Commit graph

606655 commits

Author SHA1 Message Date
Rajasekaran Kalidoss
c94369b4c1 cnss2: print firmware cap info in stats
Show firmware capability information, i.e. Chip ID,
Chip family, SOC Info, Board id, Firmware Version,
and Firmware Build Timestamp in /d/cnss/stats.

Change-Id: I1d2f2e4a88960e690aabe610182d33cf8035f6c1
Signed-off-by: Rajasekaran Kalidoss <rkalidos@codeaurora.org>
2019-06-24 00:47:44 -07:00
Linux Build Service Account
335e20ca95 Merge "soc: qcom: glink_spi_xprt: Sanitize input for short cmd" 2019-06-21 16:30:48 -07:00
Linux Build Service Account
abc2a59bfd Merge "soc: qcom: hab: add error handling when dt item is missing" 2019-06-21 08:40:23 -07:00
Daniel Colascione
9998d2e52d mm: add /proc/pid/smaps_rollup
/proc/pid/smaps_rollup is a new proc file that improves the performance
of user programs that determine aggregate memory statistics (e.g., total
PSS) of a process.

Android regularly "samples" the memory usage of various processes in
order to balance its memory pool sizes.  This sampling process involves
opening /proc/pid/smaps and summing certain fields.  For very large
processes, sampling memory use this way can take several hundred
milliseconds, due mostly to the overhead of the seq_printf calls in
task_mmu.c.

smaps_rollup improves the situation.  It contains most of the fields of
/proc/pid/smaps, but instead of a set of fields for each VMA,
smaps_rollup instead contains one synthetic smaps-format entry
representing the whole process.  In the single smaps_rollup synthetic
entry, each field is the summation of the corresponding field in all of
the real-smaps VMAs.  Using a common format for smaps_rollup and smaps
allows userspace parsers to repurpose parsers meant for use with
non-rollup smaps for smaps_rollup, and it allows userspace to switch
between smaps_rollup and smaps at runtime (say, based on the
availability of smaps_rollup in a given kernel) with minimal fuss.

By using smaps_rollup instead of smaps, a caller can avoid the
significant overhead of formatting, reading, and parsing each of a large
process's potentially very numerous memory mappings.  For sampling
system_server's PSS in Android, we measured a 12x speedup, representing
a savings of several hundred milliseconds.

One alternative to a new per-process proc file would have been including
PSS information in /proc/pid/status.  We considered this option but
thought that PSS would be too expensive (by a few orders of magnitude)
to collect relative to what's already emitted as part of
/proc/pid/status, and slowing every user of /proc/pid/status for the
sake of readers that happen to want PSS feels wrong.

The code itself works by reusing the existing VMA-walking framework we
use for regular smaps generation and keeping the mem_size_stats
structure around between VMA walks instead of using a fresh one for each
VMA.  In this way, summation happens automatically.  We let seq_file
walk over the VMAs just as it does for regular smaps and just emit
nothing to the seq_file until we hit the last VMA.

Benchmarks:

    using smaps:
    iterations:1000 pid:1163 pss:220023808
    0m29.46s real 0m08.28s user 0m20.98s system

    using smaps_rollup:
    iterations:1000 pid:1163 pss:220702720
    0m04.39s real 0m00.03s user 0m04.31s system

We're using the PSS samples we collect asynchronously for
system-management tasks like fine-tuning oom_adj_score, memory use
tracking for debugging, application-level memory-use attribution, and
deciding whether we want to kill large processes during system idle
maintenance windows.  Android has been using PSS for these purposes for
a long time; as the average process VMA count has increased and
devices become more efficiency-conscious, PSS-collection inefficiency
has started to matter more.  IMHO, it'd be a lot safer to optimize the
existing PSS-collection model, which has been fine-tuned over the years,
instead of changing the memory tracking approach entirely to work around
smaps-generation inefficiency.

Tim said:

: There are two main reasons why Android gathers PSS information:
:
: 1. Android devices can show the user the amount of memory used per
:    application via the settings app.  This is a less important use case.
:
: 2. We log PSS to help identify leaks in applications.  We have found
:    an enormous number of bugs (in the Android platform, in Google's own
:    apps, and in third-party applications) using this data.
:
: To do this, system_server (the main process in Android userspace) will
: sample the PSS of a process three seconds after it changes state (for
: example, app is launched and becomes the foreground application) and about
: every ten minutes after that.  The net result is that PSS collection is
: regularly running on at least one process in the system (usually a few
: times a minute while the screen is on, less when screen is off due to
: suspend).  PSS of a process is an incredibly useful stat to track, and we
: aren't going to get rid of it.  We've looked at some very hacky approaches
: using RSS ("take the RSS of the target process, subtract the RSS of the
: zygote process that is the parent of all Android apps") to reduce the
: accounting time, but it regularly overestimated the memory used by 20+
: percent.  Accordingly, I don't think that there's a good alternative to
: using PSS.
:
: We started looking into PSS collection performance after we noticed random
: frequency spikes while a phone's screen was off; occasionally, one of the
: CPU clusters would ramp to a high frequency because there was 200-300ms of
: constant CPU work from a single thread in the main Android userspace
: process.  The work causing the spike (which is reasonable governor
: behavior given the amount of CPU time needed) was always PSS collection.
: As a result, Android is burning more power than we should be on PSS
: collection.
:
: The other issue (and why I'm less sure about improving smaps as a
: long-term solution) is that the number of VMAs per process has increased
: significantly from release to release.  After trying to figure out why we
: were seeing these 200-300ms PSS collection times on Android O but had not
: noticed it in previous versions, we found that the number of VMAs in the
: main system process increased by 50% from Android N to Android O (from
: ~1800 to ~2700) and varying increases in every userspace process.  Android
: M to N also had an increase in the number of VMAs, although not as much.
: I'm not sure why this is increasing so much over time, but thinking about
: ASLR and ways to make ASLR better, I expect that this will continue to
: increase going forward.  I would not be surprised if we hit 5000 VMAs on
: the main Android process (system_server) by 2020.
:
: If we assume that the number of VMAs is going to increase over time, then
: doing anything we can do to reduce the overhead of each VMA during PSS
: collection seems like the right way to go, and that means outputting an
: aggregate statistic (to avoid whatever overhead there is per line in
: writing smaps and in reading each line from userspace).

Link: http://lkml.kernel.org/r/20170812022148.178293-1-dancol@google.com
Signed-off-by: Daniel Colascione <dancol@google.com>
Cc: Tim Murray <timmurray@google.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Sonny Rao <sonnyrao@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Change-Id: Id86ab841e6ad1a50b372e8d6e8fa4ecc148ffd44
Git-commit: 493b0e9d945fa9dfe96be93ae41b4ca4b6fdb317
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[spathi@codeaurora.org: resolved conflicts in task_mmu.c file]
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-06-20 21:56:35 -07:00
Linux Build Service Account
a216516368 Merge "msm: ais: sensor: actuator: fix out of bound read for bivcm region params" 2019-06-20 05:00:41 -07:00
Jiacheng Zheng
7ec9476039 soc: qcom: hab: add error handling when dt item is missing
If certain testgipc node under aliases in device tree is
missing, ep_path remains NULL and it will cause NULL
dereference problem later in the code. We need to go to
error handler and deinitialize everything under this
condition.

Change-Id: I98a27acfb2e8af9687114d610304a31a1ac9c3ca
Signed-off-by: Jiacheng Zheng <jiaczhen@codeaurora.org>
2019-06-20 18:15:25 +08:00
E V Ravi
7967865bb4 msm: ais: sensor: actuator: fix out of bound read for bivcm region params
Issue:
The region index for bivcm is not validated against the region size.
This causes an out-of-bound read on the KASAN kernel.
Fix:
Add restriction that region index is smaller than region size.
CRs-Fixed: 2379514

Change-Id: Iff77993000fc89513be90d9de174728fed3b50a7
Signed-off-by: E V Ravi <evenka@codeaurora.org>
2019-06-19 20:59:02 -07:00
Linux Build Service Account
14f9c77766 Merge "Merge android-4.4.182 (9c4ab57) into msm-4.4" 2019-06-19 17:24:59 -07:00
Xianbin Zhu
291c54b284 i2c: virtio: reallocate memory for each msg buffer
We'd better reallocate memory for each msg buffer to avoid
the memory in stack space being transferred to the backend for
the driver of i2c virtualization.

Change-Id: I6daa58cf819d4f612ae246b5a685898e28fbeb54
Signed-off-by: Xianbin Zhu <xianzhu@codeaurora.org>
2019-06-19 14:22:56 +08:00
Gerrit - the friendly Code Review server
ca64572d54 Merge changes into msm-4.4 2019-06-18 08:47:08 -07:00
Srinivasarao P
a32f2cd759 Merge android-4.4.182 (9c4ab57) into msm-4.4
* refs/heads/tmp-9c4ab57
  Linux 4.4.182
  tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
  tcp: add tcp_min_snd_mss sysctl
  tcp: tcp_fragment() should apply sane memory limits
  tcp: limit payload size of sacked skbs
  UPSTREAM: binder: check for overflow when alloc for security context
  BACKPORT: binder: fix race between munmap() and direct reclaim

Change-Id: I4cfb9eb282f54f083631fec4c8161eed42e8ab54
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-06-18 12:42:28 +05:30
Linux Build Service Account
2ae4cde579 Merge "i2c: refine the driver of i2c virtualization" 2019-06-17 23:51:36 -07:00
Greg Kroah-Hartman
9c4ab57299 This is the 4.4.182 stable release

Merge 4.4.182 into android-4.4

Changes in 4.4.182
	tcp: limit payload size of sacked skbs
	tcp: tcp_fragment() should apply sane memory limits
	tcp: add tcp_min_snd_mss sysctl
	tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
	Linux 4.4.182

Change-Id: I2698fa2ad3884a20d936e6bee638304f52df19bd
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-06-17 20:28:36 +02:00
Greg Kroah-Hartman
33790f2eda Linux 4.4.182 2019-06-17 19:54:23 +02:00
Eric Dumazet
f938ae0ce5 tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
commit 967c05aee439e6e5d7d805e195b3a20ef5c433d6 upstream.

If mtu probing is enabled tcp_mtu_probing() could very well end up
with a too small MSS.

Use the new sysctl tcp_min_snd_mss to make sure MSS search
is performed in an acceptable range.

CVE-2019-11479 -- tcp mss hardcoded to 48

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-17 19:54:22 +02:00
Eric Dumazet
e757d052f3 tcp: add tcp_min_snd_mss sysctl
commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream.

Some TCP peers announce a very small MSS option in their SYN and/or
SYN/ACK messages.

This forces the stack to send packets with a very high network/cpu
overhead.

Linux has enforced a minimal value of 48. Since this value includes
the size of TCP options, and that the options can consume up to 40
bytes, this means that each segment can include only 8 bytes of payload.

In some cases, it can be useful to increase the minimal value
to a saner value.

We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
reasons.

Note that TCP_MAXSEG socket option enforces a minimal value
of (TCP_MIN_MSS). David Miller increased this minimal value
in commit c39508d6f1 ("tcp: Make TCP_MAXSEG minimum more correct.")
from 64 to 88.

We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.

CVE-2019-11479 -- tcp mss hardcoded to 48

Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-17 19:54:22 +02:00
Eric Dumazet
ad472d3a94 tcp: tcp_fragment() should apply sane memory limits
commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.

Jonathan Looney reported that a malicious peer can force a sender
to fragment its retransmit queue into tiny skbs, inflating memory
usage and/or overflow 32bit counters.

TCP allows an application to queue up to sk_sndbuf bytes,
so we need to give some allowance for non malicious splitting
of retransmit queue.

A new SNMP counter is added to monitor how many times TCP
did not allow to split an skb if the allowance was exceeded.

Note that this counter might increase in the case applications
use SO_SNDBUF socket option to lower sk_sndbuf.

CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
	socket is already using more than half the allowed space

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-17 19:54:22 +02:00
Eric Dumazet
4657ee0fe0 tcp: limit payload size of sacked skbs
commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff upstream.

Jonathan Looney reported that TCP can trigger the following crash
in tcp_shifted_skb() :

	BUG_ON(tcp_skb_pcount(skb) < pcount);

This can happen if the remote peer has advertized the smallest
MSS that linux TCP accepts : 48

An skb can hold 17 fragments, and each fragment can hold 32KB
on x86, or 64KB on PowerPC.

This means that the 16bit width of TCP_SKB_CB(skb)->tcp_gso_segs
can overflow.

Note that tcp_sendmsg() builds skbs with less than 64KB
of payload, so this problem needs SACK to be enabled.
SACK blocks allow TCP to coalesce multiple skbs in the retransmit
queue, thus filling the 17 fragments to maximal capacity.

CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs

Backport notes, provided by Joao Martins <joao.m.martins@oracle.com>

v4.15 or since commit 737ff314563 ("tcp: use sequence distance to
detect reordering") had switched from the packet-based FACK tracking and
switched to sequence-based.

v4.14 and older still have the old logic and hence on
tcp_skb_shift_data() needs to retain its original logic and have
@fack_count in sync. In other words, we keep the increment of pcount with
tcp_skb_pcount(skb) to later use that to update fack_count. To make it
more explicit we track the new skb that gets incremented to pcount in
@next_pcount, and we get to avoid the constant invocation of
tcp_skb_pcount(skb) altogether.

Fixes: 832d11c5cd ("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-17 19:54:22 +02:00
Linux Build Service Account
17c66e9e49 Merge "msm: vidc: add additional check to avoid out of bound access" 2019-06-17 10:19:40 -07:00
Linux Build Service Account
4e933027e6 Merge "Merge android-4.4.181 (bd858d7) into msm-4.4" 2019-06-17 10:19:38 -07:00
Xianbin Zhu
be5afd9343 i2c: refine the driver of i2c virtualization
1. there's no need to allocate buffer for virtio_i2c_req every
   time when it comes to data transmission, we can prepare this
   buffer at probe stage.

2. we need to add some input parameter checking for avoiding
   security risks.

3. refine the code to reduce the number of judgement statements.

Change-Id: Idb6ae8bb632c1a3032c6ba04de6ebb460f1e1a5c
Signed-off-by: Xianbin Zhu <xianzhu@codeaurora.org>
2019-06-17 07:23:00 -07:00
Govindaraj Rajagopal
f1057f82fa msm: vidc: add additional check to avoid out of bound access
pkt->msg_size can be corrupted and that leads to OOB access. So added
additional conditional check to avoid OOB access in debug queue
packet handling.

Change-Id: I360812c40369ecef2dd99464d400661bc785074b
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
2019-06-17 06:03:29 -07:00
Manoj Prabhu B
c176a066df diag: dci: Correct out of bounds check in processing dci pkt rsp
Correct the out of bounds check and prevent moving the temp pointer
further than out of bounds check which is not necessary while
processing dci pkt rsp.

Change-Id: I01f8cd7454aff81b24c986eade35c79724976151
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
2019-06-17 01:30:06 -07:00
Linux Build Service Account
cc47c2c325 Merge "msm: adsprpc: maintain local copy of rpra offloaded to DSP" 2019-06-14 08:06:12 -07:00
Tharun Kumar Merugu
1f3eb68e71 msm: adsprpc: maintain local copy of rpra offloaded to DSP
Since DSP is not supposed to modify the base pointer rpra of the
input/output arguments offloaded to DSP, maintain a local copy of
the pointer and use it after receiving interrupt from DSP.

Change-Id: I4afade7184cb2aca148060fb0cda06c6174f3b55
Acked-by: Maitreyi Gupta <maitreyi@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
2019-06-14 15:03:35 +05:30
Linux Build Service Account
a50f44266d Merge "diag: Prevent out-of-bound access while processing userspace data" 2019-06-13 16:34:55 -07:00
Linux Build Service Account
c658076e45 Merge "ASoC: msm: Add support for AVS version check" 2019-06-13 16:34:53 -07:00
Linux Build Service Account
f328b4d28d Merge "arm: dts: msm: Add avs-version dt property for 8996" 2019-06-12 18:51:25 -07:00
Hardik Arya
5dbfa1533a diag: Prevent out-of-bound access while processing userspace data
Proper buffer length checks are missing in diagchar_write
handlers for userspace data while processing the same buffer.

Change-Id: I5b8095766e09c22f164398089505fe827fee8b54
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2019-06-12 17:39:26 +05:30
Soumya Managoli
eb0322ea9b arm: dts: msm: Add avs-version dt property for 8996
Add avs-version dt property for reading the ADSP AVS version

Change-Id: I5da40c9530ca4c6ff61f0f1ea5e6b39f1e47e2ad
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
2019-06-12 14:24:22 +05:30
Srinivasarao P
5ef154a266 Merge android-4.4.181 (bd858d7) into msm-4.4
* refs/heads/tmp-bd858d7
  Linux 4.4.181
  ethtool: check the return value of get_regs_len
  ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
  fuse: Add FOPEN_STREAM to use stream_open()
  fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
  drm/gma500/cdv: Check vbt config bits when detecting lvds panels
  genwqe: Prevent an integer overflow in the ioctl
  MIPS: pistachio: Build uImage.gz by default
  fuse: fallocate: fix return with locked inode
  parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
  rcu: locking and unlocking need to always be at least barriers
  pktgen: do not sleep with the thread lock held.
  net: rds: fix memory leak in rds_ib_flush_mr_pool
  net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
  neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
  ethtool: fix potential userspace buffer overflow
  media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
  usb: gadget: fix request length error for isoc transfer
  net: cdc_ncm: GetNtbFormat endian fix
  Revert "x86/build: Move _etext to actual end of .text"
  userfaultfd: don't pin the user memory in userfaultfd_file_create()
  brcmfmac: add subtype check for event handling in data path
  brcmfmac: add length checks in scheduled scan result handler
  brcmfmac: fix incorrect event channel deduction
  brcmfmac: revise handling events in receive path
  brcmfmac: screening firmware event packet
  brcmfmac: Add length checks on firmware events
  bnx2x: disable GSO where gso_size is too big for hardware
  net: create skb_gso_validate_mac_len()
  binder: replace "%p" with "%pK"
  binder: Replace "%p" with "%pK" for stable
  CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
  kernel/signal.c: trace_signal_deliver when signal_group_exit
  memcg: make it work on sparse non-0-node systems
  tty: max310x: Fix external crystal register setup
  tty: serial: msm_serial: Fix XON/XOFF
  drm/nouveau/i2c: Disable i2c bus access after ->fini()
  ALSA: hda/realtek - Set default power save node to 0
  Btrfs: fix race updating log root item during fsync
  scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
  scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
  media: smsusb: better handle optional alignment
  media: usb: siano: Fix false-positive "uninitialized variable" warning
  media: usb: siano: Fix general protection fault in smsusb
  USB: rio500: fix memory leak in close after disconnect
  USB: rio500: refuse more than one device at a time
  USB: Add LPM quirk for Surface Dock GigE adapter
  USB: sisusbvga: fix oops in error path of sisusb_probe
  USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
  usb: xhci: avoid null pointer deref when bos field is NULL
  xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
  include/linux/bitops.h: sanitize rotate primitives
  sparc64: Fix regression in non-hypervisor TLB flush xcall
  tipc: fix modprobe tipc failed after switch order of device registration -v2
  Revert "tipc: fix modprobe tipc failed after switch order of device registration"
  xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
  crypto: vmx - ghash: do nosimd fallback manually
  net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
  bnxt_en: Fix aggregation buffer leak under OOM condition.
  tipc: Avoid copying bytes beyond the supplied data
  usbnet: fix kernel crash after disconnect
  net: stmmac: fix reset gpio free missing
  net-gro: fix use-after-free read in napi_gro_frags()
  llc: fix skb leak in llc_build_and_send_ui_pkt()
  ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
  ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
  spi: Fix zero length xfer bug
  spi: rspi: Fix sequencer reset during initialization
  spi : spi-topcliff-pch: Fix to handle empty DMA buffers
  scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
  media: saa7146: avoid high stack usage with clang
  media: go7007: avoid clang frame overflow warning with KASAN
  media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
  scsi: qla4xxx: avoid freeing unallocated dma memory
  usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
  rcutorture: Fix cleanup path for invalid torture_type strings
  tty: ipwireless: fix missing checks for ioremap
  virtio_console: initialize vtermno value for ports
  media: wl128x: prevent two potential buffer overflows
  spi: tegra114: reset controller on probe
  cxgb3/l2t: Fix undefined behaviour
  ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
  ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
  HID: core: move Usage Page concatenation to Main item
  chardev: add additional check for minor range overlap
  x86/ia32: Fix ia32_restore_sigcontext() AC leak
  arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
  scsi: ufs: Avoid configuring regulator with undefined voltage range
  scsi: ufs: Fix regulator load and icc-level configuration
  brcmfmac: fix race during disconnect when USB completion is in progress
  brcmfmac: convert dev_init_lock mutex to completion
  b43: shut up clang -Wuninitialized variable warning
  brcmfmac: fix missing checks for kmemdup
  rtlwifi: fix a potential NULL pointer dereference
  iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
  iio: hmc5843: fix potential NULL pointer dereferences
  iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
  x86/build: Keep local relocations with ld.lld
  cpufreq: pmac32: fix possible object reference leak
  cpufreq/pasemi: fix possible object reference leak
  cpufreq: ppc_cbe: fix possible object reference leak
  s390: cio: fix cio_irb declaration
  extcon: arizona: Disable mic detect if running when driver is removed
  PM / core: Propagate dev->power.wakeup_path when no callbacks
  mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
  mmc: sdhci-of-esdhc: add erratum eSDHC5 support
  mmc_spi: add a status check for spi_sync_locked
  scsi: libsas: Do discovery on empty PHY to update PHY info
  hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
  hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
  hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
  hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
  hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
  RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
  i40e: don't allow changes to HW VLAN stripping on active port VLANs
  x86/irq/64: Limit IST stack overflow check to #DB stack
  USB: core: Don't unbind interfaces following device reset failure
  sched/core: Handle overflow in cpu_shares_write_u64
  sched/core: Check quota and period overflow at usec to nsec conversion
  powerpc/numa: improve control of topology updates
  media: pvrusb2: Prevent a buffer overflow
  media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
  audit: fix a memory leak bug
  media: ov2659: make S_FMT succeed even if requested format doesn't match
  media: au0828: stop video streaming only when last user stops
  media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
  media: coda: clear error return value before picture run
  dmaengine: at_xdmac: remove BUG_ON macro in tasklet
  pinctrl: pistachio: fix leaked of_node references
  HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
  mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
  x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
  smpboot: Place the __percpu annotation correctly
  x86/build: Move _etext to actual end of .text
  bcache: avoid clang -Wunintialized warning
  bcache: add failure check to run_cache_set() for journal replay
  bcache: fix failure in journal relplay
  bcache: return error immediately in bch_journal_replay()
  net: cw1200: fix a NULL pointer dereference
  mwifiex: prevent an array overflow
  ASoC: fsl_sai: Update is_slave_mode with correct value
  mac80211/cfg80211: update bss channel on channel switch
  dmaengine: pl330: _stop: clear interrupt status
  w1: fix the resume command API
  rtc: 88pm860x: prevent use-after-free on device remove
  brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
  spi: pxa2xx: fix SCR (divisor) calculation
  ASoC: imx: fix fiq dependencies
  powerpc/boot: Fix missing check of lseek() return value
  mmc: core: Verify SD bus width
  cxgb4: Fix error path in cxgb4_init_module
  gfs2: Fix lru_count going negative
  tools include: Adopt linux/bits.h
  perf tools: No need to include bitops.h in util.h
  at76c50x-usb: Don't register led_trigger if usb_register_driver failed
  ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
  media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
  media: cpia2: Fix use-after-free in cpia2_exit
  fbdev: fix WARNING in __alloc_pages_nodemask bug
  hugetlb: use same fault hash key for shared and private mappings
  fbdev: fix divide error in fb_var_to_videomode
  btrfs: sysfs: don't leak memory when failing add fsid
  Btrfs: fix race between ranged fsync and writeback of adjacent ranges
  gfs2: Fix sign extension bug in gfs2_update_stats
  crypto: vmx - CTR: always increment IV as quadword
  Revert "scsi: sd: Keep disk read-only when re-reading partition"
  bio: fix improper use of smp_mb__before_atomic()
  KVM: x86: fix return value for reserved EFER
  ext4: do not delete unlinked inode from orphan list on failed truncate
  fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
  btrfs: Honour FITRIM range constraints during free space trim
  md/raid: raid5 preserve the writeback action after the parity check
  Revert "Don't jump to compute_result state from check_result state"
  perf bench numa: Add define for RUSAGE_THREAD if not present
  ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
  power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
  KVM: arm/arm64: Ensure vcpu target is unset on reset failure
  xfrm4: Fix uninitialized memory read in _decode_session4
  vti4: ipip tunnel deregistration fixes.
  xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
  xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
  dm delay: fix a crash when invalid device is specified
  PCI: Mark Atheros AR9462 to avoid bus reset
  fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
  fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
  fbdev: sm712fb: fix support for 1024x768-16 mode
  fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
  fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
  fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
  fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
  fbdev: sm712fb: fix brightness control on reboot, don't set SR30
  perf intel-pt: Fix sample timestamp wrt non-taken branches
  perf intel-pt: Fix improved sample timestamp
  perf intel-pt: Fix instructions sampling rate
  memory: tegra: Fix integer overflow on tick value calculation
  tracing: Fix partial reading of trace event's id file
  ceph: flush dirty inodes before proceeding with remount
  iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
  fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
  fuse: fix writepages on 32bit
  clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
  NFS4: Fix v4.0 client state corruption when mount
  media: ov6650: Fix sensor possibly not detected on probe
  cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
  of: fix clang -Wunsequenced for be32_to_cpu()
  intel_th: msu: Fix single mode with IOMMU
  md: add mddev->pers to avoid potential NULL pointer dereference
  stm class: Fix channel free in stm output free path
  tipc: fix modprobe tipc failed after switch order of device registration
  tipc: switch order of device registration to fix a crash
  ppp: deflate: Fix possible crash in deflate_init
  net/mlx4_core: Change the error print to info print
  net: avoid weird emergency message
  KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
  ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
  ext4: zero out the unused memory region in the extent tree block
  fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
  writeback: synchronize sync(2) against cgroup writeback membership switches
  crypto: arm/aes-neonbs - don't access already-freed walk.iv
  crypto: salsa20 - don't access already-freed walk.iv
  crypto: chacha20poly1305 - set cra_name correctly
  crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
  crypto: gcm - Fix error return code in crypto_gcm_create_common()
  ipmi:ssif: compare block number correctly for multi-part return messages
  bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
  bcache: fix a race between cache register and cacheset unregister
  Btrfs: do not start a transaction at iterate_extent_inodes()
  ext4: fix ext4_show_options for file systems w/o journal
  ext4: actually request zeroing of inode table after grow
  tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
  mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
  ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
  mm/mincore.c: make mincore() more conservative
  ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
  ASoC: max98090: Fix restore of DAPM Muxes
  ALSA: hda/realtek - EAPD turn on later
  ALSA: hda/hdmi - Consider eld_valid when reporting jack event
  ALSA: usb-audio: Fix a memory leak bug
  crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
  crypto: crct10dif-generic - fix use via crypto_shash_digest()
  crypto: vmx - fix copy-paste error in CTR mode
  ARM: exynos: Fix a leaked reference by adding missing of_node_put
  x86/speculation/mds: Improve CPU buffer clear documentation
  x86/speculation/mds: Revert CPU buffer clear on double fault exit
  f2fs: link f2fs quota ops for sysfile
  fs: sdcardfs: Add missing option to show_options

Conflicts:
	drivers/scsi/sd.c
	drivers/scsi/ufs/ufshcd.c

Change-Id: If6679c7cc8c3fee323c749ac359353fbebfd12d9
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-06-12 13:53:42 +05:30
Jay Jayanna
7caeb5cb7c soc: qcom: glink_spi_xprt: Sanitize input for short cmd
Check for data fragment size against the maximum size that can be read
from the source.

Change-Id: I779a9055599cebbeb8f0f9ffb8d62be7e5c53deb
Signed-off-by: Jay Jayanna <jayanna@codeaurora.org>
2019-06-11 19:00:45 -07:00
Linux Build Service Account
17fd8dbacb Merge "soc: qcom: hab: add missing variable declaration" 2019-06-11 16:33:28 -07:00
Todd Kjos
1cc130f95e UPSTREAM: binder: check for overflow when alloc for security context
commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 15:49:00 -07:00
Todd Kjos
7846725776 BACKPORT: binder: fix race between munmap() and direct reclaim
commit 5cec2d2e5839f9c0fec319c523a911e0a7fd299f upstream.

An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.

If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().

The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and skip zap_page_range() if it has changed
to NULL.

Bug: 120025196
Change-Id: I2f3284d294326ec7736303374769640a1e028783
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 10:19:30 -07:00
Shiju Mathew
849ecbea55 soc: qcom: hab: add missing variable declaration
This line was lost in last submission.

Change-Id: If957de37e58d2ddb8ada9e4f00f83abc3eb19d20
Signed-off-by: Shiju Mathew <shijum@codeaurora.org>
2019-06-11 07:51:19 -07:00
Greg Kroah-Hartman
bd858d7309 This is the 4.4.181 stable release

Merge 4.4.181 into android-4.4

Changes in 4.4.181
	x86/speculation/mds: Revert CPU buffer clear on double fault exit
	x86/speculation/mds: Improve CPU buffer clear documentation
	ARM: exynos: Fix a leaked reference by adding missing of_node_put
	crypto: vmx - fix copy-paste error in CTR mode
	crypto: crct10dif-generic - fix use via crypto_shash_digest()
	crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
	ALSA: usb-audio: Fix a memory leak bug
	ALSA: hda/hdmi - Consider eld_valid when reporting jack event
	ALSA: hda/realtek - EAPD turn on later
	ASoC: max98090: Fix restore of DAPM Muxes
	ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
	mm/mincore.c: make mincore() more conservative
	ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
	mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
	tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
	ext4: actually request zeroing of inode table after grow
	ext4: fix ext4_show_options for file systems w/o journal
	Btrfs: do not start a transaction at iterate_extent_inodes()
	bcache: fix a race between cache register and cacheset unregister
	bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
	ipmi:ssif: compare block number correctly for multi-part return messages
	crypto: gcm - Fix error return code in crypto_gcm_create_common()
	crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
	crypto: chacha20poly1305 - set cra_name correctly
	crypto: salsa20 - don't access already-freed walk.iv
	crypto: arm/aes-neonbs - don't access already-freed walk.iv
	writeback: synchronize sync(2) against cgroup writeback membership switches
	fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
	ext4: zero out the unused memory region in the extent tree block
	ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
	KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
	net: avoid weird emergency message
	net/mlx4_core: Change the error print to info print
	ppp: deflate: Fix possible crash in deflate_init
	tipc: switch order of device registration to fix a crash
	tipc: fix modprobe tipc failed after switch order of device registration
	stm class: Fix channel free in stm output free path
	md: add mddev->pers to avoid potential NULL pointer dereference
	intel_th: msu: Fix single mode with IOMMU
	of: fix clang -Wunsequenced for be32_to_cpu()
	cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
	media: ov6650: Fix sensor possibly not detected on probe
	NFS4: Fix v4.0 client state corruption when mount
	clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
	fuse: fix writepages on 32bit
	fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
	iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
	ceph: flush dirty inodes before proceeding with remount
	tracing: Fix partial reading of trace event's id file
	memory: tegra: Fix integer overflow on tick value calculation
	perf intel-pt: Fix instructions sampling rate
	perf intel-pt: Fix improved sample timestamp
	perf intel-pt: Fix sample timestamp wrt non-taken branches
	fbdev: sm712fb: fix brightness control on reboot, don't set SR30
	fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
	fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
	fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
	fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
	fbdev: sm712fb: fix support for 1024x768-16 mode
	fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
	fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
	PCI: Mark Atheros AR9462 to avoid bus reset
	dm delay: fix a crash when invalid device is specified
	xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
	xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
	vti4: ipip tunnel deregistration fixes.
	xfrm4: Fix uninitialized memory read in _decode_session4
	KVM: arm/arm64: Ensure vcpu target is unset on reset failure
	power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
	ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
	perf bench numa: Add define for RUSAGE_THREAD if not present
	Revert "Don't jump to compute_result state from check_result state"
	md/raid: raid5 preserve the writeback action after the parity check
	btrfs: Honour FITRIM range constraints during free space trim
	fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
	ext4: do not delete unlinked inode from orphan list on failed truncate
	KVM: x86: fix return value for reserved EFER
	bio: fix improper use of smp_mb__before_atomic()
	Revert "scsi: sd: Keep disk read-only when re-reading partition"
	crypto: vmx - CTR: always increment IV as quadword
	gfs2: Fix sign extension bug in gfs2_update_stats
	Btrfs: fix race between ranged fsync and writeback of adjacent ranges
	btrfs: sysfs: don't leak memory when failing add fsid
	fbdev: fix divide error in fb_var_to_videomode
	hugetlb: use same fault hash key for shared and private mappings
	fbdev: fix WARNING in __alloc_pages_nodemask bug
	media: cpia2: Fix use-after-free in cpia2_exit
	media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
	ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
	at76c50x-usb: Don't register led_trigger if usb_register_driver failed
	perf tools: No need to include bitops.h in util.h
	tools include: Adopt linux/bits.h
	gfs2: Fix lru_count going negative
	cxgb4: Fix error path in cxgb4_init_module
	mmc: core: Verify SD bus width
	powerpc/boot: Fix missing check of lseek() return value
	ASoC: imx: fix fiq dependencies
	spi: pxa2xx: fix SCR (divisor) calculation
	brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
	rtc: 88pm860x: prevent use-after-free on device remove
	w1: fix the resume command API
	dmaengine: pl330: _stop: clear interrupt status
	mac80211/cfg80211: update bss channel on channel switch
	ASoC: fsl_sai: Update is_slave_mode with correct value
	mwifiex: prevent an array overflow
	net: cw1200: fix a NULL pointer dereference
	bcache: return error immediately in bch_journal_replay()
	bcache: fix failure in journal relplay
	bcache: add failure check to run_cache_set() for journal replay
	bcache: avoid clang -Wunintialized warning
	x86/build: Move _etext to actual end of .text
	smpboot: Place the __percpu annotation correctly
	x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
	mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
	HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
	pinctrl: pistachio: fix leaked of_node references
	dmaengine: at_xdmac: remove BUG_ON macro in tasklet
	media: coda: clear error return value before picture run
	media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
	media: au0828: stop video streaming only when last user stops
	media: ov2659: make S_FMT succeed even if requested format doesn't match
	audit: fix a memory leak bug
	media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
	media: pvrusb2: Prevent a buffer overflow
	powerpc/numa: improve control of topology updates
	sched/core: Check quota and period overflow at usec to nsec conversion
	sched/core: Handle overflow in cpu_shares_write_u64
	USB: core: Don't unbind interfaces following device reset failure
	x86/irq/64: Limit IST stack overflow check to #DB stack
	i40e: don't allow changes to HW VLAN stripping on active port VLANs
	RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
	hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
	hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
	hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
	hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
	hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
	scsi: libsas: Do discovery on empty PHY to update PHY info
	mmc_spi: add a status check for spi_sync_locked
	mmc: sdhci-of-esdhc: add erratum eSDHC5 support
	mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
	PM / core: Propagate dev->power.wakeup_path when no callbacks
	extcon: arizona: Disable mic detect if running when driver is removed
	s390: cio: fix cio_irb declaration
	cpufreq: ppc_cbe: fix possible object reference leak
	cpufreq/pasemi: fix possible object reference leak
	cpufreq: pmac32: fix possible object reference leak
	x86/build: Keep local relocations with ld.lld
	iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
	iio: hmc5843: fix potential NULL pointer dereferences
	iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
	rtlwifi: fix a potential NULL pointer dereference
	brcmfmac: fix missing checks for kmemdup
	b43: shut up clang -Wuninitialized variable warning
	brcmfmac: convert dev_init_lock mutex to completion
	brcmfmac: fix race during disconnect when USB completion is in progress
	scsi: ufs: Fix regulator load and icc-level configuration
	scsi: ufs: Avoid configuring regulator with undefined voltage range
	arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
	x86/ia32: Fix ia32_restore_sigcontext() AC leak
	chardev: add additional check for minor range overlap
	HID: core: move Usage Page concatenation to Main item
	ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
	ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
	cxgb3/l2t: Fix undefined behaviour
	spi: tegra114: reset controller on probe
	media: wl128x: prevent two potential buffer overflows
	virtio_console: initialize vtermno value for ports
	tty: ipwireless: fix missing checks for ioremap
	rcutorture: Fix cleanup path for invalid torture_type strings
	usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
	scsi: qla4xxx: avoid freeing unallocated dma memory
	media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
	media: go7007: avoid clang frame overflow warning with KASAN
	media: saa7146: avoid high stack usage with clang
	scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
	spi : spi-topcliff-pch: Fix to handle empty DMA buffers
	spi: rspi: Fix sequencer reset during initialization
	spi: Fix zero length xfer bug
	ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
	ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
	llc: fix skb leak in llc_build_and_send_ui_pkt()
	net-gro: fix use-after-free read in napi_gro_frags()
	net: stmmac: fix reset gpio free missing
	usbnet: fix kernel crash after disconnect
	tipc: Avoid copying bytes beyond the supplied data
	bnxt_en: Fix aggregation buffer leak under OOM condition.
	net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
	crypto: vmx - ghash: do nosimd fallback manually
	xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
	Revert "tipc: fix modprobe tipc failed after switch order of device registration"
	tipc: fix modprobe tipc failed after switch order of device registration -v2
	sparc64: Fix regression in non-hypervisor TLB flush xcall
	include/linux/bitops.h: sanitize rotate primitives
	xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
	usb: xhci: avoid null pointer deref when bos field is NULL
	USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
	USB: sisusbvga: fix oops in error path of sisusb_probe
	USB: Add LPM quirk for Surface Dock GigE adapter
	USB: rio500: refuse more than one device at a time
	USB: rio500: fix memory leak in close after disconnect
	media: usb: siano: Fix general protection fault in smsusb
	media: usb: siano: Fix false-positive "uninitialized variable" warning
	media: smsusb: better handle optional alignment
	scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
	scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
	Btrfs: fix race updating log root item during fsync
	ALSA: hda/realtek - Set default power save node to 0
	drm/nouveau/i2c: Disable i2c bus access after ->fini()
	tty: serial: msm_serial: Fix XON/XOFF
	tty: max310x: Fix external crystal register setup
	memcg: make it work on sparse non-0-node systems
	kernel/signal.c: trace_signal_deliver when signal_group_exit
	CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
	binder: Replace "%p" with "%pK" for stable
	binder: replace "%p" with "%pK"
	net: create skb_gso_validate_mac_len()
	bnx2x: disable GSO where gso_size is too big for hardware
	brcmfmac: Add length checks on firmware events
	brcmfmac: screening firmware event packet
	brcmfmac: revise handling events in receive path
	brcmfmac: fix incorrect event channel deduction
	brcmfmac: add length checks in scheduled scan result handler
	brcmfmac: add subtype check for event handling in data path
	userfaultfd: don't pin the user memory in userfaultfd_file_create()
	Revert "x86/build: Move _etext to actual end of .text"
	net: cdc_ncm: GetNtbFormat endian fix
	usb: gadget: fix request length error for isoc transfer
	media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
	ethtool: fix potential userspace buffer overflow
	neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
	net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
	net: rds: fix memory leak in rds_ib_flush_mr_pool
	pktgen: do not sleep with the thread lock held.
	rcu: locking and unlocking need to always be at least barriers
	parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
	fuse: fallocate: fix return with locked inode
	MIPS: pistachio: Build uImage.gz by default
	genwqe: Prevent an integer overflow in the ioctl
	drm/gma500/cdv: Check vbt config bits when detecting lvds panels
	fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
	fuse: Add FOPEN_STREAM to use stream_open()
	ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
	ethtool: check the return value of get_regs_len
	Linux 4.4.181

Change-Id: Ibadc58ab76330698ff36ffdc0ca8c9d52ce36f9e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-06-11 13:55:47 +02:00
Linux Build Service Account
0434b31d56 Merge "dwc3-msm: Fix dwc3_drd_state_string for undefined state" 2019-06-11 04:12:22 -07:00
Linux Build Service Account
411c38c969 Merge "usb: dwc3-msm: Ensure hardware is reset during role change" 2019-06-11 04:12:21 -07:00
Linux Build Service Account
8dce56fa0c Merge "usb: dwc3-msm: add enum for drd_states to remove otg_state usage" 2019-06-11 04:12:20 -07:00
Greg Kroah-Hartman
d7b7345c3a Linux 4.4.181 2019-06-11 12:24:13 +02:00
Yunsheng Lin
f1d7eebd9d ethtool: check the return value of get_regs_len
commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream.

The return type for get_regs_len in struct ethtool_ops is int,
the hns3 driver may return error when failing to get the regs
len by sending cmd to firmware.

Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
David Ahern
647f72b0d7 ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
commit 9b3040a6aafd7898ece7fc7efcbca71e42aa8069 upstream.

Define __ipv4_neigh_lookup_noref to return NULL when CONFIG_INET is disabled.

Fixes: 4b2a2bfeb3f0 ("neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
Kirill Smelkov
c9696a8f3e fuse: Add FOPEN_STREAM to use stream_open()
commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream.

Starting from commit 9c225f2655 ("vfs: atomic f_pos accesses as per
POSIX") files opened even via nonseekable_open gate read and write via lock
and do not allow them to be run simultaneously. This can create read vs
write deadlock if a filesystem is trying to implement a socket-like file
which is intended to be simultaneously used for both read and write from
filesystem client.  See commit 10dce8af3422 ("fs: stream_open - opener for
stream-like files so that read and write can run simultaneously without
deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock
on writes to /proc/xen/xenbus") for a similar deadlock example on
/proc/xen/xenbus.

To avoid such deadlock it was tempting to adjust fuse_finish_open to use
stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags,
but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
and in particular GVFS which actually uses offset in its read and write
handlers

	https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

so if we would do such a change it will break a real user.

Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the
opened handler is having stream-like semantics; does not use file position
and thus the kernel is free to issue simultaneous read and write request on
opened file handle.

This patch together with stream_open() should be added to stable kernels
starting from v3.14+. This will allow to patch OSSPD and other FUSE
filesystems that provide stream-like files to return FOPEN_STREAM |
FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all
kernel versions. This should work because fuse_finish_open ignores unknown
open flags returned from a filesystem and so passing FOPEN_STREAM to a
kernel that is not aware of this flag cannot hurt. In turn the kernel that
is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE
is sufficient to implement streams without read vs write deadlock.

Cc: stable@vger.kernel.org # v3.14+
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
Kirill Smelkov
3bf0c45961 fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
commit 10dce8af34226d90fa56746a934f8da5dcdba3df upstream.

Commit 9c225f2655 ("vfs: atomic f_pos accesses as per POSIX") added
locking for file.f_pos access and in particular made concurrent read and
write not possible - now both those functions take f_pos lock for the
whole run, and so if e.g. a read is blocked waiting for data, write will
deadlock waiting for that read to complete.

This caused regression for stream-like files where previously read and
write could run simultaneously, but after that patch could not do so
anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes
to /proc/xen/xenbus") which fixes such regression for particular case of
/proc/xen/xenbus.

The patch that added f_pos lock in 2014 did so to guarantee POSIX thread
safety for read/write/lseek and added the locking to file descriptors of
all regular files. In 2014 that thread-safety problem was not new as it
was already discussed earlier in 2006.

However even though 2006'th version of Linus's patch was adding f_pos
locking "only for files that are marked seekable with FMODE_LSEEK (thus
avoiding the stream-like objects like pipes and sockets)", the 2014
version - the one that actually made it into the tree as 9c225f2655 -
is doing so irregardless of whether a file is seekable or not.

See

    https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/
    https://lwn.net/Articles/180387
    https://lwn.net/Articles/180396

for historic context.

The reason that it did so is, probably, that there are many files that
are marked non-seekable, but e.g. their read implementation actually
depends on knowing current position to correctly handle the read. Some
examples:

	kernel/power/user.c		snapshot_read
	fs/debugfs/file.c		u32_array_read
	fs/fuse/control.c		fuse_conn_waiting_read + ...
	drivers/hwmon/asus_atk0110.c	atk_debugfs_ggrp_read
	arch/s390/hypfs/inode.c		hypfs_read_iter
	...

Despite that, many nonseekable_open users implement read and write with
pure stream semantics - they don't depend on passed ppos at all. And for
those cases where read could wait for something inside, it creates a
situation similar to xenbus - the write could be never made to go until
read is done, and read is waiting for some, potentially external, event,
for potentially unbounded time -> deadlock.

Besides xenbus, there are 14 such places in the kernel that I've found
with semantic patch (see below):

	drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write()
	drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write()
	drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write()
	drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write()
	net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write()
	drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write()
	drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write()
	drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write()
	net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write()
	drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write()
	drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write()
	drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write()
	drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write()
	drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write()

In addition to the cases above another regression caused by f_pos
locking is that now FUSE filesystems that implement open with
FOPEN_NONSEEKABLE flag, can no longer implement bidirectional
stream-like files - for the same reason as above e.g. read can deadlock
write locking on file.f_pos in the kernel.

FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f7 ("fuse:
implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp
in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and
write routines not depending on current position at all, and with both
read and write being potentially blocking operations:

See

    https://github.com/libfuse/osspd
    https://lwn.net/Articles/308445

    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406
    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477
    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510

Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as
"somewhat pipe-like files ..." with read handler not using offset.
However that test implements only read without write and cannot exercise
the deadlock scenario:

    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131
    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163
    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216

I've actually hit the read vs write deadlock for real while implementing
my FUSE filesystem where there is /head/watch file, for which open
creates separate bidirectional socket-like stream in between filesystem
and its user with both read and write being later performed
simultaneously. And there it is semantically not easy to split the
stream into two separate read-only and write-only channels:

    https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169

Let's fix this regression. The plan is:

1. We can't change nonseekable_open to include &~FMODE_ATOMIC_POS -
   doing so would break many in-kernel nonseekable_open users which
   actually use ppos in read/write handlers.

2. Add stream_open() to kernel to open stream-like non-seekable file
   descriptors. Read and write on such file descriptors would never use
   nor change ppos. And with that property on stream-like files read and
   write will be running without taking f_pos lock - i.e. read and write
   could be running simultaneously.

3. With semantic patch search and convert to stream_open all in-kernel
   nonseekable_open users for which read and write actually do not
   depend on ppos and where there is no other methods in file_operations
   which assume @offset access.

4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via
   stream_open if that bit is present in filesystem open reply.

   It was tempting to change fs/fuse/ open handler to use stream_open
   instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but
   grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
   and in particular GVFS which actually uses offset in its read and
   write handlers

	https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

   so if we would do such a change it will break a real user.

5. Add stream_open and FOPEN_STREAM handling to stable kernels starting
   from v3.14+ (the kernel where 9c225f2655 first appeared).

   This will allow to patch OSSPD and other FUSE filesystems that
   provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE
   in their open handler and this way avoid the deadlock on all kernel
   versions. This should work because fs/fuse/ ignores unknown open
   flags returned from a filesystem and so passing FOPEN_STREAM to a
   kernel that is not aware of this flag cannot hurt. In turn the kernel
   that is not aware of FOPEN_STREAM will be < v3.14 where just
   FOPEN_NONSEEKABLE is sufficient to implement streams without read vs
   write deadlock.

This patch adds stream_open, converts /proc/xen/xenbus to it and adds
semantic patch to automatically locate in-kernel places that are either
required to be converted due to read vs write deadlock, or that are just
safe to be converted because read and write do not use ppos and there
are no other funky methods in file_operations.

Regarding semantic patch I've verified each generated change manually -
that it is correct to convert - and each other nonseekable_open instance
left - that it is either not correct to convert there, or that it is not
converted due to current stream_open.cocci limitations.

The script also does not convert files that should be valid to convert,
but that currently have .llseek = noop_llseek or generic_file_llseek for
unknown reason despite file being opened with nonseekable_open (e.g.
drivers/input/mousedev.c)

Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yongzhi Pan <panyongzhi@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Nikolaus Rath <Nikolaus@rath.org>
Cc: Han-Wen Nienhuys <hanwen@google.com>
[ backport to 4.4: actually fixed deadlock on /proc/xen/xenbus as 581d21a2d02a was not backported to 4.4 ]
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
Patrik Jakobsson
0f5fab865a drm/gma500/cdv: Check vbt config bits when detecting lvds panels
commit 7c420636860a719049fae9403e2c87804f53bdde upstream.

Some machines have an lvds child device in vbt even though a panel is
not attached. To make detection more reliable we now also check the lvds
config bits available in the vbt.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1665766
Cc: stable@vger.kernel.org
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190416114607.1072-1-patrik.r.jakobsson@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
Dan Carpenter
e087f75191 genwqe: Prevent an integer overflow in the ioctl
commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream.

There are a couple potential integer overflows here.

	round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE);

The first thing is that the "m->size + (...)" addition could overflow,
and the second is that round_up() overflows to zero if the result is
within PAGE_SIZE of the type max.

In this code, the "m->size" variable is an u64 but we're saving the
result in "map_size" which is an unsigned long and genwqe_user_vmap()
takes an unsigned long as well.  So I have used ULONG_MAX as the upper
bound.  From a practical perspective unsigned long is fine/better than
trying to change all the types to u64.

Fixes: eaf4722d46 ("GenWQE Character device and DDCB queue")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
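
The two overflows described in the genwqe commit message above, reproduced in userspace as an added example (this is not the kernel patch or the driver's code). PAGE_SIZE is assumed to be 4096, ROUND_UP stands in for the kernel's round_up(), and the function names and inputs are constructed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL                 /* assumed page size for this demo */
#define PAGE_MASK (~(PAGE_SIZE - 1))
/* Power-of-two rounding, same arithmetic as the kernel's round_up(). */
#define ROUND_UP(x, y) ((((x) - 1) | ((y) - 1)) + 1)

/* Unchecked: both the addition and the rounding can wrap. */
static unsigned long map_size_unchecked(uint64_t addr, uint64_t size)
{
    return (unsigned long)ROUND_UP(size + (addr & ~PAGE_MASK), PAGE_SIZE);
}

/* Checked: bound size by ULONG_MAX before adding or rounding. */
static int map_size_checked(uint64_t addr, uint64_t size, unsigned long *out)
{
    uint64_t off = addr & ~PAGE_MASK;    /* offset in page, < PAGE_SIZE */

    if (size > ULONG_MAX - PAGE_SIZE - off)
        return -EINVAL;
    *out = (unsigned long)ROUND_UP(size + off, PAGE_SIZE);
    return 0;
}

int main(void)
{
    unsigned long out = 0;

    /* Constructed inputs: the sum wraps, so a huge request looks like one page. */
    printf("add wraps:   %lu\n", map_size_unchecked(0xfff, UINT64_MAX));
    /* Constructed inputs: the rounding wraps to zero near the type max. */
    printf("round wraps: %lu\n", map_size_unchecked(0, ULONG_MAX - 100));
    printf("checked:     %d %d\n",
           map_size_checked(0xfff, UINT64_MAX, &out),
           map_size_checked(0, ULONG_MAX - 100, &out));
    if (map_size_checked(0x1234, 8192, &out) == 0)
        printf("valid:       %lu\n", out);
    return 0;
}
```

In both unchecked cases the computed mapping size is far smaller than the size the caller supplied, which is why the bound has to be tested before the arithmetic rather than on its result.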
Paul Burton
59565e8945 MIPS: pistachio: Build uImage.gz by default
commit e4f2d1af7163becb181419af9dece9206001e0a6 upstream.

The pistachio platform uses the U-Boot bootloader & generally boots a
kernel in the uImage format. As such it's useful to build one when
building the kernel, but to do so currently requires the user to
manually specify a uImage target on the make command line.

Make uImage.gz the pistachio platform's default build target, so that
the default is to build a kernel image that we can actually boot on a
board such as the MIPS Creator Ci40.

Marked for stable backport as far as v4.1 where pistachio support was
introduced. This is primarily useful for CI systems such as kernelci.org
which will benefit from us building a suitable image which can then be
booted as part of automated testing, extending our test coverage to the
affected stable branches.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Kevin Hilman <khilman@baylibre.com>
Tested-by: Kevin Hilman <khilman@baylibre.com>
URL: https://groups.io/g/kernelci/message/388
Cc: stable@vger.kernel.org # v4.1+
Cc: linux-mips@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
Miklos Szeredi
8061c23f53 fuse: fallocate: fix return with locked inode
commit 35d6fcbb7c3e296a52136347346a698a35af3fda upstream.

Do the proper cleanup in case the size check fails.

Tested with xfstests:generic/228

Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 0cbade024ba5 ("fuse: honor RLIMIT_FSIZE in fuse_file_fallocate")
Cc: Liu Bo <bo.liu@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # v3.5
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00
John David Anglin
cf30c19534 parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
commit 63923d2c3800919774f5c651d503d1dd2adaddd5 upstream.

We only support I/O to kernel space. Using %sr1 to load the coherence
index may be racy unless interrupts are disabled. This patch changes the
code used to load the coherence index to use implicit space register
selection. This saves one instruction and eliminates the race.

Tested on rp3440, c8000 and c3750.

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-11 12:24:13 +02:00