commit 5507839a723e4edeed4efda2fa2249c4713fe0bb Author: Greg Kroah-Hartman Date: Wed Feb 27 10:07:03 2019 +0100 Linux 4.9.161 commit 8ff3c2ecc1a4b79d6ee2b0e705784e2619ccaf7d Author: Masahiro Yamada Date: Tue Nov 6 12:04:55 2018 +0900 kbuild: consolidate Clang compiler flags commit 238bcbc4e07fad2fff99c5b157d0c37ccd4d093c upstream. Collect basic Clang options such as --target, --prefix, --gcc-toolchain, -no-integrated-as into a single variable CLANG_FLAGS so that it can be easily reused in other parts of Makefile. Signed-off-by: Masahiro Yamada Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Acked-by: Greg Hackmann Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 9eea082f762f7f71c0d0373d821b1aac22f719e3 Author: Matthias Kaehlcke Date: Mon Oct 30 11:08:16 2017 -0700 sched/sysctl: Fix attributes of some extern declarations commit a9903f04e0a4ea522d959c2f287cdf0ab029e324 upstream. The definition of sysctl_sched_migration_cost, sysctl_sched_nr_migrate and sysctl_sched_time_avg includes the attribute const_debug. This attribute is not part of the extern declaration of these variables in include/linux/sched/sysctl.h, while it is in kernel/sched/sched.h, and as a result Clang generates warnings like this: kernel/sched/sched.h:1618:33: warning: section attribute is specified on redeclared variable [-Wsection] extern const_debug unsigned int sysctl_sched_time_avg; ^ ./include/linux/sched/sysctl.h:42:21: note: previous declaration is here extern unsigned int sysctl_sched_time_avg; The header only declares the variables when CONFIG_SCHED_DEBUG is defined, therefore it is not necessary to duplicate the definition of const_debug. Instead we can use the attribute __read_mostly, which is the expansion of const_debug when CONFIG_SCHED_DEBUG=y is set. Signed-off-by: Matthias Kaehlcke Reviewed-by: Nick Desaulniers Cc: Douglas Anderson Cc: Guenter Roeck Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Shile Zhang Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20171030180816.170850-1-mka@chromium.org Signed-off-by: Ingo Molnar [nc: Backport to 4.9] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit ffd36a6801880a1f42ca769327fd9ff30f25e577 Author: Colin Ian King Date: Thu Nov 23 11:10:47 2017 +0000 phy: tegra: remove redundant self assignment of 'map' commit a0dd6773038f3fd2bd1b4f7ec193887cffc49046 upstream. The assignment of map to itself is redundant and can be removed. Detected with Coccinelle. Signed-off-by: Colin Ian King Signed-off-by: Kishon Vijay Abraham I Cc: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 87e964d19fdb95867eb05525bed8594f4de84e2b Author: Nathan Chancellor Date: Wed Oct 31 17:50:21 2018 -0700 pinctrl: max77620: Use define directive for max77620_pinconf_param values commit 1f60652dd586d1b3eee7c4602892a97a62fa937a upstream. Clang warns when one enumerated type is implicitly converted to another: drivers/pinctrl/pinctrl-max77620.c:56:12: warning: implicit conversion from enumeration type 'enum max77620_pinconf_param' to different enumeration type 'enum pin_config_param' [-Wenum-conversion] .param = MAX77620_ACTIVE_FPS_SOURCE, ^~~~~~~~~~~~~~~~~~~~~~~~~~ It is expected that pinctrl drivers can extend pin_config_param because of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion isn't an issue. Most drivers that take advantage of this define the PIN_CONFIG variables as constants, rather than enumerated values. Do the same thing here so that Clang no longer warns. Link: https://github.com/ClangBuiltLinux/linux/issues/139 Signed-off-by: Nathan Chancellor Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit deba234596ead92e6d65de42fa5345e3e02d73dc Author: Pablo Neira Ayuso Date: Fri Feb 15 12:50:24 2019 +0100 netfilter: nf_tables: fix flush after rule deletion in the same batch commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream. Flush after rule deletion bogusly hits -ENOENT. Skip rules that have been already from nft_delrule_by_chain() which is always called from the flush path. Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table") Reported-by: Phil Sutter Acked-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 0b6633d1f19b7dc99066b96731daf451dbe9aaf7 Author: Hangbin Liu Date: Fri Feb 22 21:22:32 2019 +0800 Revert "bridge: do not add port to router list when receives query with source 0.0.0.0" commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream. This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries") The reason is RFC 4541 is not a standard but suggestive. Currently we will elect 0.0.0.0 as Querier if there is no ip address configured on bridge. If we do not add the port which recives query with source 0.0.0.0 to router list, the IGMP reports will not be about to forward to Querier, IGMP data will also not be able to forward to dest. As Nikolay suggested, revert this change first and add a boolopt api to disable none-zero election in future if needed. Reported-by: Linus Lüssing Reported-by: Sebastian Gottschall Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0") Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries") Signed-off-by: Hangbin Liu Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5ac69185d4641c8215353a8a5f2d9f58a5e75ff5 Author: Nick Desaulniers Date: Mon Jul 10 15:47:26 2017 -0700 mm/zsmalloc.c: fix -Wunneeded-internal-declaration warning commit 3457f4147675108aa83f9f33c136f06bb9f8518f upstream. is_first_page() is only called from the macro VM_BUG_ON_PAGE() which is only compiled in as a runtime check when CONFIG_DEBUG_VM is set, otherwise is checked at compile time and not actually compiled in. Fixes the following warning, found with Clang: mm/zsmalloc.c:472:12: warning: function 'is_first_page' is not needed and will not be emitted [-Wunneeded-internal-declaration] static int is_first_page(struct page *page) ^ Link: http://lkml.kernel.org/r/20170524053859.29059-1-nick.desaulniers@gmail.com Signed-off-by: Nick Desaulniers Reviewed-by: Sergey Senozhatsky Acked-by: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit d069e8ca02afdb5ca9e2b60a580e521e73493291 Author: Matthias Kaehlcke Date: Fri Sep 8 16:13:02 2017 -0700 mm/zsmalloc.c: change stat type parameter to int commit 3eb95feac113d8ebad5b7b5189a65efcbd95a749 upstream. zs_stat_inc/dec/get() uses enum zs_stat_type for the stat type, however some callers pass an enum fullness_group value. Change the type to int to reflect the actual use of the functions and get rid of 'enum-conversion' warnings Link: http://lkml.kernel.org/r/20170731175000.56538-1-mka@chromium.org Signed-off-by: Matthias Kaehlcke Reviewed-by: Sergey Senozhatsky Acked-by: Minchan Kim Cc: Doug Anderson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 411b7ca7f67a373b8001496f022cf1f12cd750a1 Author: Will Deacon Date: Fri Oct 28 12:23:57 2016 +0100 irqchip/gic-v3: Convert arm64 GIC accessors to {read,write}_sysreg_s commit d44ffa5ae70a15a15190aa9ffa6f6acdeae1d25c upstream. The GIC system registers are accessed using open-coded wrappers around the mrs_s/msr_s asm macros. This patch moves the code over to the {read,wrote}_sysreg_s accessors instead, reducing the amount of explicit asm blocks in the arch headers. Reviewed-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Marc Zyngier [nc: Also fix gic_write_bpr1, which was incidentally fixed in 0e9884fe63c6 ("arm64: sysreg: subsume GICv3 sysreg definitions")] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit c95a870d1cdeda811c9ba4a16c16c4d1e2baa701 Author: Masahiro Yamada Date: Tue Nov 6 12:04:54 2018 +0900 kbuild: add -no-integrated-as Clang option unconditionally commit dbe27a002ef8573168cb64e181458ea23a74e2b6 upstream. We are still a way off the Clang's integrated assembler support for the kernel. Hence, -no-integrated-as is mandatory to build the kernel with Clang. If you had an ancient version of Clang that does not recognize this option, you would not be able to compile the kernel anyway. Signed-off-by: Masahiro Yamada Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit e1e7f343ea57be71cf6b57caae43e123033ee1e5 Author: Stefan Agner Date: Mon Mar 19 22:12:53 2018 +0100 kbuild: set no-integrated-as before incl. arch Makefile commit 0f0e8de334c54c38818a4a5390a39aa09deff5bf upstream. In order to make sure compiler flag detection for ARM works correctly the no-integrated-as flags need to be set before including the arch specific Makefile. Fixes: cfe17c9bbe6a ("kbuild: move cc-option and cc-disable-warning after incl. arch Makefile") Signed-off-by: Stefan Agner Signed-off-by: Masahiro Yamada [nc: Backport to 4.9; adjust context due to a previous backport] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 9362c0885a48d5c4ffefc0bac9ff81bf3f6bac38 Author: Sodagudi Prasad Date: Tue Feb 6 15:46:51 2018 -0800 kbuild: clang: disable unused variable warnings only when constant commit 0a5f41767444cc3b4fc5573921ab914b4f78baaa upstream. Currently, GCC disables -Wunused-const-variable, but not -Wunused-variable, so warns unused variables if they are non-constant. While, Clang does not warn unused variables at all regardless of the const qualifier because -Wno-unused-const-variable is implied by the stronger option -Wno-unused-variable. Disable -Wunused-const-variable instead of -Wunused-variable so that GCC and Clang work in the same way. Signed-off-by: Prasad Sodagudi Signed-off-by: Masahiro Yamada Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit b018806f8ab17dcd789ecfb6656569a0b0097990 Author: Nick Desaulniers Date: Sat Oct 7 13:23:23 2017 -0700 kbuild: clang: remove crufty HOSTCFLAGS commit df16aaac26e92e97ab7234d3f93c953466adc4b5 upstream. When compiling with `make CC=clang HOSTCC=clang`, I was seeing warnings that clang did not recognize -fno-delete-null-pointer-checks for HOSTCC targets. These were added in commit 61163efae020 ("kbuild: LLVMLinux: Add Kbuild support for building kernel with Clang"). Clang does not support -fno-delete-null-pointer-checks, so adding it to HOSTCFLAGS if HOSTCC is clang does not make sense. It's not clear why the other warnings were disabled, and just for HOSTCFLAGS, but I can remove them, add -Werror to HOSTCFLAGS and compile with clang just fine. Suggested-by: Masahiro Yamada Signed-off-by: Nick Desaulniers Signed-off-by: Masahiro Yamada [nc: Backport to 4.9; adjust context] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 3f46fe4a39fd0634abdd60294706aa005c6d8b0c Author: David Lin Date: Fri Oct 20 14:09:13 2017 -0700 kbuild: clang: fix build failures with sparse check commit bb3f38c3c5b759163e09b9152629cc789731de47 upstream. We should avoid using the space character when passing arguments to clang, because static code analysis check tool such as sparse may misinterpret the arguments followed by spaces as build targets hence cause the build to fail. Signed-off-by: David Lin Signed-off-by: Masahiro Yamada [nc: Backport to 4.9; adjust context] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit b098b0228598af3ca2fd02892c4b976185988e7d Author: Masahiro Yamada Date: Mon Nov 27 21:15:13 2017 +0900 kbuild: move cc-option and cc-disable-warning after incl. arch Makefile commit cfe17c9bbe6a673fdafdab179c32b355ed447f66 upstream. Geert reported commit ae6b289a3789 ("kbuild: Set KBUILD_CFLAGS before incl. arch Makefile") broke cross-compilation using a cross-compiler that supports less compiler options than the host compiler. For example, cc1: error: unrecognized command line option "-Wno-unused-but-set-variable" This problem happens on architectures that setup CROSS_COMPILE in their arch/*/Makefile. Move the cc-option and cc-disable-warning back to the original position, but keep the Clang target options untouched. Fixes: ae6b289a3789 ("kbuild: Set KBUILD_CFLAGS before incl. arch Makefile") Reported-by: Geert Uytterhoeven Signed-off-by: Masahiro Yamada Tested-by: Geert Uytterhoeven [nc: Backport to 4.9; adjust context due to a previous backport] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit ebf4753ab1c83883bb67b4a74685a59322012dd9 Author: Ville Syrjälä Date: Fri Sep 1 17:31:23 2017 +0300 drm/i915: Fix enum pipe vs. enum transcoder for the PCH transcoder commit 41c32e5da3ff3922490341a988b2a3ae46d0b6a8 upstream. Use enum pipe for PCH transcoders also in the FIFO underrun code. Fixes the following new sparse warnings: intel_fifo_underrun.c:340:49: warning: mixing different enum types intel_fifo_underrun.c:340:49: int enum pipe versus intel_fifo_underrun.c:340:49: int enum transcoder intel_fifo_underrun.c:344:49: warning: mixing different enum types intel_fifo_underrun.c:344:49: int enum pipe versus intel_fifo_underrun.c:344:49: int enum transcoder intel_fifo_underrun.c:397:57: warning: mixing different enum types intel_fifo_underrun.c:397:57: int enum pipe versus intel_fifo_underrun.c:397:57: int enum transcoder intel_fifo_underrun.c:398:17: warning: mixing different enum types intel_fifo_underrun.c:398:17: int enum pipe versus intel_fifo_underrun.c:398:17: int enum transcoder Cc: Matthias Kaehlcke Fixes: a21960339c8c ("drm/i915: Consistently use enum pipe for PCH transcoders") Signed-off-by: "Ville Syrjälä" Link: https://patchwork.freedesktop.org/patch/msgid/20170901143123.7590-3-ville.syrjala@linux.intel.com Reviewed-by: Chris Wilson [nc: Backport to 4.9, drop unneeded hunks] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 01e081790f150581b875e3da256083ffd02e9e81 Author: Matthias Kaehlcke Date: Mon Jul 17 11:14:03 2017 -0700 drm/i915: Consistently use enum pipe for PCH transcoders commit a21960339c8c107eae99d68c85e6355189b22192 upstream. The current code uses in some instances enum transcoder for PCH transcoders and enum pipe in others. This is error prone and clang raises warnings like this: drivers/gpu/drm/i915/intel_dp.c:3546:51: warning: implicit conversion from enumeration type 'enum pipe' to different enumeration type 'enum transcoder' [-Wenum-conversion] intel_set_pch_fifo_underrun_reporting(dev_priv, PIPE_A, false); Consistently use the type enum pipe for PCH transcoders. Signed-off-by: Matthias Kaehlcke Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20170717181403.57324-1-mka@chromium.org [nc: Backport to 4.9; adjust context and drop unneeded hunks] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit e81c46456bfbd1a7fb8d6d03efcd79d3b13509c3 Author: Matthias Kaehlcke Date: Tue Jul 25 14:50:53 2017 -0700 x86/boot: Disable the address-of-packed-member compiler warning commit 20c6c189045539d29f4854d92b7ea9c329e1edfc upstream. The clang warning 'address-of-packed-member' is disabled for the general kernel code, also disable it for the x86 boot code. This suppresses a bunch of warnings like this when building with clang: ./arch/x86/include/asm/processor.h:535:30: warning: taking address of packed member 'sp0' of class or structure 'x86_hw_tss' may result in an unaligned pointer value [-Waddress-of-packed-member] return this_cpu_read_stable(cpu_tss.x86_tss.sp0); ^~~~~~~~~~~~~~~~~~~ ./arch/x86/include/asm/percpu.h:391:59: note: expanded from macro 'this_cpu_read_stable' #define this_cpu_read_stable(var) percpu_stable_op("mov", var) ^~~ ./arch/x86/include/asm/percpu.h:228:16: note: expanded from macro 'percpu_stable_op' : "p" (&(var))); ^~~ Signed-off-by: Matthias Kaehlcke Cc: Doug Anderson Cc: Linus Torvalds Cc: Masahiro Yamada Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170725215053.135586-1-mka@chromium.org Signed-off-by: Ingo Molnar Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 8bd71286fde0fe25024c0cc97a91962ec68a74b2 Author: Matthias Kaehlcke Date: Fri Apr 21 16:41:10 2017 -0700 tracing: Use cpumask_available() to check if cpumask variable may be used commit 4dbbe2d8e95c351157f292ece067f985c30c7b53 upstream. This fixes the following clang warning: kernel/trace/trace.c:3231:12: warning: address of array 'iter->started' will always evaluate to 'true' [-Wpointer-bool-conversion] if (iter->started) Link: http://lkml.kernel.org/r/20170421234110.117075-1-mka@chromium.org Signed-off-by: Matthias Kaehlcke Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 64696ba9577f7742358cd7be42da2a4eb4877244 Author: Matthias Kaehlcke Date: Tue Jul 25 11:36:25 2017 -0700 netpoll: Fix device name check in netpoll_setup() commit 0c3a8f8b8fabff4f3ad2dd7b95ae0e90cdd1aebb upstream. Apparently netpoll_setup() assumes that netpoll.dev_name is a pointer when checking if the device name is set: if (np->dev_name) { ... However the field is a character array, therefore the condition always yields true. Check instead whether the first byte of the array has a non-zero value. Signed-off-by: Matthias Kaehlcke Signed-off-by: David S. Miller Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 146558f0d27f299d607973574e33000f3c8aa87d Author: Matthias Kaehlcke Date: Tue Apr 18 16:30:37 2017 -0700 clocksource: Use GENMASK_ULL in definition of CLOCKSOURCE_MASK commit 0773cea37470f8e080c510fe720fc356cf35df3a upstream Besides reusing existing code this removes the special case handling for 64-bit masks, which causes clang to raise a shift count overflow warning due to https://bugs.llvm.org//show_bug.cgi?id=10030. Suggested-by: Dmitry Torokhov Signed-off-by: Matthias Kaehlcke Cc: Grant Grundler Cc: Greg Hackmann Cc: Michael Davidson Cc: John Stultz Link: http://lkml.kernel.org/r/20170418233037.70990-1-mka@chromium.org Signed-off-by: Thomas Gleixner [nc: cycle_t wasn't eliminated until commit a5a1d1c2914b ("clocksource: Use a plain u64 instead of cycle_t") in v4.10] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 62c0e9c3dd464d94020d6d7a3c6f7a3354286783 Author: Matthias Kaehlcke Date: Mon Mar 13 11:57:25 2017 -0700 hpet: Make cmd parameter of hpet_ioctl_common() unsigned commit 5cd5e6ad0ede862432e1e766bfe02a9ad447533e upstream. The value passed by the two callers of the function is unsigned anyway. Making the parameter unsigned fixes the following warning when building with clang: drivers/char/hpet.c:588:7: error: overflow converting case value to switch condition type (2149083139 to 18446744071563667459) [-Werror,-Wswitch] case HPET_INFO: ^ include/uapi/linux/hpet.h:18:19: note: expanded from macro 'HPET_INFO' ^ include/uapi/asm-generic/ioctl.h:77:28: note: expanded from macro '_IOR' ^ include/uapi/asm-generic/ioctl.h:66:2: note: expanded from macro '_IOC' (((dir) << _IOC_DIRSHIFT) | \ Signed-off-by: Matthias Kaehlcke Acked-by: Clemens Ladisch Signed-off-by: Greg Kroah-Hartman Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 9e3bd8686189d87e72f44965537a81ec3831f5f7 Author: Alexey Brodkin Date: Fri Feb 8 13:55:19 2019 +0300 ARC: define ARCH_SLAB_MINALIGN = 8 commit b6835ea77729e7faf4656ca637ba53f42b8ee3fd upstream. The default value of ARCH_SLAB_MINALIGN in "include/linux/slab.h" is "__alignof__(unsigned long long)" which for ARC unexpectedly turns out to be 4. This is not a compiler bug, but as defined by ARC ABI [1] Thus slab allocator would allocate a struct which is 32-bit aligned, which is generally OK even if struct has long long members. There was however potetial problem when it had any atomic64_t which use LLOCKD/SCONDD instructions which are required by ISA to take 64-bit addresses. This is the problem we ran into [ 4.015732] EXT4-fs (mmcblk0p2): re-mounted. Opts: (null) [ 4.167881] Misaligned Access [ 4.172356] Path: /bin/busybox.nosuid [ 4.176004] CPU: 2 PID: 171 Comm: rm Not tainted 4.19.14-yocto-standard #1 [ 4.182851] [ 4.182851] [ECR ]: 0x000d0000 => Check Programmer's Manual [ 4.190061] [EFA ]: 0xbeaec3fc [ 4.190061] [BLINK ]: ext4_delete_entry+0x210/0x234 [ 4.190061] [ERET ]: ext4_delete_entry+0x13e/0x234 [ 4.202985] [STAT32]: 0x80080002 : IE K [ 4.207236] BTA: 0x9009329c SP: 0xbe5b1ec4 FP: 0x00000000 [ 4.212790] LPS: 0x9074b118 LPE: 0x9074b120 LPC: 0x00000000 [ 4.218348] r00: 0x00000040 r01: 0x00000021 r02: 0x00000001 ... ... [ 4.270510] Stack Trace: [ 4.274510] ext4_delete_entry+0x13e/0x234 [ 4.278695] ext4_rmdir+0xe0/0x238 [ 4.282187] vfs_rmdir+0x50/0xf0 [ 4.285492] do_rmdir+0x9e/0x154 [ 4.288802] EV_Trap+0x110/0x114 The fix is to make sure slab allocations are 64-bit aligned. Do note that atomic64_t is __attribute__((aligned(8)) which means gcc does generate 64-bit aligned references, relative to beginning of container struct. However the issue is if the container itself is not 64-bit aligned, atomic64_t ends up unaligned which is what this patch ensures. [1] https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/wiki/files/ARCv2_ABI.pdf Signed-off-by: Alexey Brodkin Cc: # 4.8+ Signed-off-by: Vineet Gupta [vgupta: reworked changelog, added dependency on LL64+LLSC] Signed-off-by: Greg Kroah-Hartman commit 036df538627b97a17fbb9233a2c443fb3e46cae2 Author: Eugeniy Paltsev Date: Thu Feb 14 18:07:44 2019 +0300 ARC: U-boot: check arguments paranoidly commit a66f2e57bd566240d8b3884eedf503928fbbe557 upstream. Handle U-boot arguments paranoidly: * don't allow to pass unknown tag. * try to use external device tree blob only if corresponding tag (TAG_DTB) is set. * don't check uboot_tag if kernel build with no ARC_UBOOT_SUPPORT. NOTE: If U-boot args are invalid we skip them and try to use embedded device tree blob. We can't panic on invalid U-boot args as we really pass invalid args due to bug in U-boot code. This happens if we don't provide external DTB to U-boot and don't set 'bootargs' U-boot environment variable (which is default case at least for HSDK board) In that case we will pass {r0 = 1 (bootargs in r2); r1 = 0; r2 = 0;} to linux which is invalid. While I'm at it refactor U-boot arguments handling code. Cc: stable@vger.kernel.org Tested-by: Corentin LABBE Signed-off-by: Eugeniy Paltsev Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 812224d6b1fddb567fcbd480f9e35d94d7dad321 Author: Eugeniy Paltsev Date: Wed Jan 16 14:29:50 2019 +0300 ARCv2: Enable unaligned access in early ASM code commit 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 upstream. It is currently done in arc_init_IRQ() which might be too late considering gcc 7.3.1 onwards (GNU 2018.03) generates unaligned memory accesses by default Cc: stable@vger.kernel.org #4.4+ Signed-off-by: Eugeniy Paltsev Signed-off-by: Vineet Gupta [vgupta: rewrote changelog] Signed-off-by: Greg Kroah-Hartman commit e9f06133d7ddd4788371ec5613f9c577bba8c103 Author: Dmitry V. Levin Date: Sat Feb 16 16:10:39 2019 +0300 parisc: Fix ptrace syscall number modification commit b7dc5a071ddf69c0350396b203cba32fe5bab510 upstream. Commit 910cd32e552e ("parisc: Fix and enable seccomp filter support") introduced a regression in ptrace-based syscall tampering: when tracer changes syscall number to -1, the kernel fails to initialize %r28 with -ENOSYS and subsequently fails to return the error code of the failed syscall to userspace. This erroneous behaviour could be observed with a simple strace syscall fault injection command which is expected to print something like this: $ strace -a0 -ewrite -einject=write:error=enospc echo hello write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED) write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED) write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED) write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED) +++ exited with 1 +++ After commit 910cd32e552ea09caa89cdbe328e468979b030dd it loops printing something like this instead: write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0) ) = 0 (INJECTED) This bug was found by strace test suite. Fixes: 910cd32e552e ("parisc: Fix and enable seccomp filter support") Cc: stable@vger.kernel.org # v4.5+ Signed-off-by: Dmitry V. Levin Tested-by: Helge Deller Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit fcfa562a61a9f52d54bba7a539ac7180121e0089 Author: Saeed Mahameed Date: Mon Feb 11 18:04:17 2019 +0200 net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames [ Upstream commit 29dded89e80e3fff61efb34f07a8a3fba3ea146d ] When an ethernet frame is padded to meet the minimum ethernet frame size, the padding octets are not covered by the hardware checksum. Fortunately the padding octets are usually zero's, which don't affect checksum. However, it is not guaranteed. For example, switches might choose to make other use of these octets. This repeatedly causes kernel hardware checksum fault. Prior to the cited commit below, skb checksum was forced to be CHECKSUM_NONE when padding is detected. After it, we need to keep skb->csum updated. However, fixing up CHECKSUM_COMPLETE requires to verify and parse IP headers, it does not worth the effort as the packets are so small that CHECKSUM_COMPLETE has no significant advantage. Future work: when reporting checksum complete is not an option for IP non-TCP/UDP packets, we can actually fallback to report checksum unnecessary, by looking at cqe IPOK bit. Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends") Cc: Eric Dumazet Signed-off-by: Saeed Mahameed Signed-off-by: Tariq Toukan Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 176ef96c1900432ba7ef659f435a7320bf026ca6 Author: Xin Long Date: Tue Feb 12 18:47:30 2019 +0800 sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment [ Upstream commit fc228abc2347e106a44c0e9b29ab70b712c4ca51 ] Jianlin reported a panic when running sctp gso over gre over vlan device: [ 84.772930] RIP: 0010:do_csum+0x6d/0x170 [ 84.790605] Call Trace: [ 84.791054] csum_partial+0xd/0x20 [ 84.791657] gre_gso_segment+0x2c3/0x390 [ 84.792364] inet_gso_segment+0x161/0x3e0 [ 84.793071] skb_mac_gso_segment+0xb8/0x120 [ 84.793846] __skb_gso_segment+0x7e/0x180 [ 84.794581] validate_xmit_skb+0x141/0x2e0 [ 84.795297] __dev_queue_xmit+0x258/0x8f0 [ 84.795949] ? eth_header+0x26/0xc0 [ 84.796581] ip_finish_output2+0x196/0x430 [ 84.797295] ? skb_gso_validate_network_len+0x11/0x80 [ 84.798183] ? ip_finish_output+0x169/0x270 [ 84.798875] ip_output+0x6c/0xe0 [ 84.799413] ? ip_append_data.part.50+0xc0/0xc0 [ 84.800145] iptunnel_xmit+0x144/0x1c0 [ 84.800814] ip_tunnel_xmit+0x62d/0x930 [ip_tunnel] [ 84.801699] gre_tap_xmit+0xac/0xf0 [ip_gre] [ 84.802395] dev_hard_start_xmit+0xa5/0x210 [ 84.803086] sch_direct_xmit+0x14f/0x340 [ 84.803733] __dev_queue_xmit+0x799/0x8f0 [ 84.804472] ip_finish_output2+0x2e0/0x430 [ 84.805255] ? skb_gso_validate_network_len+0x11/0x80 [ 84.806154] ip_output+0x6c/0xe0 [ 84.806721] ? ip_append_data.part.50+0xc0/0xc0 [ 84.807516] sctp_packet_transmit+0x716/0xa10 [sctp] [ 84.808337] sctp_outq_flush+0xd7/0x880 [sctp] It was caused by SKB_GSO_CB(skb)->csum_start not set in sctp_gso_segment. sctp_gso_segment() calls skb_segment() with 'feature | NETIF_F_HW_CSUM', which causes SKB_GSO_CB(skb)->csum_start not to be set in skb_segment(). For TCP/UDP, when feature supports HW_CSUM, CHECKSUM_PARTIAL will be set and gso_reset_checksum will be called to set SKB_GSO_CB(skb)->csum_start. So SCTP should do the same as TCP/UDP, to call gso_reset_checksum() when computing checksum in sctp_gso_segment. Reported-by: Jianlin Shi Signed-off-by: Xin Long Acked-by: Neil Horman Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2b0925f939cbf8e74f6c342fc0eedf45ade967c8 Author: Hangbin Liu Date: Thu Feb 7 18:36:11 2019 +0800 sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() [ Upstream commit 173656accaf583698bac3f9e269884ba60d51ef4 ] If we disabled IPv6 from the kernel command line (ipv6.disable=1), we should not call ip6_err_gen_icmpv6_unreach(). This: ip link add sit1 type sit local 192.0.2.1 remote 192.0.2.2 ttl 1 ip link set sit1 up ip addr add 198.51.100.1/24 dev sit1 ping 198.51.100.2 if IPv6 is disabled at boot time, will crash the kernel. v2: there's no need to use in6_dev_get(), use __in6_dev_get() instead, as we only need to check that idev exists and we are under rcu_read_lock() (from netif_receive_skb_internal()). Reported-by: Jianlin Shi Fixes: ca15a078bd90 ("sit: generate icmpv6 error when receiving icmpv4 error") Cc: Oussama Ghorbel Signed-off-by: Hangbin Liu Reviewed-by: Stefano Brivio Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 03ad40df95398ed7eaa647b5d2e2ff747945ae8b Author: Cong Wang Date: Mon Feb 11 21:59:51 2019 -0800 team: avoid complex list operations in team_nl_cmd_options_set() [ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ] The current opt_inst_list operations inside team_nl_cmd_options_set() is too complex to track: LIST_HEAD(opt_inst_list); nla_for_each_nested(...) { list_for_each_entry(opt_inst, &team->option_inst_list, list) { if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) continue; list_add(&opt_inst->tmp_list, &opt_inst_list); } } team_nl_send_event_options_get(team, &opt_inst_list); as while we retrieve 'opt_inst' from team->option_inst_list, it could be added to the local 'opt_inst_list' for multiple times. The __team_option_inst_tmp_find() doesn't work, as the setter team_mode_option_set() still calls team->ops.exit() which uses ->tmp_list too in __team_options_change_check(). Simplify the list operations by moving the 'opt_inst_list' and team_nl_send_event_options_get() into the nla_for_each_nested() loop so that it can be guranteed that we won't insert a same list entry for multiple times. Therefore, __team_option_inst_tmp_find() can be removed too. Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com Cc: Jiri Pirko Cc: Paolo Abeni Signed-off-by: Cong Wang Acked-by: Jiri Pirko Reviewed-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3b70317bf9298f50511ce77857ccccb7a7ddf000 Author: Kal Conley Date: Sun Feb 10 09:57:11 2019 +0100 net/packet: fix 4gb buffer limit due to overflow check [ Upstream commit fc62814d690cf62189854464f4bd07457d5e9e50 ] When calculating rb->frames_per_block * req->tp_block_nr the result can overflow. Check it for overflow without limiting the total buffer size to UINT_MAX. This change fixes support for packet ring buffers >= UINT_MAX. Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr") Signed-off-by: Kal Conley Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit af9a0dba3a879ea466a3b9b9ed39dd01267081ee Author: Eric Dumazet Date: Mon Feb 11 14:41:22 2019 -0800 batman-adv: fix uninit-value in batadv_interface_tx() [ Upstream commit 4ffcbfac60642f63ae3d80891f573ba7e94a265c ] KMSAN reported batadv_interface_tx() was possibly using a garbage value [1] batadv_get_vid() does have a pskb_may_pull() call but batadv_interface_tx() does not actually make sure this did not fail. [1] BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x173/0x1d0 lib/dump_stack.c:113 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313 batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 __netdev_start_xmit include/linux/netdevice.h:4356 [inline] netdev_start_xmit include/linux/netdevice.h:4365 [inline] xmit_one net/core/dev.c:3257 [inline] dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273 __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876 packet_snd net/packet/af_packet.c:2928 [inline] packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] __sys_sendto+0x8c4/0xac0 net/socket.c:1788 __do_sys_sendto net/socket.c:1800 [inline] __se_sys_sendto+0x107/0x130 net/socket.c:1796 __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x441889 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889 RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0 R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2759 [inline] __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383 __kmalloc_reserve net/core/skbuff.c:137 [inline] __alloc_skb+0x309/0xa20 net/core/skbuff.c:205 alloc_skb include/linux/skbuff.h:998 [inline] alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220 sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083 packet_alloc_skb net/packet/af_packet.c:2781 [inline] packet_snd net/packet/af_packet.c:2872 [inline] packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] __sys_sendto+0x8c4/0xac0 net/socket.c:1788 __do_sys_sendto net/socket.c:1800 [inline] __se_sys_sendto+0x107/0x130 net/socket.c:1796 __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Marek Lindner Cc: Simon Wunderlich Cc: Antonio Quartulli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dc070cdb427e42a6b6b503427a029083e307ed34 Author: Eric Biggers Date: Fri Feb 22 15:36:18 2019 +0000 KEYS: always initialize keyring_index_key::desc_len commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream. syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() called from construct_alloc_key() during sys_request_key(), because the length of the key description was never calculated. The problem is that we rely on ->desc_len being initialized by search_process_keyrings(), specifically by search_nested_keyrings(). But, if the process isn't subscribed to any keyrings that never happens. Fix it by always initializing keyring_index_key::desc_len as soon as the description is set, like we already do in some places. The following program reproduces the BUG_ON() when it's run as root and no session keyring has been installed. If it doesn't work, try removing pam_keyinit.so from /etc/pam.d/login and rebooting. #include #include #include int main(void) { int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING); keyctl_setperm(id, KEY_OTH_WRITE); setreuid(5000, 5000); request_key("user", "desc", "", id); } Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Signed-off-by: Eric Biggers Signed-off-by: David Howells Cc: stable@vger.kernel.org Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit acf476e026ee99e6cf2ad169f938b4668112582b Author: Eric Biggers Date: Wed Feb 20 13:32:11 2019 +0000 KEYS: user: Align the payload buffer commit cc1780fc42c76c705dd07ea123f1143dc5057630 upstream. Align the payload of "user" and "logon" keys so that users of the keyrings service can access it as a struct that requires more than 2-byte alignment. fscrypt currently does this which results in the read of fscrypt_key::size being misaligned as it needs 4-byte alignment. Align to __alignof__(u64) rather than __alignof__(long) since in the future it's conceivable that people would use structs beginning with u64, which on some platforms would require more than 'long' alignment. Reported-by: Aaro Koskinen Fixes: 2aa349f6e37c ("[PATCH] Keys: Export user-defined keyring operations") Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Tested-by: Aaro Koskinen Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 8a7a605e10863a633e7abd85c29cb54cebd40dc1 Author: Bart Van Assche Date: Wed Jan 30 14:05:55 2019 -0800 RDMA/srp: Rework SCSI device reset handling commit 48396e80fb6526ea5ed267bd84f028bae56d2f9e upstream. Since .scsi_done() must only be called after scsi_queue_rq() has finished, make sure that the SRP initiator driver does not call .scsi_done() while scsi_queue_rq() is in progress. Although invoking sg_reset -d while I/O is in progress works fine with kernel v4.20 and before, that is not the case with kernel v5.0-rc1. This patch avoids that the following crash is triggered with kernel v5.0-rc1: BUG: unable to handle kernel NULL pointer dereference at 0000000000000138 CPU: 0 PID: 360 Comm: kworker/0:1H Tainted: G B 5.0.0-rc1-dbg+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Workqueue: kblockd blk_mq_run_work_fn RIP: 0010:blk_mq_dispatch_rq_list+0x116/0xb10 Call Trace: blk_mq_sched_dispatch_requests+0x2f7/0x300 __blk_mq_run_hw_queue+0xd6/0x180 blk_mq_run_work_fn+0x27/0x30 process_one_work+0x4f1/0xa20 worker_thread+0x67/0x5b0 kthread+0x1cf/0x1f0 ret_from_fork+0x24/0x30 Cc: Fixes: 94a9174c630c ("IB/srp: reduce lock coverage of command completion") Signed-off-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit cbc9ea4fc2dd1a1b8d59b99cc1bb8df79c8c8b07 Author: Michael Weiser Date: Mon Nov 14 18:58:05 2016 +0100 net: ethernet: stmmac: change dma descriptors to __le32 commit f8be0d78be6e7f199116a5e644ee20ff0ce413f7 upstream. The stmmac driver does not take into account the processor may be big endian when writing the DMA descriptors. This causes the ethernet interface not to be initialised correctly when running a big-endian kernel. Change the descriptors for DMA to use __le32 and ensure they are suitably swapped before writing. Tested successfully on the Cubieboard2. Signed-off-by: Michael Weiser Cc: Giuseppe Cavallaro Cc: Alexandre Torgue Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1767f6cdfc06d5afc70b6007a754e38f82f7fa22 Author: Nathan Chancellor Date: Wed Jan 9 22:41:08 2019 -0700 isdn: avm: Fix string plus integer warning from Clang [ Upstream commit 7afa81c55fca0cad589722cb4bce698b4803b0e1 ] A recent commit in Clang expanded the -Wstring-plus-int warning, showing some odd behavior in this file. drivers/isdn/hardware/avm/b1.c:426:30: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int] cinfo->version[j] = "\0\0" + 1; ~~~~~~~^~~ drivers/isdn/hardware/avm/b1.c:426:30: note: use array indexing to silence this warning cinfo->version[j] = "\0\0" + 1; ^ & [ ] 1 warning generated. This is equivalent to just "\0". Nick pointed out that it is smarter to use "" instead of "\0" because "" is used elsewhere in the kernel and can be deduplicated at the linking stage. Link: https://github.com/ClangBuiltLinux/linux/issues/309 Suggested-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 85992a31427d6129608d6c857d885915eadb2540 Author: Tariq Toukan Date: Thu Nov 8 12:06:53 2018 +0200 net/mlx5e: Fix wrong (zero) TX drop counter indication for representor [ Upstream commit 7fdc1adc52d3975740547a78c2df329bb207f15d ] For representors, the TX dropped counter is not folded from the per-ring counters. Fix it. Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit a1953b40c6b4749f157cc73a78b6b0a6be100538 Author: Ido Schimmel Date: Fri Jan 18 15:58:01 2019 +0000 mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky [ Upstream commit 64254a2054611205798e6bde634639bc704573ac ] The driver currently treats static FDB entries as both static and sticky. This is incorrect and prevents such entries from being roamed to a different port via learning. Fix this by configuring static entries with ageing disabled and roaming enabled. In net-next we can add proper support for the newly introduced 'sticky' flag. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Reported-by: Alexander Petrovskiy Reviewed-by: Petr Machata Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 38ad9f0362b2f79786c65c26c92e09f788512864 Author: Kangjie Lu Date: Tue Dec 25 22:18:23 2018 -0600 leds: lp5523: fix a missing check of return value of lp55xx_read [ Upstream commit 248b57015f35c94d4eae2fdd8c6febf5cd703900 ] When lp55xx_read() fails, "status" is an uninitialized variable and thus may contain random value; using it leads to undefined behaviors. The fix inserts a check for the return value of lp55xx_read: if it fails, returns with its error code. Signed-off-by: Kangjie Lu Signed-off-by: Jacek Anaszewski Signed-off-by: Sasha Levin commit 364f3761461395230ee45ed54c1962649df9e640 Author: Colin Ian King Date: Tue Jan 15 18:03:38 2019 +0000 atm: he: fix sign-extension overflow on large shift [ Upstream commit cb12d72b27a6f41325ae23a11033cf5fedfa1b97 ] Shifting the 1 by exp by an int can lead to sign-extension overlow when exp is 31 since 1 is an signed int and sign-extending this result to an unsigned long long will set the upper 32 bits. Fix this by shifting an unsigned long. Detected by cppcheck: (warning) Shifting signed 32-bit value by 31 bits is undefined behaviour Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 46154d295b82ff4f470dd3934440433ce333825b Author: Jia-Ju Bai Date: Tue Jan 8 21:04:48 2019 +0800 isdn: i4l: isdn_tty: Fix some concurrency double-free bugs [ Upstream commit 2ff33d6637393fe9348357285931811b76e1402f ] The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be concurrently executed. isdn_tty_tiocmset isdn_tty_modem_hup line 719: kfree(info->dtmf_state); line 721: kfree(info->silence_state); line 723: kfree(info->adpcms); line 725: kfree(info->adpcmr); isdn_tty_set_termios isdn_tty_modem_hup line 719: kfree(info->dtmf_state); line 721: kfree(info->silence_state); line 723: kfree(info->adpcms); line 725: kfree(info->adpcmr); Thus, some concurrency double-free bugs may occur. These possible bugs are found by a static tool written by myself and my manual code review. To fix these possible bugs, the mutex lock "modem_info_mutex" used in isdn_tty_tiocmset() is added in isdn_tty_set_termios(). Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ee3cf5aee221029dce651ab0cf4c736ba92ade62 Author: Jose Abreu Date: Wed Jan 9 10:05:56 2019 +0100 net: stmmac: Fix PCI module removal leak [ Upstream commit 6dea7e1881fd86b80da64e476ac398008daed857 ] Since commit b7d0f08e9129, the enable / disable of PCI device is not managed which will result in IO regions not being automatically unmapped. As regions continue mapped it is currently not possible to remove and then probe again the PCI module of stmmac. Fix this by manually unmapping regions on remove callback. Changes from v1: - Fix build error Cc: Joao Pinto Cc: David S. Miller Cc: Giuseppe Cavallaro Cc: Alexandre Torgue Fixes: b7d0f08e9129 ("net: stmmac: Fix WoL for PCI-based setups") Signed-off-by: Jose Abreu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8b5c7892fc8474030e84c4097687af7055a574a9 Author: Thomas Bogendoerfer Date: Wed Jan 9 18:12:16 2019 +0100 MIPS: jazz: fix 64bit build [ Upstream commit 41af167fbc0032f9d7562854f58114eaa9270336 ] 64bit JAZZ builds failed with linux-next/arch/mips/jazz/jazzdma.c: In function `vdma_init`: /linux-next/arch/mips/jazz/jazzdma.c:77:30: error: implicit declaration of function `KSEG1ADDR`; did you mean `CKSEG1ADDR`? [-Werror=implicit-function-declaration] pgtbl = (VDMA_PGTBL_ENTRY *)KSEG1ADDR(pgtbl); ^~~~~~~~~ CKSEG1ADDR /linux-next/arch/mips/jazz/jazzdma.c:77:10: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] pgtbl = (VDMA_PGTBL_ENTRY *)KSEG1ADDR(pgtbl); ^ In file included from /linux-next/arch/mips/include/asm/barrier.h:11:0, from /linux-next/include/linux/compiler.h:248, from /linux-next/include/linux/kernel.h:10, from /linux-next/arch/mips/jazz/jazzdma.c:11: /linux-next/arch/mips/include/asm/addrspace.h:41:29: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] #define _ACAST32_ (_ATYPE_)(_ATYPE32_) /* widen if necessary */ ^ /linux-next/arch/mips/include/asm/addrspace.h:53:25: note: in expansion of macro `_ACAST32_` #define CPHYSADDR(a) ((_ACAST32_(a)) & 0x1fffffff) ^~~~~~~~~ /linux-next/arch/mips/jazz/jazzdma.c:84:44: note: in expansion of macro `CPHYSADDR` r4030_write_reg32(JAZZ_R4030_TRSTBL_BASE, CPHYSADDR(pgtbl)); Using correct casts and CKSEG1ADDR when dealing with the pgtbl setup fixes this. Signed-off-by: Thomas Bogendoerfer Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: linux-mips@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit 0acf907103554dedc51dbb3e976367967988b8f8 Author: Logan Gunthorpe Date: Tue Jan 8 13:50:43 2019 -0700 scsi: isci: initialize shost fully before calling scsi_add_host() [ Upstream commit cc29a1b0a3f2597ce887d339222fa85b9307706d ] scsi_mq_setup_tags(), which is called by scsi_add_host(), calculates the command size to allocate based on the prot_capabilities. In the isci driver, scsi_host_set_prot() is called after scsi_add_host() so the command size gets calculated to be smaller than it needs to be. Eventually, scsi_mq_init_request() locates the 'prot_sdb' after the command assuming it was sized correctly and a buffer overrun may occur. However, seeing blk_mq_alloc_rqs() rounds up to the nearest cache line size, the mistake can go unnoticed. The bug was noticed after the struct request size was reduced by commit 9d037ad707ed ("block: remove req->timeout_list") Which likely reduced the allocated space for the request by an entire cache line, enough that the overflow could be hit and it caused a panic, on boot, at: RIP: 0010:t10_pi_complete+0x77/0x1c0 Call Trace: sd_done+0xf5/0x340 scsi_finish_command+0xc3/0x120 blk_done_softirq+0x83/0xb0 __do_softirq+0xa1/0x2e6 irq_exit+0xbc/0xd0 call_function_single_interrupt+0xf/0x20 sd_done() would call scsi_prot_sg_count() which reads the number of entities in 'prot_sdb', but seeing 'prot_sdb' is located after the end of the allocated space it reads a garbage number and erroneously calls t10_pi_complete(). To prevent this, the calls to scsi_host_set_prot() are moved into isci_host_alloc() before the call to scsi_add_host(). Out of caution, also move the similar call to scsi_host_set_guard(). Fixes: 3d2d75254915 ("[SCSI] isci: T10 DIF support") Link: http://lkml.kernel.org/r/da851333-eadd-163a-8c78-e1f4ec5ec857@deltatee.com Signed-off-by: Logan Gunthorpe Cc: Intel SCU Linux support Cc: Artur Paszkiewicz Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Christoph Hellwig Cc: Jens Axboe Cc: Jeff Moyer Reviewed-by: Jeff Moyer Reviewed-by: Jens Axboe Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 73d21cdbe2c2ce8e78a6ca31a4df08377a118661 Author: YueHaibing Date: Thu Dec 20 11:16:07 2018 +0800 scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param [ Upstream commit 72b4a0465f995175a2e22cf4a636bf781f1f28a7 ] The return code should be check while qla4xxx_copy_from_fwddb_param fails. Signed-off-by: YueHaibing Acked-by: Manish Rangankar Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ef5cb2ef9d046369e6c79c33c923afc7abd14cc4 Author: Alban Bedel Date: Mon Jan 7 20:45:15 2019 +0100 MIPS: ath79: Enable OF serial ports in the default config [ Upstream commit 565dc8a4f55e491935bfb04866068d21784ea9a4 ] CONFIG_SERIAL_OF_PLATFORM is needed to get a working console on the OF boards, enable it in the default config to get a working setup out of the box. Signed-off-by: Alban Bedel Signed-off-by: Paul Burton Cc: linux-mips@vger.kernel.org Cc: Ralf Baechle Cc: James Hogan Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit 80459778c5cecf039b4758a9fee1c0d6b4da77c8 Author: Yonglong Liu Date: Fri Jan 4 20:18:11 2019 +0800 net: hns: Fix use after free identified by SLUB debug [ Upstream commit bb989501abcafa0de5f18b0ec0ec459b5b817908 ] When enable SLUB debug, than remove hns_enet_drv module, SLUB debug will identify a use after free bug: [134.189505] Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b6b [134.197553] Mem abort info: [134.200381] ESR = 0x96000004 [134.203487] Exception class = DABT (current EL), IL = 32 bits [134.209497] SET = 0, FnV = 0 [134.212596] EA = 0, S1PTW = 0 [134.215777] Data abort info: [134.218701] ISV = 0, ISS = 0x00000004 [134.222596] CM = 0, WnR = 0 [134.225606] [006b6b6b6b6b6b6b] address between user and kernel address ranges [134.232851] Internal error: Oops: 96000004 [#1] SMP [134.237798] CPU: 21 PID: 27834 Comm: rmmod Kdump: loaded Tainted: G OE 4.19.5-1.2.34.aarch64 #1 [134.247856] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018 [134.255181] pstate: 20000005 (nzCv daif -PAN -UAO) [134.260044] pc : hns_ae_put_handle+0x38/0x60 [134.264372] lr : hns_ae_put_handle+0x24/0x60 [134.268700] sp : ffff00001be93c50 [134.272054] x29: ffff00001be93c50 x28: ffff802faaec8040 [134.277442] x27: 0000000000000000 x26: 0000000000000000 [134.282830] x25: 0000000056000000 x24: 0000000000000015 [134.288284] x23: ffff0000096fe098 x22: ffff000001050070 [134.293671] x21: ffff801fb3c044a0 x20: ffff80afb75ec098 [134.303287] x19: ffff80afb75ec098 x18: 0000000000000000 [134.312945] x17: 0000000000000000 x16: 0000000000000000 [134.322517] x15: 0000000000000002 x14: 0000000000000000 [134.332030] x13: dead000000000100 x12: ffff7e02bea3c988 [134.341487] x11: ffff80affbee9e68 x10: 0000000000000000 [134.351033] x9 : 6fffff8000008101 x8 : 0000000000000000 [134.360569] x7 : dead000000000100 x6 : ffff000009579748 [134.370059] x5 : 0000000000210d00 x4 : 0000000000000000 [134.379550] x3 : 0000000000000001 x2 : 0000000000000000 [134.388813] x1 : 6b6b6b6b6b6b6b6b x0 : 0000000000000000 [134.397993] Process rmmod (pid: 27834, stack limit = 0x00000000d474b7fd) [134.408498] Call trace: [134.414611] hns_ae_put_handle+0x38/0x60 [134.422208] hnae_put_handle+0xd4/0x108 [134.429563] hns_nic_dev_remove+0x60/0xc0 [hns_enet_drv] [134.438342] platform_drv_remove+0x2c/0x70 [134.445958] device_release_driver_internal+0x174/0x208 [134.454810] driver_detach+0x70/0xd8 [134.461913] bus_remove_driver+0x64/0xe8 [134.469396] driver_unregister+0x34/0x60 [134.476822] platform_driver_unregister+0x20/0x30 [134.485130] hns_nic_dev_driver_exit+0x14/0x6e4 [hns_enet_drv] [134.494634] __arm64_sys_delete_module+0x238/0x290 struct hnae_handle is a member of struct hnae_vf_cb, so when vf_cb is freed, than use hnae_handle will cause use after free panic. This patch frees vf_cb after hnae_handle used. Signed-off-by: Yonglong Liu Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 351d66319845a1751ba9bb757077f0d259f05e14 Author: Denis Bolotin Date: Thu Jan 3 12:02:40 2019 +0200 qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier [ Upstream commit 46721c3d9e273aea880e9ff835b0e1271e1cd2fb ] Make sure chain element is updated before ringing the doorbell. Signed-off-by: Denis Bolotin Signed-off-by: Ariel Elior Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f98bcfadc81aaa38711b119f920dce3448b5782c Author: Kangjie Lu Date: Thu Dec 20 15:12:11 2018 -0600 mfd: mc13xxx: Fix a missing check of a register-read failure [ Upstream commit 9e28989d41c0eab57ec0bb156617a8757406ff8a ] When mc13xxx_reg_read() fails, "old_adc0" is uninitialized and will contain random value. Further execution uses "old_adc0" even when mc13xxx_reg_read() fails. The fix checks the return value of mc13xxx_reg_read(), and exits the execution when it fails. Signed-off-by: Kangjie Lu Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 33e081e80d7947212ca9e6bf3ddd29da6e6ac573 Author: Charles Keepax Date: Wed Nov 28 10:04:22 2018 +0000 mfd: wm5110: Add missing ASRC rate register [ Upstream commit 04c801c18ded421845324255e660147a6f58dcd6 ] Signed-off-by: Charles Keepax Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 7955783d5b7f3621959e0f6bf28c0e3b3a768f3d Author: Jonathan Marek Date: Mon Nov 19 14:53:17 2018 -0500 mfd: qcom_rpm: write fw_version to CTRL_REG [ Upstream commit 504e4175829c44328773b96ad9c538e4783a8d22 ] This is required as part of the initialization sequence on certain SoCs. If these registers are not initialized, the hardware can be unresponsive. This fixes the driver on apq8060 (HP TouchPad device). Signed-off-by: Jonathan Marek Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit a688b8b61767d03c140aa2b7cc3265dbc7697b9f Author: Dan Carpenter Date: Thu Oct 25 15:43:44 2018 +0300 mfd: ab8500-core: Return zero in get_register_interruptible() [ Upstream commit 10628e3ecf544fa2e4e24f8e112d95c37884dc98 ] This function is supposed to return zero on success or negative error codes on error. Unfortunately, there is a bug so it sometimes returns non-zero, positive numbers on success. I noticed this bug during review and I can't test it. It does appear that the return is sometimes propogated back to _regmap_read() where all non-zero returns are treated as failure so this may affect run time. Fixes: 47c1697508f2 ("mfd: Align ab8500 with the abx500 interface") Signed-off-by: Dan Carpenter Reviewed-by: Linus Walleij Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 91e6613e22921b4e975608f83785a48f28eac65d Author: Nicolas Boichat Date: Mon Oct 22 10:55:06 2018 +0800 mfd: mt6397: Do not call irq_domain_remove if PMIC unsupported [ Upstream commit a177276aa098aa47a100d51a13eaaef029604b6d ] If the PMIC ID is unknown, the current code would call irq_domain_remove and panic, as pmic->irq_domain is only initialized by mt6397_irq_init. Return immediately with an error, if the chip ID is unsupported. Signed-off-by: Nicolas Boichat Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 5b3bcee0775f90a43f5be733166dcdaacc2cf32e Author: Nathan Chancellor Date: Wed Oct 17 17:56:28 2018 -0700 mfd: db8500-prcmu: Fix some section annotations [ Upstream commit a3888f62fe66429fad3be7f2ba962e1e08c26fd6 ] When building the kernel with Clang, the following section mismatch warnings appear: WARNING: vmlinux.o(.text+0x7239cc): Section mismatch in reference from the function db8500_prcmu_probe() to the function .init.text:init_prcm_registers() The function db8500_prcmu_probe() references the function __init init_prcm_registers(). This is often because db8500_prcmu_probe lacks a __init annotation or the annotation of init_prcm_registers is wrong. WARNING: vmlinux.o(.text+0x723e28): Section mismatch in reference from the function db8500_prcmu_probe() to the function .init.text:fw_project_name() The function db8500_prcmu_probe() references the function __init fw_project_name(). This is often because db8500_prcmu_probe lacks a __init annotation or the annotation of fw_project_name is wrong. db8500_prcmu_probe should not be marked as __init so remove the __init annotation from fw_project_name and init_prcm_registers. Signed-off-by: Nathan Chancellor Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit c42ae90ce5ee137854ab8445bbdddc4642d9e79c Author: Nathan Chancellor Date: Wed Oct 17 10:13:23 2018 -0700 mfd: twl-core: Fix section annotations on {,un}protect_pm_master [ Upstream commit 8838555089f0345b87f4277fe5a8dd647dc65589 ] When building the kernel with Clang, the following section mismatch warning appears: WARNING: vmlinux.o(.text+0x3d84a3b): Section mismatch in reference from the function twl_probe() to the function .init.text:unprotect_pm_master() The function twl_probe() references the function __init unprotect_pm_master(). This is often because twl_probe lacks a __init annotation or the annotation of unprotect_pm_master is wrong. Remove the __init annotation on the *protect_pm_master functions so there is no more mismatch. Signed-off-by: Nathan Chancellor Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit fcbdbda22d97b8b7a4dd140776f573e3a1ffaec4 Author: Vignesh R Date: Mon Dec 3 13:31:17 2018 +0530 mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells [ Upstream commit b40ee006fe6a8a25093434e5d394128c356a48f3 ] Use PLATFORM_DEVID_AUTO to number mfd cells while registering, so that different instances are uniquely identified. This is required in order to support registering of multiple instances of same ti_am335x_tscadc IP. Signed-off-by: Vignesh R Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 6704b9d8a075227b018959f5acd2aac3dfcd2e2e Author: Eric Biggers Date: Thu Feb 14 16:20:01 2019 +0000 KEYS: allow reaching the keys quotas exactly commit a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9 upstream. If the sysctl 'kernel.keys.maxkeys' is set to some number n, then actually users can only add up to 'n - 1' keys. Likewise for 'kernel.keys.maxbytes' and the root_* versions of these sysctls. But these sysctls are apparently supposed to be *maximums*, as per their names and all documentation I could find -- the keyrings(7) man page, Documentation/security/keys/core.rst, and all the mentions of EDQUOT meaning that the key quota was *exceeded* (as opposed to reached). Thus, fix the code to allow reaching the quotas exactly. Fixes: 0b77f5bfb45c ("keys: make the keyring quotas controllable through /proc/sys") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 2d182ba4345814dc332bfb0f78d6210f6c7de6f7 Author: Michal Hocko Date: Wed Feb 20 22:19:42 2019 -0800 proc, oom: do not report alien mms when setting oom_score_adj commit b2b469939e93458753cfbf8282ad52636495965e upstream. Tetsuo has reported that creating a thousands of processes sharing MM without SIGHAND (aka alien threads) and setting /proc//oom_score_adj will swamp the kernel log and takes ages [1] to finish. This is especially worrisome that all that printing is done under RCU lock and this can potentially trigger RCU stall or softlockup detector. The primary reason for the printk was to catch potential users who might depend on the behavior prior to 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj") but after more than 2 years without a single report I guess it is safe to simply remove the printk altogether. The next step should be moving oom_score_adj over to the mm struct and remove all the tasks crawling as suggested by [2] [1] http://lkml.kernel.org/r/97fce864-6f75-bca5-14bc-12c9f890e740@i-love.sakura.ne.jp [2] http://lkml.kernel.org/r/20190117155159.GA4087@dhcp22.suse.cz Link: http://lkml.kernel.org/r/20190212102129.26288-1-mhocko@kernel.org Signed-off-by: Michal Hocko Reported-by: Tetsuo Handa Acked-by: Johannes Weiner Cc: David Rientjes Cc: Yong-Taek Lee Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 17ef08517a03b5c7f51e09856b35e6051e84a2d8 Author: Ralph Campbell Date: Wed Feb 20 22:18:58 2019 -0800 numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES commit 050c17f239fd53adb55aa768d4f41bc76c0fe045 upstream. The system call, get_mempolicy() [1], passes an unsigned long *nodemask pointer and an unsigned long maxnode argument which specifies the length of the user's nodemask array in bits (which is rounded up). The manual page says that if the maxnode value is too small, get_mempolicy will return EINVAL but there is no system call to return this minimum value. To determine this value, some programs search /proc//status for a line starting with "Mems_allowed:" and use the number of digits in the mask to determine the minimum value. A recent change to the way this line is formatted [2] causes these programs to compute a value less than MAX_NUMNODES so get_mempolicy() returns EINVAL. Change get_mempolicy(), the older compat version of get_mempolicy(), and the copy_nodes_to_user() function to use nr_node_ids instead of MAX_NUMNODES, thus preserving the defacto method of computing the minimum size for the nodemask array and the maxnode argument. [1] http://man7.org/linux/man-pages/man2/get_mempolicy.2.html [2] https://lore.kernel.org/lkml/1545405631-6808-1-git-send-email-longman@redhat.com Link: http://lkml.kernel.org/r/20190211180245.22295-1-rcampbell@nvidia.com Fixes: 4fb8e5b89bcbbbb ("include/linux/nodemask.h: use nr_node_ids (not MAX_NUMNODES) in __nodemask_pr_numnodes()") Signed-off-by: Ralph Campbell Suggested-by: Alexander Duyck Cc: Waiman Long Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 79e3959b68cb08f086c6a65f3b3a36348e0cc5fd Author: Yan, Zheng Date: Mon Feb 11 15:18:52 2019 +0800 ceph: avoid repeatedly adding inode to mdsc->snap_flush_list commit 04242ff3ac0abbaa4362f97781dac268e6c3541a upstream. Otherwise, mdsc->snap_flush_list may get corrupted. Cc: stable@vger.kernel.org Signed-off-by: "Yan, Zheng" Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit a1f11de42378ef4c9fab701f6f2ff21b266a5c87 Author: Ilya Dryomov Date: Tue Feb 5 20:30:27 2019 +0100 libceph: handle an empty authorize reply commit 0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068 upstream. The authorize reply can be empty, for example when the ticket used to build the authorizer is too old and TAG_BADAUTHORIZER is returned from the service. Calling ->verify_authorizer_reply() results in an attempt to decrypt and validate (somewhat) random data in au->buf (most likely the signature block from calc_signature()), which fails and ends up in con_fault_finish() with !con->auth_retry. The ticket isn't invalidated and the connection is retried again and again until a new ticket is obtained from the monitor: libceph: osd2 192.168.122.1:6809 bad authorize reply libceph: osd2 192.168.122.1:6809 bad authorize reply libceph: osd2 192.168.122.1:6809 bad authorize reply libceph: osd2 192.168.122.1:6809 bad authorize reply Let TAG_BADAUTHORIZER handler kick in and increment con->auth_retry. Cc: stable@vger.kernel.org Fixes: 5c056fdc5b47 ("libceph: verify authorize reply on connect") Link: https://tracker.ceph.com/issues/20164 Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil Signed-off-by: Greg Kroah-Hartman commit efbc76008c119f20faca5bc478b3c227b801c8c5 Author: Herbert Xu Date: Thu Feb 14 22:03:25 2019 +0800 mac80211: Free mpath object when rhashtable insertion fails commit 4ff3a9d14c6c06eaa4e5976c61599ea2bd9e81b2 upstream. When rhashtable insertion fails the mesh table code doesn't free the now-orphan mesh path object. This patch fixes that. Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman