commit 68ed359d373931a351591152ce693d802a421cd0 Author: Alexandre Frade Date: Wed Nov 20 18:54:31 2019 -0300 4.19.85-xanmod41 Signed-off-by: Alexandre Frade commit 195c62787888cf9873e4140d2283f723e5419a8a Merge: 76f485244e46 c63ee2939dc1 Author: Alexandre Frade Date: Wed Nov 20 18:50:59 2019 -0300 Merge tag 'v4.19.85' into 4.19 This is the 4.19.85 stable release commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e Author: Greg Kroah-Hartman Date: Wed Nov 20 18:47:54 2019 +0100 Linux 4.19.85 commit e99d64837815753cfc4d8e193e0fc23ce91e3c57 Author: Jouni Hogander Date: Wed Nov 13 12:08:01 2019 +0200 slcan: Fix memory leak in error path commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream. This patch is fixing memory leak reported by Syzkaller: BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) hex dump (first 32 bytes): 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 [<000000004de5a617>] tty_ioctl+0x48d/0x1590 [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 [<0000000053d0332e>] do_syscall_64+0x16f/0x580 [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [<000000008ea75434>] 0xffffffffffffffff Cc: Wolfgang Grandegger Cc: Marc Kleine-Budde Cc: Lukas Bulwahn Signed-off-by: Jouni Hogander Signed-off-by: Marc Kleine-Budde Cc: Oliver Hartkopp Signed-off-by: Greg Kroah-Hartman commit e4cc9c81e2305aabfa9a0e46e17d3895a10ba3d8 Author: zhong jiang Date: Mon Nov 18 11:26:08 2019 +0800 memfd: Use radix_tree_deref_slot_protected to avoid the warning. The commit 99b45e7a1ba1 ("memfd: Fix locking when tagging pins") introduces the following warning messages. *WARNING: suspicious RCU usage in memfd_wait_for_pins* It is because we still use radix_tree_deref_slot without read_rcu_lock. We should use radix_tree_deref_slot_protected instead in the case. Cc: stable@vger.kernel.org Fixes: 99b45e7a1ba1 ("memfd: Fix locking when tagging pins") Signed-off-by: zhong jiang Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit 914834a73b167ec4246e17ada4ecd304657f9ce1 Author: Arnd Bergmann Date: Wed Sep 26 15:14:10 2018 +0200 net: phy: mdio-bcm-unimac: mark PM functions as __maybe_unused [ Upstream commit 9b97123a584f60a5bca5a2663485768a1f6cd0a4 ] The newly added runtime-pm support causes a harmless warning when CONFIG_PM is disabled: drivers/net/phy/mdio-bcm-unimac.c:330:12: error: 'unimac_mdio_resume' defined but not used [-Werror=unused-function] static int unimac_mdio_resume(struct device *d) drivers/net/phy/mdio-bcm-unimac.c:321:12: error: 'unimac_mdio_suspend' defined but not used [-Werror=unused-function] static int unimac_mdio_suspend(struct device *d) Marking the functions as __maybe_unused is the easiest workaround and avoids adding #ifdef checks. Fixes: b78ac6ecd1b6 ("net: phy: mdio-bcm-unimac: Allow configuring MDIO clock divider") Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2ed924f2782fc34cfd763b6e61ba433c16d8db4c Author: Vasily Gorbik Date: Wed Jan 2 13:43:22 2019 +0100 s390/vdso: correct vdso mapping for compat tasks [ Upstream commit 190f056fba230abee80712eb810939ef9a8c462f ] While "s390/vdso: avoid 64-bit vdso mapping for compat tasks" fixed 64-bit vdso mapping for compat tasks under gdb it introduced another problem. "compat_mm" flag is not inherited during fork and when 31-bit process forks a child (but does not perform exec) it ends up with 64-bit vdso. To address that, init_new_context (which is called during fork and exec) now initialize compat_mm based on thread TIF_31BIT flag. Later compat_mm is adjusted in arch_setup_additional_pages, which is called during exec. Fixes: d1befa65823e ("s390/vdso: avoid 64-bit vdso mapping for compat tasks") Reported-by: Stefan Liebler Reviewed-by: Heiko Carstens Cc: # v4.20+ Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 1b904b2eb9c1d9216e1be9f4615952bcd6b99856 Author: Rui Miguel Silva Date: Wed Nov 21 05:59:55 2018 -0500 media: ov2680: fix null dereference at power on [ Upstream commit c45fbdf24c61a7b7a37f1b3bbd46f054637a3627 ] Swapping the order between v4l2 subdevice registration and checking chip id in b7a417628abf ("media: ov2680: don't register the v4l2 subdevice before checking chip ID") makes the mode restore to use the sensor controls before they are set, so move the mode restore call to s_power after the handler setup for controls is done. This remove also the need for the error code path in power on function. Fixes: b7a417628abf ("media: ov2680: don't register the v4l2 subdevice before checking chip ID") Signed-off-by: Rui Miguel Silva Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0c3e32230bcc4a8721f203ba73b353b4659f939e Author: Israel Rukshin Date: Wed Sep 26 09:44:18 2018 +0000 IB/iser: Fix possible NULL deref at iser_inv_desc() [ Upstream commit 65f07f5a09dacf3b60619f196f096ea3671a5eda ] In case target remote invalidates bogus rkey and signature is not used, pi_ctx is NULL deref. The commit also fails the connection on bogus remote invalidation. Fixes: 59caaed7a72a ("IB/iser: Support the remote invalidation exception") Signed-off-by: Israel Rukshin Reviewed-by: Max Gurtovoy Reviewed-by: Sagi Grimberg Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d7b412e1448e84db8c6b1987a1e1eae829dd1197 Author: Kirill Tkhai Date: Mon Aug 27 18:29:29 2018 +0300 fuse: use READ_ONCE on congestion_threshold and max_background [ Upstream commit 2a23f2b8adbe4bd584f936f7ac17a99750eed9d7 ] Since they are of unsigned int type, it's allowed to read them unlocked during reporting to userspace. Let's underline this fact with READ_ONCE() macroses. Signed-off-by: Kirill Tkhai Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 2e72489c822e56124007539cbcb12c62fe30581a Author: Guido Kiener Date: Tue Sep 25 01:30:31 2018 +0200 usb: usbtmc: uninitialized symbol 'actual' in usbtmc_ioctl_clear [ Upstream commit 9a83190300867fb024d53f47c31088e34188efc1 ] Fix uninitialized symbol 'actual' in function usbtmc_ioctl_clear. When symbol 'actual' is not initialized and usb_bulk_msg() fails, the subsequent kernel debug message shows a random value. Signed-off-by: Guido Kiener Fixes: dfee02ac4bce ("usb: usbtmc: Fix ioctl USBTMC_IOCTL_CLEAR") Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit eb9b6c203870dfa917ec28db544e63ee81938107 Author: Chunfeng Yun Date: Thu Sep 20 19:13:32 2018 +0300 usb: xhci-mtk: fix ISOC error when interval is zero [ Upstream commit 87173acc0d8f0987bda8827da35fff67f52ad15d ] If the interval equal zero, needn't round up to power of two for the number of packets in each ESIT, so fix it. Signed-off-by: Chunfeng Yun Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8ddec6aaad865e70b6e9b47d1b2408767357e2b7 Author: Tan Hu Date: Fri Sep 7 16:33:33 2018 +0800 netfilter: masquerade: don't flush all conntracks if only one address deleted on device [ Upstream commit 097f95d319f817e651bd51f8846aced92a55a6a1 ] We configured iptables as below, which only allowed incoming data on established connections: iptables -t mangle -A PREROUTING -m state --state ESTABLISHED -j ACCEPT iptables -t mangle -P PREROUTING DROP When deleting a secondary address, current masquerade implements would flush all conntracks on this device. All the established connections on primary address also be deleted, then subsequent incoming data on the connections would be dropped wrongly because it was identified as NEW connection. So when an address was delete, it should only flush connections related with the address. Signed-off-by: Tan Hu Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit ba8c4cc746a55b7eec4d38baa6ca7769194b940a Author: Alexandre Belloni Date: Mon Sep 24 16:25:34 2018 +0200 rtc: armada38x: fix possible race condition [ Upstream commit 7d61cbb945a753af08e247b5f10bdd5dbb8d6c80 ] The IRQ is requested before the struct rtc is allocated and registered, but this struct is used in the IRQ handler. This may lead to a NULL pointer dereference. Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc before requesting the IRQ. Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 44bb1b1256b517315c9fba02029029a3f88f98e1 Author: Alexandre Belloni Date: Wed Sep 19 03:14:58 2018 +0200 rtc: tx4939: fixup nvmem name and register size [ Upstream commit 2ab78755e93a10f6216c860a2012f3592f395603 ] The default word_size and stride of 1 are correct for the tx4939. Also fix the nvmem folder name. Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit e7ab2bab7e60831cd63672ee0d18f299ec513552 Author: Alexandre Belloni Date: Sat Sep 15 13:29:56 2018 +0200 rtc: isl1208: avoid possible sysfs race [ Upstream commit 1b4c794fda583edabe864ac466e9cd43c707be80 ] Use rtc_add_group to add the common sysfs group to avoid a possible race condition. [Denis.Osterland@diehl.com: use to_i2c_client(dev->parent)] Signed-off-by: Denis Osterland Signed-off-by: Alexandre Belloni The move of atrim, dtrim usr sysfs properties from i2c device to rtc device require to access them via dev->parent. This patch also aligns timestamp0. Signed-off-by: Sasha Levin commit 70f0ead5c6afa37544d56059d5ecfa73008dbde2 Author: Rob Herring Date: Thu Sep 13 13:12:33 2018 -0500 ARM: dts: lpc32xx: Fix SPI controller node names [ Upstream commit 11236ef582b8d66290bb3b3710e03ca1d85d8ad8 ] SPI controller nodes should be named 'spi' rather than 'ssp'. Fixing the name enables dtc SPI bus checks. Cc: Vladimir Zapolskiy Cc: Sylvain Lemieux Signed-off-by: Rob Herring Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 8e359bce724cf9d1f1fa868b1cea255e9c5abc79 Author: Rob Herring Date: Thu Sep 13 13:12:44 2018 -0500 arm64: dts: lg: Fix SPI controller node names [ Upstream commit 09bae3b64cb580c95329bd8d16f08f0a5cb81ec9 ] SPI controller nodes should be named 'spi' rather than 'ssp'. Fixing the name enables dtc SPI bus checks. Cc: Chanho Min Signed-off-by: Rob Herring Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit f52a34b5b111890126bee35f8491ebffd207f8c9 Author: Rob Herring Date: Thu Sep 13 13:12:40 2018 -0500 arm64: dts: amd: Fix SPI bus warnings [ Upstream commit e9f0878c4b2004ac19581274c1ae4c61ae3ca70e ] dtc has new checks for SPI buses. Fix the warnings in node names. arch/arm64/boot/dts/amd/amd-overdrive.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi' arch/arm64/boot/dts/amd/amd-overdrive-rev-b0.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi' arch/arm64/boot/dts/amd/amd-overdrive-rev-b1.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi' Cc: Brijesh Singh Cc: Suravee Suthikulpanit Cc: Tom Lendacky Signed-off-by: Rob Herring Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit b26edaa53496c79c4a8008bf1b49ebf66baa5ca0 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Check for bus reset [ Upstream commit 6b0e87a6aafe12d75c2bea6fc8e49e88b98b3083 ] The SR_RST bit isn't latched. Hence, detecting a bus reset isn't reliable. When it is detected, the right thing to do is to drop all connected and disconnected commands. The code for that is already present so refactor it and call it when SR_RST is set. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 080b37aacd2b4b430915409d45d8d7ece82a73e1 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Handle BUS FREE during reselection [ Upstream commit ca694afad707cb3ae2fdef3b28454444d9ac726e ] The X3T9.2 specification (draft) says, under "6.1.4.2 RESELECTION time-out procedure", that a target may assert RST or go to BUS FREE phase if the initiator does not respond within 200 us. Something like this has been observed with AztecMonster II target. When it happens, all we can do is wait for the target to try again. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aa45f4ab86a204114a338b069a3628f2af7103f7 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Don't call dsprintk() following reselection interrupt [ Upstream commit 08267216b3f8aa5adc204bdccf8deb72c1cd7665 ] The X3T9.2 specification (draft) says, under "6.1.4.1 RESELECTION", ... The reselected initiator shall then assert the BSY signal within a selection abort time of its most recent detection of being reselected; this is required for correct operation of the time-out procedure. The selection abort time is only 200 us which may be insufficient time for a printk() call. Move the diagnostics to the error paths. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 23635cf271a3c6f284f410859f6ec40e753b76b9 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Don't clear busy flag when abort fails [ Upstream commit 45ddc1b24806cc8f1a09f23dd4e7b6e4a8ae36e1 ] When NCR5380_abort() returns FAILED, the driver forgets that the target is still busy. Hence, further commands may be sent to the target, which may fail during selection and produce the error message, "reselection after won arbitration?". Prevent this by leaving the busy flag set when NCR5380_abort() fails. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aeb0ed2e5bb98f6b78a216f61206191157ff8db5 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Check for invalid reselection target [ Upstream commit 7ef55f6744c45e3d7c85a3f74ada39b67ac741dd ] The X3T9.2 specification (draft) says, under "6.1.4.1 RESELECTION", that "the initiator shall not respond to a RESELECTION phase if other than two SCSI ID bits are on the DATA BUS." This issue (too many bits set) has been observed in the wild, so add a check. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 98c6d8f8a4016351bd0defb95b9304982c003987 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Use DRIVER_SENSE to indicate valid sense data [ Upstream commit 070356513963be6196142acff56acc8359069fa1 ] When sense data is valid, call set_driver_byte(cmd, DRIVER_SENSE). Otherwise some callers of scsi_execute() will ignore sense data. Don't set DID_ERROR or DID_RESET just because sense data is missing. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1a46e4d3da315795dddb536267d193dd3fdd5d80 Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Withhold disconnect privilege for REQUEST SENSE [ Upstream commit 7c8ed783c2faa1e3f741844ffac41340338ea0f4 ] This is mostly needed because an AztecMonster II target has been observed disconnecting REQUEST SENSE commands and then failing to reselect properly. Suggested-by: Michael Schmitz Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 624f60251f1a9deb4f153da199c0a7988a60d66e Author: Finn Thain Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Have NCR5380_select() return a bool [ Upstream commit dad8261e643849ea134c7cd5c8e794e31d93b9eb ] The return value is taken to mean "retry" or "don't retry". Change it to bool to improve readability. Fix related comments. No functional change. Tested-by: Michael Schmitz Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 873506e566ef4f246e6d28d84204b681fc19c15f Author: Hannes Reinecke Date: Thu Sep 27 11:17:11 2018 +1000 scsi: NCR5380: Clear all unissued commands on host reset [ Upstream commit 1aeeeed7f03c576f096eede7b0384f99a98f588c ] When doing a host reset we should be clearing all outstanding commands, not just the command triggering the reset. [mkp: adjusted Hannes' SoB address] Signed-off-by: Hannes Reinecke Reviewed-by: Johannes Thumshirn Cc: Ondrey Zary Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit fe5ef5fe3e19c6908ac5d2f17c3222cc04a298bb Author: Ilan Peer Date: Mon Jun 11 14:05:11 2018 +0300 iwlwifi: mvm: Allow TKIP for AP mode [ Upstream commit 6f3df8c1192c873a6ad9a76328920f6f85af90a8 ] Support for setting keys for TKIP cipher suite was mistakenly removed for AP mode. Fix this. Fixes: 85aeb58cec1a ("iwlwifi: mvm: Enable security on new TX API") Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit c4a3dcb0a273db81e990a92b5670b71353001908 Author: Sara Sharon Date: Sun Jun 3 09:19:35 2018 +0300 iwlwifi: mvm: use correct FIFO length [ Upstream commit 7126b6f2bbdf8e25f85e7ca6d91d49ea4ce9f6a6 ] Current FIFO size calculation is wrong for two reasons: - We access lmac 0 by default - We don't take 11ax into consideration. Fix both. Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit d395b6f51cf7b0ceb5ee5a538a4df3a81b3c094a Author: Golan Ben Ami Date: Tue Jun 5 11:58:13 2018 +0300 iwlwifi: pcie: fit reclaim msg to MAX_MSG_LEN [ Upstream commit 81f0c66187e1ebb7b63529d82faf7ff1e0ef428a ] Today, the length of a debug message in iwl_trans_pcie_reclaim may pass the MAX_MSG_LEN, which is 110. An example for this kind of message is: 'iwl_trans_pcie_reclaim: Read index for DMA queue txq id (2), last_to_free 65535 is out of range [0-65536] 2 2.' Cut the message a bit so it will fit the allowed MAX_MSG_LEN. Signed-off-by: Golan Ben Ami Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 08d2000d21628ffe559d40ec3c9ec954b8ba2903 Author: Johannes Berg Date: Fri Jun 1 09:45:55 2018 +0200 iwlwifi: pcie: gen2: build A-MSDU only for GSO [ Upstream commit 53f474e6a8d74d5dc0c3a015d889471f9a157685 ] If the incoming frame should be an A-MSDU, it may already be one, for example in the case of NAN multicast being encapsulated in an A-MSDU. Thus, use the GSO algorithm to build A-MSDU only if the skb actually contains GSO data. Fixes: 6ffe5de35b05 ("iwlwifi: pcie: add AMSDU to gen2") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit f4f0909f3d3fe0bcf1f91c17d24f2487451507b9 Author: Johannes Berg Date: Wed May 30 14:13:18 2018 +0200 iwlwifi: api: annotate compressed BA notif array sizes [ Upstream commit 6f68cc367ab6578a33cca21b6056804165621f00 ] Annotate the compressed BA notification array sizes and make both of them 0-length since the length of 1 is just confusing - it may be different than that and the offset to the second one needs to be calculated in the C code anyhow. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit e455ecaf52da2f7f72bfdf33e16ea610d3d34e61 Author: Sara Sharon Date: Wed May 30 15:19:56 2018 +0300 iwlwifi: pcie: read correct prph address for newer devices [ Upstream commit 84fb372c892e231e9a2ffdaa5c2df52d94aa536c ] For newer devices we have higher range of periphery addresses. Currently it is masked out, so we end up reading another address. Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit c5eafde04ad32a355e34b3ea044c21046335d2e4 Author: Erel Geron Date: Mon May 28 17:15:56 2018 +0300 iwlwifi: fix non_shared_ant for 22000 devices [ Upstream commit a40287727d9b737e183959fd31a4e0c55f312853 ] The non-shared antenna was wrong for 22000 device series. Fix it to ANT_B for correct antenna preference by coex in MVM driver. Fixes: e34d975e40ff ("iwlwifi: Add a000 HW family support") Signed-off-by: Erel Geron Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit f73c75560ffdb6e7cb956c5e9e49e4a6ae54d7bb Author: Emmanuel Grumbach Date: Tue May 29 10:04:16 2018 +0300 iwlwifi: dbg: don't crash if the firmware crashes in the middle of a debug dump [ Upstream commit 79f25b10c9da3dbc953e47033d0494e51580ac3b ] We can dump data from the firmware either when it crashes, or when the firmware is alive. Not all the data is available if the firmware is running (like the Tx / Rx FIFOs which are available only when the firmware is halted), so we first check that the firmware is alive to compute the required size for the dump and then fill the buffer with the data. When we allocate the buffer, we test the STATUS_FW_ERROR bit to check if the firmware is alive or not. This bit can be changed during the course of the dump since it is modified in the interrupt handler. We hit a case where we allocate the buffer while the firmware is sill working, and while we start to fill the buffer, the firmware crashes. Then we test STATUS_FW_ERROR again and decide to fill the buffer with data like the FIFOs even if no room was allocated for this data in the buffer. This means that we overflow the buffer that was allocated leading to memory corruption. To fix this, test the STATUS_FW_ERROR bit only once and rely on local variables to check if we should dump fifos or other firmware components. Fixes: 04fd2c28226f ("iwlwifi: mvm: add rxf and txf to dump data") Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 98ca4f397febb86b9dd81232df5db95ec5378ad4 Author: Dan Aloni Date: Mon Sep 17 20:24:32 2018 +0300 crypto: fix a memory leak in rsa-kcs1pad's encryption mode [ Upstream commit 3944f139d5592790b70bc64f197162e643a8512b ] The encryption mode of pkcs1pad never uses out_sg and out_buf, so there's no need to allocate the buffer, which presently is not even being freed. CC: Herbert Xu CC: linux-crypto@vger.kernel.org CC: "David S. Miller" Signed-off-by: Dan Aloni Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 975b3c8dd182dfae77ea3ceaa8ad7c51a396b0e7 Author: Christoph Manszewski Date: Mon Sep 17 17:09:28 2018 +0200 crypto: s5p-sss: Fix Fix argument list alignment [ Upstream commit 6c12b6ba45490eeb820fdceccf5a53f42a26799c ] Fix misalignment of continued argument list. Signed-off-by: Christoph Manszewski Reviewed-by: Krzysztof Kozlowski Acked-by: Kamil Konieczny Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ef089d9b58a79eaa5052d50e5becc7549de81dee Author: Christoph Manszewski Date: Mon Sep 17 17:09:27 2018 +0200 crypto: s5p-sss: Fix race in error handling [ Upstream commit 5842cd44786055231b233ed5ed98cdb63ffb7db3 ] Remove a race condition introduced by error path in functions: s5p_aes_interrupt and s5p_aes_crypt_start. Setting the busy field of struct s5p_aes_dev to false made it possible for s5p_tasklet_cb to change the req field, before s5p_aes_complete was called. Change the first parameter of s5p_aes_complete to struct ablkcipher_request. Before spin_unlock, make a copy of the currently handled request, to ensure s5p_aes_complete function call with the correct request. Signed-off-by: Christoph Manszewski Acked-by: Kamil Konieczny Reviewed-by: Krzysztof Kozlowski Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d34465e722e7f2d753652ff03d94bd4a780c4509 Author: Dexuan Cui Date: Tue Sep 18 22:29:50 2018 +0000 x86/hyperv: Suppress "PCI: Fatal: No config space access function found" [ Upstream commit 2f285f46240d67060061d153786740d4df53cd78 ] A Generation-2 Linux VM on Hyper-V doesn't have the legacy PCI bus, and users always see the scary warning, which is actually harmless. Suppress it. Signed-off-by: Dexuan Cui Signed-off-by: Thomas Gleixner Reviewed-by: Michael Kelley Cc: "H. Peter Anvin" Cc: KY Srinivasan Cc: Haiyang Zhang Cc: Stephen Hemminger Cc: "devel@linuxdriverproject.org" Cc: Olaf Aepfle Cc: Andy Whitcroft Cc: Jason Wang Cc: Vitaly Kuznetsov Cc: Marcelo Cerri Cc: Josh Poulson Link: https://lkml.kernel.org/r/ commit 23a4059cd6b815fae8264c3d0a9edaa42f84699a Author: Sanjay Kumar Konduri Date: Mon Sep 3 11:27:46 2018 +0530 Bluetooth: btrsi: fix bt tx timeout issue [ Upstream commit 7cbfd1e2aad410d96fa6162aeb3f9cff1fecfc58 ] observed sometimes data is coming with unaligned address from kernel BT stack. If unaligned address is passed, some data in payload is stripped when packet is loading to firmware and this results, BT connection timeout is happening. sh# hciconfig hci0 up Can't init device hci0: hci0 command 0x0c03 tx timeout Fixed this by moving the data to aligned address. Signed-off-by: Sanjay Kumar Konduri Signed-off-by: Siva Rebbagondla Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 245b2765e87c43e31db6232b4576e0005579a3d6 Author: Luiz Augusto von Dentz Date: Tue Sep 4 13:39:22 2018 +0300 Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS [ Upstream commit a5c3021bb62b970713550db3f7fd08aa70665d7e ] If the remote is not able to fully utilize the MPS choosen recalculate the credits based on the actual amount it is sending that way it can still send packets of MTU size without credits dropping to 0. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 2c8946462f074603259cca407b89a19dc42832e7 Author: Balakrishna Godavarthi Date: Wed Aug 22 17:34:11 2018 +0530 Bluetooth: hci_serdev: clear HCI_UART_PROTO_READY to avoid closing proto races [ Upstream commit 7cf7846d27bfc9731e449857db3eec5e0e9701ba ] Clearing HCI_UART_PROTO_READY will avoid usage of proto function pointers before running the proto close function pointer. There is chance of kernel crash, due to usage of non proto close function pointers after proto close. Signed-off-by: Balakrishna Godavarthi Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit f416fe070ec108f6bfaaf124903734a5dfaa76c3 Author: Stuart Hayes Date: Wed Sep 26 16:50:17 2018 -0500 firmware: dell_rbu: Make payload memory uncachable [ Upstream commit 6aecee6ad41cf97c0270f72da032c10eef025bf0 ] The dell_rbu driver takes firmware update payloads and puts them in memory so the system BIOS can find them after a reboot. This sometimes fails (though rarely), because the memory containing the payload is in the CPU cache but never gets written back to main memory before the system is rebooted (CPU cache contents are lost on reboot). With this patch, the payload memory will be changed to uncachable to ensure that the payload is actually in main memory before the system is rebooted. Signed-off-by: Stuart Hayes Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 5d3675e3e6d1677f4d9310ab429c1fe5e1f49d10 Author: Rob Herring Date: Thu Sep 13 13:12:26 2018 -0500 ARM: dts: realview: Fix SPI controller node names [ Upstream commit 016add12977bcc30f77d7e48fc9a3a024cb46645 ] SPI controller nodes should be named 'spi' rather than 'ssp'. Fixing the name enables dtc SPI bus checks. Cc: Linus Walleij Signed-off-by: Rob Herring Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 57b78e41a397ca520069c13b5552c0a2d20729cc Author: Justin Ernst Date: Tue Sep 25 09:34:49 2018 -0500 EDAC: Raise the maximum number of memory controllers [ Upstream commit 6b58859419554fb824e09cfdd73151a195473cbc ] We observe an oops in the skx_edac module during boot: EDAC MC0: Giving out device to module skx_edac controller Skylake Socket#0 IMC#0 EDAC MC1: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1 EDAC MC2: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0 ... EDAC MC13: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1 EDAC MC14: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0 EDAC MC15: Giving out device to module skx_edac controller Skylake Socket#1 IMC#1 Too many memory controllers: 16 EDAC MC: Removed device 0 for skx_edac Skylake Socket#0 IMC#0 We observe there are two memory controllers per socket, with a limit of 16. Raise the maximum number of memory controllers from 16 to 2 * MAX_NUMNODES (1024). [ bp: This is just a band-aid fix until we've sorted out the whole issue with the bus_type association and handling in EDAC and can get rid of this arbitrary limit. ] Signed-off-by: Justin Ernst Signed-off-by: Borislav Petkov Acked-by: Russ Anderson Cc: Mauro Carvalho Chehab Cc: linux-edac@vger.kernel.org Link: https://lkml.kernel.org/r/20180925143449.284634-1-justin.ernst@hpe.com Signed-off-by: Sasha Levin commit 352668d32cd53150033143a1af82126046bd097d Author: Arnd Bergmann Date: Wed Sep 26 21:36:52 2018 +0200 RDMA: Fix dependencies for rdma_user_mmap_io [ Upstream commit 46bdf777685677c1cc6b3da9220aace9da690731 ] The mlx4 driver produces a link error when it is configured as built-in while CONFIG_INFINIBAND_USER_ACCESS is set to =m: drivers/infiniband/hw/mlx4/main.o: In function `mlx4_ib_mmap': main.c:(.text+0x1af4): undefined reference to `rdma_user_mmap_io' The same function is called from mlx5, which already has a dependency to ensure we can call it, and from hns, which appears to suffer from the same problem. This adds the same dependency that mlx5 uses to the other two. Fixes: 6745d356ab39 ("RDMA/hns: Use rdma_user_mmap_io") Fixes: c282da4109e4 ("RDMA/mlx4: Use rdma_user_mmap_io") Signed-off-by: Arnd Bergmann Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 36ffc9a76df95ee835b5e00667d20c68005cd08c Author: Chao Yu Date: Tue Sep 25 15:36:03 2018 +0800 f2fs: mark inode dirty explicitly in recover_inode() [ Upstream commit 4a1728cad6340bfbe17bd17fd158b2165cd99508 ] Mark inode dirty explicitly in the end of recover_inode() to make sure that all recoverable fields can be persisted later. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit a4bd303d67745ccb7acae231c4317cca3998cb7c Author: Chao Yu Date: Tue Sep 25 15:35:58 2018 +0800 f2fs: fix to recover inode's project id during POR [ Upstream commit f4474aa6e5e901ee4af21f39f1b9115aaaaec503 ] Testcase to reproduce this bug: 1. mkfs.f2fs -O extra_attr -O project_quota /dev/sdd 2. mount -t f2fs /dev/sdd /mnt/f2fs 3. touch /mnt/f2fs/file 4. sync 5. chattr -p 1 /mnt/f2fs/file 6. xfs_io -f /mnt/f2fs/file -c "fsync" 7. godown /mnt/f2fs 8. umount /mnt/f2fs 9. mount -t f2fs /dev/sdd /mnt/f2fs 10. lsattr -p /mnt/f2fs/file 0 -----------------N- /mnt/f2fs/file But actually, we expect the correct result is: 1 -----------------N- /mnt/f2fs/file The reason is we didn't recover inode.i_projid field during mount, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 7bae8b6b73e46c307fa355ce086800b7ad6610f8 Author: Jaegeuk Kim Date: Wed Sep 19 15:28:40 2018 -0700 f2fs: update i_size after DIO completion [ Upstream commit 0a4daae5ffea39f5015334e4d18a6a80b447cae4 ] This is related to ee70daaba82d ("xfs: update i_size after unwritten conversion in dio completion") If we update i_size during dio_write, dio_read can read out stale data, which breaks xfstests/465. Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 9de276a804c719f553fe9bc90b6b1998e8747557 Author: Keith Busch Date: Thu Sep 20 10:27:13 2018 -0600 PCI/ERR: Run error recovery callbacks for all affected devices [ Upstream commit bfcb79fca19d267712e425af1dd48812c40dec0c ] If an Endpoint reported an error with ERR_FATAL, we previously ran driver error recovery callbacks only for the Endpoint's driver. But if we reset a Link to recover from the error, all downstream components are affected, including the Endpoint, any multi-function peers, and children of those peers. Initiate the Link reset from the deepest Downstream Port that is reliable, and call the error recovery callbacks for all its children. If a Downstream Port (including a Root Port) reports an error, we assume the Port itself is reliable and we need to reset its downstream Link. In all other cases (Switch Upstream Ports, Endpoints, Bridges, etc), we assume the Link leading to the component needs to be reset, so we initiate the reset at the parent Downstream Port. This allows two other clean-ups. First, we currently only use a Link reset, which can only be initiated using a Downstream Port, so we can remove checks for Endpoints. Second, the Downstream Port where we initiate the Link reset is reliable (unlike components downstream from it), so the special cases for error detect and resume are no longer necessary. Signed-off-by: Keith Busch [bhelgaas: changelog] Signed-off-by: Bjorn Helgaas Reviewed-by: Sinan Kaya Signed-off-by: Sasha Levin commit 8738fd312e63e51c8774e75e4e77c19ba27b6d71 Author: YueHaibing Date: Wed Sep 26 17:13:05 2018 +0800 net: faraday: fix return type of ndo_start_xmit function [ Upstream commit 0a715156656bddf4aa92d9868f850aeeb0465fd0 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8ff333f3f81981ada2c69d0f05b4e97877d2fd55 Author: YueHaibing Date: Wed Sep 26 17:06:29 2018 +0800 net: smsc: fix return type of ndo_start_xmit function [ Upstream commit 6323d57f335ce1490d025cacc83fc10b07792130 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4481669a3a95e2ed968a61309b3bbbf132002136 Author: Marc Dietrich Date: Thu Aug 2 10:45:40 2018 +0200 ARM: dts: paz00: fix wakeup gpio keycode [ Upstream commit ebea2a43fdafdbce918bd7e200b709d6c33b9f3b ] The power key is controlled solely by the EC, which only tiggeres this gpio after wakeup. Fixes immediately return to suspend after wake from LP1. Signed-off-by: Marc Dietrich Tested-by: Nicolas Chauvet Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 4e9cf62e8ffb4014931b679e6042b17072d8bd51 Author: Marcel Ziswiler Date: Sat Sep 1 10:12:44 2018 +0200 ARM: tegra: colibri_t30: fix mcp2515 can controller interrupt polarity [ Upstream commit 503fcd8464fb6cd18073e97dec59b933930655d6 ] Fix the MCP2515 SPI CAN controller interrupt polarity which according to its datasheet defaults to low-active aka falling edge. Signed-off-by: Marcel Ziswiler Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 63c28c08e485496fe6e1b4c1f17a81d44c2294cc Author: Marcel Ziswiler Date: Fri Aug 31 18:38:14 2018 +0200 ARM: tegra: apalis_t30: fix mcp2515 can controller interrupt polarity [ Upstream commit b38f6aa4b60a1fcc41f5c469981f8f62d6070ee3 ] Fix the MCP2515 SPI CAN controller interrupt polarity which according to its datasheet defaults to low-active aka falling edge. Signed-off-by: Marcel Ziswiler Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 2241b82d7b3fb910f5c029ea24ef5e5017c2ad39 Author: Marcel Ziswiler Date: Fri Aug 31 18:37:43 2018 +0200 ARM: tegra: apalis_t30: fix mmc1 cmd pull-up [ Upstream commit 1c997fe4becdc6fcbc06e23982ceb65621e6572a ] Fix MMC1 cmd pin pull-up causing issues on carrier boards without external pull-up. Signed-off-by: Marcel Ziswiler Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 1717eca134f2351c766a2079a30bd57c447caa47 Author: Marcel Ziswiler Date: Thu Aug 16 10:06:03 2018 +0200 ARM: dts: tegra20: restore address order [ Upstream commit 8188391c127ea34d66f37eda6755d0acb51dc600 ] Commit 6c468f109884 ("ARM: dts: tegra: add Tegra20 NAND flash controller node") introduced the nand-controller node. However, it got added at the wrong spot not honoring the address order. Fix this. Signed-off-by: Marcel Ziswiler Reviewed-by: Stefan Agner Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 619f46726e66a2983a05e014469d15e252fb2b0b Author: Marcel Ziswiler Date: Fri Aug 31 14:42:33 2018 +0200 ARM: dts: tegra30: fix xcvr-setup-use-fuses [ Upstream commit 564706f65cda3de52b09e51feb423a43940fe661 ] There was a dot instead of a comma. Fix this. Signed-off-by: Marcel Ziswiler Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 70c4b0fb4fd5ef48ca4b145e4dc88dca3ef46e27 Author: Thierry Reding Date: Fri Sep 21 12:14:46 2018 +0200 arm64: tegra: I2C on Tegra194 is not compatible with Tegra114 [ Upstream commit d9fd22447ba59a9b53a202fade977e82bfba8d8d ] Tegra194 contains a version of the I2C controller that is no longer compatible with the version found in Tegra114. Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit e821b710b58d3402d543e846c0b0ae5733795cd3 Author: Fabio Estevam Date: Tue Sep 18 08:43:31 2018 -0300 ARM: dts: imx51-zii-rdu1: Fix the rtc compatible string [ Upstream commit 1c5f335f61ffb838fc3cc1cec9464067663eb8c8 ] According to Documentation/devicetree/bindings/rtc/rtc-ds1307.txt the original compatible "maxim,ds1341" is not a valid entry. Switch to the documented "dallas,ds1341" compatible. Reported-by: Chris Healy Signed-off-by: Fabio Estevam Reviewed-by: Lucas Stach Tested-by: Chris Healy Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit a09b6731c4dd2844faebaf65fd2b405a2fe4e1f7 Author: Rob Herring Date: Thu Sep 13 13:12:43 2018 -0500 arm64: dts: fsl: Fix I2C and SPI bus warnings [ Upstream commit b739c177e1aeab532f355493439a1901b85be38c ] dtc has new checks for I2C and SPI buses. Fix the SPI bus node names and warnings in unit-addresses. arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dtb: Warning (i2c_bus_reg): /soc/i2c@2180000/eeprom@57: I2C bus unit address format error, expected "53" arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dtb: Warning (i2c_bus_reg): /soc/i2c@2180000/eeprom@56: I2C bus unit address format error, expected "52" Cc: Shawn Guo Cc: Li Yang Signed-off-by: Rob Herring Acked-by: Li Yang Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 2d6b885ba7416e80f3a5bee7553d3f3dee0b9745 Author: Hauke Mehrtens Date: Tue Sep 25 21:54:07 2018 +0200 phy: lantiq: Fix compile warning [ Upstream commit 3a00dae006623d799266d85f28b5f76ef07d6b6c ] This local variable is unused, remove it. Fixes: dea54fbad332 ("phy: Add an USB PHY driver for the Lantiq SoCs using the RCU module") Signed-off-by: Hauke Mehrtens Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit 6fce50c100c85f1c05f463b2ee0b83be1290f4cb Author: Chengguang Xu Date: Sat Sep 22 22:43:09 2018 +0800 f2fs: fix remount problem of option io_bits [ Upstream commit c6b1867b1da3b1203b4c49988afeebdcbdf65499 ] Currently we show mount option "io_bits=%u" as "io_size=%uKB", it will cause option parsing problem(unrecognized mount option) in remount. Signed-off-by: Chengguang Xu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit c4a33c4ecc1f0c2d8573f21509eb474951b354ea Author: Jason Yan Date: Tue Sep 25 10:56:52 2018 +0800 scsi: libsas: always unregister the old device if going to discover new [ Upstream commit 32c850bf587f993b2620b91e5af8a64a7813f504 ] If we went into sas_rediscover_dev() the attached_sas_addr was already insured not to be zero. So it's unnecessary to check if the attached_sas_addr is zero. And although if the sas address is not changed, we always have to unregister the old device when we are going to register a new one. We cannot just leave the device there and bring up the new. Signed-off-by: Jason Yan CC: chenxiang CC: John Garry CC: Johannes Thumshirn CC: Ewan Milne CC: Christoph Hellwig CC: Tomas Henzl CC: Dan Williams CC: Hannes Reinecke Reviewed-by: Johannes Thumshirn Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2f9d0f703b9c1cc521ec4894ed749c876dfd14d7 Author: Nathan Chancellor Date: Mon Sep 24 12:29:03 2018 -0700 iw_cxgb4: Use proper enumerated type in c4iw_bar2_addrs [ Upstream commit 1b571086e869395b6a11ab24186b0104fe05c057 ] Clang warns when one enumerated type is implicitly converted to another. drivers/infiniband/hw/cxgb4/qp.c:287:8: warning: implicit conversion from enumeration type 'enum t4_bar2_qtype' to different enumeration type 'enum cxgb4_bar2_qtype' [-Wenum-conversion] T4_BAR2_QTYPE_EGRESS, ^~~~~~~~~~~~~~~~~~~~ c4iw_bar2_addrs expects a value from enum cxgb4_bar2_qtype so use the corresponding values from that type so Clang is satisfied without changing the meaning of the code. T4_BAR2_QTYPE_EGRESS = CXGB4_BAR2_QTYPE_EGRESS = 0 T4_BAR2_QTYPE_INGRESS = CXGB4_BAR2_QTYPE_INGRESS = 1 Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Acked-by: Steve Wise Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1ae5bfee6cff11dfe958dc86f38e168d7fe7865e Author: Alex Williamson Date: Tue Sep 25 13:01:27 2018 -0600 vfio/pci: Mask buggy SR-IOV VF INTx support [ Upstream commit db04264fe9bc0f2b62e036629f9afb530324b693 ] The SR-IOV spec requires that VFs must report zero for the INTx pin register as VFs are precluded from INTx support. It's much easier for the host kernel to understand whether a device is a VF and therefore whether a non-zero pin register value is bogus than it is to do the same in userspace. Override the INTx count for such devices and virtualize the pin register to provide a consistent view of the device to the user. As this is clearly a spec violation, warn about it to support hardware validation, but also provide a known whitelist as it doesn't do much good to continue complaining if the hardware vendor doesn't plan to fix it. Known devices with this issue: 8086:270c Tested-by: Gage Eads Reviewed-by: Ashok Raj Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit dde3433de9a067a33d67d65b9093cad3e043e49e Author: Li Qiang Date: Tue Sep 25 13:01:27 2018 -0600 vfio/pci: Fix potential memory leak in vfio_msi_cap_len [ Upstream commit 30ea32ab1951c80c6113f300fce2c70cd12659e4 ] Free allocated vdev->msi_perm in error path. Signed-off-by: Li Qiang Reviewed-by: Eric Auger Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 86f886e91dcff23f34ab3ccdc1a8b130763004cb Author: Stephen Hemminger Date: Fri Sep 14 09:10:16 2018 -0700 vmbus: keep pointer to ring buffer page [ Upstream commit 52a42c2a90226dc61c99bbd0cb096deeb52c334b ] Avoid going from struct page to virt address (and back) by just keeping pointer to the allocated pages instead of virt address. Signed-off-by: Stephen Hemminger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 728a7552dc498b06c517a11f4053802c2f5a5b7e Author: zhong jiang Date: Thu Sep 20 10:29:13 2018 +0800 misc: genwqe: should return proper error value. [ Upstream commit 02241995b004faa7d9ff628e97f24056190853f8 ] The function should return -EFAULT when copy_from_user fails. Even though the caller does not distinguish them. but we should keep backward compatibility. Signed-off-by: zhong jiang Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6707b1ba53be158b5526e53c909d5a1ad61e8d8a Author: Laura Abbott Date: Tue Sep 11 10:44:03 2018 -0700 misc: kgdbts: Fix restrict error [ Upstream commit fa0218ef733e6f247a1a3986e3eb12460064ac77 ] kgdbts current fails when compiled with restrict: drivers/misc/kgdbts.c: In function ‘configure_kgdbts’: drivers/misc/kgdbts.c:1070:2: error: ‘strcpy’ source argument is the same as destination [-Werror=restrict] strcpy(config, opt); ^~~~~~~~~~~~~~~~~~~ As the error says, config is being used in both the source and destination. Refactor the code to avoid the extra copy and put the parsing closer to the actual location. Signed-off-by: Laura Abbott Acked-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 890bee6757298c23da3b1595361418e145986939 Author: Srinivas Kandagatla Date: Sun Sep 16 16:45:44 2018 -0700 silmbus: ngd: register controller after power up. [ Upstream commit 94fe5f2b45c4108885e4b71f6b181068632ec904 ] Register slimbus controller only after finishing powerup sequnce so that we do not endup in situation where core starts sending transactions before the controller is ready. Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 932980ed5b7735364366f746b4efecedd6b9aeb9 Author: Srinivas Kandagatla Date: Sun Sep 16 16:45:45 2018 -0700 slimbus: ngd: return proper error code instead of zero [ Upstream commit 9652e6aa62a1836494ebb8dbd402587c083b568c ] It looks like there is a typo in probe return. Fix it. Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9874abd5c8786572811517d170ff661476ac4047 Author: Srinivas Kandagatla Date: Sun Sep 16 16:45:46 2018 -0700 slimbus: ngd: register ngd driver only once. [ Upstream commit 1830dad34c070161fda2ff1db77b39ffa78aa380 ] Move ngd platform driver out of loop so that it registers only once. Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 614744f4e80e983dc00a7e983b82594e9c91a95e Author: Suzuki K Poulose Date: Thu Sep 20 13:18:10 2018 -0600 coresight: dynamic-replicator: Handle multiple connections [ Upstream commit 30af4fb619e5126cb3152072e687b377fc9398d6 ] When a replicator port is enabled, we block the traffic on the other port and route all traffic to the new enabled port. If there are two active trace sessions each targeting the two different paths from the replicator, the second session will disable the first session and route all the data to the second path. ETR / e.g, replicator \ ETB If CPU0 is operated in sysfs mode to ETR and CPU1 is operated in perf mode to ETB, depending on the order in which the replicator is enabled one device is blocked. Ideally we need trace-id for the session to make the right choice. That implies we need a trace-id allocation logic for the coresight subsystem and use that to route the traffic. The short term solution is to only manage the "target port" and leave the other port untouched. That leaves both the paths unaffected, except that some unwanted traffic may be pushed to the paths (if the Trace-IDs are not far enough), which is still fine and can be filtered out while processing rather than silently blocking the data. Cc: Mathieu Poirier Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 36aa9cd28c5971281dafe88637432ee387bc0c91 Author: Leo Yan Date: Thu Sep 20 13:18:02 2018 -0600 coresight: tmc: Fix byte-address alignment for RRP [ Upstream commit e7753f3937610633a540f2be81be87531f96ff04 ] >From the comment in the code, it claims the requirement for byte-address alignment for RRP register: 'for 32-bit, 64-bit and 128-bit wide trace memory, the four LSBs must be 0s. For 256-bit wide trace memory, the five LSBs must be 0s'. This isn't consistent with the program, the program sets five LSBs as zeros for 32/64/128-bit wide trace memory and set six LSBs zeros for 256-bit wide trace memory. After checking with the CoreSight Trace Memory Controller technical reference manual (ARM DDI 0461B, section 3.3.4 RAM Read Pointer Register), it proves the comment is right and the program does wrong setting. This patch fixes byte-address alignment for RRP by following correct definition in the technical reference manual. Cc: Mathieu Poirier Cc: Mike Leach Signed-off-by: Leo Yan Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0bb87d413aeff4f25e9a21db2c5633fd4e8d0f42 Author: Tomasz Nowicki Date: Thu Sep 20 13:18:00 2018 -0600 coresight: etm4x: Configure EL2 exception level when kernel is running in HYP [ Upstream commit b860801e3237ec4c74cf8de0be4816996757ae5c ] For non-VHE systems host kernel runs at EL1 and jumps to EL2 whenever hypervisor code should be executed. In this case ETM4x driver must restrict configuration to EL1 when it setups kernel tracing. However, there is no separate hypervisor privilege level when VHE is enabled, the host kernel runs at EL2. This patch fixes configuration of TRCACATRn register for VHE systems so that ETM_EXLEVEL_NS_HYP bit is used instead of ETM_EXLEVEL_NS_OS to on/off kernel tracing. At the same time, it moves common code to new helper. Signed-off-by: Tomasz Nowicki Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a0e0ec0a5544de8edb4fcdc6a25525d004258bd7 Author: Suzuki K Poulose Date: Thu Sep 20 13:17:51 2018 -0600 coresight: tmc-etr: Handle driver mode specific ETR buffers [ Upstream commit 96a7f644006ecc05eaaa1a5d09373d0ee63beb0a ] Since the ETR could be driven either by SYSFS or by perf, it becomes complicated how we deal with the buffers used for each of these modes. The ETR driver cannot simply free the current attached buffer without knowing the provider (i.e, sysfs vs perf). To solve this issue, we provide: 1) the driver-mode specific etr buffer to be retained in the drvdata 2) the etr_buf for a session should be passed on when enabling the hardware, which will be stored in drvdata->etr_buf. This will be replaced (not free'd) as soon as the hardware is disabled, after necessary sync operation. The advantages of this are : 1) The common code path doesn't need to worry about how to dispose an existing buffer, if it is about to start a new session with a different buffer, possibly in a different mode. 2) The driver mode can control its buffers and can get access to the saved session even when the hardware is operating in a different mode. (e.g, we can still access a trace buffer from a sysfs mode even if the etr is now used in perf mode, without disrupting the current session.) Towards this, we introduce a sysfs specific data which will hold the etr_buf used for sysfs mode of operation, controlled solely by the sysfs mode handling code. Cc: Mathieu Poirier Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1099665125ed4eff523c93ffe4cafe6ac42c5cf2 Author: Suzuki K Poulose Date: Thu Sep 20 13:17:50 2018 -0600 coresight: perf: Disable trace path upon source error [ Upstream commit 4f8ef21007531c3d7cb5b826e7b2c8999b65ecae ] We enable the trace path, before activating the source. If we fail to enable the source, we must disable the path to make sure it is available for another session. Cc: Mathieu Poirier Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 87e382c3f70658d31a8ec32a14f11f8142e3b6f1 Author: Suzuki K Poulose Date: Thu Sep 20 13:17:47 2018 -0600 coresight: perf: Fix per cpu path management [ Upstream commit 5ecabe4a76e8cdb61fa3e24862d9ca240a1c4ddf ] We create a coresight trace path for each online CPU when we start the event. We rely on the number of online CPUs and then go on to allocate an array matching the "number of online CPUs" for holding the path and then uses normal CPU id as the index to the array. This is problematic as we could have some offline CPUs causing us to access beyond the actual array size (e.g, on a dual SMP system, if CPU0 is offline, CPU1 could be really accessing beyond the array). The solution is to switch to per-cpu array for holding the path. Cc: Mathieu Poirier Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 25deeb3c1b9fa584cfc5aa00b07d22bc44f4d5b4 Author: Suzuki K Poulose Date: Thu Sep 20 13:17:45 2018 -0600 coresight: Fix handling of sinks [ Upstream commit c71369de02b285d9da526a526d8f2affc7b17c59 ] The coresight components could be operated either in sysfs mode or in perf mode. For some of the components, the mode of operation doesn't matter as they simply relay the data to the next component in the trace path. But for sinks, they need to be able to provide the trace data back to the user. Thus we need to make sure that "mode" is handled appropriately. e.g, the sysfs mode could have multiple sources driving the trace data, while perf mode doesn't allow sharing the sink. The coresight_enable_sink() however doesn't really allow this check to trigger as it skips the "enable_sink" callback if the component is already enabled, irrespective of the mode. This could cause mixing of data from different modes or even same mode (in perf), if the sources are different. Also, if we fail to enable the sink while enabling a path (where sink is the first component enabled), we could end up in disabling the components in the "entire" path which were not enabled in this trial, causing disruptions in the existing trace paths. Cc: Mathieu Poirier Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 59a488998cafc34ad70483cc3fdd23ff7bdac1bd Author: zhong jiang Date: Thu Sep 20 13:17:44 2018 -0600 coresight: Use ERR_CAST instead of ERR_PTR [ Upstream commit bbd35ba6fab5419e58e96f35f1431f13bdc14f98 ] Use ERR_CAT inlined function to replace the ERR_PTR(PTR_ERR). It make the code more concise. Signed-off-by: zhong jiang Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 240293e02123b24a3e9cd3be335c9bf3f7e61cc1 Author: Laurent Pinchart Date: Fri Aug 10 15:44:57 2018 +0300 usb: gadget: uvc: Only halt video streaming endpoint in bulk mode [ Upstream commit 8dbf9c7abefd5c1434a956d5c6b25e11183061a3 ] When USB requests for video data fail to be submitted, the driver signals a problem to the host by halting the video streaming endpoint. This is only valid in bulk mode, as isochronous transfers have no handshake phase and can't thus report a stall. The usb_ep_set_halt() call returns an error when using isochronous endpoints, which we happily ignore, but some UDCs complain in the kernel log. Fix this by only trying to halt the endpoint in bulk mode. Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Tested-by: Paul Elder Reviewed-by: Kieran Bingham Signed-off-by: Sasha Levin commit bb7c36e91d453cd187d7a1fb15c12b905f03579e Author: Laurent Pinchart Date: Fri Aug 10 15:42:03 2018 +0300 usb: gadget: uvc: Factor out video USB request queueing [ Upstream commit 9d1ff5dcb3cd3390b1e56f1c24ae42c72257c4a3 ] USB requests for video data are queued from two different locations in the driver, with the same code block occurring twice. Factor it out to a function. Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Tested-by: Paul Elder Reviewed-by: Kieran Bingham Signed-off-by: Sasha Levin commit c4635c27d3ac255a4f1b0358a1928e8d2edcd04d Author: Anson Huang Date: Wed Sep 12 16:13:29 2018 +0800 ARM: dts: imx6ull: update vdd_soc voltage for 900MHz operating point [ Upstream commit 245f880c25dbd8927af0f33aa5d1404370013957 ] Update VDD_SOC voltage to 1.25V for 900MHz operating point according to datasheet Rev. 1.3, 08/2018, 25mV is added to the minimum allowed values to cover power supply ripple. Signed-off-by: Anson Huang Reviewed-by: Sébastien Szymanski Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit a9c11660389cb31899afdde1325107ccccf9e97e Author: Andreas Kemnade Date: Sat Sep 22 11:44:05 2018 +0200 phy: phy-twl4030-usb: fix denied runtime access [ Upstream commit 6c7103aa026094a4ee2c2708ec6977a6dfc5331d ] When runtime is not enabled, pm_runtime_get_sync() returns -EACCESS, the counter will be incremented but the resume callback not called, so enumeration and charging will not start properly. To avoid that happen, disable irq on suspend and recheck on resume. Practically this happens when the device is woken up from suspend by plugging in usb. Signed-off-by: Andreas Kemnade Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit 6e176dd0e4c285f327c4a0b8f65035b0b1fab0ce Author: Yoshihiro Shimoda Date: Fri Sep 21 20:53:18 2018 +0900 phy: renesas: rcar-gen3-usb2: fix vbus_ctrl for role sysfs [ Upstream commit 09938ea9d136243e8d1fed6d4d7a257764f28f6d ] This patch fixes and issue that the vbus_ctrl is disabled by rcar_gen3_init_from_a_peri_to_a_host(), so a usb host cannot supply the vbus. Note that this condition will exit when the otg irq happens even if we don't apply this patch. Fixes: 9bb86777fb71 ("phy: rcar-gen3-usb2: add sysfs for usb role swap") Signed-off-by: Yoshihiro Shimoda Reviewed-by: Simon Horman Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit f0525581df5f29c07f38426272a2477d4c94f06c Author: Florian Fainelli Date: Thu Sep 20 12:16:36 2018 -0700 phy: brcm-sata: allow PHY_BRCM_SATA driver to be built for DSL SoCs [ Upstream commit 26728df4b254ae06247726a9a6e64823e39ac504 ] Broadcom ARM-based DSL SoCs (BCM63xx product line) have the same Broadcom SATA PHY that other SoCs are using, make it possible to select that driver on these platforms. Signed-off-by: Florian Fainelli Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit ff0eabfaf4a407105e65ac969167c594d57fc880 Author: zhong jiang Date: Thu Aug 16 18:26:22 2018 +0800 ARM: at91: pm: call put_device instead of of_node_put in at91_pm_config_ws [ Upstream commit 95590a6286c547b7287d01c55515fb96b904aa03 ] of_find_device_by_node takes a reference to the struct device when it finds a match via get_device. but it fails to put_device in at91_pm_config_ws, for_each_matching_node_and_match will get and put the node properly, there is no need to call the of_put_node. Therefore, just call put_device instead of of_node_put in at91_pm_config_ws. Fixes: d7484f5c6b3b ("ARM: at91: pm: configure wakeup sources for ULP1 mode") Suggested-by: Claudiu Beznea Signed-off-by: zhong jiang Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 1b23c28d87e77953ff9f3346662ef144b60d97c7 Author: Ricardo Ribalda Delgado Date: Fri Sep 21 12:36:03 2018 +0200 gpiolib: Fix gpio_direction_* for single direction GPIOs [ Upstream commit ae9847f48a4b4bff0335da20be63ac84d94eb54c ] GPIOs with no programmable direction are not required to implement direction_output nor direction_input. If we try to set an output direction on an output-only GPIO or input direction on an input-only GPIO simply return 0. This allows this single direction GPIO to be used by libgpiod. Signed-off-by: Ricardo Ribalda Delgado Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit ec0b30347e4a55cc8a2ae0d1485f3528a9e9848f Author: Brendan Higgins Date: Fri Sep 21 16:30:50 2018 -0700 i2c: aspeed: fix invalid clock parameters for very large divisors [ Upstream commit 17ccba67109cd0631f206cf49e17986218b47854 ] The function that computes clock parameters from divisors did not respect the maximum size of the bitfields that the parameters were written to. This fixes the bug. This bug can be reproduced with (and this fix verified with) the test at: https://kunit-review.googlesource.com/c/linux/+/1035/ Discovered-by-KUnit: https://kunit-review.googlesource.com/c/linux/+/1035/ Signed-off-by: Brendan Higgins Reviewed-by: Jae Hyun Yoo Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit de2875336ee8ff25166cac622879b953ba0f7be7 Author: Marek Szyprowski Date: Fri Sep 14 08:55:03 2018 +0200 ARM: dts: exynos: Correct audio subsystem parent clock on Peach Chromebooks [ Upstream commit ff1e37c6809daab75f7b2dea1efe69330e8eb65b ] The proper parent clock for audio subsystem for Exynos5420 and Exynos5800 SoCs is CLK_MAU_EPLL. This fixes following warning: clk: failed to reparent mout_audss to fout_epll: -22 Fixes: ed7d1307077e: ARM: dts: exynos: Enable HDMI audio support on Peach Pit Fixes: bae0f445c1e7: ARM: dts: exynos: Enable HDMI audio support on Peach Pi Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 4e6c6562409058eb8f1f0a6d098fd16b57cca241 Author: Paul Elder Date: Sun Sep 2 19:46:03 2018 -0400 usb: gadget: uvc: configfs: Sort frame intervals upon writing [ Upstream commit 89969a842e72b1b653140a4bbddd927b242736d0 ] There is an issue where the host is unable to tell the gadget what frame rate it wants if the dwFrameIntervals in the interface descriptors are not in ascending order. This means that when instantiating a uvc gadget via configfs the user must make sure the dwFrameIntervals are in ascending order. Instead of silently failing the breaking of this rule, we sort the dwFrameIntervals upon writing to configfs. Signed-off-by: Paul Elder Reviewed-by: Laurent Pinchart Signed-off-by: Sasha Levin commit d036103870c6d6d069e4a751716650ef4b40783e Author: Joel Pepper Date: Tue May 29 21:02:12 2018 +0200 usb: gadget: uvc: configfs: Prevent format changes after linking header [ Upstream commit cb2200f7af8341aaf0c6abd7ba37e4c667c41639 ] While checks are in place to avoid attributes and children of a format being manipulated after the format is linked into the streaming header, the linked flag was never actually set, invalidating the protections. Update the flag as appropriate in the header link calls. Signed-off-by: Joel Pepper Reviewed-by: Kieran Bingham Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin commit e6e1ad1e2537b908cbee144538db778aa3d57546 Author: Laurent Pinchart Date: Thu Aug 2 00:14:00 2018 +0300 usb: gadget: uvc: configfs: Drop leaked references to config items [ Upstream commit 86f3daed59bceb4fa7981d85e89f63ebbae1d561 ] Some of the .allow_link() and .drop_link() operations implementations call config_group_find_item() and then leak the reference to the returned item. Fix this by dropping those references where needed. Signed-off-by: Laurent Pinchart Reviewed-by: Kieran Bingham Signed-off-by: Sasha Levin commit b7ffda42d720693b4efbce52d94449bc935fb2df Author: Heiko Stuebner Date: Thu Sep 20 11:34:36 2018 +0200 ARM: dts: rockchip: explicitly set vcc_sd0 pin to gpio on rk3188-radxarock [ Upstream commit a2df0984e73fd9e1dad5fc3f1c307ec3de395e30 ] It is good practice to make the setting of gpio-pinctrls explicitly in the devicetree, and in this case even necessary. Rockchip boards start with iomux settings set to gpio for most pins and while the linux pinctrl driver also implicitly sets the gpio function if a pin is requested as gpio that is not necessarily true for other drivers. The issue in question stems from uboot, where the sdmmc_pwr pin is set to function 1 (sdmmc-power) by the bootrom when reading the 1st-stage loader. The regulator controlled by the pin is active-low though, so when the dwmmc hw-block sets its enabled bit, it actually disables the regulator. By changing the pin back to gpio we fix that behaviour. Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 0b08daf034cc2da18cb7faad11c3b8a6ea8e7043 Author: Nathan Chancellor Date: Sat Sep 15 02:16:15 2018 -0400 media: davinci: Fix implicit enum conversion warning [ Upstream commit 4158757395b300b6eb308fc20b96d1d231484413 ] Clang warns when one enumerated type is implicitly converted to another. drivers/media/platform/davinci/vpbe_display.c:524:24: warning: implicit conversion from enumeration type 'enum osd_v_exp_ratio' to different enumeration type 'enum osd_h_exp_ratio' [-Wenum-conversion] layer_info->h_exp = V_EXP_6_OVER_5; ~ ^~~~~~~~~~~~~~ 1 warning generated. This appears to be a copy and paste error judging from the couple of lines directly above this statement and the way that height is handled in the if block above this one. Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0994d0cb86ec9bf9188bf8d7af32c6bca4841951 Author: Brad Love Date: Thu Sep 6 17:07:49 2018 -0400 media: au0828: Fix incorrect error messages [ Upstream commit f347596f2bf114a3af3d80201c6e6bef538d884f ] Correcting red herring error messages. Where appropriate, replaces au0282_dev_register with: - au0828_analog_register - au0828_dvb_register Signed-off-by: Brad Love Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0e63f5db54d84f131f0733661389ff2a28072948 Author: Jia-Ju Bai Date: Sat Sep 1 07:44:09 2018 -0400 media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() [ Upstream commit 8d11eb847de7d89c2754988c944d51a4f63e219b ] The driver may sleep in a interrupt handler. The function call paths (from bottom to top) in Linux-4.16 are: [FUNC] kzalloc(GFP_KERNEL) drivers/media/pci/ivtv/ivtv-yuv.c, 938: kzalloc in ivtv_yuv_init drivers/media/pci/ivtv/ivtv-yuv.c, 960: ivtv_yuv_init in ivtv_yuv_next_free drivers/media/pci/ivtv/ivtv-yuv.c, 1126: ivtv_yuv_next_free in ivtv_yuv_setup_stream_frame drivers/media/pci/ivtv/ivtv-irq.c, 827: ivtv_yuv_setup_stream_frame in ivtv_irq_dec_data_req drivers/media/pci/ivtv/ivtv-irq.c, 1013: ivtv_irq_dec_data_req in ivtv_irq_handler To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2dacea472335efa7149d91cc9fe3992b4966efc2 Author: Arnd Bergmann Date: Mon Aug 13 17:32:17 2018 -0400 media: imx: work around false-positive warning, again [ Upstream commit 8d1a4817cce1b15b4909f0e324a4f5af5952da67 ] A warning that I thought to be solved by a previous patch of mine has resurfaced with gcc-8: media/imx/imx-media-csi.c: In function 'csi_link_validate': media/imx/imx-media-csi.c:1025:20: error: 'upstream_ep' may be used uninitialized in this function [-Werror=maybe-uninitialized] media/imx/imx-media-csi.c:1026:24: error: 'upstream_ep.bus_type' may be used uninitialized in this function [-Werror=maybe-uninitialized] media/imx/imx-media-csi.c:127:19: error: 'upstream_ep.bus.parallel.bus_width' may be used uninitialized in this function [-Werror=maybe-uninitialized] media/imx/imx-media-csi.c: In function 'csi_enum_mbus_code': media/imx/imx-media-csi.c:132:9: error: '*((void *)&upstream_ep+12)' may be used uninitialized in this function [-Werror=maybe-uninitialized] media/imx/imx-media-csi.c:132:48: error: 'upstream_ep.bus.parallel.bus_width' may be used uninitialized in this function [-Werror=maybe-uninitialized] I spent some more time digging in this time, and think I have a better fix, bailing out of the function that either initializes or errors out here, which simplifies the code enough for gcc to figure out what is going on. The earlier partial workaround can be removed now, as the new workaround is better. Fixes: 890f27693f2a ("media: imx: work around false-positive warning") Signed-off-by: Arnd Bergmann Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1b73ea8377daf651fae6fdaa19a713d08256e2d9 Author: Petr Machata Date: Sun Sep 23 17:48:55 2018 +0300 mlxsw: Make MLXSW_SP1_FWREV_MINOR a hard requirement [ Upstream commit 12ba7e1045521ec9f251c93ae0a6735cc3f42337 ] Up until now, mlxsw tolerated firmware versions that weren't exactly matching the required version, if the branch number matched. That allowed the users to test various firmware versions as long as they were on the right branch. On the other hand, it made it impossible for mlxsw to put a hard lower bound on a version that fixes all problems known to date. If a user had a somewhat older FW version installed, mlxsw would start up just fine, possibly performing non-optimally as it would use features that trigger problematic behavior. Therefore tweak the check to accept any FW version that is: - on the same branch as the preferred version, and - the same as or newer than the preferred version. Signed-off-by: Petr Machata Reviewed-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9d2ce0611ad5c2f5327021b7427d6a547b961da3 Author: Vicente Bergas Date: Mon Sep 17 15:47:14 2018 +0200 arm64: dts: rockchip: Fix microSD in rk3399 sapphire board [ Upstream commit 88a20edf76091ee7f1bb459b89d714d53f0f8940 ] The microSD card slot in the Sapphire board is not working because of several issues: 1.- The vmmc power supply is missing in the DTS. It is capable of 3.0V and has a GPIO-based enable control. 2.- The vqmmc power supply can provide up to 3.3V, but it is capped in the DTS to just 3.0V because of the vmmc capability. This results in a conflict from the mmc driver requesting an unsupportable voltage range from 3.3V to 3.0V (min > max) as reported in dmesg. So, extend the range up to 3.3V. The hw should be able to stand this 0.3V tolerance. See mmc_regulator_set_vqmmc in drivers/mmc/core/core.c. 3.- The card detect signal is non-working. There is a known conflict with jtag, but the workaround in drivers/soc/rockchip/grf.c does not work. Adding the broken-cd attribute to the DTS fixes the issue. Signed-off-by: Vicente Bergas Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 46a9bbe9d579e271d04c6a6a60ea0ed5967b4135 Author: Dengcheng Zhu Date: Tue Sep 11 14:49:23 2018 -0700 MIPS: kexec: Relax memory restriction [ Upstream commit a6da4d6fdf8bd512c98d3ac7f1d16bc4bb282919 ] We can rely on the system kernel and the dump capture kernel themselves in memory usage. Being restrictive with 512MB limit may cause kexec tool failure on some platforms. Tested-by: Rachel Mozes Reported-by: Rachel Mozes Signed-off-by: Dengcheng Zhu Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/20568/ Cc: pburton@wavecomp.com Cc: ralf@linux-mips.org Cc: linux-mips@linux-mips.org Signed-off-by: Sasha Levin commit 3b9528b302a60023347480c3b880e681704113b6 Author: Qiuxu Zhuo Date: Tue Sep 18 17:34:33 2018 -0700 EDAC: Correct DIMM capacity unit symbol [ Upstream commit 6f6da136046294a1e8d2944336eb97412751f653 ] The {i3200|i7core|sb|skx}_edac drivers show DIMM capacity using the wrong unit symbol: 'Mb' - megabit. Fix them by replacing 'Mb' with 'MiB' - mebibyte. [Tony: These are all "edac_dbg()" messages, so this won't break scripts that parse console logs.] Signed-off-by: Qiuxu Zhuo Signed-off-by: Tony Luck Signed-off-by: Borislav Petkov Acked-by: Aristeu Rozanski Cc: Mauro Carvalho Chehab Cc: linux-edac@vger.kernel.org Link: https://lkml.kernel.org/r/20180919003433.16475-1-tony.luck@intel.com Signed-off-by: Sasha Levin commit e897dd4cfdde740d1ed1d6835ccd7f35836b0b82 Author: Matthew Whitehead Date: Fri Sep 21 17:20:41 2018 -0400 x86/CPU: Change query logic so CPUID is enabled before testing [ Upstream commit 2893cc8ff892fa74972d8dc0e1d0dc65116daaa3 ] Presently we check first if CPUID is enabled. If it is not already enabled, then we next call identify_cpu_without_cpuid() and clear X86_FEATURE_CPUID. Unfortunately, identify_cpu_without_cpuid() is the function where CPUID becomes _enabled_ on Cyrix 6x86/6x86L CPUs. Reverse the calling sequence so that CPUID is first enabled, and then check a second time to see if the feature has now been activated. [ bp: Massage commit message and remove trailing whitespace. ] Suggested-by: Andy Lutomirski Signed-off-by: Matthew Whitehead Signed-off-by: Borislav Petkov Reviewed-by: Andy Lutomirski Cc: David Woodhouse Cc: H. Peter Anvin Cc: Ingo Molnar Cc: Konrad Rzeszutek Wilk Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180921212041.13096-3-tedheadster@gmail.com Signed-off-by: Sasha Levin commit d26ad73be70f5e2545033523d763f48899bf861d Author: Matthew Whitehead Date: Fri Sep 21 17:20:40 2018 -0400 x86/CPU: Use correct macros for Cyrix calls [ Upstream commit 03b099bdcdf7125d4a63dc9ddeefdd454e05123d ] There are comments in processor-cyrix.h advising you to _not_ make calls using the deprecated macros in this style: setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80); This is because it expands the macro into a non-functioning calling sequence. The calling order must be: outb(CX86_CCR2, 0x22); inb(0x23); From the comments: * When using the old macros a line like * setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); * gets expanded to: * do { * outb((CX86_CCR2), 0x22); * outb((({ * outb((CX86_CCR2), 0x22); * inb(0x23); * }) | 0x88), 0x23); * } while (0); The new macros fix this problem, so use them instead. Signed-off-by: Matthew Whitehead Signed-off-by: Borislav Petkov Reviewed-by: Andy Lutomirski Cc: Greg Kroah-Hartman Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jia Zhang Cc: Peter Zijlstra Cc: Philippe Ombredanne Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180921212041.13096-2-tedheadster@gmail.com Signed-off-by: Sasha Levin commit fd3f592b2af6bb7ee5eff624d3d4b0c94ddef229 Author: YueHaibing Date: Fri Sep 21 10:50:32 2018 +0800 net: freescale: fix return type of ndo_start_xmit function [ Upstream commit 06983aa526c759ebdf43f202d8d0491d9494e2f4 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cab175f881c578cb16679cb2777c9d6ececafd31 Author: YueHaibing Date: Fri Sep 21 10:42:15 2018 +0800 net: micrel: fix return type of ndo_start_xmit function [ Upstream commit 2b49117a5abee8478b0470cba46ac74f93b4a479 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 590ee2e0aec71938951fec21d27fdb54684f264e Author: Florian Fainelli Date: Thu Sep 20 17:05:40 2018 -0700 net: phy: mdio-bcm-unimac: Allow configuring MDIO clock divider [ Upstream commit b78ac6ecd1b6b46f8767cbafa95a7b0b51b87ad8 ] Allow the configuration of the MDIO clock divider when the Device Tree contains 'clock-frequency' property (similar to I2C and SPI buses). Because the hardware may have lost its state during suspend/resume, re-apply the MDIO clock divider upon resumption. Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 73cb54858021d908dbb97a576b96a4f2c98f49d5 Author: Prashant Bhole Date: Thu Sep 20 16:52:03 2018 +0900 samples/bpf: fix compilation failure [ Upstream commit 32c009798385ce21080beaa87a9b95faad3acd1e ] following commit: commit d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") added struct bpf_flow_keys which conflicts with the struct with same name in sockex2_kern.c and sockex3_kern.c similar to commit: commit 534e0e52bc23 ("samples/bpf: fix a compilation failure") we tried the rename it "flow_keys" but it also conflicted with struct having same name in include/net/flow_dissector.h. Hence renaming the struct to "flow_key_record". Also, this commit doesn't fix the compilation error completely because the similar struct is present in sockex3_kern.c. Hence renaming it in both files sockex3_user.c and sockex3_kern.c Signed-off-by: Prashant Bhole Acked-by: Song Liu Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 3536c05af6f41877caa033b4a5c15063152d1562 Author: Keith Busch Date: Thu Sep 20 10:27:11 2018 -0600 PCI/ERR: Use slot reset if available [ Upstream commit c4eed62a214330908eec11b0dc170d34fa50b412 ] The secondary bus reset may have link side effects that a hotplug capable port may incorrectly react to. Use the slot specific reset for hotplug ports, fixing the undesirable link down-up handling during error recovering. Signed-off-by: Keith Busch [bhelgaas: fold in https://lore.kernel.org/linux-pci/20180926152326.14821-1-keith.busch@intel.com for issue reported by Stephen Rothwell ] Signed-off-by: Bjorn Helgaas Reviewed-by: Sinan Kaya Signed-off-by: Sasha Levin commit 0729c5944eeec932aa47b8e0a7b1a62dd64fff04 Author: Keith Busch Date: Thu Sep 20 10:27:10 2018 -0600 PCI/AER: Don't read upstream ports below fatal errors [ Upstream commit 9d938ea53b265ed6df6cdd1715d971f0235fdbfc ] The AER driver has never read the config space of an endpoint that reported a fatal error because the link to that device is considered unreliable. An ERR_FATAL from an upstream port almost certainly indicates an error on its upstream link, so we can't expect to reliably read its config space for the same reason. Signed-off-by: Keith Busch Signed-off-by: Bjorn Helgaas Reviewed-by: Sinan Kaya Signed-off-by: Sasha Levin commit f3f55d83ea0d7fa5dddfb5a51f3eb92345919da3 Author: Keith Busch Date: Thu Sep 20 10:27:09 2018 -0600 PCI/AER: Take reference on error devices [ Upstream commit 60271ab044a53edb9dcbe76bebea2221c4ff04d9 ] Error handling may be running in parallel with a hot removal. Reference count the device during AER handling so the device can not be freed while AER wants to reference it. Signed-off-by: Keith Busch Signed-off-by: Bjorn Helgaas Reviewed-by: Sinan Kaya Signed-off-by: Sasha Levin commit 40ebd8b31feaf0e78991656eb7659e115fb902dd Author: Shahed Shaikh Date: Thu Sep 20 11:22:51 2018 -0700 bnx2x: Ignore bandwidth attention in single function mode [ Upstream commit 75a110a1783ef8324ffd763b24f4ac268253cbca ] This is a workaround for FW bug - MFW generates bandwidth attention in single function mode, which is only expected to be generated in multi function mode. This undesired attention in SF mode results in incorrect HW configuration and resulting into Tx timeout. Signed-off-by: Shahed Shaikh Signed-off-by: Ariel Elior Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0769f445afa4b97b1b1d20dd564863fcb09211ad Author: Rob Herring Date: Fri Sep 21 14:25:41 2018 +0200 ARM: dts: stm32: Fix SPI controller node names [ Upstream commit 1ba23b1df0bb6eec430408614c3a11280941e112 ] SPI controller nodes should be named 'spi' rather than 'qspi'. Fixing the name enables dtc SPI bus checks. Cc: Maxime Coquelin Cc: Alexandre Torgue Signed-off-by: Rob Herring Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit c6305dfb214b0d527a3636767738b27a820f88ee Author: Baruch Siach Date: Tue Aug 21 22:12:33 2018 +0300 ARM: dts: clearfog: fix sdhci supply property name [ Upstream commit e807f0298144c06740022a2f900d86b7f115595e ] The vmmc phandle, like all power supply property names, must have the '-supply' suffix. Signed-off-by: Baruch Siach Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit b939d8b914d87d67a68cc35bcf039b4e08dafe09 Author: Yannick Fertré Date: Thu Sep 20 16:33:52 2018 +0200 ARM: dts: stm32: enable display on stm32mp157c-ev1 board [ Upstream commit 67330599f93672bd351123c729e2591a460fd24c ] Enable panel raydium RM68200, DSI bridge & display controller. Signed-off-by: Yannick Fertré Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 098e12f385f97e9a069e23af5e4426d7ff0cd6e1 Author: Borislav Petkov Date: Tue Sep 4 11:22:12 2018 +0200 x86/mce-inject: Reset injection struct after injection [ Upstream commit 7401a633c34adc7aefd3edfec60074cb0475a3e8 ] Clear the MCE struct which is used for collecting the injection details after injection. Also, populate it with more details from the machine. Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20180905081954.10391-1-bp@alien8.de Signed-off-by: Sasha Levin commit aa190837bec5607f7bd7257977056ef46299aee9 Author: Rob Herring Date: Thu Sep 13 13:12:31 2018 -0500 ARM: dts: marvell: Fix SPI and I2C bus warnings [ Upstream commit cf680cc5251487b9a39919c3cda31a108af19cf8 ] dtc has new checks for I2C and SPI buses. Fix the warnings in node names and unit-addresses. arch/arm/boot/dts/dove-cubox.dtb: Warning (i2c_bus_reg): /i2c-mux/i2c@0/clock-generator: I2C bus unit address format error, expected "60" arch/arm/boot/dts/dove-cubox-es.dtb: Warning (i2c_bus_reg): /i2c-mux/i2c@0/clock-generator: I2C bus unit address format error, expected "60" arch/arm/boot/dts/dove-cubox.dtb: Warning (spi_bus_bridge): /mbus/internal-regs/spi-ctrl@10600: node name for SPI buses should be 'spi' arch/arm/boot/dts/dove-cubox-es.dtb: Warning (spi_bus_bridge): /mbus/internal-regs/spi-ctrl@10600: node name for SPI buses should be 'spi' arch/arm/boot/dts/dove-dove-db.dtb: Warning (spi_bus_bridge): /mbus/internal-regs/spi-ctrl@10600: node name for SPI buses should be 'spi' arch/arm/boot/dts/dove-sbc-a510.dtb: Warning (spi_bus_bridge): /mbus/internal-regs/spi-ctrl@10600: node name for SPI buses should be 'spi' arch/arm/boot/dts/dove-sbc-a510.dtb: Warning (spi_bus_bridge): /mbus/internal-regs/spi-ctrl@14600: node name for SPI buses should be 'spi' arch/arm/boot/dts/orion5x-kuroboxpro.dtb: Warning (i2c_bus_reg): /soc/internal-regs/i2c@11000/rtc: I2C bus unit address format error, expected "32" arch/arm/boot/dts/orion5x-linkstation-lschl.dtb: Warning (i2c_bus_reg): /soc/internal-regs/i2c@11000/rtc: I2C bus unit address format error, expected "32" arch/arm/boot/dts/orion5x-linkstation-lsgl.dtb: Warning (i2c_bus_reg): /soc/internal-regs/i2c@11000/rtc: I2C bus unit address format error, expected "32" arch/arm/boot/dts/orion5x-linkstation-lswtgl.dtb: Warning (i2c_bus_reg): /soc/internal-regs/i2c@11000/rtc: I2C bus unit address format error, expected "32" Cc: Jason Cooper Cc: Andrew Lunn Cc: Sebastian Hesselbarth Cc: Gregory Clement Signed-off-by: Rob Herring Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit ccc8bf41dac8e740d50e2e228fc0ec57d646bf97 Author: Stefan Agner Date: Sat Sep 15 21:38:25 2018 -0700 crypto: arm/crc32 - avoid warning when compiling with Clang [ Upstream commit cd560235d8f9ddd94aa51e1c4dabdf3212b9b241 ] The table id (second) argument to MODULE_DEVICE_TABLE is often referenced otherwise. This is not the case for CPU features. This leads to a warning when building the kernel with Clang: arch/arm/crypto/crc32-ce-glue.c:239:33: warning: variable 'crc32_cpu_feature' is not needed and will not be emitted [-Wunneeded-internal-declaration] static const struct cpu_feature crc32_cpu_feature[] = { ^ Avoid warnings by using __maybe_unused, similar to commit 1f318a8bafcf ("modules: mark __inittest/__exittest as __maybe_unused"). Fixes: 2a9faf8b7e43 ("crypto: arm/crc32 - enable module autoloading based on CPU feature bits") Signed-off-by: Stefan Agner Acked-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9e70da12d01fd7cb1a78203e3330166d7478e88c Author: Stefan Agner Date: Sat Sep 15 21:38:24 2018 -0700 cpufeature: avoid warning when compiling with clang [ Upstream commit c785896b21dd8e156326ff660050b0074d3431df ] The table id (second) argument to MODULE_DEVICE_TABLE is often referenced otherwise. This is not the case for CPU features. This leads to warnings when building the kernel with Clang: arch/arm/crypto/aes-ce-glue.c:450:1: warning: variable 'cpu_feature_match_AES' is not needed and will not be emitted [-Wunneeded-internal-declaration] module_cpu_feature_match(AES, aes_init); ^ Avoid warnings by using __maybe_unused, similar to commit 1f318a8bafcf ("modules: mark __inittest/__exittest as __maybe_unused"). Fixes: 67bad2fdb754 ("cpu: add generic support for CPU feature based module autoloading") Signed-off-by: Stefan Agner Acked-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ad28c2ba4318e9c882647c57edd5a435edf57907 Author: Eric Biggers Date: Tue Sep 11 20:05:10 2018 -0700 crypto: chacha20 - Fix chacha20_block() keystream alignment (again) [ Upstream commit a5e9f557098e54af44ade5d501379be18435bfbf ] In commit 9f480faec58c ("crypto: chacha20 - Fix keystream alignment for chacha20_block()"), I had missed that chacha20_block() can be called directly on the buffer passed to get_random_bytes(), which can have any alignment. So, while my commit didn't break anything, it didn't fully solve the alignment problems. Revert my solution and just update chacha20_block() to use put_unaligned_le32(), so the output buffer need not be aligned. This is simpler, and on many CPUs it's the same speed. But, I kept the 'tmp' buffers in extract_crng_user() and _get_random_bytes() 4-byte aligned, since that alignment is actually needed for _crng_backtrack_protect() too. Reported-by: Stephan Müller Cc: Theodore Ts'o Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit af4749d23d46fc81c59e19a338081422ea779af1 Author: Nathan Chancellor Date: Thu Sep 20 16:13:37 2018 -0700 spi: pic32: Use proper enum in dmaengine_prep_slave_rg [ Upstream commit 8cfde7847d5ed0bb77bace41519572963e43cd17 ] Clang warns when one enumerated type is converted implicitly to another: drivers/spi/spi-pic32.c:323:8: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] DMA_FROM_DEVICE, ^~~~~~~~~~~~~~~ drivers/spi/spi-pic32.c:333:8: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] DMA_TO_DEVICE, ^~~~~~~~~~~~~ 2 warnings generated. Use the proper enums from dma_transfer_direction (DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2, DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1) to satify Clang. Link: https://github.com/ClangBuiltLinux/linux/issues/159 Signed-off-by: Nathan Chancellor Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c2f76a19fbc84784ef279c0eadd6724974d2265b Author: Rob Herring Date: Thu Sep 13 13:12:34 2018 -0500 ARM: dts: ste: Fix SPI controller node names [ Upstream commit 2f967f9e9fa076affb711da1a8389b5d33814fc6 ] SPI controller nodes should be named 'spi' rather than 'ssp'. Fixing the name enables dtc SPI bus checks. Signed-off-by: Rob Herring Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 4d22878d58944e68c26d20c5c9a89a5f8f00a573 Author: Linus Walleij Date: Tue Jul 3 10:30:03 2018 +0200 ARM: dts: ux500: Fix LCDA clock line muxing [ Upstream commit ecde29569e3484e1d0a032bf4074449bce4d4a03 ] The "lcdaclk_b_1" group is muxed with the function "lcd" but needs a separate entry to be muxed in with "lcda" rather than "lcd". Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 8be4d596d3f237732163346788519cabc246af7e Author: Geert Uytterhoeven Date: Tue Jun 26 09:50:09 2018 +0200 ARM: dts: ux500: Correct SCU unit address [ Upstream commit 2f217d24ecaec2012e628d21e244eef0608656a4 ] The unit address of the Cortex-A9 SCU device node contains one zero too many. Remove it. Signed-off-by: Geert Uytterhoeven Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit dfc81686a642f32421047017df0deabba2b32ee0 Author: Chao Yu Date: Thu Sep 20 17:41:30 2018 +0800 f2fs: fix to recover inode's uid/gid during POR [ Upstream commit dc4cd1257c86451cec3e8e352cc376348e4f4af4 ] Step to reproduce this bug: 1. logon as root 2. mount -t f2fs /dev/sdd /mnt; 3. touch /mnt/file; 4. chown system /mnt/file; chgrp system /mnt/file; 5. xfs_io -f /mnt/file -c "fsync"; 6. godown /mnt; 7. umount /mnt; 8. mount -t f2fs /dev/sdd /mnt; After step 8) we will expect file's uid/gid are all system, but during recovery, these two fields were not been recovered, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit c783946ea9b1f251948b754999d6c9958e8e2b36 Author: Jaegeuk Kim Date: Wed Sep 19 15:45:19 2018 -0700 f2fs: avoid infinite loop in f2fs_alloc_nid [ Upstream commit f84262b0862d43b71b3e80a036cdd9d82e620367 ] If we have an error in f2fs_build_free_nids, we're able to fall into a loop to find free nids. Suggested-by: Chao Yu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit caab324d1b018feff5b3a4256b715afbe9591620 Author: Rob Herring Date: Thu Sep 13 13:12:25 2018 -0500 ARM: dts: ti: Fix SPI and I2C bus warnings [ Upstream commit cc893871f092be9ac1184a78f9ae1e76b85d5317 ] dtc has new checks for I2C and SPI buses. Fix the warnings in node names and unit-addresses. arch/arm/boot/dts/am437x-idk-evm.dtb: Warning (spi_bus_bridge): /ocp@44000000/qspi@47900000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am437x-sk-evm.dtb: Warning (spi_bus_bridge): /ocp@44000000/qspi@47900000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am43x-epos-evm.dtb: Warning (spi_bus_bridge): /ocp@44000000/qspi@47900000: node name for SPI buses should be 'spi' arch/arm/boot/dts/omap3-n9.dtb: Warning (i2c_bus_reg): /ocp@68000000/i2c@48060000/ak8975@0f: I2C bus unit address format error, expected "f" arch/arm/boot/dts/am335x-osd3358-sm-red.dtb: Warning (i2c_bus_reg): /ocp/i2c@44e0b000/pressure@78: I2C bus unit address format error, expected "76" arch/arm/boot/dts/am335x-boneblack.dtb: Warning (i2c_bus_reg): /ocp/i2c@44e0b000/tda19988: I2C bus unit address format error, expected "70" arch/arm/boot/dts/am335x-boneblack-wireless.dtb: Warning (i2c_bus_reg): /ocp/i2c@44e0b000/tda19988: I2C bus unit address format error, expected "70" arch/arm/boot/dts/am335x-sancloud-bbe.dtb: Warning (i2c_bus_reg): /ocp/i2c@44e0b000/tda19988: I2C bus unit address format error, expected "70" arch/arm/boot/dts/am571x-idk.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am572x-idk.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am574x-idk.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am57xx-cl-som-am57x.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am57xx-sbc-am57x.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/dra72-evm.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/dra72-evm-revc.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/dra76-evm.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/dra7-evm.dtb: Warning (spi_bus_bridge): /ocp/qspi@4b300000: node name for SPI buses should be 'spi' arch/arm/boot/dts/am335x-pdu001.dtb: Warning (spi_bus_reg): /ocp/spi@481a0000/cfaf240320a032t: SPI bus unit address format error, expected "0" arch/arm/boot/dts/keystone-k2g-evm.dtb: Warning (spi_bus_bridge): /soc@0/qspi@2940000: node name for SPI buses should be 'spi' arch/arm/boot/dts/keystone-k2g-ice.dtb: Warning (spi_bus_bridge): /soc@0/qspi@2940000: node name for SPI buses should be 'spi' Cc: "Benoît Cousson" Cc: Tony Lindgren Cc: Santosh Shilimkar Cc: linux-omap@vger.kernel.org Signed-off-by: Rob Herring [tony@atomide.com: fixed mode to 644 for am335x-osd3358-sm-red.dts while at it] Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 2cf6352a6d4c0de596db6c18795b00ad42499a21 Author: Grygorii Strashko Date: Sat Sep 8 17:33:40 2018 -0500 ARM: dts: am335x-evm: fix number of cpsw [ Upstream commit dcbf6b18d81bcdc51390ca1b258c17e2e13b7d0c ] am335x-evm has only one CPSW external port physically wired, but DT defines 2 ext. ports. As result, PHY connection failure reported for the second ext. port. Update DT to reflect am335x-evm board HW configuration, and, while here, switch to use phy-handle instead of phy_id. Signed-off-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 1eeee2fd2e0c79ca5a51f10bb255e330ecbc638c Author: Keith Busch Date: Thu Sep 20 10:27:06 2018 -0600 PCI: portdrv: Initialize service drivers directly [ Upstream commit c29de84149aba5f74e87b6491c13ac7203c12f55 ] The PCI port driver saves the PCI state after initializing the device with the applicable service devices. This was, however, before the service drivers were even registered because PCI probe happens before the device_initcall initialized those service drivers. The config space state that the services set up were not being saved. The end result would cause PCI devices to not react to events that the drivers think they did if the PCI state ever needed to be restored. Fix this by changing the service drivers from using the init calls to having the portdrv driver calling the services directly. This will get the state saved as desired, while making the relationship between the port driver and the services under it more explicit in the code. Signed-off-by: Keith Busch Signed-off-by: Bjorn Helgaas Reviewed-by: Sinan Kaya Signed-off-by: Sasha Levin commit 38bee3f3f2806afd8fd2d261b70f80c90491c685 Author: Petr Machata Date: Thu Sep 20 09:21:24 2018 +0300 mlxsw: spectrum: Init shaper for TCs 8..15 [ Upstream commit a9f36656b519a9a21309793c306941a3cd0eeb8f ] With introduction of MC-aware mode to mlxsw, it became necessary to configure TCs above 7 as well. There is now code in mlxsw to disable ETS for these higher classes, but disablement of max shaper was neglected. By default, max shaper is currently disabled to begin with, so the problem is just cosmetic. However, for symmetry, do like we do for ETS configuration, and call mlxsw_sp_port_ets_maxrate_set() for both TC i and i + 8. Signed-off-by: Petr Machata Reviewed-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 636cbdec5cf41150c58364f2c93cd737e9be6205 Author: Takashi Iwai Date: Thu Sep 13 08:15:17 2018 +0200 brcmsmac: Use kvmalloc() for ucode allocations [ Upstream commit 6c3efbe77bc78bf49db851aec7f385be475afca6 ] The ucode chunk might be relatively large and the allocation with kmalloc() may fail occasionally. Since the data isn't DMA-transferred but by manual loops, we can use vmalloc instead of kmalloc. For a better performance, though, kvmalloc() would be the best choice in such a case, so let's replace with it. Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1103431 Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 2980b6a8137843a5cdd951d91d4e43e2a294a781 Author: Arend van Spriel Date: Wed Sep 5 09:48:59 2018 +0200 brcmfmac: increase buffer for obtaining firmware capabilities [ Upstream commit 59c2a30d36c8ae430d26a902c4c9665ea33ccee5 ] When obtaining the firmware capability a buffer is provided of 512 bytes. However, if all features in firmware are supported the buffer needs to be 565 bytes as otherwise truncated information is retrieved from firmware. Increasing the buffer to 768 bytes on stack. Reviewed-by: Hante Meuleman Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Franky Lin Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 59d6e59f32cc01848dd31a932f22769bba5c4598 Author: Vasily Gorbik Date: Fri Sep 14 18:08:10 2018 +0200 s390/vdso: correct CFI annotations of vDSO functions [ Upstream commit 26f4414a45b808f83d42d6fd2fbf4a59ef25e84b ] Correct stack frame overhead for 31-bit vdso, which should be 96 rather then 160. This is done by reusing STACK_FRAME_OVERHEAD definition which contains correct value based on build flags. This fixes stack unwinding within vdso code for 31-bit processes. While at it replace all hard coded stack frame overhead values with the same definition in vdso64 as well. Reviewed-by: Hendrik Brueckner Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 84bfa03445bc34bf486036c124890b6a3a7022af Author: Vasily Gorbik Date: Fri Sep 14 17:29:39 2018 +0200 s390/vdso: avoid 64-bit vdso mapping for compat tasks [ Upstream commit d1befa65823e9c6d013883b8a41d081ec338c489 ] vdso_fault used is_compat_task function (on s390 it tests "current" thread_info flags) to distinguish compat tasks and map 31-bit vdso pages. But "current" task might not correspond to mm context. When 31-bit compat inferior is executed under gdb, gdb does PTRACE_PEEKTEXT on vdso page, causing vdso_fault with "current" being 64-bit gdb process. So, 31-bit inferior ends up with 64-bit vdso mapped. To avoid this problem a new compat_mm flag has been introduced into mm context. This flag is used in vdso_fault and vdso_mremap instead of is_compat_task. Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 3d510bdf35c23ca72cfbf40eb84c04e1cbd3a4d8 Author: Halil Pasic Date: Mon Sep 17 15:23:03 2018 +0200 s390/zcrypt: enable AP bus scan without a valid default domain [ Upstream commit 1c472d46283263497adccd7a0bec64ee2f9c09e5 ] The AP bus scan is aborted before doing anything worth mentioning if ap_select_domain() fails, e.g. if the ap_rights.aqm mask is all zeros. As the result of this the ap bus fails to manage (e.g. create and register) devices like it is supposed to. Let us make ap_scan_bus() work even if ap_select_domain() can't select a default domain. Let's also make ap_select_domain() return void, as there are no more callers interested in its return value. Signed-off-by: Halil Pasic Reported-by: Michael Mueller Fixes: 7e0bdbe5c21c "s390/zcrypt: AP bus support for alternate driver(s)" [freude@linux.ibm.com: title and patch header slightly modified] Signed-off-by: Harald Freudenberger Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 5e9923e85e1c7bff99a964417d5ae1808e23dfb5 Author: Guido Kiener Date: Wed Sep 12 10:51:05 2018 +0200 usb: usbtmc: Fix ioctl USBTMC_IOCTL_ABORT_BULK_OUT [ Upstream commit 0e59088e7ff7aeda49dedadbf0e967761b909ad8 ] Add parameter 'tag' to function usbtmc_ioctl_abort_bulk_out_tag() for future versions. Use USBTMC_BUFSIZE (4k) instead of USBTMC_SIZE_IOBUFFER (2k). Using USBTMC_SIZE_IOBUFFER is deprecated. Insert a sleep of 50 ms between subsequent CHECK_ABORT_BULK_OUT_STATUS control requests to avoid stressing the instrument with repeated requests. Use common macro USB_CTRL_GET_TIMEOUT instead of USBTMC_TIMEOUT. Signed-off-by: Guido Kiener Reviewed-by: Steve Bayless Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 92aeb3756c432aef63d461d451275eef7388a169 Author: Loic Poulain Date: Tue Sep 4 17:18:58 2018 +0200 usb: chipidea: Fix otg event handler [ Upstream commit 59739131e0ca06db7560f9073fff2fb83f6bc2a5 ] At OTG work running time, it's possible that several events need to be addressed (e.g. ID and VBUS events). The current implementation handles only one event at a time which leads to ignoring the other one. Fix it. Signed-off-by: Loic Poulain Signed-off-by: Peter Chen Signed-off-by: Sasha Levin commit 979f541851d9f5589ace7e47693c4f6bd5b9187e Author: Nicolas Adell Date: Mon Aug 27 15:59:56 2018 +0200 usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started [ Upstream commit 1dedbdf2bbb1ede8d96f35f9845ecae179dc1988 ] When initializing the USB subsystem before starting the kernel, OTG overcurrent detection is disabled. In case the OTG polarity of overcurrent is low active, the overcurrent detection is never enabled again and events cannot be reported as expected. Because imx usb overcurrent polarity is low active by default, only detection needs to be enable in usbmisc init function. Signed-off-by: Nicolas Adell Signed-off-by: Peter Chen Signed-off-by: Sasha Levin commit b39e733da3f83bc77e9eda5016b991b08c003f68 Author: Jakub Kicinski Date: Wed Sep 19 14:42:50 2018 -0700 nfp: provide a better warning when ring allocation fails [ Upstream commit 23d9f5531c7c28546954b0bf332134a9b8a38c0a ] NFP supports fairly enormous ring sizes (up to 256k descriptors). In commit 466271703867 ("nfp: use kvcalloc() to allocate SW buffer descriptor arrays") we have started using kvcalloc() functions to make sure the allocation of software state arrays doesn't hit the MAX_ORDER limit. Unfortunately, we can't use virtual mappings for the DMA region holding HW descriptors. In case this allocation fails instead of the generic (and fairly scary) warning/splat in the logs print a helpful message explaining what happened and suggesting how to fix it. Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 883843b5a9123fafbb9fab749d44efd73854c0e7 Author: Jian Shen Date: Wed Sep 19 18:29:58 2018 +0100 net: hns3: Fix parameter type for q_id in hclge_tm_q_to_qs_map_cfg() [ Upstream commit 32c7fbc8ffd752c6aa05d2dd7c13b0f0aa00ddaa ] So far all the places calling hclge_tm_q_to_qs_map_cfg() are assigning an u16 type value to "q_id", and in the processing of hclge_tm_q_to_qs_map_cfg(), it also converts the "q_id" to le16. The max tqp number for pf can be more than 256, we should use "u16" to store the queue id, instead of "u8", which may cause data lost. Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver") Signed-off-by: Jian Shen Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a1b2c39f3ec719a31efa5762f866a1d3109d5557 Author: Jian Shen Date: Wed Sep 19 18:29:57 2018 +0100 net: hns3: Fix client initialize state issue when roce client initialize failed [ Upstream commit d9f28fc23d544f673d087b00a6c7132d972f89ea ] When roce is loaded before nic, the roce client will not be initialized until nic client is initialized, but roce init flag is set before it. Furthermore, in this case of nic initialized success and roce failed, the nic init flag is not set, and roce init flag is not cleared. This patch fixes it by set init flag only after the client is initialized successfully. Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") Signed-off-by: Jian Shen Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 20f2b72faff033111589b4259621016e34589669 Author: Jian Shen Date: Wed Sep 19 18:29:56 2018 +0100 net: hns3: Clear client pointer when initialize client failed or unintialize finished [ Upstream commit 49dd80541c75c2f21c28bbbdd958e993b55bf97b ] If initialize client failed or finish uninitializing client, we should clear the client pointer. It may cause unexpected result when use uninitialized client. Meanwhile, we also should check whether client exist when uninitialize it. Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") Signed-off-by: Jian Shen Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ae95237256de0cef566c7c5f5452d55b5f393bf9 Author: Jian Shen Date: Wed Sep 19 18:29:55 2018 +0100 net: hns3: Fix cmdq registers initialization issue for vf [ Upstream commit 37dc9cdbdc1bd64bd3b6ea285a9c2e811404dc82 ] According to hardware's description, the head pointer register should be written before the tail pointer register while initializing the vf command queue. Otherwise, it may trigger an interrupt even though there is no command received. Fixes: fedd0c15d288 ("net: hns3: Add HNS3 VF IMP(Integrated Management Proc) cmd interface") Signed-off-by: Jian Shen Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 110de23fc502a6feb2069fb4c9453b56593df7eb Author: Fuyun Liang Date: Wed Sep 19 18:29:54 2018 +0100 net: hns3: Fix for setting speed for phy failed problem [ Upstream commit fd8133148eb6a733f9cfdaecd4d99f378e21d582 ] The function of genphy_read_status is that reading phy information from HW and using these information to update SW variable. If user is using ethtool to setting the speed of phy and service task is calling by hclge_get_mac_phy_link, the result of speed setting is uncertain. Because ethtool cmd will modified phydev and hclge_get_mac_phy_link also will modified phydev. Because phy state machine will update phy link periodically, we can just use phydev->link to check the link status. This patch removes function call of genphy_read_status. To ensure accuracy, this patch adds a phy state check. If phy state is not PHY_RUNNING, we consider link is down. Because in some scenarios, phydev->link may be link up, but phy state is not PHY_RUNNING. This is just an intermediate state. In fact, the link is not ready yet. Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") Signed-off-by: Fuyun Liang Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bd23121daecfe9406588f7ec5157682010a1065d Author: YueHaibing Date: Wed Sep 19 19:21:32 2018 +0800 net: sun: fix return type of ndo_start_xmit function [ Upstream commit 0e0cc31f6999df18bb5cfd0bd83c892ed5633975 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, but the implementation in this driver returns an 'int'. Found by coccinelle. Signed-off-by: YueHaibing Acked-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5d52c10c345ddd0a2974db3819348318883dd0c7 Author: YueHaibing Date: Wed Sep 19 18:50:17 2018 +0800 net: amd: fix return type of ndo_start_xmit function [ Upstream commit fe72352e37ae8478f4c97975a9831f0c50f22e73 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0cd3edaf82e608b03d916b6fc1ee8e9c9d2be576 Author: YueHaibing Date: Wed Sep 19 18:45:12 2018 +0800 net: broadcom: fix return type of ndo_start_xmit function [ Upstream commit 0c13b8d1aee87c35a2fbc1d85a1f766227cf54b5 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 63a0e0512dba6ead5dff7f64177ccc23eb2e23d2 Author: YueHaibing Date: Wed Sep 19 18:32:40 2018 +0800 net: xilinx: fix return type of ndo_start_xmit function [ Upstream commit 81255af8d9d5565004792c295dde49344df450ca ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit df9f5c799d85d0b6116803b4271ca917251ae804 Author: YueHaibing Date: Wed Sep 19 18:23:39 2018 +0800 net: toshiba: fix return type of ndo_start_xmit function [ Upstream commit bacade822524e02f662d88f784d2ae821a5546fb ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e50d7274104c77d8375eb1985cacdc2e128f59f0 Author: YueHaibing Date: Wed Sep 19 18:19:26 2018 +0800 net: marvell: fix return type of ndo_start_xmit function [ Upstream commit f03508ce3f9650148262c176e0178413e16c902b ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 28fae2d588beaee2a696ba883937473084ef607c Author: Antoine Tenart Date: Wed Sep 19 11:27:04 2018 +0200 net: mvpp2: fix the number of queues per cpu for PPv2.2 [ Upstream commit 70afb58e9856a70ff9e45760af2d0ebeb7c46ac2 ] The Marvell PPv2.2 engine only has 8 Rx queues per CPU, while PPv2.1 has 16 of them. This patch updates the code so that the Rx queues mask width is selected given the version of the network controller used. Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0ede78b3576c649696f1fec8baea478537fcc877 Author: Andreas Kemnade Date: Mon Sep 17 07:00:07 2018 +0200 power: supply: twl4030_charger: disable eoc interrupt on linear charge [ Upstream commit 079cdff3d0a09c5da10ae1be35def7a116776328 ] This avoids getting woken up from suspend after power interruptions when the bci wrongly thinks the battery is full just because of input current going low because of low input power Signed-off-by: Andreas Kemnade Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 773fb69e430751062015467e9f97f35158bd3bf9 Author: Andreas Kemnade Date: Mon Sep 17 07:20:35 2018 +0200 power: supply: twl4030_charger: fix charging current out-of-bounds [ Upstream commit 8314c212f995bc0d06b54ad02ef0ab4089781540 ] the charging current uses unsigned int variables, if we step back if the current is still low, we would run into negative which means setting the target to a huge value. Better add checks here. Signed-off-by: Andreas Kemnade Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 0729f87b840a12daab0a1dc95e8939abbf89ec57 Author: Rob Herring Date: Thu Sep 13 15:16:22 2018 -0500 libfdt: Ensure INT_MAX is defined in libfdt_env.h [ Upstream commit 53dd9dce6979bc54d64a3a09a2fb20187a025be7 ] The next update of libfdt has a new dependency on INT_MAX. Update the instances of libfdt_env.h in the kernel to either include the necessary header with the definition or define it locally. Cc: Russell King Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: linux-arm-kernel@lists.infradead.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit e000de3f01c574ee16480cee7a33d924b6a07c63 Author: Rob Herring Date: Thu Sep 13 14:38:56 2018 -0500 of/unittest: Fix I2C bus unit-address error [ Upstream commit 62287dce5d0ee207b6a09a0a1abd06b61cee1094 ] dtc has new checks for I2C buses. Fix the warnings in unit-addresses in the unittests. drivers/of/unittest-data/testcases.dtb: Warning (i2c_bus_reg): /testcase-data/overlay-node/test-bus/i2c-test-bus/test-unittest14/i2c@0/test-mux-dev: I2C bus unit address format error, expected "20" drivers/of/unittest-data/overlay_15.dtb: Warning (i2c_bus_reg): /fragment@0/__overlay__/test-unittest15/i2c@0/test-mux-dev: I2C bus unit address format error, expected "20" Cc: Frank Rowand Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 4c64ce947cfa447993efe005cbaad7ba31a91612 Author: Viresh Kumar Date: Fri Aug 3 07:05:21 2018 +0530 OPP: Protect dev_list with opp_table lock [ Upstream commit 3d2556992a878a2210d3be498416aee39e0c32aa ] The dev_list needs to be protected with a lock, else we may have simultaneous access (addition/removal) to it and that would be racy. Extend scope of the opp_table lock to protect dev_list as well. Tested-by: Niklas Cassel Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 51e509caf5fad3a50860d588227bb6ae4388c7f2 Author: Rob Herring Date: Thu Sep 13 13:12:28 2018 -0500 ARM: dts: atmel: Fix I2C and SPI bus warnings [ Upstream commit c890ecdbe93d482512a911b299bfb009780a29c2 ] dtc has new checks for I2C and SPI buses. Fix the warnings in node names and unit-addresses. arch/arm/boot/dts/at91-dvk_som60.dtb: Warning (i2c_bus_reg): /ahb/apb/i2c@f0018000/eeprom@87: I2C bus unit address format error, expected "57" arch/arm/boot/dts/at91-dvk_som60.dtb: Warning (i2c_bus_reg): /ahb/apb/i2c@f0018000/ft5426@56: I2C bus unit address format error, expected "38" arch/arm/boot/dts/at91-vinco.dtb: Warning (i2c_bus_reg): /ahb/apb/i2c@f8024000/rtc@64: I2C bus unit address format error, expected "32" arch/arm/boot/dts/at91sam9260ek.dtb: Warning (spi_bus_reg): /ahb/apb/spi@fffc8000/mtd_dataflash@0: SPI bus unit address format error, expected "1" arch/arm/boot/dts/at91sam9g20ek_2mmc.dtb: Warning (spi_bus_reg): /ahb/apb/spi@fffc8000/mtd_dataflash@0: SPI bus unit address format error, expected "1" arch/arm/boot/dts/at91sam9g20ek.dtb: Warning (spi_bus_reg): /ahb/apb/spi@fffc8000/mtd_dataflash@0: SPI bus unit address format error, expected "1" arch/arm/boot/dts/at91sam9261ek.dtb: Warning (spi_bus_reg): /ahb/apb/spi@fffc8000/tsc2046@0: SPI bus unit address format error, expected "2" Signed-off-by: Rob Herring Acked-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 7cfb3b04d09643dc5fed735f8c58795750031443 Author: Håkon Bugge Date: Mon Sep 17 16:07:07 2018 +0200 RDMA/i40iw: Fix incorrect iterator type [ Upstream commit 802fa45cd320de319e86c93bca72abec028ba059 ] Commit f27b4746f378 ("i40iw: add connection management code") uses an incorrect rcu iterator, whilst holding the rtnl_lock. Since the critical region invokes i40iw_manage_qhash(), which is a sleeping function, the rcu locking and traversal cannot be used. Signed-off-by: Håkon Bugge Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit eb355ccfdf1dc692670a0fb46feeda02e6cf7af9 Author: Anton Blanchard Date: Fri Sep 14 13:36:48 2018 +0930 powerpc: Fix duplicate const clang warning in user access code [ Upstream commit e00d93ac9a189673028ac125a74b9bc8ae73eebc ] This re-applies commit b91c1e3e7a6f ("powerpc: Fix duplicate const clang warning in user access code") (Jun 2015) which was undone in commits: f2ca80905929 ("powerpc/sparse: Constify the address pointer in __get_user_nosleep()") (Feb 2017) d466f6c5cac1 ("powerpc/sparse: Constify the address pointer in __get_user_nocheck()") (Feb 2017) f84ed59a612d ("powerpc/sparse: Constify the address pointer in __get_user_check()") (Feb 2017) We see a large number of duplicate const errors in the user access code when building with llvm/clang: include/linux/pagemap.h:576:8: warning: duplicate 'const' declaration specifier [-Wduplicate-decl-specifier] ret = __get_user(c, uaddr); The problem is we are doing const __typeof__(*(ptr)), which will hit the warning if ptr is marked const. Removing const does not seem to have any effect on GCC code generation. Signed-off-by: Anton Blanchard Signed-off-by: Joel Stanley Reviewed-by: Nick Desaulniers Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit e7b37640916fdfede5569f467a109aad97ff909b Author: Nathan Fontenot Date: Mon Sep 17 14:14:02 2018 -0500 powerpc/pseries: Disable CPU hotplug across migrations [ Upstream commit 85a88cabad57d26d826dd94ea34d3a785824d802 ] When performing partition migrations all present CPUs must be online as all present CPUs must make the H_JOIN call as part of the migration process. Once all present CPUs make the H_JOIN call, one CPU is returned to make the rtas call to perform the migration to the destination system. During testing of migration and changing the SMT state we have found instances where CPUs are offlined, as part of the SMT state change, before they make the H_JOIN call. This results in a hung system where every CPU is either in H_JOIN or offline. To prevent this this patch disables CPU hotplug during the migration process. Signed-off-by: Nathan Fontenot Reviewed-by: Tyrel Datwyler Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 9271304c26fc7918e4e78ff499c7405124c76b9f Author: Nathan Fontenot Date: Fri Apr 20 15:29:48 2018 -0500 powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request [ Upstream commit 063b8b1251fd069f3740339fca56119d218f11ba ] The updates to powerpc numa and memory hotplug code now use the in-kernel LMB array instead of the device tree. This change allows the pseries memory DLPAR code to only update the device tree once after successfully handling a DLPAR request. Prior to the in-kernel LMB array, the numa code looked up the affinity for memory being added in the device tree, the code now looks this up in the LMB array. This change means the memory hotplug code can just update the affinity for an LMB in the LMB array instead of updating the device tree. This also provides a savings in kernel memory. When updating the device tree old properties are never free'ed since there is no usecount on properties. This behavior leads to a new copy of the property being allocated every time a LMB is added or removed (i.e. a request to add 100 LMBs creates 100 new copies of the property). With this update only a single new property is created when a DLPAR request completes successfully. Signed-off-by: Nathan Fontenot Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 0ab2545aa4041357d7300b7ebc402313671c7a1c Author: Nicholas Piggin Date: Sat Sep 15 01:30:45 2018 +1000 powerpc/64s/hash: Fix stab_rr off by one initialization [ Upstream commit 09b4438db13fa83b6219aee5993711a2aa2a0c64 ] This causes SLB alloation to start 1 beyond the start of the SLB. There is no real problem because after it wraps it stats behaving properly, it's just surprisig to see when looking at SLB traces. Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit a3581509e890192fa12eb0a56accd26eae7cb61e Author: Breno Leitao Date: Wed Sep 12 17:31:05 2018 -0300 selftests/powerpc: Do not fail with reschedule [ Upstream commit 44d947eff19d64384efc06069509db7a0a1103b0 ] There are cases where the test is not expecting to have the transaction aborted, but, the test process might have been rescheduled, either in the OS level or by KVM (if it is running on a KVM guest machine). The process reschedule will cause a treclaim/recheckpoint which will cause the transaction to doom, aborting the transaction as soon as the process is rescheduled back to the CPU. This might cause the test to fail, but this is not a failure in essence. If that is the case, TEXASR[FC] is indicated with either TM_CAUSE_RESCHEDULE or TM_CAUSE_KVM_RESCHEDULE for KVM interruptions. In this scenario, ignore these two failures and avoid the whole test to return failure. Signed-off-by: Breno Leitao Reviewed-by: Gustavo Romero Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 089b169ceb80e2ae13b1f2928be33819443f9d54 Author: Breno Leitao Date: Tue Aug 21 15:44:48 2018 -0300 powerpc/iommu: Avoid derefence before pointer check [ Upstream commit 984ecdd68de0fa1f63ce205d6c19ef5a7bc67b40 ] The tbl pointer is being derefenced by IOMMU_PAGE_SIZE prior the check if it is not NULL. Just moving the dereference code to after the check, where there will be guarantee that 'tbl' will not be NULL. Signed-off-by: Breno Leitao Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 13d5bc50f4057bc01dba1567b3259fbf510d3808 Author: YueHaibing Date: Tue Sep 18 14:35:47 2018 +0800 net: ibm: fix return type of ndo_start_xmit function [ Upstream commit 94b2bb28dbb43fcb943d5275ab19fd5a4972bedb ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit efe22c12087d2f87d1e9129d20976d322521b29f Author: YueHaibing Date: Tue Sep 18 14:19:05 2018 +0800 net: cavium: fix return type of ndo_start_xmit function [ Upstream commit ac1172dea10b6ba51de9346d3130db688b5196c5 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 279a4f77546a4c4a989e400b49bf9ba328322036 Author: YueHaibing Date: Tue Sep 18 14:09:43 2018 +0800 net: hns3: fix return type of ndo_start_xmit function [ Upstream commit c9c3941186c5637caed131c4f4064411d6882299 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, also the implementation in this driver has returns 'netdev_tx_t' value, so just change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dd4b87a945c1ad30c69dc8108a9123af25299dee Author: YueHaibing Date: Tue Aug 28 07:07:36 2018 +0000 ipmi: fix return value of ipmi_set_my_LUN [ Upstream commit 060e8fb53fe3455568982d10ab8c3dd605565049 ] Fixes gcc '-Wunused-but-set-variable' warning: drivers/char/ipmi/ipmi_msghandler.c: In function 'ipmi_set_my_LUN': drivers/char/ipmi/ipmi_msghandler.c:1335:13: warning: variable 'rv' set but not used [-Wunused-but-set-variable] int index, rv = 0; 'rv' should be the correct return value. Fixes: 048f7c3e352e ("ipmi: Properly release srcu locks on error conditions") Signed-off-by: YueHaibing Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit ea944c71360f2af281c260f165507a60a691452a Author: Corey Minyard Date: Thu Jun 21 15:32:48 2018 -0500 ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address [ Upstream commit 1574608f5f4204440d6d9f52b971aba967664764 ] Looking at logs from systems all over the place, it looks like tons of broken systems exist that set the base address to zero. I can only guess that is some sort of non-standard idea to mark the interface as not being present. It can't be zero, anyway, so just complain and ignore it. Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit 438bf726def0f5bdc418b1c4ac038355a55f306a Author: Colin Ian King Date: Tue Jun 5 17:51:07 2018 +0100 ipmi_si: fix potential integer overflow on large shift [ Upstream commit 97a103e6b584442cd848887ed8d47be2410b7e09 ] Shifting unsigned char b by an int type can lead to sign-extension overflow. For example, if b is 0xff and the shift is 24, then top bit is sign-extended so the final value passed to writeq has all the upper 32 bits set. Fix this by casting b to a 64 bit unsigned before the shift. Detected by CoverityScan, CID#1465246 ("Unintended sign extension") Signed-off-by: Colin Ian King Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit 78538bae1dab67036efaf9b675b60f1c2f5635b2 Author: Meelis Roos Date: Wed Jun 6 16:11:26 2018 +0300 ipmi_si_pci: fix NULL device in ipmi_si error message [ Upstream commit 01508d9ebf4fc863f2fc4561c390bf4b7c3301a6 ] I noticed that 4.17.0 logs the follwing during ipmi_si setup: ipmi_si 0000:01:04.6: probing via PCI (NULL device *): Could not setup I/O space ipmi_si 0000:01:04.6: [mem 0xf5ef0000-0xf5ef00ff] regsize 1 spacing 1 irq 21 Fix the "NULL device *) by moving io.dev assignment before its potential use by ipmi_pci_probe_regspacing(). Result: ipmi_si 0000:01:04.6: probing via PCI ipmi_si 0000:01:04.6: Could not setup I/O space ipmi_si 0000:01:04.6: [mem 0xf5ef0000-0xf5ef00ff] regsize 1 spacing 1 irq 21 Signed-off-by: Meelis Roos Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit 5ab64c1633f64b8520ba9088976f36db91bf0cd7 Author: Shuming Fan Date: Tue Sep 18 19:51:38 2018 +0800 ASoC: rt5682: Fix the boost volume at the begining of playback [ Upstream commit 28b20dde5e1c943ab899549a655ac4935cffccbb ] This patch fixed the boost volume at the begining of playback while DAC volume set to lower level. Signed-off-by: Shuming Fan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6237e9d0715a669b25a0d9466a6bc99f2129fea4 Author: Peter Shih Date: Mon Sep 10 11:54:21 2018 +0800 spi: mediatek: Don't modify spi_transfer when transfer. [ Upstream commit 00bca73bfca4fb0ab089b94cad0fc83d8b49c25f ] Mediatek SPI driver modifies some fields (tx_buf, rx_buf, len, tx_dma, rx_dma) of the spi_transfer* passed in when doing transfer_one and in interrupt handler. This is somewhat unexpected, and there are some caller (e.g. Cr50 spi driver) that reuse the spi_transfer for multiple messages. Add a field to record how many bytes have been transferred, and calculate the right len / buffer based on it instead. Signed-off-by: Pi-Hsun Shih Change-Id: I23e218cd964f16c0b2b26127d4a5ca6529867673 Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 779c96ef3fac4d2aa50c1554bf7a4af1f3d63f48 Author: Jonas Gorski Date: Tue Aug 28 13:44:11 2018 +0200 spi/bcm63xx-hsspi: keep pll clk enabled [ Upstream commit 0fd85869c2a9c8723a98bc1f56a876e8383649f4 ] If the pll clock needs to be enabled to get its rate, it will also need to be enabled to provide it. So ensure it is kept enabled through the lifetime of the device. Fixes: 0d7412ed1f5dc ("spi/bcm63xx-hspi: Enable the clock before calling clk_get_rate().") Signed-off-by: Jonas Gorski Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit eaa4d5ac4403fa7d59e1cb0f8b1eee7f4de51716 Author: Yonghong Song Date: Mon Sep 17 22:08:13 2018 -0700 samples/bpf: fix a compilation failure [ Upstream commit 534e0e52bc23de588e81b5a6f75e10c8c4b189fc ] samples/bpf build failed with the following errors: $ make samples/bpf/ ... HOSTCC samples/bpf/sockex3_user.o /data/users/yhs/work/net-next/samples/bpf/sockex3_user.c:16:8: error: redefinition of ‘struct bpf_flow_keys’ struct bpf_flow_keys { ^ In file included from /data/users/yhs/work/net-next/samples/bpf/sockex3_user.c:4:0: ./usr/include/linux/bpf.h:2338:9: note: originally defined here struct bpf_flow_keys *flow_keys; ^ make[3]: *** [samples/bpf/sockex3_user.o] Error 1 Commit d58e468b1112d ("flow_dissector: implements flow dissector BPF hook") introduced struct bpf_flow_keys in include/uapi/linux/bpf.h and hence caused the naming conflict with samples/bpf/sockex3_user.c. The fix is to rename struct bpf_flow_keys in samples/bpf/sockex3_user.c to flow_keys to avoid the conflict. Signed-off-by: Yonghong Song Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit feb52253d7380f17f355a5a97205110a594844b0 Author: Kishon Vijay Abraham I Date: Wed Sep 5 16:47:38 2018 +0530 arm64: dts: ti: k3-am65: Change #address-cells and #size-cells of interconnect to 2 [ Upstream commit 3bc1572068e3896b60d86f9c0fb56d1cef28201c ] AM65 has two PCIe controllers and each PCIe controller has '2' address spaces one within the 4GB address space of the SoC and the other above the 4GB address space of the SoC (cbass_main) in addition to the register space. The size of the address space above the 4GB SoC address space is 4GB. These address ranges will be used by CPU/DMA to access the PCIe address space. In order to represent the address space above the 4GB SoC address space and to represent the size of this address space as 4GB, change address-cells and size-cells of interconnect to 2. Since OSPI has similar need in MCU Domain Memory Map, change address-cells and size-cells of cbass_mcu interconnect also to 2. Fixes: ea47eed33a3fe3d919 ("arm64: dts: ti: Add Support for AM654 SoC") Signed-off-by: Kishon Vijay Abraham I Acked-by: Tony Lindgren Acked-by: Vignesh R Acked-by: Nishanth Menon Signed-off-by: Tero Kristo Signed-off-by: Sasha Levin commit 1ea4603cc81299eb13fb0a8f33d0a41d01457b8a Author: Douglas Anderson Date: Wed Sep 5 13:11:46 2018 -0700 tty: serial: qcom_geni_serial: Fix serial when not used as console [ Upstream commit c362272bdea32bf048d6916b0a2dc485eb9cf787 ] If you've got the "console" serial port setup to use just as a UART (AKA there is no "console=ttyMSMX" on the kernel command line) then certain initialization is skipped. When userspace later tries to do something with the port then things go boom (specifically, on my system, some sort of exception hit that caused the system to reboot itself w/ no error messages). Let's cleanup / refactor the init so that we always run the same init code regardless of whether we're using the console. To make this work, we make rely on qcom_geni_serial_pm doing its job to turn resources on. For the record, here is a trace of the order of things (after this patch) when console= is specified on the command line and we have an agetty on the port: qcom_geni_serial_pm: 4 (undefined) => 0 (on) qcom_geni_console_setup qcom_geni_serial_port_setup qcom_geni_serial_console_write qcom_geni_serial_startup qcom_geni_serial_start_tx ...and here is the order of things (after this patch) when console= is _NOT_ specified on the command line and we have an agetty port: qcom_geni_serial_pm: 4 => 0 qcom_geni_serial_pm: 0 => 3 qcom_geni_serial_pm: 3 => 0 qcom_geni_serial_startup qcom_geni_serial_port_setup qcom_geni_serial_pm: 0 => 3 qcom_geni_serial_pm: 3 => 0 qcom_geni_serial_startup qcom_geni_serial_start_tx Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Signed-off-by: Douglas Anderson Reviewed-by: Matthias Kaehlcke Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 87153f7a04c9904625537d9a552eff56dfd5cef0 Author: Anton Vasilyev Date: Tue Aug 7 13:59:05 2018 +0300 serial: mxs-auart: Fix potential infinite loop [ Upstream commit 5963e8a3122471cadfe0eba41c4ceaeaa5c8bb4d ] On the error path of mxs_auart_request_gpio_irq() is performed backward iterating with index i of enum type. Underline enum type may be unsigned char. In this case check (--i >= 0) will be always true and error handling goes into infinite loop. The patch changes the check so that it is valid for signed and unsigned types. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev Acked-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 400caa3d02ea1628b6e14fef44805e64ab6172a8 Author: Marek Szyprowski Date: Thu Sep 13 10:21:25 2018 +0200 serial: samsung: Enable baud clock for UART reset procedure in resume [ Upstream commit 1ff3652bc7111df26b5807037f624be294cf69d5 ] Ensure that the baud clock is also enabled for UART register writes in driver resume. On Exynos5433 SoC this is needed to avoid external abort issue. Signed-off-by: Marek Szyprowski Reviewed-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 30cfa3ebc0ed2caf3b53c5dadadc495dcd75e206 Author: Nava kishore Manne Date: Mon Sep 3 15:10:51 2018 +0200 serial: uartps: Fix suspend functionality [ Upstream commit 4b9d33c6a30688344a3e95179654ea31b07f59b7 ] The driver's suspend/resume functions were buggy. If UART node contains any child node in the DT and the child is established a communication path with the parent UART. The relevant /dev/ttyPS* node will be not available for other operations. If the driver is trying to do any operations like suspend/resume without checking the tty->dev status it leads to the kernel crash/hang. This patch fix this issue by call the device_may_wake() with the generic parameter of type struct device. in the uart suspend and resume paths. It also fixes a race condition in the uart suspend path(i.e uart_suspend_port() should be called at the end of cdns_uart_suspend API this path updates the same) Signed-off-by: Nava kishore Manne Signed-off-by: Michal Simek Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bad4e6d3d40daac35f683fbe4b8d07308214e065 Author: Rob Herring Date: Thu Sep 13 13:12:39 2018 -0500 ARM: dts: xilinx: Fix I2C and SPI bus warnings [ Upstream commit f5054ceed420b1f38d37920a4c65446fcc5d6b90 ] dtc has new checks for I2C and SPI buses. Fix the warnings in node names and unit-addresses. arch/arm/boot/dts/zynq-zc702.dtb: Warning (i2c_bus_reg): /amba/i2c@e0004000/i2c-mux@74/i2c@7/hwmon@52: I2C bus unit address format error, expected "34" arch/arm/boot/dts/zynq-zc702.dtb: Warning (i2c_bus_reg): /amba/i2c@e0004000/i2c-mux@74/i2c@7/hwmon@53: I2C bus unit address format error, expected "35" arch/arm/boot/dts/zynq-zc702.dtb: Warning (i2c_bus_reg): /amba/i2c@e0004000/i2c-mux@74/i2c@7/hwmon@54: I2C bus unit address format error, expected "36" arch/arm/boot/dts/zynq-zc770-xm013.dtb: Warning (spi_bus_reg): /amba/spi@e0006000/eeprom@0: SPI bus unit address format error, expected "2" arch/arm/boot/dts/zynq-zc770-xm010.dtb: Warning (spi_bus_reg): /amba/spi@e0007000/flash@0: SPI bus unit address format error, expected "1" Cc: Michal Simek Signed-off-by: Rob Herring Signed-off-by: Michal Simek Signed-off-by: Sasha Levin commit d15e5038213ec28e1df349ee1408018e032dce03 Author: Gustavo A. R. Silva Date: Fri Jul 20 10:01:58 2018 -0500 PCI: mediatek: Fix unchecked return value [ Upstream commit 17a0a1e5f6c4bd6df17834312ff577c1373d87b8 ] Check return value of devm_pci_remap_iospace(). Addresses-Coverity-ID: 1471965 ("Unchecked return value") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Lorenzo Pieralisi Acked-by: Honghui Zhang Signed-off-by: Sasha Levin commit 80ec7fcb04a04ce1dcad8c96220dd1f0f056b0da Author: Jia-Ju Bai Date: Sat Sep 15 12:02:46 2018 +0800 net: socionext: Fix two sleep-in-atomic-context bugs in ave_rxfifo_reset() [ Upstream commit 0020f5c807ef67954d9210eea0ba17a6134cdf7d ] The driver may sleep with holding a spinlock. The function call paths (from bottom to top) in Linux-4.17 are: [FUNC] usleep_range drivers/net/ethernet/socionext/sni_ave.c, 892: usleep_range in ave_rxfifo_reset drivers/net/ethernet/socionext/sni_ave.c, 932: ave_rxfifo_reset in ave_irq_handler [FUNC] usleep_range drivers/net/ethernet/socionext/sni_ave.c, 888: usleep_range in ave_rxfifo_reset drivers/net/ethernet/socionext/sni_ave.c, 932: ave_rxfifo_reset in ave_irq_handler To fix these bugs, usleep_range() is replaced with udelay(). These bugs are found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 176f6203a4f415d73b9c4092d889cc4435b2bbc3 Author: Sinan Kaya Date: Fri Aug 10 04:32:11 2018 +0000 PCI/ACPI: Correct error message for ASPM disabling [ Upstream commit 1ad61b612b95980a4d970c52022aa01dfc0f6068 ] If _OSC execution fails today for platforms without an _OSC entry, code is printing a misleading message saying disabling ASPM as follows: acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM We need to ensure that platform supports ASPM to begin with. Reported-by: Michael Kelley Signed-off-by: Sinan Kaya Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 525552a0e849347bb7779622b2d1807314d65ea8 Author: Javier Martinez Canillas Date: Sat Sep 1 08:46:29 2018 -0400 media: ov2680: don't register the v4l2 subdevice before checking chip ID [ Upstream commit b7a417628abf49dae98cb80a272dc133b0e4d1a3 ] The driver registers the v4l2 subdevice before attempting to power on the chip and checking its ID. This means that a media device driver that it's waiting for this subdevice to be bound, will prematurely expose its media device node to userspace because if something goes wrong the media entity will be cleaned up again on the ov2680 probe function. This also simplifies the probe function error path since no initialization is made before attempting to enable the resources or checking the chip ID. Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") Signed-off-by: Javier Martinez Canillas Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f4683c89808fa1bbb2dbac995fc5d7bf873f3db9 Author: Koji Matsuoka Date: Thu Oct 26 02:27:51 2017 -0400 media: vsp1: Fix YCbCr planar formats pitch calculation [ Upstream commit 9b2798d5b71c50f64c41a40f0cbcae47c3fbd067 ] YCbCr planar formats can have different pitch values for the luma and chroma planes. This isn't taken into account in the driver. Fix it. Based on a BSP patch from Koji Matsuoka . Fixes: 7863ac504bc5 ("drm: rcar-du: Add tri-planar memory formats support") [Updated documentation of the struct vsp1_du_atomic_config pitch field] Signed-off-by: Koji Matsuoka Signed-off-by: Laurent Pinchart Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ee5a1460f271b9c8d339b7f02367255e1e134521 Author: Laurent Pinchart Date: Fri Apr 27 17:41:12 2018 -0400 media: vsp1: Fix vsp1_regs.h license header [ Upstream commit 5eea860a6fec1e60709d19832015ee0991d3e80c ] All source files of the vsp1 driver are licensed under the GPLv2+ except for vsp1_regs.h which is licensed under GPLv2. This is caused by a bad copy&paste that dates back from the initial version of the driver. Fix it. Acked-by: Kieran Bingham Acked-by: Sergei Shtylyov Acked-by: Niklas Söderlund Acked-by: Wolfram Sang Acked-by: Nobuhiro Iwamatsu Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2d7578285958713e709923e7e3813d43a226e912 Author: Julian Wiedmann Date: Mon Sep 17 17:36:06 2018 +0200 s390/qeth: invoke softirqs after napi_schedule() [ Upstream commit 4d19db777a2f32c9b76f6fd517ed8960576cb43e ] Calling napi_schedule() from process context does not ensure that the NET_RX softirq is run in a timely fashion. So trigger it manually. This is no big issue with current code. A call to ndo_open() is usually followed by a ndo_set_rx_mode() call, and for qeth this contains a spin_unlock_bh(). Except for OSN, where qeth_l2_set_rx_mode() bails out early. Nevertheless it's best to not depend on this behaviour, and just fix the issue at its source like all other drivers do. For instance see commit 83a0c6e58901 ("i40e: Invoke softirqs after napi_reschedule"). Fixes: a1c3ed4c9ca0 ("qeth: NAPI support for l2 and l3 discipline") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 66fb291b264dce4130779a2255949f0440546125 Author: Julian Wiedmann Date: Mon Sep 17 17:36:05 2018 +0200 s390/qeth: uninstall IRQ handler on device removal [ Upstream commit 121ca39aa5585def682a2c8592983442438b84dc ] When setting up, qeth installs its IRQ handler on the ccw devices. But the IRQ handler is not cleared on removal - so even after qeth yields control of the ccw devices, spurious interrupts would still be presented to us. Make (de-)installation of the IRQ handler part of the ccw channel setup/removal helpers, and while at it also add the appropriate locking. Shift around qeth_setup_channel() to avoid a forward declaration for qeth_irq(). Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ccc1e600844d085ccfdbedf77db979a2d83c1a7c Author: Dan Carpenter Date: Fri Oct 19 23:08:43 2018 +0300 ath9k: Fix a locking bug in ath9k_add_interface() [ Upstream commit 461cf036057477805a8a391e5fd0f5264a5e56a8 ] We tried to revert commit d9c52fd17cb4 ("ath9k: fix tx99 with monitor mode interface") but accidentally missed part of the locking change. The lock has to be held earlier so that we're holding it when we do "sc->tx99_vif = vif;" and also there in the current code there is a stray unlock before we have taken the lock. Fixes: 6df0580be8bc ("ath9k: add back support for using active monitor interfaces for tx99") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit e97d09277b7730f85427969115c4ea358bcc2703 Author: Florian Westphal Date: Tue Sep 4 16:01:47 2018 +0200 netfilter: nf_tables: avoid BUG_ON usage [ Upstream commit fa5950e498e7face21a1761f327e6c1152f778c3 ] None of these spots really needs to crash the kernel. In one two cases we can jsut report error to userspace, in the other cases we can just use WARN_ON (and leak memory instead). Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit d1440f1a38ebbcb9db1b676edc0c7f1c9f42fbd7 Author: Hans de Goede Date: Sat Sep 8 20:08:13 2018 +0200 ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask [ Upstream commit 86b62e5cd8965d3056f9e9ccdec51631c37add81 ] lpss_iosf_enter_d3_state() checks if all hw-blocks using the DMA controllers are in d3 before powering down the DMA controllers. But on devices, where the I2C bus connected to the PMIC is shared by the PUNIT, the controller for that bus will never reach d3 since it has an effectively empty _PS3 method. Instead it appears to automatically power-down during S0i3 and we never see it as being in d3. This causes the DMA controllers to never be powered-down on these devices, causing them to never reach S0i3. This commit uses the ACPI _SEM method to detect if an I2C bus is shared with the PUNIT and if it is, it removes it from the mask of devices which lpss_iosf_enter_d3_state() checks for. This fixes these devices never reaching any S0ix states. Signed-off-by: Hans de Goede Acked-by: Mika Westerberg Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 75fd1aec33c6395c602fb866b37115eb23da04b6 Author: Rob Herring Date: Thu Sep 13 13:12:45 2018 -0500 arm64: dts: rockchip: Fix I2C bus unit-address error on rk3399-puma-haikou [ Upstream commit 501500e65fa96f899230d66153fefd780f08dd34 ] dtc has new checks for I2C buses. Fix the warnings in unit-addresses. arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dtb: Warning (i2c_bus_reg): /i2c@ff3d0000/codec@0a: I2C bus unit address format error, expected "a" Cc: Heiko Stuebner Cc: linux-rockchip@lists.infradead.org Signed-off-by: Rob Herring Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 5fc9af407fc5032458f003880bc176c767543d06 Author: Rob Herring Date: Thu Sep 13 13:12:36 2018 -0500 ARM: dts: rockchip: Fix erroneous SPI bus dtc warnings on rk3036 [ Upstream commit 131c3eb428ccd5f0c784b9edb4f72ec296a045d2 ] dtc has new checks for SPI buses. The rk3036 dts file has a node named spi' which causes false positive warnings. As the node is a pinctrl child node, change the node name to be 'spi-pins' to fix the warnings. arch/arm/boot/dts/rk3036-evb.dtb: Warning (spi_bus_bridge): /pinctrl/spi: incorrect #address-cells for SPI bus arch/arm/boot/dts/rk3036-kylin.dtb: Warning (spi_bus_bridge): /pinctrl/spi: incorrect #address-cells for SPI bus arch/arm/boot/dts/rk3036-evb.dtb: Warning (spi_bus_bridge): /pinctrl/spi: incorrect #size-cells for SPI bus arch/arm/boot/dts/rk3036-kylin.dtb: Warning (spi_bus_bridge): /pinctrl/spi: incorrect #size-cells for SPI bus Cc: Heiko Stuebner Cc: linux-rockchip@lists.infradead.org Signed-off-by: Rob Herring Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 0592c2178e3cce76e839365eed67e1481d618ff0 Author: Vivek Gautam Date: Tue Aug 7 23:17:39 2018 +0530 scsi: ufshcd: Fix NULL pointer dereference for in ufshcd_init [ Upstream commit eebcc19646489b68399ce7b35d9c38eb9f4ec40f ] Error paths in ufshcd_init() ufshcd_hba_exit() killed clk_scaling workqueue when the workqueue is actually created quite late in ufshcd_init(). So, we end up getting NULL pointer dereference in such error paths. Fix this by moving clk_scaling initialization and kill codes to two separate methods, and call them at required places. Fixes: 401f1e4490ee ("scsi: ufs: don't suspend clock scaling during clock gating") Signed-off-by: Vivek Gautam Cc: Bjorn Andersson Cc: Subhash Jadavani Cc: Matthias Kaehlcke Cc: Evan Green Cc: Martin K. Petersen Reviewed-by: Evan Green Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6745591c8da94418078b8b0f86bf0dff0e1a4a88 Author: Haishuang Yan Date: Fri Sep 14 12:26:47 2018 +0800 ip_gre: fix parsing gre header in ipgre_err [ Upstream commit b0350d51f001e6edc13ee4f253b98b50b05dd401 ] gre_parse_header stops parsing when csum_err is encountered, which means tpi->key is undefined and ip_tunnel_lookup will return NULL improperly. This patch introduce a NULL pointer as csum_err parameter. Even when csum_err is encountered, it won't return error and continue parsing gre header as expected. Fixes: 9f57c67c379d ("gre: Remove support for sharing GRE protocol hook.") Reported-by: Jiri Benc Signed-off-by: Haishuang Yan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ada2a0f1ac54fd6625e791a98402b57f24ad5470 Author: Bernd Edlinger Date: Sat Jul 7 17:52:47 2018 +0000 kernfs: Fix range checks in kernfs_get_target_path [ Upstream commit a75e78f21f9ad4b810868c89dbbabcc3931591ca ] The terminating NUL byte is only there because the buffer is allocated with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the range-check is off-by-one, and PAGE_SIZE==PATH_MAX, the returned string may not be zero-terminated if it is exactly PATH_MAX characters long. Furthermore also the initial loop may theoretically exceed PATH_MAX and cause a fault. Signed-off-by: Bernd Edlinger Acked-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5fba8151069702486138d05cd96c1713f1720343 Author: Banajit Goswami Date: Mon Aug 27 21:15:39 2018 -0700 component: fix loop condition to call unbind() if bind() fails [ Upstream commit bdae566d5d9733b6e32b378668b84eadf28a94d4 ] During component_bind_all(), if bind() fails for any particular component associated with a master, unbind() should be called for all previous components in that master's match array, whose bind() might have completed successfully. As per the current logic, if bind() fails for the component at position 'n' in the master's match array, it would start calling unbind() from component in 'n'th position itself and work backwards, and will always skip calling unbind() for component in 0th position in the master's match array. Fix this by updating the loop condition, and the logic to refer to the components in master's match array, so that unbind() is called for all components starting from 'n-1'st position in the array, until (and including) component in 0th position. Signed-off-by: Banajit Goswami Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 925c19a8c6bb37f76f625c29fd7a59699dc8d1bc Author: Tomasz Figa Date: Tue Jul 17 18:05:07 2018 +0200 power: supply: max8998-charger: Fix platform data retrieval [ Upstream commit cb90a2c6f77fe9b43d1e3f759bb2f13fe7fa1811 ] Since the max8998 MFD driver supports instantiation by DT, platform data retrieval is handled in MFD probe and cell drivers should get use the pdata field of max8998_dev struct to obtain them. Fixes: ee999fb3f17f ("mfd: max8998: Add support for Device Tree") Signed-off-by: Tomasz Figa Signed-off-by: Paweł Chmiel Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 82d8a34470e96e192290885ffb54422b6f42700f Author: Claudiu Beznea Date: Thu Aug 30 14:50:11 2018 +0300 power: reset: at91-poweroff: do not procede if at91_shdwc is allocated [ Upstream commit 9f1e44774be578fb92776add95f1fcaf8284d692 ] There should be only one instance of struct shdwc in the system. This is referenced through at91_shdwc. Return in probe if at91_shdwc is already allocated. Signed-off-by: Claudiu Beznea Acked-by: Nicolas Ferre Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 1fb3d279a38471134e68dd7da647bc7eb9ae9513 Author: Dan Carpenter Date: Mon Sep 10 11:39:04 2018 +0300 power: supply: ab8500_fg: silence uninitialized variable warnings [ Upstream commit 54baff8d4e5dce2cef61953b1dc22079cda1ddb1 ] If kstrtoul() fails then we print "charge_full" when it's uninitialized. The debug printk doesn't add anything so I deleted it and cleaned these two functions up a bit. Signed-off-by: Dan Carpenter Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit c9398259cf85201a573bbdafdca458fa108f2d80 Author: Rob Herring Date: Thu Sep 13 13:12:41 2018 -0500 arm64: dts: meson: Fix erroneous SPI bus warnings [ Upstream commit 68ecb5c1920c5b98b1e717fd2349fba2ee5d4031 ] dtc has new checks for SPI buses. The meson dts files have a node named spi' which causes false positive warnings. As the node is a pinctrl child node, change the node name to be 'spi-pins' to fix the warnings. arch/arm64/boot/dts/amlogic/meson-gxbb-nanopi-k2.dtb: Warning (spi_bus_bridge): /soc/periphs@c8834000/pinctrl@4b0/spi: incorrect #address-cells for SPI bus Cc: Carlo Caione Cc: Kevin Hilman Cc: linux-amlogic@lists.infradead.org Signed-off-by: Rob Herring Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 89f4d27c1bcd9d4f8f1590f6d29ae3b77ca2f41a Author: Paolo Valente Date: Fri Sep 14 16:23:09 2018 +0200 blok, bfq: do not plug I/O if all queues are weight-raised [ Upstream commit c8765de0adfcaaf4ffb2d951e07444f00ffa9453 ] To reduce latency for interactive and soft real-time applications, bfq privileges the bfq_queues containing the I/O of these applications. These privileged queues, referred-to as weight-raised queues, get a much higher share of the device throughput w.r.t. non-privileged queues. To preserve this higher share, the I/O of any non-weight-raised queue must be plugged whenever a sync weight-raised queue, while being served, remains temporarily empty. To attain this goal, bfq simply plugs any I/O (from any queue), if a sync weight-raised queue remains empty while in service. Unfortunately, this plugging typically lowers throughput with random I/O, on devices with internal queueing (because it reduces the filling level of the internal queues of the device). This commit addresses this issue by restricting the cases where plugging is performed: if a sync weight-raised queue remains empty while in service, then I/O plugging is performed only if some of the active bfq_queues are *not* weight-raised (which is actually the only circumstance where plugging is needed to preserve the higher share of the throughput of weight-raised queues). This restriction proved able to boost throughput in really many use cases needing only maximum throughput. Signed-off-by: Paolo Valente Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6c9a79651bff3470cbd95db4b987961e13495a64 Author: Paolo Valente Date: Fri Sep 14 16:23:08 2018 +0200 block, bfq: inject other-queue I/O into seeky idle queues on NCQ flash [ Upstream commit d0edc2473be9d70f999282e1ca7863ad6ae704dc ] The Achilles' heel of BFQ is its failing to reach a high throughput with sync random I/O on flash storage with internal queueing, in case the processes doing I/O have differentiated weights. The cause of this failure is as follows. If at least two processes do sync I/O, and have a different weight from each other, then BFQ plugs I/O dispatching every time one of these processes, while it is being served, remains temporarily without pending I/O requests. This plugging is necessary to guarantee that every process enjoys a bandwidth proportional to its weight; but it empties the internal queue(s) of the drive. And this kills throughput with random I/O. So, if some processes have differentiated weights and do both sync and random I/O, the end result is a throughput collapse. This commit tries to counter this problem by injecting the service of other processes, in a controlled way, while the process in service happens to have no I/O. This injection is performed only if the medium is non rotational and performs internal queueing, and the process in service does random I/O (service injection might be beneficial for sequential I/O too, we'll work on that). As an example of the benefits of this commit, on a PLEXTOR PX-256M5S SSD, and with five processes having differentiated weights and doing sync random 4KB I/O, this commit makes the throughput with bfq grow by 400%, from 25 to 100MB/s. This higher throughput is 10MB/s lower than that reached with none. As some less random I/O is added to the mix, the throughput becomes equal to or higher than that with none. This commit is a very first attempt to recover throughput without losing control, and certainly has many limitations. One is, e.g., that the processes whose service is injected are not chosen so as to distribute the extra bandwidth they receive in accordance to their weights. Thus there might be loss of weighted fairness in some cases. Anyway, this loss concerns extra service, which would not have been received at all without this commit. Other limitations and issues will probably show up with usage. Signed-off-by: Paolo Valente Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6d7757f04866c126f5ddf1dcb265c5d09daea160 Author: Hari Vyas Date: Tue Aug 7 16:33:48 2018 +0530 arm64: fix for bad_mode() handler to always result in panic [ Upstream commit e4ba15debcfd27f60d43da940a58108783bff2a6 ] The bad_mode() handler is called if we encounter an uunknown exception, with the expectation that the subsequent call to panic() will halt the system. Unfortunately, if the exception calling bad_mode() is taken from EL0, then the call to die() can end up killing the current user task and calling schedule() instead of falling through to panic(). Remove the die() call altogether, since we really want to bring down the machine in this "impossible" case. Signed-off-by: Hari Vyas Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 7f49a2210e85446ca8f52400b4f85f0d5373ab3d Author: Ganesh Goudar Date: Fri Sep 14 14:36:27 2018 +0530 cxgb4: Fix endianness issue in t4_fwcache() [ Upstream commit 0dc235afc59a226d951352b0adf4a89b532a9d13 ] Do not put host-endian 0 or 1 into big endian feild. Reported-by: Al Viro Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b0cb2d8164d0dfd19ef050505fbf936b2df1b10d Author: Sherry Yang Date: Mon Aug 13 17:28:53 2018 -0700 android: binder: no outgoing transaction when thread todo has transaction [ Upstream commit 44b73962cb25f1c8170ea695c4564b05a75e1fd4 ] When a process dies, failed reply is sent to the sender of any transaction queued on a dead thread's todo list. The sender asserts that the received failed reply corresponds to the head of the transaction stack. This assert can fail if the dead thread is allowed to send outgoing transactions when there is already a transaction on its todo list, because this new transaction can end up on the transaction stack of the original sender. The following steps illustrate how this assertion can fail. 1. Thread1 sends txn19 to Thread2 (T1->transaction_stack=txn19, T2->todo+=txn19) 2. Without processing todo list, Thread2 sends txn20 to Thread1 (T1->todo+=txn20, T2->transaction_stack=txn20) 3. T1 processes txn20 on its todo list (T1->transaction_stack=txn20->txn19, T1->todo=) 4. T2 dies, T2->todo cleanup attempts to send failed reply for txn19, but T1->transaction_stack points to txn20 -- assertion failes Step 2. is the incorrect behavior. When there is a transaction on a thread's todo list, this thread should not be able to send any outgoing synchronous transactions. Only the head of the todo list needs to be checked because only threads that are waiting for proc work can directly receive work from another thread, and no work is allowed to be queued on such a thread without waking up the thread. This patch also enforces that a thread is not waiting for proc work when a work is directly enqueued to its todo list. Acked-by: Arve Hjønnevåg Signed-off-by: Sherry Yang Reviewed-by: Martijn Coenen Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 31e470f92d9e2f25593657f4e37f64c6a4b46745 Author: Rob Herring Date: Thu Sep 13 13:12:38 2018 -0500 ARM: dts: sun9i: Fix I2C bus warnings [ Upstream commit 57a83c5222c1b5e7b3acc72c6e60fce00a38991a ] dtc has new checks for I2C buses. The sun9i-a80 dts file has a node named 'i2c' which causes a false positive warning. As the node is a RSB bus, correct the node name to be 'rsb' to fix the warnings. arch/arm/boot/dts/sun9i-a80-cubieboard4.dtb: Warning (i2c_bus_reg): /soc/i2c@8003400/codec@e89:reg: I2C address must be less than 10-bits, got "0xe89" arch/arm/boot/dts/sun9i-a80-cubieboard4.dtb: Warning (i2c_bus_reg): /soc/i2c@8003400/pmic@745:reg: I2C address must be less than 10-bits, got "0x745" arch/arm/boot/dts/sun9i-a80-optimus.dtb: Warning (i2c_bus_reg): /soc/i2c@8003400/codec@e89:reg: I2C address must be less than 10-bits, got "0xe89" arch/arm/boot/dts/sun9i-a80-optimus.dtb: Warning (i2c_bus_reg): /soc/i2c@8003400/pmic@745:reg: I2C address must be less than 10-bits, got "0x745" Cc: Maxime Ripard Cc: Chen-Yu Tsai Signed-off-by: Rob Herring Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 0989aa65bc37849e786021b37e9e313d55767b6a Author: Ludovic Desroches Date: Thu Sep 13 14:42:13 2018 +0200 pinctrl: at91: don't use the same irqchip with multiple gpiochips [ Upstream commit 0c3dfa176912b5f87732545598200fb55e9c1978 ] Sharing the same irqchip with multiple gpiochips is not a good practice. For instance, when installing hooks, we change the state of the irqchip. The initial state of the irqchip for the second gpiochip to register is then disrupted. Signed-off-by: Ludovic Desroches Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit d1b9d321df35320f2393113f69c07bc21e582f3f Author: Rob Herring Date: Thu Sep 13 13:12:32 2018 -0500 ARM: dts: sunxi: Fix I2C bus warnings [ Upstream commit 0729b4af5753b65aa031f58c435da53dbbf56d19 ] dtc has new checks for I2C buses. Fix the warnings in unit-addresses. arch/arm/boot/dts/sun8i-a23-gt90h-v4.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: I2C bus unit address format error, expected "40" arch/arm/boot/dts/sun8i-a23-inet86dz.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: I2C bus unit address format error, expected "40" arch/arm/boot/dts/sun8i-a23-polaroid-mid2407pxe03.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: I2C bus unit address format error, expected "40" arch/arm/boot/dts/sun8i-a23-polaroid-mid2809pxe04.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: I2C bus unit address format error, expected "40" arch/arm/boot/dts/sun8i-a33-ga10h-v1.1.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: I2C bus unit address format error, expected "40" arch/arm/boot/dts/sun8i-a33-inet-d978-rev2.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: missing or empty reg property arch/arm/boot/dts/sun8i-a33-ippo-q8h-v1.2.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: missing or empty reg property arch/arm/boot/dts/sun8i-a33-q8-tablet.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2ac00/touchscreen@0: missing or empty reg property arch/arm/boot/dts/sun5i-a13-utoo-p66.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2b000/touchscreen: I2C bus unit address format error, expected "40" arch/arm/boot/dts/sun5i-a13-difrnce-dit4350.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2b000/touchscreen: missing or empty reg property arch/arm/boot/dts/sun5i-a13-empire-electronix-m712.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2b000/touchscreen: missing or empty reg property arch/arm/boot/dts/sun5i-a13-inet-98v-rev2.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2b000/touchscreen: missing or empty reg property arch/arm/boot/dts/sun5i-a13-q8-tablet.dtb: Warning (i2c_bus_reg): /soc@1c00000/i2c@1c2b000/touchscreen: missing or empty reg property Cc: Maxime Ripard Cc: Chen-Yu Tsai Signed-off-by: Rob Herring Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 8ac08053744cdd9cc88c26857f5ff48583e995ac Author: Dinh Nguyen Date: Thu Sep 13 23:52:49 2018 -0500 ARM: dts: socfpga: Fix I2C bus unit-address error [ Upstream commit cbbc488ed85061a765cf370c3e41f383c1e0add6 ] dtc has new checks for I2C buses. Fix the warnings in unit-addresses. arch/arm/boot/dts/socfpga_cyclone5_de0_sockit.dtb: Warning (i2c_bus_reg): /soc/i2c@ffc04000/adxl345@0: I2C bus unit address format error, expected "53" Signed-off-by: Rob Herring Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit e70ccd8a13a9a966df74496fc65a7caa308ae481 Author: Alan Modra Date: Fri Sep 14 13:10:04 2018 +0930 powerpc/vdso: Correct call frame information [ Upstream commit 56d20861c027498b5a1112b4f9f05b56d906fdda ] Call Frame Information is used by gdb for back-traces and inserting breakpoints on function return for the "finish" command. This failed when inside __kernel_clock_gettime. More concerning than difficulty debugging is that CFI is also used by stack frame unwinding code to implement exceptions. If you have an app that needs to handle asynchronous exceptions for some reason, and you are unlucky enough to get one inside the VDSO time functions, your app will crash. What's wrong: There is control flow in __kernel_clock_gettime that reaches label 99 without saving lr in r12. CFI info however is interpreted by the unwinder without reference to control flow: It's a simple matter of "Execute all the CFI opcodes up to the current address". That means the unwinder thinks r12 contains the return address at label 99. Disabuse it of that notion by resetting CFI for the return address at label 99. Note that the ".cfi_restore lr" could have gone anywhere from the "mtlr r12" a few instructions earlier to the instruction at label 99. I put the CFI as late as possible, because in general that's best practice (and if possible grouped with other CFI in order to reduce the number of CFI opcodes executed when unwinding). Using r12 as the return address is perfectly fine after the "mtlr r12" since r12 on that code path still contains the return address. __get_datapage also has a CFI error. That function temporarily saves lr in r0, and reflects that fact with ".cfi_register lr,r0". A later use of r0 means the CFI at that point isn't correct, as r0 no longer contains the return address. Fix that too. Signed-off-by: Alan Modra Tested-by: Reza Arbab Signed-off-by: Paul Mackerras Signed-off-by: Sasha Levin commit 11d7842812f8bb133347d717cc3f309f8a34f2dd Author: Rob Herring Date: Thu Sep 13 13:12:27 2018 -0500 ARM: dts: aspeed: Fix I2C bus warnings [ Upstream commit 1426d40e11f730e0c0fd3700a7048082f87b0e6e ] dtc has new checks for I2C buses. The ASpeed dts files have a node named 'i2c' which causes a false positive warning. As the node is a 'simple-bus', correct the node name to be 'bus' to fix the warnings. arch/arm/boot/dts/aspeed-bmc-opp-lanyang.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-opp-romulus.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-ast2500-evb.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-arm-centriq2400-rep.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-intel-s2600wf.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-opp-palmetto.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-opp-witherspoon.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-opp-zaius.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-portwell-neptune.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus arch/arm/boot/dts/aspeed-bmc-quanta-q71l.dtb: Warning (i2c_bus_bridge): /ahb/apb/i2c@1e78a000: incorrect #size-cells for I2C bus Cc: Joel Stanley Cc: Andrew Jeffery Cc: linux-aspeed@lists.ozlabs.org Signed-off-by: Rob Herring Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 5a8130ed237f9c298df02113fa284f81009a882d Author: Rob Herring Date: Thu Sep 13 13:12:30 2018 -0500 ARM: dts: bcm: Fix SPI bus warnings [ Upstream commit ab0b47d2eff413d60b0a1fc0c1f87f87f0d7f375 ] dtc has new checks for SPI buses. Fix the warnings in node names. arch/arm/boot/dts/bcm53340-ubnt-unifi-switch8.dtb: Warning (spi_bus_bridge): /axi@18000000/qspi@27200: node name for SPI buses should be 'spi' arch/arm/boot/dts/bcm958525er.dtb: Warning (spi_bus_bridge): /axi/qspi@27200: node name for SPI buses should be 'spi' arch/arm/boot/dts/bcm958525xmc.dtb: Warning (spi_bus_bridge): /axi/qspi@27200: node name for SPI buses should be 'spi' arch/arm/boot/dts/bcm958622hr.dtb: Warning (spi_bus_bridge): /axi/qspi@27200: node name for SPI buses should be 'spi' arch/arm/boot/dts/bcm958625hr.dtb: Warning (spi_bus_bridge): /axi/qspi@27200: node name for SPI buses should be 'spi' arch/arm/boot/dts/bcm988312hr.dtb: Warning (spi_bus_bridge): /axi/qspi@27200: node name for SPI buses should be 'spi' Cc: Ray Jui Cc: Scott Branden Cc: Jon Mason Cc: bcm-kernel-feedback-list@broadcom.com Signed-off-by: Rob Herring Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 08ffefc8e7ed7551eaefd106b5f0bd391c0a12ea Author: Rob Herring Date: Thu Sep 13 13:12:42 2018 -0500 arm64: dts: broadcom: Fix I2C and SPI bus warnings [ Upstream commit 7cdbe45da1a189e744e6801aebb462ee47235580 ] dtc has new checks for I2C and SPI buses. Fix the warnings in node names and unit-addresses. arch/arm64/boot/dts/broadcom/stingray/bcm958742k.dtb: Warning (i2c_bus_reg): /hsls/i2c@e0000/pcf8574@20: I2C bus unit address format error, expected "27" arch/arm64/boot/dts/broadcom/stingray/bcm958742t.dtb: Warning (i2c_bus_reg): /hsls/i2c@e0000/pcf8574@20: I2C bus unit address format error, expected "27" arch/arm64/boot/dts/broadcom/stingray/bcm958742k.dtb: Warning (spi_bus_bridge): /hsls/ssp@180000: node name for SPI buses should be 'spi' arch/arm64/boot/dts/broadcom/stingray/bcm958742k.dtb: Warning (spi_bus_bridge): /hsls/ssp@190000: node name for SPI buses should be 'spi' Cc: Ray Jui Cc: Scott Branden Cc: Jon Mason Cc: bcm-kernel-feedback-list@broadcom.com Signed-off-by: Rob Herring Acked-by: Scott Branden Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 174e8262f08a8342159a68b9ae6676091d4ee8cf Author: Lina Iyer Date: Wed Sep 5 14:14:38 2018 -0600 drivers: qcom: rpmh-rsc: clear wait_for_compl after use [ Upstream commit 09e97b6c8754c91470455e69ebd827b741f80af5 ] The wait_for_compl register ensures the request sequence is maintained when sending requests from the TCS. Clear the register after sending active request and during invalidate of the sleep and wake TCS. Reported-by: Raju P.L.S.S.S.N Signed-off-by: Lina Iyer Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit 09c8a33ed766244ac4d9427fe48f60d82682f625 Author: Niklas Cassel Date: Wed Aug 29 09:57:22 2018 +0200 soc: qcom: apr: Avoid string overflow [ Upstream commit 4fadb26574cb74e5de079dd384f25f44f4fb3ec3 ] 'adev->name' is used as a NUL-terminated string, but using strncpy() with the length equal to the buffer size may result in lack of the termination: In function 'apr_add_device', inlined from 'of_register_apr_devices' at drivers//soc/qcom/apr.c:264:7, inlined from 'apr_probe' at drivers//soc/qcom/apr.c:290:2: drivers//soc/qcom/apr.c:222:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(adev->name, np->name, APR_NAME_SIZE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This changes it to use the safer strscpy() instead. Signed-off-by: Niklas Cassel Reviewed-by: Bjorn Andersson Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit 6651ecf92f3cbe91358b5b190b39a674607b03ae Author: Niklas Cassel Date: Wed Aug 29 09:57:21 2018 +0200 soc: qcom: wcnss_ctrl: Avoid string overflow [ Upstream commit 4c96ed170d658d8826d94edec8ac93ee777981a2 ] 'chinfo.name' is used as a NUL-terminated string, but using strncpy() with the length equal to the buffer size may result in lack of the termination: drivers//soc/qcom/wcnss_ctrl.c: In function 'qcom_wcnss_open_channel': drivers//soc/qcom/wcnss_ctrl.c:284:2: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation] strncpy(chinfo.name, name, sizeof(chinfo.name)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This changes it to use the safer strscpy() instead. Signed-off-by: Niklas Cassel Reviewed-by: Bjorn Andersson Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit 4a2c4d1a0b6bdaf28391107375bc14c9fdc2109b Author: Douglas Anderson Date: Thu Sep 6 15:49:06 2018 -0700 soc: qcom: geni: geni_se_clk_freq_match() should always accept multiples [ Upstream commit 867d4aa7013fdee8b962cde1711f96c8dd86d926 ] The geni_se_clk_freq_match() has some strange semantics. Specifically it is defined with two modes: 1. It can find a clock that's an exact multiple of the requested rate 2. It can find a non-exact match but it can't handle multiples then ...but callers should always be able to handle a clock that is a multiple of the requested clock so mode #2 doesn't really make sense. Let's change the semantics so that the non-exact match can also accept multiples and then change the code to handle that. The only caller of this code is the unlanded SPI driver [1] which currently passes "exact = True", thus it should be safe to change the semantics in this way. ...and, in fact, the SPI driver should likely be modified to pass "exact = False" (with the new semantics) since that will allow it to work with SPI devices that request a clock rate that doesn't exactly match a rate we can make. [1] https://lkml.kernel.org/r/1535107336-2214-1-git-send-email-dkota@codeaurora.org Fixes: eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver") Signed-off-by: Douglas Anderson Reviewed-by: Matthias Kaehlcke Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit 331ed266987e4fe7adb1febdf85cd0d1e1a30787 Author: Douglas Anderson Date: Thu Sep 6 15:49:05 2018 -0700 soc: qcom: geni: Don't ignore clk_round_rate() errors in geni_se_clk_tbl_get() [ Upstream commit e11bbcedecae85ce60a5d99ea03528c2d6f867e0 ] The function clk_round_rate() is defined to return a "long", not an "unsigned long". That's because it might return a negative error code. Change the call in geni_se_clk_tbl_get() to check for errors. While we're at it, get rid of a useless init of "freq". NOTE: overall the idea that we should iterate over clk_round_rate() to try to reconstruct a table already present in the clock driver is questionable. Specifically: - This method relies on "clk_round_rate()" rounding up. - This method only works if the table is sorted and has no duplicates. ...this patch doesn't try to fix those problems, it just makes the error handling more correct. Fixes: eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver") Signed-off-by: Douglas Anderson Reviewed-by: Matthias Kaehlcke Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit b0826d4774c2c83bc814cc49c103d12a40eec197 Author: Christian Lamparter Date: Wed Jul 25 10:37:47 2018 +0200 ARM: dts: qcom: ipq4019: fix cpu0's qcom,saw2 reg value [ Upstream commit bd73a3dd257fb838bd456a18eeee0ef0224b7a40 ] while compiling an ipq4019 target, dtc will complain: regulator@b089000 unit address format error, expected "2089000" The saw0 regulator reg value seems to be copied and pasted from qcom-ipq8064.dtsi. This patch fixes the reg value to match that of the unit address which in turn silences the warning. (There is no driver for qcom,saw2 right now. So this went unnoticed) Signed-off-by: Christian Lamparter Signed-off-by: John Crispin Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit 9a484516a4105fcc01a21b321d06f5f0b8588242 Author: Cong Wang Date: Tue Sep 11 11:42:06 2018 -0700 llc: avoid blocking in llc_sap_close() [ Upstream commit 9708d2b5b7c648e8e0a40d11e8cea12f6277f33c ] llc_sap_close() is called by llc_sap_put() which could be called in BH context in llc_rcv(). We can't block in BH. There is no reason to block it here, kfree_rcu() should be sufficient. Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 50e40ebcaa32e27e62b916886f8ce2822b96778c Author: Dan Carpenter Date: Mon Sep 10 11:37:45 2018 +0300 pinctrl: at91-pio4: fix has_config check in atmel_pctl_dt_subnode_to_map() [ Upstream commit b97760ae8e3dc8bb91881c13425a0bff55f2bd85 ] Smatch complains about this condition: if (has_config && num_pins >= 1) The "has_config" variable is either uninitialized or true. The "num_pins" variable is unsigned and we verified that it is non-zero on the lines before so we know "num_pines >= 1" is true. Really, we could just check "num_configs" directly and remove the "has_config" variable. Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") Signed-off-by: Dan Carpenter Acked-by: Ludovic Desroches Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 3f57f7387db258348aaf192b682ca99321690d48 Author: Geert Uytterhoeven Date: Tue Aug 28 16:13:27 2018 +0200 arm64: dts: renesas: r8a77965: Fix clock/reset for usb2_phy1 [ Upstream commit 7a590fe317488783a229e5a80e91868942e8463f ] usb2_phy1 accidentally uses the same clock/reset as usb2_phy0. Fixes: b5857630a829a8d5 ("arm64: dts: renesas: r8a77965: add usb2_phy nodes") Signed-off-by: Geert Uytterhoeven Reviewed-by: Yoshihiro Shimoda Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 7ed1974d2b0338702c9affd532a0bb1fbfe2d1ae Author: Geert Uytterhoeven Date: Tue Aug 28 15:57:02 2018 +0200 arm64: dts: renesas: r8a77965: Fix HS-USB compatible [ Upstream commit 99584d93e301d820d817bba2eb77b9152e13009c ] Should be "renesas,usbhs-r8a77965", not "renesas,usbhs-r8a7796". Fixes: a06e8af801760a98 ("arm64: dts: renesas: r8a77965: add HS-USB node") Signed-off-by: Geert Uytterhoeven Reviewed-by: Yoshihiro Shimoda Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit dc521bf8ffda0945626f29cfe645a87cadf11edf Author: Magnus Damm Date: Mon Aug 20 23:17:56 2018 +0900 arm64: dts: renesas: r8a77965: Attach the SYS-DMAC to the IPMMU [ Upstream commit 4d76ad7d9de05506f1ee9a7b22416440468be090 ] For R-Car M3-N hook up SYS-DMAC0, SYS-DMAC1 and SYS-DMAC2 to IPMMU-DS0 and IPMMU-DS1 in same way as for R-Car M3-W. This follows the R-Car Gen3 Rev.1.00 (April 2018) datasheet. Signed-off-by: Magnus Damm Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 1badf45f08b33d3b0ec48d8dd72dfe0a693922f2 Author: Kieran Bingham Date: Tue Aug 7 16:59:33 2018 +0100 arm64: dts: renesas: salvator-common: adv748x: Override secondary addresses [ Upstream commit e3da41a6c28f9b61ea03df987f1c9ffffc8b8e60 ] Ensure that the ADV748x device addresses do not conflict, and group them together (visually in i2cdetect) Signed-off-by: Kieran Bingham Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 20f93eb9194c53ab31968da100152011547e2479 Author: Takashi Iwai Date: Tue Aug 28 16:39:10 2018 +0200 ALSA: intel8x0m: Register irq handler after register initializations [ Upstream commit 7064f376d4a10686f51c879401a569bb4babf9c6 ] The interrupt handler has to be acquired after the other resource initialization when allocated with IRQF_SHARED. Otherwise it's triggered before the resource gets ready, and may lead to unpleasant behavior. Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e80e83fb0106326aff99f20f0f0b8237f07cf0d7 Author: Neil Armstrong Date: Mon Sep 10 20:39:10 2018 +0200 arm64: dts: meson-axg: use the proper compatible for ethmac [ Upstream commit eaf8f57c0bf5451132932616ab62f9481adefb55 ] Use the correct compatible for the AXG ethernet mac node. Signed-off-by: Neil Armstrong Acked-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 2694107888a5865cd2b7e088415136da28f59f7a Author: Jerome Brunet Date: Thu Aug 30 12:53:17 2018 +0200 arm64: dts: meson: libretech: update board model [ Upstream commit b7eb0e26cc4a212fde09144cd49d4103170d2b9e ] There is actually several different libretech board with the CC suffix so the model name is not appropriate here. Update to something more specific Reported-by: Da Xue Signed-off-by: Jerome Brunet Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 3804f9dd8f76946980bcf030dec176181a6d1f4f Author: Andrew Lunn Date: Wed Sep 12 01:53:12 2018 +0200 net: bcmgenet: Fix speed selection for reverse MII [ Upstream commit 00eb2243b933a496958f4ce1bcf59840fea8be16 ] The phy supported speed is being used to determine if the MAC should be configured to 100 or 1G. The masking logic is broken. Instead, look at 1G supported speeds to enable 1G MAC support. Signed-off-by: Andrew Lunn Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 914282c62ab2bee7b34bcf0f15b4b67f549d2d59 Author: Arnd Bergmann Date: Mon Aug 27 15:56:21 2018 -0400 media: dvb: fix compat ioctl translation [ Upstream commit 1ccbeeb888ac33627d91f1ccf0b84ef3bcadef24 ] The VIDEO_GET_EVENT and VIDEO_STILLPICTURE was added back in 2005 but it never worked because the command number is wrong. Using the right command number means we have a better chance of them actually doing the right thing, though clearly nobody has ever tried it successfully. I noticed these while auditing the remaining users of compat_time_t for y2038 bugs. This one is fine in that regard, it just never did anything. Fixes: 6e87abd0b8cb ("[DVB]: Add compat ioctl handling.") Signed-off-by: Arnd Bergmann Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 03056f8c725a423eb7183f55157edad024d56bdd Author: Lao Wei Date: Mon Jul 9 08:15:53 2018 -0400 media: fix: media: pci: meye: validate offset to avoid arbitrary access [ Upstream commit eac7230fdb4672c2cb56f6a01a1744f562c01f80 ] Motion eye video4linux driver for Sony Vaio PictureBook desn't validate user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying pass different arbitrary address. Discussion: http://www.openwall.com/lists/oss-security/2018/07/06/1 Signed-off-by: Lao Wei Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fe384ab1496cfcd6cb2e602c9a4003d690e9697d Author: Mark Brown Date: Wed Sep 12 12:31:32 2018 +0100 ALSA: hda: Fix implicit definition of pci_iomap() on SH [ Upstream commit d9b84a15892c02334ac8a5c28865ae54168d9b22 ] Include asm/io.h directly so we've got a definition of pci_iomap(), the current set of includes do this implicitly on most architectures but not on SH. Reported-by: kbuild test robot Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6281d021bbb37c4d4b521c17b070b067e52d7b0a Author: Geert Uytterhoeven Date: Thu Jun 14 09:48:07 2018 -0400 media: dt-bindings: adv748x: Fix decimal unit addresses [ Upstream commit 27582f0ea97fe3e4a38beb98ab36cce4b6f029d5 ] With recent dtc and W=1: Warning (graph_port): video-receiver@70/port@10: graph node unit address error, expected "a" Warning (graph_port): video-receiver@70/port@11: graph node unit address error, expected "b" Unit addresses are always hexadecimal (without prefix), while the bases of reg property values depend on their prefixes. Fixes: e69595170b1cad85 ("media: adv748x: Add adv7481, adv7482 bindings") Signed-off-by: Geert Uytterhoeven Reviewed-by: Rob Herring Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 88e9f8198dd5039868519f88e9bf78839643775c Author: Srinivas Kandagatla Date: Tue Aug 7 13:19:35 2018 +0100 nvmem: core: return error code instead of NULL from nvmem_device_get [ Upstream commit ca6ac25cecf0e740d7cc8e03e0ebbf8acbeca3df ] nvmem_device_get() should return ERR_PTR() on error or valid pointer on success, but one of the code path seems to return NULL, so fix it. Reported-by: Niklas Cassel Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b0d54e40f3c44f43862e3f0952b3b0bf0984e014 Author: Michael Kelley Date: Fri Aug 10 23:06:11 2018 +0000 Drivers: hv: vmbus: Fix synic per-cpu context initialization [ Upstream commit f25a7ece08bdb1f2b3c4bbeae942682fc3a99dde ] If hv_synic_alloc() errors out, the state of the per-cpu context for some CPUs is unknown since the zero'ing is done as each CPU is iterated over. In such case, hv_synic_cleanup() may try to free memory based on uninitialized values. Fix this by zero'ing the per-cpu context for all CPUs before doing any memory allocations that might fail. Signed-off-by: Michael Kelley Reported-by: Dan Carpenter Signed-off-by: K. Y. Srinivasan Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a1d374ea1e95aacbace98ff2b7c657b86f5bab8e Author: Yana Esina Date: Mon Sep 10 12:39:28 2018 +0300 net: aquantia: fix hw_atl_utils_fw_upload_dwords [ Upstream commit 3ee5c8873fd369e2005dc93bf6d4b299b4976e68 ] This patch fixes the upload function, which worked incorrectly with some chips. Signed-off-by: Yana Esina Signed-off-by: Nikita Danilov Tested-by: Nikita Danilov Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a9cab0fe6e264743fdac3b1de4b4d41b63a1fb3f Author: Masami Hiramatsu Date: Tue Sep 11 19:21:09 2018 +0900 kprobes: Don't call BUG_ON() if there is a kprobe in use on free list [ Upstream commit cbdd96f5586151e48317d90a403941ec23f12660 ] Instead of calling BUG_ON(), if we find a kprobe in use on free kprobe list, just remove it from the list and keep it on kprobe hash list as same as other in-use kprobes. Signed-off-by: Masami Hiramatsu Cc: Anil S Keshavamurthy Cc: David S . Miller Cc: Linus Torvalds Cc: Naveen N . Rao Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/153666126882.21306.10738207224288507996.stgit@devbox Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 7aea0bd886ae7b564d50364fa854e6361bdd3ee4 Author: Deepak Ukey Date: Tue Sep 11 14:18:04 2018 +0530 scsi: pm80xx: Fixed system hang issue during kexec boot [ Upstream commit 72349b62a571effd6faadd0600b8e657dd87afbf ] When the firmware is not responding, execution of kexec boot causes a system hang. When firmware assertion happened, driver get notified with interrupt vector updated in MPI configuration table. Then, the driver will read scratchpad register and set controller_fatal_error flag to true. Signed-off-by: Deepak Ukey Signed-off-by: Viswas G Acked-by: Jack Wang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a66a544dca327dbdc04283464200ebd50172d2b9 Author: Deepak Ukey Date: Tue Sep 11 14:18:03 2018 +0530 scsi: pm80xx: Corrected dma_unmap_sg() parameter [ Upstream commit 76cb25b058034d37244be6aca97a2ad52a5fbcad ] For the function dma_unmap_sg(), the parameter should be number of elements in the scatter list prior to the mapping, not after the mapping. Signed-off-by: Deepak Ukey Signed-off-by: Viswas G Acked-by: Jack Wang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ac892349e21b4e29834e15f9d96e69425db97cce Author: Oleksij Rempel Date: Thu Aug 2 12:34:21 2018 +0200 ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set [ Upstream commit 8148d2136002da2e2887caf6a07bbd9c033f14f3 ] One of the Freescale recommended sequences for power off with external PMIC is the following: ... 3. SoC is programming PMIC for power off when standby is asserted. 4. In CCM STOP mode, Standby is asserted, PMIC gates SoC supplies. See: http://www.nxp.com/assets/documents/data/en/reference-manuals/IMX6DQRM.pdf page 5083 This patch implements step 4. of this sequence. Signed-off-by: Oleksij Rempel Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 86d5ceaea04ce40a42e9405936bed6c18e625e1b Author: George Kennedy Date: Wed Aug 29 11:38:16 2018 -0400 scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() [ Upstream commit 288315e95264b6355e26609e9dec5dc4563d4ab0 ] sym_int_sir() in sym_hipd.c does not check the command pointer for NULL before using it in debug message prints. Suggested-by: Matthew Wilcox Signed-off-by: George Kennedy Reviewed-by: Mark Kanda Acked-by: Matthew Wilcox Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 66b2e4c7afd07d069b16bc8d0b0a9c89661b94e6 Author: James Smart Date: Mon Sep 10 10:30:48 2018 -0700 scsi: lpfc: Fix errors in log messages. [ Upstream commit 2879265f514b1f4154288243c91438ddbedb3ed4 ] Message 6408 is displayed for each entry in an array, but the cpu and queue numbers were incorrect for the entry. Message 6001 includes an extraneous character. Resolve both issues Signed-off-by: Dick Kennedy Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 87c32dbd7eff10681aa09226be887a222245883f Author: James Smart Date: Mon Sep 10 10:30:47 2018 -0700 scsi: lpfc: Correct invalid EQ doorbell write on if_type=6 [ Upstream commit aad59d5d34738d6fd8c359df8048a84cd443e504 ] During attachment, the driver writes the EQ doorbell to disable potential interrupts from an EQ. The current EQ doorbell format used for clearing the interrupt is incorrect and uses an if_type=2 format, making the operation act on the wrong EQ. Correct the code to use the proper if_type=6 EQ doorbell format. Signed-off-by: Dick Kennedy Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8caed6a5d3857e4ca1dfc9ea455ec8e4d1837ec1 Author: James Smart Date: Mon Sep 10 10:30:41 2018 -0700 scsi: lpfc: Fix GFT_ID and PRLI logic for RSCN [ Upstream commit 01a8aed6a009625282b6265880f6b20cbd7a9c70 ] Driver only sends NVME PRLI to a device that also supports FCP. This resuls in remote ports that don't have fc_remote_ports created for them. The driver is clearing the nlp_fc4_type for a ndlp at the wrong time. Fix by moving the nlp_fc4_type clearing to the discovery engine in the DEVICE_RECOVERY state. Also ensure that rport registration is done for all nlp_fc4_types. Signed-off-by: Dick Kennedy Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 050e019c2d699e951e0be333fa370a324279ada6 Author: Quinn Tran Date: Tue Sep 11 10:18:25 2018 -0700 scsi: qla2xxx: Fix duplicate switch's Nport ID entries [ Upstream commit f3a03ee1102a44ccbd2c5de80a6e862ba23e9b55 ] Current code relies on switch to provide a unique combination of WWPN + NPORTID to tract an FC port. This patch tries to detect a case where switch data base can get corrupted where multiple WWPNs can have the same Nport ID. The 1st Nport ID on the list will be kept while the duplicate Nport ID will be discarded. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c7ddd7ba1d05fdd07e8762677771b338dd38e35e Author: Quinn Tran Date: Tue Sep 11 10:18:16 2018 -0700 scsi: qla2xxx: Fix dropped srb resource. [ Upstream commit 527b8ae3948bb59c13ebaa7d657ced56ea25ab05 ] When FW rejects a command due to "entry_status" error (malform IOCB), the srb resource needs to be returned back for cleanup. The filter to catch this is in the wrong location. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8c32664a6a0d8fcc4d1147cf35dfcd92f247fa5d Author: Quinn Tran Date: Tue Sep 11 10:18:15 2018 -0700 scsi: qla2xxx: Fix port speed display on chip reset [ Upstream commit 5d74c87a20adcc77b19753c315ad9c320b2288be ] Clear port speed value on chip reset. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3e3a2c5c45693834f5530c752b6569c2438a0855 Author: Sawan Chandak Date: Tue Sep 11 10:18:14 2018 -0700 scsi: qla2xxx: Check for Register disconnect [ Upstream commit f99c5d294b3653e6ae563eaac5db5b4138afe31c ] During adapter shutdown process check for register disconnect before proceeding to call PCI functions. Signed-off-by: Sawan Chandak Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3a7ec92a5b2aaef67ef4ff2484a1b0d8394f4908 Author: Quinn Tran Date: Tue Sep 11 10:18:13 2018 -0700 scsi: qla2xxx: Increase abort timeout value [ Upstream commit 8bccfe0d21b5adbba6ec4fe1776160b80d09f78a ] Abort IOCB request can take up to 40s or 2 ABTS timeout. We will wait for ABTS response for 20s. On a timeout, second ABTS can go out with another 20s timeout. On 2nd ABTS timeout FW will automatically do Logout. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5320b946687a0857c07cd2c947d14589e38bf523 Author: Quinn Tran Date: Tue Sep 4 14:19:10 2018 -0700 scsi: qla2xxx: Fix deadlock between ATIO and HW lock [ Upstream commit 1073daa470d906f1853ed4b828f16e2350a5875c ] Move ATIO queue processing out of hardware_lock to prevent deadlock. Fixes: 3bb67df5b5f8 ("qla2xxx: Check for online flag instead of active reset when transmitting responses") Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6f6e01ff7413aec64649e6f6f7943dca75edb296 Author: Quinn Tran Date: Fri Aug 31 11:24:38 2018 -0700 scsi: qla2xxx: Terminate Plogi/PRLI if WWN is 0 [ Upstream commit aa9e6d7b9643fc50a88c7b7aa1e34be8dc032749 ] When driver receive PLOGI/PRLI from FW, the WWPN value will be provided. If it is not, then driver will terminate it. The WWPN allows driver to locate the session or create a new session. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f91811dd950132328d0bf991c1d16d0b19fdb406 Author: Quinn Tran Date: Fri Aug 31 11:24:37 2018 -0700 scsi: qla2xxx: Defer chip reset until target mode is enabled [ Upstream commit 93eca6135183f7a71e36acd47655a085ed11bcdc ] For target mode, any chip reset triggered before target mode is enabled will be held off until user is ready to enable. This prevents the chip from starting or running before it is intended. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 667bdc46aa4e58ce5abe3dd1132a949bc82ca132 Author: Quinn Tran Date: Fri Aug 31 11:24:36 2018 -0700 scsi: qla2xxx: Fix iIDMA error [ Upstream commit 8d9bf0a9a268f7ca0b811d6e6a1fc783afa5c746 ] When switch responds with error for Get Port Speed Command (GPSC), driver should not proceed with telling FW about the speed of the remote port. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ca35c5a1cb21c99a1d948a189b9ff5f3354f2c39 Author: Quinn Tran Date: Fri Aug 31 11:24:28 2018 -0700 scsi: qla2xxx: Use correct qpair for ABTS/CMD [ Upstream commit 49cecca7dd49e2950ed6d973acfa84e7c8c7a480 ] On Abort of initiator scsi command, the abort needs to follow the same qpair as the the scsi command to prevent out of order processing. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a1f14df33c051fcdb1d050c8ea5b32851863ebff Author: Wang Shilong Date: Tue Sep 11 08:54:21 2018 +0900 f2fs: fix setattr project check upon fssetxattr ioctl [ Upstream commit c8e927579e00a182eda07e4c45df9c8c699c8ded ] Currently, project quota could be changed by fssetxattr ioctl, and existed permission check inode_owner_or_capable() is obviously not enough, just think that common users could change project id of file, that could make users to break project quota easily. This patch try to follow same regular of xfs project quota: "Project Quota ID state is only allowed to change from within the init namespace. Enforce that restriction only if we are trying to change the quota ID state. Everything else is allowed in user namespaces." Besides that, check and set project id'state should be an atomic operation, protect whole operation with inode lock. Signed-off-by: Wang Shilong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 7b55102cdc61e2f2af0f21e3733b2a8624313310 Author: Chao Yu Date: Wed Sep 5 14:54:02 2018 +0800 f2fs: fix memory leak of percpu counter in fill_super() [ Upstream commit 4a70e255449c9a13eed7a6eeecc85a1ea63cef76 ] In fill_super -> init_percpu_info, we should destroy percpu counter in error path, otherwise memory allcoated for percpu counter will leak. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 88303730801843b59b64a4c75228750428d3303c Author: Chao Yu Date: Wed Sep 5 14:54:01 2018 +0800 f2fs: fix memory leak of write_io in fill_super() [ Upstream commit 0b2103e886e6de9802e1170e57c573443286a483 ] It needs to release memory allocated for sbi->write_io in error path, otherwise, it will cause memory leak. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e5b515f56626137502269cef8eb305a1dee26ef8 Author: Eric W. Biederman Date: Thu Jul 19 20:48:30 2018 -0500 signal: Properly deliver SIGSEGV from x86 uprobes [ Upstream commit 4a63c1ffd384ebdce40aac9c997dab68379137be ] For userspace to tell the difference between an random signal and an exception, the exception must include siginfo information. Using SEND_SIG_FORCED for SIGSEGV is thus wrong, and it will result in userspace seeing si_code == SI_USER (like a random signal) instead of si_code == SI_KERNEL or a more specific si_code as all exceptions deliver. Therefore replace force_sig_info(SIGSEGV, SEND_SIG_FORCE, current) with force_sig(SIG_SEGV, current) which gets this right and is shorter and easier to type. Fixes: 791eca10107f ("uretprobes/x86: Hijack return address") Reviewed-by: Thomas Gleixner Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 91c3a88054c172b8af0671b1c0eebeaea7026cdd Author: Eric W. Biederman Date: Thu Jul 19 20:33:53 2018 -0500 signal: Properly deliver SIGILL from uprobes [ Upstream commit 55a3235fc71bf34303e34a95eeee235b2d2a35dd ] For userspace to tell the difference between a random signal and an exception, the exception must include siginfo information. Using SEND_SIG_FORCED for SIGILL is thus wrong, and it will result in userspace seeing si_code == SI_USER (like a random signal) instead of si_code == SI_KERNEL or a more specific si_code as all exceptions deliver. Therefore replace force_sig_info(SIGILL, SEND_SIG_FORCE, current) with force_sig(SIG_ILL, current) which gets this right and is shorter and easier to type. Fixes: 014940bad8e4 ("uprobes/x86: Send SIGILL if arch_uprobe_post_xol() fails") Fixes: 0b5256c7f173 ("uprobes: Send SIGILL if handle_trampoline() fails") Reviewed-by: Thomas Gleixner Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 3b5681d39fa45d198a8b83ca8c960263070f081e Author: Eric W. Biederman Date: Thu Jul 19 19:47:27 2018 -0500 signal: Always ignore SIGKILL and SIGSTOP sent to the global init [ Upstream commit 86989c41b5ea08776c450cb759592532314a4ed6 ] If the first process started (aka /sbin/init) receives a SIGKILL it will panic the system if it is delivered. Making the system unusable and undebugable. It isn't much better if the first process started receives SIGSTOP. So always ignore SIGSTOP and SIGKILL sent to init. This is done in a separate clause in sig_task_ignored as force_sig_info can clear SIG_UNKILLABLE and this protection should work even then. Reviewed-by: Thomas Gleixner Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 93ae4ded2abe8fce6183bcb200d647494ce40549 Author: Michael J. Ruhl Date: Mon Sep 10 09:39:28 2018 -0700 IB/hfi1: Missing return value in error path for user sdma [ Upstream commit 2bf4b33f83dfe521c4c7c407b6b150aeec04d69c ] If the set_txreq_header_agh() function returns an error, the exit path is chosen. In this path, the code fails to set the return value. This will cause the caller to not realize an error has occurred. Set the return value correctly in the error path. Signed-off-by: Michael J. Ruhl Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 45d0ddf9744815f5ef67dfb630c131f306d9c100 Author: Dan Carpenter Date: Mon Sep 10 11:35:11 2018 +0300 RDMA/hns: Fix an error code in hns_roce_v2_init_eq_table() [ Upstream commit f1a315420e79fe5c077fa119db9439ffabd2cda2 ] The error code isn't set on this path. Signed-off-by: Dan Carpenter Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8edddc2cf3c1f8b96708df55e478d2181029f437 Author: Dan Carpenter Date: Fri May 3 16:15:07 2019 +0300 dmaengine: at_xdmac: remove a stray bottom half unlock [ Upstream commit 0b515abb6b7eb08e90bdfc01fc8fbdd112c15d81 ] We switched this code from spin_lock_bh() to vanilla spin_lock() but there was one stray spin_unlock_bh() that was overlooked. This patch converts it to spin_unlock() as well. Fixes: d8570d018f69 ("dmaengine: at_xdmac: move spin_lock_bh to spin_lock in tasklet") Signed-off-by: Dan Carpenter Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 9234fbbd778238725b35a6fb5ab6a8fa9953ecc6 Author: Felix Fietkau Date: Sat Sep 22 18:49:05 2018 +0200 ath9k: add back support for using active monitor interfaces for tx99 [ Upstream commit 6df0580be8bc30803c4d8b2ed9c2230a2740c795 ] Various documented examples on how to set up tx99 with ath9k rely on setting up a regular monitor interface for setting the channel. My previous patch "ath9k: fix tx99 with monitor mode interface" made it possible to set it up this way again. However, it was removing support for using an active monitor interface, which is required for controlling the bitrate as well, since the bitrate is not passed down with a regular monitor interface. This patch partially reverts the previous one, but keeps support for using a regular monitor interface to keep documented steps working in cases where the bitrate does not matter Fixes: d9c52fd17cb48 ("ath9k: fix tx99 with monitor mode interface") Signed-off-by: Felix Fietkau Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 82663f99cbdf1c1c8ee25c738814594ec1ba0e81 Author: Alexandre Belloni Date: Sun Sep 9 22:38:47 2018 +0200 rtc: pl030: fix possible race condition [ Upstream commit c778ec85825dc895936940072aea9fe9037db684 ] The IRQ is requested before the struct rtc is allocated and registered, but this struct is used in the IRQ handler. This may lead to a NULL pointer dereference. Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc before requesting the IRQ. Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 5a869e9828e89756370dc1c15b75d79a73732fac Author: Alexandre Belloni Date: Sun Sep 9 22:38:46 2018 +0200 rtc: mt6397: fix possible race condition [ Upstream commit babab2f86440352d24e76118fdd7d40cab5fd7bf ] The IRQ is requested before the struct rtc is allocated and registered, but this struct is used in the IRQ handler. This may lead to a NULL pointer dereference. Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc before requesting the IRQ. Acked-by: Eddie Huang Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 0773f03aebdd8533b425fc1eb6fdb43f9b721f81 Author: Qiuxu Zhuo Date: Fri Sep 7 16:08:27 2018 -0700 EDAC, sb_edac: Return early on ADDRV bit and address type test [ Upstream commit dcc960b225ceb2bd66c45e0845d03e577f7010f9 ] Users of the mce_register_decode_chain() are called for every logged error. EDAC drivers should check: 1) Is this a memory error? [bit 7 in status register] 2) Is there a valid address? [bit 58 in status register] 3) Is the address a system address? [bitfield 8:6 in misc register] The sb_edac driver performed test "1" twice. Waited far too long to perform check "2". Didn't do check "3" at all. Fix it by moving the test for valid address from sbridge_mce_output_error() into sbridge_mce_check_error() and add a test for the type immediately after. Delete the redundant check for the type of the error from sbridge_mce_output_error(). Signed-off-by: Qiuxu Zhuo Cc: Aristeu Rozanski Cc: Mauro Carvalho Chehab Cc: Qiuxu Zhuo Cc: linux-edac Link: http://lkml.kernel.org/r/20180907230828.13901-2-tony.luck@intel.com [ Re-word commit message. ] Signed-off-by: Tony Luck Signed-off-by: Borislav Petkov Signed-off-by: Sasha Levin commit fc7be6308364ec52cfe5021c8934b156b00666cf Author: Daniel Silsby Date: Wed Aug 29 23:32:56 2018 +0200 dmaengine: dma-jz4780: Further residue status fix [ Upstream commit 83ef4fb7556b6a673f755da670cbacab7e2c7f1b ] Func jz4780_dma_desc_residue() expects the index to the next hw descriptor as its last parameter. Caller func jz4780_dma_tx_status(), however, applied modulus before passing it. When the current hw descriptor was last in the list, the index passed became zero. The resulting excess of reported residue especially caused problems with cyclic DMA transfer clients, i.e. ALSA AIC audio output, which rely on this for determining current DMA location within buffer. Combined with the recent and related residue-reporting fixes, spurious ALSA audio underruns on jz4770 hardware are now fixed. Signed-off-by: Daniel Silsby Signed-off-by: Paul Cercueil Tested-by: Mathieu Malaterre Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f6d4561cae3ac24533f0065590d3003624133ad2 Author: Paul Cercueil Date: Wed Aug 29 23:32:48 2018 +0200 dmaengine: dma-jz4780: Don't depend on MACH_JZ4780 [ Upstream commit c558ecd21c852c97ff98dc6c61f715ba420ec251 ] If we make this driver depend on MACH_JZ4780, that means it can be enabled only if we're building a kernel specially crafted for a JZ4780-based board, while most GNU/Linux distributions will want one generic MIPS kernel that works on multiple boards. Signed-off-by: Paul Cercueil Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a34ea3ddc763f2ed7a8887035a5c5ddc597ec39a Author: Chunfeng Yun Date: Wed Aug 29 10:36:50 2018 +0800 usb: mtu3: disable vbus rise/fall interrupts of ltssm [ Upstream commit 0eae49582b4dee1a0e96007e1dea5122db98371a ] The vbus rise & fall interrupts are used to enable and disable U3 function of device automatically, this cause some issues when class driver is initialized as deactivated, and will skip over software-controlled connect by pullup(), but UDC wants to keep disconnect until usb_gadget_activate() is called which calls pullup() if needed. So we disable vbus rise & fall interrupts and just use pullup() to enable & disable U3 function, and reset mtu3 state when disconnect instead when vbus fall. Signed-off-by: Chunfeng Yun Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a5d1ffee2f2f91dfd7da74f7bc3d762a7957397c Author: Marek Szyprowski Date: Fri Sep 7 09:46:59 2018 +0200 ARM: dts: exynos: Disable pull control for PMIC IRQ line on Artik5 board [ Upstream commit 62623718fd31d08b26ebea6c8b40f24924153ab7 ] S2MPS14 PMIC interrupt line on Exynos3250-based Artik5 evaluation board has external pull-up resistors, so disable any pull control for it in controller node. This fixes support for S2MPS14 PMIC interrupts and enables operation of wakeup from S2MPS14 RTC alarm. Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 67e477d8eaa0ca9b56c812307aaa6ea3e7148452 Author: Vicente Bergas Date: Sat Sep 8 21:00:46 2018 +0200 arm64: dts: rockchip: Fix VCC5V0_HOST_EN on rk3399-sapphire [ Upstream commit bcdb578a5f5b4aea79441606ab7f0a2e076b4474 ] The pin is GPIO4-D1 not GPIO1-D1, see schematic, page 15 for reference. Signed-off-by: Vicente Bergas Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 4c884128b414e02dad5be3cc510f00215fe64a3e Author: Sudeep Holla Date: Fri Sep 7 17:03:25 2018 +0100 firmware: arm_scmi: use strlcpy to ensure NULL-terminated strings [ Upstream commit ca64b719a1e665ac7449b6a968059176af7365a8 ] Replace all the memcpy() for copying name strings from the firmware with strlcpy() to make sure we are bounded by the source buffer size and we also always have NULL-terminated strings. This is needed to avoid out of bounds accesses if the firmware returns a non-terminated string. Reported-by: Olof Johansson Acked-by: Olof Johansson Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit d786bf93f0c5200296559e878972afc2ea40212d Author: Uwe Kleine-König Date: Wed Sep 5 11:36:36 2018 +0200 sched/debug: Use symbolic names for task state constants [ Upstream commit ff28915fd31ccafc0d38e6f84b66df280ed9e86a ] include/trace/events/sched.h includes (via ) and so knows about the TASK_* constants used to interpret .prev_state. So instead of duplicating the magic numbers make use of the defined macros to ease understanding the mapping from state bits to letters which isn't completely intuitive for an outsider. Signed-off-by: Uwe Kleine-König Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Sebastian Andrzej Siewior Cc: Thomas Gleixner Cc: kernel@pengutronix.de Link: http://lkml.kernel.org/r/20180905093636.24068-1-u.kleine-koenig@pengutronix.de Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit e4e522609854d577eebff009b81b352a473ed9da Author: Peter Zijlstra Date: Wed Aug 29 11:45:21 2018 +0200 sched/debug: Explicitly cast sched_feat() to bool [ Upstream commit 7e6f4c5d600c1c8e2a1d900e65cab319d9b6782e ] LLVM has a warning that tags expressions like: if (foo && non-bool-const) This pattern triggers for CONFIG_SCHED_DEBUG=n where sched_feat() ends up being whatever bit we select. Avoid the warning with an explicit cast to bool. Reported-by: Philipp Klocke Tested-by: Nick Desaulniers Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 0ddcbbf4cd47e03940be0c37647e5200c4563138 Author: YueHaibing Date: Thu Sep 6 21:04:12 2018 +0800 failover: Fix error return code in net_failover_create [ Upstream commit 09317da317e55e70ccbe23f65008348a4a1b7c7f ] if failover_register failed, 'err' code should be set correctly Fixes: cfc80d9a1163 ("net: Introduce net_failover driver") Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit eca5b74e008039b1477241a2d62ff76a4860b3d6 Author: Jaegeuk Kim Date: Thu Sep 6 11:40:12 2018 -0700 f2fs: submit bio after shutdown [ Upstream commit 5ce805869cbed93267ed26552ff76e30f05c91f7 ] Sometimes, some merged IOs could get a chance to be submitted, resulting in system hang in shutdown test. This issues IOs all the time after shutdown. Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 0f9c9a21628868cb79f89947ceed5b5dd8615541 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:14 2018 +0200 ARM: dts: omap3-gta04: keep vpll2 always on [ Upstream commit 1ae00833e30c9b4af5cbfda65d75b1de12f74013 ] This is needed to make the display and venc work properly. Compare to omap3-beagle.dts. Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit d59817b0ca6256bf1ee562ed649f69fb261f7435 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:12 2018 +0200 ARM: dts: omap3-gta04: make NAND partitions compatible with recent U-Boot [ Upstream commit fa99c21ecb3cd4021a60d0e8bf880e78b5bd0729 ] Vendor defined U-Boot has changed the partition scheme a while ago: * kernel partition 6MB * file system partition uses the remainder up to end of the NAND * increased size of the environment partition (to get an OneNAND compatible base address) * shrink the U-Boot partition Let's be compatible (e.g. Debian kernel built from upstream). Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 6b268c233df78fead6c7873988f489f50d02442c Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:10 2018 +0200 ARM: dts: omap3-gta04: fix touchscreen tsc2007 [ Upstream commit 7384a24248eda140a234d356b6c840701ee9f055 ] we fix penirq polarity, add penirq pinmux and touchscreen properties. Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 96907aa1ab3c950e1edea53779d86037bd93cf88 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:09 2018 +0200 ARM: dts: omap3-gta04: tvout: enable as display1 alias [ Upstream commit 8905592b6e50cec905e6c6035bbd36201a3bfac1 ] The omap dss susbystem takes the display aliases to find out which displays exist. To enable tv-out we must define an alias. Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 8f03a5116e9d440a58a5b3e4a0d8d70bf60b0ce2 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:07 2018 +0200 ARM: dts: omap3-gta04: fixes for tvout / venc [ Upstream commit f6591391373dbff2c0200e1055d4ff86191578d2 ] * fix connector compatibility (composite) * add comment for gpio1 23 * add proper #address-cells * we use only one venc_out channel for composite Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 5cacb026fe26d35f881c89b170c22d0184cc03c0 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:06 2018 +0200 ARM: dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files [ Upstream commit fa0d7dc355c890725b6178dab0cc11b194203afa ] needed for device variants based on GTA04 board but with different display panel (driver). Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 69116e3bae2b166c69fa39a08c85866c8d613ee9 Author: Rob Herring Date: Mon Aug 27 09:50:09 2018 -0500 of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC [ Upstream commit f6707fd6241e483f6fea2caae82d876e422bb11a ] Cache nodes under the cpu node(s) is PowerMac specific according to the comment above, so make the code enforce that. Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit cc5f462c1b0813a313cc0cd23351a50adde454e4 Author: Suman Tripathi Date: Fri Sep 7 08:32:17 2018 -0600 ata: Disable AHCI ALPM feature for Ampere Computing eMAG SATA [ Upstream commit 20bdc376b427cb420836f39ee8f281ea85dbaeef ] Due to hardware errata, Ampere Computing eMAG SATA can't support AHCI ALPM feature. This patch disables the AHCI ALPM feature for eMAG SATA. Signed-off-by: Suman Trpathi Signed-off-by: Rameshwar Prasad Sahu Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 3d5d2f7806a9a685ab8cca3511119755af2645a1 Author: Yong Zhi Date: Tue Aug 7 12:19:16 2018 -0500 ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation [ Upstream commit 3b857472f34faa7d11001afa5e158833812c98d7 ] Playback of 44.1Khz contents with HDMI plugged returns "Invalid pipe config" because HDMI paths in the FW topology are configured to operate at 48Khz. This patch filters out sampling rates not supported at hdac_hdmi_create_dais() to let user space SRC to do the converting. Signed-off-by: Yong Zhi Reviewed-by: Pierre-Louis Bossart Reviewed-by: Takashi Iwai Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0376916b7b2cff6db9566b4db946c43d97064f9e Author: Charles Keepax Date: Thu Sep 6 17:41:55 2018 +0100 ASoC: dapm: Avoid uninitialised variable warning [ Upstream commit fc269c0396448cabe1afd648c0b335669aa347b7 ] Commit 4a75aae17b2a ("ASoC: dapm: Add support for multi-CODEC CODEC to CODEC links") adds loops that iterate over multiple CODECs in snd_soc_dai_link_event. This also introduced a compiler warning for a potentially uninitialised variable in the case no CODECs are present. This should never be the case as the DAI link must by definition contain at least 1 CODEC however probably best to avoid the compiler warning by initialising ret to zero. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0204720dde67e77d9db67d648736a5f62f26a32d Author: Jan Kara Date: Thu Sep 6 15:46:17 2018 +0200 udf: Fix crash during mount [ Upstream commit b085fbe2ef7fa7489903c45271ae7b7a52b0f9ab ] Fix a crash during an attempt to mount a filesystem that has both Unallocated Space Table and Unallocated Space Bitmap. Such filesystem actually violates the UDF standard so we just have to properly detect such situation and refuse to mount such filesystem read-write. When we are at it, verify also other constraints on the allocation information mandated by the standard. Reported-by: Anatoly Trosinenko Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 52cda4c1d9cd1054c3052e8f2dd4eeb9bdccd20b Author: Ding Xiang Date: Thu Sep 6 12:19:19 2018 +0800 mips: txx9: fix iounmap related issue [ Upstream commit c6e1241a82e6e74d1ae5cc34581dab2ffd6022d0 ] if device_register return error, iounmap should be called, also iounmap need to call before put_device. Signed-off-by: Ding Xiang Reviewed-by: Atsushi Nemoto Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/20476/ Cc: ralf@linux-mips.org Cc: jhogan@kernel.org Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit f63587cbb091e929f8651449540cf35be87ae2a2 Author: Parav Pandit Date: Thu Sep 6 10:55:31 2018 +0300 RDMA/core: Follow correct unregister order between sysfs and cgroup [ Upstream commit c715a39541bb399eb03d728a996b224d90ce1336 ] During register_device() init sequence is, (a) register with rdma cgroup followed by (b) register with sysfs Therefore, unregister_device() sequence should follow the reverse order. Signed-off-by: Parav Pandit Reviewed-by: Daniel Jurgens Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6b827d38cead1417fda38f180e56ac70ef21f285 Author: Parav Pandit Date: Tue Aug 28 14:45:31 2018 +0300 RDMA/core: Rate limit MAD error messages [ Upstream commit f9d08f1e1939ad4d92e38bd3dee6842512f5bee6 ] While registering a mad agent, a user space can trigger various errors and flood the logs. Therefore, decrease verbosity and rate limit such error messages. While we are at it, use __func__ to print function name. Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Reviewed-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a618cca0438ba548cc15eef748560a1fd4174903 Author: Muhammad Sammar Date: Tue Aug 28 14:45:30 2018 +0300 IB/ipoib: Ensure that MTU isn't less than minimum permitted [ Upstream commit 142a9c287613560edf5a03c8d142c8b6ebc1995b ] It is illegal to change MTU to a value lower than the minimum MTU stated in ethernet spec. In addition to that we need to add 4 bytes for encapsulation header (IPOIB_ENCAP_LEN). Before "ifconfig ib0 mtu 0" command, succeeds while it obviously shouldn't. Signed-off-by: Muhammad Sammar Reviewed-by: Feras Daoud Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2543eeba256ae4a7bbfa0c8531e34371bfe306f6 Author: Parav Pandit Date: Tue Aug 28 14:45:29 2018 +0300 IB/mlx5: Don't hold spin lock while checking device state [ Upstream commit 6c75520f7e5a6a353f3b332509d205e213d05855 ] mdev->state device state is not protected by the QP for which WRs are being processed. Therefore, there is no need to hold spin lock while checking mdev state. Given that device fatal error is unlikely situation, wrap the condition check with unlikely(). Additionally, kernel QP1 is also a kernel ULP for which soft CQEs needs to be generated. Therefore, check for device fatal error before processing QP1 work requests. Fixes: 89ea94a7b6c4 ("IB/mlx5: Reset flow support for IB kernel ULPs") Signed-off-by: Parav Pandit Reviewed-by: Daniel Jurgens Reviewed-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4d8d651e1c5f1dde2f5d7e5d21d88e0b4a4963f4 Author: Jun Gao Date: Thu Sep 6 21:15:29 2018 +0800 i2c: mediatek: Use DMA safe buffers for i2c transactions [ Upstream commit fc66b39fe36acfd06f716e338de7cd8f9550fad2 ] DMA mode will always be used in i2c transactions, try to allocate a DMA safe buffer if the buf of struct i2c_msg used is not DMA safe. Signed-off-by: Jun Gao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit d0d8f0efb6bd528d9bb2edbd5f7cb42ddea19467 Author: Erik Stromdahl Date: Tue Sep 4 15:07:07 2018 +0300 ath10k: wmi: disable softirq's while calling ieee80211_rx [ Upstream commit 37f62c0d5822f631b786b29a1b1069ab714d1a28 ] This is done in order not to trig the below warning in ieee80211_rx_napi: WARN_ON_ONCE(softirq_count() == 0); ieee80211_rx_napi requires that softirq's are disabled during execution. The High latency bus drivers (SDIO and USB) sometimes call the wmi ep_rx_complete callback from non softirq context, resulting in a trigger of the above warning. Calling ieee80211_rx_ni with softirq's already disabled (e.g., from softirq context) should be safe as the local_bh_disable and local_bh_enable functions (called from ieee80211_rx_ni) are fully reentrant. Signed-off-by: Erik Stromdahl Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 14c9bc4be084d9950eafcd28fadd1bff8288779d Author: Marek Szyprowski Date: Thu Sep 6 17:41:35 2018 +0200 ARM: dts: exynos: Disable pull control for S5M8767 PMIC [ Upstream commit ef2ecab9af5feae97c47b7f61cdd96f7f49b2c23 ] S5M8767 PMIC interrupt line on Exynos5250-based Arndale board has external pull-up resistors, so disable any pull control for it in in controller node. This fixes support for S5M8767 interrupts and enables operation of wakeup from S5M8767 RTC alarm. Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 588822fcb313ddc569576c36d2c950538d232a9b Author: K.T.VIJAYAKUMAAR Date: Mon Sep 3 20:07:44 2018 +0300 ath10k: avoid possible memory access violation [ Upstream commit 97c69a70dc2cecb2c3b96a66529e0082dabc2d2c ] array "ctl_power_table" access index "pream" is initialized with -1 and is raised as a static analysis tool issue. [drivers\net\wireless\ath\ath10k\wmi.c:4719] -> [drivers\net\wireless\ath\ath10k\wmi.c:4730]: (error) Array index -1 is out of bounds. Since the "pream" index for accessing ctl_power_table array is initialized with -1, there is a chance of memory access violation for the cases below. 1) wmi_pdev_tpc_final_table_event change frequency is between 2483 and 5180 2) pream_idx is out of the enumeration ranges of wmi_tpc_pream_2ghz, wmi_tpc_pream_5ghz Signed-off-by: K.T.VIJAYAKUMAAR [kvalo@codeaurora.org: clean up the warning message] Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 34293775f1176932781f7bfccecf775aa1f8e1bc Author: Colin Ian King Date: Thu Sep 6 11:41:52 2018 +0100 ASoC: sgtl5000: avoid division by zero if lo_vag is zero [ Upstream commit 9ab708aef61f5620113269a9d1bdb1543d1207d0 ] In the case where lo_vag <= SGTL5000_LINE_OUT_GND_BASE, lo_vag is set to zero and later vol_quot is computed by dividing by lo_vag causing a division by zero error. Fix this by avoiding a zero division and set vol_quot to zero in this specific case so that the lowest setting for i is correctly set. Signed-off-by: Colin Ian King Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6cbd0932ab9a8592d03ad7306f796bc765bc2083 Author: Christian Brauner Date: Tue Sep 4 21:53:51 2018 +0200 rtnetlink: move type calculation out of loop [ Upstream commit 87ccbb1f943625884b824c5560f635dcea8e4510 ] I don't see how the type - which is one of RTM_{GETADDR,GETROUTE,GETNETCONF} - can change. So do the message type calculation once before entering the for loop. Signed-off-by: Christian Brauner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4b702fdd6e7e6d7a7e6359857a2c49ffbc891a29 Author: Stefan Wahren Date: Tue Sep 4 19:29:09 2018 +0200 net: lan78xx: Bail out if lan78xx_get_endpoints fails [ Upstream commit fa8cd98c06407b5798b927cd7fd14d30f360ed02 ] We need to bail out if lan78xx_get_endpoints() fails, otherwise the result is overwritten. Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet") Signed-off-by: Stefan Wahren Reviewed-by: Raghuram Chary Jallipalli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 23ad83c399b0ac62b6e8cd10352119f3b4116c0b Author: Jaegeuk Kim Date: Wed Aug 22 21:18:00 2018 -0700 f2fs: avoid wrong decrypted data from disk [ Upstream commit 0ded69f632bb717be9aeea3ae74e29050fcb060c ] 1. Create a file in an encrypted directory 2. Do GC & drop caches 3. Read stale data before its bio for metapage was not issued yet Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit b6410b95c22467e5315294b48f1e4b47f13f4d47 Author: Stanislaw Gruszka Date: Wed Aug 22 13:52:22 2018 +0200 cfg80211: validate wmm rule when setting [ Upstream commit 014f5a250fc49fa8c6cd50093e725e71f3ae52da ] Add validation check for wmm rule when copy rules from fwdb and print error when rule is invalid. Signed-off-by: Stanislaw Gruszka Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 8d705195a9a3cf3bd6a7a530b63e0e523f87189f Author: Naftali Goldstein Date: Wed Sep 5 08:06:07 2018 +0300 mac80211: fix saving a few HE values [ Upstream commit 77cbbc35a49b75969d98edce9400beb21720aa39 ] After masking the he_oper_params, to get the requested values as integers one must rshift and not lshift. Fix that by using the le32_get_bits() macro. Fixes: 41cbb0f5a295 ("mac80211: add support for HE") Signed-off-by: Naftali Goldstein [converted to use le32_get_bits()] Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 4d146d72687e99dfa5f45b185f2be8c716053e55 Author: Peter Wu Date: Tue Sep 4 22:27:47 2018 +0200 qxl: fix null-pointer crash during suspend [ Upstream commit 7948a2b15873319d1bff4d37c09b9f2bf87b9021 ] "crtc->helper_private" is not initialized by the QXL driver and thus the "crtc_funcs->disable" call would crash (resulting in suspend failure). Fix this by converting the suspend/resume functions to use the drm_mode_config_helper_* helpers. Tested system sleep with QEMU 3.0 using "echo mem > /sys/power/state". During suspend the following message is visible from QEMU: spice/server/display-channel.c:2425:display_channel_validate_surface: canvas address is 0x7fd05da68308 for 0 (and is NULL) spice/server/display-channel.c:2426:display_channel_validate_surface: failed on 0 This seems to be triggered by QXL_IO_NOTIFY_CMD after QXL_IO_DESTROY_PRIMARY_ASYNC, but aside from the warning things still seem to work (tested with both the GTK and -spice options). Signed-off-by: Peter Wu Link: http://patchwork.freedesktop.org/patch/msgid/20180904202747.14968-1-peter@lekensteyn.nl Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit f5ee703ff92ccdb746936d0e7666f230b15a57a3 Author: Majd Dibbiny Date: Tue Aug 28 14:29:05 2018 +0300 IB/mlx5: Change TX affinity assignment in RoCE LAG mode [ Upstream commit c6a21c3864fc7f5febae7d096cd136f397c791f2 ] In the current code, the TX affinity is per RoCE device, which can cause unfairness between different contexts. e.g. if we open two contexts, and each open 10 QPs concurrently, all of the QPs of the first context might end up on the first port instead of distributed on the two ports as expected To overcome this unfairness between processes, we maintain per device TX affinity, and per process TX affinity. The allocation algorithm is as follow: 1. Hold two tx_port_affinity atomic variables, one per RoCE device and one per ucontext. Both initialized to 0. 2. In mlx5_ib_alloc_ucontext do: 2.1. ucontext.tx_port_affinity = device.tx_port_affinity 2.2. device.tx_port_affinity += 1 3. In modify QP INIT2RST: 3.1. qp.tx_port_affinity = ucontext.tx_port_affinity % MLX5_PORT_NUM 3.2. ucontext.tx_port_affinity += 1 Signed-off-by: Majd Dibbiny Reviewed-by: Moni Shoua Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 5128ea974c22aa76e62c60448a89cd830e2e196e Author: Christoph Hellwig Date: Mon Aug 27 10:59:43 2018 +0200 mtd: rawnand: qcom: don't include dma-direct.h [ Upstream commit ab0fb17c7d46406e1aac2dda265874751946626d ] A recent commit removed the incorrect use of phys_to_dma from this driver, but failed to remove the dma-direct.h include, so do that now. Signed-off-by: Christoph Hellwig Signed-off-by: Miquel Raynal Signed-off-by: Sasha Levin commit d6ebf70120c6140c822d38f58eb246a2694dd6fd Author: Kurt Kanzenbach Date: Mon Aug 13 09:18:46 2018 +0200 mtd: rawnand: fsl_ifc: fixup SRAM init for newer ctrl versions [ Upstream commit ff8648f29fe58c2d94d32a076d2de7b92be4b485 ] Newer versions of the IFC controller use a different method of initializing the internal SRAM: Instead of reading from flash, a bit in the NAND configuration register has to be set in order to trigger the self-initializing process. Signed-off-by: Kurt Kanzenbach Signed-off-by: Miquel Raynal Signed-off-by: Sasha Levin commit 29535bafb64b43a9c1925b95cd73143f55582ddf Author: Kurt Kanzenbach Date: Mon Aug 13 09:18:45 2018 +0200 mtd: rawnand: fsl_ifc: check result of SRAM initialization [ Upstream commit 434655af6a187129d8114640443b27d2cecfb979 ] The SRAM initialization might fail. If that happens further NAND operations won't be successful. Therefore, the chip init routine should fail if the SRAM initialization didn't work. Signed-off-by: Kurt Kanzenbach Signed-off-by: Miquel Raynal Signed-off-by: Sasha Levin commit 6ae8c86ee4581d8a990f83b28363f7c6b8c927d6 Author: Thomas Petazzoni Date: Thu Aug 2 10:56:25 2018 +0200 mtd: rawnand: marvell: use regmap_update_bits() for syscon access [ Upstream commit 88aa3bbfc020d14b13d67af3f5c08aa992d82cd8 ] The marvell_nfc_init() function fiddles with some bits of a system controller on Armada 7K/8K. However, it does a read/modify/write sequence on GENCONF_CLK_GATING_CTRL and GENCONF_ND_CLK_CTRL, which isn't safe from a concurrency point of view, as the regmap lock isn't taken accross the read/modify/write sequence. To solve this issue, use regmap_update_bits(). While at it, since the "reg" variable is no longer needed for the read/modify/write sequences, get rid of it for the regmap_write() to GENCONF_SOC_DEVICE_MUX, and directly pass the value to be written as argument. Fixes: 02f26ecf8c772 ("mtd: nand: add reworked Marvell NAND controller driver") Signed-off-by: Thomas Petazzoni Signed-off-by: Miquel Raynal Signed-off-by: Sasha Levin commit 6c7644ad22ae80398e86132ba9d4caa5fd71be88 Author: Martin Blumenstingl Date: Sat Jul 21 21:05:53 2018 +0200 ARM: dts: meson8b: fix the clock controller register size [ Upstream commit f31094fe8c16fbd2ca47921acf93b744b045aace ] The clock controller registers are not 0x460 wide because the reset controller starts at CBUS 0x4404. This currently overlaps with the clock controller (which is at CBUS 0x4000). There is no public documentation available on the actual size of the clock controller's register area (also called "HHI"). However, in Amlogic's GPL kernel sources the last "HHI" register is HHI_HDMI_PHY_CNTL2 at CBUS + 0x43a8. 0x400 was chosen because that size doesn't seem unlikely. Fixes: 4a69fcd3a10803 ("ARM: meson: Add DTS for Odroid-C1 and Tronfy MXQ boards") Signed-off-by: Martin Blumenstingl Reviewed-by: Neil Armstrong Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit e39779f6ea677924dc8db202e7073238af96ed98 Author: Martin Blumenstingl Date: Sat Jul 21 21:05:52 2018 +0200 ARM: dts: meson8: fix the clock controller register size [ Upstream commit f7f9da89bc4f61e33f7b9f5c75c4efdc1f0455d8 ] The clock controller registers are not 0x460 wide because the reset controller starts at CBUS 0x4404. This currently overlaps with the clock controller (which is at CBUS 0x4000). There is no public documentation available on the actual size of the clock controller's register area (also called "HHI"). However, in Amlogic's GPL kernel sources the last "HHI" register is HHI_HDMI_PHY_CNTL2 at CBUS + 0x43a8. 0x400 was chosen because that size doesn't seem unlikely. Fixes: 2c323c43a3d619 ("ARM: dts: meson8: add and use the real clock controller") Signed-off-by: Martin Blumenstingl Reviewed-by: Neil Armstrong Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 6da9a4a982153bc6b2748829492331a5282a3da8 Author: Quentin Schulz Date: Mon Sep 3 10:48:50 2018 +0200 net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 [ Upstream commit 36c53cf0f46526b898390659b125155939f67892 ] In the DT binding, it is specified nowhere that 'vsc8531,edge-slowdown' is an u8, even though it's read as an u8 in the driver. Let's update the driver to take into consideration that the 'vsc8531,edge-slowdown' property is of the default type u32. Signed-off-by: Quentin Schulz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 77f9e263e29606dfb366b1fcc79403f1b82d30b9 Author: Quentin Schulz Date: Mon Sep 3 10:48:49 2018 +0200 net: phy: mscc: read 'vsc8531,vddmac' as an u32 [ Upstream commit a993e0f583c7925adaa7721226ccd7a41e7e63d1 ] In the DT binding, it is specified nowhere that 'vsc8531,vddmac' is an u16, even though it's read as an u16 in the driver. Let's update the driver to take into consideration that the 'vsc8531,vddmac' property is of the default type u32. Signed-off-by: Quentin Schulz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5dc1cbcff700b11bea1b5707d6ee0f95c2850e5c Author: Moni Shoua Date: Mon Sep 3 20:19:28 2018 +0300 net/mlx5: Fix atomic_mode enum values [ Upstream commit aa7e80b220f3a543eefbe4b7e2c5d2b73e2e2ef7 ] The field atomic_mode is 4 bits wide and therefore can hold values from 0x0 to 0xf. Remove the unnecessary 20 bit shift that made the values be incorrect. While that, remove unused enum values. Fixes: 57cda166bbe0 ("net/mlx5: Add DCT command interface") Signed-off-by: Moni Shoua Reviewed-by: Artemy Kovalyov Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b5f6d6de5b12a68154367c36173bbd47d232b5c6 Author: Yunsheng Lin Date: Mon Sep 3 11:21:54 2018 +0100 net: hns3: Change the dst mac addr of loopback packet [ Upstream commit 7f7d9e501f4123e64b130576621d24f9379adc8f ] Currently, the dst mac addr of loopback packet is the same as the host' mac addr, the SSU component may loop back the packet to host before the packet reaches mac or serdes, which will defect the purpose of mac or serdes selftest. This patch changes it by adding 0x1f to the last byte of dst mac addr. Signed-off-by: Yunsheng Lin Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f995b2efa4392fc63c549c6df625d3b896c11332 Author: Yunsheng Lin Date: Mon Sep 3 11:21:50 2018 +0100 net: hns3: Fix for loopback selftest failed problem [ Upstream commit 0f29fc23b21d3cbd966537bfabba07c00466b787 ] Tqp and mac need to be enabled when doing loopback selftest, ae_algo->ops->start/stop is used to do the job, there is a time window between ae_algo->ops->start/stop and loopback setup, which will cause selftest failed problem when there is frame coming in during that time window. This patch fixes it by enabling the tqp and mac during loopback setup process. Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver") Signed-off-by: Yunsheng Lin Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d01caf35564ce4de308797fddf84e4df5674fabd Author: Jian Shen Date: Mon Sep 3 11:21:48 2018 +0100 net: hns3: Fix error of checking used vlan id [ Upstream commit 54e97d117bafa161b08c6ade243a335d92890d94 ] PF uses hdev->vlan_table to manage the port vlan table. In function hclge_set_vlan_filter_hw(), it checks whether a vlan id has been used, by foreach all the vport bits. It should use macro HCLGE_VPORT_NUM, not VLAN_N_VID as the foreach condition. Fixes: 6c251711b37f ("net: hns3: Disable vf vlan filter when vf vlan table is full") Signed-off-by: Jian Shen Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4aea8f76727e3c00c215307042335b07992c3204 Author: Huazhong Tan Date: Mon Sep 3 11:21:47 2018 +0100 net: hns3: Fix for multicast failure [ Upstream commit fd5f9da3f6583046215d614a87792b46e55785e2 ] When the lower 24 bits of the IPV6 link-local addresses at both ends are the same, the multicast MAC address for Neigbour Discovery is the same. The multicast for Neigbour Discovery will fail. This patch fixes it by including the bonding uplink port in the multicast group. Fixes: 46a3df9f9718("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") Signed-off-by: Huazhong Tan Signed-off-by: Peng Li Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e5f48f8eff66b7fd5c8330eb822a0b45a7c905d3 Author: Jiada Wang Date: Mon Sep 3 07:07:07 2018 +0000 ASoC: rsnd: ssi: Fix issue in dma data address assignment [ Upstream commit 0e289012b47a2de1f029a6b61c75998e2f159dd9 ] Same SSI device may be used in different dai links, by only having one dma struct in rsnd_ssi, after the first instance's dma config be initilized, the following instances can no longer configure dma, this causes issue, when their dma data address are different from the first instance. Signed-off-by: Jiada Wang Signed-off-by: Timo Wischer [Kuninori: tidyup for upstream] Signed-off-by: Kuninori Morimoto Tested-by: Hiroyuki Yokoyama Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0b8e8bddc5c00c39d28ba9832db0a4e37b006503 Author: Sven Schmitt Date: Tue Jul 24 09:46:03 2018 +0000 soc: imx: gpc: fix PDN delay [ Upstream commit 9f4d61d531e0efc9c3283963ae5ef7e314579191 ] imx6_pm_domain_power_off() reads iso and iso2sw from GPC_PGC_PUPSCR_OFFS which stores the power up delays. So use GPC_PGC_PDNSCR_OFFS for the correct delays. Signed-off-by: Sven Schmitt Reviewed-by: Leonard Crestez Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 7f88d806443f2dad3e62911079e5b184b445e09c Author: Geert Uytterhoeven Date: Thu Aug 23 23:27:38 2018 +0200 mt76: Fix comparisons with invalid hardware key index [ Upstream commit 81c8eccc2404d06082025b773f1d90e8c861bc6a ] With gcc 4.1.2: drivers/net/wireless/mediatek/mt76/mt76x0/tx.c: In function ‘mt76x0_tx’: drivers/net/wireless/mediatek/mt76/mt76x0/tx.c:169: warning: comparison is always true due to limited range of data type drivers/net/wireless/mediatek/mt76/mt76x2_tx_common.c: In function ‘mt76x2_tx’: drivers/net/wireless/mediatek/mt76/mt76x2_tx_common.c:35: warning: comparison is always true due to limited range of data type While assigning -1 to a u8 works fine, comparing with -1 does not work as expected. Fix this by comparing with 0xff, like is already done in some other places. Signed-off-by: Geert Uytterhoeven Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 1f54ec5b30476a660b85114e5d1f72c40fb0a85d Author: Rasmus Villemoes Date: Wed Aug 22 15:22:15 2018 +0200 brcmfmac: fix wrong strnchr usage [ Upstream commit cb18e2e9ec71d42409a51b83546686c609780dde ] strnchr takes arguments in the order of its name: string, max bytes to read, character to search for. Here we're passing '\n' aka 10 as the buffer size, and searching for sizeof(buf) aka BRCMF_DCMD_SMLEN aka 256 (aka '\0', since it's implicitly converted to char) within those 10 bytes. Just interchanging the last two arguments would still leave a bug, because if we've been successful once, there are not sizeof(buf) characters left after the new value of p. Since clmver is immediately afterwards passed as a %s argument, I assume that it is actually a properly nul-terminated string. For that case, we have strreplace(). Signed-off-by: Rasmus Villemoes Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit f05f8607622cf0e378cbb412e2a7d4bea77464f8 Author: Ganapathi Bhat Date: Tue Aug 21 13:23:02 2018 +0530 mwifex: free rx_cmd skb in suspended state [ Upstream commit 33a164fa8a4c91408e0b7738f754cb1a7827c5f2 ] USB suspend handler will kill the presubmitted rx_cmd URB. This triggers a call to the corresponding URB complete handler, which will free the rx_cmd skb, associated with rx_cmd URB. Due to a possible race betwen suspend handler and main thread, depicted in 'commit bfcacac6c84b ("mwifiex: do no submit URB in suspended state")', it is possible that the rx_cmd skb will fail to get freed. This causes a memory leak, since the resume handler will always allocate a new rx_cmd skb. To fix this, free the rx_cmd skb in mwifiex_usb_submit_rx_urb, if the device is in suspended state. Signed-off-by: Vidya Dharmaraju Signed-off-by: Cathy Luo Signed-off-by: Ganapathi Bhat Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 6c27b9267a84a46cbcdf88272aacdb3825ce80bc Author: Ganapathi Bhat Date: Tue Aug 21 13:23:01 2018 +0530 mwifiex: do no submit URB in suspended state [ Upstream commit 7bd4628c2f31c51254aa39628ecae521d00d0b90 ] There is a possible race between USB suspend and main thread: 1. After processing the command response, main thread will submit rx_cmd URB back so as to process next command response, by calling mwifiex_usb_submit_rx_urb. 2. During USB suspend, the suspend handler will check if rx_cmd URB is pending(submitted) and if true, kill this URB. There is a possible race between #1 and #2, where rx_cmd URB will be submitted by main thread(#1) after the suspend handler check in #2. To fix this, check if device is already suspended in mwifiex_usb_submit_rx_urb, in which case do not submit the URB. Signed-off-by: Vidya Dharmaraju Signed-off-by: Cathy Luo Signed-off-by: Ganapathi Bhat Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit cd554b025c09ab67c278fb8599fd268185a07628 Author: Larry Finger Date: Mon Aug 20 13:48:31 2018 -0500 rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument [ Upstream commit 199ba9faca909e77ac533449ecd1248123ce89e7 ] In gcc8, when the 3rd argument (size) of a call to strncpy() matches the length of the first argument, the compiler warns of the possibility of an unterminated string. Using strlcpy() forces a null at the end. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit c495a8c78b50425ae690c39f741b4a00d0c50937 Author: Marcel Ziswiler Date: Fri Aug 31 14:03:09 2018 +0200 ARM: dts: pxa: fix power i2c base address [ Upstream commit 8a1ecc01a473b75ab97be9b36f623e4551a6e9ae ] There is one too many zeroes in the Power I2C base address. Fix this. Signed-off-by: Marcel Ziswiler Signed-off-by: Robert Jarzmik Signed-off-by: Sasha Levin commit 72e13203c56dfaf3a4f00a59f7c6da4ac2fa5b09 Author: Robert Jarzmik Date: Mon Jun 25 18:44:01 2018 +0200 ARM: dts: pxa: fix the rtc controller [ Upstream commit 24a610eba32a80ed778ea79680b600c3fe73d7de ] The RTC controller is fed by an external fixed 32kHz clock. Yet the driver wants to acquire this clock, even though it doesn't make any use of it, ie. doesn't get the rate to make calculation. Therefore, use the exported 32.768kHz clock in the PXA clock tree to make the driver happy and working. Signed-off-by: Robert Jarzmik Signed-off-by: Sasha Levin commit fe9048c7bb38822aebb4cbefaa9c17833194a1a0 Author: Alexey Khoroshilov Date: Wed Aug 15 16:10:39 2018 -0400 media: ov772x: Disable clk on error path [ Upstream commit 1d18c2cd9d38ad639b2e00546b9ee638f2cef4b0 ] If ov772x_power_on() is unable to get GPIO rstb, the clock is left undisabled. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Acked-by: Jacopo Mondi Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b489c1e010e49023e5ae0f912c02c53a3720a4c6 Author: Sakari Ailus Date: Mon Jul 30 07:44:43 2018 -0400 media: i2c: Fix pm_runtime_get_if_in_use() usage in sensor drivers [ Upstream commit 4d471563d87b2b83e73b8abffb9273950e6d2e36 ] pm_runtime_get_if_in_use() returns -EINVAL if runtime PM is disabled. This should not be considered an error. Generally the driver has enabled runtime PM already so getting this error due to runtime PM being disabled will not happen. Instead of checking for lesser or equal to zero, check for zero only. Address this for drivers where this pattern exists. This patch has been produced using the following command: $ git grep -l pm_runtime_get_if_in_use -- drivers/media/i2c/ | \ xargs perl -i -pe 's/(pm_runtime_get_if_in_use\(.*\)) \<\= 0/!$1/' Signed-off-by: Sakari Ailus Reviewed-by: Tomasz Figa Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5a21c7a0b59288a6296f892ab0d1a7977b088796 Author: Hans Verkuil Date: Thu Aug 23 04:10:05 2018 -0400 media: vicodec: fix out-of-range values when decoding [ Upstream commit be5a1509af8dd8a78fea24a35fe4a82d4cd0ae70 ] While decoding you need to make sure you do not get values < 0 or > 255. Note that since this code will also be used in userspace utilities the clamp macro isn't used since that is kernel-only. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 17743861edc71e01231b563eca750c89d0cf94db Author: Sara Sharon Date: Tue May 1 15:12:08 2018 +0300 iwlwifi: mvm: avoid sending too many BARs [ Upstream commit 1a19c139be18ed4d6d681049cc48586fae070120 ] When we receive TX response, we may release a few packets due to a hole that was closed in the transmission window. However, if that frame failed, we will mark all the released frames as failed and will send multiple BARs. This affects statistics badly, and cause unnecessary frames transmission. Instead, mark all the following packets as success, with the desired result of sending a bar for the failed frame only. Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 75de80e11e6b4fd410ddae418d3f2fe33a687482 Author: Johannes Berg Date: Thu Apr 19 10:57:08 2018 +0200 iwlwifi: don't WARN on trying to dump dead firmware [ Upstream commit 84f260251ed8153e84c64eb2c5278ab18d3ddef6 ] There's no point in warning here, the user will just get an error back to the debugfs file write, and warning just makes it seem like there's an internal consistency problem when in reality the user just happened to hit this at a bad time. Remove the warning. Fixes: f45f979dc208 ("iwlwifi: mvm: disable dbg data collect when fw isn't alive") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit ecedae02e89d7118c21d826b8026905d779bc725 Author: Sara Sharon Date: Mon Apr 9 14:00:27 2018 +0300 iwlwifi: drop packets with bad status in CD [ Upstream commit 7891965d74bc48fb42b5068033192f97c9aa2090 ] We need to drop packets with errors (such as replay, MIC, ICV, conversion, duplicate and so on). Drop invalid packets, put the status bits in the metadata and move the enum definition to the correct place (FW API header). Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 02adbecf542ea31f4ae445942edaae6162f42878 Author: Vijay Immanuel Date: Wed Jun 13 18:48:07 2018 -0700 IB/rxe: fixes for rdma read retry [ Upstream commit 030e46e495af855a13964a0aab9753ea82a96edc ] When a read request is retried for the remaining partial data, the response may restart from read response first or read response only. So support those cases. Do not advance the comp psn beyond the current wqe's last_psn as that could skip over an entire read wqe and will cause the req_retry() logic to set an incorrect req psn. An example sequence is as follows: Write PSN 40 -- this is the current WQE. Read request PSN 41 Write PSN 42 Receive ACK PSN 42 -- this will complete the current WQE for PSN 40, and set the comp psn to 42 which is a problem because the read request at PSN 41 has been skipped over. So when req_retry() tries to retransmit the read request, it sets the req psn to 42 which is incorrect. When retrying a read request, calculate the number of psns completed based on the dma resid instead of the wqe first_psn. The wqe first_psn could have moved if the read request was retried multiple times. Set the reth length to the dma resid to handle read retries for the remaining partial data. Signed-off-by: Vijay Immanuel Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit cad889676bdbc818c98b9b552a1fe8129fa0c86d Author: Vijay Immanuel Date: Wed Jun 13 18:47:30 2018 -0700 IB/rxe: avoid back-to-back retries [ Upstream commit 4e4c53df567714b3d08b2b5d8ccb1d175fc9be01 ] Error retries can occur due to timeouts, NAKs or receiving packets beyond the current read request. Avoid back-to-back retries due to packet processing, by only retrying the initial attempt immediately. Subsequent retries must be due to timeouts. Continue to process completion packets after scheduling a retry. Signed-off-by: Vijay Immanuel Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit ac0ab821c4d581af456ece8004e9d6b303a11e2a Author: Patryk Małek Date: Tue Aug 28 10:16:09 2018 -0700 i40e: Prevent deleting MAC address from VF when set by PF [ Upstream commit 5907cf6c5bbe78be2ed18b875b316c6028b20634 ] To prevent VF from deleting MAC address that was assigned by the PF we need to check for that scenario when we try to delete a MAC address from a VF. Signed-off-by: Patryk Małek Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 712d35e0d2c157eaa11b346a8905182e48ab0100 Author: Lihong Yang Date: Tue Aug 28 10:16:08 2018 -0700 i40evf: cancel workqueue sync for adminq when a VF is removed [ Upstream commit babbcc60040abfb7a9e3caa1c58fe182ae73762a ] If a VF is being removed, there is no need to continue with the workqueue sync for the adminq task, thus cancel it. Without this call, when VFs are created and removed right away, there might be a chance for the driver to crash with events stuck in the adminq. Signed-off-by: Lihong Yang Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit e5d3afbe3a5c1805ba190de5e2adcba417e3a782 Author: Patryk Małek Date: Tue Aug 28 10:16:03 2018 -0700 i40e: hold the rtnl lock on clearing interrupt scheme [ Upstream commit 5cba17b14182696d6bb0ec83a1d087933f252241 ] Hold the rtnl lock when we're clearing interrupt scheme in i40e_shutdown and in i40e_remove. Signed-off-by: Patryk Małek Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit f9a84bbd3ca66e92e99254b626a43ab9ede49d8b Author: Patryk Małek Date: Tue Aug 28 10:16:02 2018 -0700 i40evf: Don't enable vlan stripping when rx offload is turned on [ Upstream commit 3bd77e2ae1477d6f87fc3f542c737119d5decf9f ] With current implementation of i40evf_set_features when user sets any offload via ethtool we set I40EVF_FLAG_AQ_ENABLE_VLAN_STRIPPING as a required aq which triggers driver to call i40evf_enable_vlan_stripping. This shouldn't take place. This patches fixes it by setting the flag only when VLAN offload is turned on. Signed-off-by: Patryk Małek Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit fe301cf64f7e6ea894bbc5d1ae4555c20d2388d2 Author: Jan Sokolowski Date: Tue Aug 28 10:16:01 2018 -0700 i40e: Check and correct speed values for link on open [ Upstream commit e78d9a39fd06109022d11c8ca444cfcec2abb290 ] If our card has been put in an unstable state due to other drivers interacting with it, speed settings might be incorrect. If incorrect, forcefully reset them on open to known default values. Signed-off-by: Jan Sokolowski Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 8d7e6ab3b5d2de2b47cf56a41e746a48b6ede5e6 Author: Lihong Yang Date: Mon Aug 20 08:12:31 2018 -0700 i40evf: set IFF_UNICAST_FLT flag for the VF [ Upstream commit e65aae086330d0a6c6c9f874aef03c69cf98884b ] Set IFF_UNICAST_FLT flag for the VF to prevent it from entering promiscuous mode when macvlan is added to the VF. Signed-off-by: Lihong Yang Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 015fc52519962a40de716f4b7fe77ad332c418b1 Author: Mitch Williams Date: Mon Aug 20 08:12:30 2018 -0700 i40e: use correct length for strncpy [ Upstream commit 7eb74ff891b4e94b8bac48f648a21e4b94ddee64 ] Caught by GCC 8. When we provide a length for strncpy, we should not include the terminating null. So we must tell it one less than the size of the destination buffer. Signed-off-by: Mitch Williams Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit a90fcbdb9b22f8b4418154ec4c30c7d677e094d5 Author: Paul M Stillwell Jr Date: Mon Aug 20 08:12:29 2018 -0700 i40evf: Validate the number of queues a PF sends [ Upstream commit 3c818910911c93bb5099c6637ec350f90c0e71fc ] A PF can send any number of queues to the VF and the VF may not be able to support that many. Check to see that the number of queues is less than or equal to the max number of queues the VF can have. Signed-off-by: Paul M Stillwell Jr Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 2da61f212f4d8f33b6b5200572e01be33ca1f25d Author: Marek Szyprowski Date: Fri Aug 10 10:04:25 2018 +0200 ARM: dts: exynos: Fix regulators configuration on Peach Pi/Pit Chromebooks [ Upstream commit f8f3b7fc21b1cb59385b780acd9b9a26d04cb7b2 ] Regulators, which are marked as 'on-in-suspend' seems to be critical for board operation, thus they must not be disabled anytime. This can be only assured by marking them as 'always-on', because otherwise some actions of their clients might result in turning them off. This patch restores suspend/resume operation on Peach-Pit Chromebook board. It partially reverts 'always-on' property removal done by the commit mentioned in the Fixes tag. Fixes: 665c441eea3d ("ARM: dts: exynos: Remove unneded always-on for regulators on Peach boards") Signed-off-by: Marek Szyprowski Tested-by: Tomasz Figa Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit d4e5c8aeb19823ab4ea9725a9b093f05cdfb0825 Author: Alan Tull Date: Wed Aug 8 10:42:41 2018 -0500 arm64: dts: stratix10: i2c clock running out of spec [ Upstream commit c8da1d15b8a4957f105ad77bb1404d72e304566f ] DesignWare I2C controller was observed running at 105.93kHz rather than the specified 100kHz. Adjust device tree settings to bring it within spec (a slightly conservative 98 MHz). Signed-off-by: Alan Tull Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit b0bac46b52a9bcd7687271d9b842aa6abe55c8e6 Author: Rick Farrington Date: Tue Aug 28 11:32:55 2018 -0700 liquidio: fix race condition in instruction completion processing [ Upstream commit b943f17e06493fd2c7fd00743093ad5dcdb90e7f ] In lio_enable_irq, the pkt_in_done count register was being cleared to zero. However, there could be some completed instructions which were not yet processed due to budget and limit constraints. So, only write this register with the number of actual completions that were processed. Signed-off-by: Rick Farrington Signed-off-by: Felix Manlunas Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b2e427c268f367f61fd6284fdaa4353ca01d6afb Author: Marek Szyprowski Date: Fri Aug 3 12:55:32 2018 +0200 ARM: dts: exynos: Fix sound in Snow-rev5 Chromebook [ Upstream commit 64858773d78e820003a94e5a7179d368213655d6 ] This patch adds missing properties to the CODEC and sound nodes, so the audio will work also on Snow rev5 Chromebook. This patch is an extension to the commit e9eefc3f8ce0 ("ARM: dts: exynos: Add missing clock and DAI properties to the max98095 node in Snow Chromebook") and commit 6ab569936d60 ("ARM: dts: exynos: Enable HDMI audio on Snow Chromebook"). It has been reported that such changes work fine on the rev5 board too. Signed-off-by: Marek Szyprowski [krzk: Fixed typo in phandle to &max98090] Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 0b53b56287ab9771cf223d4a5384931659382da2 Author: Andrzej Hajda Date: Thu Jul 26 12:12:28 2018 +0200 ARM: dts: exynos: Fix HDMI-HPD line handling on Arndale [ Upstream commit 21cb5a27483a3cfdbcb7508a06a30c0a485e1211 ] HDMI-HPD was set active low, moreover by default pincontrol chip sets pull-down on the pin. As a result HDMI driver assumes TV is always connected regardless of actual state. The patch fixes it. Signed-off-by: Andrzej Hajda Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 0baa3fe5805e8e5bcff3161e3691bbbe5baff0a4 Author: Andrzej Hajda Date: Thu Jul 26 15:22:09 2018 +0200 ARM: dts: exynos: Use i2c-gpio for HDMI-DDC on Arndale [ Upstream commit 620375c8fdf2f9f5110ed48d6c407cc4b7554f86 ] HDMI-DDC for unknown reasons doesn't work with Exynos I2C controllers. Fortunately i2c-gpio comes to the rescue. Signed-off-by: Andrzej Hajda Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 8e6acc5ee14d7671ad98e6a690efc9187b86eec4 Author: Tuomas Tynkkynen Date: Sun Aug 19 22:20:23 2018 +0300 MIPS: BCM47XX: Enable USB power on Netgear WNDR3400v3 [ Upstream commit feef7918667b84f9d5653c501542dd8d84ae32af ] Setting GPIO 21 high seems to be required to enable power to USB ports on the WNDR3400v3. As there is already similar code for WNR3500L, make the existing USB power GPIO code generic and use that. Signed-off-by: Tuomas Tynkkynen Acked-by: Hauke Mehrtens Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/20259/ Cc: Rafał Miłecki Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit 7c68184fced7f3fca1e5f150b132ac7f0096c002 Author: Paul Cercueil Date: Tue Aug 21 18:42:30 2018 +0200 pinctrl: ingenic: Probe driver at subsys_initcall [ Upstream commit 556a36a71ed80e17ade49225b58513ea3c9e4558 ] Using postcore_initcall() makes the driver try to initialize way too early. Signed-off-by: Paul Cercueil Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 8ddea21d4c0b4d10b981e1aa1b06c5f53ff6ce96 Author: Akshu Agrawal Date: Tue Aug 21 12:29:43 2018 +0530 ASoC: AMD: Change MCLK to 48Mhz [ Upstream commit a1b1e9880f0c2754a5ac416a546d9f295f72eabc ] 25Mhz MCLK which was earlier used was of spread type. Thus, we were not getting accurate rate. The 48Mhz system clk is of non-spread type and we are changing to it to get accurate rate. Signed-off-by: Akshu Agrawal Reviewed-by: Daniel Kurtz Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bdb7368ac333f4358dce3c841c2464d93dd220dc Author: Jerome Brunet Date: Mon Aug 27 16:15:29 2018 +0200 ASoC: meson: axg-fifo: report interrupt request failure [ Upstream commit dadfab7272b13ca441efdb9aa9117bc669680b05 ] Return value of request_irq() was irgnored. Fix this and report the failure if any Fixes: 6dc4fa179fb8 ("ASoC: meson: add axg fifo base driver") Signed-off-by: Jerome Brunet Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit aac9381b2ca8fc7ca09220d6199d85211f9d7731 Author: Charles Keepax Date: Mon Aug 27 14:26:47 2018 +0100 ASoC: dpcm: Properly initialise hw->rate_max [ Upstream commit e33ffbd9cd39da09831ce62c11025d830bf78d9e ] If the CPU DAI does not initialise rate_max, say if using using KNOT or CONTINUOUS, then the rate_max field will be initialised to 0. A value of zero in the rate_max field of the hardware runtime will cause the sound card to support no sample rates at all. Obviously this is not desired, just a different mechanism is being used to apply the constraints. As such update the setting of rate_max in dpcm_init_runtime_hw to be consistent with the non-DPCM cases and set rate_max to UINT_MAX if nothing is defined on the CPU DAI. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ac66c0c470a309a14066cba756026e73edc9cd7b Author: Charles Keepax Date: Tue Aug 28 14:35:03 2018 +0100 ASoC: dapm: Don't fail creating new DAPM control on NULL pinctrl [ Upstream commit a5cd7e9cf587f51a84b86c828b4e1c7b392f448e ] devm_pinctrl_get will only return NULL in the case that pinctrl is not built into the kernel and all the pinctrl functions used by the DAPM core are appropriately stubbed for that case. There is no need to error out of snd_soc_dapm_new_control_unlocked if pinctrl isn't built into the kernel, so change the IS_ERR_OR_NULL to just an IS_ERR. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d3a45d4d6f2db5d725165c5a335a8e4771a8ce08 Author: Anirudh Venkataramanan Date: Thu Aug 9 06:29:58 2018 -0700 ice: Fix and update driver version string [ Upstream commit 9ea47d81a7f17c6b77211ab75fbca2127719ad39 ] Remove the "ice" prefix for the driver version string and bump version to 0.7.1-k. Signed-off-by: Anirudh Venkataramanan Tested-by: Tony Brelinski Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 48b128cddb91ca5f65dea425b55b579549f32718 Author: Bob Peterson Date: Thu Aug 16 10:32:13 2018 -0500 gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated [ Upstream commit 4f36cb36c9d14340bb200d2ad9117b03ce992cfe ] The GFS2_RDF_UPTODATE flag in the rgrp is used to determine when a rgrp buffer is valid. It's cleared when the glock is invalidated, signifying that the buffer data is now invalid. But before this patch, function update_rgrp_lvb was setting the flag when it determined it had a valid lvb. But that's an invalid assumption: just because you have a valid lvb doesn't mean you have valid buffers. After all, another node may have made the lvb valid, and this node just fetched it from the glock via dlm. Consider this scenario: 1. The file system is mounted with RGRPLVB option. 2. In gfs2_inplace_reserve it locks the rgrp glock EX, but thanks to GL_SKIP, it skips the gfs2_rgrp_bh_get. 3. Since loops == 0 and the allocation target (ap->target) is bigger than the largest known chunk of blocks in the rgrp (rs->rs_rbm.rgd->rd_extfail_pt) it skips that rgrp and bypasses the call to gfs2_rgrp_bh_get there as well. 4. update_rgrp_lvb sees the lvb MAGIC number is valid, so bypasses gfs2_rgrp_bh_get, but it still sets sets GFS2_RDF_UPTODATE due to this invalid assumption. 5. The next time update_rgrp_lvb is called, it sees the bit is set and just returns 0, assuming both the lvb and rgrp are both uptodate. But since this is a smaller allocation, or space has been freed by another node, thus adjusting the lvb values, it decides to use the rgrp for allocations, with invalid rd_free due to the fact it was never updated. This patch changes update_rgrp_lvb so it doesn't set the UPTODATE flag anymore. That way, it has no choice but to fetch the latest values. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit 9ca72984d7c0084c3b20e989a3a8498daf9f69d8 Author: Anirudh Venkataramanan Date: Thu Aug 9 06:29:47 2018 -0700 ice: Prevent control queue operations during reset [ Upstream commit fd2a981777d911b2e94cdec50779c85c58a0dec9 ] Once reset is issued, the driver loses all control queue interfaces. Exercising control queue operations during reset is incorrect and may result in long timeouts. This patch introduces a new field 'reset_ongoing' in the hw structure. This is set to 1 by the core driver when it receives a reset interrupt. ice_sq_send_cmd checks reset_ongoing before actually issuing the control queue operation. If a reset is in progress, it returns a soft error code (ICE_ERR_RESET_PENDING) to the caller. The caller may or may not have to take any action based on this return. Once the driver knows that the reset is done, it has to set reset_ongoing back to 0. This will allow control queue operations to be posted to the hardware again. This "bail out" logic was specifically added to ice_sq_send_cmd (which is pretty low level function) so that we have one solution in one place that applies to all types of control queues. Signed-off-by: Anirudh Venkataramanan Tested-by: Tony Brelinski Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit a881088f512e95d082bfe6ec2a401f2a82d7fd41 Author: Dan Nowlin Date: Thu Aug 9 06:29:46 2018 -0700 ice: Update request resource command to latest specification [ Upstream commit ff2b13213a6a0baca105bc3bc724225f0adde1f8 ] Align Request Resource Ownership AQ command (0x0008) to the latest specification. This includes: - Correcting the resource IDs for the Global Cfg and Change locks. - new enum ICE_CHANGE_LOCK_RES_ID - new enum ICE_GLOBAL_CFG_LOCK_RES_ID - Altering the flow for Global Config Lock to allow only the first PF to download the package. Signed-off-by: Dan Nowlin Signed-off-by: Anirudh Venkataramanan Tested-by: Tony Brelinski Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit f71230e6898e0089c8a88c49d2ec43bfd628d050 Author: Sven Eckelmann Date: Fri Aug 24 15:04:59 2018 +0300 ath10k: limit available channels via DT ieee80211-freq-limit [ Upstream commit 34d5629d2ca89d847b7040762b87964c696c14da ] Tri-band devices (1x 2.4GHz + 2x 5GHz) often incorporate special filters in the RX and TX path. These filtered channel can in theory still be used by the hardware but the signal strength is reduced so much that it makes no sense. There is already a DT property to limit the available channels but ath10k has to manually call this functionality to limit the currrently set wiphy channels further. Signed-off-by: Sven Eckelmann Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 8cad5d80f8d0c5e551bf89c48dc4a532fba2b0b3 Author: Dedy Lansky Date: Thu Aug 23 14:47:13 2018 +0300 wil6210: fix invalid memory access for rx_buff_mgmt debugfs [ Upstream commit 4405b632e3da839defec966e4b0be44d0c5e3102 ] Check rx_buff_mgmt is allocated before accessing its internal fields. Signed-off-by: Dedy Lansky Signed-off-by: Maya Erez Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit bcaabaa75eebe5fd6aad0624d311a49ce6b475ae Author: Maya Erez Date: Thu Aug 23 14:47:10 2018 +0300 wil6210: prevent usage of tx ring 0 for eDMA [ Upstream commit df2b53884a5a454bf441ca78e5b57307262c73f4 ] In enhanced DMA ring 0 is used for RX ring, hence TX ring 0 is an unused element in ring_tx and ring2cid_tid arrays. Initialize ring2cid_tid CID to WIL6210_MAX_CID to prevent a false match of CID 0. Go over the ring_tx and ring2cid_tid from wil_get_min_tx_ring_id and on to prevent access to index 0 in eDMA. Signed-off-by: Maya Erez Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit acf041edec0a54834f0e72dd4e4b19adb33f2d32 Author: Maya Erez Date: Thu Aug 23 14:47:08 2018 +0300 wil6210: set edma variables only for Talyn-MB devices [ Upstream commit 596bdbcce90fa93f43ebcb99cefea34bd2e27707 ] use_rx_hw_reordering is already set to true in wil_set_capabilities for Talyn-MB devices. Remove its setting from wil_priv_init to prevent its activation for older chips. Similarly, move the setting of use_compressed_rx_status to wil_set_capabilities. Signed-off-by: Maya Erez Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit be039c973093611756f6a00a38be00ae1cd233af Author: Dedy Lansky Date: Thu Aug 23 14:47:07 2018 +0300 wil6210: drop Rx multicast packets that are looped-back to STA [ Upstream commit 9a65064abdf82934e0ed4744125f9f466f421f57 ] Delivering a looped-back multicast packet to network stack can cause higher layer protocols to fail like for example IPv6 DAD. In STA mode, upon receiving Rx multicast packet, check if the source MAC address is equal to our own MAC address and if so drop the packet. Signed-off-by: Dedy Lansky Signed-off-by: Maya Erez Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 1b0581bf379f78a6e2376514a6a7405cc0ba9e0e Author: Felix Fietkau Date: Mon Aug 20 11:37:51 2018 +0200 ath9k: fix tx99 with monitor mode interface [ Upstream commit d9c52fd17cb483bd8a470398afcb79f86c1b77c8 ] Tx99 is typically configured via a monitor mode interface, which does not get added to the driver as a vif. Since the code currently expects a configured virtual interface for tx99, enabling tx99 via debugfs fails. Since the vif is not needed anyway, remove all checks for it. Signed-off-by: Felix Fietkau [kvalo@codeaurora.org: s/CPTCFG/CONFIG/] Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit a618e2069783e60164c40490d7371fa12307f3aa Author: Rakesh Pillai Date: Mon Aug 6 20:18:08 2018 +0530 ath10k: skip resetting rx filter for WCN3990 [ Upstream commit 58da3b42307061b71f2dcce2bd1185d578a3aa53 ] WCN3990 has the MAC_PCU_ADDR1 configured properly and hence it will not send spurious ack frames during boot up. Hence the reset_rx_filter workaround is not needed for WCN3990. Add a hw_param to indicate if hardware rx filter reset is needed and skip the reset_rx_filter for WCN3990. Tested HW: WCN3990 Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 Signed-off-by: Rakesh Pillai Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit f7b2312c68a8d2aa376f8abc503238e429d69cc0 Author: Takashi Iwai Date: Tue Aug 28 12:49:43 2018 +0200 ALSA: seq: Do error checks at creating system ports [ Upstream commit b8e131542b47b81236ecf6768c923128e1f5db6e ] snd_seq_system_client_init() doesn't check the errors returned from its port creations. Let's do it properly and handle the error paths. Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit c2f459d3340ffe720792e889213816418aaf92ea Author: Rajeev Kumar Sirasanagandla Date: Tue Jul 10 18:46:13 2018 +0530 cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set [ Upstream commit 7417844b63d4b0dc8ab23f88259bf95de7d09b57 ] When REGULATORY_COUNTRY_IE_IGNORE is set, __reg_process_hint_country_ie() ignores the country code change request from __cfg80211_connect_result() via regulatory_hint_country_ie(). After Disconnect, similar to above, country code should not be reset to world when country IE ignore is set. But this is violated and restore of regulatory settings is invoked by cfg80211_disconnect_work via regulatory_hint_disconnect(). To address this, avoid regulatory restore from regulatory_hint_disconnect() when COUNTRY_IE_IGNORE is set. Note: Currently, restore_regulatory_settings() takes care of clearing beacon hints. But in the proposed change, regulatory restore is avoided. Therefore, explicitly clear beacon hints when DISABLE_BEACON_HINTS is not set. Signed-off-by: Rajeev Kumar Sirasanagandla Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit d377d63a9228d3bf2271dde370e8decce5fea992 Author: Andy Shevchenko Date: Mon Aug 27 18:35:53 2018 +0300 extcon: cht-wc: Return from default case to avoid warnings [ Upstream commit 962341b54b99965ebec5f70c8d39f1c382eea833 ] When we have first case to fall through it's not enough to put single comment there to satisfy compiler. Instead of doing that, return fall back value directly from default case. This to avoid following warnings: drivers/extcon/extcon-intel-cht-wc.c: In function ‘cht_wc_extcon_get_charger’: include/linux/device.h:1420:2: warning: this statement may fall through [-Wimplicit-fallthrough=] _dev_warn(dev, dev_fmt(fmt), ##__VA_ARGS__) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/extcon/extcon-intel-cht-wc.c:148:3: note: in expansion of macro ‘dev_warn’ dev_warn(ext->dev, ^~~~~~~~ drivers/extcon/extcon-intel-cht-wc.c:152:2: note: here case CHT_WC_USBSRC_TYPE_SDP: ^~~~ Signed-off-by: Andy Shevchenko Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 7575a34ed101b0f7d4dd50d5e71a6c2d625ea055 Author: Bjorn Andersson Date: Thu Aug 16 17:49:19 2018 -0700 remoteproc/davinci: Use %zx for formating size_t [ Upstream commit 1e28dbbeced6152b9ea7c417ff8cef3f7dcf0f19 ] da8xx_rproc_mem size is of type size_t, so use %zx to format the debug print of it to avoid a compile warning. Acked-by: Suman Anna Reviewed-by: Bartosz Golaszewski Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit c2dca83e9e835f10d9af76afcc55e2a328a2ee6c Author: Alexandre Belloni Date: Mon Aug 27 23:23:43 2018 +0200 rtc: rv8803: fix the rv8803 id in the OF table [ Upstream commit c856618d20662695fcdb47bf4d560dc457662aec ] The ID for RV8803 must be rv_8803 Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 5a408693b414afcea1e0c31ed4b2e36fe3a64458 Author: Dan Carpenter Date: Mon Aug 27 12:22:34 2018 +0300 rtc: sysfs: fix NULL check in rtc_add_groups() [ Upstream commit 777d8ae56da18fb6440acd941edb3597c1b02bf0 ] devm_kcalloc() returns NULL, it never returns error pointers. In the current code we would return PTR_ERR(NULL) which is success, instead of returning the -ENOMEM error code. Fixes: a0a1a1ba3032 ("rtc: sysfs: facilitate attribute add to rtc device") Signed-off-by: Dan Carpenter Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit a01d6a3204404f9fee97af8c1af4783790f3fd78 Author: Jay Foster Date: Mon Aug 20 11:42:01 2018 +0200 ARM: dts: at91/trivial: Fix USART1 definition for at91sam9g45 [ Upstream commit 10af10db8c76fa5b9bf1f52a895c1cb2c0ac24da ] Fix a typo. No functional change made by this patch. Signed-off-by: Jay Foster Signed-off-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit ea6a25cd2d41a037a9aa784b1f4600feba57411f Author: Geert Uytterhoeven Date: Fri Jul 20 14:28:57 2018 +0200 ARM: dts: rcar: Correct SATA device sizes to 2 MiB [ Upstream commit 441f61e3aa9e7386731ce1405044d484bd81f911 ] Update the SATA device nodes on R-Car H1, H2, and M2-W to use a 2 MiB I/O space, as specified in Rev.1.0 of the R-Car H1 and R-Car Gen2 hardware user manuals. See also commit e9f0089b2d8a3d45 ("arm64: dts: r8a7795: Correct SATA device size to 2MiB"). Signed-off-by: Geert Uytterhoeven Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 32d3fe68d20e3da9737fe828c23008fec94d48fa Author: Arnd Bergmann Date: Tue Aug 14 15:18:20 2018 +0200 y2038: make do_gettimeofday() and get_seconds() inline [ Upstream commit 33e26418193f58d1895f2f968e1953b1caf8deb7 ] get_seconds() and do_gettimeofday() are only used by a few modules now any more (waiting for the respective patches to get accepted), and they are among the last holdouts of code that is not y2038 safe in the core kernel. Move the implementation into the timekeeping32.h header to clean up the core kernel and isolate the old interfaces further. Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 5a830803b593a5c2d9a15f68c055ea1422f4c8a9 Author: Aapo Vienamo Date: Fri Aug 10 21:08:35 2018 +0300 arm64: dts: tegra210-p2180: Correct sdmmc4 vqmmc-supply [ Upstream commit 6ff7705da8806de45ca1490194f0b4eb07725804 ] On p2180 sdmmc4 is powered from a fixed 1.8 V regulator. Signed-off-by: Aapo Vienamo Reviewed-by: Mikko Perttunen Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit a124e7f2fecf24540d9381f915e703a588993ac3 Author: Aapo Vienamo Date: Fri Aug 10 21:08:07 2018 +0300 soc/tegra: pmc: Fix pad voltage configuration for Tegra186 [ Upstream commit 13136a47a061c01c91df78b37f7708dd5ce7035f ] Implement support for the PMC_IMPL_E_33V_PWR register which replaces PMC_PWR_DET register interface of the SoC generations preceding Tegra186. Also add the voltage bit offsets to the tegra186_io_pads[] table and the AO_HV pad. Signed-off-by: Aapo Vienamo Acked-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 90cfef191a30589ef373241821233ce56d244f58 Author: Dan Carpenter Date: Mon Aug 27 12:21:45 2018 +0300 ALSA: pcm: signedness bug in snd_pcm_plug_alloc() [ Upstream commit 6f128fa41f310e1f39ebcea9621d2905549ecf52 ] The "frames" variable is unsigned so the error handling doesn't work properly. Signed-off-by: Dan Carpenter Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e84cb5882da6d3e78964ca50fe0eade8fb8365ff Author: Andre Przywara Date: Mon Jul 30 13:31:34 2018 +0100 arm64: dts: allwinner: a64: NanoPi-A64: Fix DCDC1 voltage [ Upstream commit 480f58cdbe392d4387a2193b6131a277e0111dd0 ] According to the NanoPi-A64 schematics, DCDC1 is connected to a voltage rail named "VDD_SYS_3.3V". All users seem to expect 3.3V here: the Ethernet PHY, the uSD card slot, the camera interface and the GPIO pins on the headers. Fix up the voltage on the regulator to lift it up to 3.3V. Signed-off-by: Andre Przywara Acked-by: Maxime Ripard Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 3bbce894d52d5b9b98b698d04f52beccc3676b24 Author: Andre Przywara Date: Mon Jul 30 13:31:31 2018 +0100 arm64: dts: allwinner: a64: Olinuxino: fix DRAM voltage [ Upstream commit 93366b49a35f3a190052734b3f32c8fe2535b53f ] The Olinuxino board uses DDR3L chips which are supposed to be driven with 1.35V. The reset default of the AXP is properly set to 1.36V. While technically the chips can also run at 1.5 volts, changing the voltage on the fly while booting Linux is asking for trouble. Also running at a lower voltage saves power. So fix the DCDC5 value to match the actual board design. Signed-off-by: Andre Przywara Tested-by: Martin Lucina Acked-by: Maxime Ripard Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit d304218f959ea27da4059ed3095f8cd5f76e6476 Author: Samuel Holland Date: Mon Jul 30 13:31:21 2018 +0100 arm64: dts: allwinner: a64: Orange Pi Win: Fix SD card node [ Upstream commit 09b964afca14d0594b2b2f265df3d987e2f43867 ] The Orange Pi Win has a microSD card slot which is connected via all four SD data lines. As the DT was not mentioning this fact, we got the default single bit transfers, losing out on performance. Also, as microSD does not have a write protect switch, we disable this feature in the DT node. Signed-off-by: Samuel Holland Signed-off-by: Andre Przywara Acked-by: Maxime Ripard Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 030f6397eb8975fdd5c1a7a6055062a5dff9fda7 Author: Vinod Koul Date: Tue Aug 7 11:54:50 2018 +0530 soundwire: intel: Fix uninitialized adev deref [ Upstream commit e1c815f4b24a305e5bc9eceb541674bf4d02b709 ] In case of error, we can dereference uninitialized 'adev' drivers/soundwire/intel_init.c:154 sdw_intel_acpi_cb() error: uninitialized symbol 'adev'. Fix that by not using adev for warn print and make it pr_err. Reported-by: Dan Carpenter Acked-by: Pierre-Louis Bossart Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4b4153b7d6aff0b6efc6d8ae60538ad7ae4321f0 Author: Shreyas NC Date: Fri Jul 27 14:44:12 2018 +0530 soundwire: Initialize completion for defer messages [ Upstream commit a306a0e4a5326269b6c78d136407f08433ab5ece ] Deferred messages are async messages used to synchronize transitions mostly while doing a bank switch on multi links. On successful transitions these messages are marked complete and thereby confirming that all the buses performed bank switch successfully. So, initialize the completion structure for the same. Signed-off-by: Sanyog Kale Signed-off-by: Shreyas NC Acked-by: Pierre-Louis Bossart Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 38d1ecc23e3ef19857706270aa1a96442d2196ae Author: Rongyi Chen Date: Fri Aug 10 23:16:38 2018 +0800 clk: sunxi-ng: h6: fix PWM gate/reset offset [ Upstream commit 58c0f79887d5e425fe6a9fd542778e50df69e9c6 ] Currently the register offset of the PWM bus gate in Allwinner H6 clock driver is wrong. Fix this issue. Fixes: 542353ea ("clk: sunxi-ng: add support for the Allwinner H6 CCU") Signed-off-by: Rongyi Chen [Icenowy: refactor commit message] Signed-off-by: Icenowy Zheng Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 6c0fcc727ff098bf3188d0d24380237f08123ba6 Author: Marcus Folkesson Date: Fri Aug 24 22:24:40 2018 +0200 iio: dac: mcp4922: fix error handling in mcp4922_write_raw [ Upstream commit 0833627fc3f757a0dca11e2a9c46c96335a900ee ] Do not try to write negative values and make sure that the write goes well. Signed-off-by: Marcus Folkesson Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f125d1831402aa6ebd790a11e28ec0605cb4870c Author: Tamizh chelvam Date: Mon Aug 6 12:39:01 2018 +0300 ath10k: fix kernel panic by moving pci flush after napi_disable [ Upstream commit bd1d395070cca4f42a93e520b0597274789274a4 ] When continuously running wifi up/down sequence, the napi poll can be scheduled after the CE buffers being freed by ath10k_pci_flush Steps: In a certain condition, during wifi down below scenario might occur. ath10k_stop->ath10k_hif_stop->napi_schedule->ath10k_pci_flush->napi_poll(napi_synchronize). In the above scenario, CE buffer entries will be freed up and become NULL in ath10k_pci_flush. And the napi_poll has been invoked after the flush process and it will try to get the skb from the CE buffer entry and perform some action on that. Since the CE buffer already cleaned by pci flush this action will create NULL pointer dereference and trigger below kernel panic. Unable to handle kernel NULL pointer dereference at virtual address 0000005c PC is at ath10k_pci_htt_rx_cb+0x64/0x3ec [ath10k_pci] ath10k_pci_htt_rx_cb [ath10k_pci] ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci] ath10k_ce_per_engine_service [ath10k_pci] ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci] ath10k_ce_per_engine_service_any [ath10k_pci] ath10k_pci_napi_poll+0x48/0xec [ath10k_pci] ath10k_pci_napi_poll [ath10k_pci] net_rx_action+0xac/0x160 net_rx_action __do_softirq+0xdc/0x208 __do_softirq irq_exit+0x84/0xe0 irq_exit __handle_domain_irq+0x80/0xa0 __handle_domain_irq gic_handle_irq+0x38/0x5c gic_handle_irq __irq_usr+0x44/0x60 Tested on QCA4019 and firmware version 10.4.3.2.1.1-00010 Signed-off-by: Tamizh chelvam Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 75a600d7f062a9633fe9f5728aa2e26c13193e40 Author: Ard Biesheuvel Date: Wed Aug 1 11:48:33 2018 +0200 tee: optee: take DT status property into account [ Upstream commit db878f76b9ff7487da9bb0f686153f81829f1230 ] DT nodes may have a 'status' property which, if set to anything other than 'ok' or 'okay', indicates to the OS that the DT node should be treated as if it was not present. So add that missing logic to the OP-TEE driver. Signed-off-by: Ard Biesheuvel Signed-off-by: Jens Wiklander Signed-off-by: Sasha Levin commit cd3de5870c8043fc9fba2c7547e46d5e62650879 Author: Stefan Agner Date: Sat Aug 11 11:12:19 2018 +0200 iio: adc: max9611: explicitly cast gain_selectors [ Upstream commit b1ec0802503820ccbc894aadfd2a44da20232f5e ] After finding a reasonable gain, the function converts the configured gain to a gain configuration option selector enum max9611_csa_gain. Make the conversion clearly visible by using an explicit cast. This also avoids a warning seen with clang: drivers/iio/adc/max9611.c:292:16: warning: implicit conversion from enumeration type 'enum max9611_conf_ids' to different enumeration type 'enum max9611_csa_gain' [-Wenum-conversion] *csa_gain = gain_selectors[i]; ~ ^~~~~~~~~~~~~~~~~ Signed-off-by: Stefan Agner Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit a6bb63183de28b4bf83097ba36f20d4fbf7481f2 Author: Eugen Hristev Date: Thu Nov 14 12:59:26 2019 +0000 mmc: sdhci-of-at91: fix quirk2 overwrite commit fed23c5829ecab4ddc712d7b0046e59610ca3ba4 upstream. The quirks2 are parsed and set (e.g. from DT) before the quirk for broken HS200 is set in the driver. The driver needs to enable just this flag, not rewrite the whole quirk set. Fixes: 7871aa60ae00 ("mmc: sdhci-of-at91: add quirk for broken HS200") Signed-off-by: Eugen Hristev Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit b4bc6498c39be23db585f2c6a9b5db9e6dedb62b Author: Roman Gushchin Date: Fri Nov 15 17:34:46 2019 -0800 mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() commit 0362f326d86c645b5e96b7dbc3ee515986ed019d upstream. An exiting task might belong to an offline cgroup. In this case an attempt to grab a cgroup reference from the task can end up with an infinite loop in hugetlb_cgroup_charge_cgroup(), because neither the cgroup will become online, neither the task will be migrated to a live cgroup. Fix this by switching over to css_tryget(). As css_tryget_online() can't guarantee that the cgroup won't go offline, in most cases the check doesn't make sense. In this particular case users of hugetlb_cgroup_charge_cgroup() are not affected by this change. A similar problem is described by commit 18fa84a2db0e ("cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()"). Link: http://lkml.kernel.org/r/20191106225131.3543616-2-guro@fb.com Signed-off-by: Roman Gushchin Acked-by: Johannes Weiner Acked-by: Tejun Heo Reviewed-by: Shakeel Butt Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bb1bc2d8231c78644cacadeccd20df7bb38e1668 Author: Roman Gushchin Date: Fri Nov 15 17:34:43 2019 -0800 mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() commit 00d484f354d85845991b40141d40ba9e5eb60faf upstream. We've encountered a rcu stall in get_mem_cgroup_from_mm(): rcu: INFO: rcu_sched self-detected stall on CPU rcu: 33-....: (21000 ticks this GP) idle=6c6/1/0x4000000000000002 softirq=35441/35441 fqs=5017 (t=21031 jiffies g=324821 q=95837) NMI backtrace for cpu 33 <...> RIP: 0010:get_mem_cgroup_from_mm+0x2f/0x90 <...> __memcg_kmem_charge+0x55/0x140 __alloc_pages_nodemask+0x267/0x320 pipe_write+0x1ad/0x400 new_sync_write+0x127/0x1c0 __kernel_write+0x4f/0xf0 dump_emit+0x91/0xc0 writenote+0xa0/0xc0 elf_core_dump+0x11af/0x1430 do_coredump+0xc65/0xee0 get_signal+0x132/0x7c0 do_signal+0x36/0x640 exit_to_usermode_loop+0x61/0xd0 do_syscall_64+0xd4/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The problem is caused by an exiting task which is associated with an offline memcg. We're iterating over and over in the do {} while (!css_tryget_online()) loop, but obviously the memcg won't become online and the exiting task won't be migrated to a live memcg. Let's fix it by switching from css_tryget_online() to css_tryget(). As css_tryget_online() cannot guarantee that the memcg won't go offline, the check is usually useless, except some rare cases when for example it determines if something should be presented to a user. A similar problem is described by commit 18fa84a2db0e ("cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()"). Johannes: : The bug aside, it doesn't matter whether the cgroup is online for the : callers. It used to matter when offlining needed to evacuate all charges : from the memcg, and so needed to prevent new ones from showing up, but we : don't care now. Link: http://lkml.kernel.org/r/20191106225131.3543616-1-guro@fb.com Signed-off-by: Roman Gushchin Acked-by: Johannes Weiner Acked-by: Tejun Heo Reviewed-by: Shakeel Butt Cc: Michal Hocko Cc: Michal Koutn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 653d9e0c55bff54a55d092596db40c738833371b Author: Yang Shi Date: Fri Nov 15 17:34:33 2019 -0800 mm: mempolicy: fix the wrong return value and potential pages leak of mbind commit a85dfc305a21acfc48fa28a0fa0a0cb6ad496120 upstream. Commit d883544515aa ("mm: mempolicy: make the behavior consistent when MPOL_MF_MOVE* and MPOL_MF_STRICT were specified") fixed the return value of mbind() for a couple of corner cases. But, it altered the errno for some other cases, for example, mbind() should return -EFAULT when part or all of the memory range specified by nodemask and maxnode points outside your accessible address space, or there was an unmapped hole in the specified memory range specified by addr and len. Fix this by preserving the errno returned by queue_pages_range(). And, the pagelist may be not empty even though queue_pages_range() returns error, put the pages back to LRU since mbind_range() is not called to really apply the policy so those pages should not be migrated, this is also the old behavior before the problematic commit. Link: http://lkml.kernel.org/r/1572454731-3925-1-git-send-email-yang.shi@linux.alibaba.com Fixes: d883544515aa ("mm: mempolicy: make the behavior consistent when MPOL_MF_MOVE* and MPOL_MF_STRICT were specified") Signed-off-by: Yang Shi Reported-by: Li Xinhai Reviewed-by: Li Xinhai Cc: Vlastimil Babka Cc: Michal Hocko Cc: Mel Gorman Cc: [4.19 and 5.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5b1c342fc3e02784c0bb94fe90f24a50bd2934b3 Author: Eric Auger Date: Fri Nov 8 16:58:03 2019 +0100 iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros commit 4e7120d79edb31e4ee68e6f8421448e4603be1e9 upstream. For both PASID-based-Device-TLB Invalidate Descriptor and Device-TLB Invalidate Descriptor, the Physical Function Source-ID value is split according to this layout: PFSID[3:0] is set at offset 12 and PFSID[15:4] is put at offset 52. Fix the part laid out at offset 52. Fixes: 0f725561e1684 ("iommu/vt-d: Add definitions for PFSID") Signed-off-by: Eric Auger Acked-by: Jacob Pan Cc: stable@vger.kernel.org # v4.19+ Acked-by: Lu Baolu Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 29dcbbb5ab0ac181f239c80106b97e6118e96475 Author: Corentin Labbe Date: Sun Nov 10 11:30:48 2019 +0000 net: ethernet: dwmac-sun8i: Use the correct function in exit path commit 40a1dcee2d1846a24619fe9ca45c661ca0db7dda upstream. When PHY is not powered, the probe function fail and some resource are still unallocated. Furthermore some BUG happens: dwmac-sun8i 5020000.ethernet: EMAC reset timeout ------------[ cut here ]------------ kernel BUG at /linux-next/net/core/dev.c:9844! So let's use the right function (stmmac_pltfr_remove) in the error path. Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i") Cc: # v4.15+ Signed-off-by: Corentin Labbe Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bdae2f7b2031cbeebca93267bef5e829e55c03ca Author: Al Viro Date: Sun Nov 3 13:55:43 2019 -0500 ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either commit 762c69685ff7ad5ad7fee0656671e20a0c9c864d upstream. We need to get the underlying dentry of parent; sure, absent the races it is the parent of underlying dentry, but there's nothing to prevent losing a timeslice to preemtion in the middle of evaluation of lower_dentry->d_parent->d_inode, having another process move lower_dentry around and have its (ex)parent not pinned anymore and freed on memory pressure. Then we regain CPU and try to fetch ->d_inode from memory that is freed by that point. dentry->d_parent *is* stable here - it's an argument of ->lookup() and we are guaranteed that it won't be moved anywhere until we feed it to d_add/d_splice_alias. So we safely go that way to get to its underlying dentry. Cc: stable@vger.kernel.org # since 2009 or so Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit beb3860c2e0edb81786fbeaeace366174b59d5ef Author: Al Viro Date: Sun Nov 3 13:45:04 2019 -0500 ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable commit e72b9dd6a5f17d0fb51f16f8685f3004361e83d0 upstream. lower_dentry can't go from positive to negative (we have it pinned), but it *can* go from negative to positive. So fetching ->d_inode into a local variable, doing a blocking allocation, checking that now ->d_inode is non-NULL and feeding the value we'd fetched earlier to a function that won't accept NULL is not a good idea. Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 1a48aaabf1cd75d831b0d9b3005a2b0c9f831123 Author: Hans de Goede Date: Wed Nov 13 19:29:38 2019 +0100 i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present commit 7574c0db2e68c4d0bae9d415a683bdd8b2a761e9 upstream. Many cheap devices use Silead touchscreen controllers. Testing has shown repeatedly that these touchscreen controllers work fine at 400KHz, but for unknown reasons do not work properly at 100KHz. This has been seen on both ARM and x86 devices using totally different i2c controllers. On some devices the ACPI tables list another device at the same I2C-bus as only being capable of 100KHz, testing has shown that these other devices work fine at 400KHz (as can be expected of any recent I2C hw). This commit makes i2c_acpi_find_bus_speed() always return 400KHz if a Silead touchscreen controller is present, fixing the touchscreen not working on devices which ACPI tables' wrongly list another device on the same bus as only being capable of 100KHz. Specifically this fixes the touchscreen on the Jumper EZpad 6 m4 not working. Reported-by: youling 257 Tested-by: youling 257 Signed-off-by: Hans de Goede Reviewed-by: Jarkko Nikula Acked-by: Mika Westerberg [wsa: rewording warning a little] Signed-off-by: Wolfram Sang Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 9ace24bba6577fe1fbebe382a6497796d47c6a06 Author: Mike Marciniszyn Date: Fri Oct 4 16:49:34 2019 -0400 IB/hfi1: Use a common pad buffer for 9B and 16B packets commit 22bb13653410424d9fce8d447506a41f8292f22f upstream. There is no reason for a different pad buffer for the two packet types. Expand the current buffer allocation to allow for both packet types. Fixes: f8195f3b14a0 ("IB/hfi1: Eliminate allocation while atomic") Reported-by: Dan Carpenter Reviewed-by: Kaike Wan Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/20191004204934.26838.13099.stgit@awfm-01.aw.intel.com Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 6ec4a5498ee57d682958d552a49145eb6a28bc6f Author: James Erwin Date: Fri Nov 1 15:20:59 2019 -0400 IB/hfi1: Ensure full Gen3 speed in a Gen4 system commit a9c3c4c597704b3a1a2b9bef990e7d8a881f6533 upstream. If an hfi1 card is inserted in a Gen4 systems, the driver will avoid the gen3 speed bump and the card will operate at half speed. This is because the driver avoids the gen3 speed bump when the parent bus speed isn't identical to gen3, 8.0GT/s. This is not compatible with gen4 and newer speeds. Fix by relaxing the test to explicitly look for the lower capability speeds which inherently allows for gen4 and all future speeds. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Link: https://lore.kernel.org/r/20191101192059.106248.1699.stgit@awfm-01.aw.intel.com Cc: Reviewed-by: Dennis Dalessandro Reviewed-by: Kaike Wan Signed-off-by: James Erwin Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 1f3bbf9f0adcfe87a30a83e23c51f676fa7c7c3c Author: Chuhong Yuan Date: Fri Nov 15 11:32:36 2019 -0800 Input: synaptics-rmi4 - destroy F54 poller workqueue when removing commit ba60cf9f78f0d7c8e73c7390608f7f818ee68aa0 upstream. The driver forgets to destroy workqueue in remove() similarly to what is done when probe() fails. Add a call to destroy_workqueue() to fix it. Since unregistration will wait for the work to finish, we do not need to cancel/flush the work instance in remove(). Signed-off-by: Chuhong Yuan Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191114023405.31477-1-hslester96@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 5c9fd709c5f5e1181892e879d08c8cec6ec67fdc Author: Lucas Stach Date: Tue Nov 12 16:47:08 2019 -0800 Input: synaptics-rmi4 - clear IRQ enables for F54 commit 549766ac2ac1f6c8bb85906bbcea759541bb19a2 upstream. The driver for F54 just polls the status and doesn't even have a IRQ handler registered. Make sure to disable all F54 IRQs, so we don't crash the kernel on a nonexistent handler. Signed-off-by: Lucas Stach Link: https://lore.kernel.org/r/20191105114402.6009-1-l.stach@pengutronix.de Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit fbe9849f79aad0f5ee1b3805e65ba8a2a623fc4a Author: Andrew Duggan Date: Mon Nov 4 16:07:30 2019 -0800 Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) commit 5d40d95e7e64756cc30606c2ba169271704d47cb upstream. Currently, rmi_f11_attention() and rmi_f12_attention() functions update the attn_data data pointer and size based on the size of the expected size of the attention data. However, if the actual valid data in the attn buffer is less then the expected value then the updated data pointer will point to memory beyond the end of the attn buffer. Using the calculated valid_bytes instead will prevent this from happening. Signed-off-by: Andrew Duggan Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191025002527.3189-3-aduggan@synaptics.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 924a8f2c745a694c7a7f4f5f04d2d34fc012b023 Author: Andrew Duggan Date: Mon Nov 4 16:06:44 2019 -0800 Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver commit f6aabe1ff1d9d7bad0879253011216438bdb2530 upstream. This patch fixes an issue seen on HID touchpads which report finger positions using RMI4 Function 12. The issue manifests itself as spurious button presses as described in: https://www.spinics.net/lists/linux-input/msg58618.html Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") switched the RMI4 driver to using an irq_domain to handle RMI4 function interrupts. Functions with more then one interrupt now have each interrupt mapped to their own IRQ and IRQ handler. The result of this change is that the F12 IRQ handler was now getting called twice. Once for the absolute data interrupt and once for the relative data interrupt. For HID devices, calling rmi_f12_attention() a second time causes the attn_data data pointer and size to be set incorrectly. When the touchpad button is pressed, F30 will generate an interrupt and attempt to read the F30 data from the invalid attn_data data pointer and report incorrect button events. This patch disables the F12 relative interrupt which prevents rmi_f12_attention() from being called twice. Signed-off-by: Andrew Duggan Reported-by: Simon Wood Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191025002527.3189-2-aduggan@synaptics.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 8e347aa4e04ba3caf75990630faee4a700bcb93d Author: Lucas Stach Date: Mon Nov 4 15:58:34 2019 -0800 Input: synaptics-rmi4 - fix video buffer size commit 003f01c780020daa9a06dea1db495b553a868c29 upstream. The video buffer used by the queue is a vb2_v4l2_buffer, not a plain vb2_buffer. Using the wrong type causes the allocation of the buffer storage to be too small, causing a out of bounds write when __init_vb2_v4l2_buffer initializes the buffer. Signed-off-by: Lucas Stach Fixes: 3a762dbd5347 ("[media] Input: synaptics-rmi4 - add support for F54 diagnostics") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191104114454.10500-1-l.stach@pengutronix.de Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit c02230815282a436366d3d0d6de6d2636dd71b74 Author: Oliver Neukum Date: Fri Nov 15 11:35:05 2019 -0800 Input: ff-memless - kill timer in destroy() commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream. No timer must be left running when the device goes away. Signed-off-by: Oliver Neukum Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 47d06a15f25a5b052204a5597fd0f59aa08329f3 Author: Filipe Manana Date: Fri Nov 8 16:11:56 2019 +0000 Btrfs: fix log context list corruption after rename exchange operation commit e6c617102c7e4ac1398cb0b98ff1f0727755b520 upstream. During rename exchange we might have successfully log the new name in the source root's log tree, in which case we leave our log context (allocated on stack) in the root's list of log contextes. However we might fail to log the new name in the destination root, in which case we fallback to a transaction commit later and never sync the log of the source root, which causes the source root log context to remain in the list of log contextes. This later causes invalid memory accesses because the context was allocated on stack and after rename exchange finishes the stack gets reused and overwritten for other purposes. The kernel's linked list corruption detector (CONFIG_DEBUG_LIST=y) can detect this and report something like the following: [ 691.489929] ------------[ cut here ]------------ [ 691.489947] list_add corruption. prev->next should be next (ffff88819c944530), but was ffff8881c23f7be4. (prev=ffff8881c23f7a38). [ 691.489967] WARNING: CPU: 2 PID: 28933 at lib/list_debug.c:28 __list_add_valid+0x95/0xe0 (...) [ 691.489998] CPU: 2 PID: 28933 Comm: fsstress Not tainted 5.4.0-rc6-btrfs-next-62 #1 [ 691.490001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 [ 691.490003] RIP: 0010:__list_add_valid+0x95/0xe0 (...) [ 691.490007] RSP: 0018:ffff8881f0b3faf8 EFLAGS: 00010282 [ 691.490010] RAX: 0000000000000000 RBX: ffff88819c944530 RCX: 0000000000000000 [ 691.490011] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffa2c497e0 [ 691.490013] RBP: ffff8881f0b3fe68 R08: ffffed103eaa4115 R09: ffffed103eaa4114 [ 691.490015] R10: ffff88819c944000 R11: ffffed103eaa4115 R12: 7fffffffffffffff [ 691.490016] R13: ffff8881b4035610 R14: ffff8881e7b84728 R15: 1ffff1103e167f7b [ 691.490019] FS: 00007f4b25ea2e80(0000) GS:ffff8881f5500000(0000) knlGS:0000000000000000 [ 691.490021] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 691.490022] CR2: 00007fffbb2d4eec CR3: 00000001f2a4a004 CR4: 00000000003606e0 [ 691.490025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 691.490027] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 691.490029] Call Trace: [ 691.490058] btrfs_log_inode_parent+0x667/0x2730 [btrfs] [ 691.490083] ? join_transaction+0x24a/0xce0 [btrfs] [ 691.490107] ? btrfs_end_log_trans+0x80/0x80 [btrfs] [ 691.490111] ? dget_parent+0xb8/0x460 [ 691.490116] ? lock_downgrade+0x6b0/0x6b0 [ 691.490121] ? rwlock_bug.part.0+0x90/0x90 [ 691.490127] ? do_raw_spin_unlock+0x142/0x220 [ 691.490151] btrfs_log_dentry_safe+0x65/0x90 [btrfs] [ 691.490172] btrfs_sync_file+0x9f1/0xc00 [btrfs] [ 691.490195] ? btrfs_file_write_iter+0x1800/0x1800 [btrfs] [ 691.490198] ? rcu_read_lock_any_held.part.11+0x20/0x20 [ 691.490204] ? __do_sys_newstat+0x88/0xd0 [ 691.490207] ? cp_new_stat+0x5d0/0x5d0 [ 691.490218] ? do_fsync+0x38/0x60 [ 691.490220] do_fsync+0x38/0x60 [ 691.490224] __x64_sys_fdatasync+0x32/0x40 [ 691.490228] do_syscall_64+0x9f/0x540 [ 691.490233] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 691.490235] RIP: 0033:0x7f4b253ad5f0 (...) [ 691.490239] RSP: 002b:00007fffbb2d6078 EFLAGS: 00000246 ORIG_RAX: 000000000000004b [ 691.490242] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4b253ad5f0 [ 691.490244] RDX: 00007fffbb2d5fe0 RSI: 00007fffbb2d5fe0 RDI: 0000000000000003 [ 691.490245] RBP: 000000000000000d R08: 0000000000000001 R09: 00007fffbb2d608c [ 691.490247] R10: 00000000000002e8 R11: 0000000000000246 R12: 00000000000001f4 [ 691.490248] R13: 0000000051eb851f R14: 00007fffbb2d6120 R15: 00005635a498bda0 This started happening recently when running some test cases from fstests like btrfs/004 for example, because support for rename exchange was added last week to fsstress from fstests. So fix this by deleting the log context for the source root from the list if we have logged the new name in the source root. Reported-by: Su Yue Fixes: d4682ba03ef618 ("Btrfs: sync log after logging new name") CC: stable@vger.kernel.org # 4.19+ Tested-by: Su Yue Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit f2465526866aa4fc57ccaa64f988d094be4af78e Author: Takashi Iwai Date: Thu Nov 14 17:56:12 2019 +0100 ALSA: usb-audio: Fix incorrect size check for processing/extension units commit 976a68f06b2ea49e2ab67a5f84919a8b105db8be upstream. The recently introduced unit descriptor validation had some bug for processing and extension units, it counts a bControlSize byte twice so it expected a bigger size than it should have been. This seems resulting in a probe error on a few devices. Fix the calculation for proper checks of PU and EU. Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") Cc: Link: https://lore.kernel.org/r/20191114165613.7422-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 420433f6cf5c6505433a6324584bebb219599806 Author: Takashi Iwai Date: Wed Nov 13 12:12:59 2019 +0100 ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk() commit cc9dbfa9707868fb0ca864c05e0c42d3f4d15cf2 upstream. The commit 60849562a5db ("ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk()") added NULL checks in create_yamaha_midi_quirk(), but there was an overlook. The code allows one of either injd or outjd is NULL, but the second if check made returning -ENODEV if any of them is NULL. Fix it in a proper form. Fixes: 60849562a5db ("ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk()") Reported-by: Pavel Machek Cc: Link: https://lore.kernel.org/r/20191113111259.24123-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ab2ee4299b7e2ae441d6b539ff846413d6b85d29 Author: Henry Lin Date: Wed Nov 13 10:14:19 2019 +0800 ALSA: usb-audio: not submit urb for stopped endpoint commit 528699317dd6dc722dccc11b68800cf945109390 upstream. While output urb's snd_complete_urb() is executing, calling prepare_outbound_urb() may cause endpoint stopped before prepare_outbound_urb() returns and result in next urb submitted to stopped endpoint. usb-audio driver cannot re-use it afterwards as the urb is still hold by usb stack. This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again to let snd_complete_urb() know the endpoint already stopped and does not submit next urb. Below kind of error will be fixed: [ 213.153103] usb 1-2: timeout: still 1 active urbs on EP #1 [ 213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error Signed-off-by: Henry Lin Cc: Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a2c763cd9609cdbf3c0b88c887a4f2e440e4cb3c Author: Takashi Iwai Date: Sat Nov 9 19:16:58 2019 +0100 ALSA: usb-audio: Fix missing error check at mixer resolution test commit 167beb1756791e0806365a3f86a0da10d7a327ee upstream. A check of the return value from get_cur_mix_raw() is missing at the resolution test code in get_min_max_with_quirks(), which may leave the variable untouched, leading to a random uninitialized value, as detected by syzkaller fuzzer. Add the missing return error check for fixing that. Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit edc471038b4846b119d0b025f0336bf4b3e1ce23 Author: Jouni Hogander Date: Wed Nov 13 13:45:02 2019 +0200 slip: Fix memory leak in slip_open error path [ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ] Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected by Syzkaller in slcan. Same issue exists in slip.c and this patch is addressing the leak in slip.c. Here is the slcan memory leak trace reported by Syzkaller: BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) hex dump (first 32 bytes): 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 [<000000004de5a617>] tty_ioctl+0x48d/0x1590 [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 [<0000000053d0332e>] do_syscall_64+0x16f/0x580 [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [<000000008ea75434>] 0xfffffffffffffff Cc: "David S. Miller" Cc: Oliver Hartkopp Cc: Lukas Bulwahn Signed-off-by: Jouni Hogander Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4cd50a31ac9e865ac4b52cba3337ae7207c534b4 Author: Aleksander Morgado Date: Wed Nov 13 11:11:10 2019 +0100 net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules [ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ] These are the Foxconn-branded variants of the Dell DW5821e modules, same USB layout as those. The QMI interface is exposed in USB configuration #1: P: Vendor=0489 ProdID=e0b4 Rev=03.18 S: Manufacturer=FII S: Product=T77W968 LTE S: SerialNumber=0123456789ABCDEF C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option Signed-off-by: Aleksander Morgado Acked-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0a772b2ac696f335551176c6ed7802b5c9399143 Author: Chuhong Yuan Date: Fri Nov 15 14:24:54 2019 +0800 net: gemini: add missed free_netdev [ Upstream commit 18d647ae74116bfee38953978501cea2960a0c25 ] This driver forgets to free allocated netdev in remove like what is done in probe failure. Add the free to fix it. Signed-off-by: Chuhong Yuan Reviewed-by: Linus Walleij Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 66daa05750a9889094546551a0c7ca528ff7b8cd Author: Guillaume Nault Date: Fri Nov 15 18:29:52 2019 +0100 ipmr: Fix skb headroom in ipmr_get_route(). [ Upstream commit 7901cd97963d6cbde88fa25a4a446db3554c16c6 ] In route.c, inet_rtm_getroute_build_skb() creates an skb with no headroom. This skb is then used by inet_rtm_getroute() which may pass it to rt_fill_info() and, from there, to ipmr_get_route(). The later might try to reuse this skb by cloning it and prepending an IPv4 header. But since the original skb has no headroom, skb_push() triggers skb_under_panic(): skbuff: skb_under_panic: text:00000000ca46ad8a len:80 put:20 head:00000000cd28494e data:000000009366fd6b tail:0x3c end:0xec0 dev:veth0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:108! invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 6 PID: 587 Comm: ip Not tainted 5.4.0-rc6+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 RIP: 0010:skb_panic+0xbf/0xd0 Code: 41 a2 ff 8b 4b 70 4c 8b 4d d0 48 c7 c7 20 76 f5 8b 44 8b 45 bc 48 8b 55 c0 48 8b 75 c8 41 54 41 57 41 56 41 55 e8 75 dc 7a ff <0f> 0b 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 RSP: 0018:ffff888059ddf0b0 EFLAGS: 00010286 RAX: 0000000000000086 RBX: ffff888060a315c0 RCX: ffffffff8abe4822 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88806c9a79cc RBP: ffff888059ddf118 R08: ffffed100d9361b1 R09: ffffed100d9361b0 R10: ffff88805c68aee3 R11: ffffed100d9361b1 R12: ffff88805d218000 R13: ffff88805c689fec R14: 000000000000003c R15: 0000000000000ec0 FS: 00007f6af184b700(0000) GS:ffff88806c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc8204a000 CR3: 0000000057b40006 CR4: 0000000000360ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0x7e/0x80 ipmr_get_route+0x459/0x6fa rt_fill_info+0x692/0x9f0 inet_rtm_getroute+0xd26/0xf20 rtnetlink_rcv_msg+0x45d/0x630 netlink_rcv_skb+0x1a5/0x220 rtnetlink_rcv+0x15/0x20 netlink_unicast+0x305/0x3a0 netlink_sendmsg+0x575/0x730 sock_sendmsg+0xb5/0xc0 ___sys_sendmsg+0x497/0x4f0 __sys_sendmsg+0xcb/0x150 __x64_sys_sendmsg+0x48/0x50 do_syscall_64+0xd2/0xac0 entry_SYSCALL_64_after_hwframe+0x49/0xbe Actually the original skb used to have enough headroom, but the reserve_skb() call was lost with the introduction of inet_rtm_getroute_build_skb() by commit 404eb77ea766 ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE"). We could reserve some headroom again in inet_rtm_getroute_build_skb(), but this function shouldn't be responsible for handling the special case of ipmr_get_route(). Let's handle that directly in ipmr_get_route() by calling skb_realloc_headroom() instead of skb_clone(). Fixes: 404eb77ea766 ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 20beeb30083e873929728f33113972945c558373 Author: Oliver Neukum Date: Thu Nov 14 11:16:01 2019 +0100 ax88172a: fix information leak on short answers [ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ] If a malicious device gives a short MAC it can elicit up to 5 bytes of leaked memory out of the driver. We need to check for ETH_ALEN instead. Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c4a0f567e652be1c4a90c8b278ef12b06724cb4d Author: Michael Schmitz Date: Tue Nov 5 15:49:10 2019 +1300 scsi: core: Handle drivers which set sg_tablesize to zero commit 9393c8de628cf0968d81a17cc11841e42191e041 upstream. In scsi_mq_setup_tags(), cmd_size is calculated based on zero size for the scatter-gather list in case the low level driver uses SG_NONE in its host template. cmd_size is passed on to the block layer for calculation of the request size, and we've seen NULL pointer dereference errors from the block layer in drivers where SG_NONE is used and a mq IO scheduler is active, apparently as a consequence of this (see commit 68ab2d76e4be ("scsi: cxlflash: Set sg_tablesize to 1 instead of SG_NONE"), and a recent patch by Finn Thain converting the three m68k NFR5380 drivers to avoid setting SG_NONE). Try to avoid these errors by accounting for at least one sg list entry when calculating cmd_size, regardless of whether the low level driver set a zero sg_tablesize. Tested on 030 m68k with the atari_scsi driver - setting sg_tablesize to SG_NONE no longer results in a crash when loading this driver. CC: Finn Thain Link: https://lore.kernel.org/r/1572922150-4358-1-git-send-email-schmitzmic@gmail.com Signed-off-by: Michael Schmitz Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 81adf034d5d67773ed38c7b1d5443a67ac3d9ea5 Author: Jonas Gorski Date: Mon Dec 10 12:40:38 2018 +0100 MIPS: BCM63XX: fix switch core reset on BCM6368 commit 8a38dacf87180738d42b058334c951eba15d2d47 upstream. The Ethernet Switch core mask was set to 0, causing the switch core to be not reset on BCM6368 on boot. Provide the proper mask so the switch core gets reset to a known good state. Fixes: 799faa626c71 ("MIPS: BCM63XX: add core reset helper") Signed-off-by: Jonas Gorski Signed-off-by: Paul Burton Cc: linux-mips@vger.kernel.org Cc: Ralf Baechle Cc: James Hogan Cc: Florian Fainelli Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit dbf1ef2dc0d53af8fcf2b23a75b2e449ccb22cb8 Author: Paolo Bonzini Date: Mon Nov 11 14:54:23 2019 -0800 KVM: x86: introduce is_pae_paging [ Upstream commit bf03d4f9334728bf7c8ffc7de787df48abd6340e ] Checking for 32-bit PAE is quite common around code that fiddles with the PDPTRs. Add a function to compress all checks into a single invocation. Moving to the common helper also fixes a subtle bug in kvm_set_cr3() where it fails to check is_long_mode() and results in KVM incorrectly attempting to load PDPTRs for a 64-bit guest. Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini [sean: backport to 4.x; handle vmx.c split in 5.x, call out the bugfix] Signed-off-by: Sean Christopherson Acked-by: Paolo Bonzini Tested-by: Thomas Lamprecht Signed-off-by: Sasha Levin commit c555efaf14026c7751fa68d87403a5eb5ae7dcaf Author: Greg Kroah-Hartman Date: Tue Nov 12 19:21:46 2019 +0100 Linux 4.19.84 commit 46a4a014c48e64e28970ca775bb7adf4778821af Author: Junaid Shahid Date: Fri Nov 1 00:14:14 2019 +0100 kvm: x86: mmu: Recovery of shattered NX large pages commit 1aa9b9572b10529c2e64e2b8f44025d86e124308 upstream. The page table pages corresponding to broken down large pages are zapped in FIFO order, so that the large page can potentially be recovered, if it is not longer being used for execution. This removes the performance penalty for walking deeper EPT page tables. By default, one large page will last about one hour once the guest reaches a steady state. Signed-off-by: Junaid Shahid Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 6082f2e28887bcef66d9b3b5710fd3491a722f0b Author: Junaid Shahid Date: Fri Nov 1 00:14:08 2019 +0100 kvm: Add helper function for creating VM worker threads commit c57c80467f90e5504c8df9ad3555d2c78800bf94 upstream. Add a function to create a kernel thread associated with a given VM. In particular, it ensures that the worker thread inherits the priority and cgroups of the calling thread. Signed-off-by: Junaid Shahid Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 Author: Paolo Bonzini Date: Mon Nov 4 12:22:02 2019 +0100 kvm: mmu: ITLB_MULTIHIT mitigation commit b8e8c8303ff28c61046a4d0f6ea99aea609a7dc0 upstream. With some Intel processors, putting the same virtual address in the TLB as both a 4 KiB and 2 MiB page can confuse the instruction fetch unit and cause the processor to issue a machine check resulting in a CPU lockup. Unfortunately when EPT page tables use huge pages, it is possible for a malicious guest to cause this situation. Add a knob to mark huge pages as non-executable. When the nx_huge_pages parameter is enabled (and we are using EPT), all huge pages are marked as NX. If the guest attempts to execute in one of those pages, the page is broken down into 4K pages, which are then marked executable. This is not an issue for shadow paging (except nested EPT), because then the host is in control of TLB flushes and the problematic situation cannot happen. With nested EPT, again the nested guest can cause problems shadow and direct EPT is treated in the same way. [ tglx: Fixup default to auto and massage wording a bit ] Originally-by: Junaid Shahid Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit db77548b16521501a287f0e5c8e7754ba35c0193 Author: Paolo Bonzini Date: Sun Oct 27 09:36:37 2019 +0100 KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active commit 9167ab79936206118cc60e47dcb926c3489f3bd5 upstream. VMX already does so if the host has SMEP, in order to support the combination of CR0.WP=1 and CR4.SMEP=1. However, it is perfectly safe to always do so, and in fact VMX also ends up running with EFER.NXE=1 on old processors that lack the "load EFER" controls, because it may help avoiding a slow MSR write. SVM does not have similar code, but it should since recent AMD processors do support SMEP. So this patch makes the code for the two vendors simpler and more similar, while fixing an issue with CR0.WP=1 and CR4.SMEP=1 on AMD. Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Cc: Joerg Roedel Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 37dfbc8ba7631c3e8fa249056318cad1d7f09f7c Author: Paolo Bonzini Date: Thu Jul 4 05:14:13 2019 -0400 KVM: x86: add tracepoints around __direct_map and FNAME(fetch) commit 335e192a3fa415e1202c8b9ecdaaecd643f823cc upstream. These are useful in debugging shadow paging. Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9ef1fae24d58dbd2aac8386dbac1c0dba708fd29 Author: Paolo Bonzini Date: Sun Jun 30 08:36:21 2019 -0400 KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON commit e9f2a760b158551bfbef6db31d2cae45ab8072e5 upstream. Note that in such a case it is quite likely that KVM will BUG_ON in __pte_list_remove when the VM is closed. However, there is no immediate risk of memory corruption in the host so a WARN_ON is enough and it lets you gather traces for debugging. Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit b182093d1c7012e0d5dd756ce4b4636d0e7c8c39 Author: Paolo Bonzini Date: Sun Jun 23 19:15:49 2019 +0200 KVM: x86: remove now unneeded hugepage gfn adjustment commit d679b32611c0102ce33b9e1a4e4b94854ed1812a upstream. After the previous patch, the low bits of the gfn are masked in both FNAME(fetch) and __direct_map, so we do not need to clear them in transparent_hugepage_adjust. Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit e79234ce5765dd9ce329746cea88cc5b903b1254 Author: Paolo Bonzini Date: Mon Jun 24 13:06:21 2019 +0200 KVM: x86: make FNAME(fetch) and __direct_map more similar commit 3fcf2d1bdeb6a513523cb2c77012a6b047aa859c upstream. These two functions are basically doing the same thing through kvm_mmu_get_page, link_shadow_page and mmu_set_spte; yet, for historical reasons, their code looks very different. This patch tries to take the best of each and make them very similar, so that it is easy to understand changes that apply to both of them. Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 8aaac30686233108e8a8648f95dd4ec0e0123389 Author: Junaid Shahid Date: Thu Jan 3 16:22:21 2019 -0800 kvm: mmu: Do not release the page inside mmu_set_spte() commit 43fdcda96e2550c6d1c46fb8a78801aa2f7276ed upstream. Release the page at the call-site where it was originally acquired. This makes the exit code cleaner for most call sites, since they do not need to duplicate code between success and the failure label. Signed-off-by: Junaid Shahid Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 30d8d8d6cd928b5bc8547aca6d8eb30b334d5451 Author: Junaid Shahid Date: Thu Jan 3 17:14:28 2019 -0800 kvm: Convert kvm_lock to a mutex commit 0d9ce162cf46c99628cc5da9510b959c7976735b upstream. It doesn't seem as if there is any particular need for kvm_lock to be a spinlock, so convert the lock to a mutex so that sleepable functions (in particular cond_resched()) can be called while holding it. Signed-off-by: Junaid Shahid Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit a991063ce57684a2259688886643cf1c430f8188 Author: Paolo Bonzini Date: Fri Oct 11 11:59:48 2019 +0200 kvm: x86, powerpc: do not allow clearing largepages debugfs entry commit 833b45de69a6016c4b0cebe6765d526a31a81580 upstream. The largepages debugfs entry is incremented/decremented as shadow pages are created or destroyed. Clearing it will result in an underflow, which is harmless to KVM but ugly (and could be misinterpreted by tools that use debugfs information), so make this particular statistic read-only. Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Cc: kvm-ppc@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 580c79e7e3e50afbd5a69b2b6ab2c61c5225f48e Author: Gomez Iglesias, Antonio Date: Mon Nov 4 12:22:03 2019 +0100 Documentation: Add ITLB_MULTIHIT documentation commit 7f00cc8d4a51074eb0ad4c3f16c15757b1ddfb7d upstream. Add the initial ITLB_MULTIHIT documentation. [ tglx: Add it to the index so it gets actually built. ] Signed-off-by: Antonio Gomez Iglesias Signed-off-by: Nelson D'Souza Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit db5ae6596ae2ba03f66cfeceea4b65e35785600a Author: Tyler Hicks Date: Mon Nov 4 12:22:02 2019 +0100 cpu/speculation: Uninline and export CPU mitigations helpers commit 731dc9df975a5da21237a18c3384f811a7a41cc6 upstream. A kernel module may need to check the value of the "mitigations=" kernel command line parameter as part of its setup when the module needs to perform software mitigations for a CPU flaw. Uninline and export the helper functions surrounding the cpu_mitigations enum to allow for their usage from a module. Lastly, privatize the enum and cpu_mitigations variable since the value of cpu_mitigations can be checked with the exported helper functions. Signed-off-by: Tyler Hicks Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 955607466ace0455164cf391a93c23918022e8e8 Author: Pawan Gupta Date: Mon Nov 4 12:22:01 2019 +0100 x86/cpu: Add Tremont to the cpu vulnerability whitelist commit cad14885a8d32c1c0d8eaa7bf5c0152a22b6080e upstream. Add the new cpu family ATOM_TREMONT_D to the cpu vunerability whitelist. ATOM_TREMONT_D is not affected by X86_BUG_ITLB_MULTIHIT. ATOM_TREMONT_D might have mitigations against other issues as well, but only the ITLB multihit mitigation is confirmed at this point. Signed-off-by: Pawan Gupta Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit f9aa6b73a407b714c9aac44734eb4045c893c6f7 Author: Vineela Tummalapalli Date: Mon Nov 4 12:22:01 2019 +0100 x86/bugs: Add ITLB_MULTIHIT bug infrastructure commit db4d30fbb71b47e4ecb11c4efa5d8aad4b03dfae upstream. Some processors may incur a machine check error possibly resulting in an unrecoverable CPU lockup when an instruction fetch encounters a TLB multi-hit in the instruction TLB. This can occur when the page size is changed along with either the physical address or cache type. The relevant erratum can be found here: https://bugzilla.kernel.org/show_bug.cgi?id=205195 There are other processors affected for which the erratum does not fully disclose the impact. This issue affects both bare-metal x86 page tables and EPT. It can be mitigated by either eliminating the use of large pages or by using careful TLB invalidations when changing the page size in the page tables. Just like Spectre, Meltdown, L1TF and MDS, a new bit has been allocated in MSR_IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) and will be set on CPUs which are mitigated against this issue. Signed-off-by: Vineela Tummalapalli Co-developed-by: Pawan Gupta Signed-off-by: Pawan Gupta Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 415bb221a07038f7a54c4187f1aef1e8e2a4925f Author: Josh Poimboeuf Date: Wed Nov 6 20:26:46 2019 -0600 x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs commit 012206a822a8b6ac09125bfaa210a95b9eb8f1c1 upstream. For new IBRS_ALL CPUs, the Enhanced IBRS check at the beginning of cpu_bugs_smt_update() causes the function to return early, unintentionally skipping the MDS and TAA logic. This is not a problem for MDS, because there appears to be no overlap between IBRS_ALL and MDS-affected CPUs. So the MDS mitigation would be disabled and nothing would need to be done in this function anyway. But for TAA, the TAA_MSG_SMT string will never get printed on Cascade Lake and newer. The check is superfluous anyway: when 'spectre_v2_enabled' is SPECTRE_V2_IBRS_ENHANCED, 'spectre_v2_user' is always SPECTRE_V2_USER_NONE, and so the 'spectre_v2_user' switch statement handles it appropriately by doing nothing. So just remove the check. Fixes: 1b42f017415b ("x86/speculation/taa: Add mitigation for TSX Async Abort") Signed-off-by: Josh Poimboeuf Signed-off-by: Thomas Gleixner Reviewed-by: Tyler Hicks Reviewed-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit 4ad7466ddf2d78ad2e3f700ed69b694b9f232896 Author: Michal Hocko Date: Wed Oct 23 12:35:50 2019 +0200 x86/tsx: Add config options to set tsx=on|off|auto commit db616173d787395787ecc93eef075fa975227b10 upstream. There is a general consensus that TSX usage is not largely spread while the history shows there is a non trivial space for side channel attacks possible. Therefore the tsx is disabled by default even on platforms that might have a safe implementation of TSX according to the current knowledge. This is a fair trade off to make. There are, however, workloads that really do benefit from using TSX and updating to a newer kernel with TSX disabled might introduce a noticeable regressions. This would be especially a problem for Linux distributions which will provide TAA mitigations. Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config setting can be overridden by the tsx cmdline options. [ bp: Text cleanups from Josh. ] Suggested-by: Borislav Petkov Signed-off-by: Michal Hocko Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit e3bf6b3ff55a549cef225bb25724aa7858377c15 Author: Pawan Gupta Date: Wed Oct 23 12:32:55 2019 +0200 x86/speculation/taa: Add documentation for TSX Async Abort commit a7a248c593e4fd7a67c50b5f5318fe42a0db335e upstream. Add the documenation for TSX Async Abort. Include the description of the issue, how to check the mitigation state, control the mitigation, guidance for system administrators. [ bp: Add proper SPDX tags, touch ups by Josh and me. ] Co-developed-by: Antonio Gomez Iglesias Signed-off-by: Pawan Gupta Signed-off-by: Antonio Gomez Iglesias Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Mark Gross Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit 2402432d55576a2c35546c72d19893a21edbf133 Author: Pawan Gupta Date: Wed Oct 23 12:28:57 2019 +0200 x86/tsx: Add "auto" option to the tsx= cmdline parameter commit 7531a3596e3272d1f6841e0d601a614555dc6b65 upstream. Platforms which are not affected by X86_BUG_TAA may want the TSX feature enabled. Add "auto" option to the TSX cmdline parameter. When tsx=auto disable TSX when X86_BUG_TAA is present, otherwise enable TSX. More details on X86_BUG_TAA can be found here: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html [ bp: Extend the arg buffer to accommodate "auto\0". ] Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit a0808f06dfa1adca8e81716cf773db8c8f1c07b9 Author: Pawan Gupta Date: Wed Oct 23 12:23:33 2019 +0200 kvm/x86: Export MDS_NO=0 to guests when TSX is enabled commit e1d38b63acd843cfdd4222bf19a26700fd5c699e upstream. Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX Async Abort(TAA) affected hosts that have TSX enabled and updated microcode. This is required so that the guests don't complain, "Vulnerable: Clear CPU buffers attempted, no microcode" when the host has the updated microcode to clear CPU buffers. Microcode update also adds support for MSR_IA32_TSX_CTRL which is enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR. Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is not exported to the guests. In this case export MDS_NO=0 to the guests. When guests have CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA. Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Tested-by: Neelima Krishnan Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit 15dfa5d706df85506a527c5572be5ff322031a01 Author: Pawan Gupta Date: Wed Oct 23 12:19:51 2019 +0200 x86/speculation/taa: Add sysfs reporting for TSX Async Abort commit 6608b45ac5ecb56f9e171252229c39580cc85f0f upstream. Add the sysfs reporting file for TSX Async Abort. It exposes the vulnerability and the mitigation state similar to the existing files for the other hardware vulnerabilities. Sysfs file path is: /sys/devices/system/cpu/vulnerabilities/tsx_async_abort Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Tested-by: Neelima Krishnan Reviewed-by: Mark Gross Reviewed-by: Tony Luck Reviewed-by: Greg Kroah-Hartman Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit 6c58ea8525bf6df7f4df2692784d2ce315201895 Author: Pawan Gupta Date: Wed Oct 23 11:30:45 2019 +0200 x86/speculation/taa: Add mitigation for TSX Async Abort commit 1b42f017415b46c317e71d41c34ec088417a1883 upstream. TSX Async Abort (TAA) is a side channel vulnerability to the internal buffers in some Intel processors similar to Microachitectural Data Sampling (MDS). In this case, certain loads may speculatively pass invalid data to dependent operations when an asynchronous abort condition is pending in a TSX transaction. This includes loads with no fault or assist condition. Such loads may speculatively expose stale data from the uarch data structures as in MDS. Scope of exposure is within the same-thread and cross-thread. This issue affects all current processors that support TSX, but do not have ARCH_CAP_TAA_NO (bit 8) set in MSR_IA32_ARCH_CAPABILITIES. On CPUs which have their IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0, CPUID.MD_CLEAR=1 and the MDS mitigation is clearing the CPU buffers using VERW or L1D_FLUSH, there is no additional mitigation needed for TAA. On affected CPUs with MDS_NO=1 this issue can be mitigated by disabling the Transactional Synchronization Extensions (TSX) feature. A new MSR IA32_TSX_CTRL in future and current processors after a microcode update can be used to control the TSX feature. There are two bits in that MSR: * TSX_CTRL_RTM_DISABLE disables the TSX sub-feature Restricted Transactional Memory (RTM). * TSX_CTRL_CPUID_CLEAR clears the RTM enumeration in CPUID. The other TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally disabled with updated microcode but still enumerated as present by CPUID(EAX=7).EBX{bit4}. The second mitigation approach is similar to MDS which is clearing the affected CPU buffers on return to user space and when entering a guest. Relevant microcode update is required for the mitigation to work. More details on this approach can be found here: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html The TSX feature can be controlled by the "tsx" command line parameter. If it is force-enabled then "Clear CPU buffers" (MDS mitigation) is deployed. The effective mitigation state can be read from sysfs. [ bp: - massage + comments cleanup - s/TAA_MITIGATION_TSX_DISABLE/TAA_MITIGATION_TSX_DISABLED/g - Josh. - remove partial TAA mitigation in update_mds_branch_idle() - Josh. - s/tsx_async_abort_cmdline/tsx_async_abort_parse_cmdline/g ] Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit b8eb348ae40878a5a0a4de444fa5d2ea8a539f6c Author: Pawan Gupta Date: Wed Oct 23 11:01:53 2019 +0200 x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default commit 95c5824f75f3ba4c9e8e5a4b1a623c95390ac266 upstream. Add a kernel cmdline parameter "tsx" to control the Transactional Synchronization Extensions (TSX) feature. On CPUs that support TSX control, use "tsx=on|off" to enable or disable TSX. Not specifying this option is equivalent to "tsx=off". This is because on certain processors TSX may be used as a part of a speculative side channel attack. Carve out the TSX controlling functionality into a separate compilation unit because TSX is a CPU feature while the TSX async abort control machinery will go to cpu/bugs.c. [ bp: - Massage, shorten and clear the arg buffer. - Clarifications of the tsx= possible options - Josh. - Expand on TSX_CTRL availability - Pawan. ] Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit 37cf9ef900ccb3183c84b2181291b23927cf8002 Author: Pawan Gupta Date: Wed Oct 23 10:52:35 2019 +0200 x86/cpu: Add a helper function x86_read_arch_cap_msr() commit 286836a70433fb64131d2590f4bf512097c255e1 upstream. Add a helper function to read the IA32_ARCH_CAPABILITIES MSR. Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Tested-by: Neelima Krishnan Reviewed-by: Mark Gross Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit 4002d16a2ae1e3bdc0aa36ce5089bd62b4b9eab6 Author: Pawan Gupta Date: Wed Oct 23 10:45:50 2019 +0200 x86/msr: Add the IA32_TSX_CTRL MSR commit c2955f270a84762343000f103e0640d29c7a96f3 upstream. Transactional Synchronization Extensions (TSX) may be used on certain processors as part of a speculative side channel attack. A microcode update for existing processors that are vulnerable to this attack will add a new MSR - IA32_TSX_CTRL to allow the system administrator the option to disable TSX as one of the possible mitigations. The CPUs which get this new MSR after a microcode upgrade are the ones which do not set MSR_IA32_ARCH_CAPABILITIES.MDS_NO (bit 5) because those CPUs have CPUID.MD_CLEAR, i.e., the VERW implementation which clears all CPU buffers takes care of the TAA case as well. [ Note that future processors that are not vulnerable will also support the IA32_TSX_CTRL MSR. ] Add defines for the new IA32_TSX_CTRL MSR and its bits. TSX has two sub-features: 1. Restricted Transactional Memory (RTM) is an explicitly-used feature where new instructions begin and end TSX transactions. 2. Hardware Lock Elision (HLE) is implicitly used when certain kinds of "old" style locks are used by software. Bit 7 of the IA32_ARCH_CAPABILITIES indicates the presence of the IA32_TSX_CTRL MSR. There are two control bits in IA32_TSX_CTRL MSR: Bit 0: When set, it disables the Restricted Transactional Memory (RTM) sub-feature of TSX (will force all transactions to abort on the XBEGIN instruction). Bit 1: When set, it disables the enumeration of the RTM and HLE feature (i.e. it will make CPUID(EAX=7).EBX{bit4} and CPUID(EAX=7).EBX{bit11} read as 0). The other TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally disabled by the new microcode but still enumerated as present by CPUID(EAX=7).EBX{bit4}, unless disabled by IA32_TSX_CTRL_MSR[1] - TSX_CTRL_CPUID_CLEAR. Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Tested-by: Neelima Krishnan Reviewed-by: Mark Gross Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit dbf38b17a892bd1cd06eda6a11b88bbae1875bac Author: Paolo Bonzini Date: Mon Aug 19 17:24:07 2019 +0200 KVM: x86: use Intel speculation bugs and features as derived in generic x86 code commit 0c54914d0c52a15db9954a76ce80fee32cf318f4 upstream. Similar to AMD bits, set the Intel bits from the vendor-independent feature and bug flags, because KVM_GET_SUPPORTED_CPUID does not care about the vendor and they should be set on AMD processors as well. Suggested-by: Jim Mattson Reviewed-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit fee619bb813648ea90bf024171acfaaec2f031fc Author: Ben Hutchings Date: Mon Nov 11 08:13:24 2019 -0800 drm/i915/cmdparser: Fix jump whitelist clearing commit ea0b163b13ffc52818c079adb00d55e227a6da6f upstream. When a jump_whitelist bitmap is reused, it needs to be cleared. Currently this is done with memset() and the size calculation assumes bitmaps are made of 32-bit words, not longs. So on 64-bit architectures, only the first half of the bitmap is cleared. If some whitelist bits are carried over between successive batches submitted on the same context, this will presumably allow embedding the rogue instructions that we're trying to reject. Use bitmap_zero() instead, which gets the calculation right. Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps") Signed-off-by: Ben Hutchings Signed-off-by: Jon Bloomfield Signed-off-by: Greg Kroah-Hartman commit 255ed51599dea571ac15afc676b2705cf2f83975 Author: Imre Deak Date: Mon Jul 9 18:24:27 2018 +0300 drm/i915/gen8+: Add RC6 CTX corruption WA commit 7e34f4e4aad3fd34c02b294a3cf2321adf5b4438 upstream. In some circumstances the RC6 context can get corrupted. We can detect this and take the required action, that is disable RC6 and runtime PM. The HW recovers from the corrupted state after a system suspend/resume cycle, so detect the recovery and re-enable RC6 and runtime PM. v2: rebase (Mika) v3: - Move intel_suspend_gt_powersave() to the end of the GEM suspend sequence. - Add commit message. v4: - Rebased on intel_uncore_forcewake_put(i915->uncore, ...) API change. v5: rebased on gem/gt split (Mika) Signed-off-by: Imre Deak Signed-off-by: Mika Kuoppala Signed-off-by: Greg Kroah-Hartman commit 011b7173cbdbd1a5f1826656693ea51516f15dc1 Author: Uma Shankar Date: Tue Aug 7 21:15:35 2018 +0530 drm/i915: Lower RM timeout to avoid DSI hard hangs commit 1d85a299c4db57c55e0229615132c964d17aa765 upstream. In BXT/APL, device 2 MMIO reads from MIPI controller requires its PLL to be turned ON. When MIPI PLL is turned off (MIPI Display is not active or connected), and someone (host or GT engine) tries to read MIPI registers, it causes hard hang. This is a hardware restriction or limitation. Driver by itself doesn't read MIPI registers when MIPI display is off. But any userspace application can submit unprivileged batch buffer for execution. In that batch buffer there can be mmio reads. And these reads are allowed even for unprivileged applications. If these register reads are for MIPI DSI controller and MIPI display is not active during that time, then the MMIO read operation causes system hard hang and only way to recover is hard reboot. A genuine process/application won't submit batch buffer like this and doesn't cause any issue. But on a compromised system, a malign userspace process/app can generate such batch buffer and can trigger system hard hang (denial of service attack). The fix is to lower the internal MMIO timeout value to an optimum value of 950us as recommended by hardware team. If the timeout is beyond 1ms (which will hit for any value we choose if MMIO READ on a DSI specific register is performed without PLL ON), it causes the system hang. But if the timeout value is lower than it will be below the threshold (even if timeout happens) and system will not get into a hung state. This will avoid a system hang without losing any programming or GT interrupts, taking the worst case of lowest CDCLK frequency and early DC5 abort into account. Signed-off-by: Uma Shankar Reviewed-by: Jon Bloomfield Signed-off-by: Greg Kroah-Hartman commit a7bda639a17fe92b66b8bb28e81b558cb8678c85 Author: Jon Bloomfield Date: Thu Sep 20 09:45:10 2018 -0700 drm/i915/cmdparser: Ignore Length operands during command matching commit 926abff21a8f29ef159a3ac893b05c6e50e043c3 upstream. Some of the gen instruction macros (e.g. MI_DISPLAY_FLIP) have the length directly encoded in them. Since these are used directly in the tables, the Length becomes part of the comparison used for matching during parsing. Thus, if the cmd being parsed has a different length to that in the table, it is not matched and the cmd is accepted via the default variable length path. Fix by masking out everything except the Opcode in the cmd tables Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Jon Bloomfield Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit 6e53c71a69138059c8a4dcd1f9a2967c85fede64 Author: Jon Bloomfield Date: Thu Sep 20 09:58:36 2018 -0700 drm/i915/cmdparser: Add support for backward jumps commit f8c08d8faee5567803c8c533865296ca30286bbf upstream. To keep things manageable, the pre-gen9 cmdparser does not attempt to track any form of nested BB_START's. This did not prevent usermode from using nested starts, or even chained batches because the cmdparser is not strictly enforced pre gen9. Instead, the existence of a nested BB_START would cause the batch to be emitted in insecure mode, and any privileged capabilities would not be available. For Gen9, the cmdparser becomes mandatory (for BCS at least), and so not providing any form of nested BB_START support becomes overly restrictive. Any such batch will simply not run. We make heavy use of backward jumps in igt, and it is much easier to add support for this restricted subset of nested jumps, than to rewrite the whole of our test suite to avoid them. Add the required logic to support limited backward jumps, to instructions that have already been validated by the parser. Note that it's not sufficient to simply approve any BB_START that jumps backwards in the buffer because this would allow an attacker to embed a rogue instruction sequence within the operand words of a harmless instruction (say LRI) and jump to that. We introduce a bit array to track every instr offset successfully validated, and test the target of BB_START against this. If the target offset hits, it is re-written to the same offset in the shadow buffer and the BB_START cmd is allowed. Note: This patch deliberately ignores checkpatch issues in the cmdtables, in order to match the style of the surrounding code. We'll correct the entire file in one go in a later patch. v2: set dispatch secure late (Mika) v3: rebase (Mika) v4: Clear whitelist on each parse Minor review updates (Chris) v5: Correct backward jump batching v6: fix compilation error due to struct eb shuffle (Mika) Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Jon Bloomfield Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit f27bc2b5950dccac563706a764aa0c2d387db8e9 Author: Jon Bloomfield Date: Thu Sep 27 10:23:17 2018 -0700 drm/i915/cmdparser: Use explicit goto for error paths commit 0546a29cd884fb8184731c79ab008927ca8859d0 upstream. In the next patch we will be adding a second valid termination condition which will require a small amount of refactoring to share logic with the BB_END case. Refactor all error conditions to jump to a dedicated exit path, with 'break' reserved only for a successful parse. Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Jon Bloomfield Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit cdd77c6b4be41d35000611e2dc9a17a3db808976 Author: Jon Bloomfield Date: Mon Apr 23 11:12:15 2018 -0700 drm/i915: Add gen9 BCS cmdparsing commit 0f2f39758341df70202ae1c42d5a1e4ee392b6d3 upstream. For gen9 we enable cmdparsing on the BCS ring, specifically to catch inadvertent accesses to sensitive registers Unlike gen7/hsw, we use the parser only to block certain registers. We can rely on h/w to block restricted commands, so the command tables only provide enough info to allow the parser to delineate each command, and identify commands that access registers. Note: This patch deliberately ignores checkpatch issues in favour of matching the style of the surrounding code. We'll correct the entire file in one go in a later patch. Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit fea688c5dd8197fe1ad14a5a2596fee36f993bb8 Author: Jon Bloomfield Date: Wed Aug 1 09:45:50 2018 -0700 drm/i915: Allow parsing of unsized batches commit 435e8fc059dbe0eec823a75c22da2972390ba9e0 upstream. In "drm/i915: Add support for mandatory cmdparsing" we introduced the concept of mandatory parsing. This allows the cmdparser to be invoked even when user passes batch_len=0 to the execbuf ioctl's. However, the cmdparser needs to know the extents of the buffer being scanned. Refactor the code to ensure the cmdparser uses the actual object size, instead of the incoming length, if user passes 0. Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit 7ce726b61c577344655436d6bf49a13e911b6f0a Author: Jon Bloomfield Date: Tue May 22 13:59:06 2018 -0700 drm/i915: Support ro ppgtt mapped cmdparser shadow buffers commit 4f7af1948abcb18b4772fe1bcd84d7d27d96258c upstream. For Gen7, the original cmdparser motive was to permit limited use of register read/write instructions in unprivileged BB's. This worked by copying the user supplied bb to a kmd owned bb, and running it in secure mode, from the ggtt, only if the scanner finds no unsafe commands or registers. For Gen8+ we can't use this same technique because running bb's from the ggtt also disables access to ppgtt space. But we also do not actually require 'secure' execution since we are only trying to reduce the available command/register set. Instead we will copy the user buffer to a kmd owned read-only bb in ppgtt, and run in the usual non-secure mode. Note that ro pages are only supported by ppgtt (not ggtt), but luckily that's exactly what we need. Add the required paths to map the shadow buffer to ppgtt ro for Gen8+ v2: IS_GEN7/IS_GEN (Mika) v3: rebase v4: rebase v5: rebase Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit fc3510fe6f6bcee80279238daf1c5de4d6570210 Author: Jon Bloomfield Date: Wed Aug 1 09:33:59 2018 -0700 drm/i915: Add support for mandatory cmdparsing commit 311a50e76a33d1e029563c24b2ff6db0c02b5afe upstream. The existing cmdparser for gen7 can be bypassed by specifying batch_len=0 in the execbuf call. This is safe because bypassing simply reduces the cmd-set available. In a later patch we will introduce cmdparsing for gen9, as a security measure, which must be strictly enforced since without it we are vulnerable to DoS attacks. Introduce the concept of 'required' cmd parsing that cannot be bypassed by submitting zero-length bb's. v2: rebase (Mika) v2: rebase (Mika) v3: fix conflict on engine flags (Mika) Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit fba4207cf15e462c8b388bde1dabb1b64eca21b0 Author: Jon Bloomfield Date: Fri Jun 8 10:05:26 2018 -0700 drm/i915: Remove Master tables from cmdparser commit 66d8aba1cd6db34af10de465c0d52af679288cb6 upstream. The previous patch has killed support for secure batches on gen6+, and hence the cmdparsers master tables are now dead code. Remove them. Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit f1ff77080fa1828dfd67b3082053da1fbb80dfff Author: Jon Bloomfield Date: Fri Jun 8 08:53:46 2018 -0700 drm/i915: Disable Secure Batches for gen6+ commit 44157641d448cbc0c4b73c5231d2b911f0cb0427 upstream. Retroactively stop reporting support for secure batches through the api for gen6+ so that older binaries trigger the fallback path instead. Older binaries use secure batches pre gen6 to access resources that are not available to normal usermode processes. However, all known userspace explicitly checks for HAS_SECURE_BATCHES before relying on the secure batch feature. Since there are no known binaries relying on this for newer gens we can kill secure batches from gen6, via I915_PARAM_HAS_SECURE_BATCHES. v2: rebase (Mika) v3: rebase (Mika) Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit b4b1abdc6b181cb78a072b95557ae392d423c3eb Author: Jon Bloomfield Date: Fri Apr 20 14:26:01 2018 -0700 drm/i915: Rename gen7 cmdparser tables commit 0a2f661b6c21815a7fa60e30babe975fee8e73c6 upstream. We're about to introduce some new tables for later gens, and the current naming for the gen7 tables will no longer make sense. v2: rebase Signed-off-by: Jon Bloomfield Cc: Tony Luck Cc: Dave Airlie Cc: Takashi Iwai Cc: Tyler Hicks Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit e238e05ec2dc714a32955c3a7e316f462e6743c9 Author: Stefano Garzarella Date: Fri Nov 8 17:08:50 2019 +0100 vsock/virtio: fix sock refcnt holding during the shutdown [ Upstream commit ad8a7220355d39cddce8eac1cea9677333e8b821 ] The "42f5cda5eaf4" commit rightly set SOCK_DONE on peer shutdown, but there is an issue if we receive the SHUTDOWN(RDWR) while the virtio_transport_close_timeout() is scheduled. In this case, when the timeout fires, the SOCK_DONE is already set and the virtio_transport_close_timeout() will not call virtio_transport_reset() and virtio_transport_do_close(). This causes that both sockets remain open and will never be released, preventing the unloading of [virtio|vhost]_transport modules. This patch fixes this issue, calling virtio_transport_reset() and virtio_transport_do_close() when we receive the SHUTDOWN(RDWR) and there is nothing left to read. Fixes: 42f5cda5eaf4 ("vsock/virtio: set SOCK_DONE on peer shutdown") Cc: Stephen Barber Signed-off-by: Stefano Garzarella Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2e7e3f16901d7575b9455d84587ba911f04e875f Author: Steve Moskovchenko Date: Tue Apr 2 23:28:56 2019 -0700 iio: imu: mpu6050: Fix FIFO layout for ICM20602 [ Upstream commit 1615fe41a1959a2ee2814ba62736b2bb54e9802a ] The MPU6050 driver has recently gained support for the ICM20602 IMU, which is very similar to MPU6xxx. However, the ICM20602's FIFO data specifically includes temperature readings, which were not present on MPU6xxx parts. As a result, the driver will under-read the ICM20602's FIFO register, causing the same (partial) sample to be returned for all reads, until the FIFO overflows. Fix this by adding a table of scan elements specifically for the ICM20602, which takes the extra temperature data into consideration. While we're at it, fix the temperature offset and scaling on ICM20602, since it uses different scale/offset constants than the rest of the MPU6xxx devices. Signed-off-by: Steve Moskovchenko Fixes: 22904bdff978 ("iio: imu: mpu6050: Add support for the ICM 20602 IMU") Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 99ea48af7bd9366633b1887f8463027268254a56 Author: Eric Dumazet Date: Mon Nov 4 21:38:43 2019 -0800 net: prevent load/store tearing on sk->sk_stamp [ Upstream commit f75359f3ac855940c5718af10ba089b8977bf339 ] Add a couple of READ_ONCE() and WRITE_ONCE() to prevent load-tearing and store-tearing in sock_read_timestamp() and sock_write_timestamp() This might prevent another KCSAN report. Fixes: 3a0ed3e96197 ("sock: Make sock->sk_stamp thread-safe") Signed-off-by: Eric Dumazet Cc: Deepa Dinamani Acked-by: Deepa Dinamani Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d32629dcd1e5de76185dbff8fb2b1f3f28a2aa52 Author: Stefano Brivio Date: Thu Oct 10 19:18:14 2019 +0200 netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets [ Upstream commit 97664bc2c77e2b65cdedddcae2643fc93291d958 ] Same as commit 1b4a75108d5b ("netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets"), another copy and paste went wrong in commit 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets"). When I fixed this for IPv4 in 1b4a75108d5b, I didn't realise that hash:ip,mac sets also support IPv6 as family, and this is covered by a separate function, hash_ipmac6_kadt(). In hash:ip,mac sets, the first dimension is the IP address, and the second dimension is the MAC address: check the IPSET_DIM_TWO_SRC flag in flags while deciding which MAC address to copy, destination or source. This way, mixing source and destination matches for the two dimensions of ip,mac hash type works as expected, also for IPv6. With this setup: ip netns add A ip link add veth1 type veth peer name veth2 netns A ip addr add 2001:db8::1/64 dev veth1 ip -net A addr add 2001:db8::2/64 dev veth2 ip link set veth1 up ip -net A link set veth2 up dst=$(ip netns exec A cat /sys/class/net/veth2/address) ip netns exec A ipset create test_hash hash:ip,mac family inet6 ip netns exec A ipset add test_hash 2001:db8::1,${dst} ip netns exec A ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT ip netns exec A ip6tables -A INPUT -m set ! --match-set test_hash src,dst -j DROP ipset now correctly matches a test packet: # ping -c1 2001:db8::2 >/dev/null # echo $? 0 Reported-by: Chen, Yi Fixes: 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik Signed-off-by: Sasha Levin commit 5833560d54fdf7a33bdde78bf45bfdc67a297e86 Author: Suwan Kim Date: Tue Oct 22 18:30:17 2019 +0900 usbip: Fix free of unallocated memory in vhci tx [ Upstream commit d4d8257754c3300ea2a465dadf8d2b02c713c920 ] iso_buffer should be set to NULL after use and free in the while loop. In the case of isochronous URB in the while loop, iso_buffer is allocated and after sending it to server, buffer is deallocated. And then, if the next URB in the while loop is not a isochronous pipe, iso_buffer still holds the previously deallocated buffer address and kfree tries to free wrong buffer address. Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver") Reported-by: kbuild test robot Reported-by: Julia Lawall Signed-off-by: Suwan Kim Reviewed-by: Julia Lawall Acked-by: Shuah Khan Link: https://lore.kernel.org/r/20191022093017.8027-1-suwan.kim027@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6890b4bc3d2bd1716f63d1c1db91a397876cd82a Author: Tejun Heo Date: Fri Nov 8 12:18:29 2019 -0800 cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead commit 65de03e251382306a4575b1779c57c87889eee49 upstream. cgroup writeback tries to refresh the associated wb immediately if the current wb is dead. This is to avoid keeping issuing IOs on the stale wb after memcg - blkcg association has changed (ie. when blkcg got disabled / enabled higher up in the hierarchy). Unfortunately, the logic gets triggered spuriously on inodes which are associated with dead cgroups. When the logic is triggered on dead cgroups, the attempt fails only after doing quite a bit of work allocating and initializing a new wb. While c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if mapping has no dirty pages") alleviated the issue significantly as it now only triggers when the inode has dirty pages. However, the condition can still be triggered before the inode is switched to a different cgroup and the logic simply doesn't make sense. Skip the immediate switching if the associated memcg is dying. This is a simplified version of the following two patches: * https://lore.kernel.org/linux-mm/20190513183053.GA73423@dennisz-mbp/ * http://lkml.kernel.org/r/156355839560.2063.5265687291430814589.stgit@buzz Cc: Konstantin Khlebnikov Fixes: e8a7abf5a5bd ("writeback: disassociate inodes from dying bdi_writebacks") Acked-by: Dennis Zhou Signed-off-by: Tejun Heo Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit d3b3c0a14615c495118acc4bdca23d53eea46ed2 Author: Konstantin Khlebnikov Date: Mon Sep 23 15:34:45 2019 -0700 mm/filemap.c: don't initiate writeback if mapping has no dirty pages commit c3aab9a0bd91b696a852169479b7db1ece6cbf8c upstream. Functions like filemap_write_and_wait_range() should do nothing if inode has no dirty pages or pages currently under writeback. But they anyway construct struct writeback_control and this does some atomic operations if CONFIG_CGROUP_WRITEBACK=y - on fast path it locks inode->i_lock and updates state of writeback ownership, on slow path might be more work. Current this path is safely avoided only when inode mapping has no pages. For example generic_file_read_iter() calls filemap_write_and_wait_range() at each O_DIRECT read - pretty hot path. This patch skips starting new writeback if mapping has no dirty tags set. If writeback is already in progress filemap_write_and_wait_range() will wait for it. Link: http://lkml.kernel.org/r/156378816804.1087.8607636317907921438.stgit@buzz Signed-off-by: Konstantin Khlebnikov Reviewed-by: Jan Kara Cc: Tejun Heo Cc: Jens Axboe Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 285eb6af435179562bcff22da727bf23532943e1 Author: Jean-Baptiste Maneyrol Date: Wed Oct 16 14:43:28 2019 +0000 iio: imu: inv_mpu6050: fix no data on MPU6050 [ Upstream commit 6e82ae6b8d11b948b74e71396efd8e074c415f44 ] Some chips have a fifo overflow bit issue where the bit is always set. The result is that every data is dropped. Change fifo overflow management by checking fifo count against a maximum value. Add fifo size in chip hardware set of values. Fixes: f5057e7b2dba ("iio: imu: inv_mpu6050: better fifo overflow handling") Cc: stable@vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit d888a80727ab578761be2217c397308383614cad Author: Randolph Maaßen Date: Mon Jan 28 19:50:03 2019 +0100 iio: imu: mpu6050: Add support for the ICM 20602 IMU [ Upstream commit 22904bdff97839960bd98b3452a583b1daee628b ] The Invensense ICM-20602 is a 6-axis MotionTracking device that combines a 3-axis gyroscope and an 3-axis accelerometer. It is very similar to the ICM-20608 imu which is already supported by the mpu6050 driver. The main difference is that the ICM-20602 has the i2c bus disable bit in a separate register. Signed-off-by: Randolph Maaßen Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 522128128dec59914af58649c1be87ea9841743e Author: Tejun Heo Date: Tue Nov 5 08:09:51 2019 -0800 blkcg: make blkcg_print_stat() print stats only for online blkgs [ Upstream commit b0814361a25cba73a224548843ed92d8ea78715a ] blkcg_print_stat() iterates blkgs under RCU and doesn't test whether the blkg is online. This can call into pd_stat_fn() on a pd which is still being initialized leading to an oops. The heaviest operation - recursively summing up rwstat counters - is already done while holding the queue_lock. Expand queue_lock to cover the other operations and skip the blkg if it isn't online yet. The online state is protected by both blkcg and queue locks, so this guarantees that only online blkgs are processed. Signed-off-by: Tejun Heo Reported-by: Roman Gushchin Cc: Josef Bacik Fixes: 903d23f0a354 ("blk-cgroup: allow controllers to output their own stats") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 30b969392cf25a586a856a5de73cb8acbe6345da Author: Hans de Goede Date: Fri Oct 18 11:08:42 2019 +0200 pinctrl: cherryview: Fix irq_valid_mask calculation [ Upstream commit 63bdef6cd6941917c823b9cc9aa0219d19fcb716 ] Commit 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation") has made the cherryview gpio numbers sparse, to get a 1:1 mapping between ACPI pin numbers and gpio numbers in Linux. This has greatly simplified things, but the code setting the irq_valid_mask was not updated for this, so the valid mask is still in the old "compressed" numbering with the gaps in the pin numbers skipped, which is wrong as irq_valid_mask needs to be expressed in gpio numbers. This results in the following error on devices using pin 24 (0x0018) on the north GPIO controller as an ACPI event source: [ 0.422452] cherryview-pinctrl INT33FF:01: Failed to translate GPIO to IRQ This has been reported (by email) to be happening on a Caterpillar CAT T20 tablet and I've reproduced this myself on a Medion Akoya e2215t 2-in-1. This commit uses the pin number instead of the compressed index into community->pins to clear the correct bits in irq_valid_mask for GPIOs using GPEs for interrupts, fixing these errors and in case of the Medion Akoya e2215t also fixing the LID switch not working. Cc: stable@vger.kernel.org Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation") Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin commit ca79bb7e1168726a64f5dfbe409e9d9b3e1350e1 Author: Shuning Zhang Date: Tue Nov 5 21:16:34 2019 -0800 ocfs2: protect extent tree in ocfs2_prepare_inode_for_write() [ Upstream commit e74540b285569d2b1e14fe7aee92297078f235ce ] When the extent tree is modified, it should be protected by inode cluster lock and ip_alloc_sem. The extent tree is accessed and modified in the ocfs2_prepare_inode_for_write, but isn't protected by ip_alloc_sem. The following is a case. The function ocfs2_fiemap is accessing the extent tree, which is modified at the same time. kernel BUG at fs/ocfs2/extent_map.c:475! invalid opcode: 0000 [#1] SMP Modules linked in: tun ocfs2 ocfs2_nodemanager configfs ocfs2_stackglue [...] CPU: 16 PID: 14047 Comm: o2info Not tainted 4.1.12-124.23.1.el6uek.x86_64 #2 Hardware name: Oracle Corporation ORACLE SERVER X7-2L/ASM, MB MECH, X7-2L, BIOS 42040600 10/19/2018 task: ffff88019487e200 ti: ffff88003daa4000 task.ti: ffff88003daa4000 RIP: ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2] Call Trace: ocfs2_fiemap+0x1e3/0x430 [ocfs2] do_vfs_ioctl+0x155/0x510 SyS_ioctl+0x81/0xa0 system_call_fastpath+0x18/0xd8 Code: 18 48 c7 c6 60 7f 65 a0 31 c0 bb e2 ff ff ff 48 8b 4a 40 48 8b 7a 28 48 c7 c2 78 2d 66 a0 e8 38 4f 05 00 e9 28 fe ff ff 0f 1f 00 <0f> 0b 66 0f 1f 44 00 00 bb 86 ff ff ff e9 13 fe ff ff 66 0f 1f RIP ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2] ---[ end trace c8aa0c8180e869dc ]--- Kernel panic - not syncing: Fatal exception Kernel Offset: disabled This issue can be reproduced every week in a production environment. This issue is related to the usage mode. If others use ocfs2 in this mode, the kernel will panic frequently. [akpm@linux-foundation.org: coding style fixes] [Fix new warning due to unused function by removing said function - Linus ] Link: http://lkml.kernel.org/r/1568772175-2906-2-git-send-email-sunny.s.zhang@oracle.com Signed-off-by: Shuning Zhang Reviewed-by: Junxiao Bi Reviewed-by: Gang He Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Changwei Ge Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 2c655a11196899636a03d4d3d989c08c017fa24b Author: Andy Shevchenko Date: Mon Oct 14 12:51:04 2019 +0300 pinctrl: intel: Avoid potential glitches if pin is in GPIO mode [ Upstream commit 29c2c6aa32405dfee4a29911a51ba133edcedb0f ] When consumer requests a pin, in order to be on the safest side, we switch it first to GPIO mode followed by immediate transition to the input state. Due to posted writes it's luckily to be a single I/O transaction. However, if firmware or boot loader already configures the pin to the GPIO mode, user expects no glitches for the requested pin. We may check if the pin is pre-configured and leave it as is till the actual consumer toggles its state to avoid glitches. Fixes: 7981c0015af2 ("pinctrl: intel: Add Intel Sunrisepoint pin controller and GPIO support") Depends-on: f5a26acf0162 ("pinctrl: intel: Initialize GPIO properly when used through irqchip") Cc: stable@vger.kernel.org Cc: fei.yang@intel.com Reported-by: Oliver Barta Reported-by: Malin Jonsson Signed-off-by: Andy Shevchenko Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin commit 713adf6dd32723d8d8b1dbb0d1d36c46adf722d5 Author: Wenwen Wang Date: Mon Aug 12 00:59:21 2019 -0500 e1000: fix memory leaks [ Upstream commit 8472ba62154058b64ebb83d5f57259a352d28697 ] In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if e1000_up() fails, leading to memory leaks. Refactor the code to fix this issue. Signed-off-by: Wenwen Wang Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 4a05571772cc9a002542ff14a1adff6908a851ee Author: Manfred Rudigier Date: Thu Aug 15 13:55:20 2019 -0700 igb: Fix constant media auto sense switching when no cable is connected [ Upstream commit 8d5cfd7f76a2414e23c74bb8858af7540365d985 ] At least on the i350 there is an annoying behavior that is maybe also present on 82580 devices, but was probably not noticed yet as MAS is not widely used. If no cable is connected on both fiber/copper ports the media auto sense code will constantly swap between them as part of the watchdog task and produce many unnecessary kernel log messages. The swap code responsible for this behavior (switching to fiber) should not be executed if the current media type is copper and there is no signal detected on the fiber port. In this case we can safely wait until the AUTOSENSE_EN bit is cleared. Signed-off-by: Manfred Rudigier Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 1baab8352d80e7ac2b2d2785b7962c6af10c633c Author: Chuhong Yuan Date: Fri Nov 1 20:17:25 2019 +0800 net: ethernet: arc: add the missed clk_disable_unprepare [ Upstream commit 4202e219edd6cc164c042e16fa327525410705ae ] The remove misses to disable and unprepare priv->macclk like what is done when probe fails. Add the missed call in remove. Signed-off-by: Chuhong Yuan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 24523745ed41373c7d62b1556525623e5b0c5c6a Author: Trond Myklebust Date: Thu Oct 31 18:40:32 2019 -0400 NFSv4: Don't allow a cached open with a revoked delegation [ Upstream commit be3df3dd4c70ee020587a943a31b98a0fb4b6424 ] If the delegation is marked as being revoked, we must not use it for cached opens. Fixes: 869f9dfa4d6d ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 440a748ed6df3dc0f1488e0e704821d159295eab Author: Felipe Balbi Date: Thu Oct 31 11:07:13 2019 +0200 usb: dwc3: gadget: fix race when disabling ep with cancelled xfers [ Upstream commit d8eca64eec7103ab1fbabc0a187dbf6acfb2af93 ] When disabling an endpoint which has cancelled requests, we should make sure to giveback requests that are currently pending in the cancelled list, otherwise we may fall into a situation where command completion interrupt fires after endpoint has been disabled, therefore causing a splat. Fixes: fec9095bdef4 "usb: dwc3: gadget: remove wait_end_transfer" Reported-by: Roger Quadros Signed-off-by: Felipe Balbi Link: https://lore.kernel.org/r/20191031090713.1452818-1-felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e66f52eb3f292b7f70376c512d8e11d9d58241a0 Author: Haiyang Zhang Date: Wed Oct 30 15:32:13 2019 +0000 hv_netvsc: Fix error handling in netvsc_attach() [ Upstream commit 719b85c336ed35565d0f3982269d6f684087bb00 ] If rndis_filter_open() fails, we need to remove the rndis device created in earlier steps, before returning an error code. Otherwise, the retry of netvsc_attach() from its callers will fail and hang. Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic") Signed-off-by: Haiyang Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 99d5f18cebbf3f01f269368923e9b9c3ac134700 Author: Michael Strauss Date: Thu Oct 3 11:54:15 2019 -0400 drm/amd/display: Passive DP->HDMI dongle detection fix [ Upstream commit bc2fde42e2418808dbfc04de1a6da91d7d31cf1a ] [WHY] i2c_read is called to differentiate passive DP->HDMI and DP->DVI-D dongles The call is expected to fail in DVI-D case but pass in HDMI case Some HDMI dongles have a chance to fail as well, causing misdetection as DVI-D [HOW] Retry i2c_read to ensure failed result is valid Signed-off-by: Michael Strauss Reviewed-by: Tony Cheng Acked-by: Leo Li Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e5edbf9c45cec143526d9d1708d216228a197cd8 Author: Andrey Grodzovsky Date: Thu Oct 24 15:44:10 2019 -0400 drm/amdgpu: If amdgpu_ib_schedule fails return back the error. [ Upstream commit 57c0f58e9f562089de5f0b60da103677d232374c ] Use ERR_PTR to return back the error happened during amdgpu_ib_schedule. Signed-off-by: Andrey Grodzovsky Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit b651ddc15e7adfe6ce969a5dc2787281ac12214a Author: Takashi Iwai Date: Mon Oct 21 17:17:21 2019 +0200 iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 [ Upstream commit ad3e8da2d422c63c13819a53d3c5ea9312cc0b9d ] Acer Aspire A315-41 requires the very same workaround as the existing quirk for Dell Latitude 5495. Add the new entry for that. BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1137799 Signed-off-by: Takashi Iwai Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 214e4f0ecdd1e697387f738d84cf56619dd17f86 Author: Vladimir Oltean Date: Sat Oct 26 21:04:27 2019 +0300 net: mscc: ocelot: refuse to overwrite the port's native vlan [ Upstream commit b9cd75e6689560140dadaed98eb4b41aad75d55d ] The switch driver keeps a "vid" variable per port, which signifies _the_ VLAN ID that is stripped on that port's egress (aka the native VLAN on a trunk port). That is the way the hardware is designed (mostly). The port->vid is programmed into REW:PORT:PORT_VLAN_CFG:PORT_VID and the rewriter is told to send all traffic as tagged except the one having port->vid. There exists a possibility of finer-grained egress untagging decisions: using the VCAP IS1 engine, one rule can be added to match every VLAN-tagged frame whose VLAN should be untagged, and set POP_CNT=1 as action. However, the IS1 can hold at most 512 entries, and the VLANs are in the order of 6 * 4096. So the code is fine for now. But this sequence of commands: $ bridge vlan add dev swp0 vid 1 pvid untagged $ bridge vlan add dev swp0 vid 2 untagged makes untagged and pvid-tagged traffic be sent out of swp0 as tagged with VID 1, despite user's request. Prevent that from happening. The user should temporarily remove the existing untagged VLAN (1 in this case), add it back as tagged, and then add the new untagged VLAN (2 in this case). Cc: Antoine Tenart Cc: Alexandre Belloni Fixes: 7142529f1688 ("net: mscc: ocelot: add VLAN filtering") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Acked-by: Alexandre Belloni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5aedcc8aa8be3e0bb280a812e1a08e767cda70f2 Author: Vladimir Oltean Date: Sat Oct 26 21:04:26 2019 +0300 net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before link is up [ Upstream commit 1c44ce560b4de639f237b458be1729489ff44d0a ] Background information: the driver operates the hardware in a mode where a single VLAN can be transmitted as untagged on a particular egress port. That is the "native VLAN on trunk port" use case. Its value is held in port->vid. Consider the following command sequence (no network manager, all interfaces are down, debugging prints added by me): $ ip link add dev br0 type bridge vlan_filtering 1 $ ip link set dev swp0 master br0 Kernel code path during last command: br_add_slave -> ocelot_netdevice_port_event (NETDEV_CHANGEUPPER): [ 21.401901] ocelot_vlan_port_apply: port 0 vlan aware 0 pvid 0 vid 0 br_add_slave -> nbp_vlan_init -> switchdev_port_attr_set -> ocelot_port_attr_set (SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING): [ 21.413335] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 0 vid 0 br_add_slave -> nbp_vlan_init -> nbp_vlan_add -> br_switchdev_port_vlan_add -> switchdev_port_obj_add -> ocelot_port_obj_add -> ocelot_vlan_vid_add [ 21.667421] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 1 So far so good. The bridge has replaced the driver's default pvid used in standalone mode (0) with its own default_pvid (1). The port's vid (native VLAN) has also changed from 0 to 1. $ ip link set dev swp0 up [ 31.722956] 8021q: adding VLAN 0 to HW filter on device swp0 do_setlink -> dev_change_flags -> vlan_vid_add -> ocelot_vlan_rx_add_vid -> ocelot_vlan_vid_add: [ 31.728700] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 0 The 8021q module uses the .ndo_vlan_rx_add_vid API on .ndo_open to make ports be able to transmit and receive 802.1p-tagged traffic by default. This API is supposed to offload a VLAN sub-interface, which for a switch port means to add a VLAN that is not a pvid, and tagged on egress. But the driver implementation of .ndo_vlan_rx_add_vid is wrong: it adds back vid 0 as "egress untagged". Now back to the initial paragraph: there is a single untagged VID that the driver keeps track of, and that has just changed from 1 (the pvid) to 0. So this breaks the bridge core's expectation, because it has changed vid 1 from untagged to tagged, when what the user sees is. $ bridge vlan port vlan ids swp0 1 PVID Egress Untagged br0 1 PVID Egress Untagged But curiously, instead of manifesting itself as "untagged and pvid-tagged traffic gets sent as tagged on egress", the bug: - is hidden when vlan_filtering=0 - manifests as dropped traffic when vlan_filtering=1, due to this setting: if (port->vlan_aware && !port->vid) /* If port is vlan-aware and tagged, drop untagged and priority * tagged frames. */ val |= ANA_PORT_DROP_CFG_DROP_UNTAGGED_ENA | ANA_PORT_DROP_CFG_DROP_PRIO_S_TAGGED_ENA | ANA_PORT_DROP_CFG_DROP_PRIO_C_TAGGED_ENA; which would have made sense if it weren't for this bug. The setting's intention was "this is a trunk port with no native VLAN, so don't accept untagged traffic". So the driver was never expecting to set VLAN 0 as the value of the native VLAN, 0 was just encoding for "invalid". So the fix is to not send 802.1p traffic as untagged, because that would change the port's native vlan to 0, unbeknownst to the bridge, and trigger unexpected code paths in the driver. Cc: Antoine Tenart Cc: Alexandre Belloni Fixes: 7142529f1688 ("net: mscc: ocelot: add VLAN filtering") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Acked-by: Alexandre Belloni Reviewed-by: Horatiu Vultur Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3b956e63e2f39ac3a17e1064546c30d331dc85b0 Author: Jiangfeng Xiao Date: Fri Oct 25 21:48:22 2019 +0800 net: hisilicon: Fix "Trying to free already-free IRQ" [ Upstream commit 63a41746827cb16dc6ad0d4d761ab4e7dda7a0c3 ] When rmmod hip04_eth.ko, we can get the following warning: Task track: rmmod(1623)>bash(1591)>login(1581)>init(1) ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac() Trying to free already-free IRQ 200 Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv CPU: 0 PID: 1623 Comm: rmmod Tainted: G O 4.4.193 #1 Hardware name: Hisilicon A15 [] (rtos_unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0xa0/0xd8) [] (dump_stack) from [] (warn_slowpath_common+0x84/0xb0) [] (warn_slowpath_common) from [] (warn_slowpath_fmt+0x3c/0x68) [] (warn_slowpath_fmt) from [] (__free_irq+0xa4/0x2ac) [] (__free_irq) from [] (free_irq+0x60/0x7c) [] (free_irq) from [] (release_nodes+0x1c4/0x1ec) [] (release_nodes) from [] (__device_release_driver+0xa8/0x104) [] (__device_release_driver) from [] (driver_detach+0xd0/0xf8) [] (driver_detach) from [] (bus_remove_driver+0x64/0x8c) [] (bus_remove_driver) from [] (SyS_delete_module+0x198/0x1e0) [] (SyS_delete_module) from [] (__sys_trace_return+0x0/0x10) ---[ end trace bb25d6123d849b44 ]--- Currently "rmmod hip04_eth.ko" call free_irq more than once as devres_release_all and hip04_remove both call free_irq. This results in a 'Trying to free already-free IRQ' warning. To solve the problem free_irq has been moved out of hip04_remove. Signed-off-by: Jiangfeng Xiao Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f09b99c883e82fd5d28a529e11e66c2e887da636 Author: Will Deacon Date: Fri Oct 25 12:06:02 2019 +0100 fjes: Handle workqueue allocation failure [ Upstream commit 85ac30fa2e24f628e9f4f9344460f4015d33fd7d ] In the highly unlikely event that we fail to allocate either of the "/txrx" or "/control" workqueues, we should bail cleanly rather than blindly march on with NULL queue pointer(s) installed in the 'fjes_adapter' instance. Cc: "David S. Miller" Reported-by: Nicolas Waisman Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Signed-off-by: Will Deacon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6376736d016f71ed1d70ee0eb78583c8b29d0852 Author: Anton Eidelman Date: Fri Oct 18 11:32:50 2019 -0700 nvme-multipath: fix possible io hang after ctrl reconnect [ Upstream commit af8fd0424713a2adb812d10d55e86718152cf656 ] The following scenario results in an IO hang: 1) ctrl completes a request with NVME_SC_ANA_TRANSITION. NVME_NS_ANA_PENDING bit in ns->flags is set and ana_work is triggered. 2) ana_work: nvme_read_ana_log() tries to get the ANA log page from the ctrl. This fails because ctrl disconnects. Therefore nvme_update_ns_ana_state() is not called and NVME_NS_ANA_PENDING bit in ns->flags is not cleared. 3) ctrl reconnects: nvme_mpath_init(ctrl,...) calls nvme_read_ana_log(ctrl, groups_only=true). However, nvme_update_ana_state() does not update namespaces because nr_nsids = 0 (due to groups_only mode). 4) scan_work calls nvme_validate_ns() finds the ns and re-validates OK. Result: The ctrl is now live but NVME_NS_ANA_PENDING bit in ns->flags is still set. Consequently ctrl will never be considered a viable path by __nvme_find_path(). IO will hang if ctrl is the only or the last path to the namespace. More generally, while ctrl is reconnecting, its ANA state may change. And because nvme_mpath_init() requests ANA log in groups_only mode, these changes are not propagated to the existing ctrl namespaces. This may result in a mal-function or an IO hang. Solution: nvme_mpath_init() will nvme_read_ana_log() with groups_only set to false. This will not harm the new ctrl case (no namespaces present), and will make sure the ANA state of namespaces gets updated after reconnect. Note: Another option would be for nvme_mpath_init() to invoke nvme_parse_ana_log(..., nvme_set_ns_ana_state) for each existing namespace. Reviewed-by: Sagi Grimberg Signed-off-by: Anton Eidelman Signed-off-by: Keith Busch Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 1372527e6876d36786f9f56b9e71ce97bf0dd5d8 Author: Nicholas Piggin Date: Thu Oct 24 16:38:04 2019 +1000 scsi: qla2xxx: stop timer in shutdown path [ Upstream commit d3566abb1a1e7772116e4d50fb6a58d19c9802e5 ] In shutdown/reboot paths, the timer is not stopped: qla2x00_shutdown pci_device_shutdown device_shutdown kernel_restart_prepare kernel_restart sys_reboot This causes lockups (on powerpc) when firmware config space access calls are interrupted by smp_send_stop later in reboot. Fixes: e30d1756480dc ("[SCSI] qla2xxx: Addition of shutdown callback handler.") Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.com Signed-off-by: Nicholas Piggin Acked-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f2bab3ed456cc405471f8735e1c325491ca7278b Author: Lijun Ou Date: Sat Oct 26 14:56:35 2019 +0800 RDMA/hns: Prevent memory leaks of eq->buf_list [ Upstream commit b681a0529968d2261aa15d7a1e78801b2c06bb07 ] eq->buf_list->buf and eq->buf_list should also be freed when eqe_hop_num is set to 0, or there will be memory leaks. Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08") Link: https://lore.kernel.org/r/1572072995-11277-3-git-send-email-liweihang@hisilicon.com Signed-off-by: Lijun Ou Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 55ca083474872de81033ec64585005fcf3cb0304 Author: Potnuri Bharat Teja Date: Fri Oct 25 18:04:40 2019 +0530 RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case [ Upstream commit d4934f45693651ea15357dd6c7c36be28b6da884 ] _put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by process_work(). fix double free by freeing the skb only in process_work(). Fixes: 1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers") Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.com Signed-off-by: Dakshaja Uppalapati Signed-off-by: Potnuri Bharat Teja Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e36be7959326f3b49653e64f46612ca6a5b98fd2 Author: GwanYeong Kim Date: Fri Oct 18 03:22:23 2019 +0000 usbip: tools: Fix read_usb_vudc_device() error path handling [ Upstream commit 28df0642abbf6d66908a2858922a7e4b21cdd8c2 ] This isn't really accurate right. fread() doesn't always return 0 in error. It could return < number of elements and set errno. Signed-off-by: GwanYeong Kim Acked-by: Shuah Khan Link: https://lore.kernel.org/r/20191018032223.4644-1-gy741.kim@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cd9561a53d263745f48768e23b02d08bdde1c5b3 Author: Johan Hovold Date: Tue Oct 22 16:32:03 2019 +0200 USB: ldusb: use unsigned size format specifiers [ Upstream commit 88f6bf3846ee90bf33aa1ce848cd3bfb3229f4a4 ] A recent info-leak bug manifested itself along with warning about a negative buffer overflow: ldusb 1-1:0.28: Read buffer overflow, -131383859965943 bytes dropped when it was really a rather large positive one. A sanity check that prevents this has now been put in place, but let's fix up the size format specifiers, which should all be unsigned. Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20191022143203.5260-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c753113ae714e0329e5fe926da07e325c83aad66 Author: Alan Stern Date: Mon Oct 28 10:52:35 2019 -0400 USB: Skip endpoints with 0 maxpacket length [ Upstream commit d482c7bb0541d19dea8bff437a9f3c5563b5b2d2 ] Endpoints with a maxpacket length of 0 are probably useless. They can't transfer any data, and it's not at all unlikely that an HCD will crash or hang when trying to handle an URB for such an endpoint. Currently the USB core does not check for endpoints having a maxpacket value of 0. This patch adds a check, printing a warning and skipping over any endpoints it catches. Now, the USB spec does not rule out endpoints having maxpacket = 0. But since they wouldn't have any practical use, there doesn't seem to be any good reason for us to accept them. Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ef38f4d123d069abad8ef4bf73a3dfcafe69f2be Author: Kan Liang Date: Fri Oct 25 07:43:13 2019 -0700 perf/x86/uncore: Fix event group support [ Upstream commit 75be6f703a141b048590d659a3954c4fedd30bba ] The events in the same group don't start or stop simultaneously. Here is the ftrace when enabling event group for uncore_iio_0: # perf stat -e "{uncore_iio_0/event=0x1/,uncore_iio_0/event=0xe/}" -0 [000] d.h. 8959.064832: read_msr: a41, value b2b0b030 //Read counter reg of IIO unit0 counter0 -0 [000] d.h. 8959.064835: write_msr: a48, value 400001 //Write Ctrl reg of IIO unit0 counter0 to enable counter0. <------ Although counter0 is enabled, Unit Ctrl is still freezed. Nothing will count. We are still good here. -0 [000] d.h. 8959.064836: read_msr: a40, value 30100 //Read Unit Ctrl reg of IIO unit0 -0 [000] d.h. 8959.064838: write_msr: a40, value 30000 //Write Unit Ctrl reg of IIO unit0 to enable all counters in the unit by clear Freeze bit <------Unit0 is un-freezed. Counter0 has been enabled. Now it starts counting. But counter1 has not been enabled yet. The issue starts here. -0 [000] d.h. 8959.064846: read_msr: a42, value 0 //Read counter reg of IIO unit0 counter1 -0 [000] d.h. 8959.064847: write_msr: a49, value 40000e //Write Ctrl reg of IIO unit0 counter1 to enable counter1. <------ Now, counter1 just starts to count. Counter0 has been running for a while. Current code un-freezes the Unit Ctrl right after the first counter is enabled. The subsequent group events always loses some counter values. Implement pmu_enable and pmu_disable support for uncore, which can help to batch hardware accesses. No one uses uncore_enable_box and uncore_disable_box. Remove them. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Mark Rutland Cc: Namhyung Kim Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: linux-drivers-review@eclists.intel.com Cc: linux-perf@eclists.intel.com Fixes: 087bfbb03269 ("perf/x86: Add generic Intel uncore PMU support") Link: https://lkml.kernel.org/r/1572014593-31591-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit f14751658a015cd74deb06d7650ce4ff857d9fad Author: Kim Phillips Date: Wed Oct 23 10:09:55 2019 -0500 perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) [ Upstream commit e431e79b60603079d269e0c2a5177943b95fa4b6 ] This saves us writing the IBS control MSR twice when disabling the event. I searched revision guides for all families since 10h, and did not find occurrence of erratum #420, nor anything remotely similar: so we isolate the secondary MSR write to family 10h only. Also unconditionally update the count mask for IBS Op implementations that have read & writeable current count (CurCnt) fields in addition to the MaxCnt field. These bits were reserved on prior implementations, and therefore shouldn't have negative impact. Signed-off-by: Kim Phillips Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Borislav Petkov Cc: H. Peter Anvin Cc: Jiri Olsa Cc: Linus Torvalds Cc: Mark Rutland Cc: Namhyung Kim Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Fixes: c9574fe0bdb9 ("perf/x86-ibs: Implement workaround for IBS erratum #420") Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 5b99e97b275a1be576f1e900c105081c102ae45a Author: Kim Phillips Date: Wed Oct 23 10:09:54 2019 -0500 perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity [ Upstream commit 317b96bb14303c7998dbcd5bc606bd8038fdd4b4 ] The loop that reads all the IBS MSRs into *buf stopped one MSR short of reading the IbsOpData register, which contains the RipInvalid status bit. Fix the offset_max assignment so the MSR gets read, so the RIP invalid evaluation is based on what the IBS h/w output, instead of what was left in memory. Signed-off-by: Kim Phillips Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Borislav Petkov Cc: H. Peter Anvin Cc: Jiri Olsa Cc: Linus Torvalds Cc: Mark Rutland Cc: Namhyung Kim Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Fixes: d47e8238cd76 ("perf/x86-ibs: Take instruction pointer from ibs sample") Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 45944c4a7743e4d4b8fd9a66407aa3d3047a73a3 Author: Yinbo Zhu Date: Mon Jul 29 14:46:07 2019 +0800 usb: dwc3: remove the call trace of USBx_GFLADJ [ Upstream commit a7d9874c6f3fbc8d25cd9ceba35b6822612c4ebf ] layerscape board sometimes reported some usb call trace, that is due to kernel sent LPM tokerns automatically when it has no pending transfers and think that the link is idle enough to enter L1, which procedure will ask usb register has a recovery,then kernel will compare USBx_GFLADJ and set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if the conditions were met then issue occur, but whatever the conditions whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20 (xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source that generates the clock that drives the SOF counter, 0x20 is default value of it)That is normal logic, so need remove the call trace. Signed-off-by: Yinbo Zhu Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit dff38149cec4e0ddf78280540393e1fb5268397f Author: Peter Chen Date: Mon Aug 26 15:10:55 2019 -0400 usb: gadget: configfs: fix concurrent issue between composite APIs [ Upstream commit 1a1c851bbd706ea9f3a9756c2d3db28523506d3b ] We meet several NULL pointer issues if configfs_composite_unbind and composite_setup (or composite_disconnect) are running together. These issues occur when do the function switch stress test, the configfs_compsoite_unbind is called from user mode by echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt or disconnect interrupt occurs by hardware. The composite_setup will get the cdev from get_gadget_data, but configfs_composite_unbind will set gadget data as NULL, so the NULL pointer issue occurs. This concurrent is hard to reproduce by native kernel, but can be reproduced by android kernel. In this commit, we introduce one spinlock belongs to structure gadget_info since we can't use the same spinlock in usb_composite_dev due to exclusive running together between composite_setup and configfs_composite_unbind. And one bit flag 'unbind' to indicate the code is at unbind routine, this bit is needed due to we release the lock at during configfs_composite_unbind sometimes, and composite_setup may be run at that time. Several oops: oops 1: android_work: sent uevent USB_STATE=CONNECTED configfs-gadget gadget: super-speed config #1: b android_work: sent uevent USB_STATE=CONFIGURED init: Received control message 'start' for 'adbd' from pid: 3515 (system_server) Unable to handle kernel NULL pointer dereference at virtual address 0000002a init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic) Mem abort info: Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000 [000000000000002a] *pgd=0000000000000000 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16 Hardware name: Freescale i.MX8QM MEK (DT) task: ffff8008f2a98000 task.stack: ffff00000b7b8000 PC is at composite_setup+0x44/0x1508 LR is at android_setup+0xb8/0x13c pc : [] lr : [] pstate: 800001c5 sp : ffff00000b7bbb80 x29: ffff00000b7bbb80 x28: ffff8008f2a3c010 x27: 0000000000000001 x26: 0000000000000000 [1232/1897] audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64 x25: 00000000ffffffa1 x24: ffff8008f2a3c010 audit: rate limit exceeded x23: 0000000000000409 x22: ffff000009c8e000 x21: ffff8008f7a8b428 x20: ffff00000afae000 x19: ffff0000089ff000 x18: 0000000000000000 x17: 0000000000000000 x16: ffff0000082b7c9c x15: 0000000000000000 x14: f1866f5b952aca46 x13: e35502e30d44349c x12: 0000000000000008 x11: 0000000000000008 x10: 0000000000000a30 x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90 x7 : ffff8008f27a9c90 x6 : 0000000000000001 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000006 x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00 X7: 0xffff8008f27a9c10: 9c10 00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040 9c30 00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000 9c50 00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078 9c70 00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000 9c90 00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008 9cb0 f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001 9cd0 870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000 using random self ethernet address 9cf0 019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000 using random host ethernet address 00000000 X8: 0xffff8008f2a98a10: 8a10 00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000 8a30 eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000 8a50 f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000 8a70 fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000 8a90 080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000 8ab0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 8ad0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 8af0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 X21: 0xffff8008f7a8b3a8: b3a8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 b3c8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 b3e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 b408 00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000 b428 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 b448 0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003 b468 e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008 b488 f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000 X24: 0xffff8008f2a3bf90: bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000 c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008 c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008 X28: 0xffff8008f2a3bf90: bf90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bfb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bfd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 c010 00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000 c030 f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008 c050 f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 c070 f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008 Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000) Call trace: Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80) ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000 ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90 ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008 baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000 bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000 bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409 bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001 bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80 bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00 bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c [] composite_setup+0x44/0x1508 [] android_setup+0xb8/0x13c [] cdns3_ep0_delegate_req+0x44/0x70 [] cdns3_check_ep0_interrupt_proceed+0x33c/0x654 [] cdns3_device_thread_irq_handler+0x4b0/0x4bc [] cdns3_thread_irq+0x48/0x68 [] irq_thread_fn+0x28/0x88 [] irq_thread+0x13c/0x228 [] kthread+0x104/0x130 [] ret_from_fork+0x10/0x18 oops2: composite_disconnect: Calling disconnect on a Gadget that is not connected android_work: did not send uevent (0 0 (null)) init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx) init: Sending signal 9 to service 'adbd' (pid 22343) process group... ------------[ cut here ]------------ audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64 audit: rate limit exceeded WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88 Modules linked in: CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16 Hardware name: Freescale i.MX8QM MEK (DT) task: ffff8008f2349c00 task.stack: ffff00000b0a8000 PC is at composite_disconnect+0x80/0x88 LR is at composite_disconnect+0x80/0x88 pc : [] lr : [] pstate: 600001c5 sp : ffff000008003dd0 x29: ffff000008003dd0 x28: ffff8008f2349c00 x27: ffff000009885018 x26: ffff000008004000 Timeout for IPC response! x25: ffff000009885018 x24: ffff000009c8e280 x23: ffff8008f2d98010 x22: 00000000000001c0 x21: ffff8008f2d98394 x20: ffff8008f2d98010 x19: 0000000000000000 x18: 0000e3956f4f075a fxos8700 4-001e: i2c block read acc failed x17: 0000e395735727e8 x16: ffff00000829f4d4 x15: ffffffffffffffff x14: 7463656e6e6f6320 x13: 746f6e2009090920 x12: 7369207461687420 x11: 7465676461472061 x10: 206e6f207463656e x9 : 6e6f637369642067 x8 : ffff000009c8e280 x7 : ffff0000086ca6cc x6 : ffff000009f15e78 x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffffffffffff x2 : c3f28b86000c3900 x1 : c3f28b86000c3900 x0 : 000000000000004e X20: 0xffff8008f2d97f90: 7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain 7fd0 Timeout for IPC response! 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 using random self ethernet address 7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc using random host ethernet address ffff0000 8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008 8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008 X21: 0xffff8008f2d98314: 8314 ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 8334 00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000 8354 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 8374 00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000 8394 e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400 Timeout for IPC response! 83b4 ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018 83d4 ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918 83f4 ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000 X23: 0xffff8008f2d97f90: 7f90 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 7fb0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 7fd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 7ff0 00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008 8010 00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000 8030 f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008 8050 f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000 8070 f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008 X28: 0xffff8008f2349b80: 9b80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ba0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9bc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9be0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9c00 00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000 9c20 0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000 9c40 00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008 9c60 00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000 Call trace: Exception stack(0xffff000008003c90 to 0xffff000008003dd0) 3c80: 000000000000004e c3f28b86000c3900 3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000 3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067 3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920 3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8 3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394 3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018 3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0 3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5 3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000 init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx) 3dc0: ffff000008003dd0 ffff0000089ff9b0 [] composite_disconnect+0x80/0x88 [] android_disconnect+0x3c/0x68 [] cdns3_device_irq_handler+0xfc/0x2c8 [] cdns3_irq+0x44/0x94 [] __handle_irq_event_percpu+0x60/0x24c [] handle_irq_event+0x58/0xc0 [] handle_fasteoi_irq+0x98/0x180 [] generic_handle_irq+0x24/0x38 [] __handle_domain_irq+0x60/0xac [] gic_handle_irq+0xd4/0x17c Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 10eb9abd21bad2a9726f50557b38924cb8d81ccd Author: Navid Emamdoost Date: Sun Sep 29 21:41:45 2019 -0500 usb: dwc3: pci: prevent memory leak in dwc3_pci_probe [ Upstream commit 9bbfceea12a8f145097a27d7c7267af25893c060 ] In dwc3_pci_probe a call to platform_device_alloc allocates a device which is correctly put in case of error except one case: when the call to platform_device_add_properties fails it directly returns instead of going to error handling. This commit replaces return with the goto. Fixes: 1a7b12f69a94 ("usb: dwc3: pci: Supply device properties via driver data") Signed-off-by: Navid Emamdoost Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit c73ccf65e1696662d3a5ea38a7647f515890c299 Author: Chandana Kishori Chiluveru Date: Tue Oct 1 13:16:48 2019 +0530 usb: gadget: composite: Fix possible double free memory bug [ Upstream commit 1c20c89b0421b52b2417bb0f62a611bc669eda1d ] composite_dev_cleanup call from the failure of configfs_composite_bind frees up the cdev->os_desc_req and cdev->req. If the previous calls of bind and unbind is successful these will carry stale values. Consider the below sequence of function calls: configfs_composite_bind() composite_dev_prepare() - Allocate cdev->req, cdev->req->buf composite_os_desc_req_prepare() - Allocate cdev->os_desc_req, cdev->os_desc_req->buf configfs_composite_unbind() composite_dev_cleanup() - free the cdev->os_desc_req->buf and cdev->req->buf Next composition switch configfs_composite_bind() - If it fails goto err_comp_cleanup will call the composite_dev_cleanup() function composite_dev_cleanup() - calls kfree up with the stale values of cdev->req->buf and cdev->os_desc_req from the previous configfs_composite_bind call. The free call on these stale values leads to double free. Hence, Fix this issue by setting request and buffer pointer to NULL after kfree. Signed-off-by: Chandana Kishori Chiluveru Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 26d31e1c3ab299cbccc077f6beb3535892aad345 Author: Cristian Birsan Date: Fri Oct 4 20:10:54 2019 +0300 usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode. [ Upstream commit ba3a1a915c49cc3023e4ddfc88f21e7514e82aa4 ] Fix interrupt storm generated by endpoints when working in FIFO mode. The TX_COMPLETE interrupt is used only by control endpoints processing. Do not enable it for other types of endpoints. Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver") Signed-off-by: Cristian Birsan Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 88912019b49ca22ff10f34550e162d9e791130ae Author: Nikhil Badola Date: Mon Oct 21 18:21:51 2019 +0800 usb: fsl: Check memory resource before releasing it [ Upstream commit bc1e3a2dd0c9954fd956ac43ca2876bbea018c01 ] Check memory resource existence before releasing it to avoid NULL pointer dereference Signed-off-by: Nikhil Badola Reviewed-by: Ran Wang Reviewed-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 3a2675a2d97a68332fa5c33043038bfeb31455a8 Author: Taehee Yoo Date: Mon Oct 21 18:47:55 2019 +0000 macsec: fix refcnt leak in module exit routine [ Upstream commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 ] When a macsec interface is created, it increases a refcnt to a lower device(real device). when macsec interface is deleted, the refcnt is decreased in macsec_free_netdev(), which is ->priv_destructor() of macsec interface. The problem scenario is this. When nested macsec interfaces are exiting, the exit routine of the macsec module makes refcnt leaks. Test commands: ip link add dummy0 type dummy ip link add macsec0 link dummy0 type macsec ip link add macsec1 link macsec0 type macsec modprobe -rv macsec [ 208.629433] unregister_netdevice: waiting for macsec0 to become free. Usage count = 1 Steps of exit routine of macsec module are below. 1. Calls ->dellink() in __rtnl_link_unregister(). 2. Checks refcnt and wait refcnt to be 0 if refcnt is not 0 in netdev_run_todo(). 3. Calls ->priv_destruvtor() in netdev_run_todo(). Step2 checks refcnt, but step3 decreases refcnt. So, step2 waits forever. This patch makes the macsec module do not hold a refcnt of the lower device because it already holds a refcnt of the lower device with netdev_upper_dev_link(). Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0d0ca85ad4241c83abd10a61070353f53dd8023f Author: Taehee Yoo Date: Mon Oct 21 18:47:52 2019 +0000 bonding: fix unexpected IFF_BONDING bit unset [ Upstream commit 65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e ] The IFF_BONDING means bonding master or bonding slave device. ->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets IFF_BONDING flag. bond0<--bond1 Both bond0 and bond1 are bonding device and these should keep having IFF_BONDING flag until they are removed. But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine do not check whether the slave device is the bonding type or not. This patch adds the interface type check routine before removing IFF_BONDING flag. Test commands: ip link add bond0 type bond ip link add bond1 type bond ip link set bond1 master bond0 ip link set bond1 nomaster ip link del bond1 type bond ip link add bond1 type bond Splat looks like: [ 226.665555] proc_dir_entry 'bonding/bond1' already registered [ 226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0 [ 226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix [ 226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96 [ 226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 226.670652] RIP: 0010:proc_register+0x2a9/0x3e0 [ 226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e 0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00 [ 226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282 [ 226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2 [ 226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c [ 226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019 [ 226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008 [ 226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e [ 226.680758] FS: 00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000 [ 226.681886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0 [ 226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 226.685681] Call Trace: [ 226.687089] proc_create_seq_private+0xb3/0xf0 [ 226.687778] bond_create_proc_entry+0x1b3/0x3f0 [bonding] [ 226.691458] bond_netdev_event+0x433/0x970 [bonding] [ 226.692139] ? __module_text_address+0x13/0x140 [ 226.692779] notifier_call_chain+0x90/0x160 [ 226.693401] register_netdevice+0x9b3/0xd80 [ 226.694010] ? alloc_netdev_mqs+0x854/0xc10 [ 226.694629] ? netdev_change_features+0xa0/0xa0 [ 226.695278] ? rtnl_create_link+0x2ed/0xad0 [ 226.695849] bond_newlink+0x2a/0x60 [bonding] [ 226.696422] __rtnl_newlink+0xb9f/0x11b0 [ 226.696968] ? rtnl_link_unregister+0x220/0x220 [ ... ] Fixes: 0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 50e31318b5259ac66e177d324b4410215823cfa7 Author: Eric Dumazet Date: Wed Oct 23 09:53:03 2019 -0700 ipvs: move old_secure_tcp into struct netns_ipvs [ Upstream commit c24b75e0f9239e78105f81c5f03a751641eb07ef ] syzbot reported the following issue : BUG: KCSAN: data-race in update_defense_level / update_defense_level read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1: update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177 defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 worker_thread+0xa0/0x800 kernel/workqueue.c:2415 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0: update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205 defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 worker_thread+0xa0/0x800 kernel/workqueue.c:2415 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events defense_work_handler Indeed, old_secure_tcp is currently a static variable, while it needs to be a per netns variable. Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 102f4078fbdded8407f59d6e0b022ea89e20f33a Author: Davide Caratti Date: Sat Oct 19 17:34:35 2019 +0200 ipvs: don't ignore errors in case refcounting ip_vs module fails [ Upstream commit 62931f59ce9cbabb934a431f48f2f1f441c605ac ] if the IPVS module is removed while the sync daemon is starting, there is a small gap where try_module_get() might fail getting the refcount inside ip_vs_use_count_inc(). Then, the refcounts of IPVS module are unbalanced, and the subsequent call to stop_sync_thread() causes the following splat: WARNING: CPU: 0 PID: 4013 at kernel/module.c:1146 module_put.part.44+0x15b/0x290 Modules linked in: ip_vs(-) nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 veth ip6table_filter ip6_tables iptable_filter binfmt_misc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ext4 mbcache jbd2 ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd glue_helper joydev pcspkr snd_timer virtio_balloon snd soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk failover virtio_console qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crc32c_intel serio_raw drm virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv6] CPU: 0 PID: 4013 Comm: modprobe Tainted: G W 5.4.0-rc1.upstream+ #741 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:module_put.part.44+0x15b/0x290 Code: 04 25 28 00 00 00 0f 85 18 01 00 00 48 83 c4 68 5b 5d 41 5c 41 5d 41 5e 41 5f c3 89 44 24 28 83 e8 01 89 c5 0f 89 57 ff ff ff <0f> 0b e9 78 ff ff ff 65 8b 1d 67 83 26 4a 89 db be 08 00 00 00 48 RSP: 0018:ffff888050607c78 EFLAGS: 00010297 RAX: 0000000000000003 RBX: ffffffffc1420590 RCX: ffffffffb5db0ef9 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffc1420590 RBP: 00000000ffffffff R08: fffffbfff82840b3 R09: fffffbfff82840b3 R10: 0000000000000001 R11: fffffbfff82840b2 R12: 1ffff1100a0c0f90 R13: ffffffffc1420200 R14: ffff88804f533300 R15: ffff88804f533ca0 FS: 00007f8ea9720740(0000) GS:ffff888053800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3245abe000 CR3: 000000004c28a006 CR4: 00000000001606f0 Call Trace: stop_sync_thread+0x3a3/0x7c0 [ip_vs] ip_vs_sync_net_cleanup+0x13/0x50 [ip_vs] ops_exit_list.isra.5+0x94/0x140 unregister_pernet_operations+0x29d/0x460 unregister_pernet_device+0x26/0x60 ip_vs_cleanup+0x11/0x38 [ip_vs] __x64_sys_delete_module+0x2d5/0x400 do_syscall_64+0xa5/0x4e0 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f8ea8bf0db7 Code: 73 01 c3 48 8b 0d b9 80 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 80 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffcd38d2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 0000000002436240 RCX: 00007f8ea8bf0db7 RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00000000024362a8 RBP: 0000000000000000 R08: 00007f8ea8eba060 R09: 00007f8ea8c658a0 R10: 00007ffcd38d2a60 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000000000001 R14: 00000000024362a8 R15: 0000000000000000 irq event stamp: 4538 hardirqs last enabled at (4537): [] quarantine_put+0x9e/0x170 hardirqs last disabled at (4538): [] trace_hardirqs_off_thunk+0x1a/0x20 softirqs last enabled at (4522): [] sk_common_release+0x169/0x2d0 softirqs last disabled at (4520): [] sk_common_release+0xbe/0x2d0 Check the return value of ip_vs_use_count_inc() and let its caller return proper error. Inside do_ip_vs_set_ctl() the module is already refcounted, we don't need refcount/derefcount there. Finally, in register_ip_vs_app() and start_sync_thread(), take the module refcount earlier and ensure it's released in the error path. Change since v1: - better return values in case of failure of ip_vs_use_count_inc(), thanks to Julian Anastasov - no need to increase/decrease the module refcount in ip_vs_set_ctl(), thanks to Julian Anastasov Signed-off-by: Davide Caratti Signed-off-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 81de0b500baa16de7dbd30577445851ef93743f4 Author: Pablo Neira Ayuso Date: Mon Oct 14 11:03:15 2019 +0200 netfilter: nf_flow_table: set timeout before insertion into hashes [ Upstream commit daf61b026f4686250e6afa619e6d7b49edc61df7 ] Other garbage collector might remove an entry not fully set up yet. [570953.958293] RIP: 0010:memcmp+0x9/0x50 [...] [570953.958567] flow_offload_hash_cmp+0x1e/0x30 [nf_flow_table] [570953.958585] flow_offload_lookup+0x8c/0x110 [nf_flow_table] [570953.958606] nf_flow_offload_ip_hook+0x135/0xb30 [nf_flow_table] [570953.958624] nf_flow_offload_inet_hook+0x35/0x37 [nf_flow_table_inet] [570953.958646] nf_hook_slow+0x3c/0xb0 [570953.958664] __netif_receive_skb_core+0x90f/0xb10 [570953.958678] ? ip_rcv_finish+0x82/0xa0 [570953.958692] __netif_receive_skb_one_core+0x3b/0x80 [570953.958711] __netif_receive_skb+0x18/0x60 [570953.958727] netif_receive_skb_internal+0x45/0xf0 [570953.958741] napi_gro_receive+0xcd/0xf0 [570953.958764] ixgbe_clean_rx_irq+0x432/0xe00 [ixgbe] [570953.958782] ixgbe_poll+0x27b/0x700 [ixgbe] [570953.958796] net_rx_action+0x284/0x3c0 [570953.958817] __do_softirq+0xcc/0x27c [570953.959464] irq_exit+0xe8/0x100 [570953.960097] do_IRQ+0x59/0xe0 [570953.960734] common_interrupt+0xf/0xf Fixes: 43c8f131184f ("netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit d45fc2ed472b25649e3086713ba09227915ca8a6 Author: Himanshu Madhani Date: Tue Oct 22 12:36:42 2019 -0700 scsi: qla2xxx: Initialized mailbox to prevent driver load failure [ Upstream commit c2ff2a36eff60efb5e123c940115216d6bf65684 ] This patch fixes issue with Gen7 adapter in a blade environment where one of the ports will not be detected by driver. Firmware expects mailbox 11 to be set or cleared by driver for newer ISP. Following message is seen in the log file: [ 18.810892] qla2xxx [0000:d8:00.0]-1820:1: **** Failed=102 mb[0]=4005 mb[1]=37 mb[2]=20 mb[3]=8 [ 18.819596] cmd=2 **** [mkp: typos] Link: https://lore.kernel.org/r/20191022193643.7076-2-hmadhani@marvell.com Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b6612a3dbad8dbc2d6b7d6892d24fa8b77fa8d65 Author: Daniel Wagner Date: Tue Oct 22 09:21:12 2019 +0200 scsi: lpfc: Honor module parameter lpfc_use_adisc [ Upstream commit 0fd103ccfe6a06e40e2d9d8c91d96332cc9e1239 ] The initial lpfc_desc_set_adisc implementation in commit dea3101e0a5c ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE In commit 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3") this changed to (cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE and later in commit ffc954936b13 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes and enhancements.") to (cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET) A customer reports that after a devloss, an ADISC failure is logged. It turns out the ADISC flag is set even the user explicitly set lpfc_use_adisc = 0. [Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa [Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000 [mkp: fixed Hannes' email] Fixes: 92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3") Cc: Dick Kennedy Cc: James Smart Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de Reviewed-by: Hannes Reinecke Reviewed-by: James Smart Signed-off-by: Daniel Wagner Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4e80e5614770524c07b680edf70f533af308c56e Author: Hillf Danton Date: Mon Oct 21 12:01:57 2019 +0200 net: openvswitch: free vport unless register_netdevice() succeeds [ Upstream commit 9464cc37f3671ee69cb1c00662b5e1f113a96b23 ] syzbot found the following crash on: HEAD commit: 1e78030e Merge tag 'mmc-v5.3-rc1' of git://git.kernel.org/.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=148d3d1a600000 kernel config: https://syzkaller.appspot.com/x/.config?x=30cef20daf3e9977 dashboard link: https://syzkaller.appspot.com/bug?extid=13210896153522fe1ee5 compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136aa8c4600000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109ba792600000 ===================================================================== BUG: memory leak unreferenced object 0xffff8881207e4100 (size 128): comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s) hex dump (first 32 bytes): 00 70 16 18 81 88 ff ff 80 af 8c 22 81 88 ff ff .p.........".... 00 b6 23 17 81 88 ff ff 00 00 00 00 00 00 00 00 ..#............. backtrace: [<000000000eb78212>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline] [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline] [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548 [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline] [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline] [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0 net/openvswitch/vport.c:130 [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164 [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199 [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194 [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614 [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629 [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654 [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665 [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328 [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917 [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline] [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657 [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311 [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356 [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline] [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline] [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363 BUG: memory leak unreferenced object 0xffff88811723b600 (size 64): comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s) hex dump (first 32 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 02 00 00 00 05 35 82 c1 .............5.. backtrace: [<00000000352f46d8>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<00000000352f46d8>] slab_post_alloc_hook mm/slab.h:522 [inline] [<00000000352f46d8>] slab_alloc mm/slab.c:3319 [inline] [<00000000352f46d8>] __do_kmalloc mm/slab.c:3653 [inline] [<00000000352f46d8>] __kmalloc+0x169/0x300 mm/slab.c:3664 [<000000008e48f3d1>] kmalloc include/linux/slab.h:557 [inline] [<000000008e48f3d1>] ovs_vport_set_upcall_portids+0x54/0xd0 net/openvswitch/vport.c:343 [<00000000541e4f4a>] ovs_vport_alloc+0x7f/0xf0 net/openvswitch/vport.c:139 [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164 [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199 [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194 [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614 [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629 [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654 [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665 [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328 [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917 [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline] [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657 [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311 [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356 BUG: memory leak unreferenced object 0xffff8881228ca500 (size 128): comm "syz-executor032", pid 7015, jiffies 4294944622 (age 7.880s) hex dump (first 32 bytes): 00 f0 27 18 81 88 ff ff 80 ac 8c 22 81 88 ff ff ..'........".... 40 b7 23 17 81 88 ff ff 00 00 00 00 00 00 00 00 @.#............. backtrace: [<000000000eb78212>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline] [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline] [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548 [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline] [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline] [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0 net/openvswitch/vport.c:130 [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0 net/openvswitch/vport-internal_dev.c:164 [<0000000056ee7c13>] ovs_vport_add+0x81/0x190 net/openvswitch/vport.c:199 [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194 [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410 net/openvswitch/datapath.c:1614 [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0 net/netlink/genetlink.c:629 [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654 [<000000006694b647>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665 [<00000000dad42a47>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1328 [<0000000067e6b079>] netlink_sendmsg+0x270/0x480 net/netlink/af_netlink.c:1917 [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline] [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657 [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311 [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356 [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline] [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline] [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363 ===================================================================== The function in net core, register_netdevice(), may fail with vport's destruction callback either invoked or not. After commit 309b66970ee2 ("net: openvswitch: do not free vport if register_netdevice() is failed."), the duty to destroy vport is offloaded from the driver OTOH, which ends up in the memory leak reported. It is fixed by releasing vport unless device is registered successfully. To do that, the callback assignment is defered until device is registered. Reported-by: syzbot+13210896153522fe1ee5@syzkaller.appspotmail.com Fixes: 309b66970ee2 ("net: openvswitch: do not free vport if register_netdevice() is failed.") Cc: Taehee Yoo Cc: Greg Rose Cc: Eric Dumazet Cc: Marcelo Ricardo Leitner Cc: Ying Xue Cc: Andrey Konovalov Signed-off-by: Hillf Danton Acked-by: Pravin B Shelar [sbrivio: this was sent to dev@openvswitch.org and never made its way to netdev -- resending original patch] Signed-off-by: Stefano Brivio Reviewed-by: Greg Rose Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 027253315d70bb5e69d007428563d2679e1ce014 Author: Dan Carpenter Date: Fri Oct 11 16:34:19 2019 +0300 RDMA/uverbs: Prevent potential underflow [ Upstream commit a9018adfde809d44e71189b984fa61cc89682b5e ] The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function. We check that: if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) { But we don't check if "attr.comp_vector" is negative. It could potentially lead to an array underflow. My concern would be where cq->vector is used in the create_cq() function from the cxgb4 driver. And really "attr.comp_vector" is appears as a u32 to user space so that's the right type to use. Fixes: 9ee79fce3642 ("IB/core: Add completion queue (cq) object actions") Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda Signed-off-by: Dan Carpenter Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d582769add688a4c0760873a3492f03ac4471539 Author: Hannes Reinecke Date: Fri Oct 18 16:04:58 2019 +0200 scsi: qla2xxx: fixup incorrect usage of host_byte [ Upstream commit 66cf50e65b183c863825f5c28a818e3f47a72e40 ] DRIVER_ERROR is a a driver byte setting, not a host byte. The qla2xxx driver should rather return DID_ERROR here to be in line with the other drivers. Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de Signed-off-by: Hannes Reinecke Acked-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 42de3a902443b64c6e3cf9c61d9cd6f30b2c0d67 Author: Navid Emamdoost Date: Tue Sep 24 22:20:34 2019 -0500 net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq [ Upstream commit c8c2a057fdc7de1cd16f4baa51425b932a42eb39 ] In mlx5_fpga_conn_create_cq if mlx5_vector2eqn fails the allocated memory should be released. Fixes: 537a50574175 ("net/mlx5: FPGA, Add high-speed connection routines") Signed-off-by: Navid Emamdoost Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 7dfdcd9407f30ea86acb3b43fcfd3a92ce6a41fa Author: Tariq Toukan Date: Tue Sep 24 11:29:09 2019 +0300 net/mlx5e: TX, Fix consumer index of error cqe dump [ Upstream commit 61ea02d2c13106116c6e4916ac5d9dd41151c959 ] The completion queue consumer index increments upon a call to mlx5_cqwq_pop(). When dumping an error CQE, the index is already incremented. Decrease one for the print command. Fixes: 16cc14d81733 ("net/mlx5e: Dump xmit error completions") Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 48dd71289ca3594002910c24f26cc37c46a5dd44 Author: Kamal Heib Date: Tue Oct 8 00:07:30 2019 +0300 RDMA/qedr: Fix reported firmware version [ Upstream commit b806c94ee44e53233b8ce6c92d9078d9781786a5 ] Remove spaces from the reported firmware version string. Actual value: $ cat /sys/class/infiniband/qedr0/fw_ver 8. 37. 7. 0 Expected value: $ cat /sys/class/infiniband/qedr0/fw_ver 8.37.7.0 Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init") Signed-off-by: Kamal Heib Acked-by: Michal Kalderon  Link: https://lore.kernel.org/r/20191007210730.7173-1-kamalheib1@gmail.com Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit 6208c2bfe2249df0156e6f1df5ea4e71ad496839 Author: Potnuri Bharat Teja Date: Thu Oct 3 16:13:53 2019 +0530 iw_cxgb4: fix ECN check on the passive accept [ Upstream commit 612e0486ad0845c41ac10492e78144f99e326375 ] pass_accept_req() is using the same skb for handling accept request and sending accept reply to HW. Here req and rpl structures are pointing to same skb->data which is over written by INIT_TP_WR() and leads to accessing corrupt req fields in accept_cr() while checking for ECN flags. Reordered code in accept_cr() to fetch correct req fields. Fixes: 92e7ae7172 ("iw_cxgb4: Choose appropriate hw mtu index and ISS for iWARP connections") Signed-off-by: Potnuri Bharat Teja Link: https://lore.kernel.org/r/20191003104353.11590-1-bharat@chelsio.com Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit 89aa9e2626f409ebef9153373cc66c07c635c59a Author: Rafi Wiener Date: Wed Oct 2 15:02:43 2019 +0300 RDMA/mlx5: Clear old rate limit when closing QP [ Upstream commit c8973df2da677f375f8b12b6eefca2f44c8884d5 ] Before QP is closed it changes to ERROR state, when this happens the QP was left with old rate limit that was already removed from the table. Fixes: 7d29f349a4b9 ("IB/mlx5: Properly adjust rate limit on QP state transitions") Signed-off-by: Rafi Wiener Signed-off-by: Oleg Kuporosov Signed-off-by: Leon Romanovsky Link: https://lore.kernel.org/r/20191002120243.16971-1-leon@kernel.org Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit d6706b2ec108f9a026d36457b0242acd4823723b Author: Zhang Lixu Date: Wed Oct 16 08:15:59 2019 +0800 HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() [ Upstream commit 16ff7bf6dbcc6f77d2eec1ac9120edf44213c2f1 ] When allocating tx ring buffers failed, should free tx buffers, not rx buffers. Signed-off-by: Zhang Lixu Acked-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 113a154ef2f23980edc9605c0da294de5567eb51 Author: Baolin Wang Date: Wed Oct 9 17:11:30 2019 +0800 dmaengine: sprd: Fix the possible memory leak issue [ Upstream commit ec1ac309596a7bdf206743b092748205f6cd5720 ] If we terminate the channel to free all descriptors associated with this channel, we will leak the memory of current descriptor if the current descriptor is not completed, since it had been deteled from the desc_issued list and have not been added into the desc_completed list. Thus we should check if current descriptor is completed or not, when freeing the descriptors associated with one channel, if not, we should free it to avoid this issue. Fixes: 9b3b8171f7f4 ("dmaengine: sprd: Add Spreadtrum DMA driver") Reported-by: Zhenfang Wang Tested-by: Zhenfang Wang Signed-off-by: Baolin Wang Link: https://lore.kernel.org/r/170dbbc6d5366b6fa974ce2d366652e23a334251.1570609788.git.baolin.wang@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6040f96d5147046499a155f8e40eee03146eccb1 Author: Radhey Shyam Pandey Date: Thu Sep 26 16:20:58 2019 +0530 dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config [ Upstream commit 6c6de1ddb1be3840f2ed5cc9d009a622720940c9 ] In vdma_channel_set_config clear the delay, frame count and master mask before updating their new values. It avoids programming incorrect state when input parameters are different from default. Signed-off-by: Radhey Shyam Pandey Acked-by: Appana Durga Kedareswara rao Signed-off-by: Michal Simek Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 78e7e0248eb82bd14b8c2738fbde7646abab2d42 Author: Nicolas Boichat Date: Thu Oct 3 11:17:59 2019 +0800 HID: google: add magnemite/masterball USB ids [ Upstream commit 9e4dbc4646a84b2562ea7c64a542740687ff7daf ] Add 2 additional hammer-like devices. Signed-off-by: Nicolas Boichat Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 8181146cd7de890cdfdda68ddc3730250887d7fc Author: Vidya Sagar Date: Thu Jul 4 20:34:28 2019 +0530 PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 commit 7be142caabc4780b13a522c485abc806de5c4114 upstream. The PCI Tegra controller conversion to a device tree configurable driver in commit d1523b52bff3 ("PCI: tegra: Move PCIe driver to drivers/pci/host") implied that code for the driver can be compiled in for a kernel supporting multiple platforms. Unfortunately, a blind move of the code did not check that some of the quirks that were applied in arch/arm (eg enabling Relaxed Ordering on all PCI devices - since the quirk hook erroneously matches PCI_ANY_ID for both Vendor-ID and Device-ID) are now applied in all kernels that compile the PCI Tegra controlled driver, DT and ACPI alike. This is completely wrong, in that enablement of Relaxed Ordering is only required by default in Tegra20 platforms as described in the Tegra20 Technical Reference Manual (available at https://developer.nvidia.com/embedded/downloads#?search=tegra%202 in Section 34.1, where it is mentioned that Relaxed Ordering bit needs to be enabled in its root ports to avoid deadlock in hardware) and in the Tegra30 platforms for the same reasons (unfortunately not documented in the TRM). There is no other strict requirement on PCI devices Relaxed Ordering enablement on any other Tegra platforms or PCI host bridge driver. Fix this quite upsetting situation by limiting the vendor and device IDs to which the Relaxed Ordering quirk applies to the root ports in question, reported above. Signed-off-by: Vidya Sagar [lorenzo.pieralisi@arm.com: completely rewrote the commit log/fixes tag] Signed-off-by: Lorenzo Pieralisi Acked-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit e2dd254bde5cdac24e7774584d6f3c2c61fe09e5 Author: Suwan Kim Date: Wed Aug 28 12:27:41 2019 +0900 usbip: Implement SG support to vhci-hcd and stub driver commit ea44d190764b4422af4d1c29eaeb9e69e353b406 upstream. There are bugs on vhci with usb 3.0 storage device. In USB, each SG list entry buffer should be divisible by the bulk max packet size. But with native SG support, this problem doesn't matter because the SG buffer is treated as contiguous buffer. But without native SG support, USB storage driver breaks SG list into several URBs and the error occurs because of a buffer size of URB that cannot be divided by the bulk max packet size. The error situation is as follows. When USB Storage driver requests 31.5 KB data and has SG list which has 3584 bytes buffer followed by 7 4096 bytes buffer for some reason. USB Storage driver splits this SG list into several URBs because VHCI doesn't support SG and sends them separately. So the first URB buffer size is 3584 bytes. When receiving data from device, USB 3.0 device sends data packet of 1024 bytes size because the max packet size of BULK pipe is 1024 bytes. So device sends 4096 bytes. But the first URB buffer has only 3584 bytes buffer size. So host controller terminates the transfer even though there is more data to receive. So, vhci needs to support SG transfer to prevent this error. In this patch, vhci supports SG regardless of whether the server's host controller supports SG or not, because stub driver splits SG list into several URBs if the server's host controller doesn't support SG. To support SG, vhci sets URB_DMA_MAP_SG flag in urb->transfer_flags if URB has SG list and this flag will tell stub driver to use SG list. After receiving urb from stub driver, vhci clear URB_DMA_MAP_SG flag to avoid unnecessary DMA unmapping in HCD. vhci sends each SG list entry to stub driver. Then, stub driver sees the total length of the buffer and allocates SG table and pages according to the total buffer length calling sgl_alloc(). After stub driver receives completed URB, it again sends each SG list entry to vhci. If the server's host controller doesn't support SG, stub driver breaks a single SG request into several URBs and submits them to the server's host controller. When all the split URBs are completed, stub driver reassembles the URBs into a single return command and sends it to vhci. Moreover, in the situation where vhci supports SG, but stub driver does not, or vice versa, usbip works normally. Because there is no protocol modification, there is no problem in communication between server and client even if the one has a kernel without SG support. In the case of vhci supports SG and stub driver doesn't, because vhci sends only the total length of the buffer to stub driver as it did before the patch applied, stub driver only needs to allocate the required length of buffers using only kmalloc() regardless of whether vhci supports SG or not. But stub driver has to allocate buffer with kmalloc() as much as the total length of SG buffer which is quite huge when vhci sends SG request, so it has overhead in buffer allocation in this situation. If stub driver needs to send data buffer to vhci because of IN pipe, stub driver also sends only total length of buffer as metadata and then sends real data as vhci does. Then vhci receive data from stub driver and store it to the corresponding buffer of SG list entry. And for the case of stub driver supports SG and vhci doesn't, since the USB storage driver checks that vhci doesn't support SG and sends the request to stub driver by splitting the SG list into multiple URBs, stub driver allocates a buffer for each URB with kmalloc() as it did before this patch. * Test environment Test uses two difference machines and two different kernel version to make mismatch situation between the client and the server where vhci supports SG, but stub driver does not, or vice versa. All tests are conducted in both full SG support that both vhci and stub support SG and half SG support that is the mismatch situation. Test kernel version is 5.3-rc6 with commit "usb: add a HCD_DMA flag instead of guestimating DMA capabilities" to avoid unnecessary DMA mapping and unmapping. - Test kernel version - 5.3-rc6 with SG support - 5.1.20-200.fc29.x86_64 without SG support * SG support test - Test devices - Super-speed storage device - SanDisk Ultra USB 3.0 - High-speed storage device - SMI corporation USB 2.0 flash drive - Test description Test read and write operation of mass storage device that uses the BULK transfer. In test, the client reads and writes files whose size is over 1G and it works normally. * Regression test - Test devices - Super-speed device - Logitech Brio webcam - High-speed device - Logitech C920 HD Pro webcam - Full-speed device - Logitech bluetooth mouse - Britz BR-Orion speaker - Low-speed device - Logitech wired mouse - Test description Moving and click test for mouse. To test the webcam, use gnome-cheese. To test the speaker, play music and video on the client. All works normally. * VUDC compatibility test VUDC also works well with this patch. Tests are done with two USB gadget created by CONFIGFS USB gadget. Both use the BULK pipe. 1. Serial gadget 2. Mass storage gadget - Serial gadget test Serial gadget on the host sends and receives data using cat command on the /dev/ttyGS. The client uses minicom to communicate with the serial gadget. - Mass storage gadget test After connecting the gadget with vhci, use "dd" to test read and write operation on the client side. Read - dd if=/dev/sd iflag=direct of=/dev/null bs=1G count=1 Write - dd if= iflag=direct of=/dev/sd bs=1G count=1 Signed-off-by: Suwan Kim Acked-by: Shuah khan Link: https://lore.kernel.org/r/20190828032741.12234-1-suwan.kim027@gmail.com Signed-off-by: Greg Kroah-Hartman commit f865ae473c16fb2b8b8601fa04f4f6517ad557b3 Author: Shuah Khan Date: Thu Jan 24 14:46:42 2019 -0700 usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path commit 2c904963b1dd2acd4bc785b6c72e10a6283c2081 upstream. Fix vhci_urb_enqueue() to print debug msg and return error instead of failing with BUG_ON. Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit e9c0fc4a7ccd9fc28e78685d17c1943839c5579a Author: Qian Cai Date: Tue Aug 20 14:40:55 2019 -0400 sched/fair: Fix -Wunused-but-set-variable warnings commit 763a9ec06c409dcde2a761aac4bb83ff3938e0b3 upstream. Commit: de53fd7aedb1 ("sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices") introduced a few compilation warnings: kernel/sched/fair.c: In function '__refill_cfs_bandwidth_runtime': kernel/sched/fair.c:4365:6: warning: variable 'now' set but not used [-Wunused-but-set-variable] kernel/sched/fair.c: In function 'start_cfs_bandwidth': kernel/sched/fair.c:4992:6: warning: variable 'overrun' set but not used [-Wunused-but-set-variable] Also, __refill_cfs_bandwidth_runtime() does no longer update the expiration time, so fix the comments accordingly. Signed-off-by: Qian Cai Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Ben Segall Reviewed-by: Dave Chiluk Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: pauld@redhat.com Fixes: de53fd7aedb1 ("sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices") Link: https://lkml.kernel.org/r/1566326455-8038-1-git-send-email-cai@lca.pw Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 502bd151448c2c76a927b26783e5538875c534ff Author: Dave Chiluk Date: Tue Jul 23 11:44:26 2019 -0500 sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices commit de53fd7aedb100f03e5d2231cfce0e4993282425 upstream. It has been observed, that highly-threaded, non-cpu-bound applications running under cpu.cfs_quota_us constraints can hit a high percentage of periods throttled while simultaneously not consuming the allocated amount of quota. This use case is typical of user-interactive non-cpu bound applications, such as those running in kubernetes or mesos when run on multiple cpu cores. This has been root caused to cpu-local run queue being allocated per cpu bandwidth slices, and then not fully using that slice within the period. At which point the slice and quota expires. This expiration of unused slice results in applications not being able to utilize the quota for which they are allocated. The non-expiration of per-cpu slices was recently fixed by 'commit 512ac999d275 ("sched/fair: Fix bandwidth timer clock drift condition")'. Prior to that it appears that this had been broken since at least 'commit 51f2176d74ac ("sched/fair: Fix unlocked reads of some cfs_b->quota/period")' which was introduced in v3.16-rc1 in 2014. That added the following conditional which resulted in slices never being expired. if (cfs_rq->runtime_expires != cfs_b->runtime_expires) { /* extend local deadline, drift is bounded above by 2 ticks */ cfs_rq->runtime_expires += TICK_NSEC; Because this was broken for nearly 5 years, and has recently been fixed and is now being noticed by many users running kubernetes (https://github.com/kubernetes/kubernetes/issues/67577) it is my opinion that the mechanisms around expiring runtime should be removed altogether. This allows quota already allocated to per-cpu run-queues to live longer than the period boundary. This allows threads on runqueues that do not use much CPU to continue to use their remaining slice over a longer period of time than cpu.cfs_period_us. However, this helps prevent the above condition of hitting throttling while also not fully utilizing your cpu quota. This theoretically allows a machine to use slightly more than its allotted quota in some periods. This overflow would be bounded by the remaining quota left on each per-cpu runqueueu. This is typically no more than min_cfs_rq_runtime=1ms per cpu. For CPU bound tasks this will change nothing, as they should theoretically fully utilize all of their quota in each period. For user-interactive tasks as described above this provides a much better user/application experience as their cpu utilization will more closely match the amount they requested when they hit throttling. This means that cpu limits no longer strictly apply per period for non-cpu bound applications, but that they are still accurate over longer timeframes. This greatly improves performance of high-thread-count, non-cpu bound applications with low cfs_quota_us allocation on high-core-count machines. In the case of an artificial testcase (10ms/100ms of quota on 80 CPU machine), this commit resulted in almost 30x performance improvement, while still maintaining correct cpu quota restrictions. That testcase is available at https://github.com/indeedeng/fibtest. Fixes: 512ac999d275 ("sched/fair: Fix bandwidth timer clock drift condition") Signed-off-by: Dave Chiluk Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Phil Auld Reviewed-by: Ben Segall Cc: Ingo Molnar Cc: John Hammond Cc: Jonathan Corbet Cc: Kyle Anderson Cc: Gabriel Munos Cc: Peter Oskolkov Cc: Cong Wang Cc: Brendan Gregg Link: https://lkml.kernel.org/r/1563900266-19734-2-git-send-email-chiluk+linux@indeed.com Signed-off-by: Greg Kroah-Hartman commit 4ebee4875eab0dd55d68ee61beaed55561377e01 Author: Takashi Iwai Date: Tue Oct 22 17:45:14 2019 +0200 ALSA: usb-audio: Fix copy&paste error in the validator commit ba8bf0967a154796be15c4983603aad0b05c3138 upstream. The recently introduced USB-audio descriptor validator had a stupid copy&paste error that may lead to an unexpected overlook of too short descriptors for processing and extension units. It's likely the cause of the report triggered by syzkaller fuzzer. Let's fix it. Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") Reported-by: syzbot+0620f79a1978b1133fd7@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/s5hsgnkdbsl.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e0051889243d34bcf834396be3a255b529b29f1e Author: Dan Carpenter Date: Mon Aug 26 16:45:50 2019 +0300 ALSA: usb-audio: remove some dead code commit b39e077fcb283dd96dd251a3abeba585402c61fe upstream. We recently cleaned up the error handling in commit 52c3e317a857 ("ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects") but accidentally left this stray return. Fixes: 52c3e317a857 ("ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects") Signed-off-by: Dan Carpenter Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4f6c5200269998f0066e1bd4db931297b7b2b906 Author: Takashi Iwai Date: Mon Aug 26 13:55:21 2019 +0200 ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() commit 60849562a5db4a1eee2160167e4dce4590d3eafe upstream. The previous addition of descriptor validation may lead to a NULL dereference at create_yamaha_midi_quirk() when either injd or outjd is NULL. Add proper non-NULL checks. Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") Reported-by: Dan Carpenter Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3a0cdf210b94f1cfbbab6687c82421784242702b Author: Takashi Iwai Date: Fri Aug 23 12:38:07 2019 +0200 ALSA: usb-audio: Clean up check_input_term() commit e0ccdef92653f8867e2d1667facfd3c23699f540 upstream. The primary changes in this patch are cleanups of __check_input_term() and move to a non-nested switch-case block by evaluating the pair of UAC version and the unit type, as we've done for parse_audio_unit(). Also each parser is split into the function for readability. Now, a slight behavior change by this cleanup is the handling of processing and extension units. Formerly we've dealt with them differently between UAC1/2 and UAC3; the latter returns an error if no input sources are available, while the former continues to parse. In this patch, unify the behavior in all cases: when input sources are available, it parses recursively, then override the type and the id, as well as channel information if not provided yet. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9feeaa50e5b4b0b71259d918a36ecf9059e60796 Author: Takashi Iwai Date: Thu Aug 22 09:25:27 2019 +0200 ALSA: usb-audio: Remove superfluous bLength checks commit b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a upstream. Now that we got the more comprehensive validation code for USB-audio descriptors, the check of overflow in each descriptor unit parser became superfluous. Drop some of the obvious cases. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f0e164f66e7515d8e01ca1bf256107bd8a38d177 Author: Takashi Iwai Date: Thu Aug 22 08:23:10 2019 +0200 ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects commit 52c3e317a857091fd746e15179a637f32be4d337 upstream. Instead of the direct kfree() calls, introduce a new local helper to release the usb_mixer_elem_info object. This will be extended to do more than a single kfree() in the later patches. Also, use the standard goto instead of multiple calls in parse_audio_selector_unit() error paths. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dae4d839e54923da529eb77406acd92b3ce1037a Author: Takashi Iwai Date: Thu Aug 15 16:30:39 2019 +0200 ALSA: usb-audio: Simplify parse_audio_unit() commit 68e9fde245591d18200f8a9054cac22339437adb upstream. Minor code refactoring by combining the UAC version and the type in the switch-case flow, so that we reduce the indentation and redundancy. One good bonus is that the duplicated definition of the same type value (e.g. UAC2_EFFECT_UNIT) can be handled more cleanly. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 17821e2fb16752f5d363fb5c3f8aab4df41b9bcc Author: Takashi Iwai Date: Tue Aug 20 17:17:09 2019 +0200 ALSA: usb-audio: More validations of descriptor units commit 57f8770620e9b51c61089751f0b5ad3dbe376ff2 upstream. Introduce a new helper to validate each audio descriptor unit before and check the unit before actually accessing it. This should harden against the OOB access cases with malformed descriptors that have been recently frequently reported by fuzzers. The existing descriptor checks are still kept although they become superfluous after this patch. They'll be cleaned up eventually later. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5e36cf8edb5812e378b57511263d1a0a9172eeb9 Author: Al Viro Date: Sat Aug 3 11:51:18 2019 -0400 configfs: fix a deadlock in configfs_symlink() commit 351e5d869e5ac10cb40c78b5f2d7dfc816ad4587 upstream. Configfs abuses symlink(2). Unlike the normal filesystems, it wants the target resolved at symlink(2) time, like link(2) would've done. The problem is that ->symlink() is called with the parent directory locked exclusive, so resolving the target inside the ->symlink() is easily deadlocked. Short of really ugly games in sys_symlink() itself, all we can do is to unlock the parent before resolving the target and relock it after. However, that invalidates the checks done by the caller of ->symlink(), so we have to * check that dentry is still where it used to be (it couldn't have been moved, but it could've been unhashed) * recheck that it's still negative (somebody else might've successfully created a symlink with the same name while we were looking the target up) * recheck the permissions on the parent directory. Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 0dfc45be875a378c2a3a4d6ed8e668ec8eb75073 Author: Al Viro Date: Sat Aug 31 09:43:43 2019 +0200 configfs: provide exclusion between IO and removals commit b0841eefd9693827afb9888235e26ddd098f9cef upstream. Make sure that attribute methods are not called after the item has been removed from the tree. To do so, we * at the point of no return in removals, grab ->frag_sem exclusive and mark the fragment dead. * call the methods of attributes with ->frag_sem taken shared and only after having verified that the fragment is still alive. The main benefit is for method instances - they are guaranteed that the objects they are accessing *and* all ancestors are still there. Another win is that we don't need to bother with extra refcount on config_item when opening a file - the item will be alive for as long as it stays in the tree, and we won't touch it/attributes/any associated data after it's been removed from the tree. Signed-off-by: Al Viro Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 25c118d8d158655513b25f7861e84d10820c0987 Author: Al Viro Date: Sun Aug 25 19:56:13 2019 -0400 configfs: new object reprsenting tree fragments commit 47320fbe11a6059ae502c9c16b668022fdb4cf76 upstream. Refcounted, hangs of configfs_dirent, created by operations that add fragments to configfs tree (mkdir and configfs_register_{subsystem,group}). Will be used in the next commit to provide exclusion between fragment removal and ->show/->store calls. Signed-off-by: Al Viro Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 65524d647e9d7c185a33701ced4ef0dbf581ea5a Author: Al Viro Date: Thu Aug 29 23:13:30 2019 -0400 configfs_register_group() shouldn't be (and isn't) called in rmdirable parts commit f19e4ed1e1edbfa3c9ccb9fed17759b7d6db24c6 upstream. revert cc57c07343bd "configfs: fix registered group removal" It was an attempt to handle something that fundamentally doesn't work - configfs_register_group() should never be done in a part of tree that can be rmdir'ed. And in mainline it never had been, so let's not borrow trouble; the fix was racy anyway, it would take a lot more to make that work and desired semantics is not clear. Signed-off-by: Al Viro Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 2bd63490c1ddc72c96c363e1ae828ebed6aa2b86 Author: Al Viro Date: Fri Aug 30 11:30:03 2019 -0400 configfs: stash the data we need into configfs_buffer at open time commit ff4dd081977da56566a848f071aed8fa92d604a1 upstream. simplifies the ->read()/->write()/->release() instances nicely Signed-off-by: Al Viro Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit a7be2debb769092c7c07b9a866b055d8bee5afaf Author: Johan Hovold Date: Wed Oct 23 10:27:05 2019 +0200 can: peak_usb: fix slab info leak commit f7a1337f0d29b98733c8824e165fca3371d7d4fd upstream. Fix a small slab info leak due to a failure to clear the command buffer at allocation. The first 16 bytes of the command buffer are always sent to the device in pcan_usb_send_cmd() even though only the first two may have been initialised in case no argument payload is provided (e.g. when waiting for a response). Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") Cc: stable # 3.4 Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com Signed-off-by: Johan Hovold Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit ce9b94da0e043b7b0ec1bd3d0e451d956acff9c1 Author: Johan Hovold Date: Tue Oct 1 12:29:13 2019 +0200 can: mcba_usb: fix use-after-free on disconnect commit 4d6636498c41891d0482a914dd570343a838ad79 upstream. The driver was accessing its driver data after having freed it. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Cc: stable # 4.12 Cc: Remigiusz Kołłątaj Reported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com Signed-off-by: Johan Hovold Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 5a9e37f2029ffb888bf913722fc2086f1fdec2a7 Author: Wen Yang Date: Sat Sep 28 22:29:05 2019 +0800 can: dev: add missing of_node_put() after calling of_get_child_by_name() commit db9ee384f6f71f7c5296ce85b7c1a2a2527e7c72 upstream. of_node_put() needs to be called when the device node which is got from of_get_child_by_name() finished using. Fixes: 2290aefa2e90 ("can: dev: Add support for limiting configured bitrate") Cc: Franklin S Cooper Jr Signed-off-by: Wen Yang Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 9289226f69822de0b716c0fbfc31db0283f14e2b Author: Navid Emamdoost Date: Thu Sep 19 21:44:38 2019 -0500 can: gs_usb: gs_can_open(): prevent memory leak commit fb5be6a7b4863ecc44963bb80ca614584b6c7817 upstream. In gs_can_open() if usb_submit_urb() fails the allocated urb should be released. Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Cc: linux-stable Signed-off-by: Navid Emamdoost Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 9f5c59428843cef2a5cab4504f81ed21d1fcd9fa Author: Marc Kleine-Budde Date: Wed Oct 9 15:48:48 2019 +0200 can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak commit ca913f1ac024559ebc17f0b599af262f0ad997c9 upstream. If the rx-offload skb_queue is full can_rx_offload_queue_sorted() will not queue the skb and return with an error. None of the callers of this function, issue a kfree_skb() to free the not queued skb. This results in a memory leak. This patch fixes the problem by freeing the skb in case of a full queue. The return value is adjusted to -ENOBUFS to better reflect the actual problem. The device stats handling is left to the callers, as this function might be used in both the rx and tx path. Fixes: 55059f2b7f86 ("can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions") Cc: linux-stable Cc: Martin Hundebøll Reported-by: Martin Hundebøll Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit ef502d5a84d6cee904d18759f6069a34f6ff8098 Author: Stephane Grosjean Date: Tue Oct 8 10:35:44 2019 +0200 can: peak_usb: fix a potential out-of-sync while decoding packets commit de280f403f2996679e2607384980703710576fed upstream. When decoding a buffer received from PCAN-USB, the first timestamp read in a packet is a 16-bit coded time base, and the next ones are an 8-bit offset to this base, regardless of the type of packet read. This patch corrects a potential loss of synchronization by using a timestamp index read from the buffer, rather than an index of received data packets, to determine on the sizeof the timestamp to be read from the packet being decoded. Signed-off-by: Stephane Grosjean Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part") Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 7ae08111ca70d31813b26b12231793080da4b4e9 Author: Kurt Van Dijck Date: Tue Oct 1 09:40:36 2019 +0200 can: c_can: c_can_poll(): only read status register after status IRQ commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream. When the status register is read without the status IRQ pending, the chip may not raise the interrupt line for an upcoming status interrupt and the driver may miss a status interrupt. It is critical that the BUSOFF status interrupt is forwarded to the higher layers, since no more interrupts will follow without intervention. Thanks to Wolfgang and Joe for bringing up the first idea. Signed-off-by: Kurt Van Dijck Cc: Wolfgang Grandegger Cc: Joe Burmeister Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts") Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 0327c7818da27b018464c0b9f541c5d276c57172 Author: Joakim Zhang Date: Thu Aug 15 08:00:26 2019 +0000 can: flexcan: disable completely the ECC mechanism commit 5e269324db5adb2f5f6ec9a93a9c7b0672932b47 upstream. The ECC (memory error detection and correction) mechanism can be activated or not, controlled by the ECCDIS bit in CAN_MECR. When disabled, updates on indications and reporting registers are stopped. So if want to disable ECC completely, had better assert ECCDIS bit, not just mask the related interrupts. Fixes: cdce844865be ("can: flexcan: add vf610 support for FlexCAN") Signed-off-by: Joakim Zhang Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 46265660e5baea9d2120c55a887f89835c43b717 Author: Johan Hovold Date: Tue Oct 1 12:29:14 2019 +0200 can: usb_8dev: fix use-after-free on disconnect commit 3759739426186a924675651b388d1c3963c5710e upstream. The driver was accessing its driver data after having freed it. Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") Cc: stable # 3.9 Cc: Bernd Krumboeck Cc: Wolfgang Grandegger Signed-off-by: Johan Hovold Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit d8a76e300e37fea82662b9aadbb1f01514e78feb Author: Pavel Shilovsky Date: Wed Nov 6 13:58:15 2019 -0800 SMB3: Fix persistent handles reconnect commit d243af7ab9feb49f11f2c0050d2077e2d9556f9b upstream. When the client hits a network reconnect, it re-opens every open file with a create context to reconnect a persistent handle. All create context types should be 8-bytes aligned but the padding was missed for that one. As a result, some servers don't allow us to reconnect handles and return an error. The problem occurs when the problematic context is not at the end of the create request packet. Fix this by adding a proper padding at the end of the reconnect persistent handle context. Cc: Stable # 4.19.x Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit caddaf43b02403d42a2f6c5c05f7ca12da79cff4 Author: Jan Beulich Date: Tue Oct 29 10:34:19 2019 +0100 x86/apic/32: Avoid bogus LDR warnings commit fe6f85ca121e9c74e7490fe66b0c5aae38e332c3 upstream. The removal of the LDR initialization in the bigsmp_32 APIC code unearthed a problem in setup_local_APIC(). The code checks unconditionally for a mismatch of the logical APIC id by comparing the early APIC id which was initialized in get_smp_config() with the actual LDR value in the APIC. Due to the removal of the bogus LDR initialization the check now can trigger on bigsmp_32 APIC systems emitting a warning for every booting CPU. This is of course a false positive because the APIC is not using logical destination mode. Restrict the check and the possibly resulting fixup to systems which are actually using the APIC in logical destination mode. [ tglx: Massaged changelog and added Cc stable ] Fixes: bae3a8d3308 ("x86/apic: Do not initialize LDR and DFR for bigsmp") Signed-off-by: Jan Beulich Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/666d8f91-b5a8-1afd-7add-821e72a35f03@suse.com Signed-off-by: Greg Kroah-Hartman commit dc1a91dc4917c81a5a090a61fae0f4db57dda7bc Author: Alexander Shishkin Date: Mon Oct 28 09:06:51 2019 +0200 intel_th: pci: Add Jasper Lake PCH support commit 9d55499d8da49e9261e95a490f3fda41d955f505 upstream. This adds support for Intel TH on Jasper Lake PCH. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191028070651.9770-8-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit f9d3aea1dca2ef51bce371cd684d412d67775778 Author: Alexander Shishkin Date: Mon Oct 28 09:06:50 2019 +0200 intel_th: pci: Add Comet Lake PCH support commit 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 upstream. This adds support for Intel TH on Comet Lake PCH. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191028070651.9770-7-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 64997ee49c8cd3b374e62e2ecaebdfc213510215 Author: Dan Carpenter Date: Sat Aug 24 17:49:55 2019 +0300 netfilter: ipset: Fix an error code in ip_set_sockfn_get() commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream. The copy_to_user() function returns the number of bytes remaining to be copied. In this code, that positive return is checked at the end of the function and we return zero/success. What we should do instead is return -EFAULT. Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Dan Carpenter Signed-off-by: Jozsef Kadlecsik Signed-off-by: Greg Kroah-Hartman commit 1b0e60f6a48bc07ef694347ed15b163bf9c76ff8 Author: Lukas Wunner Date: Thu Oct 31 11:06:24 2019 +0100 netfilter: nf_tables: Align nft_expr private data to 64-bit commit 250367c59e6ba0d79d702a059712d66edacd4a1a upstream. Invoking the following commands on a 32-bit architecture with strict alignment requirements (such as an ARMv7-based Raspberry Pi) results in an alignment exception: # nft add table ip test-ip4 # nft add chain ip test-ip4 output { type filter hook output priority 0; } # nft add rule ip test-ip4 output quota 1025 bytes Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>] Unhandled fault: alignment exception (0x001) at 0xb832e824 Internal error: : 1 [#1] PREEMPT SMP ARM Hardware name: BCM2835 [<7f4473fc>] (nft_quota_do_init [nft_quota]) [<7f447448>] (nft_quota_init [nft_quota]) [<7f4260d0>] (nf_tables_newrule [nf_tables]) [<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink]) [<7f416bd0>] (nfnetlink_rcv [nfnetlink]) [<8078b334>] (netlink_unicast) [<8078b664>] (netlink_sendmsg) [<8071b47c>] (sock_sendmsg) [<8071bd18>] (___sys_sendmsg) [<8071ce3c>] (__sys_sendmsg) [<8071ce94>] (sys_sendmsg) The reason is that nft_quota_do_init() calls atomic64_set() on an atomic64_t which is only aligned to 32-bit, not 64-bit, because it succeeds struct nft_expr in memory which only contains a 32-bit pointer. Fix by aligning the nft_expr private data to 64-bit. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 2dae80b5b666550f8f544bdf638c11fa86edafd0 Author: Ondrej Jirman Date: Mon Oct 28 22:49:14 2019 +0100 ARM: sunxi: Fix CPU powerdown on A83T commit e690053e97e7a9c968df9a97cef9089dfa8e6a44 upstream. PRCM_PWROFF_GATING_REG has CPU0 at bit 4 on A83T. So without this patch, instead of gating the CPU0, the whole cluster was power gated, when shutting down first CPU in the cluster. Fixes: 6961275e72a8c1 ("ARM: sun8i: smp: Add support for A83T") Signed-off-by: Ondrej Jirman Acked-by: Chen-Yu Tsai Cc: stable@vger.kernel.org Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 20b9e094dcd342bbd029cc6129abd559e406b9f0 Author: Andreas Klinger Date: Sun Oct 6 16:29:56 2019 +0200 iio: srf04: fix wrong limitation in distance measuring commit 431f7667bd6889a274913162dfd19cce9d84848e upstream. The measured time value in the driver is limited to the maximum distance which can be read by the sensor. This limitation was wrong and is fixed by this patch. It also takes into account that we are supporting a variety of sensors today and that the recently added sensors have a higher maximum distance range. Changes in v2: - Added a Tested-by Suggested-by: Zbyněk Kocur Tested-by: Zbyněk Kocur Signed-off-by: Andreas Klinger Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit bee45b44b13e97ee4a646d48004fb6db18f90a16 Author: Alexandru Ardelean Date: Tue Oct 8 17:15:37 2019 +0300 iio: imu: adis16480: make sure provided frequency is positive commit 24e1eb5c0d78cfb9750b690bbe997d4d59170258 upstream. It could happen that either `val` or `val2` [provided from userspace] is negative. In that case the computed frequency could get a weird value. Fix this by checking that neither of the 2 variables is negative, and check that the computed result is not-zero. Fixes: e4f959390178 ("iio: imu: adis16480 switch sampling frequency attr to core support") Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a428996147e2bc4d011cc69f12627cc14e23da72 Author: Fabrice Gasnier Date: Fri Oct 25 17:04:20 2019 +0200 iio: adc: stm32-adc: fix stopping dma commit e6afcf6c598d6f3a0c9c408bfeddb3f5730608b0 upstream. There maybe a race when using dmaengine_terminate_all(). The predisable routine may call iio_triggered_buffer_predisable() prior to a pending DMA callback. Adopt dmaengine_terminate_sync() to ensure there's no pending DMA request before calling iio_triggered_buffer_predisable(). Fixes: 2763ea0585c9 ("iio: adc: stm32: add optional dma support") Signed-off-by: Fabrice Gasnier Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 78a1d6cdd3021715d431df617304c290036faae4 Author: Al Viro Date: Tue Oct 29 13:53:29 2019 +0000 ceph: add missing check in d_revalidate snapdir handling commit 1f08529c84cfecaf1261ed9b7e17fab18541c58f upstream. We should not play with dcache without parent locked... Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 6f9657793a6eea9d9e1f27b26deda0f77ecc4684 Author: Luis Henriques Date: Fri Oct 25 14:05:24 2019 +0100 ceph: fix use-after-free in __ceph_remove_cap() commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream. KASAN reports a use-after-free when running xfstest generic/531, with the following trace: [ 293.903362] kasan_report+0xe/0x20 [ 293.903365] rb_erase+0x1f/0x790 [ 293.903370] __ceph_remove_cap+0x201/0x370 [ 293.903375] __ceph_remove_caps+0x4b/0x70 [ 293.903380] ceph_evict_inode+0x4e/0x360 [ 293.903386] evict+0x169/0x290 [ 293.903390] __dentry_kill+0x16f/0x250 [ 293.903394] dput+0x1c6/0x440 [ 293.903398] __fput+0x184/0x330 [ 293.903404] task_work_run+0xb9/0xe0 [ 293.903410] exit_to_usermode_loop+0xd3/0xe0 [ 293.903413] do_syscall_64+0x1a0/0x1c0 [ 293.903417] entry_SYSCALL_64_after_hwframe+0x44/0xa9 This happens because __ceph_remove_cap() may queue a cap release (__ceph_queue_cap_release) which can be scheduled before that cap is removed from the inode list with rb_erase(&cap->ci_node, &ci->i_caps); And, when this finally happens, the use-after-free will occur. This can be fixed by removing the cap from the inode list before being removed from the session list, and thus eliminating the risk of an UAF. Cc: stable@vger.kernel.org Signed-off-by: Luis Henriques Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 3840610d60b2e80bf49dba78d5dd9711cfd2207b Author: Catalin Marinas Date: Wed Nov 6 15:41:05 2019 +0000 arm64: Do not mask out PTE_RDONLY in pte_same() commit 6767df245f4736d0cf0c6fb7cf9cf94b27414245 upstream. Following commit 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()"), the PTE_RDONLY bit is no longer managed by set_pte_at() but built into the PAGE_* attribute definitions. Consequently, pte_same() must include this bit when checking two PTEs for equality. Remove the arm64-specific pte_same() function, practically reverting commit 747a70e60b72 ("arm64: Fix copy-on-write referencing in HugeTLB") Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()") Cc: # 4.14.x- Cc: Will Deacon Cc: Steve Capper Reported-by: John Stultz Signed-off-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 56f270a1d72c6afcdfd92385682d96965305bc0f Author: Bard Liao Date: Fri Aug 30 02:11:35 2019 +0800 soundwire: bus: set initial value to port_status commit f1fac63af678b2fc1044ca71fedf1f2ae8bf7c3b upstream. port_status[port_num] are assigned for each port_num in some if conditions. So some of the port_status may not be initialized. Signed-off-by: Bard Liao Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20190829181135.16049-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 9a06efc745c37e62888142671e23624f136c3117 Author: Michal Suchanek Date: Thu Oct 3 12:13:54 2019 +0200 soundwire: depend on ACPI commit 52eb063d153ac310058fbaa91577a72c0e7a7169 upstream. The device cannot be probed on !ACPI and gives this warning: drivers/soundwire/slave.c:16:12: warning: ‘sdw_slave_add’ defined but not used [-Wunused-function] static int sdw_slave_add(struct sdw_bus *bus, ^~~~~~~~~~~~~ Cc: stable@vger.kernel.org Fixes: 7c3cd189b86d ("soundwire: Add Master registration") Signed-off-by: Michal Suchanek Link: https://lore.kernel.org/r/bd685232ea511251eeb9554172f1524eabf9a46e.1570097621.git.msuchanek@suse.de Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit a81a4637456b75e6e2b2a81911c4ea960c7f8cae Author: Jason Gerecke Date: Wed Nov 6 11:59:46 2019 -0800 HID: wacom: generic: Treat serial number and related fields as unsigned commit ff479731c3859609530416a18ddb3db5db019b66 upstream. The HID descriptors for most Wacom devices oddly declare the serial number and other related fields as signed integers. When these numbers are ingested by the HID subsystem, they are automatically sign-extended into 32-bit integers. We treat the fields as unsigned elsewhere in the kernel and userspace, however, so this sign-extension causes problems. In particular, the sign-extended tool ID sent to userspace as ABS_MISC does not properly match unsigned IDs used by xf86-input-wacom and libwacom. We introduce a function 'wacom_s32tou' that can undo the automatic sign extension performed by 'hid_snto32'. We call this function when processing the serial number and related fields to ensure that we are dealing with and reporting the unsigned form. We opt to use this method rather than adding a descriptor fixup in 'wacom_hid_usage_quirk' since it should be more robust in the face of future devices. Ref: https://github.com/linuxwacom/input-wacom/issues/134 Fixes: f85c9dc678 ("HID: wacom: generic: Support tool ID and additional tool types") CC: # v4.10+ Signed-off-by: Jason Gerecke Reviewed-by: Aaron Armstrong Skomra Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit e3fdd0c1a3d0d15d3367216e60304ca28475f66b Author: Alex Deucher Date: Wed Oct 30 10:21:28 2019 -0400 drm/radeon: fix si_enable_smc_cac() failed issue commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream. Need to set the dte flag on this asic. Port the fix from amdgpu: 5cb818b861be114 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue") Reviewed-by: Yong Zhao Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit f39fbd05f921636c84b997e34b0c644759ee68c6 Author: Jiri Olsa Date: Tue Nov 5 00:27:11 2019 +0100 perf tools: Fix time sorting commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream. The final sort might get confused when the comparison is done over bigger numbers than int like for -s time. Check the following report for longer workloads: $ perf report -s time -F time,overhead --stdio Fix hist_entry__sort() to properly return int64_t and not possible cut int. Fixes: 043ca389a318 ("perf tools: Use hpp formats to sort final output") Signed-off-by: Jiri Olsa Reviewed-by: Andi Kleen Cc: Alexander Shishkin Cc: Michael Petlan Cc: Namhyung Kim Cc: Peter Zijlstra Cc: stable@vger.kernel.org # v3.16+ Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 66d53cd683a82eabecdc1367bfa9a0abce5d1e13 Author: Shuah Khan Date: Thu Sep 26 19:16:41 2019 -0600 tools: gpio: Use !building_out_of_srctree to determine srctree commit 4a6a6f5c4aeedb72db871d60bfcca89835f317aa upstream. make TARGETS=gpio kselftest fails with: Makefile:23: tools/build/Makefile.include: No such file or directory When the gpio tool make is invoked from tools Makefile, srctree is cleared and the current logic check for srctree equals to empty string to determine srctree location from CURDIR. When the build in invoked from selftests/gpio Makefile, the srctree is set to "." and the same logic used for srctree equals to empty is needed to determine srctree. Check building_out_of_srctree undefined as the condition for both cases to fix "make TARGETS=gpio kselftest" build failure. Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 8e358a02761106abcfaac5eb8c59e44ba923e8ca Author: Kevin Hao Date: Tue Nov 5 21:16:57 2019 -0800 dump_stack: avoid the livelock of the dump_lock commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream. In the current code, we use the atomic_cmpxchg() to serialize the output of the dump_stack(), but this implementation suffers the thundering herd problem. We have observed such kind of livelock on a Marvell cn96xx board(24 cpus) when heavily using the dump_stack() in a kprobe handler. Actually we can let the competitors to wait for the releasing of the lock before jumping to atomic_cmpxchg(). This will definitely mitigate the thundering herd problem. Thanks Linus for the suggestion. [akpm@linux-foundation.org: fix comment] Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com Fixes: b58d977432c8 ("dump_stack: serialize the output from dump_stack()") Signed-off-by: Kevin Hao Suggested-by: Linus Torvalds Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6c944fc51f0a798071967288144c9f9859864259 Author: Michal Hocko Date: Tue Nov 5 21:16:40 2019 -0800 mm, vmstat: hide /proc/pagetypeinfo from normal users commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream. /proc/pagetypeinfo is a debugging tool to examine internal page allocator state wrt to fragmentation. It is not very useful for any other use so normal users really do not need to read this file. Waiman Long has noticed that reading this file can have negative side effects because zone->lock is necessary for gathering data and that a) interferes with the page allocator and its users and b) can lead to hard lockups on large machines which have very long free_list. Reduce both issues by simply not exporting the file to regular users. Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo") Signed-off-by: Michal Hocko Reported-by: Waiman Long Acked-by: Mel Gorman Acked-by: Vlastimil Babka Acked-by: Waiman Long Acked-by: Rafael Aquini Acked-by: David Rientjes Reviewed-by: Andrew Morton Cc: David Hildenbrand Cc: Johannes Weiner Cc: Roman Gushchin Cc: Konstantin Khlebnikov Cc: Jann Horn Cc: Song Liu Cc: Greg Kroah-Hartman Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2686f71fdcc5533bb5cecda8caeff5fedb6f1da1 Author: Yang Shi Date: Tue Nov 5 21:16:30 2019 -0800 mm: thp: handle page cache THP correctly in PageTransCompoundMap commit 169226f7e0d275c1879551f37484ef6683579a5c upstream. We have a usecase to use tmpfs as QEMU memory backend and we would like to take the advantage of THP as well. But, our test shows the EPT is not PMD mapped even though the underlying THP are PMD mapped on host. The number showed by /sys/kernel/debug/kvm/largepage is much less than the number of PMD mapped shmem pages as the below: 7f2778200000-7f2878200000 rw-s 00000000 00:14 262232 /dev/shm/qemu_back_mem.mem.Hz2hSf (deleted) Size: 4194304 kB [snip] AnonHugePages: 0 kB ShmemPmdMapped: 579584 kB [snip] Locked: 0 kB cat /sys/kernel/debug/kvm/largepages 12 And some benchmarks do worse than with anonymous THPs. By digging into the code we figured out that commit 127393fbe597 ("mm: thp: kvm: fix memory corruption in KVM with THP enabled") checks if there is a single PTE mapping on the page for anonymous THP when setting up EPT map. But the _mapcount < 0 check doesn't work for page cache THP since every subpage of page cache THP would get _mapcount inc'ed once it is PMD mapped, so PageTransCompoundMap() always returns false for page cache THP. This would prevent KVM from setting up PMD mapped EPT entry. So we need handle page cache THP correctly. However, when page cache THP's PMD gets split, kernel just remove the map instead of setting up PTE map like what anonymous THP does. Before KVM calls get_user_pages() the subpages may get PTE mapped even though it is still a THP since the page cache THP may be mapped by other processes at the mean time. Checking its _mapcount and whether the THP has PTE mapped or not. Although this may report some false negative cases (PTE mapped by other processes), it looks not trivial to make this accurate. With this fix /sys/kernel/debug/kvm/largepage would show reasonable pages are PMD mapped by EPT as the below: 7fbeaee00000-7fbfaee00000 rw-s 00000000 00:14 275464 /dev/shm/qemu_back_mem.mem.SKUvat (deleted) Size: 4194304 kB [snip] AnonHugePages: 0 kB ShmemPmdMapped: 557056 kB [snip] Locked: 0 kB cat /sys/kernel/debug/kvm/largepages 271 And the benchmarks are as same as anonymous THPs. [yang.shi@linux.alibaba.com: v4] Link: http://lkml.kernel.org/r/1571865575-42913-1-git-send-email-yang.shi@linux.alibaba.com Link: http://lkml.kernel.org/r/1571769577-89735-1-git-send-email-yang.shi@linux.alibaba.com Fixes: dd78fedde4b9 ("rmap: support file thp") Signed-off-by: Yang Shi Reported-by: Gang Deng Tested-by: Gang Deng Suggested-by: Hugh Dickins Acked-by: Kirill A. Shutemov Cc: Andrea Arcangeli Cc: Matthew Wilcox Cc: [4.8+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7dfa51beacac6616dc460746238ecc5fe658b676 Author: Mel Gorman Date: Tue Nov 5 21:16:27 2019 -0800 mm, meminit: recalculate pcpu batch and high limits after init completes commit 3e8fc0075e24338b1117cdff6a79477427b8dbed upstream. Deferred memory initialisation updates zone->managed_pages during the initialisation phase but before that finishes, the per-cpu page allocator (pcpu) calculates the number of pages allocated/freed in batches as well as the maximum number of pages allowed on a per-cpu list. As zone->managed_pages is not up to date yet, the pcpu initialisation calculates inappropriately low batch and high values. This increases zone lock contention quite severely in some cases with the degree of severity depending on how many CPUs share a local zone and the size of the zone. A private report indicated that kernel build times were excessive with extremely high system CPU usage. A perf profile indicated that a large chunk of time was lost on zone->lock contention. This patch recalculates the pcpu batch and high values after deferred initialisation completes for every populated zone in the system. It was tested on a 2-socket AMD EPYC 2 machine using a kernel compilation workload -- allmodconfig and all available CPUs. mmtests configuration: config-workload-kernbench-max Configuration was modified to build on a fresh XFS partition. kernbench 5.4.0-rc3 5.4.0-rc3 vanilla resetpcpu-v2 Amean user-256 13249.50 ( 0.00%) 16401.31 * -23.79%* Amean syst-256 14760.30 ( 0.00%) 4448.39 * 69.86%* Amean elsp-256 162.42 ( 0.00%) 119.13 * 26.65%* Stddev user-256 42.97 ( 0.00%) 19.15 ( 55.43%) Stddev syst-256 336.87 ( 0.00%) 6.71 ( 98.01%) Stddev elsp-256 2.46 ( 0.00%) 0.39 ( 84.03%) 5.4.0-rc3 5.4.0-rc3 vanilla resetpcpu-v2 Duration User 39766.24 49221.79 Duration System 44298.10 13361.67 Duration Elapsed 519.11 388.87 The patch reduces system CPU usage by 69.86% and total build time by 26.65%. The variance of system CPU usage is also much reduced. Before, this was the breakdown of batch and high values over all zones was: 256 batch: 1 256 batch: 63 512 batch: 7 256 high: 0 256 high: 378 512 high: 42 512 pcpu pagesets had a batch limit of 7 and a high limit of 42. After the patch: 256 batch: 1 768 batch: 63 256 high: 0 768 high: 378 [mgorman@techsingularity.net: fix merge/linkage snafu] Link: http://lkml.kernel.org/r/20191023084705.GD3016@techsingularity.netLink: http://lkml.kernel.org/r/20191021094808.28824-2-mgorman@techsingularity.net Signed-off-by: Mel Gorman Acked-by: Michal Hocko Acked-by: Vlastimil Babka Acked-by: David Hildenbrand Cc: Matt Fleming Cc: Thomas Gleixner Cc: Borislav Petkov Cc: Qian Cai Cc: [4.1+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8e6bf4bc3a88e4b84e5c4ec50143a71a61503336 Author: Johannes Weiner Date: Tue Nov 5 21:17:13 2019 -0800 mm: memcontrol: fix network errors from failing __GFP_ATOMIC charges commit 869712fd3de5a90b7ba23ae1272278cddc66b37b upstream. While upgrading from 4.16 to 5.2, we noticed these allocation errors in the log of the new kernel: SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC) cache: tw_sock_TCPv6(960:helper-logs), object size: 232, buffer size: 240, default order: 1, min order: 0 node 0: slabs: 5, objs: 170, free: 0 slab_out_of_memory+1 ___slab_alloc+969 __slab_alloc+14 kmem_cache_alloc+346 inet_twsk_alloc+60 tcp_time_wait+46 tcp_fin+206 tcp_data_queue+2034 tcp_rcv_state_process+784 tcp_v6_do_rcv+405 __release_sock+118 tcp_close+385 inet_release+46 __sock_release+55 sock_close+17 __fput+170 task_work_run+127 exit_to_usermode_loop+191 do_syscall_64+212 entry_SYSCALL_64_after_hwframe+68 accompanied by an increase in machines going completely radio silent under memory pressure. One thing that changed since 4.16 is e699e2c6a654 ("net, mm: account sock objects to kmemcg"), which made these slab caches subject to cgroup memory accounting and control. The problem with that is that cgroups, unlike the page allocator, do not maintain dedicated atomic reserves. As a cgroup's usage hovers at its limit, atomic allocations - such as done during network rx - can fail consistently for extended periods of time. The kernel is not able to operate under these conditions. We don't want to revert the culprit patch, because it indeed tracks a potentially substantial amount of memory used by a cgroup. We also don't want to implement dedicated atomic reserves for cgroups. There is no point in keeping a fixed margin of unused bytes in the cgroup's memory budget to accomodate a consumer that is impossible to predict - we'd be wasting memory and get into configuration headaches, not unlike what we have going with min_free_kbytes. We do this for physical mem because we have to, but cgroups are an accounting game. Instead, account these privileged allocations to the cgroup, but let them bypass the configured limit if they have to. This way, we get the benefits of accounting the consumed memory and have it exert pressure on the rest of the cgroup, but like with the page allocator, we shift the burden of reclaimining on behalf of atomic allocations onto the regular allocations that can block. Link: http://lkml.kernel.org/r/20191022233708.365764-1-hannes@cmpxchg.org Fixes: e699e2c6a654 ("net, mm: account sock objects to kmemcg") Signed-off-by: Johannes Weiner Reviewed-by: Shakeel Butt Cc: Suleiman Souhlal Cc: Michal Hocko Cc: [4.18+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6ecc16351a841de64541165481ad61fd6a3d1aee Author: Takashi Iwai Date: Tue Nov 5 14:43:16 2019 +0100 ALSA: hda/ca0132 - Fix possible workqueue stall commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream. The unsolicited event handler for the headphone jack on CA0132 codec driver tries to reschedule the another delayed work with cancel_delayed_work_sync(). It's no good idea, unfortunately, especially after we changed the work queue to the standard global one; this may lead to a stall because both works are using the same global queue. Fix it by dropping the _sync but does call cancel_delayed_work() instead. Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.") BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836 Cc: Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6921b160991223665642594d9ce64652e8c06a9a Author: Takashi Sakamoto Date: Sun Nov 3 00:09:20 2019 +0900 ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream. For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents configured source of sampling clock. The next lowest 8 bits represents whether the configured source is actually detected or not just after the register is changed for the source. Current implementation evaluates whole the register to detect configured source. This results in failure due to the next lowest 8 bits when the source is connected in advance. This commit fixes the bug. Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series") Cc: # v3.16+ Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b85472244b7051538047ddd32ae0a897928df35b Author: Takashi Iwai Date: Wed Nov 6 17:55:47 2019 +0100 ALSA: timer: Fix incorrectly assigned timer instance commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream. The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") unified the error handling code paths with the standard goto, but it introduced a subtle bug: the timer instance is stored in snd_timer_open() incorrectly even if it returns an error. This may eventually lead to UAF, as spotted by fuzzer. The culprit is the snd_timer_open() code checks the SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri. This variable is supposed to be the newly created instance, but we (ab-)used it for a temporary check before the actual creation of a timer instance. After that point, there is another check for the max number of instances, and it bails out if over the threshold. Before the refactoring above, it worked fine because the code returned directly from that point. After the refactoring, however, it jumps to the unified error path that stores the timeri variable in return -- even if it returns an error. Unfortunately this stored value is kept in the caller side (snd_timer_user_tselect()) in tu->timeri. This causes inconsistency later, as if the timer was successfully assigned. In this patch, we fix it by not re-using timeri variable but a temporary variable for testing the exclusive connection, so timeri remains NULL at that point. Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") Reported-and-tested-by: Tristan Madani Cc: Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 107451b87ea548b9ac6a744d0f2fb14ee962f3aa Author: Salil Mehta Date: Thu Nov 7 17:09:53 2019 +0000 net: hns: Fix the stray netpoll locks causing deadlock in NAPI path [ Upstream commit bf5a6b4c474c589244dc25ee1af2c3c829228ef8 ] This patch fixes the problem of the spin locks, originally meant for the netpoll path of hns driver, causing deadlock in the normal NAPI poll path. The issue happened due to the presence of the stray leftover spin lock code related to the netpoll, whose support was earlier removed from the HNS[1], got activated due to enabling of NET_POLL_CONTROLLER switch. Earlier background: The netpoll handling code originally had this bug(as identified by Marc Zyngier[2]) of wrong spin lock API being used which did not disable the interrupts and hence could cause locking issues. i.e. if the lock were first acquired in context to thread like 'ip' util and this lock if ever got later acquired again in context to the interrupt context like TX/RX (Interrupts could always pre-empt the lock holding task and acquire the lock again) and hence could cause deadlock. Proposed Solution: 1. If the netpoll was enabled in the HNS driver, which is not right now, we could have simply used spin_[un]lock_irqsave() 2. But as netpoll is disabled, therefore, it is best to get rid of the existing locks and stray code for now. This should solve the problem reported by Marc. [1] https://git.kernel.org/torvalds/c/4bd2c03be7 [2] https://patchwork.ozlabs.org/patch/1189139/ Fixes: 4bd2c03be707 ("net: hns: remove ndo_poll_controller") Cc: lipeng Cc: Yisen Zhuang Cc: Eric Dumazet Cc: David S. Miller Reported-by: Marc Zyngier Acked-by: Marc Zyngier Tested-by: Marc Zyngier Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 26e398dcb3f1b80817bfd6e66745ce5ffdaf7357 Author: Eric Dumazet Date: Thu Nov 7 09:26:19 2019 -0800 ipv6: fixes rt6_probe() and fib6_nh->last_probe init [ Upstream commit 1bef4c223b8588cf50433bdc2c6953d82949b3b3 ] While looking at a syzbot KCSAN report [1], I found multiple issues in this code : 1) fib6_nh->last_probe has an initial value of 0. While probably okay on 64bit kernels, this causes an issue on 32bit kernels since the time_after(jiffies, 0 + interval) might be false ~24 days after boot (for HZ=1000) 2) The data-race found by KCSAN I could use READ_ONCE() and WRITE_ONCE(), but we also can take the opportunity of not piling-up too many rt6_probe_deferred() works by using instead cmpxchg() so that only one cpu wins the race. [1] BUG: KCSAN: data-race in find_match / find_match write to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 1: rt6_probe net/ipv6/route.c:663 [inline] find_match net/ipv6/route.c:757 [inline] find_match+0x5bd/0x790 net/ipv6/route.c:733 __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831 find_rr_leaf net/ipv6/route.c:852 [inline] rt6_select net/ipv6/route.c:896 [inline] fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164 ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200 ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452 fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117 ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484 ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497 ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049 ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150 inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106 inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] tcp_xmit_probe_skb+0x19b/0x1d0 net/ipv4/tcp_output.c:3735 read to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 0: rt6_probe net/ipv6/route.c:657 [inline] find_match net/ipv6/route.c:757 [inline] find_match+0x521/0x790 net/ipv6/route.c:733 __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831 find_rr_leaf net/ipv6/route.c:852 [inline] rt6_select net/ipv6/route.c:896 [inline] fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164 ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200 ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452 fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117 ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484 ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497 ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049 ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150 inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106 inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 18894 Comm: udevd Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: cc3a86c802f0 ("ipv6: Change rt6_probe to take a fib6_nh") Fixes: f547fac624be ("ipv6: rate-limit probes for neighbourless routes") Signed-off-by: Eric Dumazet Reported-by: syzbot Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 05b761423d67c06252a858d3cc14e80aead36773 Author: Claudiu Manoil Date: Tue Nov 5 23:50:14 2019 +0200 net: mscc: ocelot: fix NULL pointer on LAG slave removal [ Upstream commit 3b3eed8eec47259939ee6c3d58aea1c311ddee3b ] lag_upper_info may be NULL on slave removal. Fixes: dc96ee3730fc ("net: mscc: ocelot: add bonding support") Signed-off-by: Claudiu Manoil Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1cfc967ef584ad0e514e6445d599d254db777530 Author: Claudiu Manoil Date: Tue Nov 5 23:50:13 2019 +0200 net: mscc: ocelot: don't handle netdev events for other netdevs [ Upstream commit 7afb3e575e5aa9f5a200a3eb3f45d8130f6d6601 ] The check that the event is actually for this device should be moved from the "port" handler to the net device handler. Otherwise the port handler will deny bonding configuration for other net devices in the same system (like enetc in the LS1028A) that don't have the lag_upper_info->tx_type restriction that ocelot has. Fixes: dc96ee3730fc ("net: mscc: ocelot: add bonding support") Signed-off-by: Claudiu Manoil Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a6fdbaeef1f2e76c11ef466513a12b5f77ee6da9 Author: Manish Chopra Date: Fri Nov 8 02:42:30 2019 -0800 qede: fix NULL pointer deref in __qede_remove() [ Upstream commit deabc87111c690097c03765ea017cd500f7376fc ] While rebooting the system with SR-IOV vfs enabled leads to below crash due to recurrence of __qede_remove() on the VF devices (first from .shutdown() flow of the VF itself and another from PF's .shutdown() flow executing pci_disable_sriov()) This patch adds a safeguard in __qede_remove() flow to fix this, so that driver doesn't attempt to remove "already removed" devices. [ 194.360134] BUG: unable to handle kernel NULL pointer dereference at 00000000000008dc [ 194.360227] IP: [] __qede_remove+0x24/0x130 [qede] [ 194.360304] PGD 0 [ 194.360325] Oops: 0000 [#1] SMP [ 194.360360] Modules linked in: tcp_lp fuse tun bridge stp llc devlink bonding ip_set nfnetlink ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_umad rpcrdma sunrpc rdma_ucm ib_uverbs ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas vfat fat pcc_cpufreq skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd qedr ib_core pcspkr ses enclosure joydev ipmi_ssif sg i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf ipmi_msghandler tpm_crb acpi_pad acpi_power_meter xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel mgag200 [ 194.361044] qede i2c_algo_bit drm_kms_helper qed syscopyarea sysfillrect nvme sysimgblt fb_sys_fops ttm nvme_core mpt3sas crc8 ptp drm pps_core ahci raid_class scsi_transport_sas libahci libata drm_panel_orientation_quirks nfit libnvdimm dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_tables] [ 194.361297] CPU: 51 PID: 7996 Comm: reboot Kdump: loaded Not tainted 3.10.0-1062.el7.x86_64 #1 [ 194.361359] Hardware name: Dell Inc. PowerEdge MX840c/0740HW, BIOS 2.4.6 10/15/2019 [ 194.361412] task: ffff9cea9b360000 ti: ffff9ceabebdc000 task.ti: ffff9ceabebdc000 [ 194.361463] RIP: 0010:[] [] __qede_remove+0x24/0x130 [qede] [ 194.361534] RSP: 0018:ffff9ceabebdfac0 EFLAGS: 00010282 [ 194.361570] RAX: 0000000000000000 RBX: ffff9cd013846098 RCX: 0000000000000000 [ 194.361621] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9cd013846098 [ 194.361668] RBP: ffff9ceabebdfae8 R08: 0000000000000000 R09: 0000000000000000 [ 194.361715] R10: 00000000bfe14201 R11: ffff9ceabfe141e0 R12: 0000000000000000 [ 194.361762] R13: ffff9cd013846098 R14: 0000000000000000 R15: ffff9ceab5e48000 [ 194.361810] FS: 00007f799c02d880(0000) GS:ffff9ceacb0c0000(0000) knlGS:0000000000000000 [ 194.361865] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 194.361903] CR2: 00000000000008dc CR3: 0000001bdac76000 CR4: 00000000007607e0 [ 194.361953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 194.362002] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 194.362051] PKRU: 55555554 [ 194.362073] Call Trace: [ 194.362109] [] qede_remove+0x10/0x20 [qede] [ 194.362180] [] pci_device_remove+0x3e/0xc0 [ 194.362240] [] __device_release_driver+0x82/0xf0 [ 194.362285] [] device_release_driver+0x23/0x30 [ 194.362343] [] pci_stop_bus_device+0x84/0xa0 [ 194.362388] [] pci_stop_and_remove_bus_device+0x12/0x20 [ 194.362450] [] pci_iov_remove_virtfn+0xaf/0x160 [ 194.362496] [] sriov_disable+0x3c/0xf0 [ 194.362534] [] pci_disable_sriov+0x23/0x30 [ 194.362599] [] qed_sriov_disable+0x5e3/0x650 [qed] [ 194.362658] [] ? kfree+0x106/0x140 [ 194.362709] [] ? qed_free_stream_mem+0x70/0x90 [qed] [ 194.362754] [] ? kfree+0x106/0x140 [ 194.362803] [] qed_slowpath_stop+0x1a9/0x1d0 [qed] [ 194.362854] [] __qede_remove+0xae/0x130 [qede] [ 194.362904] [] qede_shutdown+0x10/0x20 [qede] [ 194.362956] [] pci_device_shutdown+0x3a/0x60 [ 194.363010] [] device_shutdown+0xfb/0x1f0 [ 194.363066] [] kernel_restart_prepare+0x36/0x40 [ 194.363107] [] kernel_restart+0x12/0x60 [ 194.363146] [] SYSC_reboot+0x229/0x260 [ 194.363196] [] ? handle_mm_fault+0x39d/0x9b0 [ 194.363253] [] ? __switch_to+0x151/0x580 [ 194.363304] [] ? __schedule+0x448/0x9c0 [ 194.363343] [] SyS_reboot+0xe/0x10 [ 194.363387] [] system_call_fastpath+0x25/0x2a [ 194.363430] Code: f9 e9 37 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 4c 8d af 98 00 00 00 41 54 4c 89 ef 41 89 f4 53 e8 4c e4 55 f9 <80> b8 dc 08 00 00 01 48 89 c3 4c 8d b8 c0 08 00 00 4c 8b b0 c0 [ 194.363712] RIP [] __qede_remove+0x24/0x130 [qede] [ 194.363764] RSP [ 194.363791] CR2: 00000000000008dc Signed-off-by: Manish Chopra Signed-off-by: Ariel Elior Signed-off-by: Sudarsana Kalluru Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 956b38853517d55af18b6c74039f485f9b3fcd96 Author: Pan Bian Date: Thu Nov 7 09:33:20 2019 +0800 NFC: st21nfca: fix double free [ Upstream commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 ] The variable nfcid_skb is not changed in the callee nfc_hci_get_param() if error occurs. Consequently, the freed variable nfcid_skb will be freed again, resulting in a double free bug. Set nfcid_skb to NULL after releasing it to fix the bug. Signed-off-by: Pan Bian Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1143496c9632f36ebed57312877b92fd4082d886 Author: Pan Bian Date: Thu Nov 7 14:29:50 2019 +0800 nfc: netlink: fix double device reference drop [ Upstream commit 025ec40b81d785a98f76b8bdb509ac10773b4f12 ] The function nfc_put_device(dev) is called twice to drop the reference to dev when there is no associated local llcp. Remove one of them to fix the bug. Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support") Fixes: d9b8d8e19b07 ("NFC: llcp: Service Name Lookup netlink interface") Signed-off-by: Pan Bian Reviewed-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 760a1f7f22ee8f7636a00a57707df5095364f0e0 Author: Pan Bian Date: Tue Nov 5 16:34:07 2019 +0800 NFC: fdp: fix incorrect free object [ Upstream commit 517ce4e93368938b204451285e53014549804868 ] The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is incorrect, which may result in a system crash or other security impacts. The expected object to free is *fw_vsc_cfg. Signed-off-by: Pan Bian Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5580091ce7d9555447c06508b55b95c0b79c6266 Author: Aleksander Morgado Date: Thu Nov 7 11:57:01 2019 +0100 net: usb: qmi_wwan: add support for DW5821e with eSIM support [ Upstream commit e497df686e8fed8c1dd69179010656362858edb3 ] Exactly same layout as the default DW5821e module, just a different vid/pid. The QMI interface is exposed in USB configuration #1: P: Vendor=413c ProdID=81e0 Rev=03.18 S: Manufacturer=Dell Inc. S: Product=DW5821e-eSIM Snapdragon X20 LTE S: SerialNumber=0123456789ABCDEF C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option Signed-off-by: Aleksander Morgado Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4fd218071f2148e0bcf2122ea5d481cf209a5aa7 Author: Sean Tranchetti Date: Mon Nov 4 17:54:22 2019 -0700 net: qualcomm: rmnet: Fix potential UAF when unregistering [ Upstream commit e7a86c687e64ab24f88330ad24ecc9442ce40c5a ] During the exit/unregistration process of the RmNet driver, the function rmnet_unregister_real_device() is called to handle freeing the driver's internal state and removing the RX handler on the underlying physical device. However, the order of operations this function performs is wrong and can lead to a use after free of the rmnet_port structure. Before calling netdev_rx_handler_unregister(), this port structure is freed with kfree(). If packets are received on any RmNet devices before synchronize_net() completes, they will attempt to use this already-freed port structure when processing the packet. As such, before cleaning up any other internal state, the RX handler must be unregistered in order to guarantee that no further packets will arrive on the device. Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") Signed-off-by: Sean Tranchetti Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b9bda52f8f3ed21fbec800d682141bf7d2858111 Author: Eric Dumazet Date: Thu Nov 7 20:08:19 2019 -0800 net: fix data-race in neigh_event_send() [ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ] KCSAN reported the following data-race [1] The fix will also prevent the compiler from optimizing out the condition. [1] BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1: neigh_event_send include/net/neighbour.h:443 [inline] neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474 neigh_output include/net/neighbour.h:511 [inline] ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 dst_output include/net/dst.h:436 [inline] ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 ip_queue_xmit+0x45/0x60 include/net/ip.h:237 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618 read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0: neigh_event_send include/net/neighbour.h:442 [inline] neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474 neigh_output include/net/neighbour.h:511 [inline] ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 dst_output include/net/dst.h:436 [inline] ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 ip_queue_xmit+0x45/0x60 include/net/ip.h:237 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2fbfdb2de4a1ae9680641358ca3d09a1c6286c48 Author: Alexander Sverdlin Date: Fri Nov 8 10:00:44 2019 +0000 net: ethernet: octeon_mgmt: Account for second possible VLAN header [ Upstream commit e4dd5608033efe7b6030cde359bfdbaeb73bc22d ] Octeon's input ring-buffer entry has 14 bits-wide size field, so to account for second possible VLAN header max_mtu must be further reduced. Fixes: 109cc16526c6d ("ethernet/cavium: use core min/max MTU checking") Signed-off-by: Alexander Sverdlin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88f8c39912bc727e2531a5fab0361a1caa9d1a35 Author: David Ahern Date: Thu Nov 7 18:29:52 2019 +0000 ipv4: Fix table id reference in fib_sync_down_addr [ Upstream commit e0a312629fefa943534fc46f7bfbe6de3fdaf463 ] Hendrik reported routes in the main table using source address are not removed when the address is removed. The problem is that fib_sync_down_addr does not account for devices in the default VRF which are associated with the main table. Fix by updating the table id reference. Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") Reported-by: Hendrik Donner Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0ddabef8906706dbec4dcac8c5507c6349c61aea Author: Oliver Neukum Date: Thu Nov 7 09:48:01 2019 +0100 CDC-NCM: handle incomplete transfer of MTU [ Upstream commit 332f989a3b0041b810836c5c3747e59aad7e9d0b ] A malicious device may give half an answer when asked for its MTU. The driver will proceed after this with a garbage MTU. Anything but a complete answer must be treated as an error. V2: used sizeof as request by Alexander Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 27b5f4bf5ba95b452d98ecaec4eed67ff2e05f67 Author: Jay Vosburgh Date: Fri Nov 1 21:56:42 2019 -0700 bonding: fix state transition issue in link monitoring [ Upstream commit 1899bb325149e481de31a4f32b59ea6f24e176ea ] Since de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring"), the bonding driver has utilized two separate variables to indicate the next link state a particular slave should transition to. Each is used to communicate to a different portion of the link state change commit logic; one to the bond_miimon_commit function itself, and another to the state transition logic. Unfortunately, the two variables can become unsynchronized, resulting in incorrect link state transitions within bonding. This can cause slaves to become stuck in an incorrect link state until a subsequent carrier state transition. The issue occurs when a special case in bond_slave_netdev_event sets slave->link directly to BOND_LINK_FAIL. On the next pass through bond_miimon_inspect after the slave goes carrier up, the BOND_LINK_FAIL case will set the proposed next state (link_new_state) to BOND_LINK_UP, but the new_link to BOND_LINK_DOWN. The setting of the final link state from new_link comes after that from link_new_state, and so the slave will end up incorrectly in _DOWN state. Resolve this by combining the two variables into one. Reported-by: Aleksei Zakharov Reported-by: Sha Zhang Cc: Mahesh Bandewar Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") Signed-off-by: Jay Vosburgh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman