Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.14.134 2019-07-21T07:04:43+00:00 2019-07-21T07:04:43+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2019-07-21T07:04:43+00:00 urn:sha1:ff33472c282e209da54cbc0c7c1c06ddfcc93d33 2019-07-21T07:04:43+00:00 Dave Airlie airlied@redhat.com 2019-07-15T19:36:18+00:00 urn:sha1:a5fb6a7e126484e364786ee1ee41efa689915d96 commit 6ecac85eadb9d4065b9038fa3d3c66d49038e14b upstream. This should help with some of the lifetime issues, and move us away from load/unload. [rez] Regarding the backport to v4.14.y, the only difference is due to the fact that in v4.14.y the udl_usb_probe() function still uses drm_dev_unref() instead of drm_dev_put(). Backport notes: On Mon, Jul 15, 2019 at 09:13:08PM -0400, Sasha Levin wrote: > Hm, we don't need ac3b35f11a06 here? Why not? I'd love to document that > with the backport. Nope, we don't need that patch in the v4.14 backport. In v4.19.y we have two functions, drm_dev_put() and drm_dev_unref(), which are aliases for one another (drm_dev_unref() just calls drm_dev_put()). drm_dev_unref() is the older of the two, and was introduced back in v4.0. drm_dev_put() was introduced in v4.15 with 9a96f55034e41 drm: introduce drm_dev_{get/put} functions and slowly callers were moved from the old name (_unref) to the new name (_put). The patch you mentioned, ac3b35f11a06, is one such patch where we are replacing a drm_dev_unref() call with a drm_dev_put() call. This doesn't have a functional change, but was necessary so that the third patch in the v4.19.y series I sent would apply cleanly. For the v4.14.y series, though, the drm_dev_put() function hasn't yet been defined and everyone is still using drm_dev_unref(). So, we don't need a backport of ac3b35f11a06, and I also had a small backport change in the last patch of the v4.14.y series where I had to change a drm_dev_put() call with a drm_dev_unref() call. Just for posterity, the drm_dev_unref() calls were eventually all changed to drm_dev_put() in v5.0, and drm_dev_unref() was removed entirely. That happened with the following two patches: 808bad32ea423 drm: replace "drm_dev_unref" function with "drm_dev_put" ba1d345401476 drm: remove deprecated "drm_dev_unref" function Acked-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190405031715.5959-4-airlied@gmail.com Signed-off-by: Ross Zwisler <zwisler@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-07-21T07:04:43+00:00 Dave Airlie airlied@redhat.com 2019-07-15T19:36:17+00:00 urn:sha1:24cb483b557a141d7bcab2a411809308d37ceaed commit fd96e0dba19c53c2d66f2a398716bb74df8ca85e upstream. This just makes it easier to later embed drm into udl. [rez] Regarding the backport to v4.14.y, the only difference is due to the fact that in v4.14.y the udl_gem_mmap() function doesn't have a local 'struct udl_device' pointer so it didn't need to be converted. Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190405031715.5959-3-airlied@gmail.com Signed-off-by: Ross Zwisler <zwisler@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-07-21T07:04:42+00:00 Haren Myneni haren@linux.vnet.ibm.com 2019-06-18T19:09:22+00:00 urn:sha1:772cabe226268eb2e748e661cb6a0ba9d8ab6d22 commit e52d484d9869eb291140545746ccbe5ffc7c9306 upstream. System gets checkstop if RxFIFO overruns with more requests than the maximum possible number of CRBs in FIFO at the same time. The max number of requests per window is controlled by window credits. So find max CRBs from FIFO size and set it to receive window credits. Fixes: b0d6c9bab5e4 ("crypto/nx: Add P9 NX support for 842 compression engine") CC: stable@vger.kernel.org # v4.14+ Signed-off-by:Haren Myneni <haren@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2019-07-21T07:04:42+00:00 Julian Wiedmann jwi@linux.ibm.com 2019-06-18T11:12:20+00:00 urn:sha1:9583ec77c920639ca220b6091a3e20555890c01d commit ac6639cd3db607d386616487902b4cc1850a7be5 upstream. Current code sets the dsci to 0x00000080. Which doesn't make any sense, as the indicator area is located in the _left-most_ byte. Worse: if the dsci is the _shared_ indicator, this potentially clears the indication of activity for a _different_ device. tiqdio_thinint_handler() will then have no reason to call that device's IRQ handler, and the device ends up stalling. Fixes: d0c9d4a89fff ("[S390] qdio: set correct bit in dsci") Cc: <stable@vger.kernel.org> Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-21T07:04:42+00:00 Julian Wiedmann jwi@linux.ibm.com 2019-06-18T09:25:59+00:00 urn:sha1:a25b1a8fb197b25a59406d0ef6845b902b6fc222 commit e54e4785cb5cb4896cf4285964aeef2125612fb2 upstream. When tiqdio_remove_input_queues() removes a queue from the tiq_list as part of qdio_shutdown(), it doesn't re-initialize the queue's list entry and the prev/next pointers go stale. If a subsequent qdio_establish() fails while sending the ESTABLISH cmd, it calls qdio_shutdown() again in QDIO_IRQ_STATE_ERR state and tiqdio_remove_input_queues() will attempt to remove the queue entry a second time. This dereferences the stale pointers, and bad things ensue. Fix this by re-initializing the list entry after removing it from the list. For good practice also initialize the list entry when the queue is first allocated, and remove the quirky checks that papered over this omission. Note that prior to commit e521813468f7 ("s390/qdio: fix access to uninitialized qdio_q fields"), these checks were bogus anyway. setup_queues_misc() clears the whole queue struct, and thus needs to re-init the prev/next pointers as well. Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") Cc: <stable@vger.kernel.org> Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-21T07:04:41+00:00 Heiko Carstens heiko.carstens@de.ibm.com 2019-06-17T12:02:41+00:00 urn:sha1:6f477767c52fd3aade15cd61e8543e625e49ed7e commit 4f18d869ffd056c7858f3d617c71345cf19be008 upstream. The stfle inline assembly returns the number of double words written (condition code 0) or the double words it would have written (condition code 3), if the memory array it got as parameter would have been large enough. The current stfle implementation assumes that the array is always large enough and clears those parts of the array that have not been written to with a subsequent memset call. If however the array is not large enough memset will get a negative length parameter, which means that memset clears memory until it gets an exception and the kernel crashes. To fix this simply limit the maximum length. Move also the inline assembly to an extra function to avoid clobbering of register 0, which might happen because of the added min_t invocation together with code instrumentation. The bug was introduced with commit 14375bc4eb8d ("[S390] cleanup facility list handling") but was rather harmless, since it would only write to a rather large array. It became a potential problem with commit 3ab121ab1866 ("[S390] kernel: Add z/VM LGR detection"). Since then it writes to an array with only four double words, while some machines already deliver three double words. As soon as machines have a facility bit within the fifth double a crash on IPL would happen. Fixes: 14375bc4eb8d ("[S390] cleanup facility list handling") Cc: <stable@vger.kernel.org> # v2.6.37+ Reviewed-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-21T07:04:41+00:00 Arnd Bergmann arnd@arndb.de 2019-07-03T13:39:25+00:00 urn:sha1:7498108f2b6293c266e829074d5084fac33153a9 commit fd5de2721ea7d16e2b16c4049ac49f229551b290 upstream. As kernelci.org reports, this function is not used in vdk_hs38_defconfig: arch/arc/kernel/unwind.c:188:14: warning: 'unw_hdr_alloc' defined but not used [-Wunused-function] Fixes: bc79c9a72165 ("ARC: dw2 unwind: Reinstante unwinding out of modules") Link: https://kernelci.org/build/id/5d1cae3f59b514300340c132/logs/ Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-21T07:04:41+00:00 Vinod Koul vkoul@kernel.org 2019-06-28T19:07:21+00:00 urn:sha1:6ad56d51446f9dca44a9868f16a3c5ef0fb36e2d [ Upstream commit 8f9fab480c7a87b10bb5440b5555f370272a5d59 ] DIV_ROUND_UP_ULL adds the two arguments and then invokes DIV_ROUND_DOWN_ULL. But on a 32bit system the addition of two 32 bit values can overflow. DIV_ROUND_DOWN_ULL does it correctly and stashes the addition into a unsigned long long so cast the result to unsigned long long here to avoid the overflow condition. [akpm@linux-foundation.org: DIV_ROUND_UP_ULL must be an rval] Link: http://lkml.kernel.org/r/20190625100518.30753-1-vkoul@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Bjorn Andersson <bjorn.andersson@linaro.org> Cc: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-07-21T07:04:40+00:00 Eiichi Tsukata devel@etsukata.com 2019-06-27T02:47:32+00:00 urn:sha1:8f5e923556d11ee183ca5c4f332afd3b3a5b35bd [ Upstream commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde ] Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail can control `struct cpuhp_step *sp` address, results in the following global-out-of-bounds read. Reproducer: # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail KASAN report: BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0 Read of size 8 at addr ffffffff89734438 by task bash/1941 CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31 Call Trace: write_cpuhp_fail+0x2cd/0x2e0 dev_attr_store+0x58/0x80 sysfs_kf_write+0x13d/0x1a0 kernfs_fop_write+0x2bc/0x460 vfs_write+0x1e1/0x560 ksys_write+0x126/0x250 do_syscall_64+0xc1/0x390 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f05e4f4c970 The buggy address belongs to the variable: cpu_hotplug_lock+0x98/0xa0 Memory state around the buggy address: ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa ^ ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Add a sanity check for the value written from user space. Fixes: 1db49484f21ed ("smp/hotplug: Hotplug state fail injection") Signed-off-by: Eiichi Tsukata <devel@etsukata.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: peterz@infradead.org Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com Signed-off-by: Sasha Levin <sashal@kernel.org>