++#define AD7193_CH_AIN1P_AIN2M 0x001 /* AIN1(+) - AIN2(-) */ ++#define AD7193_CH_AIN3P_AIN4M 0x002 /* AIN3(+) - AIN4(-) */ ++#define AD7193_CH_AIN5P_AIN6M 0x004 /* AIN5(+) - AIN6(-) */ ++#define AD7193_CH_AIN7P_AIN8M 0x008 /* AIN7(+) - AIN8(-) */ + #define AD7193_CH_TEMP 0x100 /* Temp senseor */ + #define AD7193_CH_AIN2P_AIN2M 0x200 /* AIN2(+) - AIN2(-) */ + #define AD7193_CH_AIN1 0x401 /* AIN1 - AINCOM */ diff --git a/queue-4.14/staging-iio-meter-fixed-typo.patch b/queue-4.14/staging-iio-meter-fixed-typo.patch new file mode 100644 index 00000000000..1534c619f70 --- /dev/null +++ b/queue-4.14/staging-iio-meter-fixed-typo.patch @@ -0,0 +1,33 @@ +From 0a8a29be499cbb67df79370aaf5109085509feb8 Mon Sep 17 00:00:00 2001 +From: Leonard Pollak +Date: Wed, 13 Feb 2019 11:19:52 +0100 +Subject: Staging: iio: meter: fixed typo + +From: Leonard Pollak + +commit 0a8a29be499cbb67df79370aaf5109085509feb8 upstream. + +This patch fixes an obvious typo, which will cause erroneously returning the Peak +Voltage instead of the Peak Current. + +Signed-off-by: Leonard Pollak +Cc: +Acked-by: Michael Hennerich +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/meter/ade7854.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/meter/ade7854.c ++++ b/drivers/staging/iio/meter/ade7854.c +@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(0644, + static IIO_DEV_ATTR_IPEAK(0644, + ade7854_read_32bit, + ade7854_write_32bit, +- ADE7854_VPEAK); ++ ADE7854_IPEAK); + static IIO_DEV_ATTR_APHCAL(0644, + ade7854_read_16bit, + ade7854_write_16bit, diff --git a/queue-4.14/x86-cpu-bugs-use-__initconst-for-const-init-data.patch b/queue-4.14/x86-cpu-bugs-use-__initconst-for-const-init-data.patch new file mode 100644 index 00000000000..4b29f143c44 --- /dev/null +++ b/queue-4.14/x86-cpu-bugs-use-__initconst-for-const-init-data.patch @@ -0,0 +1,54 @@ +From 1de7edbb59c8f1b46071f66c5c97b8a59569eb51 Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Fri, 29 Mar 2019 17:47:43 -0700 +Subject: x86/cpu/bugs: Use __initconst for 'const' init data + +From: Andi Kleen + +commit 1de7edbb59c8f1b46071f66c5c97b8a59569eb51 upstream. + +Some of the recently added const tables use __initdata which causes section +attribute conflicts. + +Use __initconst instead. + +Fixes: fa1202ef2243 ("x86/speculation: Add command line control") +Signed-off-by: Andi Kleen +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190330004743.29541-9-andi@firstfloor.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/bugs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -271,7 +271,7 @@ static const struct { + const char *option; + enum spectre_v2_user_cmd cmd; + bool secure; +-} v2_user_options[] __initdata = { ++} v2_user_options[] __initconst = { + { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, + { "off", SPECTRE_V2_USER_CMD_NONE, false }, + { "on", SPECTRE_V2_USER_CMD_FORCE, true }, +@@ -406,7 +406,7 @@ static const struct { + const char *option; + enum spectre_v2_mitigation_cmd cmd; + bool secure; +-} mitigation_options[] __initdata = { ++} mitigation_options[] __initconst = { + { "off", SPECTRE_V2_CMD_NONE, false }, + { "on", SPECTRE_V2_CMD_FORCE, true }, + { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, +@@ -642,7 +642,7 @@ static const char * const ssb_strings[] + static const struct { + const char *option; + enum ssb_mitigation_cmd cmd; +-} ssb_mitigation_options[] __initdata = { ++} ssb_mitigation_options[] __initconst = { + { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ + { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ + { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ diff --git a/queue-4.14/x86-kprobes-verify-stack-frame-on-kretprobe.patch b/queue-4.14/x86-kprobes-verify-stack-frame-on-kretprobe.patch new file mode 100644 index 00000000000..a35f4ec73b6 --- /dev/null +++ b/queue-4.14/x86-kprobes-verify-stack-frame-on-kretprobe.patch @@ -0,0 +1,112 @@ +From 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:49:52 +0900 +Subject: x86/kprobes: Verify stack frame on kretprobe + +From: Masami Hiramatsu + +commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream. + +Verify the stack frame pointer on kretprobe trampoline handler, +If the stack frame pointer does not match, it skips the wrong +entry and tries to find correct one. + +This can happen if user puts the kretprobe on the function +which can be used in the path of ftrace user-function call. +Such functions should not be probed, so this adds a warning +message that reports which function should be blacklisted. + +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++ + include/linux/kprobes.h | 1 + + 2 files changed, 27 insertions(+) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -553,6 +553,7 @@ void arch_prepare_kretprobe(struct kretp + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -754,15 +755,21 @@ __visible __used void *trampoline_handle + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -784,8 +791,25 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -803,6 +827,8 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -198,6 +198,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; + diff --git a/queue-4.14/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch b/queue-4.14/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch new file mode 100644 index 00000000000..631db2349d0 --- /dev/null +++ b/queue-4.14/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch @@ -0,0 +1,68 @@ +From 2f5fb19341883bb6e37da351bc3700489d8506a7 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sun, 14 Apr 2019 19:51:06 +0200 +Subject: x86/speculation: Prevent deadlock on ssb_state::lock + +From: Thomas Gleixner + +commit 2f5fb19341883bb6e37da351bc3700489d8506a7 upstream. + +Mikhail reported a lockdep splat related to the AMD specific ssb_state +lock: + + CPU0 CPU1 + lock(&st->lock); + local_irq_disable(); + lock(&(&sighand->siglock)->rlock); + lock(&st->lock); + + lock(&(&sighand->siglock)->rlock); + + *** DEADLOCK *** + +The connection between sighand->siglock and st->lock comes through seccomp, +which takes st->lock while holding sighand->siglock. + +Make sure interrupts are disabled when __speculation_ctrl_update() is +invoked via prctl() -> speculation_ctrl_update(). Add a lockdep assert to +catch future offenders. + +Fixes: 1f50ddb4f418 ("x86/speculation: Handle HT correctly on AMD") +Reported-by: Mikhail Gavrilov +Signed-off-by: Thomas Gleixner +Tested-by: Mikhail Gavrilov +Cc: Thomas Lendacky +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1904141948200.4917@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/process.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -414,6 +414,8 @@ static __always_inline void __speculatio + u64 msr = x86_spec_ctrl_base; + bool updmsr = false; + ++ lockdep_assert_irqs_disabled(); ++ + /* + * If TIF_SSBD is different, select the proper mitigation + * method. Note that if SSBD mitigation is disabled or permanentely +@@ -465,10 +467,12 @@ static unsigned long speculation_ctrl_up + + void speculation_ctrl_update(unsigned long tif) + { ++ unsigned long flags; ++ + /* Forced update. Make sure all relevant TIF flags are different */ +- preempt_disable(); ++ local_irq_save(flags); + __speculation_ctrl_update(~tif, tif); +- preempt_enable(); ++ local_irq_restore(flags); + } + + /* Called from seccomp/prctl update */