commit 37428a8003d96089e49e116bac4bce59a57c1f07 Author: Greg Kroah-Hartman Date: Sun Feb 25 11:03:55 2018 +0100 Linux 4.4.118 commit 554d660e4472a246ef7c98c247e43152badfa3f5 Author: Wu Fengguang Date: Fri Mar 18 23:27:28 2016 +0800 net: dst_cache_per_cpu_dst_set() can be static commit b73f96fcb49ec90c2f837719893e7b25fcdf08d8 upstream. Signed-off-by: Fengguang Wu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6e0d1fb619f06d7d3ba37d9bb1240788fe61c96e Author: Kamil Konieczny Date: Wed Feb 7 16:52:09 2018 +0100 crypto: s5p-sss - Fix kernel Oops in AES-ECB mode commit c927b080c67e3e97193c81fc1d27f4251bf4e036 upstream. In AES-ECB mode crypt is done with key only, so any use of IV can cause kernel Oops. Use IV only in AES-CBC and AES-CTR. Signed-off-by: Kamil Konieczny Reported-by: Anand Moon Reviewed-by: Krzysztof Kozlowski Tested-by: Anand Moon Cc: stable@vger.kernel.org # can be applied after commit 8f9702aad138 Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 853106cae8900801ebbdf6029c62800a99045d37 Author: Jan Dakinevich Date: Fri Feb 23 11:42:18 2018 +0100 KVM: nVMX: invvpid handling improvements commit bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e upstream - Expose all invalidation types to the L1 - Reject invvpid instruction, if L1 passed zero vpid value to single context invalidations Signed-off-by: Jan Dakinevich Tested-by: Ladi Prosek Signed-off-by: Radim Krčmář [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 6f0a79ff1b62e78b782c4f80298c586aa8495259 Author: Jan Dakinevich Date: Fri Feb 23 11:42:17 2018 +0100 KVM: VMX: clean up declaration of VPID/EPT invalidation types commit 63f3ac48133a19110c8a3666028dbd9b1bf3dcb3 upstream - Remove VMX_EPT_EXTENT_INDIVIDUAL_ADDR, since there is no such type of EPT invalidation - Add missing VPID types names Signed-off-by: Jan Dakinevich Tested-by: Ladi Prosek Signed-off-by: Radim Krčmář [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 82a945257ea995db797401eae023ec667967db18 Author: Jim Mattson Date: Fri Feb 23 11:42:16 2018 +0100 kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types commit 85c856b39b479dde410ddd09df1da745343010c9 upstream Bitwise shifts by amounts greater than or equal to the width of the left operand are undefined. A malicious guest can exploit this to crash a 32-bit host, due to the BUG_ON(1)'s in handle_{invept,invvpid}. Signed-off-by: Jim Mattson Message-Id: <1477496318-17681-1-git-send-email-jmattson@google.com> [Change 1UL to 1, to match the range check on the shift count. - Paolo] Signed-off-by: Paolo Bonzini [jwang: port from linux-4.9 to 4.4 ] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 04e8b366d3594bc6aaa728e183a13245a7f70653 Author: David Hildenbrand Date: Fri Feb 23 11:42:15 2018 +0100 KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail (cherry picked from commit 6342c50ad12e8ce0736e722184a7dbdea4a3477f) vmx_complete_nested_posted_interrupt() can't fail, let's turn it into a void function. Signed-off-by: David Hildenbrand Signed-off-by: Paolo Bonzini Signed-off-by: David Woodhouse [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit e7a3bc31dc0841ff5c3fc544edd94824a8b13b18 Author: David Hildenbrand Date: Fri Feb 23 11:42:14 2018 +0100 KVM: nVMX: kmap() can't fail commit 42cf014d38d8822cce63703a467e00f65d000952 upstream. kmap() can't fail, therefore it will always return a valid pointer. Let's just get rid of the unnecessary checks. Signed-off-by: David Hildenbrand Signed-off-by: Paolo Bonzini [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit fd94ae98d2dd6883ed8c7948dcbb48867894045d Author: Darren Kenny Date: Fri Feb 23 11:42:13 2018 +0100 x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL (cherry picked from commit af189c95a371b59f493dbe0f50c0a09724868881) Fixes: 117cc7a908c83 ("x86/retpoline: Fill return stack buffer on vmexit") Signed-off-by: Darren Kenny Signed-off-by: Thomas Gleixner Reviewed-by: Konrad Rzeszutek Wilk Cc: Tom Lendacky Cc: Andi Kleen Cc: Borislav Petkov Cc: Masami Hiramatsu Cc: Arjan van de Ven Cc: David Woodhouse Link: https://lkml.kernel.org/r/20180202191220.blvgkgutojecxr3b@starbug-vm.ie.oracle.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 3fc9b05df62de1877cb69f11368d1936b4f22160 Author: KarimAllah Ahmed Date: Fri Feb 23 11:42:12 2018 +0100 x86/spectre: Simplify spectre_v2 command line parsing (cherry picked from commit 9005c6834c0ffdfe46afa76656bd9276cca864f6) [dwmw2: Use ARRAY_SIZE] Signed-off-by: KarimAllah Ahmed Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Cc: peterz@infradead.org Cc: bp@alien8.de Link: https://lkml.kernel.org/r/1517484441-1420-3-git-send-email-dwmw@amazon.co.uk Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit b98197294b48051b3499d764ff0c6ccd40783fc8 Author: David Woodhouse Date: Fri Feb 23 11:42:11 2018 +0100 x86/retpoline: Avoid retpolines for built-in __init functions (cherry picked from commit 66f793099a636862a71c59d4a6ba91387b155e0c) There's no point in building init code with retpolines, since it runs before any potentially hostile userspace does. And before the retpoline is actually ALTERNATIVEd into place, for much of it. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Cc: karahmed@amazon.de Cc: peterz@infradead.org Cc: bp@alien8.de Link: https://lkml.kernel.org/r/1517484441-1420-2-git-send-email-dwmw@amazon.co.uk Signed-off-by: David Woodhouse [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 355e059499da0eca1cd550ffcb3136f442dc7df8 Author: Dan Williams Date: Fri Feb 23 11:42:10 2018 +0100 x86/kvm: Update spectre-v1 mitigation (cherry picked from commit 085331dfc6bbe3501fb936e657331ca943827600) Commit 75f139aaf896 "KVM: x86: Add memory barrier on vmcs field lookup" added a raw 'asm("lfence");' to prevent a bounds check bypass of 'vmcs_field_to_offset_table'. The lfence can be avoided in this path by using the array_index_nospec() helper designed for these types of fixes. Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Acked-by: Paolo Bonzini Cc: Andrew Honig Cc: kvm@vger.kernel.org Cc: Jim Mattson Link: https://lkml.kernel.org/r/151744959670.6342.3001723920950249067.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit ac0242fe0d9d698dde4a1fc249915af24a2a4c99 Author: Josh Poimboeuf Date: Fri Feb 23 11:42:09 2018 +0100 x86/paravirt: Remove 'noreplace-paravirt' cmdline option (cherry picked from commit 12c69f1e94c89d40696e83804dd2f0965b5250cd) The 'noreplace-paravirt' option disables paravirt patching, leaving the original pv indirect calls in place. That's highly incompatible with retpolines, unless we want to uglify paravirt even further and convert the paravirt calls to retpolines. As far as I can tell, the option doesn't seem to be useful for much other than introducing surprising corner cases and making the kernel vulnerable to Spectre v2. It was probably a debug option from the early paravirt days. So just remove it. Signed-off-by: Josh Poimboeuf Signed-off-by: Thomas Gleixner Reviewed-by: Juergen Gross Cc: Andrea Arcangeli Cc: Peter Zijlstra Cc: Andi Kleen Cc: Ashok Raj Cc: Greg KH Cc: Jun Nakajima Cc: Tim Chen Cc: Rusty Russell Cc: Dave Hansen Cc: Asit Mallick Cc: Andy Lutomirski Cc: Linus Torvalds Cc: Jason Baron Cc: Paolo Bonzini Cc: Alok Kataria Cc: Arjan Van De Ven Cc: David Woodhouse Cc: Dan Williams Link: https://lkml.kernel.org/r/20180131041333.2x6blhxirc2kclrq@treble Signed-off-by: David Woodhouse [jwang: chery pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit bf17809d19146865c29c985e82b0c419147d5b97 Author: Colin Ian King Date: Fri Feb 23 11:42:08 2018 +0100 x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" (cherry picked from commit e698dcdfcda41efd0984de539767b4cddd235f1e) Trivial fix to spelling mistake in pr_err error message text. Signed-off-by: Colin Ian King Signed-off-by: Thomas Gleixner Cc: Andi Kleen Cc: Greg Kroah-Hartman Cc: kernel-janitors@vger.kernel.org Cc: Andy Lutomirski Cc: Borislav Petkov Cc: David Woodhouse Link: https://lkml.kernel.org/r/20180130193218.9271-1-colin.king@canonical.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit b9c288b664da79d18b71edce8be7640d9ea8c0bf Author: Dan Williams Date: Fri Feb 23 11:42:07 2018 +0100 x86/spectre: Report get_user mitigation for spectre_v1 (cherry picked from commit edfbae53dab8348fca778531be9f4855d2ca0360) Reflect the presence of get_user(), __get_user(), and 'syscall' protections in sysfs. The expectation is that new and better tooling will allow the kernel to grow more usages of array_index_nospec(), for now, only claim mitigation for __user pointer de-references. Reported-by: Jiri Slaby Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727420158.33451.11658324346540434635.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit f7b9243f5f384fee1201f7708c49b349540458dc Author: Dan Williams Date: Fri Feb 23 11:42:06 2018 +0100 nl80211: Sanitize array index in parse_txq_params (cherry picked from commit 259d8c1e984318497c84eef547bbb6b1d9f4eb05) Wireless drivers rely on parse_txq_params to validate that txq_params->ac is less than NL80211_NUM_ACS by the time the low-level driver's ->conf_tx() handler is called. Use a new helper, array_index_nospec(), to sanitize txq_params->ac with respect to speculation. I.e. ensure that any speculation into ->conf_tx() handlers is done with a value of txq_params->ac that is within the bounds of [0, NL80211_NUM_ACS). Reported-by: Christian Lamparter Reported-by: Elena Reshetova Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Acked-by: Johannes Berg Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: linux-wireless@vger.kernel.org Cc: torvalds@linux-foundation.org Cc: "David S. Miller" Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727419584.33451.7700736761686184303.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 43e4f5aeaff2d6604d2c16267c8b15257cf974ea Author: Dan Williams Date: Fri Feb 23 11:42:05 2018 +0100 vfs, fdtable: Prevent bounds-check bypass via speculative execution (cherry picked from commit 56c30ba7b348b90484969054d561f711ba196507) 'fd' is a user controlled value that is used as a data dependency to read from the 'fdt->fd' array. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue reads based on an invalid 'file *' returned from __fcheck_files. Co-developed-by: Elena Reshetova Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Al Viro Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727418500.33451.17392199002892248656.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit c8961332d6da59b8a39998f46831fe7871cd1519 Author: Dan Williams Date: Fri Feb 23 11:42:04 2018 +0100 x86/syscall: Sanitize syscall table de-references under speculation (cherry picked from commit 2fbd7af5af8665d18bcefae3e9700be07e22b681) The syscall table base is a user controlled function pointer in kernel space. Use array_index_nospec() to prevent any out of bounds speculation. While retpoline prevents speculating into a userspace directed target it does not stop the pointer de-reference, the concern is leaking memory relative to the syscall table base, by observing instruction cache behavior. Reported-by: Linus Torvalds Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Andy Lutomirski Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: port to 4.4, no syscall_64] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit fd3d9535450c3c9b720bae22419c7419f50decf6 Author: Dan Williams Date: Fri Feb 23 11:42:03 2018 +0100 x86/get_user: Use pointer masking to limit speculation (cherry picked from commit c7f631cb07e7da06ac1d231ca178452339e32a94) Quoting Linus: I do think that it would be a good idea to very expressly document the fact that it's not that the user access itself is unsafe. I do agree that things like "get_user()" want to be protected, but not because of any direct bugs or problems with get_user() and friends, but simply because get_user() is an excellent source of a pointer that is obviously controlled from a potentially attacking user space. So it's a prime candidate for then finding _subsequent_ accesses that can then be used to perturb the cache. Unlike the __get_user() case get_user() includes the address limit check near the pointer de-reference. With that locality the speculation can be mitigated with pointer narrowing rather than a barrier, i.e. array_index_nospec(). Where the narrowing is performed by: cmp %limit, %ptr sbb %mask, %mask and %mask, %ptr With respect to speculation the value of %ptr is either less than %limit or NULL. Co-developed-by: Linus Torvalds Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: Kees Cook Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Al Viro Cc: Andy Lutomirski Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727417469.33451.11804043010080838495.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 64d41d13ed81d55e03c80d241cf353b1aa0bf1c3 Author: Dan Williams Date: Fri Feb 23 11:42:02 2018 +0100 x86: Introduce barrier_nospec (cherry picked from commit b3d7ad85b80bbc404635dca80f5b129f6242bc7a) Rename the open coded form of this instruction sequence from rdtsc_ordered() into a generic barrier primitive, barrier_nospec(). One of the mitigations for Spectre variant1 vulnerabilities is to fence speculative execution after successfully validating a bounds check. I.e. force the result of a bounds check to resolve in the instruction pipeline to ensure speculative execution honors that result before potentially operating on out-of-bounds data. No functional changes. Suggested-by: Linus Torvalds Suggested-by: Andi Kleen Suggested-by: Ingo Molnar Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: Tom Lendacky Cc: Kees Cook Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Al Viro Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727415361.33451.9049453007262764675.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit f136b56017ad7848449ac8b8aaebc340346acbbd Author: Dan Williams Date: Fri Feb 23 11:42:01 2018 +0100 x86: Implement array_index_mask_nospec (cherry picked from commit babdde2698d482b6c0de1eab4f697cf5856c5859) array_index_nospec() uses a mask to sanitize user controllable array indexes, i.e. generate a 0 mask if 'index' >= 'size', and a ~0 mask otherwise. While the default array_index_mask_nospec() handles the carry-bit from the (index - size) result in software. The x86 array_index_mask_nospec() does the same, but the carry-bit is handled in the processor CF flag without conditional instructions in the control flow. Suggested-by: Linus Torvalds Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727414808.33451.1873237130672785331.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang:chery pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 37b33b59ec6096c207d12df2c4b3ab6711fb952c Author: Dan Williams Date: Fri Feb 23 11:42:00 2018 +0100 array_index_nospec: Sanitize speculative array de-references (cherry picked from commit f3804203306e098dae9ca51540fcd5eb700d7f40) array_index_nospec() is proposed as a generic mechanism to mitigate against Spectre-variant-1 attacks, i.e. an attack that bypasses boundary checks via speculative execution. The array_index_nospec() implementation is expected to be safe for current generation CPUs across multiple architectures (ARM, x86). Based on an original implementation by Linus Torvalds, tweaked to remove speculative flows by Alexei Starovoitov, and tweaked again by Linus to introduce an x86 assembly implementation for the mask generation. Co-developed-by: Linus Torvalds Co-developed-by: Alexei Starovoitov Suggested-by: Cyril Novikov Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: Peter Zijlstra Cc: Catalin Marinas Cc: Will Deacon Cc: Russell King Cc: gregkh@linuxfoundation.org Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727414229.33451.18411580953862676575.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 3416cebfd1037797660f20543895a43524f420ee Author: Mark Rutland Date: Fri Feb 23 11:41:59 2018 +0100 Documentation: Document array_index_nospec (cherry picked from commit f84a56f73dddaeac1dba8045b007f742f61cd2da) Document the rationale and usage of the new array_index_nospec() helper. Signed-off-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Reviewed-by: Kees Cook Cc: linux-arch@vger.kernel.org Cc: Jonathan Corbet Cc: Peter Zijlstra Cc: gregkh@linuxfoundation.org Cc: kernel-hardening@lists.openwall.com Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727413645.33451.15878817161436755393.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 131f3e886648a186fddb43be72b4b7b091876a1c Author: Dou Liyang Date: Fri Feb 23 11:41:58 2018 +0100 x86/spectre: Check CONFIG_RETPOLINE in command line parser (cherry picked from commit 9471eee9186a46893726e22ebb54cade3f9bc043) The spectre_v2 option 'auto' does not check whether CONFIG_RETPOLINE is enabled. As a consequence it fails to emit the appropriate warning and sets feature flags which have no effect at all. Add the missing IS_ENABLED() check. Fixes: da285121560e ("x86/spectre: Add boot time option to select Spectre v2 mitigation") Signed-off-by: Dou Liyang Signed-off-by: Thomas Gleixner Cc: ak@linux.intel.com Cc: peterz@infradead.org Cc: Tomohiro Cc: dave.hansen@intel.com Cc: bp@alien8.de Cc: arjan@linux.intel.com Cc: dwmw@amazon.co.uk Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/f5892721-7528-3647-08fb-f8d10e65ad87@cn.fujitsu.com Signed-off-by: David Woodhouse [jwang: cherry-pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit e905005d58ebed85108f9a473d4a33127c013fd3 Author: Thomas Gleixner Date: Fri Feb 23 11:41:57 2018 +0100 x86/cpu/bugs: Make retpoline module warning conditional (cherry picked from commit e383095c7fe8d218e00ec0f83e4b95ed4e627b02) If sysfs is disabled and RETPOLINE not defined: arch/x86/kernel/cpu/bugs.c:97:13: warning: ‘spectre_v2_bad_module’ defined but not used [-Wunused-variable] static bool spectre_v2_bad_module; Hide it. Fixes: caf7501a1b4e ("module/retpoline: Warn about missing retpoline in module") Reported-by: Borislav Petkov Signed-off-by: Thomas Gleixner Cc: Andi Kleen Cc: David Woodhouse Signed-off-by: David Woodhouse [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit e9560fbe97d0c5da9e7cac0ede8448f0f2b83769 Author: Borislav Petkov Date: Fri Feb 23 11:41:56 2018 +0100 x86/bugs: Drop one "mitigation" from dmesg (cherry picked from commit 55fa19d3e51f33d9cd4056d25836d93abf9438db) Make [ 0.031118] Spectre V2 mitigation: Mitigation: Full generic retpoline into [ 0.031118] Spectre V2: Mitigation: Full generic retpoline to reduce the mitigation mitigations strings. Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Greg Kroah-Hartman Cc: riel@redhat.com Cc: ak@linux.intel.com Cc: peterz@infradead.org Cc: David Woodhouse Cc: jikos@kernel.org Cc: luto@amacapital.net Cc: dave.hansen@intel.com Cc: torvalds@linux-foundation.org Cc: keescook@google.com Cc: Josh Poimboeuf Cc: tim.c.chen@linux.intel.com Cc: pjt@google.com Link: https://lkml.kernel.org/r/20180126121139.31959-5-bp@alien8.de Signed-off-by: David Woodhouse [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 3d535a0f55d1ba44b66c88d44e592f12056c188b Author: Borislav Petkov Date: Fri Feb 23 11:41:55 2018 +0100 x86/nospec: Fix header guards names (cherry picked from commit 7a32fc51ca938e67974cbb9db31e1a43f98345a9) ... to adhere to the _ASM_X86_ naming scheme. No functional change. Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Cc: riel@redhat.com Cc: ak@linux.intel.com Cc: peterz@infradead.org Cc: David Woodhouse Cc: jikos@kernel.org Cc: luto@amacapital.net Cc: dave.hansen@intel.com Cc: torvalds@linux-foundation.org Cc: keescook@google.com Cc: Josh Poimboeuf Cc: tim.c.chen@linux.intel.com Cc: gregkh@linux-foundation.org Cc: pjt@google.com Link: https://lkml.kernel.org/r/20180126121139.31959-3-bp@alien8.de Signed-off-by: David Woodhouse [cherry-pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 6cd5513c813eb57eba081563beb817abd9923a3a Author: Andi Kleen Date: Fri Feb 23 11:41:54 2018 +0100 module/retpoline: Warn about missing retpoline in module (cherry picked from commit caf7501a1b4ec964190f31f9c3f163de252273b8) There's a risk that a kernel which has full retpoline mitigations becomes vulnerable when a module gets loaded that hasn't been compiled with the right compiler or the right option. To enable detection of that mismatch at module load time, add a module info string "retpoline" at build time when the module was compiled with retpoline support. This only covers compiled C source, but assembler source or prebuilt object files are not checked. If a retpoline enabled kernel detects a non retpoline protected module at load time, print a warning and report it in the sysfs vulnerability file. [ tglx: Massaged changelog ] Signed-off-by: Andi Kleen Signed-off-by: Thomas Gleixner Cc: David Woodhouse Cc: gregkh@linuxfoundation.org Cc: torvalds@linux-foundation.org Cc: jeyu@kernel.org Cc: arjan@linux.intel.com Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org Signed-off-by: David Woodhouse [jwang: port to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit d5030418b0c82956921545121b4f08df0f9ece70 Author: Peter Zijlstra Date: Fri Feb 23 11:41:53 2018 +0100 KVM: VMX: Make indirect call speculation safe (cherry picked from commit c940a3fb1e2e9b7d03228ab28f375fb5a47ff699) Replace indirect call with CALL_NOSPEC. Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Thomas Gleixner Reviewed-by: David Woodhouse Cc: Andrea Arcangeli Cc: Andi Kleen Cc: Ashok Raj Cc: Greg KH Cc: Jun Nakajima Cc: David Woodhouse Cc: Linus Torvalds Cc: rga@amazon.de Cc: Dave Hansen Cc: Asit Mallick Cc: Andy Lutomirski Cc: Josh Poimboeuf Cc: Jason Baron Cc: Paolo Bonzini Cc: Dan Williams Cc: Arjan Van De Ven Cc: Tim Chen Link: https://lkml.kernel.org/r/20180125095843.645776917@infradead.org Signed-off-by: David Woodhouse [backport to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 5dac465887db57833830601e290b8a581a95a9aa Author: Peter Zijlstra Date: Fri Feb 23 11:41:52 2018 +0100 KVM: x86: Make indirect calls in emulator speculation safe (cherry picked from commit 1a29b5b7f347a1a9230c1e0af5b37e3e571588ab) Replace the indirect calls with CALL_NOSPEC. Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Thomas Gleixner Reviewed-by: David Woodhouse Cc: Andrea Arcangeli Cc: Andi Kleen Cc: Ashok Raj Cc: Greg KH Cc: Jun Nakajima Cc: David Woodhouse Cc: Linus Torvalds Cc: rga@amazon.de Cc: Dave Hansen Cc: Asit Mallick Cc: Andy Lutomirski Cc: Josh Poimboeuf Cc: Jason Baron Cc: Paolo Bonzini Cc: Dan Williams Cc: Arjan Van De Ven Cc: Tim Chen Link: https://lkml.kernel.org/r/20180125095843.595615683@infradead.org [dwmw2: Use ASM_CALL_CONSTRAINT like upstream, now we have it] Signed-off-by: David Woodhouse [backport to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit ffe69f2dd11a8ef5f708f116a3bccb80b9d57e7d Author: Waiman Long Date: Fri Feb 23 11:41:51 2018 +0100 x86/retpoline: Remove the esp/rsp thunk commit 1df37383a8aeabb9b418698f0bcdffea01f4b1b2 upstream. It doesn't make sense to have an indirect call thunk with esp/rsp as retpoline code won't work correctly with the stack pointer register. Removing it will help compiler writers to catch error in case such a thunk call is emitted incorrectly. Fixes: 76b043848fd2 ("x86/retpoline: Add initial retpoline support") Suggested-by: Jeff Law Signed-off-by: Waiman Long Signed-off-by: Thomas Gleixner Acked-by: David Woodhouse Cc: Tom Lendacky Cc: Kees Cook Cc: Andi Kleen Cc: Tim Chen Cc: Peter Zijlstra Cc: Linus Torvalds Cc: Jiri Kosina Cc: Andy Lutomirski Cc: Dave Hansen Cc: Josh Poimboeuf Cc: Arjan van de Ven Cc: Greg Kroah-Hartman Cc: Paul Turner Link: https://lkml.kernel.org/r/1516658974-27852-1-git-send-email-longman@redhat.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 5f7537133212bc12298e99abf21bea6e08489d58 Author: Wanpeng Li Date: Thu Sep 14 03:54:16 2017 -0700 KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously commit 9a6e7c39810e4a8bc7fc95056cefb40583fe07ef upstream. qemu-system-x86-8600 [004] d..1 7205.687530: kvm_entry: vcpu 2 qemu-system-x86-8600 [004] .... 7205.687532: kvm_exit: reason EXCEPTION_NMI rip 0xffffffffa921297d info ffffeb2c0e44e018 80000b0e qemu-system-x86-8600 [004] .... 7205.687532: kvm_page_fault: address ffffeb2c0e44e018 error_code 0 qemu-system-x86-8600 [004] .... 7205.687620: kvm_try_async_get_page: gva = 0xffffeb2c0e44e018, gfn = 0x427e4e qemu-system-x86-8600 [004] .N.. 7205.687628: kvm_async_pf_not_present: token 0x8b002 gva 0xffffeb2c0e44e018 kworker/4:2-7814 [004] .... 7205.687655: kvm_async_pf_completed: gva 0xffffeb2c0e44e018 address 0x7fcc30c4e000 qemu-system-x86-8600 [004] .... 7205.687703: kvm_async_pf_ready: token 0x8b002 gva 0xffffeb2c0e44e018 qemu-system-x86-8600 [004] d..1 7205.687711: kvm_entry: vcpu 2 After running some memory intensive workload in guest, I catch the kworker which completes the GUP too quickly, and queues an "Page Ready" #PF exception after the "Page not Present" exception before the next vmentry as the above trace which will result in #DF injected to guest. This patch fixes it by clearing the queue for "Page not Present" if "Page Ready" occurs before the next vmentry since the GUP has already got the required page and shadow page table has already been fixed by "Page Ready" handler. Cc: Paolo Bonzini Cc: Radim Krčmář Signed-off-by: Wanpeng Li Fixes: 7c90705bf2a3 ("KVM: Inject asynchronous page fault into a PV guest if page is swapped out.") [Changed indentation and added clearing of injected. - Radim] Signed-off-by: Radim Krčmář [port from upstream v4.14-rc1, Don't assign to kvm_queued_exception::injected or x86_exception::async_page_fault] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman commit 0ffa39fb594e22e974da2101d92d8967a7777253 Author: Arnd Bergmann Date: Tue Feb 20 12:55:09 2018 +0100 kasan: rework Kconfig settings commit e7c52b84fb18f08ce49b6067ae6285aca79084a8 upstream. We get a lot of very large stack frames using gcc-7.0.1 with the default -fsanitize-address-use-after-scope --param asan-stack=1 options, which can easily cause an overflow of the kernel stack, e.g. drivers/gpu/drm/i915/gvt/handlers.c:2434:1: warning: the frame size of 46176 bytes is larger than 3072 bytes drivers/net/wireless/ralink/rt2x00/rt2800lib.c:5650:1: warning: the frame size of 23632 bytes is larger than 3072 bytes lib/atomic64_test.c:250:1: warning: the frame size of 11200 bytes is larger than 3072 bytes drivers/gpu/drm/i915/gvt/handlers.c:2621:1: warning: the frame size of 9208 bytes is larger than 3072 bytes drivers/media/dvb-frontends/stv090x.c:3431:1: warning: the frame size of 6816 bytes is larger than 3072 bytes fs/fscache/stats.c:287:1: warning: the frame size of 6536 bytes is larger than 3072 bytes To reduce this risk, -fsanitize-address-use-after-scope is now split out into a separate CONFIG_KASAN_EXTRA Kconfig option, leading to stack frames that are smaller than 2 kilobytes most of the time on x86_64. An earlier version of this patch also prevented combining KASAN_EXTRA with KASAN_INLINE, but that is no longer necessary with gcc-7.0.1. All patches to get the frame size below 2048 bytes with CONFIG_KASAN=y and CONFIG_KASAN_EXTRA=n have been merged by maintainers now, so we can bring back that default now. KASAN_EXTRA=y still causes lots of warnings but now defaults to !COMPILE_TEST to disable it in allmodconfig, and it remains disabled in all other defconfigs since it is a new option. I arbitrarily raise the warning limit for KASAN_EXTRA to 3072 to reduce the noise, but an allmodconfig kernel still has around 50 warnings on gcc-7. I experimented a bit more with smaller stack frames and have another follow-up series that reduces the warning limit for 64-bit architectures to 1280 bytes (without CONFIG_KASAN). With earlier versions of this patch series, I also had patches to address the warnings we get with KASAN and/or KASAN_EXTRA, using a "noinline_if_stackbloat" annotation. That annotation now got replaced with a gcc-8 bugfix (see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715) and a workaround for older compilers, which means that KASAN_EXTRA is now just as bad as before and will lead to an instant stack overflow in a few extreme cases. This reverts parts of commit 3f181b4d8652 ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with KASAN=y"). Two patches in linux-next should be merged first to avoid introducing warnings in an allmodconfig build: 3cd890dbe2a4 ("media: dvb-frontends: fix i2c access helpers for KASAN") 16c3ada89cff ("media: r820t: fix r820t_write_reg for KASAN") Do we really need to backport this? I think we do: without this patch, enabling KASAN will lead to unavoidable kernel stack overflow in certain device drivers when built with gcc-7 or higher on linux-4.10+ or any version that contains a backport of commit c5caf21ab0cf8. Most people are probably still on older compilers, but it will get worse over time as they upgrade their distros. The warnings we get on kernels older than this should all be for code that uses dangerously large stack frames, though most of them do not cause an actual stack overflow by themselves.The asan-stack option was added in linux-4.0, and commit 3f181b4d8652 ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with KASAN=y") effectively turned off the warning for allmodconfig kernels, so I would like to see this fix backported to any kernels later than 4.0. I have done dozens of fixes for individual functions with stack frames larger than 2048 bytes with asan-stack, and I plan to make sure that all those fixes make it into the stable kernels as well (most are already there). Part of the complication here is that asan-stack (from 4.0) was originally assumed to always require much larger stacks, but that turned out to be a combination of multiple gcc bugs that we have now worked around and fixed, but sanitize-address-use-after-scope (from v4.10) has a much higher inherent stack usage and also suffers from at least three other problems that we have analyzed but not yet fixed upstream, each of them makes the stack usage more severe than it should be. Link: http://lkml.kernel.org/r/20171221134744.2295529-1-arnd@arndb.de Signed-off-by: Arnd Bergmann Acked-by: Andrey Ryabinin Cc: Mauro Carvalho Chehab Cc: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Andrey Konovalov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [arnd: rebase to v4.4; only re-enable warning] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit f45cd9bda573bacbb89a493db3c395c3347a5a2c Author: Sudip Mukherjee Date: Tue Feb 20 12:55:08 2018 +0100 drm/gma500: remove helper function commit db9b60400f9253c25ae639797df2d0ff7a35d9d8 upstream. We were getting build warning about: drivers/gpu/drm/gma500/mdfld_dsi_output.c:407:2: warning: initialization from incompatible pointer type The callback to dpms was pointing to a helper function which had a return type of void, whereas the callback should point to a function which has a return type of int. On closer look it turned out that we do not need the helper function since if we call drm_helper_connector_dpms() directly, the first check that drm_helper_connector_dpms() does is: if (mode == connector->dpms) Signed-off-by: Sudip Mukherjee Link: http://patchwork.freedesktop.org/patch/msgid/1454393155-13142-1-git-send-email-sudipm.mukherjee@gmail.com Acked-by: Patrik Jakobsson Signed-off-by: Daniel Vetter [arnd: rebased to 4.4] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 26c3a6a7f5435712eaa70cb413717838abc49258 Author: Borislav Petkov Date: Tue Feb 20 12:55:05 2018 +0100 x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug commit dac6ca243c4c49a9ca7507d3d66140ebfac8b04b upstream. With CONFIG_DEBUG_PREEMPT enabled, I get: BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 caller is debug_smp_processor_id CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc2+ #2 Call Trace: dump_stack check_preemption_disabled debug_smp_processor_id save_microcode_in_initrd_amd ? microcode_init save_microcode_in_initrd ... because, well, it says it above, we're using smp_processor_id() in preemptible code. But passing the CPU number is not really needed. It is only used to determine whether we're on the BSP, and, if so, to save the microcode patch for early loading. [ We don't absolutely need to do it on the BSP but we do that customarily there. ] Instead, convert that function parameter to a boolean which denotes whether the patch should be saved or not, thereby avoiding the use of smp_processor_id() in preemptible code. Signed-off-by: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170528200414.31305-1-bp@alien8.de Signed-off-by: Ingo Molnar [arnd: rebased to 4.9, after running into warning: arch/x86/kernel/cpu/microcode/amd.c:881:30: self-comparison always evaluates to true] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit d93cf73400848e97b59e162aaead9c91fd701fa2 Author: Michal Marek Date: Tue Feb 20 12:55:01 2018 +0100 genksyms: Fix segfault with invalid declarations commit d920f7c6628c63a390009c237fb80a203c2e400a upstream. Do not try to recover too early and segfault when parsing invalid declarations such as echo 'int (int);' | scripts/genksyms/genksyms echo 'int a, (int);' | scripts/genksyms/genksyms echo 'extern void *__inline_memcpy((void *), (const void *), (__kernel_size_t));' | scripts/genksyms/genksyms The last one was a real-life bug with include/asm-generic/asm-prototypes.h on x86_64. Reported-and-tested-by: Borislav Petkov Signed-off-by: Michal Marek [arnd: rebase to 4.4, regenerate parse.tab.{c,h}] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 5381db24f6471272901fd0c0a9a016f7c34f5252 Author: Andy Lutomirski Date: Tue Feb 20 12:55:00 2018 +0100 dell-wmi, dell-laptop: depends DMI commit a570af4850043260b87fb1b8aa27a4484e648878 upstream. dell-wmi and dell-laptop will compile but won't work right if DMI isn't selected. Signed-off-by: Andy Lutomirski Acked-by: Pali Rohár [arnd: Use depends instead of selects to avoid recursive dependencies] Signed-off-by: Arnd Bergmann Signed-off-by: Darren Hart [arnd: rebase to 4.4-stable] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 15a242fd439a2f630f170ff92c2e1019f0337c17 Author: Arnd Bergmann Date: Tue Feb 20 12:54:58 2018 +0100 netlink: fix nla_put_{u8,u16,u32} for KASAN commit b4391db42308c9940944b5d7be5ca4b78fb88dd0 upstream. When CONFIG_KASAN is enabled, the "--param asan-stack=1" causes rather large stack frames in some functions. This goes unnoticed normally because CONFIG_FRAME_WARN is disabled with CONFIG_KASAN by default as of commit 3f181b4d8652 ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with KASAN=y"). The kernelci.org build bot however has the warning enabled and that led me to investigate it a little further, as every build produces these warnings: net/wireless/nl80211.c:4389:1: warning: the frame size of 2240 bytes is larger than 2048 bytes [-Wframe-larger-than=] net/wireless/nl80211.c:1895:1: warning: the frame size of 3776 bytes is larger than 2048 bytes [-Wframe-larger-than=] net/wireless/nl80211.c:1410:1: warning: the frame size of 2208 bytes is larger than 2048 bytes [-Wframe-larger-than=] net/bridge/br_netlink.c:1282:1: warning: the frame size of 2544 bytes is larger than 2048 bytes [-Wframe-larger-than=] Most of this problem is now solved in gcc-8, which can consolidate the stack slots for the inline function arguments. On older compilers we can add a workaround by declaring a local variable in each function to pass the inline function argument. Cc: stable@vger.kernel.org Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller [arnd: rebased to 4.4-stable] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit bd84055a3748ca0b11c466a252d46af6cf8e765f Author: Vinod Koul Date: Tue Feb 20 12:54:57 2018 +0100 ASoC: Intel: Kconfig: fix build when ACPI is not enabled commit 3493d4a86457c7de9f1e602b4267c9b0f9ec1c9f upstream. Randy reported following error when ACPI is not enabled: warning: (SND_SOC_INTEL_BYTCR_RT5640_MACH && SND_SOC_INTEL_BYTCR_RT5651_MACH && SND_SOC_INTEL_CHT_BSW_RT5672_MACH && SND_SOC_INTEL_CHT_BSW_RT5645_MACH && SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH) selects SND_SST_IPC_ACPI +which has unmet direct dependencies (SOUND && !M68K && !UML && SND && SND_SOC && ACPI) causing these build errors: In file included from ../sound/soc/intel/atom/sst/sst_acpi.c:40:0: ../include/acpi/acpi_bus.h:65:20: error: conflicting types for 'acpi_evaluate_dsm' union acpi_object *acpi_evaluate_dsm(acpi_handle handle, const u8 *uuid, In file included from ../sound/soc/intel/atom/sst/sst_acpi.c:31:0: ../include/linux/acpi.h:676:34: note: previous definition of 'acpi_evaluate_dsm' was here static inline union acpi_object *acpi_evaluate_dsm(acpi_handle handle, CONFIG_SND_SST_IPC_ACPI was already dependent upon ACPI, but that was not solving it. So move the depends up to machine drivers and remove from CONFIG_SND_SST_IPC_ACPI. Reported-by: Randy Dunlap Signed-off-by: Vinod Koul Signed-off-by: Mark Brown [arnd: rebased to PATCH kernel] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 0522f5e8c0a5f3835c2115aa2627d621ebbc7818 Author: Arnd Bergmann Date: Tue Feb 20 12:54:56 2018 +0100 ARM: tegra: select USB_ULPI from EHCI rather than platform commit a262e87ff354f12447bb6268bd63edf7ba1c20e0 upstream. For historic reasons, the tegra platform selects USB_ULPI from architecture code, but that hasn't really made sense for a long time, as the only user of that code is the Tegra EHCI driver that has its own Kconfig symbol. This removes the 'select' statements from mach-tegra and drivers/soc/tegra and adds them with the device driver that actually needs them. Signed-off-by: Arnd Bergmann Signed-off-by: Thierry Reding [arnd: rebased to 4.4-stable] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 4d48916f2707176edd705c500028362657b2757b Author: Arnd Bergmann Date: Tue Feb 20 12:54:55 2018 +0100 ncr5380: shut up gcc indentation warning gcc-6 and higher warn about the way some loops are written in the ncr5380 driver: drivers/scsi/g_NCR5380.c: In function 'generic_NCR5380_pread': drivers/scsi/g_NCR5380.c:541:3: error: this 'while' clause does not guard... [-Werror=misleading-indentation] while (NCR5380_read(C400_CONTROL_STATUS_REG) & CSR_HOST_BUF_NOT_RDY); ^~~~~ drivers/scsi/g_NCR5380.c:544:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'while' This was addressed in mainline kernels as part of a rework on commit 12150797d064 ("ncr5380: Use runtime register mapping"). We don't want the entire patch backported to stable kernels, but we can backport one hunk to get rid of the warning. Signed-off-by: Arnd Bergmann Acked-by: Finn Thain Signed-off-by: Greg Kroah-Hartman commit 18e5cdf6f4c9fa79e409f24802a2223262b93eff Author: Arnd Bergmann Date: Tue Feb 20 12:54:54 2018 +0100 usb: phy: msm add regulator dependency On linux-4.4 and linux-4.9 we get a warning about an array that is never initialized when CONFIG_REGULATOR is disabled: drivers/usb/phy/phy-msm-usb.c: In function 'msm_otg_probe': drivers/usb/phy/phy-msm-usb.c:1911:14: error: 'regs[0].consumer' may be used uninitialized in this function [-Werror=maybe-uninitialized] motg->vddcx = regs[0].consumer; ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ drivers/usb/phy/phy-msm-usb.c:1912:14: error: 'regs[1].consumer' may be used uninitialized in this function [-Werror=maybe-uninitialized] motg->v3p3 = regs[1].consumer; ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ drivers/usb/phy/phy-msm-usb.c:1913:14: error: 'regs[2].consumer' may be used uninitialized in this function [-Werror=maybe-uninitialized] motg->v1p8 = regs[2].consumer; This adds a Kconfig dependency for it. In newer kernels, the driver no longer exists, so this is only needed for stable kernels. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 3596e409a454a880a564045bf7443994f53a39cd Author: Arnd Bergmann Date: Tue Feb 20 12:54:53 2018 +0100 idle: i7300: add PCI dependency GCC correctly points out an uninitialized variable use when CONFIG_PCI is disabled. drivers/idle/i7300_idle.c: In function 'i7300_idle_notifier': include/asm-generic/bug.h:119:5: error: 'got_ctl' may be used uninitialized in this function [-Werror=maybe-uninitialized] if (unlikely(__ret_warn_once && !__warned)) { \ ^ drivers/idle/i7300_idle.c:415:5: note: 'got_ctl' was declared here u8 got_ctl; ^~~~~~~ The driver no longer exists in later kernels, so this patch only appplies to linux-4.9.y and earlier. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit b8b624d9885fea0d0bb7f51d9548004cd6882002 Author: Arnd Bergmann Date: Tue Feb 20 12:54:52 2018 +0100 binfmt_elf: compat: avoid unused function warning When CONFIG_ELF_CORE is disabled, we get a harmless warning in the compat version of binfmt_elf: fs/compat_binfmt_elf.c:58:13: error: 'cputime_to_compat_timeval' defined but not used [-Werror=unused-function] This was addressed in mainline Linux as part of a larger rework with commit cd19c364b313 ("fs/binfmt: Convert obsolete cputime type to nsecs"). For 4.9 and earlier, this just shuts up the warning by adding an #ifdef around the function definition. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 9e9c3045bb4521c0eb92cf533cba2f8ba5bd1a69 Author: Arnd Bergmann Date: Tue Feb 20 12:54:51 2018 +0100 isdn: sc: work around type mismatch warning This driver shows warnings on many architectures: drivers/isdn/sc/init.c: In function 'identify_board': drivers/isdn/sc/init.c:484:2: error: passing argument 1 of 'readl' makes pointer from integer without a cast [-Werror] In newer kernels, it was completely removed, but for the 4.4-stable series, let's just shut up that warning by adding an extra variable to do the necessary type cast. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit e8988dbe21b0449e1e5393e92fafd1f19b7db197 Author: Arnd Bergmann Date: Tue Feb 20 12:54:50 2018 +0100 power: bq27xxx_battery: mark some symbols __maybe_unused Without the I2C driver, we get a few warnings: drivers/power/bq27xxx_battery.c:288:12: error: 'bq27xxx_regs' defined but not used [-Werror=unused-variable] static u8 *bq27xxx_regs[] = { ^ drivers/power/bq27xxx_battery.c:994:12: error: 'bq27xxx_powersupply_init' defined but not used [-Werror=unused-function] static int bq27xxx_powersupply_init(struct bq27xxx_device_info *di, ^ drivers/power/bq27xxx_battery.c:1029:13: error: 'bq27xxx_powersupply_unregister' defined but not used [-Werror=unused-function] static void bq27xxx_powersupply_unregister(struct bq27xxx_device_info *di) ^ In mainline kernels, this was addressed by a larger rework in 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module"). We probably don't want this backported into stable kernels, so instead let's shut up the warnings by marking the symbols as __maybe_unused. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 7131acefb98a5f96745847221ce9825fa21dbde7 Author: Arnd Bergmann Date: Tue Feb 20 12:54:49 2018 +0100 Revert "power: bq27xxx_battery: Remove unneeded dependency in Kconfig" This reverts commit 6bd03ce3c12a22d86f59070f1da15aaa2bde8a51, it was applied in error and cuased this link failure drivers/built-in.o: In function `bq27xxx_battery_i2c_read': core.c:(.text+0xa6da8): undefined reference to `i2c_transfer' drivers/built-in.o: In function `bq27xxx_battery_init': core.c:(.init.text+0x68e0): undefined reference to `i2c_register_driver' drivers/built-in.o: In function `bq27xxx_battery_exit': core.c:(.exit.text+0xc6c): undefined reference to `i2c_del_driver' Later upstream kernels fixed this with a larger rework in commit 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module"), but we cannot backport that to 4.4. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 633c324b829e13005b12470da1b2d5d447030e82 Author: Miklos Szeredi Date: Tue Sep 27 11:03:57 2016 +0200 ncpfs: fix unused variable warning commit 9a232de4999666b2e8ea6775b2b0e3e4feb09b7a upstream. Without CONFIG_NCPFS_NLS the following warning is seen: fs/ncpfs/dir.c: In function 'ncp_hash_dentry': fs/ncpfs/dir.c:136:23: warning: unused variable 'sb' [-Wunused-variable] struct super_block *sb = dentry->d_sb; Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit ac331bd2f61b5ea6f74f04c41d8e2caf01f9d243 Author: Arnd Bergmann Date: Fri Feb 17 16:13:44 2017 +0100 gpio: xgene: mark PM functions as __maybe_unused commit b115bebc07f282067eccc06fd5aa3060ab1426da upstream. When CONFIG_PM_SLEEP is disabled, we get a warning about unused functions: drivers/gpio/gpio-xgene.c:155:12: warning: 'xgene_gpio_resume' defined but not used [-Wunused-function] static int xgene_gpio_resume(struct device *dev) ^~~~~~~~~~~~~~~~~ drivers/gpio/gpio-xgene.c:142:12: warning: 'xgene_gpio_suspend' defined but not used [-Wunused-function] static int xgene_gpio_suspend(struct device *dev) The warnings are harmless and can be avoided by simplifying the code and marking the functions as __maybe_unused. Signed-off-by: Arnd Bergmann Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit d9a4d80bb375c509c91d901d985fe67c7af478c1 Author: Arnd Bergmann Date: Fri Jan 29 12:39:11 2016 +0100 net: hp100: remove unnecessary #ifdefs commit 747a11279a442b913a57bf38934879babab3b58b upstream. Building the hp100 ethernet driver causes warnings when both the PCI and EISA drivers are disabled: ethernet/hp/hp100.c: In function 'hp100_module_init': ethernet/hp/hp100.c:3047:2: warning: label 'out3' defined but not used [-Wunused-label] ethernet/hp/hp100.c: At top level: ethernet/hp/hp100.c:2828:13: warning: 'cleanup_dev' defined but not used [-Wunused-function] We can easily avoid the warnings and make the driver look slightly nicer by removing the #ifdefs that check for the CONFIG_PCI and CONFIG_EISA, as all the registration functions are designed to have no effect when the buses are disabled. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4b88c89bc2375fdaf52d0231c7ebf4f4200701d5 Author: Jun Nie Date: Tue Jan 10 17:23:40 2017 +0800 dmaengine: zx: fix build warning commit 067fdeb2f391bfa071f741a2b3eb74b8ff3785cd upstream. Fix build warning that related to PAGE_SIZE. The maximum DMA length has nothing to do with PAGE_SIZE, just use a fix number for the definition. drivers/dma/zx_dma.c: In function 'zx_dma_prep_memcpy': drivers/dma/zx_dma.c:523:8: warning: division by zero [-Wdiv-by-zero] drivers/dma/zx_dma.c: In function 'zx_dma_prep_slave_sg': drivers/dma/zx_dma.c:567:11: warning: division by zero [-Wdiv-by-zero] Signed-off-by: Jun Nie Tested-by: Shawn Guo Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit e787fce41c0746e39b9edafcadb3c4d05b43d063 Author: Arnd Bergmann Date: Wed Jul 19 14:52:59 2017 +0200 perf/x86: Shut up false-positive -Wmaybe-uninitialized warning commit 11d8b05855f3749bcb6c57e2c4052921b9605c77 upstream. The intialization function checks for various failure scenarios, but unfortunately the compiler gets a little confused about the possible combinations, leading to a false-positive build warning when -Wmaybe-uninitialized is set: arch/x86/events/core.c: In function ‘init_hw_perf_events’: arch/x86/events/core.c:264:3: warning: ‘reg_fail’ may be used uninitialized in this function [-Wmaybe-uninitialized] arch/x86/events/core.c:264:3: warning: ‘val_fail’ may be used uninitialized in this function [-Wmaybe-uninitialized] pr_err(FW_BUG "the BIOS has corrupted hw-PMU resources (MSR %x is %Lx)\n", We can't actually run into this case, so this shuts up the warning by initializing the variables to a known-invalid state. Suggested-by: Peter Zijlstra Signed-off-by: Arnd Bergmann Cc: Alexander Shishkin Cc: Andy Lutomirski Cc: Arnaldo Carvalho de Melo Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170719125310.2487451-2-arnd@arndb.de Link: https://patchwork.kernel.org/patch/9392595/ Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit d3843789e778f93147b719ccf91e2aeea15b59fc Author: Arnd Bergmann Date: Wed Mar 2 16:59:02 2016 +0100 wireless: cw1200: use __maybe_unused to hide pm functions_ commit 836856e3bd61d0644e5178a2c1b51d90459e2788 upstream. The cw1200 uses #ifdef to check for CONFIG_PM, but then uses SIMPLE_DEV_PM_OPS, which leaves the references out when CONFIG_PM_SLEEP is not defined, so we get a warning with PM=y && PM_SLEEP=n: drivers/net/wireless/st/cw1200/cw1200_spi.c:450:12: error: 'cw1200_spi_suspend' defined but not used [-Werror=unused-function] This removes the incorrect #ifdef and instead uses a __maybe_unused annotation to let the compiler know it can silently drop the function definition. For the DEV_PM_OPS definition, we can use an IS_ENABLED() check to avoid defining the structure when CONFIG_PM is not set without the #ifdef. Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 6420c014ed9c9f34ea0b0dd9889f7deb55aeba5b Author: Arnd Bergmann Date: Tue Oct 25 22:21:04 2016 +0200 cw1200: fix bogus maybe-uninitialized warning commit 7fc1503c906f0fac62d3506a6e993e49fb996248 upstream. On x86, the cw1200 driver produces a rather silly warning about the possible use of the 'ret' variable without an initialization presumably after being confused by the architecture specific definition of WARN_ON: drivers/net/wireless/st/cw1200/wsm.c: In function ‘wsm_handle_rx’: drivers/net/wireless/st/cw1200/wsm.c:1457:9: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] We have already checked that 'count' is larger than 0 here, so we know that 'ret' is initialized. Changing the 'for' loop into do/while also makes this clear to the compiler. Suggested-by: David Laight Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 30ddc36cb7651907c6cefcf19d4f7abe21815c9f Author: Arnd Bergmann Date: Tue Jan 26 19:46:02 2016 -0200 v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER commit 7c8fe516bd81d991feb73ccd969ec29850af3013 upstream. em28xx selects VIDEO_TUNER, which has a dependency on MEDIA_TUNER, so we get a Kconfig warning if that is disabled: warning: (VIDEO_PVRUSB2 && VIDEO_USBVISION && VIDEO_GO7007 && VIDEO_AU0828_V4L2 && VIDEO_CX231XX && VIDEO_TM6000 && VIDEO_EM28XX && VIDEO_IVTV && VIDEO_MXB && VIDEO_CX18 && VIDEO_CX23885 && VIDEO_CX88 && VIDEO_BT848 && VIDEO_SAA7134 && VIDEO_SAA7164) selects VIDEO_TUNER which has unmet direct dependencies (MEDIA_SUPPORT && MEDIA_TUNER) VIDEO_TUNER does not actually depend on MEDIA_TUNER, and the dependency does nothing except cause the above warning, so let's remove it. Signed-off-by: Arnd Bergmann Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit a32040f7bbaf3c3800452657f9864ec8abeb10ef Author: Arnd Bergmann Date: Tue Jan 26 12:09:56 2016 -0200 hdpvr: hide unused variable commit b97baa3e22e18dac42001e665cf27ad1211bf878 upstream. The i2c client pointer is only used when CONFIG_I2C is set, and otherwise produces a compile-time warning: drivers/media/usb/hdpvr/hdpvr-core.c: In function 'hdpvr_probe': drivers/media/usb/hdpvr/hdpvr-core.c:276:21: error: unused variable 'client' [-Werror=unused-variable] This uses the same #ifdef to hide the variable when the code using it is hidden. Signed-off-by: Arnd Bergmann Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 3d2ff1139dfc27e385b129334d41e9acf4d71062 Author: Thierry Reding Date: Tue Dec 15 12:20:49 2015 +0100 drm/gma500: Sanity-check pipe index commit 4f250706211cdb949f7580d4fe4dd1fd646de693 upstream. If the DSI output isn't connected, then mdfld_dsi_encoder_get_pipe() will return -1. The mdfld_dsi_dp_mode_set() function doesn't properly check for this condition and causes the following compiler warnings: CC drivers/gpu/drm/gma500/mdfld_dsi_dpi.o drivers/gpu/drm/gma500/mdfld_dsi_dpi.c: In function ‘mdfld_dsi_dpi_mode_set’: drivers/gpu/drm/gma500/mdfld_dsi_dpi.c:828:35: warning: array subscript is below array bounds [-Warray-bounds] u32 pipeconf = dev_priv->pipeconf[pipe]; ^ drivers/gpu/drm/gma500/mdfld_dsi_dpi.c:829:33: warning: array subscript is below array bounds [-Warray-bounds] u32 dspcntr = dev_priv->dspcntr[pipe]; ^ Fix this by checking for a valid pipe before indexing the pipeconf and dspcntr arrays. Cc: Patrik Jakobsson Reviewed-by: Patrik Jakobsson Signed-off-by: Thierry Reding Signed-off-by: Boris Brezillon Link: http://patchwork.freedesktop.org/patch/msgid/1450178476-26284-2-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit ab7b4a32b4e89ff1d59b5d3843b548fb5c0e80a2 Author: Heikki Krogerus Date: Thu Dec 10 13:26:21 2015 +0200 serial: 8250_mid: fix broken DMA dependency commit 0ff4230584320b2153752ba54e2e8edbd6addf2c upstream. In order to enable HSU DMA PCI driver, the HSU DMA Engine must be enabled. This add a check for that. Reported-by: kbuild test robot Signed-off-by: Heikki Krogerus Signed-off-by: Greg Kroah-Hartman commit 8caadd7bf286336f5542f2302b960419190b60fe Author: Arnd Bergmann Date: Wed Mar 2 16:59:06 2016 +0100 ASoC: rockchip: use __maybe_unused to hide st_irq_syscfg_resume commit d8fc2198aab117a4bc16ee305caef19c4c7e7f5c upstream. The rockchip spdif driver uses SIMPLE_DEV_PM_OPS to conditionally set its power management functions, but we get a warning about rk_spdif_runtime_resume being unused when CONFIG_PM is not set: sound/soc/rockchip/rockchip_spdif.c:67:12: error: 'rk_spdif_runtime_resume' defined but not used [-Werror=unused-function] This adds a __maybe_unused annotation so the compiler knows it can silently drop it instead of warning. Signed-off-by: Arnd Bergmann Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 31f92b9f1746fc34a101c1ecefb80de1410a1b9a Author: Arnd Bergmann Date: Wed Jan 25 23:15:53 2017 +0100 ISDN: eicon: reduce stack size of sig_ind function commit 27d807180ae0a9e50d90adf9b22573c21be904c2 upstream. I noticed that this function uses a lot of kernel stack when the "latent entropy" plugin is enabled: drivers/isdn/hardware/eicon/message.c: In function 'sig_ind': drivers/isdn/hardware/eicon/message.c:6113:1: error: the frame size of 1168 bytes is larger than 1152 bytes [-Werror=frame-larger-than=] We currently don't warn about this, as we raise the warning limit to 2048 bytes in mainline, but I'd like to lower that limit again in the future, and this function can easily be changed to be more efficient and avoid that warning, by making some of its local variables 'const'. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b17b3fdc762aec17d49f7e1805ffae7506abe45f Author: Arnd Bergmann Date: Tue Jan 26 12:09:59 2016 -0200 em28xx: only use mt9v011 if camera support is enabled commit 190b23b4eb997767afad186bd8c96badceabf39e upstream. In randconfig builds that select VIDEO_EM28XX_V4L2 and MEDIA_SUBDRV_AUTOSELECT, but not MEDIA_CAMERA_SUPPORT, we get a Kconfig warning: warning: (VIDEO_EM28XX_V4L2) selects VIDEO_MT9V011 which has unmet direct dependencies (MEDIA_SUPPORT && I2C && VIDEO_V4L2 && MEDIA_CAMERA_SUPPORT) This avoids the warning by making that 'select' conditional on MEDIA_CAMERA_SUPPORT. Alternatively we could mark EM28XX as 'depends on MEDIA_CAMERA_SUPPORT', but it does not seem to have any real dependency on that itself. Signed-off-by: Arnd Bergmann Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 48528cb611cdd73db285549cf1eec87c5116a85c Author: Arnd Bergmann Date: Tue Jan 26 12:10:01 2016 -0200 go7007: add MEDIA_CAMERA_SUPPORT dependency commit fa6317eedd6341f2144ed1097706d8c34f18b6e4 upstream. If MEDIA_SUBDRV_AUTOSELECT and VIDEO_GO7007 are both set, we automatically select VIDEO_OV7640, but that depends on MEDIA_CAMERA_SUPPORT, so we get a Kconfig warning if that is disabled: warning: (VIDEO_GO7007) selects VIDEO_OV7640 which has unmet direct dependencies (MEDIA_SUPPORT && I2C && VIDEO_V4L2 && MEDIA_CAMERA_SUPPORT) This adds another dependency so we don't accidentally select it when it is unavailable. Signed-off-by: Arnd Bergmann Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 6f2f10ea6ed781681f66c6554868620158e94ea3 Author: Arnd Bergmann Date: Wed Oct 4 12:28:18 2017 +0200 KVM: add X86_LOCAL_APIC dependency commit e42eef4ba38806b18c4a74f0c276fb2e0b548173 upstream. The rework of the posted interrupt handling broke building without support for the local APIC: ERROR: "boot_cpu_physical_apicid" [arch/x86/kvm/kvm-intel.ko] undefined! That configuration is probably not particularly useful anyway, so we can avoid the randconfig failures by adding a Kconfig dependency. Fixes: 8b306e2f3c41 ("KVM: VMX: avoid double list add with VT-d posted interrupts") Signed-off-by: Arnd Bergmann Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit 9975bd33e12b37f986d47234b1b5dd56c805ed53 Author: Arnd Bergmann Date: Wed Oct 26 15:55:02 2016 -0700 Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning commit ea4348c8462a20e8b1b6455a7145d2b86f8a49b6 upstream. Older versions of gcc warn about the tca8418_irq_handler function as they can't keep track of the variable assignment inside of the loop when using the -Wmaybe-unintialized flag: drivers/input/keyboard/tca8418_keypad.c: In function ‘tca8418_irq_handler’: drivers/input/keyboard/tca8418_keypad.c:172:9: error: ‘reg’ may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/input/keyboard/tca8418_keypad.c:165:5: note: ‘reg’ was declared here This is fixed in gcc-6, but it's possible to rearrange the code in a way that avoids the warning on older compilers as well. Signed-off-by: Arnd Bergmann Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit c19bb06726c02ffa8cd45bc5f787811b774612c2 Author: Arnd Bergmann Date: Mon Oct 24 17:30:38 2016 +0200 drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized commit b74c0a9969f25217a5e5bbcac56a11bee16718d3 upstream. gcc-4.9 notices that the validate_init() function returns unintialized data when called with a zero 'nr_buffers' argument, when called with the -Wmaybe-uninitialized flag: drivers/gpu/drm/nouveau/nouveau_gem.c: In function ‘validate_init.isra.6’: drivers/gpu/drm/nouveau/nouveau_gem.c:457:5: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] However, the only caller of this function always passes a nonzero argument, and gcc-6 is clever enough to take this into account and not warn about it any more. Adding an explicit initialization to -EINVAL here is correct even if the caller changed, and it avoids the warning on gcc-4.9 as well. Signed-off-by: Arnd Bergmann Reviewed-By: Karol Herbst Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit f9e55370862787ddb68e94bedfcfdf32df526e03 Author: Arnd Bergmann Date: Wed Feb 8 19:14:13 2017 -0200 tc358743: fix register i2c_rd/wr functions commit 3538aa6ecfb2dd727a40f9ebbbf25a0c2afe6226 upstream. While testing with CONFIG_UBSAN, I got this warning: drivers/media/i2c/tc358743.c: In function 'tc358743_probe': drivers/media/i2c/tc358743.c:1930:1: error: the frame size of 2480 bytes is larger than 2048 bytes [-Werror=frame-larger-than=] The problem is that the i2c_rd8/wr8/rd16/... functions in this driver pass a pointer to a local variable into a common function, and each call to one of them adds another variable plus redzone to the stack. I also noticed that the way this is done is broken on big-endian machines, as we copy the registers in CPU byte order. To address both those problems, I'm adding two helper functions for reading a register of up to 32 bits with correct endianess and change all other functions to use that instead. Just to be sure we don't get the problem back with changed optimizations in gcc, I'm also marking the new functions as 'noinline', although my tests with gcc-7 don't require that. Signed-off-by: Arnd Bergmann Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 0176ed74e5b899a9b96e115eb0f3cf1b841d42b5 Author: Randy Dunlap Date: Fri Feb 26 09:09:59 2016 -0800 staging: unisys: visorinput depends on INPUT commit 82ddecfe8de54331bafe2d0ff526739fd0980190 upstream. Fix build errors by limiting UNISYS_VISORINPUT to the INPUT kconfig setting. drivers/built-in.o: In function `visorinput_remove': visorinput.c:(.text+0x20802e): undefined reference to `input_unregister_device' drivers/built-in.o: In function `visorinput_probe': visorinput.c:(.text+0x208177): undefined reference to `input_allocate_device' visorinput.c:(.text+0x208241): undefined reference to `input_register_device' visorinput.c:(.text+0x20824d): undefined reference to `input_free_device' visorinput.c:(.text+0x208286): undefined reference to `input_allocate_device' visorinput.c:(.text+0x208302): undefined reference to `input_set_abs_params' visorinput.c:(.text+0x20831a): undefined reference to `input_set_abs_params' visorinput.c:(.text+0x20833f): undefined reference to `input_register_device' visorinput.c:(.text+0x20834b): undefined reference to `input_free_device' visorinput.c:(.text+0x20835f): undefined reference to `input_set_capability' drivers/built-in.o: In function `visorinput_channel_interrupt': visorinput.c:(.text+0x20851e): undefined reference to `input_event' visorinput.c:(.text+0x20862c): undefined reference to `input_event' drivers/built-in.o: In function `input_report_key': visorinput.c:(.text+0x207fd1): undefined reference to `input_event' drivers/built-in.o: In function `input_sync': visorinput.c:(.text+0x207fdc): undefined reference to `input_event' Signed-off-by: Randy Dunlap Signed-off-by: Greg Kroah-Hartman commit c4514d8b1b095641aed11d7889820224d48fe307 Author: Luis R. Rodriguez Date: Tue Jun 7 16:52:27 2016 -0700 i2c: remove __init from i2c_register_board_info() commit 5abe9b26847c65a698f38744a52635b287514294 upstream. As of next-20160607 with allyesconfig we get this linker failure: MODPOST vmlinux.o WARNING: vmlinux.o(.text+0x21bc0d): Section mismatch in reference from the function intel_scu_devices_create() to the function .init.text:i2c_register_board_info() This is caused by the fact that intel_scu_devices_create() calls i2c_register_board_info() and intel_scu_devices_create() is not annotated with __init. This typically involves manual code inspection and if one is certain this is correct we would just peg intel_scu_devices_create() with a __ref annotation. In this case this would be wrong though as the intel_scu_devices_create() call is exported, and used in the ipc_probe() on drivers/platform/x86/intel_scu_ipc.c. The issue is that even though builtin_pci_driver(ipc_driver) is used this just exposes the probe routine, which can occur at any point in time if this bus supports hotplug. A race can happen between kernel_init_freeable() that calls the init calls (in this case registeres the intel_scu_ipc.c driver, and later free_initmem(), which would free the i2c_register_board_info(). If a probe happens later in boot i2c_register_board_info() would not be present and we should get a page fault. Signed-off-by: Luis R. Rodriguez [wsa: made function declaration a one-liner] Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 7a06f431f9974dd4e461fec60ee19ec8e14dd6c1 Author: Arnd Bergmann Date: Tue Jan 26 12:09:58 2016 -0200 b2c2: flexcop: avoid unused function warnings commit 733d0def3ebdd1d088330d904149af21fa4b9ae2 upstream. The flexcop driver has two functions that are normally used, except when multiple frontend drivers are disabled: drivers/media/common/b2c2/flexcop-fe-tuner.c:42:12: warning: 'flexcop_set_voltage' defined but not used [-Wunused-function] drivers/media/common/b2c2/flexcop-fe-tuner.c:71:12: warning: 'flexcop_sleep' defined but not used [-Wunused-function] This avoids the build warning by updating the #ifdef for flexcop_set_voltage to the exact condition under which it is used. For flexcop_sleep, the condition is rather complex, so I resort to marking it as __maybe_unused, so the compiler can silently drop it. Signed-off-by: Arnd Bergmann Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 5bef71a69fb57e73ccf300cc6f609f18336ae9c7 Author: Arnd Bergmann Date: Mon Feb 1 17:42:02 2016 +0100 infiniband: cxgb4: use %pR format string for printing resources commit 3021376d6d12dd1be8a0a13c16dae8badb7766fd upstream. The cxgb4 prints an MMIO resource using the "0x%x" and "%p" format strings on the length and start, respective, but that triggers a compiler warning when using a 64-bit resource_size_t on a 32-bit architecture: drivers/infiniband/hw/cxgb4/device.c: In function 'c4iw_rdev_open': drivers/infiniband/hw/cxgb4/device.c:807:7: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] (void *)pci_resource_start(rdev->lldi.pdev, 2), This changes the format string to use %pR instead, which pretty-prints the resource, avoids the warning and is shorter. Signed-off-by: Arnd Bergmann Acked-by: Steve Wise Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 4f4762381f966e191221da1b1401e0edb7424384 Author: Colin Ian King Date: Fri Jan 22 17:49:22 2016 +0000 iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels commit 7ca6574a7afb669b0b4b30dd63adeb310e97e250 upstream. duplicate const can be removed, it is redundant. Found by static analysis using smatch. Signed-off-by: Colin Ian King Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit c7284a1114f07e866d9c7fe27d6f491262b8d0d0 Author: Arnd Bergmann Date: Wed Jan 13 23:14:54 2016 +0100 ASoC: mediatek: add i2c dependency commit ec3995da27e782cc407ce48101c98c19c9ce738d upstream. The newly added mediatek drivers for mt8173 select codes that depend on I2C, which cuases a build failure if I2C is disabled: warning: (SND_SOC_ADAU1761_I2C && SND_SOC_ADAU1781_I2C && SND_SOC_ADAU1977_I2C && SND_SOC_RT5677 && EXTCON_MAX14577 && EXTCON_MAX77693 && EXTCON_MAX77843 && BMC150_ACCEL_I2C && BMG160_I2C) selects REGMAP_I2C which has unmet direct dependencies (I2C) codecs/rt5645.c:3854:1: warning: data definition has no type or storage class codecs/rt5645.c:3854:1: error: type defaults to 'int' in declaration of 'module_i2c_driver' [-Werror=implicit-int] codecs/rt5677.c:5270:1: warning: data definition has no type or storage class 77_i2c_driver); codecs/rt5677.c:5270:1: error: type defaults to 'int' in declaration of 'module_i2c_driver' [-Werror=implicit-int] This adds an explicit dependency. Signed-off-by: Arnd Bergmann Acked-by: Koro Chen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 5ca6fd47199ba436d45499fd6f505ca3c3cee585 Author: Arnd Bergmann Date: Tue Feb 14 22:53:12 2017 +0100 genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg commit 2f44e29cef006a4b0a4ecf7d4c5aac7d0fbb505c upstream. A bug fix to the MSIx handling in vfio added references to functions that may not be defined if MSI is disabled in the kernel, resulting in this link error: drivers/built-in.o: In function `vfio_msi_set_vector_signal': :(.text+0x450808): undefined reference to `get_cached_msi_msg' :(.text+0x45080c): undefined reference to `write_msi_msg' As suggested by Alex Williamson, add stub implementations for get_cached_msi_msg() and pci_write_msi_msg(). In case this bugfix gets backported, please note that the #ifdef has changed over time, originally both functions were implemented in drivers/pci/msi.c and controlled by CONFIG_PCI_MSI, while nowadays get_cached_msi_msg() is part of the generic MSI support and can be used without PCI. Fixes: b8f02af096b1 ("vfio/pci: Restore MSIx message prior to enabling") Signed-off-by: Arnd Bergmann Cc: Marc Zyngier Cc: Alex Williamson Cc: Bjorn Helgaas Cc: Bart Van Assche Link: http://lkml.kernel.org/r/1413190208.4202.34.camel@ul30vt.home Link: http://lkml.kernel.org/r/20170214215343.3307861-1-arnd@arndb.de Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 33d71a8ff78d51f6f3a815972be5200d4db9c664 Author: Arnd Bergmann Date: Mon Jan 25 22:54:57 2016 +0100 tty: cyclades: cyz_interrupt is only used for PCI commit 05ead49691d245f67bdd1b30cab5d9af522ac884 upstream. When CONFIG_PCI is not set, enabling CONFIG_CYZ_INTR has no practical effect other than generating a warning about an unused function: drivers/tty/cyclades.c:1184:20: warning: 'cyz_interrupt' defined but not used [-Wunused-function] static irqreturn_t cyz_interrupt(int irq, void *dev_id) This adds a dependency to avoid that warning. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 5820027ee20c874678b49dbd22cb70765437b5fb Author: Paul Bolle Date: Thu Mar 3 11:26:10 2016 +0100 drm/vmwgfx: use *_32_bits() macros commit 0e7c875d1ae9dcf4d8c6018a45e5529feaef8956 upstream. Use the upper_32_bits() macro instead of the four line equivalent that triggers a GCC warning on 32 bits x86: drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf.c: In function 'vmw_cmdbuf_header_submit': drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf.c:297:25: warning: right shift count >= width of type [-Wshift-count-overflow] val = (header->handle >> 32); ^ And use the lower_32_bits() macro instead of and-ing with a 32 bits mask. Signed-off-by: Paul Bolle Acked-by: Joe Perches Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/1457000770-2317-1-git-send-email-pebolle@tiscali.nl Signed-off-by: Greg Kroah-Hartman commit 731339363c5ddfd9607610ef9e58d9c0fb46a9f4 Author: Arnd Bergmann Date: Mon Oct 10 14:41:10 2016 +0200 tlan: avoid unused label with PCI=n commit 1e09c106a44c2b2685a77a1ef27951381c9fcd23 upstream. While build testing with randconfig on x86, I ran into this warning that appears to have been around forever drivers/net/ethernet/ti/tlan.c: In function ‘tlan_probe1’: drivers/net/ethernet/ti/tlan.c:614:1: error: label ‘err_out’ defined but not used [-Werror=unused-label] This can be trivially avoided by just moving the label into the existing #ifdef. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6cd38c25bf3f345c0b5402a6a32f37318811613b Author: Colin Ian King Date: Wed Jan 6 18:02:59 2016 +0000 tc1100-wmi: fix build warning when CONFIG_PM not enabled commit 75d7e7d7a8f4966cb8b1da54a1c74fb2a97ae8fc upstream. Conditionally declare suspend_data on CONFIG_PM to avoid the following warning when CONFIG_OM is not enabled: drivers/platform/x86/tc1100-wmi.c:55:27: warning: 'suspend_data' defined but not used [-Wunused-variable] Signed-off-by: Colin Ian King Signed-off-by: Darren Hart Signed-off-by: Greg Kroah-Hartman commit a2f1d9b7030bd388347fa0b77383ab6e06a44c63 Author: Arnd Bergmann Date: Thu Jan 28 17:39:24 2016 +0100 ipv4: ipconfig: avoid unused ic_proto_used symbol commit 52b79e2bdf92b07b37c805c50811eaf69a33683d upstream. When CONFIG_PROC_FS, CONFIG_IP_PNP_BOOTP, CONFIG_IP_PNP_DHCP and CONFIG_IP_PNP_RARP are all disabled, we get a warning about the ic_proto_used variable being unused: net/ipv4/ipconfig.c:146:12: error: 'ic_proto_used' defined but not used [-Werror=unused-variable] This avoids the warning, by making the definition conditional on whether a dynamic IP configuration protocol is configured. If not, we know that the value is always zero, so we can optimize away the variable and all code that depends on it. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88fb56455b1acd17cfd8d484e508fa4efe4794e7 Author: Arnd Bergmann Date: Wed Jan 27 14:52:01 2016 +0100 netfilter: ipvs: avoid unused variable warnings commit f6ca9f46f6615c3a87529550058d1b468c0cad89 upstream. The proc_create() and remove_proc_entry() functions do not reference their arguments when CONFIG_PROC_FS is disabled, so we get a couple of warnings about unused variables in IPVS: ipvs/ip_vs_app.c:608:14: warning: unused variable 'net' [-Wunused-variable] ipvs/ip_vs_ctl.c:3950:14: warning: unused variable 'net' [-Wunused-variable] ipvs/ip_vs_ctl.c:3994:14: warning: unused variable 'net' [-Wunused-variable] This removes the local variables and instead looks them up separately for each use, which obviously avoids the warning. Signed-off-by: Arnd Bergmann Fixes: 4c50a8ce2b63 ("netfilter: ipvs: avoid unused variable warning") Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Greg Kroah-Hartman commit d4869f7f25a8441dbc004b67d1d55aa6520ce997 Author: Borislav Petkov Date: Sat Nov 26 15:27:06 2016 +0100 x86/platform/olpc: Fix resume handler build warning commit 20ab6677716c7bbdcfd1cdb9aef296a0b3101f73 upstream. Fix: arch/x86/platform/olpc/olpc-xo15-sci.c:199:12: warning: ‘xo15_sci_resume’ defined but not used [-Wunused-function] static int xo15_sci_resume(struct device *dev) ^ which I see in randconfig builds here. Signed-off-by: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20161126142706.13602-1-bp@alien8.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 0b75172281b5c8a231f4bb377759d9fa8127227e Author: Glen Lee Date: Thu Nov 5 16:12:08 2015 +0900 staging: wilc1000: fix kbuild test robot error commit b22fa80cdbf4ff1056ecddb4efdcc0ede5f5f422 upstream. This patch fixes build warning and error reported by kbuild test robot. It is fixed by including netdevice.h. >> drivers/staging/wilc1000/wilc_wlan_if.h:940:27: warning: 'struct net_device' declared inside parameter list int wilc_wlan_init(struct net_device *dev, wilc_wlan_inp_t *inp); >> drivers/staging/wilc1000/wilc_wlan_if.h:940:27: warning: its scope is only this definition or declaration, which is probably not what you want >> drivers/staging/wilc1000/wilc_wlan.c:1954:5: error: conflicting types for 'wilc_wlan_init' int wilc_wlan_init(struct net_device *dev, wilc_wlan_inp_t *inp) Fixes: 30135ce ("staging: wilc1000: wilc_wlan_init: add argument struct net_device") Reported-by: kbuild test robot Signed-off-by: Glen Lee Signed-off-by: Greg Kroah-Hartman commit 5d62b755c38c32bc10f0b069500977847504f3a0 Author: Arnd Bergmann Date: Thu Mar 17 11:03:50 2016 +0100 rtlwifi: fix gcc-6 indentation warning commit 2acd846485549655582ee379ceb966206f91e6f8 upstream. The rtl8821ae_dm_txpower_tracking_callback_thermalmeter function contains a call to RT_TRACE() that is indented in a misleading way, as pointed out by a gcc-6 warning: drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c: In function 'rtl8821ae_dm_txpower_tracking_callback_thermalmeter': drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c:2491:4: error: statement is indented as if it were guarded by... RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD, ^~~~~~~~ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c:2488:3: note: ...this 'for' clause, but it is not for (p = RF90_PATH_A; p < MAX_PATH_NUM_8821A; p++) ^~~ It is clear from the context that the call was not meant to be part of the loop and only the indentation is wrong, so this removes the extra tabs. Signed-off-by: Arnd Bergmann Acked-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit affad7ad16a4a9a4741036c9d90cebf883f0fc68 Author: Arnd Bergmann Date: Wed Feb 17 23:25:11 2016 +0100 USB: cdc_subset: only build when one driver is enabled commit f3bb23764fac042d189129d485d3a9246cb777da upstream. This avoids a harmless randconfig warning I get when USB_NET_CDC_SUBSET is enabled, but all of the more specific drivers are not: drivers/net/usb/cdc_subset.c:241:2: #warning You need to configure some hardware for this driver The current behavior is clearly intentional, giving a warning when a user picks a configuration that won't do anything good. The only reason for even addressing this is that I'm getting close to eliminating all 'randconfig' warnings on ARM, and this came up a couple of times. My workaround is to not even build the module when none of the configurations are enable. Alternatively we could simply remove the #warning (nothing wrong for compile-testing), turn it into a runtime warning, or change the Kconfig options into a menu to hide CONFIG_USB_NET_CDC_SUBSET. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2d69b722e418dec6b2b60db23a2798233c685244 Author: Arnd Bergmann Date: Wed Mar 2 16:58:59 2016 +0100 hwrng: exynos - use __maybe_unused to hide pm functions commit b93f342da1766ef1740e6277508329356c4ea48b upstream. The exynos random driver uses #ifdef to check for CONFIG_PM, but then uses SIMPLE_DEV_PM_OPS, which leaves the references out when CONFIG_PM_SLEEP is not defined, so we get a warning with PM=y && PM_SLEEP=n: drivers/char/hw_random/exynos-rng.c:166:12: error: 'exynos_rng_suspend' defined but not used [-Werror=unused-function] drivers/char/hw_random/exynos-rng.c:171:12: error: 'exynos_rng_resume' defined but not used [-Werror=unused-function] This removes the incorrect #ifdef and instead uses a __maybe_unused annotation to let the compiler know it can silently drop the function definition. Signed-off-by: Arnd Bergmann Reviewed-by: Krzysztof Kozlowski Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit ac21d006fcfd3e1faaef9ab4cf492f056cb0aa88 Author: Arnd Bergmann Date: Fri Nov 20 22:48:36 2015 +0100 fbdev: sm712fb: avoid unused function warnings commit 24ed78dc2e8b2428eccc70c3162e70d33ab448c4 upstream. The sm712fb framebuffer driver encloses the power-management functions in #ifdef CONFIG_PM, but the smtcfb_pci_suspend/resume functions are only really used when CONFIG_PM_SLEEP is also set, as a frequent gcc warning shows: fbdev/sm712fb.c:1549:12: warning: 'smtcfb_pci_suspend' defined but not used fbdev/sm712fb.c:1572:12: warning: 'smtcfb_pci_resume' defined but not used The driver also avoids using the SIMPLE_DEV_PM_OPS macro when CONFIG_PM is unset, which is redundant. This changes the driver to remove the #ifdef and instead mark the functions as __maybe_unused, which is a nicer anyway, as it provides build testing for all the code in all configurations and is harder to get wrong. Signed-off-by: Arnd Bergmann Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 3f488a9fd5c088e67b9f4865a96db0cf1d8c3790 Author: Sudip Mukherjee Date: Fri Dec 11 14:23:11 2015 +0530 Drivers: hv: vmbus: fix build warning commit 9220e39b5c900c67ddcb517d52fe52d90fb5e3c8 upstream. We were getting build warning about unused variable "tsc_msr" and "va_tsc" while building for i386 allmodconfig. Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 9adeb5b0b544bd2eddf1b1a57f89167d92fadadc Author: Arnd Bergmann Date: Thu Feb 25 17:31:32 2016 +0100 modsign: hide openssl output in silent builds commit 5d06ee20b662a78417245714fc576cba90e6374f upstream. When a user calls 'make -s', we can assume they don't want to see any output except for warnings and errors, but instead they see this for a warning free build: ### ### Now generating an X.509 key pair to be used for signing modules. ### ### If this takes a long time, you might wish to run rngd in the ### background to keep the supply of entropy topped up. It ### needs to be run as root, and uses a hardware random ### number generator if one is available. ### Generating a 4096 bit RSA private key .................................................................................................................................................................................................................................++ ..............................................................................................................................++ writing new private key to 'certs/signing_key.pem' ----- ### ### Key pair generated. ### The output can confuse simple build testing scripts that just check for an empty build log. This patch silences all the output: - "echo" is changed to "@$(kecho)", which is dropped when "-s" gets passed - the openssl command itself is only printed with V=1, using the $(Q) macro - The output of openssl gets redirected to /dev/null on "-s" builds. Signed-off-by: Arnd Bergmann Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 12ec0529dbcc9871f68ced823572169ddc9048f2 Author: Arnd Bergmann Date: Mon Jan 25 16:04:03 2016 +0100 fbdev: s6e8ax0: avoid unused function warnings commit b54729b6cea7d1f46b1ed70cb7065c6bdefaa780 upstream. The s6e8ax0 suspend/resume functions are hidden inside of an #ifdef when CONFIG_PM is set to avoid unused function warnings, but they call some other functions that nothing else calls, and we get warnings about those: drivers/video/fbdev/exynos/s6e8ax0.c:449:13: error: 's6e8ax0_sleep_in' defined but not used [-Werror=unused-function] drivers/video/fbdev/exynos/s6e8ax0.c:485:13: error: 's6e8ax0_display_off' defined but not used [-Werror=unused-function] This marks the PM functions as __maybe_unused so the compiler can silently drop them when they are not referenced. Signed-off-by: Arnd Bergmann Reviewed-by: Krzysztof Kozlowski Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 25bce31b08d1fe7332f2e814472c5eacc5d84d65 Author: Arnd Bergmann Date: Mon Nov 23 14:39:33 2015 +0100 mtd: cfi: enforce valid geometry configuration commit f5f92b36fbbb8ac7d70ff5fa39ec2637cce3094c upstream. MTD allows compile-time configuration of the possible CFI geometry settings that are allowed by the kernel, but that includes a couple of invalid configurations, where no bank width or no interleave setting is allowed. These are then caught with a compile-time warning: include/linux/mtd/cfi.h:76:2: warning: #warning No CONFIG_MTD_CFI_Ix selected. No NOR chip support can work. include/linux/mtd/map.h:145:2: warning: #warning "No CONFIG_MTD_MAP_BANK_WIDTH_xx selected. No NOR chip support can work" This is a bit annoying for randconfig tests, and can be avoided if we change the Kconfig logic to always select the simplest configuration when no other one is enabled. Signed-off-by: Arnd Bergmann Signed-off-by: Brian Norris Signed-off-by: Greg Kroah-Hartman commit b4a69fede2eb4b7362482524bbe2e2a41a4e1303 Author: Arnd Bergmann Date: Tue Dec 8 16:38:12 2015 +0100 mtd: sh_flctl: pass FIFO as physical address commit 1873315fb156cbc8e46f28e8b128f17ff6c31728 upstream. By convention, the FIFO address we pass using dmaengine_slave_config is a physical address in the form that is understood by the DMA engine, as a dma_addr_t, phys_addr_t or resource_size_t. The sh_flctl driver however passes a virtual __iomem address that gets cast to dma_addr_t in the slave driver. This happens to work on shmobile because that platform sets up an identity mapping for its MMIO regions, but such code is not portable to other platforms, and prevents us from ever changing the platform mapping or reusing the driver on other architectures like ARM64 that might not have the mapping. We also get a warning about a type mismatch for the case that dma_addr_t is wider than a pointer, i.e. when CONFIG_LPAE is set: drivers/mtd/nand/sh_flctl.c: In function 'flctl_setup_dma': drivers/mtd/nand/sh_flctl.c:163:17: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] cfg.dst_addr = (dma_addr_t)FLDTFIFO(flctl); This changes the driver to instead pass the physical address of the FIFO that is extracted from the MMIO resource, making the code more portable and avoiding the warning. Signed-off-by: Arnd Bergmann Signed-off-by: Brian Norris Signed-off-by: Greg Kroah-Hartman commit 91e017896dc5e7417e164733a3c97de02b14adaa Author: Borislav Petkov Date: Sat Nov 26 21:53:52 2016 +0100 amd-xgbe: Fix unused suspend handlers build warning commit 91eefaabf102c539e6f5531e9a1e5ed46d2b41ca upstream. Fix: drivers/net/ethernet/amd/xgbe/xgbe-main.c:835:12: warning: ‘xgbe_suspend’ defined but not used [-Wunused-function] drivers/net/ethernet/amd/xgbe/xgbe-main.c:855:12: warning: ‘xgbe_resume’ defined but not used [-Wunused-function] I see it during randconfig builds here. Signed-off-by: Borislav Petkov Cc: Tom Lendacky Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 07701436d096360931ade31a6ac9cca6426b6f99 Author: Arnd Bergmann Date: Fri Nov 20 22:47:41 2015 +0100 fbdev: auo_k190x: avoid unused function warnings commit a8a31afad5ffa1c7de0cef1c4bc383b50f426bf8 upstream. The auo_k190x framebuffer driver encloses the power-management functions in #ifdef CONFIG_PM, but the auok190x_suspend/resume functions are only really used when CONFIG_PM_SLEEP is also set, as a frequent gcc warning shows: drivers/video/fbdev/auo_k190x.c:859:12: warning: 'auok190x_suspend' defined but not used drivers/video/fbdev/auo_k190x.c:899:12: warning: 'auok190x_resume' defined but not used This changes the driver to remove the #ifdef and instead mark the functions as __maybe_unused, which is a nicer anyway, as it provides build testing for all the code in all configurations and is harder to get wrong. Signed-off-by: Arnd Bergmann Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 716fae62bcfe8cd6ce9a860d5ca783846b7258db Author: Arnd Bergmann Date: Thu Mar 24 22:19:40 2016 +0100 driver-core: use 'dev' argument in dev_dbg_ratelimited stub commit 1f62ff34a90471d1b735bac2c79e894afc7c59bc upstream. dev_dbg_ratelimited() is a macro that ignores its first argument when DEBUG is not set, which can lead to unused variable warnings: ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_sdq_handle': ethernet/mellanox/mlxsw/pci.c:646:18: warning: unused variable 'pdev' [-Wunused-variable] ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_rdq_handle': ethernet/mellanox/mlxsw/pci.c:671:18: warning: unused variable 'pdev' [-Wunused-variable] The macro already ensures that all its other arguments are silently ignored by the compiler without triggering a warning, through the use of the no_printk() macro, but the dev argument is not passed into that. This changes the definition to use the same trick as no_printk() with an if(0) that leads the compiler to not evaluate the side-effects but still see that 'dev' might not be unused. Signed-off-by: Arnd Bergmann Suggested-by: Andrew Lunn Fixes: 6f586e663e3b ("driver-core: Shut up dev_dbg_reatelimited() without DEBUG") Reviewed-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit f290b26f941e70a2531a84d378cfc7b4b56ecc06 Author: Arnd Bergmann Date: Mon Feb 1 17:29:45 2016 +0100 target/user: Fix cast from pointer to phys_addr_t commit 0633e123465b61a12a262b742bebf2a9945f7964 upstream. The uio_mem structure has a member that is a phys_addr_t, but can be a number of other types too. The target core driver attempts to assign a pointer from vmalloc() to it, by casting it to phys_addr_t, but that causes a warning when phys_addr_t is longer than a pointer: drivers/target/target_core_user.c: In function 'tcmu_configure_device': drivers/target/target_core_user.c:906:22: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] This adds another cast to uintptr_t to shut up the warning. A nicer fix might be to have additional fields in uio_mem for the different purposes, so we can assign a pointer directly. Signed-off-by: Arnd Bergmann Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit f1691276e5e96d3922d6082130decb49e6524f5d Author: Arnd Bergmann Date: Mon Jan 25 22:54:58 2016 +0100 tty: hvc_xen: hide xen_console_remove when unused commit e36ae3439936e13c33f5841c7c2c1a9875acbb6d upstream. xencons_disconnect_backend() is only called from xen_console_remove(), which is conditionally compiled, so we get a harmless warning when CONFIG_HVC_XEN_FRONTEND is unset: hvc/hvc_xen.c:350:12: error: 'xen_console_remove' defined but not used [-Werror=unused-function] This moves the function down into the same #ifdef section to silence the warning. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 86f630e5b7cc1ef02f1e7de20a55bd84c09b3330 Author: Arnd Bergmann Date: Thu Jan 28 17:23:15 2016 +0100 usb: musb/ux500: remove duplicate check for dma_is_compatible commit 62a6abdd427b5fc4d8aad5dac874904e96273e6d upstream. When dma_addr_t is 64-bit, we get a warning about an invalid cast in the call to ux500_dma_is_compatible() from ux500_dma_channel_program(): drivers/usb/musb/ux500_dma.c: In function 'ux500_dma_channel_program': drivers/usb/musb/ux500_dma.c:210:51: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] if (!ux500_dma_is_compatible(channel, packet_sz, (void *)dma_addr, len)) The problem is that ux500_dma_is_compatible() is called from the main musb driver on the virtual address, but here we pass in a DMA address, so the types are fundamentally different but it works because the function only checks the alignment of the buffer and that is the same. We could work around this by adding another cast, but I have checked that the buffer we get passed here is already checked before it gets mapped, so the second check seems completely unnecessary and removing it must be the cleanest solution. Signed-off-by: Arnd Bergmann Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit f21a7417311c1d000f754749c0fe3b74d3a95230 Author: Arnd Bergmann Date: Tue Jan 26 14:17:24 2016 -0200 pwc: hide unused label commit 1f6bcd011464cb36059e2562f72baf75f98b732d upstream. The pwc driver causes a warning when CONFIG_USB_PWC_INPUT_EVDEV is unset: drivers/media/usb/pwc/pwc-if.c: In function 'usb_pwc_probe': drivers/media/usb/pwc/pwc-if.c:1115:1: warning: label 'err_video_unreg' defined but not used [-Wunused-label] This moves the unused label and code inside another #ifdef to get rid of the warning. Signed-off-by: Arnd Bergmann Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 11d5aa1935a94bbe734aafe1d78a8725ec8f0faf Author: Arnd Bergmann Date: Thu Nov 19 15:33:41 2015 +0100 SCSI: initio: remove duplicate module device table commit d282e2b383e3f41a7758e8cbf3076091ef9d9447 upstream. The initio driver has for many years had two copies of the same module device table. One of them is also used for registering the other driver, the other one is entirely useless after the large scale cleanup that Alan Cox did back in 2007. The compiler warns about this whenever the driver is built-in: drivers/scsi/initio.c:131:29: warning: 'i91u_pci_devices' defined but not used [-Wunused-variable] This removes the extraneous table and the warning. Signed-off-by: Arnd Bergmann Fixes: 72d39fea901 ("[SCSI] initio: Convert into a real Linux driver and update to modern style") Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit fcb86b38aceb61b393a618592a2eec1afa173fa5 Author: Arnd Bergmann Date: Wed Mar 2 16:59:00 2016 +0100 scsi: mvumi: use __maybe_unused to hide pm functions commit fddbeb80a904aae41c84ed566e2b0d1de55907df upstream. The mvumi scsi hides the references to its suspend/resume functions in an #ifdef but does not hide the implementation the same way: drivers/scsi/mvumi.c:2632:12: error: 'mvumi_suspend' defined but not used [-Werror=unused-function] drivers/scsi/mvumi.c:2651:12: error: 'mvumi_resume' defined but not used [-Werror=unused-function] This adds __maybe_unused annotations so the compiler knows it can silently drop them instead of warning, while avoiding the addition of another #ifdef. Signed-off-by: Arnd Bergmann Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit f83c36bd7bfcfe378029b5dcf6ed0df6a861171b Author: Daniel Wagner Date: Tue Feb 9 10:18:32 2016 +0100 video: Use bool instead int pointer for get_opt_bool() argument commit 206fc20598157ce15597822cf01b94377e30075b upstream. As the function name already indicates that get_opt_bool() parses for a bool. It is not a surprise that compiler is complaining about it when -Werror=incompatible-pointer-types is used: drivers/video/fbdev/intelfb/intelfbdrv.c: In function ‘intelfb_setup’: drivers/video/fbdev/intelfb/intelfbdrv.c:353:39: error: passing argument 3 of ‘get_opt_bool’ from incompatible pointer type [-Werror=incompatible-pointer-types] if (get_opt_bool(this_opt, "accel", &accel)) Signed-off-by: Daniel Wagner Reported-by: Fengguang Wu Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 3343627d2b8d5a6d48b6f14a054ac7fc000a8f8c Author: Arnd Bergmann Date: Fri Nov 27 15:33:11 2015 +0100 fbdev: sis: enforce selection of at least one backend commit 5b833fea4377577eafecb888141a05470922ef25 upstream. The sis framebuffer driver complains with a compile-time warning if neither the FB_SIS_300 nor FB_SIS_315 symbols are selected: drivers/video/fbdev/sis/sis_main.c:61:2: warning: #warning Neither CONFIG_FB_SIS_300 nor CONFIG_FB_SIS_315 is se This is reasonable because it doesn't work in that case, but it's also annoying for randconfig builds and is one of the most common warnings I'm seeing on ARM now. This changes the Kconfig logic to prevent the silly configuration, by always selecting the FB_SIS_300 variant if the other one is not set. Signed-off-by: Arnd Bergmann Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 57aafe5c3728f83467ee46717693da0d0e21ef36 Author: Arnd Bergmann Date: Fri Nov 20 22:59:14 2015 +0100 staging: ste_rmi4: avoid unused function warnings commit 9045a4a7e686a6316129d6d0b21b4fe2520968e4 upstream. The rmi4 touchscreen driver encloses the power-management functions in #ifdef CONFIG_PM, but the smtcfb_pci_suspend/resume functions are only really used when CONFIG_PM_SLEEP is also set, as a frequent gcc warning shows: ste_rmi4/synaptics_i2c_rmi4.c:1050:12: warning: 'synaptics_rmi4_suspend' defined but not used ste_rmi4/synaptics_i2c_rmi4.c:1084:12: warning: 'synaptics_rmi4_resume' defined but not used This changes the driver to remove the #ifdef and instead mark the functions as __maybe_unused, which is a nicer anyway, as it provides build testing for all the code in all configurations and is harder to get wrong. Signed-off-by: Arnd Bergmann Acked-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit caa08023001c61de02e9b16ca0808203cdc81fc0 Author: Sudip Mukherjee Date: Mon Feb 29 23:32:29 2016 +0530 video: fbdev: sis: remove unused variable commit 32ad61951574d011d363694d6037592e99da9421 upstream. The variables modeflag and resinfo were only assigned some value but were never used. Signed-off-by: Sudip Mukherjee Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 422188b34ca887ce1a41213bf37e717fd4cb0134 Author: Arnd Bergmann Date: Wed Jan 27 16:57:17 2016 +0100 scsi: fdomain: drop fdomain_pci_tbl when built-in commit 120f83f8d6f2e2e7dea3570646722c62ecee70b0 upstream. The fdomain SCSI host driver is one of the last remaining drivers that manually search the PCI bus using pci_get_device rather than registering a pci_driver instance. This means the module device table is unused when the driver is built-in, and we get a warning about it: drivers/scsi/fdomain.c:1773:29: warning: 'fdomain_pci_tbl' defined but not used [-Wunused-variable] To avoid the warning, this adds another #ifdef around the table definition. Signed-off-by: Arnd Bergmann Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit a125eb8bec000ed4252be4f7ede74508b3f3ca9e Author: Arnd Bergmann Date: Wed Jan 27 16:57:18 2016 +0100 mptfusion: hide unused seq_mpt_print_ioc_summary function commit 28558f5af50d8335cbbc8bc2726e0747553e29f5 upstream. The seq_mpt_print_ioc_summary function is used for the /proc/mpt/iocN/summary implementation and never gets called when CONFIG_PROC_FS is disabled: drivers/message/fusion/mptbase.c:6851:13: warning: 'seq_mpt_print_ioc_summary' defined but not used [-Wunused-function] static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int showlan) This adds an #ifdef to hide the function definition in that case and avoid the warning. Signed-off-by: Arnd Bergmann Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7f0fb06c9626e4a8607577d71e95f3d6f2bde44d Author: Julia Lawall Date: Tue Apr 19 14:33:33 2016 +0200 mtd: maps: add __init attribute commit e4106a7c8236eb7b91686d36f3bf33ee43db94b4 upstream. Add __init attribute on functions that are only called from other __init functions and that are not inlined, at least with gcc version 4.8.4 on an x86 machine with allyesconfig. Currently, the functions are put in the .text.unlikely segment. Declaring them as __init will cause them to be put in the .init.text and to disappear after initialization. The result of objdump -x on the functions before the change is as follows: 00000000000001bc l F .text.unlikely 00000000000006a2 ck804xrom_init_one.isra.1 00000000000001aa l F .text.unlikely 0000000000000764 esb2rom_init_one.isra.1 00000000000001db l F .text.unlikely 0000000000000716 ichxrom_init_one.isra.1 And after the change it is as follows: 0000000000000000 l F .init.text 000000000000069d ck804xrom_init_one.isra.1 0000000000000000 l F .init.text 000000000000075f esb2rom_init_one.isra.1 0000000000000000 l F .init.text 0000000000000711 ichxrom_init_one.isra.1 Done with the help of Coccinelle. The semantic patch checks for local static non-init functions that are called from an __init function and are not called from any other function. Note that in each case, the function is stored in the probe field of a pci_driver structure, but this code is under an #if 0. The #if 0s have been unchanged since 2009 at the latest. Signed-off-by: Julia Lawall Signed-off-by: Brian Norris Signed-off-by: Greg Kroah-Hartman commit 9bb2a284c238c163e496163096b7187bbd6918fd Author: Arnd Bergmann Date: Mon Oct 24 17:28:35 2016 +0200 mtd: ichxrom: maybe-uninitialized with gcc-4.9 commit e70dda0868fad0f74c46df21f7f45fec24f29879 upstream. pci_read_config_word() might fail and not initialize its output, as pointed out by older versions of gcc when using the -Wmaybe-unintialized flag: drivers/mtd/maps/ichxrom.c: In function ‘ichxrom_cleanup’: drivers/mtd/maps/ichxrom.c:63:2: error: ‘word’ is used uninitialized in this function [-Werror=uninitialized] This is apparently a correct warning, though it does not show up with newer compilers. Changing the code to not attempt to write back uninitialized data into PCI config space is a correct fix for the problem and avoids the warning. Signed-off-by: Arnd Bergmann Reviewed-by: Marek Vasut Signed-off-by: Brian Norris Signed-off-by: Greg Kroah-Hartman commit 78c5a07a72070fffca89b94647e17e13c918e71e Author: Arnd Bergmann Date: Mon Dec 21 10:51:01 2015 +1100 md: avoid warning for 32-bit sector_t commit 3312c951efaba55080958974047414576b9e5d63 upstream. When CONFIG_LBDAF is not set, sector_t is only 32-bits wide, which means we cannot have devices with more than 2TB, and the code that is trying to handle compatibility support for large devices in md version 0.90 is meaningless but also causes a compile-time warning: drivers/md/md.c: In function 'super_90_load': drivers/md/md.c:1029:19: warning: large integer implicitly truncated to unsigned type [-Woverflow] drivers/md/md.c: In function 'super_90_rdev_size_change': drivers/md/md.c:1323:17: warning: large integer implicitly truncated to unsigned type [-Woverflow] This adds a check for CONFIG_LBDAF to avoid even getting into this code path, and also adds an explicit cast to let the compiler know it doesn't have to warn about the truncation. Signed-off-by: Arnd Bergmann Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 28ad68ba162265d447c98ef9c8d0d938d219da02 Author: Arnd Bergmann Date: Tue Mar 22 14:27:26 2016 -0700 profile: hide unused functions when !CONFIG_PROC_FS commit ade356b99a4187578609f2a91c4d2ed88e4e70dc upstream. A couple of functions and variables in the profile implementation are used only on SMP systems by the procfs code, but are unused if either procfs is disabled or in uniprocessor kernels. gcc prints a harmless warning about the unused symbols: kernel/profile.c:243:13: error: 'profile_flip_buffers' defined but not used [-Werror=unused-function] static void profile_flip_buffers(void) ^ kernel/profile.c:266:13: error: 'profile_discard_flip_buffers' defined but not used [-Werror=unused-function] static void profile_discard_flip_buffers(void) ^ kernel/profile.c:330:12: error: 'profile_cpu_callback' defined but not used [-Werror=unused-function] static int profile_cpu_callback(struct notifier_block *info, ^ This adds further #ifdef to the file, to annotate exactly in which cases they are used. I have done several thousand ARM randconfig kernels with this patch applied and no longer get any warnings in this file. Signed-off-by: Arnd Bergmann Cc: Vlastimil Babka Cc: Robin Holt Cc: Johannes Weiner Cc: Christoph Lameter Cc: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6fed08895707322a0128cac1e9047afeaf9cc645 Author: Sudip Mukherjee Date: Thu Feb 18 13:59:13 2016 +0530 dpt_i2o: fix build warning commit f50abb9b63b1d8773e1ce32115701c06416e6f91 upstream. We were getting build warning about: drivers/scsi/dpt_i2o.c:183:29: warning: 'dptids' defined but not used dptids[] is only used in the MODULE_DEVICE_TABLE so when MODULE is not defined then dptids[] becomes unused. Signed-off-by: Sudip Mukherjee Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5fb37ef0b0942783587849b2a67fb2230669c2b3 Author: Fabian Frederick Date: Sat Dec 12 18:24:38 2015 +0100 drivers/net: fix eisa_driver probe section mismatch commit cb4396edd84ed73081635fb933d19c1410fafaf4 upstream. Some eisa_driver structures used __init probe functions which generates a warning and could crash if function is called after being deleted. Signed-off-by: Fabian Frederick Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6edb5595bc950b56409fdcac346136cc71801e33 Author: Sudip Mukherjee Date: Thu Feb 11 10:29:03 2016 +0530 scsi: sim710: fix build warning commit 648a0a7da34f281410e8e3a59de8c13ec6ea380a upstream. We are getting build warning about: "Section mismatch in reference from the variable sim710_eisa_driver to the function .init.text:sim710_eisa_probe() The variable sim710_eisa_driver references the function __init sim710_eisa_probe()" sim710_eisa_probe() was having __init but that was being referenced from sim710_eisa_driver. Signed-off-by: Sudip Mukherjee Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 96b745cacbaf50dbfb25a469d7dc8c9a13440f0f Author: Arnd Bergmann Date: Wed Nov 16 15:17:09 2016 +0100 x86/boot: Avoid warning for zero-filling .bss commit 553bbc11aa6c1f9e0f529a06aeeca15fbe4a3985 upstream. The latest binutils are warning about a .fill directive with an explicit value in a .bss section: arch/x86/kernel/head_32.S: Assembler messages: arch/x86/kernel/head_32.S:677: Warning: ignoring fill value in section `.bss..page_aligned' arch/x86/kernel/head_32.S:679: Warning: ignoring fill value in section `.bss..page_aligned' This comes from the 'ENTRY()' macro padding the space between the symbols with 'nop' via: .align 4,0x90 Open-coding the .globl directive without the padding avoids that warning, as all the symbols are already page aligned. Signed-off-by: Arnd Bergmann Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20161116141726.2013389-1-arnd@arndb.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 117c28bef36365a9e57777640a80ebea6171bfd1 Author: Arnd Bergmann Date: Mon Jan 25 17:44:10 2016 +0100 thermal: spear: use __maybe_unused for PM functions commit d612c64d1f4d6b2464993dfeafd9ec319f774188 upstream. The spear thermal driver hides its suspend/resume function conditionally based on CONFIG_PM, but references them based on CONFIG_PM_SLEEP, so we get a warning if the former is set but the latter is not: thermal/spear_thermal.c:58:12: warning: 'spear_thermal_suspend' defined but not used [-Wunused-function] thermal/spear_thermal.c:75:12: warning: 'spear_thermal_resume' defined but not used [-Wunused-function] This removes the #ifdef and instead uses a __maybe_uninitialized annotation to avoid the warning and improve compile-time coverage. Signed-off-by: Arnd Bergmann Signed-off-by: Eduardo Valentin Signed-off-by: Greg Kroah-Hartman commit 8205dd3aa3d7b313aa19b13a377928fb2b3ed20d Author: Arnd Bergmann Date: Mon Jan 18 20:39:56 2016 +0100 ssb: mark ssb_bus_register as __maybe_unused commit b7e2d195cc523bd92ed7a64aac089421dbab2a2d upstream. The SoC variant of the ssb code is now optional like the other ones, which means we can build the framwork without any front-end, but that results in a warning: drivers/ssb/main.c:616:12: warning: 'ssb_bus_register' defined but not used [-Wunused-function] This annotates the ssb_bus_register function as __maybe_unused to shut up the warning. A configuration like this will not work on any hardware of course, but we still want this to silently build without warnings if the configuration is allowed in the first place. Signed-off-by: Arnd Bergmann Fixes: 845da6e58e19 ("ssb: add Kconfig entry for compiling SoC related code") Acked-by: Michael Buesch Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit a8aeea21973fc72d8fc587862b79acdc61411ff8 Author: Arnd Bergmann Date: Thu Mar 23 16:06:13 2017 +0100 reiserfs: avoid a -Wmaybe-uninitialized warning commit ab4949640d6674b617b314ad3c2c00353304bab9 upstream. The latest gcc-7.0.1 snapshot warns about an unintialized variable use: In file included from fs/reiserfs/lbalance.c:8:0: fs/reiserfs/lbalance.c: In function 'leaf_item_bottle.isra.3': fs/reiserfs/reiserfs.h:1279:13: error: '*((void *)&n_ih+8).v' may be used uninitialized in this function [-Werror=maybe-uninitialized] v2->v = (v2->v & cpu_to_le64(15ULL << 60)) | cpu_to_le64(offset); ~~^~~ fs/reiserfs/reiserfs.h:1279:13: error: '*((void *)&n_ih+8).v' may be used uninitialized in this function [-Werror=maybe-uninitialized] v2->v = (v2->v & cpu_to_le64(15ULL << 60)) | cpu_to_le64(offset); This happens because the offset/type pair that is stored in ih.key.u.k_offset_v2 is actually uninitialized when we call set_le_ih_k_offset() and set_le_ih_k_type(). After we have called both, all data is correct, but the first of the two reads uninitialized data for the type field and writes it back before it gets overwritten. This works around the warning by initializing the k_offset_v2 through the slightly larger memcpy(). [JK: Remove now unused define and make it obvious we initialize the key] Signed-off-by: Arnd Bergmann Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 3f0754639bac017520524034cf75d11c889c0b2f Author: Arnd Bergmann Date: Wed Jan 11 14:39:44 2017 +0100 ALSA: hda/ca0132 - fix possible NULL pointer use commit 46a049dae771b95e77ac6c823330f4a60f600236 upstream. gcc-7 caught what it considers a NULL pointer dereference: sound/pci/hda/patch_ca0132.c: In function 'dspio_scp.constprop': sound/pci/hda/patch_ca0132.c:1487:4: error: argument 1 null where non-null expected [-Werror=nonnull] This is plausible from looking at the function, as we compare 'reply' to NULL earlier in it. I have not tried to analyze if there are constraints that make it impossible to hit the bug, but adding another NULL check in the end kills the warning and makes the function more robust. Signed-off-by: Arnd Bergmann Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 622d825999111ddeda9338386f8bc1effd5a2ea1 Author: Kefeng Wang Date: Thu Jan 26 11:19:55 2017 +0800 arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set commit 2e449048a25eb75d48dff12882b93f26d130a1c6 upstream. Fix warning: "(COMPAT) selects COMPAT_BINFMT_ELF which has unmet direct dependencies (COMPAT && BINFMT_ELF)" Signed-off-by: Kefeng Wang Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit c66ef738ce4da7b1ebd57b74f623539af28c0b82 Author: Arnd Bergmann Date: Thu Mar 23 16:02:18 2017 +0100 scsi: advansys: fix uninitialized data access commit 44a5b977128c0ffff0654392b40f4c2ce72a619b upstream. gcc-7.0.1 now warns about a previously unnoticed access of uninitialized struct members: drivers/scsi/advansys.c: In function 'AscMsgOutSDTR': drivers/scsi/advansys.c:3860:26: error: '*((void *)&sdtr_buf+5)' may be used uninitialized in this function [-Werror=maybe-uninitialized] ((ushort)s_buffer[i + 1] << 8) | s_buffer[i]); ^ drivers/scsi/advansys.c:3860:26: error: '*((void *)&sdtr_buf+7)' may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/scsi/advansys.c:3860:26: error: '*((void *)&sdtr_buf+5)' may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/scsi/advansys.c:3860:26: error: '*((void *)&sdtr_buf+7)' may be used uninitialized in this function [-Werror=maybe-uninitialized] The code has existed in this exact form at least since v2.6.12, and the warning seems correct. This uses named initializers to ensure we initialize all members of the structure. Signed-off-by: Arnd Bergmann Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e2e297df05361b05da1af484921bd0c1c51ef4c3 Author: Arnd Bergmann Date: Wed Jul 19 14:53:05 2017 +0200 x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG commit d689c64d189e43d782fec5649fb0afe303c5b3f9 upstream. The IOSF_MBI option requires PCI support, without it we get a harmless Kconfig warning when it gets selected by PUNIT_ATOM_DEBUG: warning: (X86_INTEL_LPSS && SND_SST_IPC_ACPI && MMC_SDHCI_ACPI && PUNIT_ATOM_DEBUG) selects IOSF_MBI which has unmet direct dependencies (PCI) This adds another dependency to avoid the warning. Signed-off-by: Arnd Bergmann Cc: Andy Lutomirski Cc: Josh Poimboeuf Cc: Kees Cook Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170719125310.2487451-8-arnd@arndb.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4d3835f64c1f457aa4286a899c960233d683f953 Author: Arnd Bergmann Date: Wed Jul 19 14:53:04 2017 +0200 x86: add MULTIUSER dependency for KVM commit c2ce3f5d89d57301e2756ac325fe2ebc33bfec30 upstream. KVM tries to select 'TASKSTATS', which had additional dependencies: warning: (KVM) selects TASKSTATS which has unmet direct dependencies (NET && MULTIUSER) Signed-off-by: Arnd Bergmann Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit ce0e7ed12eacfa195245b2667a3baf4c5b572f32 Author: Arnd Bergmann Date: Fri Jul 21 18:16:28 2017 +0200 thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies commit 68fd77cf8a4b045594231f07e5fc92e1a34c0a9e upstream. We get a Kconfig warning when selecting this without also enabling CONFIG_PCI: warning: (X86_INTEL_LPSS && INTEL_SOC_DTS_IOSF_CORE && SND_SST_IPC_ACPI && MMC_SDHCI_ACPI && PUNIT_ATOM_DEBUG) selects IOSF_MBI which has unmet direct dependencies (PCI) This adds a new depedency. Fixes: 3a2419f865a6 ("Thermal: Intel SoC: DTS thermal use common APIs") Signed-off-by: Arnd Bergmann Reviewed-by: Srinivas Pandruvada Signed-off-by: Zhang Rui Signed-off-by: Greg Kroah-Hartman commit 149f6f5f5f788cb7a9477c3f7346ac4fff22e4a2 Author: Arnd Bergmann Date: Wed Jul 19 14:53:03 2017 +0200 x86/build: Silence the build with "make -s" commit d460131dd50599e0e9405d5f4ae02c27d529a44a upstream. Every kernel build on x86 will result in some output: Setup is 13084 bytes (padded to 13312 bytes). System is 4833 kB CRC 6d35fa35 Kernel: arch/x86/boot/bzImage is ready (#2) This shuts it up, so that 'make -s' is truely silent as long as everything works. Building without '-s' should produce unchanged output. Signed-off-by: Arnd Bergmann Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170719125310.2487451-6-arnd@arndb.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit c6ce3e85ac8349f6686d9f12fbb4c5fde23fad9d Author: Josh Poimboeuf Date: Wed Jan 18 22:16:55 2017 -0600 tools build: Add tools tree support for 'make -s' commit e572d0887137acfc53f18175522964ec19d88175 upstream. When doing a kernel build with 'make -s', everything is silenced except the objtool build. That's because the tools tree support for silent builds is some combination of missing and broken. Three changes are needed to fix it: - Makefile: propagate '-s' to the sub-make's MAKEFLAGS variable so the tools Makefiles can see it. - tools/scripts/Makefile.include: fix the tools Makefiles' ability to recognize '-s'. The MAKE_VERSION and MAKEFLAGS checks are copied from the top-level Makefile. This silences the "DESCEND objtool" message. - tools/build/Makefile.build: add support to the tools Build files for recognizing '-s'. Again the MAKE_VERSION and MAKEFLAGS checks are copied from the top-level Makefile. This silences all the object compile/link messages. Reported-and-Tested-by: Peter Zijlstra Signed-off-by: Josh Poimboeuf Cc: Jiri Olsa Cc: Michal Marek Link: http://lkml.kernel.org/r/e8967562ef640c3ae9a76da4ae0f4e47df737c34.1484799200.git.jpoimboe@redhat.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit d721427c28d437d30e9e0a6375a17b3c72d53b75 Author: Arnd Bergmann Date: Wed Jul 19 14:53:00 2017 +0200 x86/fpu/math-emu: Fix possible uninitialized variable use commit 75e2f0a6b16141cb347f442033ec907380d4d66e upstream. When building the kernel with "make EXTRA_CFLAGS=...", this overrides the "PARANOID" preprocessor macro defined in arch/x86/math-emu/Makefile, and we run into a build warning: arch/x86/math-emu/reg_compare.c: In function ‘compare_i_st_st’: arch/x86/math-emu/reg_compare.c:254:6: error: ‘f’ may be used uninitialized in this function [-Werror=maybe-uninitialized] This fixes the implementation to work correctly even without the PARANOID flag, and also fixes the Makefile to not use the EXTRA_CFLAGS variable but instead use the ccflags-y variable in the Makefile that is meant for this purpose. Signed-off-by: Arnd Bergmann Cc: Bill Metzenthen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170719125310.2487451-3-arnd@arndb.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 93e482ea8557e91d5944142091193f79e6dfcee8 Author: Arnd Bergmann Date: Tue Mar 14 22:39:21 2017 +0100 arm64: define BUG() instruction without CONFIG_BUG commit f13d52cb3fad03c237572be2ee691e1fe2d1d7bb upstream. This mirrors commit e9c38ceba8d9 ("ARM: 8455/1: define __BUG as asm(BUG_INSTR) without CONFIG_BUG") to make the behavior of arm64 consistent with arm and x86, and avoids lots of warnings in randconfig builds, such as: kernel/seccomp.c: In function '__seccomp_filter': kernel/seccomp.c:666:1: error: no return statement in function returning non-void [-Werror=return-type] Acked-by: Will Deacon Signed-off-by: Arnd Bergmann Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit e2ac5159c5c126f90490305e8de128a5384aef43 Author: Borislav Petkov Date: Mon Jan 23 19:35:06 2017 +0100 x86/ras/inject: Make it depend on X86_LOCAL_APIC=y commit d4b2ac63b0eae461fc10c9791084be24724ef57a upstream. ... and get rid of the annoying: arch/x86/kernel/cpu/mcheck/mce-inject.c:97:13: warning: ‘mce_irq_ipi’ defined but not used [-Wunused-function] when doing randconfig builds. Signed-off-by: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Tony Luck Cc: Yazen Ghannam Cc: linux-edac Link: http://lkml.kernel.org/r/20170123183514.13356-2-bp@alien8.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 583c7f54ad378d41081b551b5f596f445e7b5c9f Author: Arnd Bergmann Date: Mon Oct 24 17:51:55 2016 +0200 scsi: advansys: fix build warning for PCI=n commit f46e7cd36b5f2ce2bfb567e278a10ca717f85b84 upstream. The advansys probe function tries to handle both ISA and PCI cases, each hidden in an #ifdef when unused. This leads to a warning indicating that when PCI is disabled we could be using uninitialized data: drivers/scsi/advansys.c: In function advansys_board_found : drivers/scsi/advansys.c:11036:5: error: ret may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/scsi/advansys.c:10928:28: note: ret was declared here drivers/scsi/advansys.c:11309:8: error: share_irq may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/scsi/advansys.c:10928:6: note: share_irq was declared here This cannot happen in practice because the hardware in question only exists for PCI, but changing the code to just error out here is better for consistency and avoids the warning. Signed-off-by: Arnd Bergmann Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c1273b467ee9fd76ddfd88edc479598815b46c13 Author: Arnd Bergmann Date: Wed Jun 14 12:40:36 2017 +0200 video: fbdev: via: remove possibly unused variables commit 484c7bbf2649831714da3a0fa30213977458e9b5 upstream. When CONFIG_PROC_FS is disabled, we get warnings about unused variables as remove_proc_entry() evaluates to an empty macro. drivers/video/fbdev/via/viafbdev.c: In function 'viafb_remove_proc': drivers/video/fbdev/via/viafbdev.c:1635:4: error: unused variable 'iga2_entry' [-Werror=unused-variable] drivers/video/fbdev/via/viafbdev.c:1634:4: error: unused variable 'iga1_entry' [-Werror=unused-variable] These are easy to avoid by using the pointer from the structure. Signed-off-by: Arnd Bergmann Cc: Florian Tobias Schandinat Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit a5635932ae47ddd13ac25c3cfa9633090c9e56f8 Author: Borislav Petkov Date: Sat Nov 26 17:01:51 2016 +0100 platform/x86: intel_mid_thermal: Fix suspend handlers unused warning commit b4aca383f9afb5f84b05de272656e6d4a919d995 upstream. Fix: drivers/platform/x86/intel_mid_thermal.c:424:12: warning: ‘mid_thermal_resume’ defined but not used [-Wunused-function] static int mid_thermal_resume(struct device *dev) ^ drivers/platform/x86/intel_mid_thermal.c:436:12: warning: ‘mid_thermal_suspend’ defined but not used [-Wunused-function] static int mid_thermal_suspend(struct device *dev) ^ which I see during randbuilds here. Signed-off-by: Borislav Petkov Cc: Darren Hart Cc: platform-driver-x86@vger.kernel.org Reviewed-by: Andy Shevchenko Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 7d38bf9c9d1cfb22c36b5a5692c429e50f390964 Author: Augusto Mecking Caringi Date: Mon Jan 16 14:30:41 2017 +0000 gpio: intel-mid: Fix build warning when !CONFIG_PM commit fbc2a294f29e726787a0f5238b27137904f26b81 upstream. The only usage of function intel_gpio_runtime_idle() is here (in the same file): static const struct dev_pm_ops intel_gpio_pm_ops = { SET_RUNTIME_PM_OPS(NULL, NULL, intel_gpio_runtime_idle) }; And when CONFIG_PM is not set, the macro SET_RUNTIME_PM_OPS expands to nothing, causing the following compiler warning: drivers/gpio/gpio-intel-mid.c:324:12: warning: ‘intel_gpio_runtime_idle’ defined but not used [-Wunused-function] static int intel_gpio_runtime_idle(struct device *dev) Fix it by annotating the function with __maybe_unused. Signed-off-by: Augusto Mecking Caringi Acked-by: Andy Shevchenko Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit d9e7836a880cdf1d1d8584e98909a00edf4ad7de Author: Arnd Bergmann Date: Fri Feb 17 16:08:30 2017 +0100 vmxnet3: prevent building with 64K pages commit fbdf0e28d061708cf18ba0f8e0db5360dc9a15b9 upstream. I got a warning about broken code on ARM64 with 64K pages: drivers/net/vmxnet3/vmxnet3_drv.c: In function 'vmxnet3_rq_init': drivers/net/vmxnet3/vmxnet3_drv.c:1679:29: error: large integer implicitly truncated to unsigned type [-Werror=overflow] rq->buf_info[0][i].len = PAGE_SIZE; 'len' here is a 16-bit integer, so this clearly won't work. I don't think this driver is used much on anything other than x86, so there is no need to fix this properly and we can work around it with a Kconfig dependency to forbid known-broken configurations. qemu in theory supports it on other architectures too, but presumably only for compatibility with x86 guests that also run on vmware. CONFIG_PAGE_SIZE_64KB is used on hexagon, mips, sh and tile, the other symbols are architecture-specific names for the same thing. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9de791d7a5e6d9a581c039c3ae3d566f19ba3847 Author: Arnd Bergmann Date: Wed Mar 2 20:06:45 2016 +0100 isdn: icn: remove a #warning commit 01ed1e1504ac83a8b0b365c9f55d3427babbd7d9 upstream. The icn driver currently produces an unconditional #warning whenever we build it, introduced by Karsten Keil back in 2003: #warning TODO test headroom or use skb->nb to flag ACK Karsten's original commit (from BitKeeper) contains this description: - here are lot of bugs left, so ISDN is not stable yet but I think it's really time to fix it, even if it need some cycles to get it right (normally I'm only send patches if it works 100% for me). - I add some additional #warnings to address places which need fixing (I hope that some of the other ISDN developer jump in) Apparently this has not happened, and it is unlikely that it ever will, given that the driver doesn't seem to work. No substantial bug fixes other than janitorial cleanups have happened in the driver since then, and I see no indication that anyone who patched it had the hardware. We should probably either remove the driver, or remove all of i4l, but for now, this shuts up the distracting #warning by turning it into a comment. Signed-off-by: Arnd Bergmann Link: http://git.meleeweb.net/linux.git/commit/?id=b0deac0886b0056765afd149e9834373b38e096b Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 0c4c9449ab165789daff079a4b123ef07581839c Author: Arnd Bergmann Date: Tue Mar 28 18:46:59 2017 +0200 virtio_balloon: prevent uninitialized variable use commit f0bb2d50dfcc519f06f901aac88502be6ff1df2c upstream. The latest gcc-7.0.1 snapshot reports a new warning: virtio/virtio_balloon.c: In function 'update_balloon_stats': virtio/virtio_balloon.c:258:26: error: 'events[2]' is used uninitialized in this function [-Werror=uninitialized] virtio/virtio_balloon.c:260:26: error: 'events[3]' is used uninitialized in this function [-Werror=uninitialized] virtio/virtio_balloon.c:261:56: error: 'events[18]' is used uninitialized in this function [-Werror=uninitialized] virtio/virtio_balloon.c:262:56: error: 'events[17]' is used uninitialized in this function [-Werror=uninitialized] This seems absolutely right, so we should add an extra check to prevent copying uninitialized stack data into the statistics. >From all I can tell, this has been broken since the statistics code was originally added in 2.6.34. Fixes: 9564e138b1f6 ("virtio: Add memory statistics reporting to the balloon driver (V4)") Signed-off-by: Arnd Bergmann Signed-off-by: Ladi Prosek Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit c70bc19ac90188a71da3417a0d8a464bf091f2b1 Author: Jia-Ju Bai Date: Tue Dec 12 16:49:52 2017 +0800 hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close [ Upstream commit 6e266610eb6553cfb7e7eb5d11914bd01509c406 ] The driver may sleep under a spinlock. The function call path is: rr_close (acquire the spinlock) free_irq --> may sleep To fix it, free_irq is moved to the place without holding the spinlock. This bug is found by my static analysis tool(DSAC) and checked by my code review. Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5959d49f7c740c4b4a79b6273b64cec7374db823 Author: Jan Beulich Date: Tue Dec 12 03:18:11 2017 -0700 xen: XEN_ACPI_PROCESSOR is Dom0-only [ Upstream commit c4f9d9cb2c29ff04c6b4bb09b72802d8aedfc7cb ] Add a respective dependency. Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7b2f5c1c72066f548beecee94323ba0f849fcde9 Author: Karol Herbst Date: Mon Nov 27 08:51:39 2017 +0100 x86/mm/kmmio: Fix mmiotrace for page unaligned addresses [ Upstream commit 6d60ce384d1d5ca32b595244db4077a419acc687 ] If something calls ioremap() with an address not aligned to PAGE_SIZE, the returned address might be not aligned as well. This led to a probe registered on exactly the returned address, but the entire page was armed for mmiotracing. On calling iounmap() the address passed to unregister_kmmio_probe() was PAGE_SIZE aligned by the caller leading to a complete freeze of the machine. We should always page align addresses while (un)registerung mappings, because the mmiotracer works on top of pages, not mappings. We still keep track of the probes based on their real addresses and lengths though, because the mmiotrace still needs to know what are mapped memory regions. Also move the call to mmiotrace_iounmap() prior page aligning the address, so that all probes are unregistered properly, otherwise the kernel ends up failing memory allocations randomly after disabling the mmiotracer. Tested-by: Lyude Signed-off-by: Karol Herbst Acked-by: Pekka Paalanen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Thomas Gleixner Cc: nouveau@lists.freedesktop.org Link: http://lkml.kernel.org/r/20171127075139.4928-1-kherbst@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit aa7dca0a5ae1930839c9a467ef6d90c0b726f630 Author: Dave Young Date: Sat Dec 9 12:16:10 2017 +0800 mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep [ Upstream commit 7f6f60a1ba52538c16f26930bfbcfe193d9d746a ] earlyprintk=efi,keep does not work any more with a warning in mm/early_ioremap.c: WARN_ON(system_state != SYSTEM_BOOTING): Boot just hangs because of the earlyprintk within the earlyprintk implementation code itself. This is caused by a new introduced middle state in: 69a78ff226fe ("init: Introduce SYSTEM_SCHEDULING state") early_ioremap() is fine in both SYSTEM_BOOTING and SYSTEM_SCHEDULING states, original condition should be updated accordingly. Signed-off-by: Dave Young Acked-by: Thomas Gleixner Cc: Linus Torvalds Cc: Peter Zijlstra Cc: bp@suse.de Cc: linux-efi@vger.kernel.org Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20171209041610.GA3249@dhcp-128-65.nay.redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 884438152f585559c253087f1d2d1d0d632d62ca Author: Tobias Jordan Date: Wed Dec 6 14:28:27 2017 +0100 dmaengine: jz4740: disable/unprepare clk if probe fails [ Upstream commit eb9436966fdc84cebdf222952a99898ab46d9bb0 ] in error path of jz4740_dma_probe(), call clk_disable_unprepare() to clean up. Found by Linux Driver Verification project (linuxtesting.org). Fixes: 25ce6c35fea0 MIPS: jz4740: Remove custom DMA API Signed-off-by: Tobias Jordan Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b22c361ea98d9ade1a6055aec27e04c5e9f3342e Author: Russell King Date: Fri Dec 8 12:16:22 2017 +0000 drm/armada: fix leak of crtc structure [ Upstream commit 33cd3c07a976e11c3c4cc6b0b3db6760ad1590c5 ] Fix the leak of the CRTC structure in the failure paths of armada_drm_crtc_create(). Signed-off-by: Russell King Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit cce422b32d74f6009b7111d323347a07e09512aa Author: Steffen Klassert Date: Fri Dec 8 08:07:25 2017 +0100 xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. [ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ] On policies with a transport mode template, we pass the addresses from the flowi to xfrm_state_find(), assuming that the IP addresses (and address family) don't change during transformation. Unfortunately our policy template validation is not strict enough. It is possible to configure policies with transport mode template where the address family of the template does not match the selectors address family. This lead to stack-out-of-bound reads because we compare arddesses of the wrong family. Fix this by refusing such a configuration, address family can not change on transport mode. We use the assumption that, on transport mode, the first templates address family must match the address family of the policy selector. Subsequent transport mode templates must mach the address family of the previous template. Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 227f4fe806eec9aa6130efb0fee8f7a2dd0b1e64 Author: Takuo Koguchi Date: Thu Dec 7 16:20:14 2017 +0900 spi: sun4i: disable clocks in the remove function [ Upstream commit c810daba0ab5226084a56893a789af427a801146 ] mclk and hclk need to be disabled. Since pm_runtime_disable does not disable the clocks, use pm_runtime_force_suspend instead. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Takuo Koguchi Acked-by: Maxime Ripard Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 253e3a668b273546530436a294b0107878883d25 Author: Stefan Potyra Date: Wed Dec 6 16:03:24 2017 +0100 ASoC: rockchip: disable clock on error [ Upstream commit c7b92172a61b91936be985cb9bc499a4ebc6489b ] Disable the clocks in rk_spdif_probe when an error occurs after one of the clocks has been enabled previously. Found by Linux Driver Verification project (linuxtesting.org). Fixes: f874b80e1571 ASoC: rockchip: Add rockchip SPDIF transceiver driver Signed-off-by: Stefan Potyra Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dc97e9ecd86d7e02cd5449d7aa43810346693eef Author: Cai Li Date: Tue Nov 21 17:24:38 2017 +0800 clk: fix a panic error caused by accessing NULL pointer [ Upstream commit 975b820b6836b6b6c42fb84cd2e772e2b41bca67 ] In some cases the clock parent would be set NULL when doing re-parent, it will cause a NULL pointer accessing if clk_set trace event is enabled. This patch sets the parent as "none" if the input parameter is NULL. Fixes: dfc202ead312 (clk: Add tracepoints for hardware operations) Signed-off-by: Cai Li Signed-off-by: Chunyan Zhang Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 343bf423341ca284008c328f3029fa1bdaa531fe Author: Gustavo A. R. Silva Date: Mon Nov 20 08:28:14 2017 -0600 dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved [ Upstream commit 62a277d43d47e74972de44d33bd3763e31992414 ] _xt_ is being dereferenced before it is null checked, hence there is a potential null pointer dereference. Fix this by moving the pointer dereference after _xt_ has been null checked. This issue was detected with the help of Coccinelle. Fixes: 4483320e241c ("dmaengine: Use Pointer xt after NULL check.") Signed-off-by: Gustavo A. R. Silva Acked-by: Ludovic Desroches Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit da4bb3d1c4d2590923b5cf41fc7cd812568f614a Author: Christophe JAILLET Date: Fri Nov 17 22:37:53 2017 +0100 dmaengine: ioat: Fix error handling path [ Upstream commit 5c9afbda911ce20b3f2181d1e440a0222e1027dd ] If the last test in 'ioat_dma_self_test()' fails, we must release all the allocated resources and not just part of them. Signed-off-by: Christophe JAILLET Acked-by: Dave Jiang Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a7fbdc8875a676b9ddef27b0149b4a686725fca8 Author: Eric Biggers Date: Fri Dec 8 15:13:28 2017 +0000 509: fix printing uninitialized stack memory when OID is empty [ Upstream commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 ] Callers of sprint_oid() do not check its return value before printing the result. In the case where the OID is zero-length, -EBADMSG was being returned without anything being written to the buffer, resulting in uninitialized stack memory being printed. Fix this by writing "(bad)" to the buffer in the cases where -EBADMSG is returned. Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings") Signed-off-by: Eric Biggers Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 6fdf5856c6a513a6b2ea37c0fed2b1450e611be6 Author: Nikolay Borisov Date: Fri Dec 1 11:19:42 2017 +0200 btrfs: Fix possible off-by-one in btrfs_search_path_in_tree [ Upstream commit c8bcbfbd239ed60a6562964b58034ac8a25f4c31 ] The name char array passed to btrfs_search_path_in_tree is of size BTRFS_INO_LOOKUP_PATH_MAX (4080). So the actual accessible char indexes are in the range of [0, 4079]. Currently the code uses the define but this represents an off-by-one. Implications: Size of btrfs_ioctl_ino_lookup_args is 4096, so the new byte will be written to extra space, not some padding that could be provided by the allocator. btrfs-progs store the arguments on stack, but kernel does own copy of the ioctl buffer and the off-by-one overwrite does not affect userspace, but the ending 0 might be lost. Kernel ioctl buffer is allocated dynamically so we're overwriting somebody else's memory, and the ioctl is privileged if args.objectid is not 256. Which is in most cases, but resolving a subvolume stored in another directory will trigger that path. Before this patch the buffer was one byte larger, but then the -1 was not added. Fixes: ac8e9819d71f907 ("Btrfs: add search and inode lookup ioctls") Signed-off-by: Nikolay Borisov Reviewed-by: David Sterba [ added implications ] Signed-off-by: David Sterba Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 27d2bda4f592e1cc838d93f1d94eb8ddb372fceb Author: Nogah Frankel Date: Mon Dec 4 13:31:11 2017 +0200 net_sched: red: Avoid illegal values [ Upstream commit 8afa10cbe281b10371fee5a87ab266e48d71a7f9 ] Check the qmin & qmax values doesn't overflow for the given Wlog value. Check that qmin <= qmax. Fixes: a783474591f2 ("[PKT_SCHED]: Generic RED layer") Signed-off-by: Nogah Frankel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ba51edae4b38ed49fafd7276440b43faf5cde29e Author: Nogah Frankel Date: Mon Dec 4 13:31:10 2017 +0200 net_sched: red: Avoid devision by zero [ Upstream commit 5c472203421ab4f928aa1ae9e1dbcfdd80324148 ] Do not allow delta value to be zero since it is used as a divisor. Fixes: 8af2a218de38 ("sch_red: Adaptative RED AQM") Signed-off-by: Nogah Frankel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 034317d43f532e0678eaf0701e692ff4cc436186 Author: Zumeng Chen Date: Mon Dec 4 11:22:02 2017 +0800 gianfar: fix a flooded alignment reports because of padding issue. [ Upstream commit 58117672943734715bbe7565ac9f062effa524f0 ] According to LS1021A RM, the value of PAL can be set so that the start of the IP header in the receive data buffer is aligned to a 32-bit boundary. Normally, setting PAL = 2 provides minimal padding to ensure such alignment of the IP header. However every incoming packet's 8-byte time stamp will be inserted into the packet data buffer as padding alignment bytes when hardware time stamping is enabled. So we set the padding 8+2 here to avoid the flooded alignment faults: root@128:~# cat /proc/cpu/alignment User: 0 System: 17539 (inet_gro_receive+0x114/0x2c0) Skipped: 0 Half: 0 Word: 0 DWord: 0 Multi: 17539 User faults: 2 (fixup) Also shown when exception report enablement CPU: 0 PID: 161 Comm: irq/66-eth1_g0_ Not tainted 4.1.21-rt13-WR8.0.0.0_preempt-rt #16 Hardware name: Freescale LS1021A [<8001b420>] (unwind_backtrace) from [<8001476c>] (show_stack+0x20/0x24) [<8001476c>] (show_stack) from [<807cfb48>] (dump_stack+0x94/0xac) [<807cfb48>] (dump_stack) from [<80025d70>] (do_alignment+0x720/0x958) [<80025d70>] (do_alignment) from [<80009224>] (do_DataAbort+0x40/0xbc) [<80009224>] (do_DataAbort) from [<80015398>] (__dabt_svc+0x38/0x60) Exception stack(0x86ad1cc0 to 0x86ad1d08) 1cc0: f9b3e080 86b3d072 2d78d287 00000000 866816c0 86b3d05e 86e785d0 00000000 1ce0: 00000011 0000000e 80840ab0 86ad1d3c 86ad1d08 86ad1d08 806d7fc0 806d806c 1d00: 40070013 ffffffff [<80015398>] (__dabt_svc) from [<806d806c>] (inet_gro_receive+0x114/0x2c0) [<806d806c>] (inet_gro_receive) from [<80660eec>] (dev_gro_receive+0x21c/0x3c0) [<80660eec>] (dev_gro_receive) from [<8066133c>] (napi_gro_receive+0x44/0x17c) [<8066133c>] (napi_gro_receive) from [<804f0538>] (gfar_clean_rx_ring+0x39c/0x7d4) [<804f0538>] (gfar_clean_rx_ring) from [<804f0bf4>] (gfar_poll_rx_sq+0x58/0xe0) [<804f0bf4>] (gfar_poll_rx_sq) from [<80660b10>] (net_rx_action+0x27c/0x43c) [<80660b10>] (net_rx_action) from [<80033638>] (do_current_softirqs+0x1e0/0x3dc) [<80033638>] (do_current_softirqs) from [<800338c4>] (__local_bh_enable+0x90/0xa8) [<800338c4>] (__local_bh_enable) from [<8008025c>] (irq_forced_thread_fn+0x70/0x84) [<8008025c>] (irq_forced_thread_fn) from [<800805e8>] (irq_thread+0x16c/0x244) [<800805e8>] (irq_thread) from [<8004e490>] (kthread+0xe8/0x104) [<8004e490>] (kthread) from [<8000fda8>] (ret_from_fork+0x14/0x2c) Signed-off-by: Zumeng Chen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 529bbbe4817e5f9ee0faaa82ffb6fdda7842400d Author: Stefan Haberland Date: Thu Oct 26 14:37:35 2017 +0200 s390/dasd: prevent prefix I/O error [ Upstream commit da340f921d3454f1521671c7a5a43ad3331fbe50 ] Prevent that a prefix flag is set based on invalid configuration data. The validity.verify_base flag should only be set for alias devices. Usually the unit address type is either one of base, PAV alias or HyperPAV alias. But in cases where the unit address type is not set or any other value the validity.verify_base flag might be set as well. This would lead to follow on errors. Explicitly check for alias devices and set the validity flag only for them. Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ca20b875a9e2c2730240cecb40875f89a3a4355d Author: Ravi Bangoria Date: Thu Nov 30 14:03:22 2017 +0530 powerpc/perf: Fix oops when grouping different pmu events [ Upstream commit 5aa04b3eb6fca63d2e9827be656dcadc26d54e11 ] When user tries to group imc (In-Memory Collections) event with normal event, (sometime) kernel crashes with following log: Faulting instruction address: 0x00000000 [link register ] c00000000010ce88 power_check_constraints+0x128/0x980 ... c00000000010e238 power_pmu_event_init+0x268/0x6f0 c0000000002dc60c perf_try_init_event+0xdc/0x1a0 c0000000002dce88 perf_event_alloc+0x7b8/0xac0 c0000000002e92e0 SyS_perf_event_open+0x530/0xda0 c00000000000b004 system_call+0x38/0xe0 'event_base' field of 'struct hw_perf_event' is used as flags for normal hw events and used as memory address for imc events. While grouping these two types of events, collect_events() tries to interpret imc 'event_base' as a flag, which causes a corruption resulting in a crash. Consider only those events which belongs to 'perf_hw_context' in collect_events(). Signed-off-by: Ravi Bangoria Reviewed-By: Madhavan Srinivasan Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5a87feefe4969b9ae9c359463337d0741dc2b520 Author: Gao Feng Date: Fri Dec 1 09:58:42 2017 +0800 ipvlan: Add the skb->mark as flow4's member to lookup route [ Upstream commit a98a4ebc8c61d20f0150d6be66e0e65223a347af ] Current codes don't use skb->mark to assign flowi4_mark, it would make the policy route rule with fwmark doesn't work as expected. Signed-off-by: Gao Feng Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 19ff1dfd2cc3fbd7a8e5b0d0d78d8d54b950038e Author: Will Deacon Date: Wed Nov 29 15:20:03 2017 +0000 scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none [ Upstream commit e814bccbafece52a24e152d2395b5d49eef55841 ] My bisect scripts starting running into build failures when trying to compile 4.15-rc1 with the builds failing with things like: drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:2078: error: Cannot parse struct or union! The line in question is actually just a #define, but after some digging it turns out that my scripts pass W=1 and since commit 3a025e1d1c2ea ("Add optional check for bad kernel-doc comments") that results in kernel-doc running on each source file. The file in question has a badly formatted comment immediately before the #define: /** * struct brcmf_skbuff_cb reserves first two bytes in sk_buff::cb for * bus layer usage. */ which causes the regex in dump_struct to fail (lack of braces following struct declaration) and kernel-doc returns 1, which causes the build to fail. Fix the issue by always returning 0 from kernel-doc when invoked with -none. It successfully generates no documentation, and prints out any issues. Cc: Matthew Wilcox Cc: Jonathan Corbet Signed-off-by: Will Deacon Signed-off-by: Jonathan Corbet Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a09498d0eb54a52e9dd6e8e56e7a7b14072a2b0b Author: Moni Shoua Date: Sun Nov 26 20:23:54 2017 +0200 RDMA/cma: Make sure that PSN is not over max allowed [ Upstream commit 23a9cd2ad90543e9da3786878d2b2729c095439d ] This patch limits the initial value for PSN to 24 bits as spec requires. Signed-off-by: Moni Shoua Signed-off-by: Mukesh Kacker Signed-off-by: Daniel Jurgens Reviewed-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2970ecd18415d55abcc469e32592e231f1eb132e Author: Andre Przywara Date: Sat Nov 25 12:19:48 2017 +0000 pinctrl: sunxi: Fix A80 interrupt pin bank [ Upstream commit 6ad4cc8d1ac483e0fd33f605fb2788b0ecf51ed4 ] On the A80 the pins on port B can trigger interrupts, and those are assigned to the second interrupt bank. Having two pins assigned to the same interrupt bank/pin combination does not look healthy (instead more like a copy&paste bug from pins PA14-PA16), so fix the interrupt bank for pins PB14-PB16, which is actually 1. I don't have any A80 board, so could not test this. Fixes: d5e9fb31baa2 ("pinctrl: sunxi: Add A80 pinctrl muxing options") Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 010b29406c06fb93cff78d73efae90ef6ad9efcd Author: Mauro Carvalho Chehab Date: Wed Nov 29 08:44:41 2017 -0500 media: s5k6aa: describe some function parameters [ Upstream commit 070250a1715cee2297de0d9e7e2cea58be999d37 ] as warned: drivers/media/i2c/s5k6aa.c:429: warning: No description found for parameter 's5k6aa' drivers/media/i2c/s5k6aa.c:679: warning: No description found for parameter 's5k6aa' drivers/media/i2c/s5k6aa.c:733: warning: No description found for parameter 's5k6aa' drivers/media/i2c/s5k6aa.c:733: warning: No description found for parameter 'preset' drivers/media/i2c/s5k6aa.c:787: warning: No description found for parameter 'sd' Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d08d292b3300d383157c1b547d4cb97388a550c0 Author: Satheesh Rajendran Date: Wed Nov 22 22:13:53 2017 +0530 perf bench numa: Fixup discontiguous/sparse numa nodes [ Upstream commit 321a7c35c90cc834851ceda18a8ee18f1d032b92 ] Certain systems are designed to have sparse/discontiguous nodes. On such systems, 'perf bench numa' hangs, shows wrong number of nodes and shows values for non-existent nodes. Handle this by only taking nodes that are exposed by kernel to userspace. Signed-off-by: Satheesh Rajendran Reviewed-by: Srikar Dronamraju Acked-by: Naveen N. Rao Link: http://lkml.kernel.org/r/1edbcd353c009e109e93d78f2f46381930c340fe.1511368645.git.sathnaga@linux.vnet.ibm.com Signed-off-by: Balamuruhan S Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 01656ec6d986252a989a8f571d509ccfbd45332d Author: Jiri Olsa Date: Tue Nov 14 10:23:39 2017 +0100 perf top: Fix window dimensions change handling [ Upstream commit 89d0aeab4252adc2a7ea693637dd21c588bfa2d1 ] The stdio perf top crashes when we change the terminal window size. The reason is that we assumed we get the perf_top pointer as a signal handler argument which is not the case. Changing the SIGWINCH handler logic to change global resize variable, which is checked in the main thread loop. Signed-off-by: Jiri Olsa Tested-by: Arnaldo Carvalho de Melo Tested-by: Ravi Bangoria Cc: Adrian Hunter Cc: Andi Kleen Cc: David Ahern Cc: Namhyung Kim Cc: Wang Nan Link: http://lkml.kernel.org/n/tip-ysuzwz77oev1ftgvdscn9bpu@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1d2905b09771c3dc6234dcf0b80f8bfdf91c7a73 Author: Peter Ujfalusi Date: Wed Nov 1 11:03:31 2017 +0200 ARM: dts: am4372: Correct the interrupts_properties of McASP [ Upstream commit 627395a6f8091c0aa18f49dca7df59ba3ec147ef ] Fixes the following warnings: arch/arm/boot/dts/am437x-cm-t43.dtb: Warning (interrupts_property): interrupts size is (8), expected multiple of 12 in /ocp@44000000/mcasp@48038000 arch/arm/boot/dts/am437x-cm-t43.dtb: Warning (interrupts_property): interrupts size is (8), expected multiple of 12 in /ocp@44000000/mcasp@4803C000 Signed-off-by: Peter Ujfalusi Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ffb47e3a6101c36638ab467a27dfd509a563e149 Author: Tony Lindgren Date: Fri Nov 17 08:56:58 2017 -0800 ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen [ Upstream commit cf87634c8b24e24bf379b8c6807c8b0fb5f23567 ] There's been a reproducable USB OHCI/EHCI cpuidle related hang on omap4 for a while that happens after about 20 - 40 minutes on an idle system with some data feeding device being connected, like a USB GPS device or a cellular modem. This issue happens in cpuidle states C2 and C3 and does not happen if cpuidle is limited to C1 state only. The symptoms are that the whole system hangs and never wakes up from idle, and if a watchdog is configured the system reboots after a while. Turns out that OHCI/EHCI devices on omap4 are trying to use the GIC interrupt controller directly as a parent instead of the WUGEN. We need to pass the interrupts through WUGEN to GIC to provide the wakeup events for the processor. Let's fix the issue by removing the gic interrupt-parent and use the default interrupt-parent wakeupgen instead. Note that omap5.dtsi had this already fixes earlier by commit 7136d457f365 ("ARM: omap: convert wakeupgen to stacked domains") but we somehow missed omap4 at that point. Fixes: 7136d457f365 ("ARM: omap: convert wakeupgen to stacked domains") Cc: Dave Gerlach Cc: Nishanth Menon Cc: Marc Zyngier Cc: Sebastian Reichel Reviewed-by: Roger Quadros Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8d9fd11f8a806999eb100a08e38fa3dec2beb3c6 Author: Keerthy Date: Fri Nov 10 16:56:52 2017 +0530 ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function [ Upstream commit b6d6af7226465b6d11eac09d0be2ab78a4a9eb62 ] Referring TRM Am335X series: http://www.ti.com/lit/ug/spruh73p/spruh73p.pdf The LastPowerStateEntered bitfield is present only for PM_CEFUSE domain. This is not present in any of the other power domains. Hence remove the generic am33xx_pwrdm_read_prev_pwrst hook which wrongly reads the reserved bit fields for all the other power domains. Reading the reserved bits leads to wrongly interpreting the low power transitions for various power domains that do not have the LastPowerStateEntered field. The pm debug counters values are wrong currently as we are incrementing them based on the reserved bits. Signed-off-by: Keerthy Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7780d2af34151493afc17101ebce0ada2d6979e2 Author: Tony Lindgren Date: Mon Nov 27 08:57:26 2017 -0800 ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context [ Upstream commit d09220a887f70368afa79e850c95e74890c0a32d ] With the CMA changes from Joonsoo Kim , it was noticed that n900 stopped booting. After investigating it turned out that n900 save_secure_ram_context does some whacky virtual to physical address translation for the SRAM data address. As we now only have minimal parts of omap3 idle code copied to SRAM, running save_secure_ram_context() in SRAM is not needed. It only gets called on PM init. And it seems there's no need to ever call this from SRAM idle code. So let's just keep save_secure_ram_context() in DDR, and pass it the physical address of the parameters. We can do everything else in omap-secure.c like we already do for other secure code. And since we don't have any documentation, I still have no clue what the values for 0, 1 and 1 for the parameters might be. If somebody has figured it out, please do send a patch to add some comments. Debugged-by: Joonsoo Kim Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d0ee2dfab1d7405d2ef15b470cf5fdad223cdb6d Author: Randy Dunlap Date: Fri Nov 17 11:00:45 2017 -0800 usb: build drivers/usb/common/ when USB_SUPPORT is set [ Upstream commit c9d24f78268be444e803fb2bb138a2f598de9c23 ] PHY drivers can use ULPI interfaces when CONFIG_USB (which is host side support) is not enabled, so also build drivers/usb/ when CONFIG_USB_SUPPORT is enabled so that drivers/usb/common/ is built. ERROR: "ulpi_unregister_driver" [drivers/phy/ti/phy-tusb1210.ko] undefined! ERROR: "__ulpi_register_driver" [drivers/phy/ti/phy-tusb1210.ko] undefined! ERROR: "ulpi_read" [drivers/phy/ti/phy-tusb1210.ko] undefined! ERROR: "ulpi_write" [drivers/phy/ti/phy-tusb1210.ko] undefined! ERROR: "ulpi_unregister_driver" [drivers/phy/qualcomm/phy-qcom-usb-hs.ko] undefined! ERROR: "__ulpi_register_driver" [drivers/phy/qualcomm/phy-qcom-usb-hs.ko] undefined! ERROR: "ulpi_write" [drivers/phy/qualcomm/phy-qcom-usb-hs.ko] undefined! Signed-off-by: Randy Dunlap Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a909d246e00574cfb93d995747ac16c6bf80558c Author: Shuah Khan Date: Fri Jan 26 11:56:50 2018 -0700 usbip: keep usbip_device sockfd state in sync with tcp_socket commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream. Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket is reset to null, reset sockfd to -1 to keep it in sync. Signed-off-by: Shuah Khan Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 67315b2b2905f99da06f58debeac81da09a92d36 Author: Alexandru Ardelean Date: Mon Jan 22 11:53:12 2018 +0200 staging: iio: adc: ad7192: fix external frequency setting commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream. The external clock frequency was set only when selecting the internal clock, which is fixed at 4.9152 Mhz. This is incorrect, since it should be set when any of the external clock or crystal settings is selected. Added range validation for the external (crystal/clock) frequency setting. Valid values are between 2.4576 and 5.12 Mhz. Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 83c76f2c50f197d1d827ec057f064bcaf13d22d1 Author: Eric Biggers Date: Tue Jan 30 23:11:24 2018 -0800 binder: check for binder_thread allocation failure in binder_poll() commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream. If the kzalloc() in binder_get_thread() fails, binder_poll() dereferences the resulting NULL pointer. Fix it by returning POLLERR if the memory allocation failed. This bug was found by syzkaller using fault injection. Reported-by: syzbot Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman commit 74d1cc277e8bdb3d6ee6e12a989ba059e8be9431 Author: Ben Hutchings Date: Sun Feb 4 02:06:27 2018 +0000 staging: android: ashmem: Fix a race condition in pin ioctls commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream. ashmem_pin_unpin() reads asma->file and asma->size before taking the ashmem_mutex, so it can race with other operations that modify them. Build-tested only. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 32faf7d68aab33956a522624d0ed8fc8fdf13150 Author: Paolo Abeni Date: Thu Feb 15 16:59:49 2018 +0100 dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock commit dfec091439bb2acf763497cfc58f2bdfc67c56b7 upstream. After commit 3f34cfae1238 ("netfilter: on sockopt() acquire sock lock only in the required scope"), the caller of nf_{get/set}sockopt() must not hold any lock, but, in such changeset, I forgot to cope with DECnet. This commit addresses the issue moving the nf call outside the lock, in the dn_{get,set}sockopt() with the same schema currently used by ipv4 and ipv6. Also moves the unhandled sockopts of the end of the main switch statements, to improve code readability. Reported-by: Petr Vandrovec BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198791#c2 Fixes: 3f34cfae1238 ("netfilter: on sockopt() acquire sock lock only in the required scope") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ecac3b72af82e1ebdf24671e9fb75a09f47117ef Author: Dave Jones Date: Mon Mar 21 18:37:22 2016 -0400 Make DST_CACHE a silent config option commit 9b246841f4041f85265dec5f769c017fc36a0d33 upstream. commit 911362c70d ("net: add dst_cache support") added a new kconfig option that gets selected by other networking options. It seems the intent wasn't to offer this as a user-selectable option given the lack of help text, so this patch converts it to a silent option. Signed-off-by: Dave Jones Signed-off-by: David S. Miller Cc: Paolo Abeni Cc: Signed-off-by: Greg Kroah-Hartman commit 5683797eb99d5662ba7c67414ab63f1406fb452b Author: Arnd Bergmann Date: Wed Jan 10 22:06:48 2018 +0100 arm64: dts: add #cooling-cells to CPU nodes commit acbf76ee05067c3942852019993f7beb69a0f45f upstream. dtc complains about the lack of #coolin-cells properties for the CPU nodes that are referred to as "cooling-device": arch/arm64/boot/dts/mediatek/mt8173-evb.dtb: Warning (cooling_device_property): Missing property '#cooling-cells' in node /cpus/cpu@0 or bad phandle (referred from /thermal-zones/cpu_thermal/cooling-maps/map@0:cooling-device[0]) arch/arm64/boot/dts/mediatek/mt8173-evb.dtb: Warning (cooling_device_property): Missing property '#cooling-cells' in node /cpus/cpu@100 or bad phandle (referred from /thermal-zones/cpu_thermal/cooling-maps/map@1:cooling-device[0]) Apparently this property must be '<2>' to match the binding. Signed-off-by: Arnd Bergmann Tested-by: Chunfeng Yun Signed-off-by: Olof Johansson [arnd: backported to 4.15] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 1289a793371640d5770c71f71aebf17bb3d6bcd0 Author: Arnd Bergmann Date: Mon Jan 15 17:04:22 2018 +0100 video: fbdev/mmp: add MODULE_LICENSE commit c1530ac5a3ce93a1f02adabc4508b5fbf862dfe2 upstream. Kbuild complains about the lack of a license tag in this driver: WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/mmp/mmp_disp.o This adds the license, author and description tags. Signed-off-by: Arnd Bergmann Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit 33180fe1d84a4c1da7124ba9b6f31c114ccac124 Author: Arnd Bergmann Date: Wed Jan 10 17:34:45 2018 +0100 ASoC: ux500: add MODULE_LICENSE tag commit 1783c9d7cb7bc3181b9271665959b87280d98d8e upstream. This adds MODULE_LICENSE/AUTHOR/DESCRIPTION tags to the ux500 platform drivers, to avoid these build warnings: WARNING: modpost: missing MODULE_LICENSE() in sound/soc/ux500/snd-soc-ux500-plat-dma.o WARNING: modpost: missing MODULE_LICENSE() in sound/soc/ux500/snd-soc-ux500-mach-mop500.o The company no longer exists, so the email addresses of the authors don't work any more, but I've added them anyway for consistency. Signed-off-by: Arnd Bergmann Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c1eb38748c284e318699ae2d35b53ef7308fcd9d Author: Willem de Bruijn Date: Tue Dec 12 11:39:04 2017 -0500 net: avoid skb_warn_bad_offload on IS_ERR commit 8d74e9f88d65af8bb2e095aff506aa6eac755ada upstream. skb_warn_bad_offload warns when packets enter the GSO stack that require skb_checksum_help or vice versa. Do not warn on arbitrary bad packets. Packet sockets can craft many. Syzkaller was able to demonstrate another one with eth_type games. In particular, suppress the warning when segmentation returns an error, which is for reasons other than checksum offload. See also commit 36c92474498a ("net: WARN if skb_checksum_help() is called on skb requiring segmentation") for context on this warning. Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4b1932a19b9d2e09ee1a45c90fb43e1e72928032 Author: Cong Wang Date: Mon Feb 5 14:41:45 2018 -0800 netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert commit 7dc68e98757a8eccf8ca7a53a29b896f1eef1f76 upstream. rateest_hash is supposed to be protected by xt_rateest_mutex, and, as suggested by Eric, lookup and insert should be atomic, so we should acquire the xt_rateest_mutex once for both. So introduce a non-locking helper for internal use and keep the locking one for external. Reported-by: Fixes: 5859034d7eb8 ("[NETFILTER]: x_tables: add RATEEST target") Signed-off-by: Cong Wang Reviewed-by: Florian Westphal Reviewed-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 622cdb9c9ec86aedc527f0c669884e223b7a3ef5 Author: Paolo Abeni Date: Tue Jan 30 19:01:40 2018 +0100 netfilter: on sockopt() acquire sock lock only in the required scope commit 3f34cfae1238848fd53f25e5c8fd59da57901f4b upstream. Syzbot reported several deadlocks in the netfilter area caused by rtnl lock and socket lock being acquired with a different order on different code paths, leading to backtraces like the following one: ====================================================== WARNING: possible circular locking dependency detected 4.15.0-rc9+ #212 Not tainted ------------------------------------------------------ syzkaller041579/3682 is trying to acquire lock: (sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>] lock_sock include/net/sock.h:1463 [inline] (sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 but task is already holding lock: (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (rtnl_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607 tee_tg_check+0x1a0/0x280 net/netfilter/xt_TEE.c:106 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845 check_target net/ipv6/netfilter/ip6_tables.c:538 [inline] find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:580 translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749 do_replace net/ipv6/netfilter/ip6_tables.c:1165 [inline] do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1691 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 entry_SYSCALL_64_fastpath+0x29/0xa0 -> #0 (sk_lock-AF_INET6){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 lock_sock_nested+0xc2/0x110 net/core/sock.c:2780 lock_sock include/net/sock.h:1463 [inline] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 entry_SYSCALL_64_fastpath+0x29/0xa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(rtnl_mutex); lock(sk_lock-AF_INET6); lock(rtnl_mutex); lock(sk_lock-AF_INET6); *** DEADLOCK *** 1 lock held by syzkaller041579/3682: #0: (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 The problem, as Florian noted, is that nf_setsockopt() is always called with the socket held, even if the lock itself is required only for very tight scopes and only for some operation. This patch addresses the issues moving the lock_sock() call only where really needed, namely in ipv*_getorigdst(), so that nf_setsockopt() does not need anymore to acquire both locks. Fixes: 22265a5c3c10 ("netfilter: xt_TEE: resolve oif using netdevice notifiers") Reported-by: syzbot+a4c2dc980ac1af699b36@syzkaller.appspotmail.com Suggested-by: Florian Westphal Signed-off-by: Paolo Abeni Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 1eda32ca09cf593d096a0038ebc239ba889faf70 Author: Dmitry Vyukov Date: Tue Jan 30 15:21:34 2018 +0100 netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() commit 1a38956cce5eabd7b74f94bab70265e4df83165e upstream. Commit 136e92bbec0a switched local_nodes from an array to a bitmask but did not add proper bounds checks. As the result clusterip_config_init_nodelist() can both over-read ipt_clusterip_tgt_info.local_nodes and over-write clusterip_config.local_nodes. Add bounds checks for both. Fixes: 136e92bbec0a ("[NETFILTER] CLUSTERIP: use a bitmap to store node responsibility data") Signed-off-by: Dmitry Vyukov Reported-by: syzbot Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 4556b01a0a559ee8fec3615acb47b8825f8e2ba9 Author: Eric Dumazet Date: Wed Jan 24 17:16:09 2018 -0800 netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} commit da17c73b6eb74aad3c3c0654394635675b623b3e upstream. It looks like syzbot found its way into netfilter territory. Issue here is that @name comes from user space and might not be null terminated. Out-of-bound reads happen, KASAN is not happy. v2 added similar fix for xt_request_find_target(), as Florian advised. Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 9626ac658a19f9863da04c0727e0b5c32175cc04 Author: Dmitry Vyukov Date: Thu Dec 28 09:48:54 2017 +0100 netfilter: x_tables: fix int overflow in xt_alloc_table_info() commit 889c604fd0b5f6d3b8694ade229ee44124de1127 upstream. syzkaller triggered OOM kills by passing ipt_replace.size = -1 to IPT_SO_SET_REPLACE. The root cause is that SMP_ALIGN() in xt_alloc_table_info() causes int overflow and the size check passes when it should not. SMP_ALIGN() is no longer needed leftover. Remove SMP_ALIGN() call in xt_alloc_table_info(). Reported-by: syzbot+4396883fa8c4f64e0175@syzkaller.appspotmail.com Signed-off-by: Dmitry Vyukov Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 9435c32b3763c829abf245b30c28ef3e5087907a Author: Wanpeng Li Date: Wed Dec 13 10:46:40 2017 +0100 KVM: x86: fix escape of guest dr6 to the host commit efdab992813fb2ed825745625b83c05032e9cda2 upstream. syzkaller reported: WARNING: CPU: 0 PID: 12927 at arch/x86/kernel/traps.c:780 do_debug+0x222/0x250 CPU: 0 PID: 12927 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #16 RIP: 0010:do_debug+0x222/0x250 Call Trace: <#DB> debug+0x3e/0x70 RIP: 0010:copy_user_enhanced_fast_string+0x10/0x20 _copy_from_user+0x5b/0x90 SyS_timer_create+0x33/0x80 entry_SYSCALL_64_fastpath+0x23/0x9a The testcase sets a watchpoint (with perf_event_open) on a buffer that is passed to timer_create() as the struct sigevent argument. In timer_create(), copy_from_user()'s rep movsb triggers the BP. The testcase also sets the debug registers for the guest. However, KVM only restores host debug registers when the host has active watchpoints, which triggers a race condition when running the testcase with multiple threads. The guest's DR6.BS bit can escape to the host before another thread invokes timer_create(), and do_debug() complains. The fix is to respect do_debug()'s dr6 invariant when leaving KVM. Reported-by: Dmitry Vyukov Cc: Paolo Bonzini Cc: Radim Krčmář Cc: David Hildenbrand Cc: Dmitry Vyukov Reviewed-by: David Hildenbrand Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit 6bfbf2aacb212002e774bb586dd2d0edfd470077 Author: Eric Biggers Date: Mon Dec 18 16:40:26 2017 -0800 crypto: x86/twofish-3way - Fix %rbp usage commit d8c7fe9f2a486a6e5f0d5229ca43807af5ab22c6 upstream. Using %rbp as a temporary register breaks frame pointer convention and breaks stack traces when unwinding from an interrupt in the crypto code. In twofish-3way, we can't simply replace %rbp with another register because there are none available. Instead, we use the stack to hold the values that %rbp, %r11, and %r12 were holding previously. Each of these values represents the half of the output from the previous Feistel round that is being passed on unchanged to the following round. They are only used once per round, when they are exchanged with %rax, %rbx, and %rcx. As a result, we free up 3 registers (one per block) and can reassign them so that %rbp is not used, and additionally %r14 and %r15 are not used so they do not need to be saved/restored. There may be a small overhead caused by replacing 'xchg REG, REG' with the needed sequence 'mov MEM, REG; mov REG, MEM; mov REG, REG' once per round. But, counterintuitively, when I tested "ctr-twofish-3way" on a Haswell processor, the new version was actually about 2% faster. (Perhaps 'xchg' is not as well optimized as plain moves.) Reported-by: syzbot Signed-off-by: Eric Biggers Reviewed-by: Josh Poimboeuf Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 002924ab7b023d16d3291d5ae600c49cebed1c59 Author: Paul Moore Date: Tue Dec 5 17:17:43 2017 -0500 selinux: skip bounded transition processing if the policy isn't loaded commit 4b14752ec4e0d87126e636384cf37c8dd9df157c upstream. We can't do anything reasonable in security_bounded_transition() if we don't have a policy loaded, and in fact we could run into problems with some of the code inside expecting a policy. Fix these problems like we do many others in security/selinux/ss/services.c by checking to see if the policy is loaded (ss_initialized) and returning quickly if it isn't. Reported-by: syzbot Signed-off-by: Paul Moore Acked-by: Stephen Smalley Reviewed-by: James Morris Signed-off-by: Greg Kroah-Hartman commit d6233121d5ed6c7ff250b146666b73f29d5c0a1c Author: Paul Moore Date: Tue Nov 28 18:51:12 2017 -0500 selinux: ensure the context is NUL terminated in security_context_to_sid_core() commit ef28df55ac27e1e5cd122e19fa311d886d47a756 upstream. The syzbot/syzkaller automated tests found a problem in security_context_to_sid_core() during early boot (before we load the SELinux policy) where we could potentially feed context strings without NUL terminators into the strcmp() function. We already guard against this during normal operation (after the SELinux policy has been loaded) by making a copy of the context strings and explicitly adding a NUL terminator to the end. The patch extends this protection to the early boot case (no loaded policy) by moving the context copy earlier in security_context_to_sid_core(). Reported-by: syzbot Signed-off-by: Paul Moore Reviewed-By: William Roberts Signed-off-by: Greg Kroah-Hartman commit 4dbb8e38a1aad1b2ac4abb2a6486d7f2c91a2248 Author: David Howells Date: Tue Jul 4 17:25:02 2017 +0100 Provide a function to create a NUL-terminated string from unterminated data commit f35157417215ec138c920320c746fdb3e04ef1d5 upstream. Provide a function, kmemdup_nul(), that will create a NUL-terminated string from an unterminated character array where the length is known in advance. This is better than kstrndup() in situations where we already know the string length as the strnlen() in kstrndup() is superfluous. Signed-off-by: David Howells Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 016cf65fbd1c8acd267e118e536cdb888adbaf78 Author: Chris Wilson Date: Tue Oct 31 11:55:35 2017 +0000 drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all commit d18d1a5ac811d12f7ebc1129230312b5f2c50cb8 upstream. To acquire all modeset locks requires a ww_ctx to be allocated. As this is the legacy path and the allocation small, to reduce the changes required (and complex untested error handling) to the legacy drivers, we simply assume that the allocation succeeds. At present, it relies on the too-small-to-fail rule, but syzbot found that by injecting a failure here we would hit the WARN. Document that this allocation must succeed with __GFP_NOFAIL. Signed-off-by: Chris Wilson Cc: Daniel Vetter Reported-by: syzbot Signed-off-by: Daniel Vetter Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20171031115535.15166-1-chris@chris-wilson.co.uk Signed-off-by: Greg Kroah-Hartman commit 28de93896add426355ceec633ef80b566402b5ff Author: Jens Axboe Date: Sun Nov 5 09:16:09 2017 -0700 blktrace: fix unlocked registration of tracepoints commit a6da0024ffc19e0d47712bb5ca4fd083f76b07df upstream. We need to ensure that tracepoints are registered and unregistered with the users of them. The existing atomic count isn't enough for that. Add a lock around the tracepoints, so we serialize access to them. This fixes cases where we have multiple users setting up and tearing down tracepoints, like this: CPU: 0 PID: 2995 Comm: syzkaller857118 Not tainted 4.14.0-rc5-next-20171018+ #36 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 panic+0x1e4/0x41c kernel/panic.c:183 __warn+0x1c4/0x1e0 kernel/panic.c:546 report_bug+0x211/0x2d0 lib/bug.c:183 fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177 do_trap_no_signal arch/x86/kernel/traps.c:211 [inline] do_trap+0x260/0x390 arch/x86/kernel/traps.c:260 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905 RIP: 0010:tracepoint_add_func kernel/tracepoint.c:210 [inline] RIP: 0010:tracepoint_probe_register_prio+0x397/0x9a0 kernel/tracepoint.c:283 RSP: 0018:ffff8801d1d1f6c0 EFLAGS: 00010293 RAX: ffff8801d22e8540 RBX: 00000000ffffffef RCX: ffffffff81710f07 RDX: 0000000000000000 RSI: ffffffff85b679c0 RDI: ffff8801d5f19818 RBP: ffff8801d1d1f7c8 R08: ffffffff81710c10 R09: 0000000000000004 R10: ffff8801d1d1f6b0 R11: 0000000000000003 R12: ffffffff817597f0 R13: 0000000000000000 R14: 00000000ffffffff R15: ffff8801d1d1f7a0 tracepoint_probe_register+0x2a/0x40 kernel/tracepoint.c:304 register_trace_block_rq_insert include/trace/events/block.h:191 [inline] blk_register_tracepoints+0x1e/0x2f0 kernel/trace/blktrace.c:1043 do_blk_trace_setup+0xa10/0xcf0 kernel/trace/blktrace.c:542 blk_trace_setup+0xbd/0x180 kernel/trace/blktrace.c:564 sg_ioctl+0xc71/0x2d90 drivers/scsi/sg.c:1089 vfs_ioctl fs/ioctl.c:45 [inline] do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685 SYSC_ioctl fs/ioctl.c:700 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x444339 RSP: 002b:00007ffe05bb5b18 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000006d66c0 RCX: 0000000000444339 RDX: 000000002084cf90 RSI: 00000000c0481273 RDI: 0000000000000009 RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffffff R13: 00000000c0481273 R14: 0000000000000000 R15: 0000000000000000 since we can now run these in parallel. Ensure that the exported helpers for doing this are grabbing the queue trace mutex. Reported-by: Steven Rostedt Tested-by: Dmitry Vyukov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 40cda9b7bac5e863d9b968339dd8d5287a267a47 Author: Cong Wang Date: Mon Nov 27 11:15:16 2017 -0800 xfrm: check id proto in validate_tmpl() commit 6a53b7593233ab9e4f96873ebacc0f653a55c3e1 upstream. syzbot reported a kernel warning in xfrm_state_fini(), which indicates that we have entries left in the list net->xfrm.state_all whose proto is zero. And xfrm_id_proto_match() doesn't consider them as a match with IPSEC_PROTO_ANY in this case. Proto with value 0 is probably not a valid value, at least verify_newsa_info() doesn't consider it valid either. This patch fixes it by checking the proto value in validate_tmpl() and rejecting invalid ones, like what iproute2 does in xfrm_xfrmproto_getbyname(). Reported-by: syzbot Cc: Steffen Klassert Cc: Herbert Xu Signed-off-by: Cong Wang Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 7800c76fb039e3d88cbdae49e3e1a47098e71111 Author: Steffen Klassert Date: Wed Nov 29 06:53:55 2017 +0100 xfrm: Fix stack-out-of-bounds read on socket policy lookup. commit ddc47e4404b58f03e98345398fb12d38fe291512 upstream. When we do tunnel or beet mode, we pass saddr and daddr from the template to xfrm_state_find(), this is ok. On transport mode, we pass the addresses from the flowi, assuming that the IP addresses (and address family) don't change during transformation. This assumption is wrong in the IPv4 mapped IPv6 case, packet is IPv4 and template is IPv6. Fix this by catching address family missmatches of the policy and the flow already before we do the lookup. Reported-by: syzbot Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 0de023ab7d3e907d1e9174e04ec44b80fac14de5 Author: Tetsuo Handa Date: Mon Dec 18 20:31:41 2017 +0900 mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. commit bb422a738f6566f7439cd347d54e321e4fe92a9f upstream. Syzbot caught an oops at unregister_shrinker() because combination of commit 1d3d4437eae1bb29 ("vmscan: per-node deferred work") and fault injection made register_shrinker() fail and the caller of register_shrinker() did not check for failure. ---------- [ 554.881422] FAULT_INJECTION: forcing a failure. [ 554.881422] name failslab, interval 1, probability 0, space 0, times 0 [ 554.881438] CPU: 1 PID: 13231 Comm: syz-executor1 Not tainted 4.14.0-rc8+ #82 [ 554.881443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 554.881445] Call Trace: [ 554.881459] dump_stack+0x194/0x257 [ 554.881474] ? arch_local_irq_restore+0x53/0x53 [ 554.881486] ? find_held_lock+0x35/0x1d0 [ 554.881507] should_fail+0x8c0/0xa40 [ 554.881522] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 554.881537] ? check_noncircular+0x20/0x20 [ 554.881546] ? find_next_zero_bit+0x2c/0x40 [ 554.881560] ? ida_get_new_above+0x421/0x9d0 [ 554.881577] ? find_held_lock+0x35/0x1d0 [ 554.881594] ? __lock_is_held+0xb6/0x140 [ 554.881628] ? check_same_owner+0x320/0x320 [ 554.881634] ? lock_downgrade+0x990/0x990 [ 554.881649] ? find_held_lock+0x35/0x1d0 [ 554.881672] should_failslab+0xec/0x120 [ 554.881684] __kmalloc+0x63/0x760 [ 554.881692] ? lock_downgrade+0x990/0x990 [ 554.881712] ? register_shrinker+0x10e/0x2d0 [ 554.881721] ? trace_event_raw_event_module_request+0x320/0x320 [ 554.881737] register_shrinker+0x10e/0x2d0 [ 554.881747] ? prepare_kswapd_sleep+0x1f0/0x1f0 [ 554.881755] ? _down_write_nest_lock+0x120/0x120 [ 554.881765] ? memcpy+0x45/0x50 [ 554.881785] sget_userns+0xbcd/0xe20 (...snipped...) [ 554.898693] kasan: CONFIG_KASAN_INLINE enabled [ 554.898724] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 554.898732] general protection fault: 0000 [#1] SMP KASAN [ 554.898737] Dumping ftrace buffer: [ 554.898741] (ftrace buffer empty) [ 554.898743] Modules linked in: [ 554.898752] CPU: 1 PID: 13231 Comm: syz-executor1 Not tainted 4.14.0-rc8+ #82 [ 554.898755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 554.898760] task: ffff8801d1dbe5c0 task.stack: ffff8801c9e38000 [ 554.898772] RIP: 0010:__list_del_entry_valid+0x7e/0x150 [ 554.898775] RSP: 0018:ffff8801c9e3f108 EFLAGS: 00010246 [ 554.898780] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 554.898784] RDX: 0000000000000000 RSI: ffff8801c53c6f98 RDI: ffff8801c53c6fa0 [ 554.898788] RBP: ffff8801c9e3f120 R08: 1ffff100393c7d55 R09: 0000000000000004 [ 554.898791] R10: ffff8801c9e3ef70 R11: 0000000000000000 R12: 0000000000000000 [ 554.898795] R13: dffffc0000000000 R14: 1ffff100393c7e45 R15: ffff8801c53c6f98 [ 554.898800] FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 [ 554.898804] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 554.898807] CR2: 00000000dbc23000 CR3: 00000001c7269000 CR4: 00000000001406e0 [ 554.898813] DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 [ 554.898816] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 [ 554.898818] Call Trace: [ 554.898828] unregister_shrinker+0x79/0x300 [ 554.898837] ? perf_trace_mm_vmscan_writepage+0x750/0x750 [ 554.898844] ? down_write+0x87/0x120 [ 554.898851] ? deactivate_super+0x139/0x1b0 [ 554.898857] ? down_read+0x150/0x150 [ 554.898864] ? check_same_owner+0x320/0x320 [ 554.898875] deactivate_locked_super+0x64/0xd0 [ 554.898883] deactivate_super+0x141/0x1b0 ---------- Since allowing register_shrinker() callers to call unregister_shrinker() when register_shrinker() failed can simplify error recovery path, this patch makes unregister_shrinker() no-op when register_shrinker() failed. Also, reset shrinker->nr_deferred in case unregister_shrinker() was by error called twice. Signed-off-by: Tetsuo Handa Signed-off-by: Aliaksei Karaliou Reported-by: syzbot Cc: Glauber Costa Cc: Al Viro Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 941095c5af57fa67c5beb5370adca1e32ff52cd7 Author: Johannes Berg Date: Mon Jan 15 09:58:27 2018 +0100 cfg80211: check dev_set_name() return value commit 59b179b48ce2a6076448a44531242ac2b3f6cef2 upstream. syzbot reported a warning from rfkill_alloc(), and after a while I think that the reason is that it was doing fault injection and the dev_set_name() failed, leaving the name NULL, and we didn't check the return value and got to rfkill_alloc() with a NULL name. Since we really don't want a NULL name, we ought to check the return value. Fixes: fb28ad35906a ("net: struct device - replace bus_id with dev_name(), dev_set_name()") Reported-by: syzbot+1ddfb3357e1d7bb5b5d3@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b8c7f80cbdcd99b24f25edd5505fde90759ce07c Author: Paolo Abeni Date: Fri Feb 12 15:43:54 2016 +0100 net: replace dst_cache ip6_tunnel implementation with the generic one commit 607f725f6f7d5ec3759fbc16224afb60e2152a5b upstream. This also fix a potential race into the existing tunnel code, which could lead to the wrong dst to be permanenty cached: CPU1: CPU2: dst = ip6_route_output(...) dst_cache_reset() // no effect, // the cache is empty dst_cache_set() // the wrong dst // is permanenty stored // into the cache With the new dst implementation the above race is not possible since the first cache lookup after dst_cache_reset will fail due to the timestamp check Signed-off-by: Paolo Abeni Suggested-and-acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Manoj Boopathi Raj Signed-off-by: Greg Kroah-Hartman commit d365b297433cf2969fa94f243d7afddc073c7bf1 Author: Paolo Abeni Date: Fri Feb 12 15:43:53 2016 +0100 net: add dst_cache support commit 911362c70df5b766c243dc297fadeaced786ffd8 upstream. This patch add a generic, lockless dst cache implementation. The need for lock is avoided updating the dst cache fields only in per cpu scope, and requiring that the cache manipulation functions are invoked with the local bh disabled. The refresh_ts and reset_ts fields are used to ensure the cache consistency in case of cuncurrent cache update (dst_cache_set*) and reset operation (dst_cache_reset). Consider the following scenario: CPU1: CPU2: dst_cache_reset() dst_cache_set() The dst entry set passed to dst_cache_set() should not be used for later dst cache lookup, because it's obtained using old configuration values. Since the refresh_ts is updated only on dst_cache lookup, the cached value in the above scenario will be discarded on the next lookup. Signed-off-by: Paolo Abeni Suggested-and-acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Manoj Boopathi Raj Signed-off-by: Greg Kroah-Hartman