commit 312017a460d5ea31d646e7148e400e13db799ddc Author: Greg Kroah-Hartman Date: Fri Dec 13 08:52:59 2019 +0100 Linux 4.19.89 commit b136eeb65de081668061c35f70e95309e97a54cf Author: YueHaibing Date: Tue Apr 30 19:34:08 2019 +0800 appletalk: Set error code if register_snap_client failed commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream. If register_snap_client fails in atalk_init, error code should be set, otherwise it will triggers NULL pointer dereference while unloading module. Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client") Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0977763a13fd87a7aebe376dc96385758de3aa9e Author: YueHaibing Date: Thu Mar 14 13:47:59 2019 +0800 appletalk: Fix potential NULL pointer dereference in unregister_snap_client commit 9804501fa1228048857910a6bf23e085aade37cc upstream. register_snap_client may return NULL, all the callers check it, but only print a warning. This will result in NULL pointer dereference in unregister_snap_client and other places. It has always been used like this since v2.6 Reported-by: Dan Carpenter Signed-off-by: YueHaibing Signed-off-by: David S. Miller Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 754e3c0c31c96cf3a4a54ed2a8c63cca28109136 Author: Navid Emamdoost Date: Wed Sep 11 10:09:02 2019 -0500 net: qrtr: fix memort leak in qrtr_tun_write_iter commit a21b7f0cff1906a93a0130b74713b15a0b36481d upstream. In qrtr_tun_write_iter the allocated kbuf should be release in case of error or success return. v2 Update: Thanks to David Miller for pointing out the release on success path as well. Signed-off-by: Navid Emamdoost Signed-off-by: David S. Miller Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 5119ffd480b644d8bc9af741cc8ef435a7ec5ff7 Author: Paolo Bonzini Date: Wed Dec 4 10:28:54 2019 +0100 KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) commit 433f4ba1904100da65a311033f17a9bf586b287e upstream. The bounds check was present in KVM_GET_SUPPORTED_CPUID but not KVM_GET_EMULATED_CPUID. Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29) Signed-off-by: Paolo Bonzini Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 9852d0c67678dd5f8ade26c15f80ae0b9e565962 Author: Kuninori Morimoto Date: Fri Feb 1 16:49:30 2019 +0900 ASoC: rsnd: fixup MIX kctrl registration commit 7aea8a9d71d54f449f49e20324df06341cc18395 upstream. Renesas sound device has many IPs and many situations. If platform/board uses MIXer, situation will be more complex. To avoid duplicate DVC kctrl registration when MIXer was used, it had original flags. But it was issue when sound card was re-binded, because no one can't cleanup this flags then. To solve this issue, commit 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()") checks registered card->controls, because if card was re-binded, these were cleanuped automatically. This patch could solve re-binding issue. But, it start to avoid MIX kctrl. To solve these issues, we need below. To avoid card re-binding issue: check registered card->controls To avoid duplicate DVC registration: check registered rsnd_kctrl_cfg To allow multiple MIX registration: check registered rsnd_kctrl_cfg This patch do it. Fixes: 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()") Reported-by: Jiada Wang Signed-off-by: Kuninori Morimoto Tested-By: Jiada Wang Signed-off-by: Mark Brown Cc: Nobuhiro Iwamatsu Signed-off-by: Greg Kroah-Hartman commit 17559e35fc97b62d4a2b4f7f0893bd3394358f23 Author: Brian Foster Date: Fri Apr 26 07:30:24 2019 -0700 xfs: add missing error check in xfs_prepare_shift() commit 1749d1ea89bdf3181328b7d846e609d5a0e53e50 upstream. xfs_prepare_shift() fails to check the error return from xfs_flush_unmap_range(). If the latter fails, that could lead to an insert/collapse range operation over a delalloc range, which is not supported. Add an error check and return appropriately. This is reproduced rarely by generic/475. Fixes: 7f9f71be84bc ("xfs: extent shifting doesn't fully invalidate page cache") Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Allison Collins Reviewed-by: Dave Chinner Cc: Nobuhiro Iwamatsu Signed-off-by: Greg Kroah-Hartman commit 4c67dbea4d2b335634ab37daa148dca8e0e18555 Author: Darrick J. Wong Date: Sun Dec 2 08:38:07 2018 -0800 iomap: partially revert 4721a601099 (simulated directio short read on EFAULT) [ Upstream commit 8f67b5adc030553fbc877124306f3f3bdab89aa8 ] In commit 4721a601099, we tried to fix a problem wherein directio reads into a splice pipe will bounce EFAULT/EAGAIN all the way out to userspace by simulating a zero-byte short read. This happens because some directio read implementations (xfs) will call bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous reads, but as soon as we run out of pipe buffers that _get_pages call returns EFAULT, which the splice code translates to EAGAIN and bounces out to userspace. In that commit, the iomap code catches the EFAULT and simulates a zero-byte read, but that causes assertion errors on regular splice reads because xfs doesn't allow short directio reads. This causes infinite splice() loops and assertion failures on generic/095 on overlayfs because xfs only permit total success or total failure of a directio operation. The underlying issue in the pipe splice code has now been fixed by changing the pipe splice loop to avoid avoid reading more data than there is space in the pipe. Therefore, it's no longer necessary to simulate the short directio, so remove the hack from iomap. Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill") Reported-by: Murphy Zhou Ranted-by: Amir Goldstein Reviewed-by: Christoph Hellwig Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 019b63253f8651ed305683368d3ddfe56082dcac Author: Darrick J. Wong Date: Fri Nov 30 10:37:49 2018 -0800 splice: don't read more than available pipe space [ Upstream commit 17614445576b6af24e9cf36607c6448164719c96 ] In commit 4721a601099, we tried to fix a problem wherein directio reads into a splice pipe will bounce EFAULT/EAGAIN all the way out to userspace by simulating a zero-byte short read. This happens because some directio read implementations (xfs) will call bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous reads, but as soon as we run out of pipe buffers that _get_pages call returns EFAULT, which the splice code translates to EAGAIN and bounces out to userspace. In that commit, the iomap code catches the EFAULT and simulates a zero-byte read, but that causes assertion errors on regular splice reads because xfs doesn't allow short directio reads. The brokenness is compounded by splice_direct_to_actor immediately bailing on do_splice_to returning <= 0 without ever calling ->actor (which empties out the pipe), so if userspace calls back we'll EFAULT again on the full pipe, and nothing ever gets copied. Therefore, teach splice_direct_to_actor to clamp its requests to the amount of free space in the pipe and remove the simulated short read from the iomap directio code. Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill") Reported-by: Murphy Zhou Ranted-by: Amir Goldstein Reviewed-by: Christoph Hellwig Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 484c4d9a9cce1fc457ed45b597672c822857b037 Author: Adrian Hunter Date: Wed Nov 27 11:56:31 2019 +0200 perf script: Fix invalid LBR/binary mismatch error [ Upstream commit 5172672da02e483d9b3c4d814c3482d0c8ffb1a6 ] The 'len' returned by grab_bb() includes an extra MAXINSN bytes to allow for the last instruction, so the the final 'offs' will not be 'len'. Fix the error condition logic accordingly. Before: $ perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' grep -rqs jhgjhg /boot [ perf record: Woken up 19 times to write data ] [ perf record: Captured and wrote 2.274 MB perf.data ] $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head grep 13759 [002] 8091.310257: 1862 instructions:uH: 5641d58069eb bmexec+0x86b (/bin/grep) bmexec+2485: 00005641d5806b35 jnz 0x5641d5806bd0 # MISPRED 00005641d5806bd0 movzxb (%r13,%rdx,1), %eax 00005641d5806bd6 add %rdi, %rax 00005641d5806bd9 movzxb -0x1(%rax), %edx 00005641d5806bdd cmp %rax, %r14 00005641d5806be0 jnb 0x5641d58069c0 # MISPRED mismatch of LBR data and executable 00005641d58069c0 movzxb (%r13,%rdx,1), %edi After: $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head grep 13759 [002] 8091.310257: 1862 instructions:uH: 5641d58069eb bmexec+0x86b (/bin/grep) bmexec+2485: 00005641d5806b35 jnz 0x5641d5806bd0 # MISPRED 00005641d5806bd0 movzxb (%r13,%rdx,1), %eax 00005641d5806bd6 add %rdi, %rax 00005641d5806bd9 movzxb -0x1(%rax), %edx 00005641d5806bdd cmp %rax, %r14 00005641d5806be0 jnb 0x5641d58069c0 # MISPRED 00005641d58069c0 movzxb (%r13,%rdx,1), %edi 00005641d58069c6 add %rax, %rdi Fixes: e98df280bc2a ("perf script brstackinsn: Fix recovery from LBR/binary mismatch") Reported-by: Andi Kleen Signed-off-by: Adrian Hunter Cc: Jiri Olsa Link: http://lore.kernel.org/lkml/20191127095631.15663-1-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 5cdbe243008392b324ee77e19e7e2961dda3d931 Author: Joel Stanley Date: Fri Nov 8 13:59:05 2019 +1030 watchdog: aspeed: Fix clock behaviour for ast2600 [ Upstream commit c04571251b3d842096f1597f5d4badb508be016d ] The ast2600 no longer uses bit 4 in the control register to indicate a 1MHz clock (It now controls whether this watchdog is reset by a SOC reset). This means we do not want to set it. It also does not need to be set for the ast2500, as it is read-only on that SoC. The comment next to the clock rate selection wandered away from where it was set, so put it back next to the register setting it's describing. Fixes: b3528b487448 ("watchdog: aspeed: Add support for AST2600") Signed-off-by: Joel Stanley Reviewed-by: Cédric Le Goater Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20191108032905.22463-1-joel@jms.id.au Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 23c81ea6b13647abbf218e50de9b5bdda2de7863 Author: Dan Carpenter Date: Sat Sep 21 09:00:31 2019 +0300 md/raid0: Fix an error message in raid0_make_request() [ Upstream commit e3fc3f3d0943b126f76b8533960e4168412d9e5a ] The first argument to WARN() is supposed to be a condition. The original code will just print the mdname() instead of the full warning message. Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.") Signed-off-by: Dan Carpenter Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit ba2247f90d8dd10e35080886255a2a5244d45bed Author: Takashi Iwai Date: Mon Oct 28 11:58:03 2019 +0100 ALSA: hda - Fix pending unsol events at shutdown [ Upstream commit ca58f55108fee41d87c9123f85ad4863e5de7f45 ] This is an alternative fix attemp for the issue reported in the commit caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling") that was reverted later due to regressions. Instead of tweaking the hardware disablement order and the enforced irq flushing, do calling cancel_work_sync() of the unsol work early enough, and explicitly ignore the unsol events during the shutdown by checking the bus->shutdown flag. Fixes: caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling") Cc: Chris Wilson Link: https://lore.kernel.org/r/s5h1ruxt9cz.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit af0174a63c45bd25c7fd7ece5f93e5f166256d1c Author: Jann Horn Date: Fri Oct 18 22:56:31 2019 +0200 binder: Handle start==NULL in binder_update_page_range() commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream. The old loop wouldn't stop when reaching `start` if `start==NULL`, instead continuing backwards to index -1 and crashing. Luckily you need to be highly privileged to map things at NULL, so it's not a big problem. Fix it by adjusting the loop so that the loop variable is always in bounds. This patch is deliberately minimal to simplify backporting, but IMO this function could use a refactor. The jump labels in the second loop body are horrible (the error gotos should be jumping to free_range instead), and both loops would look nicer if they just iterated upwards through indices. And the up_read()+mmput() shouldn't be duplicated like that. Cc: stable@vger.kernel.org Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Signed-off-by: Jann Horn Acked-by: Christian Brauner Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com Signed-off-by: Greg Kroah-Hartman commit fe0d31eddb9e6404dc1847648e388953e194557c Author: Jann Horn Date: Fri Oct 18 22:56:29 2019 +0200 binder: Fix race between mmap() and binder_alloc_print_pages() commit 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 upstream. binder_alloc_print_pages() iterates over alloc->pages[0..alloc->buffer_size-1] under alloc->mutex. binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size without holding that lock, and even writes them before the last bailout point. Unfortunately we can't take the alloc->mutex in the ->mmap() handler because mmap_sem can be taken while alloc->mutex is held. So instead, we have to locklessly check whether the binder_alloc has been fully initialized with binder_alloc_get_vma(), like in binder_alloc_new_buf_locked(). Fixes: 8ef4665aa129 ("android: binder: Add page usage in binder stats") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Acked-by: Christian Brauner Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman commit 627f3b9e4dd812dac9d93e578af80de751e704a4 Author: Nicolas Pitre Date: Tue Nov 5 10:33:16 2019 +0100 vcs: prevent write access to vcsu devices commit 0c9acb1af77a3cb8707e43f45b72c95266903cee upstream. Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded against using devices containing attributes as this is not yet implemented. It however failed to guard against writes to any devices as this is also unimplemented. Reported-by: Or Cohen Signed-off-by: Nicolas Pitre Cc: # v4.19+ Cc: Jiri Slaby Fixes: d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzr Signed-off-by: Greg Kroah-Hartman commit fe46db764fb1a55caf2a87932414da7edb868ff1 Author: Wei Wang Date: Tue Nov 12 12:42:23 2019 -0800 thermal: Fix deadlock in thermal thermal_zone_device_check commit 163b00cde7cf2206e248789d2780121ad5e6a70b upstream. 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid a use-after-free issue. However, cancel_delayed_work_sync could be called insides the WQ causing deadlock. [54109.642398] c0 1162 kworker/u17:1 D 0 11030 2 0x00000000 [54109.642437] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check [54109.642447] c0 1162 Call trace: [54109.642456] c0 1162 __switch_to+0x138/0x158 [54109.642467] c0 1162 __schedule+0xba4/0x1434 [54109.642480] c0 1162 schedule_timeout+0xa0/0xb28 [54109.642492] c0 1162 wait_for_common+0x138/0x2e8 [54109.642511] c0 1162 flush_work+0x348/0x40c [54109.642522] c0 1162 __cancel_work_timer+0x180/0x218 [54109.642544] c0 1162 handle_thermal_trip+0x2c4/0x5a4 [54109.642553] c0 1162 thermal_zone_device_update+0x1b4/0x25c [54109.642563] c0 1162 thermal_zone_device_check+0x18/0x24 [54109.642574] c0 1162 process_one_work+0x3cc/0x69c [54109.642583] c0 1162 worker_thread+0x49c/0x7c0 [54109.642593] c0 1162 kthread+0x17c/0x1b0 [54109.642602] c0 1162 ret_from_fork+0x10/0x18 [54109.643051] c0 1162 kworker/u17:2 D 0 16245 2 0x00000000 [54109.643067] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check [54109.643077] c0 1162 Call trace: [54109.643085] c0 1162 __switch_to+0x138/0x158 [54109.643095] c0 1162 __schedule+0xba4/0x1434 [54109.643104] c0 1162 schedule_timeout+0xa0/0xb28 [54109.643114] c0 1162 wait_for_common+0x138/0x2e8 [54109.643122] c0 1162 flush_work+0x348/0x40c [54109.643131] c0 1162 __cancel_work_timer+0x180/0x218 [54109.643141] c0 1162 handle_thermal_trip+0x2c4/0x5a4 [54109.643150] c0 1162 thermal_zone_device_update+0x1b4/0x25c [54109.643159] c0 1162 thermal_zone_device_check+0x18/0x24 [54109.643167] c0 1162 process_one_work+0x3cc/0x69c [54109.643177] c0 1162 worker_thread+0x49c/0x7c0 [54109.643186] c0 1162 kthread+0x17c/0x1b0 [54109.643195] c0 1162 ret_from_fork+0x10/0x18 [54109.644500] c0 1162 cat D 0 7766 1 0x00000001 [54109.644515] c0 1162 Call trace: [54109.644524] c0 1162 __switch_to+0x138/0x158 [54109.644536] c0 1162 __schedule+0xba4/0x1434 [54109.644546] c0 1162 schedule_preempt_disabled+0x80/0xb0 [54109.644555] c0 1162 __mutex_lock+0x3a8/0x7f0 [54109.644563] c0 1162 __mutex_lock_slowpath+0x14/0x20 [54109.644575] c0 1162 thermal_zone_get_temp+0x84/0x360 [54109.644586] c0 1162 temp_show+0x30/0x78 [54109.644609] c0 1162 dev_attr_show+0x5c/0xf0 [54109.644628] c0 1162 sysfs_kf_seq_show+0xcc/0x1a4 [54109.644636] c0 1162 kernfs_seq_show+0x48/0x88 [54109.644656] c0 1162 seq_read+0x1f4/0x73c [54109.644664] c0 1162 kernfs_fop_read+0x84/0x318 [54109.644683] c0 1162 __vfs_read+0x50/0x1bc [54109.644692] c0 1162 vfs_read+0xa4/0x140 [54109.644701] c0 1162 SyS_read+0xbc/0x144 [54109.644708] c0 1162 el0_svc_naked+0x34/0x38 [54109.845800] c0 1162 D 720.000s 1->7766->7766 cat [panic] Fixes: 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device") Cc: stable@vger.kernel.org Signed-off-by: Wei Wang Signed-off-by: Zhang Rui Signed-off-by: Greg Kroah-Hartman commit b59116ffe8a63edc394a723077272bd4ba876401 Author: Jan Kara Date: Thu Nov 21 16:14:38 2019 -0800 iomap: Fix pipe page leakage during splicing commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream. When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages because bio_iov_iter_get_pages() records that the pipe will have full extent worth of data however if file size is not block size aligned iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up and splice code gets confused leaking a pipe page with the file tail. Handle the situation similarly to the old direct IO implementation and revert iter to actually returned read amount which makes iter consistent with value returned from iomap_dio_rw() and thus the splice code is happy. Fixes: ff6a9292e6f6 ("iomap: implement direct I/O") CC: stable@vger.kernel.org Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com Signed-off-by: Jan Kara Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 18a236223bb7c9a5234d2e52a2fc1a021041104c Author: Viresh Kumar Date: Thu Nov 7 08:50:25 2019 +0530 RDMA/qib: Validate ->show()/store() callbacks before calling them commit 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 upstream. The permissions of the read-only or write-only sysfs files can be changed (as root) and the user can then try to read a write-only file or write to a read-only file which will lead to kernel crash here. Protect against that by always validating the show/store callbacks. Link: https://lore.kernel.org/r/d45cc26361a174ae12dbb86c994ef334d257924b.1573096807.git.viresh.kumar@linaro.org Signed-off-by: Viresh Kumar Reviewed-by: Greg Kroah-Hartman Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 42bd3e78afd00f60002001c56fb3700aa5050004 Author: Johan Hovold Date: Thu Nov 28 19:26:03 2019 +0100 can: ucan: fix non-atomic allocation in completion handler commit 870db5d1015c8bd63e93b579e857223c96249ff7 upstream. USB completion handlers are called in atomic context and must specifically not allocate memory using GFP_KERNEL. Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices") Cc: stable # 4.19 Cc: Jakob Unterwurzacher Cc: Martin Elshuber Cc: Philipp Tomsich Signed-off-by: Johan Hovold Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 59101399e156104b31373c83a715284f7a919a95 Author: Sharvari Harisangam Date: Wed Jun 12 20:42:11 2019 +0530 mwifiex: update set_mac_address logic commit 7afb94da3cd8a28ed7ae268143117bf1ac8a3371 upstream. In set_mac_address, driver check for interfaces with same bss_type For first STA entry, this would return 3 interfaces since all priv's have bss_type as 0 due to kzalloc. Thus mac address gets changed for STA unexpected. This patch adds check for first STA and avoids mac address change. This patch also adds mac_address change for p2p based on bss_num type. Signed-off-by: Sharvari Harisangam Signed-off-by: Ganapathi Bhat Signed-off-by: Kalle Valo Cc: Brian Norris Signed-off-by: Greg Kroah-Hartman commit a1371a6113a99fd625d207f9f90cc2063ce0d20c Author: Gregory CLEMENT Date: Thu Oct 17 16:18:41 2019 +0200 spi: atmel: Fix CS high support commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream. Until a few years ago, this driver was only used with CS GPIO. The only exception is CS0 on AT91RM9200 which has to use internal CS. A limitation of the internal CS is that they don't support CS High. So by using the CS GPIO the CS high configuration was available except for the particular case CS0 on RM9200. When the support for the internal chip-select was added, the check of the CS high support was not updated. Due to this the driver accepts this configuration for all the SPI controller v2 (used by all SoCs excepting the AT91RM9200) whereas the hardware doesn't support it for infernal CS. This patch fixes the test to match the hardware capabilities. Fixes: 4820303480a1 ("spi: atmel: add support for the internal chip-select of the spi controller") Cc: Signed-off-by: Gregory CLEMENT Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 351a567ebf2482de4dd5e5bbd539f2175540b717 Author: Navid Emamdoost Date: Fri Oct 4 14:29:16 2019 -0500 crypto: user - fix memory leak in crypto_report commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream. In crypto_report, a new skb is created via nlmsg_new(). This skb should be released if crypto_report_alg() fails. Fixes: a38f7907b926 ("crypto: Add userspace configuration API") Cc: Signed-off-by: Navid Emamdoost Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit cdaeaea6aa1bc6de2974c9058ed98dac59209d5b Author: Ard Biesheuvel Date: Wed Oct 23 11:50:44 2019 +0200 crypto: ecdh - fix big endian bug in ECC library commit f398243e9fd6a3a059c1ea7b380c40628dbf0c61 upstream. The elliptic curve arithmetic library used by the EC-DH KPP implementation assumes big endian byte order, and unconditionally reverses the byte and word order of multi-limb quantities. On big endian systems, the byte reordering is not necessary, while the word ordering needs to be retained. So replace the __swab64() invocation with a call to be64_to_cpu() which should do the right thing for both little and big endian builds. Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") Cc: # v4.9+ Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit be7993dd8e8ce27f0f66b5079de8fe7219a6883e Author: Mark Salter Date: Mon Oct 21 11:29:49 2019 -0400 crypto: ccp - fix uninitialized list head commit 691505a803a7f223b2af621848d581259c61f77d upstream. A NULL-pointer dereference was reported in fedora bz#1762199 while reshaping a raid6 array after adding a fifth drive to an existing array. [ 47.343549] md/raid:md0: raid level 6 active with 3 out of 5 devices, algorithm 2 [ 47.804017] md0: detected capacity change from 0 to 7885289422848 [ 47.822083] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000 ... [ 47.940477] CPU: 1 PID: 14210 Comm: md0_raid6 Tainted: G W 5.2.18-200.fc30.aarch64 #1 [ 47.949594] Hardware name: AMD Overdrive/Supercharger/To be filled by O.E.M., BIOS ROD1002C 04/08/2016 [ 47.958886] pstate: 00400085 (nzcv daIf +PAN -UAO) [ 47.963668] pc : __list_del_entry_valid+0x2c/0xa8 [ 47.968366] lr : ccp_tx_submit+0x84/0x168 [ccp] [ 47.972882] sp : ffff00001369b970 [ 47.976184] x29: ffff00001369b970 x28: ffff00001369bdb8 [ 47.981483] x27: 00000000ffffffff x26: ffff8003b758af70 [ 47.986782] x25: ffff8003b758b2d8 x24: ffff8003e6245818 [ 47.992080] x23: 0000000000000000 x22: ffff8003e62450c0 [ 47.997379] x21: ffff8003dfd6add8 x20: 0000000000000003 [ 48.002678] x19: ffff8003e6245100 x18: 0000000000000000 [ 48.007976] x17: 0000000000000000 x16: 0000000000000000 [ 48.013274] x15: 0000000000000000 x14: 0000000000000000 [ 48.018572] x13: ffff7e000ef83a00 x12: 0000000000000001 [ 48.023870] x11: ffff000010eff998 x10: 00000000000019a0 [ 48.029169] x9 : 0000000000000000 x8 : ffff8003e6245180 [ 48.034467] x7 : 0000000000000000 x6 : 000000000000003f [ 48.039766] x5 : 0000000000000040 x4 : ffff8003e0145080 [ 48.045064] x3 : dead000000000200 x2 : 0000000000000000 [ 48.050362] x1 : 0000000000000000 x0 : ffff8003e62450c0 [ 48.055660] Call trace: [ 48.058095] __list_del_entry_valid+0x2c/0xa8 [ 48.062442] ccp_tx_submit+0x84/0x168 [ccp] [ 48.066615] async_tx_submit+0x224/0x368 [async_tx] [ 48.071480] async_trigger_callback+0x68/0xfc [async_tx] [ 48.076784] ops_run_biofill+0x178/0x1e8 [raid456] [ 48.081566] raid_run_ops+0x248/0x818 [raid456] [ 48.086086] handle_stripe+0x864/0x1208 [raid456] [ 48.090781] handle_active_stripes.isra.0+0xb0/0x278 [raid456] [ 48.096604] raid5d+0x378/0x618 [raid456] [ 48.100602] md_thread+0xa0/0x150 [ 48.103905] kthread+0x104/0x130 [ 48.107122] ret_from_fork+0x10/0x18 [ 48.110686] Code: d2804003 f2fbd5a3 eb03003f 54000320 (f9400021) [ 48.116766] ---[ end trace 23f390a527f7ad77 ]--- ccp_tx_submit is passed a dma_async_tx_descriptor which is contained in a ccp_dma_desc and adds it to a ccp channel's pending list: list_del(&desc->entry); list_add_tail(&desc->entry, &chan->pending); The problem is that desc->entry may be uninitialized in the async_trigger_callback path where the descriptor was gotten from ccp_prep_dma_interrupt which got it from ccp_alloc_dma_desc which doesn't initialize the desc->entry list head. So, just initialize the list head to avoid the problem. Cc: Reported-by: Sahaj Sarup Signed-off-by: Mark Salter Acked-by: Gary R Hook Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit dac11877298e3264d1e59656a0907d77404e49ef Author: Ayush Sawal Date: Fri Oct 4 10:50:58 2019 -0700 crypto: af_alg - cast ki_complete ternary op to int commit 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 upstream. when libkcapi test is executed using HW accelerator, cipher operation return -74.Since af_alg_async_cb->ki_complete treat err as unsigned int, libkcapi receive 429467222 even though it expect -ve value. Hence its required to cast resultlen to int so that proper error is returned to libkcapi. AEAD one shot non-aligned test 2(libkcapi test) ./../bin/kcapi -x 10 -c "gcm(aes)" -i 7815d4b06ae50c9c56e87bd7 -k ea38ac0c9b9998c80e28fb496a2b88d9 -a "853f98a750098bec1aa7497e979e78098155c877879556bb51ddeb6374cbaefc" -t "c4ce58985b7203094be1d134c1b8ab0b" -q "b03692f86d1b8b39baf2abb255197c98" Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") Cc: Signed-off-by: Ayush Sawal Signed-off-by: Atul Gupta Signed-off-by: Herbert Xu Signed-off-by: Ayush Sawal Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 1e475dc405337200ac743f9d84e13edb01cfd048 Author: Tudor Ambarus Date: Fri Oct 4 08:55:37 2019 +0000 crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize commit 86ef1dfcb561473fbf5e199d58d18c55554d78be upstream. commit 394a9e044702 ("crypto: cfb - add missing 'chunksize' property") adds a test vector where the input length is smaller than the IV length (the second test vector). This revealed a NULL pointer dereference in the atmel-aes driver, that is caused by passing an incorrect offset in scatterwalk_map_and_copy() when atmel_aes_complete() is called. Do not save the IV in req->info of ablkcipher_request (or equivalently req->iv of skcipher_request) when req->nbytes < ivsize, because the IV will not be further used. While touching the code, modify the type of ivsize from int to unsigned int, to comply with the return type of crypto_ablkcipher_ivsize(). Fixes: 91308019ecb4 ("crypto: atmel-aes - properly set IV after {en,de}crypt") Cc: Signed-off-by: Tudor Ambarus Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 0d51b4d823a9c89d49c52b61e28d3365bbd50c0b Author: Christian Lamparter Date: Thu Oct 31 17:14:38 2019 +0100 crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream. This patch fixes a crash that can happen during probe when the available dma memory is not enough (this can happen if the crypto4xx is built as a module). The descriptor window mapping would end up being free'd twice, once in crypto4xx_build_pdr() and the second time in crypto4xx_destroy_sdr(). Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak") Cc: Signed-off-by: Christian Lamparter Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 5cbc7ff56097659c5e41e884cff34731ea03e23a Author: Sean Christopherson Date: Fri Nov 22 08:58:18 2019 -0800 KVM: x86: Grab KVM's srcu lock when setting nested state commit ad5996d9a0e8019c3ae5151e687939369acfe044 upstream. Acquire kvm->srcu for the duration of ->set_nested_state() to fix a bug where nVMX derefences ->memslots without holding ->srcu or ->slots_lock. The other half of nested migration, ->get_nested_state(), does not need to acquire ->srcu as it is a purely a dump of internal KVM (and CPU) state to userspace. Detected as an RCU lockdep splat that is 100% reproducible by running KVM's state_test selftest with CONFIG_PROVE_LOCKING=y. Note that the failing function, kvm_is_visible_gfn(), is only checking the validity of a gfn, it's not actually accessing guest memory (which is more or less unsupported during vmx_set_nested_state() due to incorrect MMU state), i.e. vmx_set_nested_state() itself isn't fundamentally broken. In any case, setting nested state isn't a fast path so there's no reason to go out of our way to avoid taking ->srcu. ============================= WARNING: suspicious RCU usage 5.4.0-rc7+ #94 Not tainted ----------------------------- include/linux/kvm_host.h:626 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by evmcs_test/10939: #0: ffff88826ffcb800 (&vcpu->mutex){+.+.}, at: kvm_vcpu_ioctl+0x85/0x630 [kvm] stack backtrace: CPU: 1 PID: 10939 Comm: evmcs_test Not tainted 5.4.0-rc7+ #94 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack+0x68/0x9b kvm_is_visible_gfn+0x179/0x180 [kvm] mmu_check_root+0x11/0x30 [kvm] fast_cr3_switch+0x40/0x120 [kvm] kvm_mmu_new_cr3+0x34/0x60 [kvm] nested_vmx_load_cr3+0xbd/0x1f0 [kvm_intel] nested_vmx_enter_non_root_mode+0xab8/0x1d60 [kvm_intel] vmx_set_nested_state+0x256/0x340 [kvm_intel] kvm_arch_vcpu_ioctl+0x491/0x11a0 [kvm] kvm_vcpu_ioctl+0xde/0x630 [kvm] do_vfs_ioctl+0xa2/0x6c0 ksys_ioctl+0x66/0x70 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x54/0x200 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f59a2b95f47 Fixes: 8fcc4b5923af5 ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6a10f818a9adbe394eb36d223814e207e5121236 Author: Paolo Bonzini Date: Mon Nov 18 18:58:26 2019 +0100 KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream. KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented to the guests. It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR && !RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not hidden (it actually was), yet the value says that TSX is not vulnerable to microarchitectural data sampling. Fix both. Cc: stable@vger.kernel.org Tested-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 5efbd9a9d9c5492fb467bfaf55b77085898645c1 Author: Paolo Bonzini Date: Mon Nov 18 12:23:00 2019 -0500 KVM: x86: do not modify masked bits of shared MSRs commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream. "Shared MSRs" are guest MSRs that are written to the host MSRs but keep their value until the next return to userspace. They support a mask, so that some bits keep the host value, but this mask is only used to skip an unnecessary MSR write and the value written to the MSR is always the guest MSR. Fix this and, while at it, do not update smsr->values[slot].curr if for whatever reason the wrmsr fails. This should only happen due to reserved bits, so the value written to smsr->values[slot].curr will not match when the user-return notifier and the host value will always be restored. However, it is untidy and in rare cases this can actually avoid spurious WRMSRs on return to userspace. Cc: stable@vger.kernel.org Reviewed-by: Jim Mattson Tested-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 66f8ca55eb8131fde0b63239d7462a0dbb5cb1d2 Author: Zenghui Yu Date: Tue Oct 29 15:19:19 2019 +0800 KVM: arm/arm64: vgic: Don't rely on the wrong pending table commit ca185b260951d3b55108c0b95e188682d8a507b7 upstream. It's possible that two LPIs locate in the same "byte_offset" but target two different vcpus, where their pending status are indicated by two different pending tables. In such a scenario, using last_byte_offset optimization will lead KVM relying on the wrong pending table entry. Let us use last_ptr instead, which can be treated as a byte index into a pending table and also, can be vcpu specific. Fixes: 280771252c1b ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES") Cc: stable@vger.kernel.org Signed-off-by: Zenghui Yu Signed-off-by: Marc Zyngier Acked-by: Eric Auger Link: https://lore.kernel.org/r/20191029071919.177-4-yuzenghui@huawei.com Signed-off-by: Greg Kroah-Hartman commit e8d9825d557367bdebc0f8d2c1aa27814ac7319f Author: Marek Szyprowski Date: Thu Sep 12 09:36:02 2019 +0200 arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node" commit bed903167ae5b5532eda5d7db26de451bd232da5 upstream. Commit ef72171b3621 ("arm64: dts: exynos: Remove unneeded address space mapping for soc node") changed the address and size cells in root node from 2 to 1, but /memory nodes for the affected boards were not updated. This went unnoticed on Exynos5433-based TM2(e) boards, because they use u-boot, which updates /memory node to the correct values. On the other hand, the mentioned commit broke boot on Exynos7-based Espresso board, which bootloader doesn't touch /memory node at all. This patch reverts commit ef72171b3621 ("arm64: dts: exynos: Remove unneeded address space mapping for soc node"), so Exynos5433 and Exynos7 SoCs again matches other ARM64 platforms with 64bit mappings in root node. Reported-by: Alim Akhtar Fixes: ef72171b3621 ("arm64: dts: exynos: Remove unneeded address space mapping for soc node") Signed-off-by: Marek Szyprowski Cc: # 5.3.x: 72ddcf6aa224 arm64: dts: exynos: Move GPU under /soc node for Exynos5433 Cc: # 5.3.x: ede87c3a2bdb arm64: dts: exynos: Move GPU under /soc node for Exynos7 Cc: # 4.18.x Tested-by: Alim Akhtar Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit 9a0511abab590d18c19e71e24f37bb1db2bda4ec Author: Dan Carpenter Date: Fri Oct 4 13:22:51 2019 +0300 drm/i810: Prevent underflow in ioctl commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream. The "used" variables here come from the user in the ioctl and it can be negative. It could result in an out of bounds write. Signed-off-by: Dan Carpenter Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 8e47f51af8bb504953952973404b51578d8f8e7a Author: Johan Hovold Date: Thu Oct 10 15:13:30 2019 +0200 drm/msm: fix memleak on release commit a64fc11b9a520c55ca34d82e5ca32274f49b6b15 upstream. If a process is interrupted while accessing the "gpu" debugfs file and the drm device struct_mutex is contended, release() could return early and fail to free related resources. Note that the return value from release() is ignored. Fixes: 4f776f4511c7 ("drm/msm/gpu: Convert the GPU show function to use the GPU state") Cc: stable # 4.18 Cc: Jordan Crouse Cc: Rob Clark Reviewed-by: Rob Clark Signed-off-by: Johan Hovold Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20191010131333.23635-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 3152fcd479eeae2eeaa44b553adf05a1ccac7637 Author: Jan Kara Date: Tue Nov 5 17:44:07 2019 +0100 jbd2: Fix possible overflow in jbd2_log_space_left() commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream. When number of free space in the journal is very low, the arithmetic in jbd2_log_space_left() could underflow resulting in very high number of free blocks and thus triggering assertion failure in transaction commit code complaining there's not enough space in the journal: J_ASSERT(journal->j_free > 1); Properly check for the low number of free blocks. CC: stable@vger.kernel.org Reviewed-by: Theodore Ts'o Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 18493bac1ae0fd613243c885503142559ec5f1ac Author: Tejun Heo Date: Mon Nov 4 15:54:29 2019 -0800 kernfs: fix ino wrap-around detection commit e23f568aa63f64cd6b355094224cc9356c0f696b upstream. When the 32bit ino wraps around, kernfs increments the generation number to distinguish reused ino instances. The wrap-around detection tests whether the allocated ino is lower than what the cursor but the cursor is pointing to the next ino to allocate so the condition never triggers. Fix it by remembering the last ino and comparing against that. Signed-off-by: Tejun Heo Reviewed-by: Greg Kroah-Hartman Fixes: 4a3ef68acacf ("kernfs: implement i_generation") Cc: Namhyung Kim Cc: stable@vger.kernel.org # v4.14+ Signed-off-by: Greg Kroah-Hartman commit ea57322ae9d7c692c8b2e5ced1eba56065514e4a Author: Jouni Hogander Date: Wed Nov 27 08:40:26 2019 +0200 can: slcan: Fix use-after-free Read in slcan_open commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream. Slcan_open doesn't clean-up device which registration failed from the slcan_devs device list. On next open this list is iterated and freed device is accessed. Fix this by calling slc_free_netdev in error path. Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was identified in slip_open by syzboz. Same bug is in slcan.c. Here is the trace from the Syzbot slip report: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:634 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 sl_sync drivers/net/slip/slip.c:725 [inline] slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801 tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469 tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596 tiocsetd drivers/tty/tty_io.c:2334 [inline] tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path") Cc: Wolfgang Grandegger Cc: Marc Kleine-Budde Cc: David Miller Cc: Oliver Hartkopp Cc: Lukas Bulwahn Signed-off-by: Jouni Hogander Cc: linux-stable # >= v5.4 Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 9eadcebe8c87ac6b5c32a655bc8466e096b82496 Author: Dmitry Torokhov Date: Fri Nov 22 12:42:20 2019 -0800 tty: vt: keyboard: reject invalid keycodes commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream. Do not try to handle keycodes that are too big, otherwise we risk doing out-of-bounds writes: BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 ... kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 input_pass_values drivers/input/input.c:949 [inline] input_set_keycode+0x290/0x320 drivers/input/input.c:954 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 evdev_do_ioctl drivers/input/evdev.c:1150 [inline] In this case we were dealing with a fuzzed HID device that declared over 12K buttons, and while HID layer should not be reporting to us such big keycodes, we should also be defensive and reject invalid data ourselves as well. Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com Signed-off-by: Dmitry Torokhov Cc: stable Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws Signed-off-by: Greg Kroah-Hartman commit d4785d88459eac631347e445793c7c5bccd26e86 Author: Pavel Shilovsky Date: Thu Oct 31 14:18:57 2019 -0700 CIFS: Fix SMB2 oplock break processing commit fa9c2362497fbd64788063288dc4e74daf977ebb upstream. Even when mounting modern protocol version the server may be configured without supporting SMB2.1 leases and the client uses SMB2 oplock to optimize IO performance through local caching. However there is a problem in oplock break handling that leads to missing a break notification on the client who has a file opened. It latter causes big latencies to other clients that are trying to open the same file. The problem reproduces when there are multiple shares from the same server mounted on the client. The processing code tries to match persistent and volatile file ids from the break notification with an open file but it skips all share besides the first one. Fix this by looking up in all shares belonging to the server that issued the oplock break. Cc: Stable Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit df871e551d0a81d3336ecc0790f978a9903e2564 Author: Pavel Shilovsky Date: Wed Nov 27 16:18:39 2019 -0800 CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks commit 6f582b273ec23332074d970a7fb25bef835df71f upstream. Currently when the client creates a cifsFileInfo structure for a newly opened file, it allocates a list of byte-range locks with a pointer to the new cfile and attaches this list to the inode's lock list. The latter happens before initializing all other fields, e.g. cfile->tlink. Thus a partially initialized cifsFileInfo structure becomes available to other threads that walk through the inode's lock list. One example of such a thread may be an oplock break worker thread that tries to push all cached byte-range locks. This causes NULL-pointer dereference in smb2_push_mandatory_locks() when accessing cfile->tlink: [598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038 ... [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs] [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs] ... [598428.945834] Call Trace: [598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs] [598428.945901] cifs_oplock_break+0x13d/0x450 [cifs] [598428.945909] process_one_work+0x1db/0x380 [598428.945914] worker_thread+0x4d/0x400 [598428.945921] kthread+0x104/0x140 [598428.945925] ? process_one_work+0x380/0x380 [598428.945931] ? kthread_park+0x80/0x80 [598428.945937] ret_from_fork+0x35/0x40 Fix this by reordering initialization steps of the cifsFileInfo structure: initialize all the fields first and then add the new byte-range lock list to the inode's lock list. Cc: Stable Signed-off-by: Pavel Shilovsky Reviewed-by: Aurelien Aptel Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 153bd25686d069083734ff9ce216b8dd2891da79 Author: Nicolas Dichtel Date: Mon Jul 15 12:00:23 2019 +0200 xfrm interface: fix management of phydev commit 22d6552f827ef76ade3edf6bbb3f05048a0a7d8b upstream. With the current implementation, phydev cannot be removed: $ ip link add dummy type dummy $ ip link add xfrm1 type xfrm dev dummy if_id 1 $ ip l d dummy kernel:[77938.465445] unregister_netdevice: waiting for dummy to become free. Usage count = 1 Manage it like in ip tunnels, ie just keep the ifindex. Not that the side effect, is that the phydev is now optional. Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Nicolas Dichtel Tested-by: Julien Floret Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit cbb629783d9252f5a5eb4585d5844e6ae1ccafd4 Author: Nicolas Dichtel Date: Mon Jul 15 12:00:22 2019 +0200 xfrm interface: fix list corruption for x-netns commit c5d1030f23002430c2a336b2b629b9d6f72b3564 upstream. dev_net(dev) is the netns of the device and xi->net is the link netns, where the device has been linked. changelink() must operate in the link netns to avoid a corruption of the xfrm lists. Note that xi->net and dev_net(xi->physdev) are always the same. Before the patch, the xfrmi lists may be corrupted and can later trigger a kernel panic. Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Reported-by: Julien Floret Signed-off-by: Nicolas Dichtel Tested-by: Julien Floret Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit f04f067aaa38246cc8d7392ee27da80ed8d19289 Author: Nicolas Dichtel Date: Mon Jul 15 12:00:20 2019 +0200 xfrm interface: avoid corruption on changelink commit e9e7e85d75f3731079ffd77c1a66f037aef04fe7 upstream. The new parameters must not be stored in the netdev_priv() before validation, it may corrupt the interface. Note also that if data is NULL, only a memset() is done. $ ip link add xfrm1 type xfrm dev lo if_id 1 $ ip link add xfrm2 type xfrm dev lo if_id 2 $ ip link set xfrm1 type xfrm dev lo if_id 2 RTNETLINK answers: File exists $ ip -d link list dev xfrm1 5: xfrm1@lo: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/none 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 68 maxmtu 1500 xfrm if_id 0x2 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 => "if_id 0x2" Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Nicolas Dichtel Tested-by: Julien Floret Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 28655c632ee0090ae01576e234118ee983a4afa3 Author: Nicolas Dichtel Date: Tue Jul 2 17:51:39 2019 +0200 xfrm interface: fix memory leak on creation commit 56c5ee1a5823e9cf5288b84ae6364cb4112f8225 upstream. The following commands produce a backtrace and return an error but the xfrm interface is created (in the wrong netns): $ ip netns add foo $ ip netns add bar $ ip -n foo netns set bar 0 $ ip -n foo link add xfrmi0 link-netnsid 0 type xfrm dev lo if_id 23 RTNETLINK answers: Invalid argument $ ip -n bar link ls xfrmi0 2: xfrmi0@lo: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/none 00:00:00:00:00:00 brd 00:00:00:00:00:00 Here is the backtrace: [ 79.879174] WARNING: CPU: 0 PID: 1178 at net/core/dev.c:8172 rollback_registered_many+0x86/0x3c1 [ 79.880260] Modules linked in: xfrm_interface nfsv3 nfs_acl auth_rpcgss nfsv4 nfs lockd grace sunrpc fscache button parport_pc parport serio_raw evdev pcspkr loop ext4 crc16 mbcache jbd2 crc32c_generic ide_cd_mod ide_gd_mod cdrom ata_$ eneric ata_piix libata scsi_mod 8139too piix psmouse i2c_piix4 ide_core 8139cp mii i2c_core floppy [ 79.883698] CPU: 0 PID: 1178 Comm: ip Not tainted 5.2.0-rc6+ #106 [ 79.884462] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 79.885447] RIP: 0010:rollback_registered_many+0x86/0x3c1 [ 79.886120] Code: 01 e8 d7 7d c6 ff 0f 0b 48 8b 45 00 4c 8b 20 48 8d 58 90 49 83 ec 70 48 8d 7b 70 48 39 ef 74 44 8a 83 d0 04 00 00 84 c0 75 1f <0f> 0b e8 61 cd ff ff 48 b8 00 01 00 00 00 00 ad de 48 89 43 70 66 [ 79.888667] RSP: 0018:ffffc900015ab740 EFLAGS: 00010246 [ 79.889339] RAX: ffff8882353e5700 RBX: ffff8882353e56a0 RCX: ffff8882353e5710 [ 79.890174] RDX: ffffc900015ab7e0 RSI: ffffc900015ab7e0 RDI: ffff8882353e5710 [ 79.891029] RBP: ffffc900015ab7e0 R08: ffffc900015ab7e0 R09: ffffc900015ab7e0 [ 79.891866] R10: ffffc900015ab7a0 R11: ffffffff82233fec R12: ffffc900015ab770 [ 79.892728] R13: ffffffff81eb7ec0 R14: ffff88822ed6cf00 R15: 00000000ffffffea [ 79.893557] FS: 00007ff350f31740(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 [ 79.894581] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 79.895317] CR2: 00000000006c8580 CR3: 000000022c272000 CR4: 00000000000006f0 [ 79.896137] Call Trace: [ 79.896464] unregister_netdevice_many+0x12/0x6c [ 79.896998] __rtnl_newlink+0x6e2/0x73b [ 79.897446] ? __kmalloc_node_track_caller+0x15e/0x185 [ 79.898039] ? pskb_expand_head+0x5f/0x1fe [ 79.898556] ? stack_access_ok+0xd/0x2c [ 79.899009] ? deref_stack_reg+0x12/0x20 [ 79.899462] ? stack_access_ok+0xd/0x2c [ 79.899927] ? stack_access_ok+0xd/0x2c [ 79.900404] ? __module_text_address+0x9/0x4f [ 79.900910] ? is_bpf_text_address+0x5/0xc [ 79.901390] ? kernel_text_address+0x67/0x7b [ 79.901884] ? __kernel_text_address+0x1a/0x25 [ 79.902397] ? unwind_get_return_address+0x12/0x23 [ 79.903122] ? __cmpxchg_double_slab.isra.37+0x46/0x77 [ 79.903772] rtnl_newlink+0x43/0x56 [ 79.904217] rtnetlink_rcv_msg+0x200/0x24c In fact, each time a xfrm interface was created, a netdev was allocated by __rtnl_newlink()/rtnl_create_link() and then another one by xfrmi_newlink()/xfrmi_create(). Only the second one was registered, it's why the previous commands produce a backtrace: dev_change_net_namespace() was called on a netdev with reg_state set to NETREG_UNINITIALIZED (the first one). CC: Lorenzo Colitti CC: Benedict Wong CC: Steffen Klassert CC: Shannon Nelson CC: Antony Antony CC: Eyal Birger Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Reported-by: Julien Floret Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 2e5c738a25dbc1f9eb03139a03724267bbe70c49 Author: Kai-Heng Feng Date: Mon Sep 2 22:52:52 2019 +0800 x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream. The AMD FCH USB XHCI Controller advertises support for generating PME# while in D0. When in D0, it does signal PME# for USB 3.0 connect events, but not for USB 2.0 or USB 1.1 connect events, which means the controller doesn't wake correctly for those events. 00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI]) Subsystem: Dell FCH USB XHCI Controller [1028:087e] Capabilities: [50] Power Management version 3 Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+) Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not assert PME# from D0 so we don't rely on it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673 Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com Signed-off-by: Kai-Heng Feng Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 37d080a40575dd62a5caf55ec27c8030361cb3d6 Author: Joerg Roedel Date: Tue Nov 26 11:09:42 2019 +0100 x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all() commit 9a62d20027da3164a22244d9f022c0c987261687 upstream. The job of vmalloc_sync_all() is to help the lazy freeing of vmalloc() ranges: before such vmap ranges are reused we make sure that they are unmapped from every task's page tables. This is really easy on pagetable setups where the kernel page tables are shared between all tasks - this is the case on 32-bit kernels with SHARED_KERNEL_PMD = 1. But on !SHARED_KERNEL_PMD 32-bit kernels this involves iterating over the pgd_list and clearing all pmd entries in the pgds that are cleared in the init_mm.pgd, which is the reference pagetable that the vmalloc() code uses. In that context the current practice of vmalloc_sync_all() iterating until FIX_ADDR_TOP is buggy: for (address = VMALLOC_START & PMD_MASK; address >= TASK_SIZE_MAX && address < FIXADDR_TOP; address += PMD_SIZE) { struct page *page; Because iterating up to FIXADDR_TOP will involve a lot of non-vmalloc address ranges: VMALLOC -> PKMAP -> LDT -> CPU_ENTRY_AREA -> FIX_ADDR This is mostly harmless for the FIX_ADDR and CPU_ENTRY_AREA ranges that don't clear their pmds, but it's lethal for the LDT range, which relies on having different mappings in different processes, and 'synchronizing' them in the vmalloc sense corrupts those pagetable entries (clearing them). This got particularly prominent with PTI, which turns SHARED_KERNEL_PMD off and makes this the dominant mapping mode on 32-bit. To make LDT working again vmalloc_sync_all() must only iterate over the volatile parts of the kernel address range that are identical between all processes. So the correct check in vmalloc_sync_all() is "address < VMALLOC_END" to make sure the VMALLOC areas are synchronized and the LDT mapping is not falsely overwritten. The CPU_ENTRY_AREA and the FIXMAP area are no longer synced either, but this is not really a proplem since their PMDs get established during bootup and never change. This change fixes the ldt_gdt selftest in my setup. [ mingo: Fixed up the changelog to explain the logic and modified the copying to only happen up until VMALLOC_END. ] Reported-by: Borislav Petkov Tested-by: Borislav Petkov Signed-off-by: Joerg Roedel Cc: Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Dave Hansen Cc: Joerg Roedel Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: hpa@zytor.com Fixes: 7757d607c6b3: ("x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32") Link: https://lkml.kernel.org/r/20191126111119.GA110513@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 79f08904592c18921969cfcff851b627d69da7bf Author: Navid Emamdoost Date: Thu Nov 21 14:01:11 2019 -0600 Input: Fix memory leak in psxpad_spi_probe In the implementation of psxpad_spi_probe() the allocated memory for pdev is leaked if psxpad_spi_init_ff() or input_register_polled_device() fail. The solution is using device managed allocation, like the one used for pad. Perform the allocation using devm_input_allocate_polled_device(). Fixes: 8be193c7b1f4 ("Input: add support for PlayStation 1/2 joypads connected via SPI") Signed-off-by: Navid Emamdoost Acked-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 7c193ed6e1a1276a1b3f6b8b0430cb2892e31740 Author: Mike Leach Date: Mon Nov 4 11:12:42 2019 -0700 coresight: etm4x: Fix input validation for sysfs. commit 2fe6899e36aa174abefd017887f9cfe0cb60c43a upstream. A number of issues are fixed relating to sysfs input validation:- 1) bb_ctrl_store() - incorrect compare of bit select field to absolute value. Reworked per ETMv4 specification. 2) seq_event_store() - incorrect mask value - register has two event values. 3) cyc_threshold_store() - must mask with max before checking min otherwise wrapped values can set illegal value below min. 4) res_ctrl_store() - update to mask off all res0 bits. Reviewed-by: Leo Yan Reviewed-by: Mathieu Poirier Signed-off-by: Mike Leach Fixes: a77de2637c9eb ("coresight: etm4x: moving sysFS entries to a dedicated file") Cc: stable # 4.9+ Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20191104181251.26732-6-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit 1d01bae86690323e163260287e59689d5782081a Author: Hans de Goede Date: Mon Dec 2 09:36:15 2019 -0800 Input: goodix - add upside-down quirk for Teclast X89 tablet commit df5b5e555b356662a5e4a23c6774fdfce8547d54 upstream. The touchscreen on the Teclast X89 is mounted upside down in relation to the display orientation (the touchscreen itself is mounted upright, but the display is mounted upside-down). Add a quirk for this so that we send coordinates which match the display orientation. Signed-off-by: Hans de Goede Reviewed-by: Bastien Nocera Link: https://lore.kernel.org/r/20191202085636.6650-1-hdegoede@redhat.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 29fef2fe327f65a3da2c9d977bd534f721db8b32 Author: Hans Verkuil Date: Mon Dec 2 10:08:12 2019 -0800 Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers commit a284e11c371e446371675668d8c8120a27227339 upstream. This increment of rmi_smbus in rmi_smb_read/write_block() causes garbage to be read/written. The first read of SMB_MAX_COUNT bytes is fine, but after that it is nonsense. Trial-and-error showed that by dropping the increment of rmiaddr everything is fine and the F54 function properly works. I tried a hack with rmi_smb_write_block() as well (writing to the same F54 touchpad data area, then reading it back), and that suggests that there too the rmiaddr increment has to be dropped. It makes sense that if it has to be dropped for read, then it has to be dropped for write as well. It looks like the initial work with F54 was done using i2c, not smbus, and it seems nobody ever tested F54 with smbus. The other functions all read/write less than SMB_MAX_COUNT as far as I can tell, so this issue was never noticed with non-F54 functions. With this change I can read out the touchpad data correctly on my Lenovo X1 Carbon 6th Gen laptop. Signed-off-by: Hans Verkuil Link: https://lore.kernel.org/r/8dd22e21-4933-8e9c-a696-d281872c8de7@xs4all.nl Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 29116a86d746680d73a1252c9b092af5b8c62f54 Author: Lucas Stach Date: Mon Dec 2 09:37:00 2019 -0800 Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash commit 86bcd3a12999447faad60ec59c2d64d18d8e61ac upstream. F34 is a bit special as it reinitializes the device and related driver structs during the firmware update. This clears the fn_irq_mask which will then prevent F34 from receiving further interrupts, leading to timeouts during the firmware update. Make sure to reinitialize the IRQ enables at the appropriate times. The issue is in F34 code, but the commit in the fixes tag exposed the issue, as before this commit things would work by accident. Fixes: 363c53875aef (Input: synaptics-rmi4 - avoid processing unknown IRQs) Signed-off-by: Lucas Stach Link: https://lore.kernel.org/r/20191129133514.23224-1-l.stach@pengutronix.de Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 2ef2441c49859001d562b1c40635d4d7bc74f758 Author: Hans Verkuil Date: Fri Nov 22 16:17:08 2019 -0800 Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus commit fc1156f373e3927e0dcf06678906c367588bfdd6 upstream. Some Lenovo X1 Carbon Gen 6 laptops report LEN0091. Add this to the smbus_pnp_ids list. Signed-off-by: Hans Verkuil Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191119105118.54285-2-hverkuil-cisco@xs4all.nl Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 1760cf232b5cb77f9eeff11411401857976d0d12 Author: Kai-Heng Feng Date: Wed Nov 20 16:20:35 2019 +0800 ALSA: hda - Add mute led support for HP ProBook 645 G4 commit e190de6941db14813032af87873f5550ad5764fe upstream. Mic mute led does not work on HP ProBook 645 G4. We can use CXT_FIXUP_MUTE_LED_GPIO fixup to support it. Signed-off-by: Kai-Heng Feng Cc: Link: https://lore.kernel.org/r/20191120082035.18937-1-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c6bebccd3c6293e49a291a3339f1230b3e49630a Author: Takashi Iwai Date: Wed Dec 4 15:48:24 2019 +0100 ALSA: pcm: oss: Avoid potential buffer overflows commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream. syzkaller reported an invalid access in PCM OSS read, and this seems to be an overflow of the internal buffer allocated for a plugin. Since the rate plugin adjusts its transfer size dynamically, the calculation for the chained plugin might be bigger than the given buffer size in some extreme cases, which lead to such an buffer overflow as caught by KASAN. Fix it by limiting the max transfer size properly by checking against the destination size in each plugin transfer callback. Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f9f56eb9c8412fa62131e6ed0ac8cb7ab7d15d77 Author: Kailang Yang Date: Tue Nov 26 17:04:23 2019 +0800 ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 commit e1e8c1fdce8b00fce08784d9d738c60ebf598ebc upstream. headphone have noise even the volume is very small. Let it fill up pcbeep hidden register to default value. The issue was gone. Fixes: 4344aec84bd8 ("ALSA: hda/realtek - New codec support for ALC256") Fixes: 736f20a70608 ("ALSA: hda/realtek - Add support for ALC236/ALC3204") Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/9ae47f23a64d4e41a9c81e263cd8a250@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fa77bf0cf96c54de226463a6fe9d8dd4be5c115a Author: Hui Wang Date: Thu Nov 21 10:54:27 2019 +0800 ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop commit 695d1ec3994f9de2cefae80ee2087c95d2e5a2f3 upstream. The headset on this machine is not defined, after applying the quirk ALC256_FIXUP_ASUS_HEADSET_MIC, the headset-mic works well BugLink: https://bugs.launchpad.net/bugs/1846148 Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20191121025427.8856-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3bf78033c0441691cf1ba250a4020043ee5069d9 Author: Jian-Hong Pan Date: Mon Nov 25 17:34:06 2019 +0800 ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC commit 436e25505f3458cc92c7f3c985e9cbc198a98209 upstream. Laptops like ASUS UX431FLC and UX431FL can share the same audio quirks. But UX431FLC needs one more step to enable the internal speaker: Pull the GPIO from CODEC to initialize the AMP. Fixes: 60083f9e94b2 ("ALSA: hda/realtek - Enable internal speaker & headset mic of ASUS UX431FL") Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20191125093405.5702-1-jian-hong@endlessm.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 710c33adef4ebe46b351988d3fccb0d225ba466c Author: Miklos Szeredi Date: Tue Nov 12 11:49:04 2019 +0100 fuse: verify attributes commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream. If a filesystem returns negative inode sizes, future reads on the file were causing the cpu to spin on truncate_pagecache. Create a helper to validate the attributes. This now does two things: - check the file mode - check if the file size fits in i_size without overflowing Reported-by: Arijit Banerjee Fixes: d8a5ba45457e ("[PATCH] FUSE - core") Cc: # v2.6.14 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 9f435a5e3f5f28e20a6b6cfc2301cf5310f6238a Author: Miklos Szeredi Date: Tue Nov 12 11:49:04 2019 +0100 fuse: verify nlink commit c634da718db9b2fac201df2ae1b1b095344ce5eb upstream. When adding a new hard link, make sure that i_nlink doesn't overflow. Fixes: ac45d61357e8 ("fuse: fix nlink after unlink") Cc: # v3.4 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 742f2319cbd61d9a051f532ad8c83bb33b48f442 Author: Xuewei Zhang Date: Thu Oct 3 17:12:43 2019 -0700 sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision commit 4929a4e6faa0f13289a67cae98139e727f0d4a97 upstream. The quota/period ratio is used to ensure a child task group won't get more bandwidth than the parent task group, and is calculated as: normalized_cfs_quota() = [(quota_us << 20) / period_us] If the quota/period ratio was changed during this scaling due to precision loss, it will cause inconsistency between parent and child task groups. See below example: A userspace container manager (kubelet) does three operations: 1) Create a parent cgroup, set quota to 1,000us and period to 10,000us. 2) Create a few children cgroups. 3) Set quota to 1,000us and period to 10,000us on a child cgroup. These operations are expected to succeed. However, if the scaling of 147/128 happens before step 3, quota and period of the parent cgroup will be changed: new_quota: 1148437ns, 1148us new_period: 11484375ns, 11484us And when step 3 comes in, the ratio of the child cgroup will be 104857, which will be larger than the parent cgroup ratio (104821), and will fail. Scaling them by a factor of 2 will fix the problem. Tested-by: Phil Auld Signed-off-by: Xuewei Zhang Signed-off-by: Peter Zijlstra (Intel) Acked-by: Phil Auld Cc: Anton Blanchard Cc: Ben Segall Cc: Dietmar Eggemann Cc: Juri Lelli Cc: Linus Torvalds Cc: Mel Gorman Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Thomas Gleixner Cc: Vincent Guittot Fixes: 2e8e19226398 ("sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup") Link: https://lkml.kernel.org/r/20191004001243.140897-1-xueweiz@google.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit b73b5eedddfac178e4db917183b49d0ab7f63210 Author: Dmitry Bogdanov Date: Fri Dec 7 14:00:11 2018 +0000 net: aquantia: fix RSS table and key sizes [ Upstream commit 474fb1150d40780e71f0b569aeac4f375df3af3d ] Set RSS indirection table and RSS hash key sizes to their real size. Signed-off-by: Dmitry Bogdanov Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 21a16d1ac916baca3dfeba17788c40dba4303cc3 Author: Helen Fornazier Date: Fri Dec 7 12:56:41 2018 -0500 media: vimc: fix start stream when link is disabled [ Upstream commit e159b6074c82fe31b79aad672e02fa204dbbc6d8 ] If link is disabled, media_entity_remote_pad returns NULL, causing a NULL pointer deference. Ignore links that are not enabled instead. Signed-off-by: Helen Koike Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fb2f4385fca4972afaf8d25dee34383f7446f72c Author: Felix Brack Date: Fri Nov 30 15:54:46 2018 +0100 ARM: dts: am335x-pdu001: Fix polarity of card detection input [ Upstream commit 5760367298a37c459ef0b1364463d70fd9a1f972 ] When a micro SD card is inserted in the PDU001 card cage, the card detection switch is opened and the corresponding GPIO input is driven by a pull-up. Hence change the active level of the card detection input from low to high. Signed-off-by: Felix Brack Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit e60d4b917a7a23ce1326b310451a73201499126c Author: Rob Herring Date: Thu Dec 6 13:11:42 2018 -0600 ARM: dts: sunxi: Fix PMU compatible strings [ Upstream commit 5719ac19fc32d892434939c1756c2f9a8322e6ef ] "arm,cortex-a15-pmu" is not a valid fallback compatible string for an Cortex-A7 PMU, so drop it. Cc: Maxime Ripard Cc: Chen-Yu Tsai Signed-off-by: Rob Herring Acked-by: Will Deacon Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 6539e282bd945118093be174573e624d4655b625 Author: Ladislav Michl Date: Tue Dec 4 19:19:51 2018 +0100 ASoC: max9867: Fix power management [ Upstream commit 29f58ff06795a923407d011d4721eaf3e8d39acc ] Implement set_bias_level to drive shutdown bit, so device is put to sleep when unused. Signed-off-by: Ladislav Michl Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1f8d72a2e23efb279435c4e0ca58ec5d796b5d84 Author: Niklas Söderlund Date: Thu Nov 29 01:15:38 2018 +0100 clk: renesas: rcar-gen3: Set state when registering SD clocks [ Upstream commit ecda0a09fa9933bcd67e33c952f778f0872392ed ] The driver tries to figure out which state a SD clock is in when the clock is registered, instead of setting a known state. This can be problematic for two reasons. 1. If the clock driver can't figure out the state of the clock, registration of the clock fails, and setting of a known state by a clock user is not possible. 2. The state of the clock depends on if and how the bootloader configured it. The driver only checks that the rate is known, not if the clock is stopped or not for example. Fix this by setting a known state and making sure the clock is stopped. Signed-off-by: Niklas Söderlund Tested-by: Wolfram Sang Acked-by: Wolfram Sang Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit a4c104a35e0b912b44841fd8a85edb4cea53587d Author: YueHaibing Date: Fri Dec 7 03:52:43 2018 +0000 usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler [ Upstream commit f770e3bc236ee954a3b4052bdf55739e26ee25db ] Fixes gcc '-Wunused-but-set-variable' warning: drivers/usb/mtu3/mtu3_qmu.c: In function 'qmu_tx_zlp_error_handler': drivers/usb/mtu3/mtu3_qmu.c:385:22: warning: variable 'req' set but not used [-Wunused-but-set-variable] It seems dbginfo original intention is print 'req' other than 'mreq' Acked-by: Chunfeng Yun Signed-off-by: YueHaibing Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 49ef54a3523dfb86d91116b595fab554f417bfb9 Author: Qian Cai Date: Thu Nov 29 21:18:07 2018 -0500 mlx4: Use snprintf instead of complicated strcpy [ Upstream commit 0fbc9b8b4ea3f688a5da141a64f97aa33ad02ae9 ] This fixes a compilation warning in sysfs.c drivers/infiniband/hw/mlx4/sysfs.c:360:2: warning: 'strncpy' output may be truncated copying 8 bytes from a string of length 31 [-Wstringop-truncation] By eliminating the temporary stack buffer. Signed-off-by: Qian Cai Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 647ded863b5a3733679e402e3d17bc149bb16f3e Author: Mike Marciniszyn Date: Wed Nov 28 10:32:48 2018 -0800 IB/hfi1: Close VNIC sdma_progress sleep window [ Upstream commit 18912c4524385dd6532c682cb9d4f6aa39ba8d47 ] The call to sdma_progress() is called outside the wait lock. In this case, there is a race condition where sdma_progress() can return false and the sdma_engine can idle. If that happens, there will be no more sdma interrupts to cause the wakeup and the vnic_sdma xmit will hang. Fix by moving the lock to enclose the sdma_progress() call. Also, delete the tx_retry. The need for this was removed by: commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first") Fixes: 64551ede6cd1 ("IB/hfi1: VNIC SDMA support") Reviewed-by: Gary Leshner Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 46824288a5fc7b7e5166be2b6c303d98a41bd631 Author: Kaike Wan Date: Wed Nov 28 10:19:04 2018 -0800 IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state [ Upstream commit c1a797c0818e0122c7ec8422edd971cfec9b15ea ] When it is requested to change its physical state back to Offline while in the process to go up, DC8051 will set the ERROR field in the DC8051_DBG_ERR_INFO_SET_BY_8051 register. This ERROR field will remain until the next time when DC8051 transitions from Offline to Polling. Subsequently, when the host requests DC8051 to change its physical state to Polling again, it may receive a DC8051 interrupt with the stale ERROR field still in DC8051_DBG_ERR_INFO_SET_BY_8051. If the host link state has been changed to Polling, this stale ERROR will force the host to transition to Offline state, resulting in a vicious cycle of Polling ->Offline->Polling->Offline. On the other hand, if the host link state is still Offline when the stale ERROR is received, the stale ERROR will be ignored, and the link will come up correctly. This patch implements the correct behavior by changing host link state to Polling only after DC8051 changes its physical state to Polling. Reviewed-by: Mike Marciniszyn Signed-off-by: Krzysztof Goreczny Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6b1f6d02f0846290b15ed1fdb1ed06b6d9f819f7 Author: Nir Dotan Date: Thu Dec 6 17:44:52 2018 +0000 mlxsw: spectrum_router: Relax GRE decap matching check [ Upstream commit da93d2913fdf43d5cde3c5a53ac9cc29684d5c7c ] GRE decap offload is configured when local routes prefix correspond to the local address of one of the offloaded GRE tunnels. The matching check was found to be too strict, such that for a flat GRE configuration, in which the overlay and underlay traffic share the same non-default VRF, decap flow was not offloaded. Relax the check for decap flow offloading. A match occurs if the local address of the tunnel matches the local route address while both share the same VRF table. Fixes: 4607f6d26950 ("mlxsw: spectrum_router: Support IPv4 underlay decap") Signed-off-by: Nir Dotan Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 24e9c85c6ea0c37015f39250ac07955000521ef4 Author: Geert Uytterhoeven Date: Wed Dec 5 16:39:42 2018 +0100 soc: renesas: r8a77990-sysc: Fix initialization order of 3DG-{A,B} [ Upstream commit b0d7fbf8b174168c580bb310964c3c809e5569a9 ] The workaround for the wrong hierarchy of the 3DG-{A,B} power domains on R-Car E3 ES1.0 corrected the parent domains. However, the 3DG-{A,B} power domains were still initialized and powered in the wrong order, causing 3DG operation to fail. Fix this by changing the order in the table at runtime, when running on an affected SoC. Fixes: 086b399965a7ee7e ("soc: renesas: r8a77990-sysc: Add workaround for 3DG-{A,B}") Signed-off-by: Geert Uytterhoeven Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit f033651fba25689f1bfa87bed8140add1b5adeab Author: Jakub Audykowicz Date: Tue Dec 4 20:27:41 2018 +0100 sctp: frag_point sanity check [ Upstream commit afd0a8006e98b1890908f81746c94ca5dae29d7c ] If for some reason an association's fragmentation point is zero, sctp_datamsg_from_user will try to endlessly try to divide a message into zero-sized chunks. This eventually causes kernel panic due to running out of memory. Although this situation is quite unlikely, it has occurred before as reported. I propose to add this simple last-ditch sanity check due to the severity of the potential consequences. Signed-off-by: Jakub Audykowicz Acked-by: Neil Horman Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 253c617ea626cb569c91215b7bbdfb53f2205a2b Author: Bjorn Andersson Date: Mon Dec 3 10:33:29 2018 -0800 clk: qcom: gcc-msm8998: Disable halt check of UFS clocks [ Upstream commit 2abf856202fd3e4883e4c518acaa9a023b0dbe54 ] Drop the halt check of the UFS symbol clocks, in accordance with other platforms. This makes clk_disable_unused() happy and makes it possible to turn the clocks on again without an error. Signed-off-by: Bjorn Andersson Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit b6f4e1caf426b1978c1afdbade18d094aed4e3ce Author: Jonathan Marek Date: Wed Nov 21 21:32:25 2018 -0500 firmware: qcom: scm: fix compilation error when disabled [ Upstream commit 16ad9501b1f2edebe24f8cf3c09da0695871986b ] This fixes the case when CONFIG_QCOM_SCM is not enabled, and linux/errno.h has not been included previously. Signed-off-by: Jonathan Marek Reviewed-by: Bjorn Andersson Signed-off-by: Andy Gross Signed-off-by: Sasha Levin commit 8eccf35a6ff771f831587953dd5b3c659ad16e11 Author: Andreas Pape Date: Fri Nov 23 11:14:54 2018 -0500 media: stkwebcam: Bugfix for wrong return values [ Upstream commit 3c28b91380dd1183347d32d87d820818031ebecf ] usb_control_msg returns in case of a successfully sent message the number of sent bytes as a positive number. Don't use this value as a return value for stk_camera_read_reg, as a non-zero return value is used as an error condition in some cases when stk_camera_read_reg is called. Signed-off-by: Andreas Pape Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 50e9fda8654bf1c4a9239c253f99350b392842c1 Author: Dmitry Safonov Date: Thu Nov 1 00:24:48 2018 +0000 tty: Don't block on IO when ldisc change is pending [ Upstream commit c96cf923a98d1b094df9f0cf97a83e118817e31b ] There might be situations where tty_ldisc_lock() has blocked, but there is already IO on tty and it prevents line discipline changes. It might theoretically turn into dead-lock. Basically, provide more priority to pending tty_ldisc_lock() than to servicing reads/writes over tty. User-visible issue was reported by Mikulas where on pa-risc with Debian 5 reboot took either 80 seconds, 3 minutes or 3:25 after proper locking in tty_reopen(). Cc: Jiri Slaby Reported-by: Mikulas Patocka Signed-off-by: Dmitry Safonov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 01e5d17964947f52808a2908a972918223c4b4d0 Author: Paul Kocialkowski Date: Wed Dec 5 10:24:30 2018 +0100 ARM: dts: sun8i: h3: Fix the system-control register range [ Upstream commit 925c5afd78c40169c7e0e6adec52d5119ff43751 ] Unlike in previous generations, the system-control register range is not limited to a size of 0x30 on the H3. In particular, the EMAC clock configuration register (accessed through syscon) is at offset 0x30 in that range. Extend the register size to its full range (0x1000) as a result. Signed-off-by: Paul Kocialkowski Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 6854d02bcb67d0b768b25b2e54482e3e4cc046a1 Author: Ryan Case Date: Thu Nov 29 18:18:40 2018 -0800 tty: serial: qcom_geni_serial: Fix softlock [ Upstream commit a1fee899e5bed457afc20a6a2ff3915a95cc5942 ] Transfers were being divided into device FIFO sized (64 byte max) operations which would poll for completion within a spin_lock_irqsave / spin_unlock_irqrestore block. This both made things slow by waiting for the FIFO to completely drain before adding further data and would also result in softlocks on large transmissions. This patch allows larger transfers with continuous FIFO additions as space becomes available and removes polling from the interrupt handler. Signed-off-by: Ryan Case Reviewed-by: Stephen Boyd Reviewed-by: Douglas Anderson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5146add60adf31ae4d02cfac0150eb8f8d3aa9b7 Author: Kieran Bingham Date: Fri Nov 9 09:26:10 2018 -0500 media: uvcvideo: Abstract streaming object lifetime [ Upstream commit ece41454c6a5ed8f301ef1c37710ab222e577823 ] The streaming object is a key part of handling the UVC device. Although not critical, we are currently missing a call to destroy the mutex on clean up paths, and we are due to extend the objects complexity in the near future. Facilitate easy management of a stream object by creating a pair of functions to handle creating and destroying the allocation. The new uvc_stream_delete() function also performs the missing mutex_destroy() operation. Previously a failed streaming object allocation would cause uvc_parse_streaming() to return -EINVAL, which is inappropriate. If the constructor failes, we will instead return -ENOMEM. While we're here, fix the trivial spelling error in the function banner of uvc_delete(). Signed-off-by: Kieran Bingham Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1ff89e6d4b2332801bfaf5ab3cfd6660b7096bd0 Author: zhengbin Date: Fri Nov 30 16:04:25 2018 +0800 nfsd: Return EPERM, not EACCES, in some SETATTR cases [ Upstream commit 255fbca65137e25b12bced18ec9a014dc77ecda0 ] As the man(2) page for utime/utimes states, EPERM is returned when the second parameter of utime or utimes is not NULL, the caller's effective UID does not match the owner of the file, and the caller is not privileged. However, in a NFS directory mounted from knfsd, it will return EACCES (from nfsd_setattr-> fh_verify->nfsd_permission). This patch fixes that. Signed-off-by: zhengbin Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit ef51042de4b497e2c2baaabfd176815cd6e8b5c1 Author: Aaro Koskinen Date: Tue Dec 4 22:12:17 2018 +0200 MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition [ Upstream commit 1c6121c39677175bd372076020948e184bad4b6b ] cn58xx is compatible with cn50xx, so use the latter. Signed-off-by: Aaro Koskinen [paul.burton@mips.com: s/cn52xx/cn50xx/ in commit message.] Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: linux-mips@vger.kernel.org Signed-off-by: Sasha Levin commit 66371d5356d38d61cbea61711569b55948fae075 Author: Geert Uytterhoeven Date: Thu Nov 29 11:06:37 2018 +0100 clk: renesas: r8a77995: Correct parent clock of DU [ Upstream commit 515b2915ee08060ad4f6a3b3de38c5c2c5258e8b ] According to the R-Car Gen3 Hardware Manual Rev 1.00, the parent clock of the DU module clocks on R-Car D3 is S1D1. Fixes: d71e851d82c6cfe5 ("clk: renesas: cpg-mssr: Add R8A77995 support") Signed-off-by: Geert Uytterhoeven Acked-by: Stephen Boyd Reviewed-by: Laurent Pinchart Tested-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 7718f9e818d7c8abb401ea5144ede10465b3c053 Author: Takeshi Kihara Date: Fri Oct 12 16:48:34 2018 +0900 clk: renesas: r8a77990: Correct parent clock of DU [ Upstream commit 7cf3a216a2b3a672cad3e498c186c9333bdff90a ] According to the R-Car Gen3 Hardware Manual Rev 1.00, the parent clock of the DU module clocks on R-Car E3 is S1D1. Signed-off-by: Takeshi Kihara Fixes: 3570a2af473789c5 ("clk: renesas: cpg-mssr: Add support for R-Car E3") Signed-off-by: Geert Uytterhoeven Acked-by: Stephen Boyd Reviewed-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 7ad0c78bb317358639c3af35783442fd7bfd5f2b Author: Joel Stanley Date: Tue Dec 4 09:37:46 2018 +1030 powerpc/math-emu: Update macros from GCC [ Upstream commit b682c8692442711684befe413cf93cf01c5324ea ] The add_ssaaaa, sub_ddmmss, umul_ppmm and udiv_qrnnd macros originate from GCC's longlong.h which in turn was copied from GMP's longlong.h a few decades ago. This was found when compiling with clang: arch/powerpc/math-emu/fnmsub.c:46:2: error: invalid use of a cast in a inline asm context requiring an l-value: remove the cast or build with -fheinous-gnu-extensions FP_ADD_D(R, T, B); ^~~~~~~~~~~~~~~~~ ... ./arch/powerpc/include/asm/sfp-machine.h:283:27: note: expanded from macro 'sub_ddmmss' : "=r" ((USItype)(sh)), \ ~~~~~~~~~~^~~ Segher points out: this was fixed in GCC over 16 years ago ( https://gcc.gnu.org/r56600 ), and in GMP (where it comes from) presumably before that. Update the add_ssaaaa, sub_ddmmss, umul_ppmm and udiv_qrnnd macros to the latest GCC version in order to git rid of the invalid casts. These were taken as-is from GCC's longlong in order to make future syncs obvious. Other parts of sfp-machine.h were left as-is as the file contains more features than present in longlong.h. Link: https://github.com/ClangBuiltLinux/linux/issues/260 Signed-off-by: Joel Stanley Reviewed-by: Nick Desaulniers Reviewed-by: Segher Boessenkool Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 6b6f6030afd29f3470a3cf2630d9afdc1ec8a241 Author: Kees Cook Date: Mon Dec 3 16:39:01 2018 -0800 pstore/ram: Avoid NULL deref in ftrace merging failure path [ Upstream commit 8665569e97dd52920713b95675409648986b5b0d ] Given corruption in the ftrace records, it might be possible to allocate tmp_prz without assigning prz to it, but still marking it as needing to be freed, which would cause at least a NULL dereference. smatch warnings: fs/pstore/ram.c:340 ramoops_pstore_read() error: we previously assumed 'prz' could be null (see line 255) https://lists.01.org/pipermail/kbuild-all/2018-December/055528.html Reported-by: Dan Carpenter Fixes: 2fbea82bbb89 ("pstore: Merge per-CPU ftrace records into one") Cc: "Joel Fernandes (Google)" Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit 9c6ca33f12cd4b678676c0a9e152c0e2c4e2a277 Author: Erez Alfasi Date: Sun Dec 2 17:40:25 2018 +0200 net/mlx4_core: Fix return codes of unsupported operations [ Upstream commit 95aac2cdafd8c8298c9b2589c52f44db0d824e0e ] Functions __set_port_type and mlx4_check_port_params returned -EINVAL while the proper return code is -EOPNOTSUPP as a result of an unsupported operation. All drivers should generate this and all users should check for it when detecting an unsupported functionality. Signed-off-by: Erez Alfasi Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 446a04d879a0ca9fc58195050ea6117d1f9bd22a Author: David Teigland Date: Mon Dec 3 15:27:37 2018 -0600 dlm: fix invalid cluster name warning [ Upstream commit 3595c559326d0b660bb088a88e22e0ca630a0e35 ] The warning added in commit 3b0e761ba83 "dlm: print log message when cluster name is not set" did not account for the fact that lockspaces created from userland do not supply a cluster name, so bogus warnings are printed every time a userland lockspace is created. Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit ab9d56dace3bdd7ed6957923b85c6cb29f959d68 Author: Rob Herring Date: Mon Dec 3 13:12:48 2018 -0600 ARM: dts: realview: Fix some more duplicate regulator nodes [ Upstream commit f3b2f758ec1e6cdb13c925647cbd8ad4938b78fb ] There's a bug in dtc in checking for duplicate node names when there's another section (e.g. "/ { };"). In this case, skeleton.dtsi provides another section. Upon removal of skeleton.dtsi, the dtb fails to build due to a duplicate node 'fixedregulator@0'. As both nodes were pretty much the same 3.3V fixed regulator, it hasn't really mattered. Fix this by renaming the nodes to something unique. In the process, drop the unit-address which shouldn't be present wtihout reg property. Signed-off-by: Rob Herring Reviewed-by: Linus Walleij Signed-off-by: Olof Johansson Signed-off-by: Sasha Levin commit 82bfaec726d3e0a5318c9cd17ad0a24a6007e479 Author: Neil Armstrong Date: Thu Nov 8 07:44:48 2018 -0500 media: cxd2880-spi: fix probe when dvb_attach fails [ Upstream commit 458ffce1cb46e46e3cec48b625ed142250475708 ] When dvb_attach fails, probe returns 0, and remove crashes afterwards. This patch sets the return value to -ENODEV when attach fails. Fixes: bd24fcddf6b8 ("media: cxd2880-spi: Add support for CXD2880 SPI interface") Signed-off-by: Neil Armstrong Acked-by: Yasunari Takiguchi Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7f095bd0326b486011d6a0b1637e1fe6c6d40326 Author: Jeffrey Hugo Date: Mon Dec 3 09:13:43 2018 -0700 clk: qcom: Fix MSM8998 resets [ Upstream commit 4f89f7b59a6ea17e81cff212c18a0b580ff5ff27 ] The offsets for the defined BCR reset registers does not match the hardware documentation. Update the values to match the hardware documentation. Fixes: b5f5f525c547 (clk: qcom: Add MSM8998 Global Clock Control (GCC) driver) Signed-off-by: Jeffrey Hugo Reviewed-by: Bjorn Andersson Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 5c6493d2ee8e855c82dcc218151ecd92934cdd32 Author: Chen-Yu Tsai Date: Fri Nov 30 13:33:28 2018 +0800 clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent [ Upstream commit 7bb7d29cffdd24bf419516d14b6768591e74069e ] The third parent of CSI_MCLK is PLL_PERIPH1, not PLL_PERIPH0. Fix it. Fixes: 0577e4853bfb ("clk: sunxi-ng: Add H3 clocks") Acked-by: Stephen Boyd Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 9122845dc398e1ab3316e18dc10b469c689c85ce Author: Martin Blumenstingl Date: Sun Dec 2 22:42:18 2018 +0100 clk: meson: meson8b: fix the offset of vid_pll_dco's N value [ Upstream commit 376d8c45bd6ac79f02ecf9ca1606dc5d1b271bc0 ] Unlike the other PLLs on Meson8b the N value "vid_pll_dco" (a better name would be hdmi_pll_dco or - as the datasheet calls it - HPLL) is located at HHI_VID_PLL_CNTL[14:10] instead of [13:9]. This results in an incorrect calculation of the rate of this PLL because the value seen by the kernel is double the actual N (divider) value. Update the offset of the N value to fix the calculation of the PLL rate. Fixes: 28b9fcd016126e ("clk: meson8b: Add support for Meson8b clocks") Reported-by: Jianxin Pan Signed-off-by: Martin Blumenstingl Signed-off-by: Neil Armstrong Link: https://lkml.kernel.org/r/20181202214220.7715-2-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit 90ac7278e652660bd7ffd2e23bfa13893237a344 Author: Daniel Mack Date: Sat Dec 1 14:54:51 2018 +0100 ARM: dts: pxa: clean up USB controller nodes [ Upstream commit c40ad24254f1dbd54f2df5f5f524130dc1862122 ] PXA25xx SoCs don't have a USB controller, so drop the node from the common pxa2xx.dtsi base file. Both pxa27x and pxa3xx have a dedicated node already anyway. While at it, unify the names for the nodes across all pxa platforms. Signed-off-by: Daniel Mack Reported-by: Sergey Yanovich Link: https://patchwork.kernel.org/patch/8375421/ Signed-off-by: Robert Jarzmik Signed-off-by: Sasha Levin commit 75fecd8d71dba8bde48e5a0edebe1f3847b883b2 Author: Miquel Raynal Date: Sun Nov 18 21:18:30 2018 +0100 mtd: fix mtd_oobavail() incoherent returned value [ Upstream commit 4348433d8c0234f44adb6e12112e69343f50f0c5 ] mtd_oobavail() returns either mtd->oovabail or mtd->oobsize. Both values are unsigned 32-bit entities, so there is no reason to pretend returning a signed one. Signed-off-by: Miquel Raynal Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin commit f7a5ed083e71b700ee9a5c89fcb37cfc22e3731a Author: Masahiro Yamada Date: Thu Nov 22 08:11:54 2018 +0900 kbuild: fix single target build for external module [ Upstream commit e07db28eea38ed4e332b3a89f3995c86b713cb5b ] Building a single target in an external module fails due to missing .tmp_versions directory. For example, $ make -C /lib/modules/$(uname -r)/build M=$PWD foo.o will fail in the following way: CC [M] /home/masahiro/foo/foo.o /bin/sh: 1: cannot create /home/masahiro/foo/.tmp_versions/foo.mod: Directory nonexistent This is because $(cmd_crmodverdir) is executed only before building /, %/, %.ko single targets of external modules. Create .tmp_versions in the 'prepare' target. Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit f28d930810ee3b4483a76712478279370b7f0281 Author: Paul Walmsley Date: Wed Nov 21 13:14:13 2018 -0800 modpost: skip ELF local symbols during section mismatch check [ Upstream commit a4d26f1a0958bb1c2b60c6f1e67c6f5d43e2647b ] During development of a serial console driver with a gcc 8.2.0 toolchain for RISC-V, the following modpost warning appeared: ---- WARNING: vmlinux.o(.data+0x19b10): Section mismatch in reference from the variable .LANCHOR1 to the function .init.text:sifive_serial_console_setup() The variable .LANCHOR1 references the function __init sifive_serial_console_setup() If the reference is valid then annotate the variable with __init* or __refdata (see linux/init.h) or name the variable: *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console ---- ".LANCHOR1" is an ELF local symbol, automatically created by gcc's section anchor generation code: https://gcc.gnu.org/onlinedocs/gccint/Anchored-Addresses.html https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/varasm.c;h=cd9591a45617464946dcf9a126dde277d9de9804;hb=9fb89fa845c1b2e0a18d85ada0b077c84508ab78#l7473 This was verified by compiling the kernel with -fno-section-anchors and observing that the ".LANCHOR1" ELF local symbol disappeared, and modpost no longer warned about the section mismatch. The serial driver code idiom triggering the warning is standard Linux serial driver practice that has a specific whitelist inclusion in modpost.c. I'm neither a modpost nor an ELF expert, but naively, it doesn't seem useful for modpost to report section mismatch warnings caused by ELF local symbols by default. Local symbols have compiler-generated names, and thus bypass modpost's whitelisting algorithm, which relies on the presence of a non-autogenerated symbol name. This increases the likelihood that false positive warnings will be generated (as in the above case). Thus, disable section mismatch reporting on ELF local symbols. The rationale here is similar to that of commit 2e3a10a1551d ("ARM: avoid ARM binutils leaking ELF local symbols") and of similar code already present in modpost.c: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/mod/modpost.c?h=v4.19-rc4&id=7876320f88802b22d4e2daf7eb027dd14175a0f8#n1256 This third version of the patch implements a suggestion from Masahiro Yamada to restructure the code as an additional pattern matching step inside secref_whitelist(), and further improves the patch description. Signed-off-by: Paul Walmsley Signed-off-by: Paul Walmsley Acked-by: Sam Ravnborg Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 01775a8dc616d465cfb28ee1b928803179bec440 Author: Yuchung Cheng Date: Wed Nov 28 16:06:45 2018 -0800 tcp: fix SNMP TCP timeout under-estimation [ Upstream commit e1561fe2dd69dc5dddd69bd73aa65355bdfb048b ] Previously the SNMP TCPTIMEOUTS counter has inconsistent accounting: 1. It counts all SYN and SYN-ACK timeouts 2. It counts timeouts in other states except recurring timeouts and timeouts after fast recovery or disorder state. Such selective accounting makes analysis difficult and complicated. For example the monitoring system needs to collect many other SNMP counters to infer the total amount of timeout events. This patch makes TCPTIMEOUTS counter simply counts all the retransmit timeout (SYN or data or FIN). Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a5f37a687f3fc7c3cea674287642424ebf9764a1 Author: Yuchung Cheng Date: Wed Nov 28 16:06:44 2018 -0800 tcp: fix SNMP under-estimation on failed retransmission [ Upstream commit ec641b39457e17774313b66697a8a1dc070257bd ] Previously the SNMP counter LINUX_MIB_TCPRETRANSFAIL is not counting the TSO/GSO properly on failed retransmission. This patch fixes that. Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 85b03cfe31befc481e1da603d888517da2e30409 Author: Yuchung Cheng Date: Wed Nov 28 16:06:43 2018 -0800 tcp: fix off-by-one bug on aborting window-probing socket [ Upstream commit 3976535af0cb9fe34a55f2ffb8d7e6b39a2f8188 ] Previously there is an off-by-one bug on determining when to abort a stalled window-probing socket. This patch fixes that so it is consistent with tcp_write_timeout(). Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 47d83feb885e2dfa625f0cd50829ea10bd5902e2 Author: Rob Herring Date: Thu Nov 29 19:05:47 2018 -0600 ARM: dts: realview-pbx: Fix duplicate regulator nodes [ Upstream commit 7f4b001b7f6e0480b5bdab9cd8ce1711e43e5cb5 ] There's a bug in dtc in checking for duplicate node names when there's another section (e.g. "/ { };"). In this case, skeleton.dtsi provides another section. Upon removal of skeleton.dtsi, the dtb fails to build due to a duplicate node 'fixedregulator@0'. As both nodes were pretty much the same 3.3V fixed regulator, it hasn't really mattered. Fix this by renaming the nodes to something unique. In the process, drop the unit-address which shouldn't be present wtihout reg property. Cc: Linus Walleij Signed-off-by: Rob Herring Signed-off-by: Olof Johansson Signed-off-by: Sasha Levin commit 3ab2e27ba4463d45118457cf9e0bc856ec2a122c Author: Lubomir Rintel Date: Wed Nov 28 18:53:06 2018 +0100 ARM: dts: mmp2: fix the gpio interrupt cell number [ Upstream commit 400583983f8a8e95ec02c9c9e2b50188753a87fb ] gpio-pxa uses two cell to encode the interrupt source: the pin number and the trigger type. Adjust the device node accordingly. Signed-off-by: Lubomir Rintel Acked-by: Pavel Machek Signed-off-by: Olof Johansson Signed-off-by: Sasha Levin commit 3ad3a9a24207dd868bdd20c42e23f2eed6c4cfdd Author: Eric Dumazet Date: Tue Nov 27 14:42:02 2018 -0800 tcp: make tcp_space() aware of socket backlog [ Upstream commit 85bdf7db5b53cdcc7a901db12bcb3d0063e3866d ] Jean-Louis Dupond reported poor iscsi TCP receive performance that we tracked to backlog drops. Apparently we fail to send window updates reflecting the fact that we are under stress. Note that we might lack a proper window increase when backlog is fully processed, since __release_sock() clears sk->sk_backlog.len _after_ all skbs have been processed. This should not matter in practice. If we had a significant load through socket backlog, we are in a dangerous situation. Reported-by: Jean-Louis Dupond Signed-off-by: Eric Dumazet Acked-by: Neal Cardwell Acked-by: Yuchung Cheng Tested-by: Jean-Louis Dupond Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5db05cf0f6e698c11bc7dbfc0f31fb0bb23c458e Author: Rob Herring Date: Wed Nov 28 19:11:50 2018 -0600 kbuild: disable dtc simple_bus_reg warnings by default [ Upstream commit 70523a3ce5ff928faa43bb2cad554dc63438e3e7 ] The updated version of dtc has a bug fix for simple_bus_reg warnings and lots of warnings are generated now. So disable this warning by default. Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 82df606be888193dc7bbfb29e9fc624feb05500f Author: Geert Uytterhoeven Date: Thu Nov 29 11:56:18 2018 +0100 soc: renesas: r8a77980-sysc: Correct A3VIP[012] power domain hierarchy [ Upstream commit 160bfa7c724b348a90a12dd9694f351927a15b8e ] The R-Car Gen3 HardWare Manual Errata for Rev. 0.80 (Feb 28, 2018) renamed the A3VIP power domain on R-Car V3H to A3VIP0, and clarified the power domain hierarchy for the A3VIP[012] power domains. As the definition for the A3VIP0 domain is not yet used from DT, it can just be renamed. Fixes: 7755b40d07a8dba7 ("dt-bindings: power: add R8A77980 SYSC power domain definitions") Fixes: 41d6d8bd8ae94ca9 ("soc: renesas: rcar-sysc: add R8A77980 support") Signed-off-by: Geert Uytterhoeven Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 1b43a008d371110a8d031109cf7f4bc6d7d1fc70 Author: Geert Uytterhoeven Date: Thu Nov 29 11:56:17 2018 +0100 soc: renesas: r8a77980-sysc: Correct names of A2DP[01] power domains [ Upstream commit 97473bc85b22ac610b1810b6a9a4669a6cb0b7b0 ] The R-Car Gen3 HardWare Manual Errata for Rev. 0.80 (Feb 28, 2018) renamed the A2PD0 and A2DP0 power domains on R-Car V3H to A2DP0 resp. A2DP1. As these definitions are not yet used from DT, they can just be renamed. Fixes: 7755b40d07a8dba7 ("dt-bindings: power: add R8A77980 SYSC power domain definitions") Fixes: 41d6d8bd8ae94ca9 ("soc: renesas: rcar-sysc: add R8A77980 support") Signed-off-by: Geert Uytterhoeven Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 9a04bfc7594ccea27880292a6059725933610472 Author: Geert Uytterhoeven Date: Thu Nov 29 11:56:16 2018 +0100 soc: renesas: r8a77970-sysc: Correct names of A2DP/A2CN power domains [ Upstream commit b5eb730e031acaba2d25e8f522ac5966a70885ae ] The R-Car Gen3 HardWare Manual Errata for Rev. 0.80 (Feb 28, 2018) renamed the A2IR2 and A2IR3 power domains on R-Car V3M to A2DP resp. A2CN. As these definitions are not yet used from DT, they can just be renamed. While at it, fix the indentation of the A3IR definition. Fixes: 833bdb47c826a1a6 ("dt-bindings: power: add R8A77970 SYSC power domain definitions") Fixes: bab9b2a74fe9da96 ("soc: renesas: rcar-sysc: add R8A77970 support") Signed-off-by: Geert Uytterhoeven Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 5f21842def7442706aa9ba7802b5c4287d6eaa3f Author: Stephen Boyd Date: Fri Nov 30 00:36:33 2018 -0800 clk: mediatek: Drop more __init markings for driver probe [ Upstream commit 553604c041b8c18cd6a8e1d785a77f3e4be61cdb ] This function is called from driver probe, which isn't the same as __init code because driver probe can happen later. Drop the __init marking here to fix this potential problem. Cc: Sean Wang Cc: Ryder Lee Cc: Rob Herring Cc: Wenzhen Yu Cc: Weiyi Lu Fixes: 2fc0a509e4ee ("clk: mediatek: add clock support for MT7622 SoC") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3d4343f89c7141d91b18a46e2c8ced18a0c3a301 Author: Stephen Boyd Date: Fri Nov 30 00:34:33 2018 -0800 clk: mediatek: Drop __init from mtk_clk_register_cpumuxes() commit 28f1186a26f7e4e5df7be454710da26c810effb6 upstream. This function is used from more places than just __init code. Removing __init silences a section mismatch warning here. Cc: Sean Wang Cc: Ryder Lee Cc: Rob Herring Cc: Wenzhen Yu Cc: Weiyi Lu Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 043a7151d23c5c1171c1e0084d7402e230b56e0a Author: Yonghong Song Date: Thu Nov 29 15:31:45 2018 -0800 tools/bpf: make libbpf _GNU_SOURCE friendly [ Upstream commit b42699547fc9fb1057795bccc21a6445743a7fde ] During porting libbpf to bcc, I got some warnings like below: ... [ 2%] Building C object src/cc/CMakeFiles/bpf-shared.dir/libbpf/src/libbpf.c.o /home/yhs/work/bcc2/src/cc/libbpf/src/libbpf.c:12:0: warning: "_GNU_SOURCE" redefined [enabled by default] #define _GNU_SOURCE ... [ 3%] Building C object src/cc/CMakeFiles/bpf-shared.dir/libbpf/src/libbpf_errno.c.o /home/yhs/work/bcc2/src/cc/libbpf/src/libbpf_errno.c: In function ‘libbpf_strerror’: /home/yhs/work/bcc2/src/cc/libbpf/src/libbpf_errno.c:45:7: warning: assignment makes integer from pointer without a cast [enabled by default] ret = strerror_r(err, buf, size); ... bcc is built with _GNU_SOURCE defined and this caused the above warning. This patch intends to make libpf _GNU_SOURCE friendly by . define _GNU_SOURCE in libbpf.c unless it is not defined . undefine _GNU_SOURCE as non-gnu version of strerror_r is expected. Signed-off-by: Yonghong Song Acked-by: Jakub Kicinski Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit d094d6510231b1ebafe6cc651507a62206f0ca72 Author: Martin Schiller Date: Tue Nov 27 09:50:28 2018 +0100 net/x25: fix null_x25_address handling [ Upstream commit 06137619f061f498c2924f6543fa45b7d39f0501 ] o x25_find_listener(): the compare for the null_x25_address was wrong. We have to check the x25_addr of the listener socket instead of the x25_addr of the incomming call. o x25_bind(): it was not possible to bind a socket to null_x25_address Signed-off-by: Martin Schiller Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 12fc4bcc89ef5b34a8fdd8df6b674e055be09a17 Author: Martin Schiller Date: Tue Nov 27 09:50:27 2018 +0100 net/x25: fix called/calling length calculation in x25_parse_address_block [ Upstream commit d449ba3d581ed29f751a59792fdc775572c66904 ] The length of the called and calling address was not calculated correctly (BCD encoding). Signed-off-by: Martin Schiller Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b7950442f2977363b53d567ab723c92cf47279fb Author: Neil Armstrong Date: Wed Nov 7 11:45:50 2018 +0100 arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names [ Upstream commit 5b78012636f537344bd551934387f5772c38ba80 ] The gpio line names were set in the pinctrl node instead of the gpio node, at the time it was merged, it worked, but was obviously wrong. This patch moves the properties to the gpio nodes. Fixes: 60795933b709 ("ARM64: dts: meson-gxl-khadas-vim: Add GPIO lines names") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit f7979e85d40774ef84df368450c2a09aa8264555 Author: Neil Armstrong Date: Wed Nov 7 11:45:49 2018 +0100 arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names [ Upstream commit 2165b006b65d609140dafafcb14cce5a4aaacbab ] The gpio line names were set in the pinctrl node instead of the gpio node, at the time it was merged, it worked, but was obviously wrong. This patch moves the properties to the gpio nodes. Fixes: b03c7d6438bb ("ARM64: dts: meson-gxbb-odroidc2: Add GPIO lines names") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit f9737040b24c6f33c64275aad69b4fecd7105e1e Author: Neil Armstrong Date: Wed Nov 7 11:45:48 2018 +0100 arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names [ Upstream commit f0783f5edb52af14ecaae6c5ce4f38e0a358f5d8 ] The gpio line names were set in the pinctrl node instead of the gpio node, at the time it was merged, it worked, but was obviously wrong. This patch moves the properties to the gpio nodes. Fixes: 12ada0513d7a ("ARM64: dts: meson-gxbb-nanopi-k2: Add GPIO lines names") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit e99194333f3c48406e8b1cb41dd2da05b248e4d3 Author: Neil Armstrong Date: Wed Nov 7 11:45:47 2018 +0100 arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names [ Upstream commit 11fa9774612decea87144d7f950a9c53a4fe3050 ] The gpio line names were set in the pinctrl node instead of the gpio node, at the time it was merged, it worked, but was obviously wrong. This patch moves the properties to the gpio nodes. Fixes: 47884c5c746e ("ARM64: dts: meson-gxl-libretech-cc: Add GPIO lines names") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 9cd0da478f1d65e43b15f83bcba1bfa0098a7b41 Author: Aaro Koskinen Date: Mon Nov 19 21:46:41 2018 +0200 ARM: OMAP1/2: fix SoC name printing [ Upstream commit 04a92358b3964988c78dfe370a559ae550383886 ] Currently we get extra newlines on OMAP1/2 when the SoC name is printed: [ 0.000000] OMAP1510 [ 0.000000] revision 2 handled as 15xx id: bc058c9b93111a16 [ 0.000000] OMAP2420 [ 0.000000] Fix by using pr_cont. Signed-off-by: Aaro Koskinen Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 833ca57bf485969973cb56408377230599796b30 Author: Young_X Date: Tue Nov 27 06:33:16 2018 +0000 ASoC: au8540: use 64-bit arithmetic instead of 32-bit [ Upstream commit cd7fdc45bc69a62b4e22c6e875f1f1aea566256d ] Add suffix ULL to constant 256 in order to give the compiler complete information about the proper arithmetic to use. Notice that such constant is used in a context that expects an expression of type u64 (64 bits, unsigned) and the following expression is currently being evaluated using 32-bit arithmetic: 256 * fs * 2 * mclk_src_scaling[i].param Signed-off-by: Young_X Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 29e704b7a7b119291511a9f18bd2c46da50cf4f7 Author: Yonghong Song Date: Wed Nov 28 09:38:23 2018 -0800 tools: bpftool: fix a bitfield pretty print issue [ Upstream commit 528bff0cdb6649f97f2c4802e4ac7a4b50645f2f ] Commit b12d6ec09730 ("bpf: btf: add btf print functionality") added btf pretty print functionality to bpftool. There is a problem though in printing a bitfield whose type has modifiers. For example, for a type like typedef int ___int; struct tmp_t { int a:3; ___int b:3; }; Suppose we have a map struct bpf_map_def SEC("maps") tmpmap = { .type = BPF_MAP_TYPE_HASH, .key_size = sizeof(__u32), .value_size = sizeof(struct tmp_t), .max_entries = 1, }; and the hash table is populated with one element with key 0 and value (.a = 1 and .b = 2). In BTF, the struct member "b" will have a type "typedef" which points to an int type. The current implementation does not pass the bit offset during transition from typedef to int type, hence incorrectly print the value as $ bpftool m d id 79 [{ "key": 0, "value": { "a": 0x1, "b": 0x1 } } ] This patch fixed the issue by carrying bit_offset along the type chain during bit_field print. The correct result can be printed as $ bpftool m d id 76 [{ "key": 0, "value": { "a": 0x1, "b": 0x2 } } ] The kernel pretty print is implemented correctly and does not have this issue. Fixes: b12d6ec09730 ("bpf: btf: add btf print functionality") Signed-off-by: Yonghong Song Acked-by: Song Liu Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 12c49ac4cfa935ba76cde8f717c49d422e05e7bb Author: Yonghong Song Date: Tue Nov 27 13:23:28 2018 -0800 bpf: btf: check name validity for various types [ Upstream commit eb04bbb608e683f8fd3ef7f716e2fa32dd90861f ] This patch added name checking for the following types: . BTF_KIND_PTR, BTF_KIND_ARRAY, BTF_KIND_VOLATILE, BTF_KIND_CONST, BTF_KIND_RESTRICT: the name must be null . BTF_KIND_STRUCT, BTF_KIND_UNION: the struct/member name is either null or a valid identifier . BTF_KIND_ENUM: the enum type name is either null or a valid identifier; the enumerator name must be a valid identifier. . BTF_KIND_FWD: the name must be a valid identifier . BTF_KIND_TYPEDEF: the name must be a valid identifier For those places a valid name is required, the name must be a valid C identifier. This can be relaxed later if we found use cases for a different (non-C) frontend. Fixes: 69b693f0aefa ("bpf: btf: Introduce BPF Type Format (BTF)") Acked-by: Martin KaFai Lau Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 2f3e380d494c2126f7a9520ceeccbff00ab3e82f Author: Yonghong Song Date: Tue Nov 27 13:23:27 2018 -0800 bpf: btf: implement btf_name_valid_identifier() [ Upstream commit cdbb096adddb3f42584cecb5ec2e07c26815b71f ] Function btf_name_valid_identifier() have been implemented in bpf-next commit 2667a2626f4d ("bpf: btf: Add BTF_KIND_FUNC and BTF_KIND_FUNC_PROTO"). Backport this function so later patch can use it. Fixes: 69b693f0aefa ("bpf: btf: Introduce BPF Type Format (BTF)") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 3ff6af8e0a6ad7526789808a6b2867fce16331a2 Author: Scott Mayhew Date: Tue Nov 6 13:35:08 2018 -0500 nfsd: fix a warning in __cld_pipe_upcall() [ Upstream commit b493fd31c0b89d9453917e977002de58bebc3802 ] __cld_pipe_upcall() emits a "do not call blocking ops when !TASK_RUNNING" warning due to the dput() call in rpc_queue_upcall(). Fix it by using a completion instead of hand coding the wait. Signed-off-by: Scott Mayhew Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit a57b3ecc06d4dbc3b327a98a6ce5e432112e1f95 Author: YueHaibing Date: Wed Sep 26 18:32:29 2018 +0800 can: xilinx: fix return type of ndo_start_xmit function [ Upstream commit 81de0cd60fd492575b24d97667f38b8b833fb058 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 614348676cb945b8dfccaa37cff491880be01277 Author: Clément Péron Date: Tue Oct 9 13:28:37 2018 +0200 ARM: debug: enable UART1 for socfpga Cyclone5 [ Upstream commit f6628486c8489e91c513b62608f89ccdb745600d ] Cyclone5 and Arria10 doesn't have the same memory map for UART1. Split the SOCFPGA_UART1 into 2 options to allow debugging on UART1 for Cyclone5. Signed-off-by: Clément Péron Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit 3b0107ca80fbd03991ad568ef14fe13199703592 Author: Wen Yang Date: Wed Nov 28 15:25:00 2018 +0800 dlm: NULL check before kmem_cache_destroy is not needed [ Upstream commit f31a89692830061bceba8469607e4e4b0f900159 ] kmem_cache_destroy(NULL) is safe, so removes NULL check before freeing the mem. This patch also fix ifnullfree.cocci warnings. Signed-off-by: Wen Yang Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 980cd9a18b16ba1ff07d60101c1d836d7df5e18f Author: Maxime Ripard Date: Wed Nov 7 10:58:01 2018 +0100 ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning [ Upstream commit 438a44ce7e51ce571f942433c6c7cb87c4c0effd ] All our pinctrl nodes were using a node name convention with a unit-address to differentiate the different muxing options. However, since those nodes didn't have a reg property, they were generating warnings in DTC. In order to accomodate for this, convert the old nodes to the syntax we've been using for the new SoCs, including removing the letter suffix of the node labels to the bank of those pins to make things more readable. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 7e79de528afa68176ba5f131f2185f443a9f6ad1 Author: Maxime Ripard Date: Wed Nov 21 09:51:04 2018 +0100 ARM: dts: sun8i: a23/a33: Fix OPP DTC warnings [ Upstream commit a858f569b80a69076c521532a289097af905cf1e ] DTC will emit a warning on our OPPs nodes for the common DTSI between the A23 and A33 since those nodes use the frequency as unit addresses, but don't have a matching reg property. Fix this by moving the frequency to the node name instead. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 1ff8cb13835d5fedd7ad9c54bf38ed52763ad108 Author: Maxime Ripard Date: Fri Sep 7 16:00:22 2018 +0200 ARM: dts: sun7i: Fix HDMI output DTC warning [ Upstream commit 4d9a06979b1ae0c802440cb4433dfcd85fc7bdd3 ] Our HDMI output endpoint on the A10s DTSI has a warning under DTC: "graph node has single child node 'endpoint', #address-cells/#size-cells are not necessary". Fix this by removing those properties. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 05a8d2ab6604943b0349508308c5170c5d940e49 Author: Laurent Pinchart Date: Wed Oct 17 20:48:01 2018 +0300 ARM: dts: r8a779[01]: Disable unconnected LVDS encoders [ Upstream commit 89862542fab10fed8a3c2f9c167622ef4287351d ] The LVDS0 encoder on Koelsh and Porter, and the LVDS1 encoder on Lager, are enabled in DT but have no device connected to their output. This result in spurious messages being printed to the kernel log such as rcar-du feb00000.display: no connector for encoder /soc/lvds@feb90000, skipping Fix it by disabling the encoders. Fixes: 15a1ff30d8f9 ("ARM: dts: r8a7790: Convert to new LVDS DT bindings") Fixes: e5c3f4707f39 ("ARM: dts: r8a7791: Convert to new LVDS DT bindings") Reported-by: Geert Uytterhoeven Signed-off-by: Laurent Pinchart Signed-off-by: Simon Horman Signed-off-by: Sasha Levin commit 0b3d71d82a852563f8002221820eba6d7d6c55e4 Author: Maxime Ripard Date: Fri Sep 7 16:00:22 2018 +0200 ARM: dts: sun5i: a10s: Fix HDMI output DTC warning [ Upstream commit ed5fc60b909427be6ca93d3e07a0a5f296d7000a ] Our HDMI output endpoint on the A10s DTSI has a warning under DTC: "graph node has single child node 'endpoint', #address-cells/#size-cells are not necessary". Fix this by removing those properties. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit b00d8fc54ab4496bd3d4ba4d680e68b13bbf2e9c Author: Maxime Ripard Date: Fri Sep 7 16:00:22 2018 +0200 ARM: dts: sun4i: Fix HDMI output DTC warning [ Upstream commit 123b796d3fac60d69a3737d81901ab483c4efd6e ] Our HDMI output endpoint on the A10 DTSI has a warning under DTC: "graph node has single child node 'endpoint', #address-cells/#size-cells are not necessary". Fix this by removing those properties. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 6f1560992075b162c3dcf144e6a35922e6b245b5 Author: Maxime Ripard Date: Fri Sep 7 15:59:30 2018 +0200 ARM: dts: sun4i: Fix gpio-keys warning [ Upstream commit c9b543404c5e1fd51a7ac375294519be5064bf80 ] Fix the 'unnecessary #address-cells/#size-cells without "ranges" or child "reg" property' DTC warning for the gpio-keys DT node on A10 boards. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit df799def8c3e91bdc9e37f13ac346ca3e84688ee Author: Kuninori Morimoto Date: Tue Nov 27 07:35:34 2018 +0000 ASoC: rsnd: tidyup registering method for rsnd_kctrl_new() [ Upstream commit 9c698e8481a15237a5b1db5f8391dd66d59e42a4 ] Current rsnd dvc.c is using flags to avoid duplicating register for MIXer case. OTOH, commit e894efef9ac7 ("ASoC: core: add support to card rebind") allows to rebind sound card without rebinding all drivers. Because of above patch and dvc.c flags, it can't re-register kctrl if only sound card was rebinded, because dvc is keeping old flags. (Of course it will be no problem if rsnd driver also be rebinded, but it is not purpose of above patch). This patch checks current card registered kctrl when registering. In MIXer case, it can avoid duplicate register if card already has same kctrl. In rebind case, it can re-register kctrl because card registered kctl had been removed when unbinding. This patch is updated version of commit b918f1bc7f1ce ("ASoC: rsnd: DVC kctrl sets once") Reported-by: Nguyen Viet Dung Signed-off-by: Kuninori Morimoto Tested-by: Nguyen Viet Dung Cc: Hiroyuki Yokoyama Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d18e7c216a3b348f4b747a73c8e35ce2dc42436c Author: Joerg Roedel Date: Tue Nov 27 16:43:57 2018 +0100 iommu/amd: Fix line-break in error log reporting [ Upstream commit 1a21ee1aabf7ff9484f2eb122476d80c7f60a620 ] With the switch to dev_err for reporting errors from the iommu log there was an unwanted newline introduced. The reason was that the reporting was done in multiple dev_err() calls, and dev_err adds a newline after every call. Fix it by printing the log messages with only one dev_err() call. Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 52cc7ea79741bcd91d5eb093ac6b351a56307493 Author: Xin Long Date: Mon Nov 26 14:52:44 2018 +0800 sctp: increase sk_wmem_alloc when head->truesize is increased [ Upstream commit 0d32f17717e65e76cbdb248374dd162acdfe2fff ] I changed to count sk_wmem_alloc by skb truesize instead of 1 to fix the sk_wmem_alloc leak caused by later truesize's change in xfrm in Commit 02968ccf0125 ("sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit"). But I should have also increased sk_wmem_alloc when head->truesize is increased in sctp_packet_gso_append() as xfrm does. Otherwise, sctp gso packet will cause sk_wmem_alloc underflow. Fixes: 02968ccf0125 ("sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a2b7010f76ea67963a098095318a9552297478e6 Author: J. Bruce Fields Date: Mon Nov 26 11:36:52 2018 -0500 lockd: fix decoding of TEST results [ Upstream commit b8db159239b3f51e2b909859935cc25cb3ff3eed ] We fail to advance the read pointer when reading the stat.oh field that identifies the lock-holder in a TEST result. This turns out not to matter if the server is knfsd, which always returns a zero-length field. But other servers (Ganesha is an example) may not do this. The result is bad values in fcntl F_GETLK results. Fix this. Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 5f7d707b15885cb039477d91867e653b243f7c2f Author: Thierry Reding Date: Mon Nov 19 11:31:30 2018 +0100 gpu: host1x: Fix syncpoint ID field size on Tegra186 [ Upstream commit 2fc777ba8422e4a38cae61537ad6a26435a86fb8 ] The number of syncpoints on Tegra186 is 576 and therefore no longer fits into 8 bits. Increase the size of the syncpoint ID field to 10 in order to accomodate all syncpoints. Reviewed-by: Mikko Perttunen Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 0dcdd33f8e13380b11965491bdefc29eca3f69ec Author: Neil Armstrong Date: Wed Nov 21 12:19:22 2018 +0100 clk: meson: Fix GXL HDMI PLL fractional bits width [ Upstream commit 21310c39ec01e82ef3ef9bf8ac385b53ccdc158c ] The GXL Documentation specifies 12 bits for the Fractional bit field, bit the last bits have a different purpose that we cannot handle right now, so update the bitwidth to have correct fractional calculations. Signed-off-by: Neil Armstrong [narmstrong: added comment on GXL HHI_HDMI_PLL_CNTL register shift] Acked-by: Martin Blumenstingl Link: https://lkml.kernel.org/r/20181121111922.1277-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit a976029de2525fe3a06776f4bb3d62f2c2936d17 Author: Lucas Stach Date: Wed Nov 14 18:29:13 2018 +0100 i2c: imx: don't print error message on probe defer [ Upstream commit fece4978510e43f09c8cd386fee15210e8c68493 ] Probe deferral is a normal operating condition in the probe function, so don't spam the log with an error in this case. Signed-off-by: Lucas Stach Acked-by: Uwe Kleine-König Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 33b629d41c47c0d348b88c5d2dbb3a416e48f294 Author: Stefan Agner Date: Wed Nov 14 18:49:38 2018 +0100 serial: imx: fix error handling in console_setup [ Upstream commit 63fd4b94b948c14eeb27a3bbf50ea0f7f0593bad ] The ipg clock only needs to be unprepared in case preparing per clock fails. The ipg clock has already disabled at the point. Fixes: 1cf93e0d5488 ("serial: imx: remove the uart_console() check") Signed-off-by: Stefan Agner Reviewed-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f6ea3c03ec082abfe2b6519e93f10fe9ec37c5a2 Author: Colin Ian King Date: Sat Nov 24 12:34:10 2018 +0000 altera-stapl: check for a null key before strcasecmp'ing it [ Upstream commit 9ccb645683ef46e3c52c12c088a368baa58447d4 ] Currently the null check on key is occurring after the strcasecmp on the key, hence there is a potential null pointer dereference on key. Fix this by checking if key is null first. Also replace the == 0 check on strcasecmp with just the ! operator. Detected by CoverityScan, CID#1248787 ("Dereference before null check") Fixes: fa766c9be58b ("[media] Altera FPGA firmware download module") Signed-off-by: Colin Ian King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d7e82b903dbd5f0295dad4a807ae1faf4ed5461e Author: Srinivas Kandagatla Date: Mon Nov 12 12:25:25 2018 +0000 slimbus: ngd: Fix build error on x86 [ Upstream commit 458a445deb9c9fb13cec46fe9b179a84d2ff514f ] on non DT platforms like x86 of_match_node is set to NULL, dereferencing directly would throw an error. Fix this by doing this in two steps, get the match then the data. Reported-by: Greg KH Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0c40b942f6a99f2ade4d43ed5186bbba1c88d9f6 Author: Niklas Söderlund Date: Wed Aug 29 23:29:21 2018 +0200 dma-mapping: fix return type of dma_set_max_seg_size() [ Upstream commit c9d76d0655c06b8c1f944e46c4fd9e9cf4b331c0 ] The function dma_set_max_seg_size() can return either 0 on success or -EIO on error. Change its return type from unsigned int to int to capture this. Signed-off-by: Niklas Söderlund Reviewed-by: Geert Uytterhoeven Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 0e6ec8b39105ef5f63a9af25a60fc2f7d2a682a2 Author: Keith Busch Date: Mon Nov 26 16:39:47 2018 -0700 nvme: Free ctrl device name on init failure [ Upstream commit d6a2b9535d1e52bea269c138614c4801469d10e1 ] Free the kobject name that was allocated for the controller device on failure rather than its parent. Fixes: d22524a4782a9 ("nvme: switch controller refcounting to use struct device") Signed-off-by: Keith Busch Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit a4d121d90e28daf1619781ee1eb098705a474ec9 Author: David Miller Date: Mon Nov 26 14:52:18 2018 -0800 sparc: Correct ctx->saw_frame_pointer logic. [ Upstream commit e2ac579a7a18bcd9e8cf14cf42eac0b8a2ba6c4b ] We need to initialize the frame pointer register not just if it is seen as a source operand, but also if it is seen as the destination operand of a store or an atomic instruction (which effectively is a source operand). This is exercised by test_verifier's "non-invalid fp arithmetic" Signed-off-by: David S. Miller Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit d4926994be7f5669a57ff796cbd3213f4178a40a Author: David Miller Date: Mon Nov 26 13:03:46 2018 -0800 sparc: Fix JIT fused branch convergance. [ Upstream commit c44768a33da81b4a0986e79bbf0588f1a0651dec ] On T4 and later sparc64 cpus we can use the fused compare and branch instruction. However, it can only be used if the branch destination is in the range of a signed 10-bit immediate offset. This amounts to 1024 instructions forwards or backwards. After the commit referenced in the Fixes: tag, the largest possible size program seen by the JIT explodes by a significant factor. As a result of this convergance takes many more passes since the expanded "BPF_LDX | BPF_MSH | BPF_B" code sequence, for example, contains several embedded branch on condition instructions. On each pass, as suddenly new fused compare and branch instances become valid, this makes thousands more in range for the next pass. And so on and so forth. This is most greatly exemplified by "BPF_MAXINSNS: exec all MSH" which takes 35 passes to converge, and shrinks the image by about 64K. To decrease the cost of this number of convergance passes, do the convergance pass before we have the program image allocated, just like other JITs (such as x86) do. Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf") Signed-off-by: David S. Miller Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit c8aa27cf7e946da7d6c065dab3dbb7c5325f4b2c Author: Sahitya Tummala Date: Mon Nov 26 13:31:41 2018 +0530 f2fs: fix to allow node segment for GC by ioctl path [ Upstream commit 08ac9a3870f6babb2b1fff46118536ca8a71ef19 ] Allow node type segments also to be GC'd via f2fs ioctl F2FS_IOC_GARBAGE_COLLECT_RANGE. Signed-off-by: Sahitya Tummala Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 2a34b42f08006c630a73610672703fe3969968d8 Author: Otavio Salvador Date: Mon Nov 26 15:35:04 2018 -0200 ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108 [ Upstream commit efc2e0bd9594060915696a418564aefd0270b1d6 ] It is not correct to assign the 24MHz clock oscillator to the GPIO ports. Fix it by assigning the proper GPIO clocks instead. Signed-off-by: Otavio Salvador Tested-by: Fabio Berton Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 42953e7c6b64be38f0ec89e73233bd510b26a5ee Author: Otavio Salvador Date: Mon Nov 26 15:35:03 2018 -0200 ARM: dts: rockchip: Fix the PMU interrupt number for rv1108 [ Upstream commit c955b7aec510145129ca7aaea6ecbf6d748f5ebf ] According to the Rockchip vendor tree the PMU interrupt number is 76, so fix it accordingly. Signed-off-by: Otavio Salvador Tested-by: Fabio Berton Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 313f1fef6650b76d194b2e9071aa64b43194b0c4 Author: Yunlong Song Date: Tue Oct 30 20:37:55 2018 +0800 f2fs: change segment to section in f2fs_ioc_gc_range [ Upstream commit 67b0e42b768c9ddc3fd5ca1aee3db815cfaa635c ] f2fs_ioc_gc_range skips blocks_per_seg each time, however, f2fs_gc moves blocks of section each time, so fix it from segment to section. Signed-off-by: Yunlong Song Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 859c93a04b61de9aa9d75f8f09a7f9ab0b6af3a5 Author: Yunlong Song Date: Wed Oct 24 16:08:30 2018 +0800 f2fs: fix count of seg_freed to make sec_freed correct [ Upstream commit d6c66cd19ef322fe0d51ba09ce1b7f386acab04a ] When sbi->segs_per_sec > 1, and if some segno has 0 valid blocks before gc starts, do_garbage_collect will skip counting seg_freed++, and this will cause seg_freed < sbi->segs_per_sec and finally skip sec_freed++. Signed-off-by: Yunlong Song Signed-off-by: Chao Yu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit c1054aeba939e7b14b1dc5137474fc38242cba11 Author: Chao Yu Date: Wed Oct 24 17:24:10 2018 +0800 f2fs: fix to account preflush command for noflush_merge mode [ Upstream commit a8075dc484cf10ebdb07bee2b17322fb0a846309 ] Previously, we only account preflush command for flush_merge mode, so for noflush_merge mode, we can not know in-flight preflush command count, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 2ba4f54b60e149cf447bec8b7136e7f84b74eb26 Author: Alexey Dobriyan Date: Fri Nov 23 23:07:14 2018 +0300 ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() [ Upstream commit f8c6d1402b89f22a3647705d63cbd171aa19a77e ] acpi_find_child_device() accepts boolean not pointer as last argument. Signed-off-by: Alexey Dobriyan [ rjw: Subject ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 497411c5a43f5778fbd17b12f1c290f3e6bf009c Author: Brian Norris Date: Wed Nov 7 12:40:29 2018 -0800 usb: dwc3: don't log probe deferrals; but do log other error codes [ Upstream commit 408d3ba006af57380fa48858b39f72fde6405031 ] It's not very useful to repeat a bunch of probe deferral errors. And it's also not very useful to log "failed" without telling the error code. Signed-off-by: Brian Norris Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 184bc0d73bdc82ba5a45c6ca94365b9ae7a584f4 Author: Thinh Nguyen Date: Wed Nov 7 17:55:19 2018 -0800 usb: dwc3: debugfs: Properly print/set link state for HS [ Upstream commit 0d36dede457873404becd7c9cb9d0f2bcfd0dcd9 ] Highspeed device and below has different state names than superspeed and higher. Add proper checks and printouts of link states for highspeed and below. Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 5aba77393e6f1e5a09a7bdd6ed8442d18484a399 Author: Breno Leitao Date: Wed Oct 31 11:38:22 2018 -0300 selftests/powerpc: Skip test instead of failing [ Upstream commit eafcd8e3fbad4f426a40ed2b6a8c697c3a4ef36a ] Current core-pkey selftest fails if the test runs without privileges to write into the core pattern file (/proc/sys/kernel/core_pattern). This causes the test to fail and give the impression that the subsystem being tested is broken, when, in fact, the test is being executed without the proper privileges. This is the current error: test: core_pkey tags: git_version:v4.19-3-g9e3363be9bce-dirty Error writing to core_pattern file: Permission denied failure: core_pkey This patch simply skips this test if it runs without the proper privileges, avoiding this undesired failure. CC: Tyrel Datwyler CC: Thiago Jung Bauermann Signed-off-by: Breno Leitao Reviewed-by: Thiago Jung Bauermann Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 104d0d63a1268301c35caca9b701d4b9b1af13e8 Author: Breno Leitao Date: Wed Oct 31 11:38:20 2018 -0300 selftests/powerpc: Allocate base registers [ Upstream commit 5249497a7bb6334fcc128588d6a7e1e21786515a ] Some ptrace selftests are passing input operands using a constraint that can allocate any register for the operand, and using these registers on load/store operations. If the register allocated by the compiler happens to be zero (r0), it might cause an invalid memory address access, since load and store operations consider the content of 0x0 address if the base register is r0, instead of the content of the r0 register. For example: r1 := 0xdeadbeef r0 := 0xdeadbeef ld r2, 0(1) /* will load into r2 the content of r1 address */ ld r2, 0(0) /* will load into r2 the content of 0x0 */ In order to avoid this possible problem, the inline assembly constraint should be aware that these registers will be used as a base register, thus, r0 should not be allocated. Other than that, this patch removes inline assembly operands that are not used by the tests. Signed-off-by: Breno Leitao Reviewed-by: Segher Boessenkool Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit baf4915acc2a9c1e117693da08f9856da64d271d Author: Colin Ian King Date: Sat Nov 24 15:03:02 2018 +0000 net: qualcomm: rmnet: move null check on dev before dereferecing it [ Upstream commit 3c18aa1464f9232d6abac8d7b4540f61b0658d62 ] Currently dev is dereferenced by the call dev_net(dev) before dev is null checked. Fix this by null checking dev before the potential null pointer dereference. Detected by CoverityScan, CID#1462955 ("Dereference before null check") Fixes: 23790ef12082 ("net: qualcomm: rmnet: Allow to configure flags for existing devices") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c2160296f10fe42e74a936e6cf5e6ff99edecf9a Author: Christian Lamparter Date: Sat Nov 17 17:17:21 2018 +0100 dmaengine: dw-dmac: implement dma protection control setting [ Upstream commit 7b0c03ecc42fb223baf015877fee9d517c2c8af1 ] This patch adds a new device-tree property that allows to specify the dma protection control bits for the all of the DMA controller's channel uniformly. Setting the "correct" bits can have a huge impact on the PPC460EX and APM82181 that use this DMA engine in combination with a DesignWare' SATA-II core (sata_dwc_460ex driver). In the OpenWrt Forum, the user takimata reported that: |It seems your patch unleashed the full power of the SATA port. |Where I was previously hitting a really hard limit at around |82 MB/s for reading and 27 MB/s for writing, I am now getting this: | |root@OpenWrt:/mnt# time dd if=/dev/zero of=tempfile bs=1M count=1024 |1024+0 records in |1024+0 records out |real 0m 13.65s |user 0m 0.01s |sys 0m 11.89s | |root@OpenWrt:/mnt# time dd if=tempfile of=/dev/null bs=1M count=1024 |1024+0 records in |1024+0 records out |real 0m 8.41s |user 0m 0.01s |sys 0m 4.70s | |This means: 121 MB/s reading and 75 MB/s writing! | |The drive is a WD Green WD10EARX taken from an older MBL Single. |I repeated the test a few times with even larger files to rule out |any caching, I'm still seeing the same great performance. OpenWrt is |now completely on par with the original MBL firmware's performance. Another user And.short reported: |I can report that your fix worked! Boots up fine with two |drives even with more partitions, and no more reboot on |concurrent disk access! A closer look into the sata_dwc_460ex code revealed that the driver did initally set the correct protection control bits. However, this feature was lost when the sata_dwc_460ex driver was converted to the generic DMA driver framework. BugLink: https://forum.openwrt.org/t/wd-mybook-live-duo-two-disks/16195/55 BugLink: https://forum.openwrt.org/t/wd-mybook-live-duo-two-disks/16195/50 Fixes: 8b3444852a2b ("sata_dwc_460ex: move to generic DMA driver") Reviewed-by: Andy Shevchenko Signed-off-by: Christian Lamparter Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit cffba72c1a09d973d53b313490a0d065c5f5d8ed Author: Vinod Koul Date: Mon Nov 26 13:34:15 2018 +0530 dmaengine: coh901318: Remove unused variable commit 35faaf0df42d285b40f8a6310afbe096720f7758 upstream. Commit 627469e4445b ("dmaengine: coh901318: Fix a double-lock bug") left flags variable unused, so remove it to fix the warning. drivers/dma/coh901318.c: In function 'coh901318_config': drivers/dma/coh901318.c:1805:16: warning: unused variable 'flags' [-Wunused-variable] unsigned long flags; ^~~~~ Fixes: 627469e4445b ("dmaengine: coh901318: Fix a double-lock bug") Reported-By: Stephen Rothwell Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 213ca8b833cc032336f0061ac814c55623ae49d7 Author: Jia-Ju Bai Date: Tue Nov 6 11:33:48 2018 +0800 dmaengine: coh901318: Fix a double-lock bug [ Upstream commit 627469e4445b9b12e0229b3bdf8564d5ce384dd7 ] The function coh901318_alloc_chan_resources() calls spin_lock_irqsave() before calling coh901318_config(). But coh901318_config() calls spin_lock_irqsave() again in its definition, which may cause a double-lock bug. Because coh901318_config() is only called by coh901318_alloc_chan_resources(), the bug fix is to remove the calls to spin-lock and -unlock functions in coh901318_config(). Signed-off-by: Jia-Ju Bai Reviewed-by: Linus Walleij Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2a35fdf64649c618243fefc24aa154937dc57a7c Author: Hangbin Liu Date: Wed Nov 21 21:52:33 2018 +0800 net/ipv6: re-do dad when interface has IFF_NOARP flag change [ Upstream commit 896585d48e8e9ba44cd1754fbce8537feffcc1a5 ] When we add a new IPv6 address, we should also join corresponding solicited-node multicast address, unless the interface has IFF_NOARP flag, as function addrconf_join_solict() did. But if we remove IFF_NOARP flag later, we do not do dad and add the mcast address. So we will drop corresponding neighbour discovery message that came from other nodes. A typical example is after creating a ipvlan with mode l3, setting up an ipv6 address and changing the mode to l2. Then we will not be able to ping this address as the interface doesn't join related solicited-node mcast address. Fix it by re-doing dad when interface changed IFF_NOARP flag. Then we will add corresponding mcast group and check if there is a duplicate address on the network. Reported-by: Jianlin Shi Reviewed-by: Stefano Brivio Signed-off-by: Hangbin Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c0e9153e42ffb168fdfffb7031f36b3b175906a6 Author: Magnus Damm Date: Wed Nov 21 20:21:26 2018 +0900 ravb: Clean up duplex handling [ Upstream commit 08b43857804dd0eca48f5c5a84885cf0079586e0 ] Since only full-duplex operation is supported by the hardware, remove duplex handling code and keep the register setting of ECMR.DM fixed at 1. This updates the driver implementation to follow the data sheet text "This bit should always be set to 1." Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Signed-off-by: Magnus Damm Reviewed-by: Sergei Shtylyov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 052cedfaba15a2d047fcc9dde1e37d5be33e576a Author: Luca Coelho Date: Sat Aug 4 14:45:42 2018 +0300 iwlwifi: fix cfg structs for 22000 with different RF modules [ Upstream commit b1bbc1a636505ebdd6336ff781e417123226d4f7 ] We have to choose different configuration and different firmwares depending on the external RF module that is installed. Since the external module is not represented in the PCI IDs, we need to change the configuration at runtime, after checking the RF ID of the module installed. We have a bit of a mess in the code that does this, because it applies cfg's according to the RF ID only, ignoring the integrated module that is in use. Fix that for some devices by adding correct configurations for them and not ignoring the integrated module's type when making the decision. Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit bc82b92116d755d377187f49055e1ae5d5ebfc6e Author: Hans Verkuil Date: Tue Oct 16 03:44:20 2018 -0400 media: cec: report Vendor ID after initialization [ Upstream commit 7f02ac77c768ba2bcdd0ce719c1fca0870ffe2fb ] The CEC specification requires that the Vendor ID (if any) is reported after a logical address was claimed. This was never done, so add support for this. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 137ab853ad89f0eb58d437da1a6b1be9e9ce6d74 Author: Hans Verkuil Date: Wed Nov 14 08:25:53 2018 -0500 media: pulse8-cec: return 0 when invalidating the logical address [ Upstream commit 2e84eb9affac43eeaf834992888b72426a8cd442 ] Return 0 when invalidating the logical address. The cec core produces a warning for drivers that do this. Signed-off-by: Hans Verkuil Reported-by: Torbjorn Jansson Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d9e046de6e12f89641408df5c6892e271ab2fce6 Author: Philipp Zabel Date: Tue Nov 6 05:40:54 2018 -0500 media: coda: fix memory corruption in case more than 32 instances are opened [ Upstream commit 649cfc2bdfeeb98ff7d8fdff0af3f8fb9c8da50f ] The ffz() return value is undefined if the instance mask does not contain any zeros. If it returned 32, the following set_bit would corrupt the debugfs_root pointer. Switch to IDA for context index allocation. This also removes the artificial 32 instance limit for all except CodaDx6. Signed-off-by: Philipp Zabel Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fbb4503e55b8e8a338f2cf8495b440980639b0a3 Author: Marek Szyprowski Date: Tue Nov 20 16:54:28 2018 +0100 ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module [ Upstream commit 6035cbcceb069f87296b3cd0bc4736ad5618bf47 ] DWC2 hardware module integrated in Samsung SoCs requires some quirks to operate properly, so use Samsung SoC specific compatible to notify driver to apply respective fixes. Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 0281b46b529a4f648f5fc5aadebc7dab7c4c0c76 Author: Baruch Siach Date: Mon Nov 19 14:34:02 2018 +0200 rtc: dt-binding: abx80x: fix resistance scale [ Upstream commit 73852e56827f5cb5db9d6e8dd8191fc2f2e8f424 ] The abracon,tc-resistor property value is in kOhm. Signed-off-by: Baruch Siach Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit e1669a130f681c47b1ee0d7838c612fdc4ae0a33 Author: Christophe JAILLET Date: Wed Nov 14 18:19:51 2018 +0100 rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' [ Upstream commit 41ef3878203cd9218d92eaa07df4b85a2cb128fb ] In case of error, we return 0. This is spurious and not consistent with the other functions of the driver. Propagate the error code instead. Signed-off-by: Christophe JAILLET Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit a346307acbc477fd82c64859532482248dd8d601 Author: Nylon Chen Date: Thu Nov 8 19:28:05 2018 +0800 nds32: Fix the items of hwcap_str ordering issue. [ Upstream commit a5234068e6dc18ae5300d678fbf3e129d9b93f78 ] The hwcap_str should be set in a correct order according to HWCAP_xx. We also add the missing "fpu_dp" to it. Signed-off-by: Nylon Chen Acked-by: Greentime Hu Signed-off-by: Greentime Hu Signed-off-by: Sasha Levin commit 8f56c6c72013f07856f58cbfa69af946c7ed8c1a Author: Vincent Chen Date: Thu Nov 22 11:14:38 2018 +0800 math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning [ Upstream commit 83312f1b7ae205dca647bf52bbe2d51303cdedfb ] _FP_ROUND_ZERO is defined as 0 and used as a statemente in macro _FP_ROUND. This generates "error: statement with no effect [-Werror=unused-value]" from gcc. Defining _FP_ROUND_ZERO as (void)0 to fix it. This modification is quoted from glibc 'commit (8ed1e7d5894000c155acbd06f)' Signed-off-by: Vincent Chen Acked-by: Greentime Hu Signed-off-by: Greentime Hu Signed-off-by: Sasha Levin commit 78e6704dd6b2848ebc3406d2de1304b387acc779 Author: Ursula Braun Date: Tue Nov 20 16:46:43 2018 +0100 net/smc: use after free fix in smc_wr_tx_put_slot() [ Upstream commit e438bae43c1e08e688c09c410407b59fc1c173b4 ] In smc_wr_tx_put_slot() field pend->idx is used after being cleared. That means always idx 0 is cleared in the wr_tx_mask. This results in a broken administration of available WR send payload buffers. Signed-off-by: Ursula Braun Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7ff2e42795cb68667a484f640fdc0ba21042c7e1 Author: Aaro Koskinen Date: Thu Nov 22 00:37:29 2018 +0200 MIPS: OCTEON: octeon-platform: fix typing [ Upstream commit 2cf1c8933dd93088cfb5f8f58b3bb9bbdf1781b9 ] Use correct type for fdt_property nameoff field. Signed-off-by: Aaro Koskinen Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/21204/ Cc: Ralf Baechle Cc: James Hogan Cc: linux-mips@linux-mips.org Signed-off-by: Sasha Levin commit cd69bcc07ac1be675ba976917163318858668d1f Author: Steve Wise Date: Sat Nov 10 05:27:39 2018 -0800 iw_cxgb4: only reconnect with MPAv1 if the peer aborts [ Upstream commit 9828ca654b52848e7eb7dcc9b0994ff130dd4546 ] Only retry connection setup with MPAv1 if the peer actually aborted the connection upon receiving the MPAv2 start message. This avoids retrying with MPAv1 in the case where the connection was aborted due to retransmit timeouts. Fixes: d2fe99e86bb2 ("RDMA/cxgb4: Add support for MPAv2 Enhanced RDMA Negotiation") Signed-off-by: Steve Wise Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c3a62b651d74fc541989e5c7b20bd3a24c396a50 Author: Dave Chinner Date: Wed Nov 21 08:06:37 2018 -0800 iomap: readpages doesn't zero page tail beyond EOF [ Upstream commit 8c110d43c6bca4b24dd13272a9d4e0ba6f2ec957 ] When we read the EOF page of the file via readpages, we need to zero the region beyond EOF that we either do not read or should not contain data so that mmap does not expose stale data to user applications. However, iomap_adjust_read_range() fails to detect EOF correctly, and so fsx on 1k block size filesystems fails very quickly with mapreads exposing data beyond EOF. There are two problems here. Firstly, when calculating the end block of the EOF byte, we have to round the size by one to avoid a block aligned EOF from reporting a block too large. i.e. a size of 1024 bytes is 1 block, which in index terms is block 0. Therefore we have to calculate the end block from (isize - 1), not isize. The second bug is determining if the current page spans EOF, and so whether we need split it into two half, one for the IO, and the other for zeroing. Unfortunately, the code that checks whether we should split the block doesn't actually check if we span EOF, it just checks if the read spans the /offset in the page/ that EOF sits on. So it splits every read into two if EOF is not page aligned, regardless of whether we are reading the EOF block or not. Hence we need to restrict the "does the read span EOF" check to just the page that spans EOF, not every page we read. This patch results in correct EOF detection through readpages: xfs_vm_readpages: dev 259:0 ino 0x43 nr_pages 24 xfs_iomap_found: dev 259:0 ino 0x43 size 0x66c00 offset 0x4f000 count 98304 type hole startoff 0x13c startblock 1368 blockcount 0x4 iomap_readpage_actor: orig pos 323584 pos 323584, length 4096, poff 0 plen 4096, isize 420864 xfs_iomap_found: dev 259:0 ino 0x43 size 0x66c00 offset 0x50000 count 94208 type hole startoff 0x140 startblock 1497 blockcount 0x5c iomap_readpage_actor: orig pos 327680 pos 327680, length 94208, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 331776 pos 331776, length 90112, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 335872 pos 335872, length 86016, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 339968 pos 339968, length 81920, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 344064 pos 344064, length 77824, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 348160 pos 348160, length 73728, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 352256 pos 352256, length 69632, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 356352 pos 356352, length 65536, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 360448 pos 360448, length 61440, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 364544 pos 364544, length 57344, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 368640 pos 368640, length 53248, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 372736 pos 372736, length 49152, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 376832 pos 376832, length 45056, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 380928 pos 380928, length 40960, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 385024 pos 385024, length 36864, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 389120 pos 389120, length 32768, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 393216 pos 393216, length 28672, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 397312 pos 397312, length 24576, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 401408 pos 401408, length 20480, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 405504 pos 405504, length 16384, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 409600 pos 409600, length 12288, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 413696 pos 413696, length 8192, poff 0 plen 4096, isize 420864 iomap_readpage_actor: orig pos 417792 pos 417792, length 4096, poff 0 plen 3072, isize 420864 iomap_readpage_actor: orig pos 420864 pos 420864, length 1024, poff 3072 plen 1024, isize 420864 As you can see, it now does full page reads until the last one which is split correctly at the block aligned EOF, reading 3072 bytes and zeroing the last 1024 bytes. The original version of the patch got this right, but it got another case wrong. The EOF detection crossing really needs to the the original length as plen, while it starts at the end of the block, will be shortened as up-to-date blocks are found on the page. This means "orig_pos + plen" no longer points to the end of the page, and so will not correctly detect EOF crossing. Hence we have to use the length passed in to detect this partial page case: xfs_filemap_fault: dev 259:1 ino 0x43 write_fault 0 xfs_vm_readpage: dev 259:1 ino 0x43 nr_pages 1 xfs_iomap_found: dev 259:1 ino 0x43 size 0x2cc00 offset 0x2c000 count 4096 type hole startoff 0xb0 startblock 282 blockcount 0x4 iomap_readpage_actor: orig pos 180224 pos 181248, length 4096, poff 1024 plen 2048, isize 183296 xfs_iomap_found: dev 259:1 ino 0x43 size 0x2cc00 offset 0x2cc00 count 1024 type hole startoff 0xb3 startblock 285 blockcount 0x1 iomap_readpage_actor: orig pos 183296 pos 183296, length 1024, poff 3072 plen 1024, isize 183296 Heere we see a trace where the first block on the EOF page is up to date, hence poff = 1024 bytes. The offset into the page of EOF is 3072, so the range we want to read is 1024 - 3071, and the range we want to zero is 3072 - 4095. You can see this is split correctly now. This fixes the stale data beyond EOF problem that fsx quickly uncovers on 1k block size filesystems. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 807a59723109cf6e6bc4c081c8e9e505a9143bca Author: Dave Chinner Date: Mon Nov 19 13:31:11 2018 -0800 iomap: dio data corruption and spurious errors when pipes fill [ Upstream commit 4721a6010990971440b4ffefbdf014976b8eda2f ] When doing direct IO to a pipe for do_splice_direct(), then pipe is trivial to fill up and overflow as it can only hold 16 pages. At this point bio_iov_iter_get_pages() then returns -EFAULT, and we abort the IO submission process. Unfortunately, iomap_dio_rw() propagates the error back up the stack. The error is converted from the EFAULT to EAGAIN in generic_file_splice_read() to tell the splice layers that the pipe is full. do_splice_direct() completely fails to handle EAGAIN errors (it aborts on error) and returns EAGAIN to the caller. copy_file_write() then completely fails to handle EAGAIN as well, and so returns EAGAIN to userspace, having failed to copy the data it was asked to. Avoid this whole steaming pile of fail by having iomap_dio_rw() silently swallow EFAULT errors and so do short reads. To make matters worse, iomap_dio_actor() has a stale data exposure bug bio_iov_iter_get_pages() fails - it does not zero the tail block that it may have been left uncovered by partial IO. Fix the error handling case to drop to the sub-block zeroing rather than immmediately returning the -EFAULT error. Signed-off-by: Dave Chinner Reviewed-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit b61fdcdbdad97639dfb9c605ab89e2d33d5d6aa0 Author: Dave Chinner Date: Mon Nov 19 13:31:10 2018 -0800 iomap: sub-block dio needs to zeroout beyond EOF [ Upstream commit b450672fb66b4a991a5b55ee24209ac7ae7690ce ] If we are doing sub-block dio that extends EOF, we need to zero the unused tail of the block to initialise the data in it it. If we do not zero the tail of the block, then an immediate mmap read of the EOF block will expose stale data beyond EOF to userspace. Found with fsx running sub-block DIO sizes vs MAPREAD/MAPWRITE operations. Fix this by detecting if the end of the DIO write is beyond EOF and zeroing the tail if necessary. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit ac3ec5a40ec9b63208d661319536451f0f93f16c Author: Dave Chinner Date: Mon Nov 19 13:31:10 2018 -0800 iomap: FUA is wrong for DIO O_DSYNC writes into unwritten extents [ Upstream commit 0929d8580071c6a1cec1a7916a8f674c243ceee1 ] When we write into an unwritten extent via direct IO, we dirty metadata on IO completion to convert the unwritten extent to written. However, when we do the FUA optimisation checks, the inode may be clean and so we issue a FUA write into the unwritten extent. This means we then bypass the generic_write_sync() call after unwritten extent conversion has ben done and we don't force the modified metadata to stable storage. This violates O_DSYNC semantics. The window of exposure is a single IO, as the next DIO write will see the inode has dirty metadata and hence will not use the FUA optimisation. Calling generic_write_sync() after completion of the second IO will also sync the first write and it's metadata. Fix this by avoiding the FUA optimisation when writing to unwritten extents. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 388682b7bdde5d87fd4c316762677c0c103e728c Author: Bruce Allan Date: Wed Nov 7 10:19:35 2018 -0800 ice: Fix possible NULL pointer de-reference [ Upstream commit f25dad19ba70f7cc135da78ec013325042cd8c52 ] A recent update to smatch is causing it to report the error "we previously assumed 'm_entry->vsi_list_info' could be null". Fix that. Signed-off-by: Bruce Allan Signed-off-by: Anirudh Venkataramanan Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit e0cf32be082a6ef5688f6d2d66672898ef3cd993 Author: Dave Ertman Date: Fri Oct 26 11:44:43 2018 -0700 ice: Fix return value from NAPI poll [ Upstream commit e0c9fd9b77a7334032ec407d9e14d7c3cac1ac4f ] ice_napi_poll is hard-coded to return zero when it's done. It should instead return the work done (if any work was done). The only time it should return zero is if an interrupt or poll is handled and no work is performed. So change the return value to be the minimum of work done or budget-1. Signed-off-by: Dave Ertman Signed-off-by: Anirudh Venkataramanan Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit f04eee4042ab74a240fb39daf0e089cf3cee35c5 Author: Xue Chaojing Date: Tue Nov 20 05:47:34 2018 +0000 net-next/hinic: fix a bug in rx data flow [ Upstream commit b1a200484143a727ce293e0f200a543cc7584152 ] In rx_alloc_pkts(), there is a loop call of tasklet, which causes 100% cpu utilization, even no packets are being received. This patch fixes this bug. Signed-off-by: Xue Chaojing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 25c748238d0addec29f3af531ace0a721e16fed8 Author: Xue Chaojing Date: Tue Nov 20 05:47:33 2018 +0000 net-next/hinic:fix a bug in set mac address [ Upstream commit 9ea72dc9430306b77c73a8a21beb51437cde1d6d ] In add_mac_addr(), if the MAC address is a muliticast address, it will not be set, which causes the network card fail to receive the multicast packet. This patch fixes this bug. Signed-off-by: Xue Chaojing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 249279c677aff01d6c4eaa99c1fb0bb6f8edd3f9 Author: Dave Chinner Date: Mon Nov 19 13:31:09 2018 -0800 xfs: extent shifting doesn't fully invalidate page cache [ Upstream commit 7f9f71be84bcab368e58020a42f6d0dd97adf0ce ] The extent shifting code uses a flush and invalidate mechainsm prior to shifting extents around. This is similar to what xfs_free_file_space() does, but it doesn't take into account things like page cache vs block size differences, and it will fail if there is a page that it currently busy. xfs_flush_unmap_range() handles all of these cases, so just convert xfs_prepare_shift() to us that mechanism rather than having it's own special sauce. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 5e28bbc7c8643c3d4b259e50b6b365b3a60db43c Author: Ji-Ze Hong (Peter Hong) Date: Thu Nov 15 10:58:44 2018 +0800 USB: serial: f81534: fix reading old/new IC config [ Upstream commit ab60075f2a4eebca1abb04f712569963fb4d9d6c ] The F81532/534 had a internal configuration space to save & control IC state with address F81534_CUSTOM_ADDRESS_START (0x2f00). Layout as following: +00h: to indicate the section is valid +01h~04h: UART Mode & port availability +05h~08h: Output pin control on IC power on +09h~12h: Output pin control on working <-- New added Old driver will use +05~08h as default on working, but newer IC will configed with shutdown mode(7) in 05h~08h and working mode with RS232(1) in 09h~12h. It'll make mainstream driver not working. This patch will make mainstream driver compatible older and newer IC. If using a old IC, the +05h~08h will be 00h~06h, we'll direct apply it. If using a new IC, the +05h~08h will be 07h or larger, we'll read +09h~12h to apply newer configuration. Signed-off-by: Ji-Ze Hong (Peter Hong) Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit eaef0135705e19f0fb6a6c584757790671aed890 Author: Mark Brown Date: Fri Nov 16 19:19:30 2018 -0800 regulator: Fix return value of _set_load() stub [ Upstream commit f1abf67217de91f5cd3c757ae857632ca565099a ] The stub implementation of _set_load() returns a mode value which is within the bounds of valid return codes for success (the documentation just says that failures are negative error codes) but not sensible or what the actual implementation does. Fix it to just return 0. Reported-by: Cheng-Yi Chiang Signed-off-by: Mark Brown Reviewed-by: Douglas Anderson Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 94b4e528b152d24db7d92db0dfaa4f577d78be3f Author: Xin Long Date: Sun Nov 18 15:07:38 2018 +0800 sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit [ Upstream commit 02968ccf0125d39b08ecef5946300a8a873c0942 ] Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the skb allocked in sctp_packet_transmit and decreases by 1 when freeing this skb. But when this skb goes through networking stack, some subcomponents might change skb->truesize and add the same amount on sk_wmem_alloc. However sctp doesn't know the amount to decrease by, it would cause a leak on sk->sk_wmem_alloc and the sock can never be freed. Xiumei found this issue when it hit esp_output_head() by using sctp over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc. Since sctp has used sk_wmem_queued to count for writable space since Commit cd305c74b0f8 ("sctp: use sk_wmem_queued to check for writable space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize in sctp_packet_transmit. Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 959f19ffa49e65c91c7280ded7978c03d90ba6c6 Author: Katsuhiro Suzuki Date: Sun Nov 18 13:18:02 2018 +0900 clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 [ Upstream commit df7b1f2e0a4ae0fceff261e29cde63dafcf2360f ] This patch fixes mistakes in HCLK_I2S1_8CH for running I2S1 successfully. Signed-off-by: Katsuhiro Suzuki Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 66bee515e3c202397e876861d9e69ff0c1fda532 Author: Katsuhiro Suzuki Date: Sun Nov 18 13:16:12 2018 +0900 clk: rockchip: fix I2S1 clock gate register for rk3328 [ Upstream commit 5c73ac2f8b70834a603eb2d92eb0bb464634420b ] This patch fixes definition of I2S1 clock gate register for rk3328. Current setting is not related I2S clocks. - bit6 of CRU_CLKGATE_CON0 means clk_ddrmon_en - bit6 of CRU_CLKGATE_CON1 means clk_i2s1_en Signed-off-by: Katsuhiro Suzuki Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 7d0ef9419d6f2704b1381cbd85ee0b32eb6d751b Author: Janne Huttunen Date: Fri Nov 16 15:08:32 2018 -0800 mm/vmstat.c: fix NUMA statistics updates [ Upstream commit 13c9aaf7fa01cc7600c61981609feadeef3354ec ] Scan through the whole array to see if an update is needed. While we're at it, use sizeof() to be safe against any possible type changes in the future. The bug here is that we wouldn't sync per-cpu counters into global ones if there was an update of numa_stats for higher cpus. Highly theoretical one though because it is much more probable that zone_stats are updated so we would refresh anyway. So I wouldn't bother to mark this for stable, yet something nice to fix. [mhocko@suse.com: changelog enhancement] Link: http://lkml.kernel.org/r/1541601517-17282-1-git-send-email-janne.huttunen@nokia.com Fixes: 1d90ca897cb0 ("mm: update NUMA counter threshold size") Signed-off-by: Janne Huttunen Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 20148a17cd0203ab4e90730055579c04cb1436cb Author: James Hughes Date: Fri Nov 16 14:39:07 2018 +0000 firmware: raspberrypi: Fix firmware calls with large buffers [ Upstream commit 91c6ada69f396e663acb2b713e8acb8a9463557d ] Commit a1547e0bca51 ("firmware: raspberrypi: Remove VLA usage") moved away from VLA's to a fixed maximum size for mailbox data. However, some mailbox calls use larger data buffers than the maximum allowed in that change. This fix therefor moves from using fixed buffers to kmalloc to ensure all sizes are catered for. There is some documentation, which is somewhat out of date, on the mailbox calls here : https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface Fixes: a1547e0bca51 ("firmware: raspberrypi: Remove VLA usage") Signed-off-by: James Hughes Reviewed-by: Eric Anholt Signed-off-by: Stefan Wahren Signed-off-by: Sasha Levin commit b0db2672b398f16aa982807615e20639d23e3a34 Author: Shreeya Patel Date: Sat Nov 17 04:19:07 2018 +0530 Staging: iio: adt7316: Fix i2c data reading, set the data field [ Upstream commit 688cd642ba0c393344c802647848da5f0d925d0e ] adt7316_i2c_read function nowhere sets the data field. It is necessary to have an appropriate value for it. Hence, assign the value stored in 'ret' variable to data field. This is an ancient bug, and as no one seems to have noticed, probably no sense in applying it to stable. Signed-off-by: Shreeya Patel Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 095fe9307550b70ea35432f540be1a71cd9aba23 Author: Brian Masney Date: Sat Nov 10 20:34:11 2018 -0500 pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues [ Upstream commit 7ed07855773814337b9814f1c3e866df52ebce68 ] When attempting to setup up a gpio hog, device probing will repeatedly fail with -EPROBE_DEFERED errors. It is caused by a circular dependency between the gpio and pinctrl frameworks. If the gpio-ranges property is present in device tree, then the gpio framework will handle the gpio pin registration and eliminate the circular dependency. See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix gpio-hog related boot issues") for a detailed commit message that explains the issue in much more detail. The code comment in this commit came from Christian's commit. I did not test this change against any hardware supported by this particular driver, however I was able to validate this same fix works for pinctrl-spmi-gpio.c using a LG Nexus 5 (hammerhead) phone. Signed-off-by: Brian Masney Reviewed-by: Bjorn Andersson Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 702155b1f84ebee8d0a38e335b72d860a2b79d85 Author: Michal Simek Date: Thu Nov 8 10:06:53 2018 +0100 arm64: dts: zynqmp: Fix node names which contain "_" [ Upstream commit d1d4445abffb2b17e841d37b555b6f1364b571c1 ] s/_/-/ for node names. It fixes warnings like this: ... Warning (node_name_chars_strict): /cpu_opp_table: Character '_' not recommended in node name ... Issues reported by make dtbs W=12 Signed-off-by: Michal Simek Signed-off-by: Sasha Levin commit b0465a7187368f8e12221cb82f3f4c5e799569f1 Author: Raveendra Padasalagi Date: Tue Nov 6 13:58:58 2018 +0530 crypto: bcm - fix normal/non key hash algorithm failure [ Upstream commit 4f0129d13e69bad0363fd75553fb22897b32c379 ] Remove setkey() callback handler for normal/non key hash algorithms and keep it for AES-CBC/CMAC which needs key. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Raveendra Padasalagi Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a2b797bbec6f7dffcee554f5a7398f510d36e16d Author: Vitaly Chikunov Date: Mon Nov 5 11:36:18 2018 +0300 crypto: ecc - check for invalid values in the key verification test [ Upstream commit 2eb4942b6609d35a4e835644a33203b0aef7443d ] Currently used scalar multiplication algorithm (Matthieu Rivain, 2011) have invalid values for scalar == 1, n-1, and for regularized version n-2, which was previously not checked. Verify that they are not used as private keys. Signed-off-by: Vitaly Chikunov Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f38b78cf6f7dc39722f55003c10abf9f8695a97b Author: Lucas Stach Date: Mon Nov 5 18:31:56 2018 +0100 ARM: dts: imx6: RDU2: fix eGalax touchscreen node [ Upstream commit 749a5068f2e2453a38777b1d5fc322d503cabf1d ] Use the correct compatible for the new protocol used by the firmware on the touch controller, the GPIO wakeup isn't used in that case. Also eGalax touch needs axis swapping, just as with the RMI4 touch. Signed-off-by: Lucas Stach Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 65930054756acfbacddf6f80bd55a6f23a8937f6 Author: Tony Lindgren Date: Thu Nov 15 14:46:52 2018 -0800 bus: ti-sysc: Fix getting optional clocks in clock_roles [ Upstream commit 7b4f8ac2f1acdff3c0cce23d8c3b86434a6e768a ] We can have holes in clock_roles with interface clock missing for example. Currently getting an optional clock will fail if there are only a functional clock and an optional clock. Fixes: 09dfe5810762 ("bus: ti-sysc: Add handling for clkctrl opt clocks") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit ed973f15f445352cd92efadfa47135c237561b5e Author: Maxime Jourdan Date: Mon Nov 12 17:46:54 2018 +0100 drivers: soc: Allow building the amlogic drivers without ARCH_MESON [ Upstream commit 41bb5769b7f4b7a85e4b92c37429228279b4f569 ] The current condition makes it difficult to compile the amlogic/ drivers with COMPILE_TEST, or without ARCH_MESON in general. Fixes kbuild errors with patch series that depend on drivers in that directory, for instance the meson video decoder. Signed-off-by: Maxime Jourdan Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 45c2f3f7e1a1e47502b70694d4957f19ec30a9a3 Author: Steffen Maier Date: Thu Nov 8 15:44:57 2018 +0100 scsi: zfcp: drop default switch case which might paper over missing case [ Upstream commit 0c902936e55cff9335b27ed632fc45e7115ced75 ] This was introduced with v4.18 commit 8c3d20aada70 ("scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED") but would now suppress helpful -Wswitch compiler warnings when building with W=1 such as the following forced example: drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_handle_failed': drivers/s390/scsi/zfcp_erp.c:126:2: warning: enumeration value 'ZFCP_ERP_ACTION_REOPEN_PORT_FORCED' not handled in switch [-Wswitch] switch (want) { ^~~~~~ But then again, only with W=1 we would notice unhandled enum cases. Without the default cases and a missed unhandled enum case, the code might perform unforeseen things we might not want... As of today, we never run through the removed default case, so removing it is no functional change. In the future, we never should run through a default case but introduce the necessary specific case(s) to handle new functionality. Signed-off-by: Steffen Maier Reviewed-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 96f4a86c4bf76f990c39e318322c934b4396298a Author: Steffen Maier Date: Thu Nov 8 15:44:47 2018 +0100 scsi: zfcp: update kernel message for invalid FCP_CMND length, it's not the CDB [ Upstream commit 724e144387f4d7e7668d3da913d0efc44a9b4664 ] The CDB is just a part inside of FCP_CMND, see zfcp_fc_scsi_to_fcp(). While at it, fix the device driver reaction: adapter not LUN shutdown. Signed-off-by: Steffen Maier Reviewed-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 381b6e9257dc10199142763aaf26488262b726a4 Author: Andrew Lunn Date: Mon Nov 12 18:51:01 2018 +0100 net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2 [ Upstream commit ddc49acb659a2d8bfc5fdb0de0ef197712c11d75 ] We already have a workaround for a couple of switches whose internal PHYs only have the Marvel OUI, but no model number. We detect such PHYs and give them the 6390 ID as the model number. However the mv88e6161 has two SERDES interfaces in the same address range as its internal PHYs. These suffer from the same problem, the Marvell OUI, but no model number. As a result, these SERDES interfaces were getting the same PHY ID as the mv88e6390, even though they are not PHYs, and the Marvell PHY driver was trying to drive them. Add a special case to stop this from happen. Reported-by: Chris Healy Signed-off-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1181b6965fe36a96b2c8e6aa922ba3039e516ca5 Author: Maciej W. Rozycki Date: Tue Nov 13 22:42:37 2018 +0000 MIPS: SiByte: Enable ZONE_DMA32 for LittleSur [ Upstream commit 756d6d836dbfb04a5a486bc2ec89397aa4533737 ] The LittleSur board is marked for high memory support and therefore clearly must provide a way to have enough memory installed for some to be present outside the low 4GiB physical address range. With the memory map of the BCM1250 SOC it has been built around it means over 1GiB of actual DRAM, as only the first 1GiB is mapped in the low 4GiB physical address range[1]. Complement commit cce335ae47e2 ("[MIPS] 64-bit Sibyte kernels need DMA32.") then and also enable ZONE_DMA32 for LittleSur. References: [1] "BCM1250/BCM1125/BCM1125H User Manual", Revision 1250_1125-UM100-R, Broadcom Corporation, 21 Oct 2002, Section 3: "System Overview", "Memory Map", pp. 34-38 Signed-off-by: Maciej W. Rozycki Signed-off-by: Paul Burton Reviewed-by: Christoph Hellwig Patchwork: https://patchwork.linux-mips.org/patch/21107/ Fixes: cce335ae47e2 ("[MIPS] 64-bit Sibyte kernels need DMA32.") Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit 1bcac298b943ebe41143f2b8ccb6ffd1d77155b9 Author: David Teigland Date: Thu Nov 15 11:17:40 2018 -0600 dlm: fix missing idr_destroy for recover_idr [ Upstream commit 8fc6ed9a3508a0435b9270c313600799d210d319 ] Which would leak memory for the idr internals. Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 8b01af683df2b381dfbd232455711cfbf2386b50 Author: John Keeping Date: Tue Nov 13 15:24:13 2018 +0000 ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name [ Upstream commit 03d9f8fa2bfdc791865624d3adc29070cf67814e ] There is no functional change from this, but it is confusing to find two copies of vcc_sys and no vcc_flash when looking in /sys/class/regulator/*/name. Signed-off-by: John Keeping Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit e9ad6c940e1b1358615b9b2acd49ed9d7c6622af Author: Heiko Stuebner Date: Thu Nov 15 12:17:30 2018 +0100 clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering [ Upstream commit ac8cb53829a6ba119082e067f5bc8fab3611ce6a ] Similar to commit a9f0c0e56371 ("clk: rockchip: fix rk3188 sclk_smc gate data") there is one other gate clock in the rk3188 clock driver with a similar wrong ordering, the sclk_mac_lbtest. So fix it as well. Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit d499bc748dbb805dcbb75d8436e0f5ec944475d3 Author: Finley Xiao Date: Wed Nov 14 15:45:49 2018 +0000 clk: rockchip: fix rk3188 sclk_smc gate data [ Upstream commit a9f0c0e563717b9f63b3bb1c4a7c2df436a206d9 ] Fix sclk_smc gate data. Change variable order, flags come before the register address. Signed-off-by: Finley Xiao Signed-off-by: Johan Jonker Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit d5be9df0679440bdca7412e2c303aca1f561696a Author: Alice Michael Date: Fri Oct 26 14:33:31 2018 -0700 virtchnl: Fix off by one error [ Upstream commit 843faff87af261bf55eda719a06087af0486a168 ] When calculating the valid length for a VIRTCHNL_OP_ENABLE_CHANNELS message, we accidentally allowed messages with one extra virtchnl_channel_info structure on the end. This happened due to an off by one error, because we forgot that valid_len already accounted for one virtchnl_channel_info structure, so we need to subtract one from the num_tc value. Signed-off-by: Alice Michael Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit ea962fa132b6633479835b83aeb7944c958ccb8d Author: Mitch Williams Date: Fri Oct 26 14:33:28 2018 -0700 i40e: don't restart nway if autoneg not supported [ Upstream commit 7c3758f7839377ab67529cc50264a640636c47af ] On link types that do not support autoneg, we cannot attempt to restart nway negotiation. This results in a dead link that requires a power cycle to remedy. Fix this by saving off the autoneg state and checking this value before we try to restart nway. Signed-off-by: Mitch Williams Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 2538bbb0daf6cd31bdd9675b10eb0974330ba6ba Author: Christophe JAILLET Date: Wed Nov 14 00:36:45 2018 +0100 rtc: max77686: Fix the returned value in case of error in 'max77686_rtc_read_time()' [ Upstream commit b28cc6cec3d814f5184cbebb2d1f987e769f534a ] In case of error, we return 0. This is spurious and not consistent with the other functions of the driver. Commit e115a2bf1426 has modified more than what is said in the commit message. Reverse part of it znd return an error when needed, as it was previously. Fixes: e115a2bf1426 ("rtc: max77686: stop validating rtc_time in .read_time") Signed-off-by: Christophe JAILLET Reviewed-by: Chanwoo Choi Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit eb5b255e3c29a2b32ee354d0b3a4ae0d5bc5291e Author: Marek Szyprowski Date: Tue Nov 13 12:32:50 2018 +0100 rtc: s3c-rtc: Avoid using broken ALMYEAR register [ Upstream commit 50c8aec4212a966817e868056efc9bfbb73337c0 ] (RTC,ALM)YEAR registers of Exynos built-in RTC device contains 3 BCD characters. s3c-rtc driver uses only 2 lower of them and supports years from 2000..2099 range. The third BCD value is typically set to 0, but it looks that handling of it is broken in the hardware. It sometimes defaults to a random (even non-BCD) value. This is not an issue for handling RTCYEAR register, because bcd2bin() properly handles only 8bit values (2 BCD characters, the third one is skipped). The problem is however with ALMYEAR register and proper RTC alarm operation. When YEAREN bit is set for the configured alarm, RTC hardware triggers alarm only when ALMYEAR and RTCYEAR matches. This usually doesn't happen because of the random noise on the third BCD character. Fix this by simply skipping setting ALMYEAR register in alarm configuration. This workaround fixes broken alarm operation on Exynos built-in rtc device. My tests revealed that the issue happens on the following Exynos series: 3250, 4210, 4412, 5250 and 5410. Signed-off-by: Marek Szyprowski Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 22a6ec0ab11768b78742fcc2d2f05f3af2836fb3 Author: Ivan Khoronzhuk Date: Mon Nov 12 16:00:20 2018 +0200 net: ethernet: ti: cpts: correct debug for expired txq skb [ Upstream commit d0e14c4d9bcef0d4aa1057d2959adaa6f18d4a17 ] The msgtype and seqid that is smth that belongs to event for comparison but not for staled txq skb. Signed-off-by: Ivan Khoronzhuk Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 644fde1c387f63047fba9c95a72bc9a0f080cbde Author: Marek Szyprowski Date: Tue Nov 13 16:38:47 2018 +0100 extcon: max8997: Fix lack of path setting in USB device mode [ Upstream commit a2dc50914744eea9f83a70a5db0486be625e5dc0 ] MAX8997 driver disables automatic path selection from MicroUSB connector and manually sets path to either UART or USB lines. However the code for setting USB path worked only for USB host mode (when ID pin is set to ground). When standard USB cable (USB device mode) is connected, path registers are not touched. This means that once the non-USB accessory is connected to MAX8997-operated micro USB port, the path is no longer set to USB and USB device mode doesn't work. This patch fixes it by setting USB path both for USB and USB host modes. Signed-off-by: Marek Szyprowski Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 2c0ba7706a2cd4fa625316f5220e04189c383367 Author: Anand Moon Date: Thu Sep 27 14:07:34 2018 +0000 ARM: dts: exynos: Fix LDO13 min values on Odroid XU3/XU4/HC1 [ Upstream commit 8fe325fa9d065aa54db4914fdaccab2169fd67a8 ] From Odroid XU3/XU4/HC1 schematics the LDO13 regulator for SD2, can be set on 1.8V or 2.8V so the minimal value should be fixed to 1.8V. This is necessary to support UHS-I tuning (otherwise card won't be detected during boot). Signed-off-by: Anand Moon Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit ed22415081ed7d76846d50d8bfa5b30eeb3ad830 Author: Denis V. Lunev Date: Tue Nov 13 20:39:50 2018 +0300 dlm: fix possible call to kfree() for non-initialized pointer [ Upstream commit 58a923adf4d9aca8bf7205985c9c8fc531c65d72 ] Technically dlm_config_nodes() could return error and keep nodes uninitialized. After that on the fail path of we'll call kfree() for that uninitialized value. The patch is simple - we should just initialize nodes with NULL. Signed-off-by: Denis V. Lunev Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit fd12b061f2b9270854f3dfc18dec1b087a61764e Author: Lev Faerman Date: Fri Oct 26 10:41:05 2018 -0700 ice: Fix NVM mask defines [ Upstream commit 6263e811f4d4418660c20b36a08063c6d2c3fb9d ] Fixes bad masks that would break compilation when evaluated. Signed-off-by: Lev Faerman Signed-off-by: Anirudh Venkataramanan Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit ac3750e9bfe1cc656ce6b868d4cf90ea2c6c038d Author: Jagan Teki Date: Tue Nov 13 16:46:08 2018 +0530 clk: sunxi-ng: a64: Fix gate bit of DSI DPHY [ Upstream commit ee678706e46d0d185c27cc214ad97828e0643159 ] DSI DPHY gate bit on MIPI DSI clock register is bit 15 not bit 30. Signed-off-by: Jagan Teki Acked-by: Stephen Boyd Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit a26a44691eee2667fd9ec92ce1f9867c4953c87c Author: Moni Shoua Date: Thu Nov 8 21:10:08 2018 +0200 net/mlx5: Release resource on error flow [ Upstream commit 698114968a22f6c0c9f42e983ba033cc36bb7217 ] Fix reference counting leakage when the event handler aborts due to an unsupported event for the resource type. Fixes: a14c2d4beee5 ("net/mlx5_core: Warn on unsupported events of QP/RQ/SQ") Signed-off-by: Moni Shoua Reviewed-by: Majd Dibbiny Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 705d1e733142b188b6b98f707c8e78b3badf13db Author: Eugeniy Paltsev Date: Thu Oct 4 16:12:12 2018 +0300 ARC: IOC: panic if kernel was started with previously enabled IOC [ Upstream commit 3624379d90ad2b65f9dbb30d7f7ce5498d2fe322 ] If IOC was already enabled (due to bootloader) it technically needs to be reconfigured with aperture base,size corresponding to Linux memory map which will certainly be different than uboot's. But disabling and reenabling IOC when DMA might be potentially active is tricky business. To avoid random memory issues later, just panic here and ask user to upgrade bootloader to one which doesn't enable IOC This was actually seen as issue on some of the HSDK board with a version of uboot which enabled IOC. There were random issues later with starting of X or peripherals etc. Also while I'm at it, replace hardcoded bits in ARC_REG_IO_COH_PARTIAL and ARC_REG_IO_COH_ENABLE registers by definitions. Inspired by: https://lkml.org/lkml/2018/1/19/557 Signed-off-by: Eugeniy Paltsev Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit 2d484087a00c267c25ad33b2e09ac6cfe48457e8 Author: Florian Westphal Date: Sun Nov 4 12:07:14 2018 +0100 netfilter: nf_tables: don't use position attribute on rule replacement [ Upstream commit 447750f281abef547be44fdcfe3bc4447b3115a8 ] Its possible to set both HANDLE and POSITION when replacing a rule. In this case, the rule at POSITION gets replaced using the userspace-provided handle. Rule handles are supposed to be generated by the kernel only. Duplicate handles should be harmless, however better disable this "feature" by only checking for the POSITION attribute on insert operations. Fixes: 5e94846686d0 ("netfilter: nf_tables: add insert operation") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 6ce317fdc212aa0cae3c0b375d6273161caad2e5 Author: Jan Kara Date: Mon Nov 12 09:54:48 2018 -0500 audit: Embed key into chunk [ Upstream commit 8d20d6e9301d7b3777d66d47dd5b89acd645cd39 ] Currently chunk hash key (which is in fact pointer to the inode) is derived as chunk->mark.conn->obj. It is tricky to make this dereference reliable for hash table lookups only under RCU as mark can get detached from the connector and connector gets freed independently of the running lookup. Thus there is a possible use after free / NULL ptr dereference issue: CPU1 CPU2 untag_chunk() ... audit_tree_lookup() list_for_each_entry_rcu(p, list, hash) { list_del_rcu(&chunk->hash); fsnotify_destroy_mark(entry); fsnotify_put_mark(entry) chunk_to_key(p) if (!chunk->mark.connector) ... hlist_del_init_rcu(&mark->obj_list); if (hlist_empty(&conn->list)) { inode = fsnotify_detach_connector_from_object(conn); mark->connector = NULL; ... frees connector from workqueue chunk->mark.connector->obj This race is probably impossible to hit in practice as the race window on CPU1 is very narrow and CPU2 has a lot of code to execute. Still it's better to have this fixed. Since the inode the chunk is attached to is constant during chunk's lifetime it is easy to cache the key in the chunk itself and thus avoid these issues. Reviewed-by: Richard Guy Briggs Signed-off-by: Jan Kara Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit b8252ec6ddd1067e6fce5abc84f7f15f5830b619 Author: Vincent Whitchurch Date: Fri Nov 9 10:12:30 2018 +0100 ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+ [ Upstream commit 344eb5539abf3e0b6ce22568c03e86450073e097 ] getuser() and putuser() (and there underscored variants) use two strb[t]/ldrb[t] instructions when they are asked to get/put 16-bits. This means that the read/write is not atomic even when performed to a 16-bit-aligned address. This leads to problems with vhost: vhost uses __getuser() to read the vring's 16-bit avail.index field, and if it happens to observe a partial update of the index, wrong descriptors will be used which will lead to a breakdown of the virtio communication. A similar problem exists for __putuser() which is used to write to the vring's used.index field. The reason these functions use strb[t]/ldrb[t] is because strht/ldrht instructions did not exist until ARMv6T2/ARMv7. So we should be easily able to fix this on ARMv7. Also, since all ARMv6 processors also don't actually use the unprivileged instructions anymore for uaccess (since CONFIG_CPU_USE_DOMAINS is not used) we can easily fix them too. Signed-off-by: Vincent Whitchurch Signed-off-by: Russell King Signed-off-by: Sasha Levin commit d0426a344cf62993d1427035223f616fc1a6be0f Author: Andrei Otcheretianski Date: Tue Jul 24 21:57:50 2018 +0300 iwlwifi: mvm: Send non offchannel traffic via AP sta [ Upstream commit dc1aca22f8f38b7e2ad7b118db87404d11e68771 ] TDLS discovery response frame is a unicast direct frame to the peer. Since we don't have a STA for this peer, this frame goes through iwl_tx_skb_non_sta(). As the result aux_sta and some completely arbitrary queue would be selected for this frame, resulting in a queue hang. Fix that by sending such frames through AP sta instead. Signed-off-by: Andrei Otcheretianski Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 698d71cba6873d6bc4627e6af291aeec51edc6de Author: Shahar S Matityahu Date: Wed Jul 4 15:31:36 2018 +0300 iwlwifi: trans: Clear persistence bit when starting the FW [ Upstream commit 8954e1eb2270fa2effffd031b4839253952c76f2 ] In D3 suspend flow in 9260 gen2 HW, the NIC receives two PERST signals. The first PERST is expected and indicates the device on coming resume flow. The second PERST causes FW restart FW restart. In order to avoid this issue, the FW set the persistence bit on. Once this bit is set, the FW ignores reset attempts. The problem is when the FW gets assert during D3 and then the persistence bit is set and causes the FW to ignore reset. To handle this issue, the FW opens the preg bit which allows access to the persistence bit, so that the driver clear the persistence bit and reset the NIC. The flow is as follows: the driver checks if the persistence bit is set. If the bit is set, the driver checks if he can clear the bit. If the driver can not clear the bit then there is no point to continue configuring the NIC since it will fail. The fix was added is in start HW flow instead of the resume flow since in general, if the persistence bit is set, the driver can not start the FW. So it is good to check it when we start configuring the NIC. The driver does not need to close the preg bit since the FW close it during the start flow. Signed-off-by: Shahar S Matityahu Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 26632a077366e3b929076dc1105f15e000379691 Author: Johannes Berg Date: Wed Jul 4 23:12:33 2018 +0200 iwlwifi: mvm: synchronize TID queue removal [ Upstream commit 06bc6f6ed4ae0246a5e52094d1be90906a1361c7 ] When we mark a TID as no longer having a queue, there's no guarantee the TX path isn't using this txq_id right now, having accessed it just before we reset the value. To fix this, add synchronize_net() when we change the TIDs from having a queue to not having one, so that we can then be sure that the TX path is no longer accessing that queue. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit cdec9eec4e356fef3805c854ceb90e72887d63e1 Author: Arjun Vynipadath Date: Fri Nov 9 14:52:01 2018 +0530 cxgb4vf: fix memleak in mac_hlist initialization [ Upstream commit 24357e06ba511ad874d664d39475dbb01c1ca450 ] mac_hlist was initialized during adapter_up, which will be called every time a vf device is first brought up, or every time when device is brought up again after bringing all devices down. This means our state of previous list is lost, causing a memleak if entries are present in the list. To fix that, move list init to the condition that performs initial one time adapter setup. Signed-off-by: Arjun Vynipadath Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2c299a22f47c3891b3ab3e1266be50e89ac7150d Author: Douglas Anderson Date: Tue Oct 30 15:11:04 2018 -0700 serial: core: Allow processing sysrq at port unlock time [ Upstream commit d6e1935819db0c91ce4a5af82466f3ab50d17346 ] Right now serial drivers process sysrq keys deep in their character receiving code. This means that they've already grabbed their port->lock spinlock. This can end up getting in the way if we've go to do serial stuff (especially kgdb) in response to the sysrq. Serial drivers have various hacks in them to handle this. Looking at '8250_port.c' you can see that the console_write() skips locking if we're in the sysrq handler. Looking at 'msm_serial.c' you can see that the port lock is dropped around uart_handle_sysrq_char(). It turns out that these hacks aren't exactly perfect. If you have lockdep turned on and use something like the 8250_port hack you'll get a splat that looks like: WARNING: possible circular locking dependency detected [...] is trying to acquire lock: ... (console_owner){-.-.}, at: console_unlock+0x2e0/0x5e4 but task is already holding lock: ... (&port_lock_key){-.-.}, at: serial8250_handle_irq+0x30/0xe4 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&port_lock_key){-.-.}: _raw_spin_lock_irqsave+0x58/0x70 serial8250_console_write+0xa8/0x250 univ8250_console_write+0x40/0x4c console_unlock+0x528/0x5e4 register_console+0x2c4/0x3b0 uart_add_one_port+0x350/0x478 serial8250_register_8250_port+0x350/0x3a8 dw8250_probe+0x67c/0x754 platform_drv_probe+0x58/0xa4 really_probe+0x150/0x294 driver_probe_device+0xac/0xe8 __driver_attach+0x98/0xd0 bus_for_each_dev+0x84/0xc8 driver_attach+0x2c/0x34 bus_add_driver+0xf0/0x1ec driver_register+0xb4/0x100 __platform_driver_register+0x60/0x6c dw8250_platform_driver_init+0x20/0x28 ... -> #0 (console_owner){-.-.}: lock_acquire+0x1e8/0x214 console_unlock+0x35c/0x5e4 vprintk_emit+0x230/0x274 vprintk_default+0x7c/0x84 vprintk_func+0x190/0x1bc printk+0x80/0xa0 __handle_sysrq+0x104/0x21c handle_sysrq+0x30/0x3c serial8250_read_char+0x15c/0x18c serial8250_rx_chars+0x34/0x74 serial8250_handle_irq+0x9c/0xe4 dw8250_handle_irq+0x98/0xcc serial8250_interrupt+0x50/0xe8 ... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&port_lock_key); lock(console_owner); lock(&port_lock_key); lock(console_owner); *** DEADLOCK *** The hack used in 'msm_serial.c' doesn't cause the above splats but it seems a bit ugly to unlock / lock our spinlock deep in our irq handler. It seems like we could defer processing the sysrq until the end of the interrupt handler right after we've unlocked the port. With this scheme if a whole batch of sysrq characters comes in one irq then we won't handle them all, but that seems like it should be a fine compromise. Signed-off-by: Douglas Anderson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c3563c3ed77d0d8667640b3645c7753b1854d8fc Author: Wen Yang Date: Fri Nov 8 16:36:48 2019 +0800 i2c: core: fix use after free in of_i2c_notify [ Upstream commit a4c2fec16f5e6a5fee4865e6e0e91e2bc2d10f37 ] We can't use "adap->dev" after it has been freed. Fixes: 5bf4fa7daea6 ("i2c: break out OF support into separate file") Signed-off-by: Wen Yang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit d228e1e35419df3ca9ca58f81e80f6055ea5fe5b Author: Chuhong Yuan Date: Thu Nov 14 23:43:24 2019 +0800 net: ep93xx_eth: fix mismatch of request_mem_region in remove [ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ] The driver calls release_resource in remove to match request_mem_region in probe, which is incorrect. Fix it by using the right one, release_mem_region. Signed-off-by: Chuhong Yuan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6eb6e800188e7363d959bd68e55c750c59707730 Author: Chuhong Yuan Date: Wed Nov 13 14:38:47 2019 +0800 rsxx: add missed destroy_workqueue calls in remove [ Upstream commit dcb77e4b274b8f13ac6482dfb09160cd2fae9a40 ] The driver misses calling destroy_workqueue in remove like what is done when probe fails. Add the missed calls to fix it. Signed-off-by: Chuhong Yuan Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a806e2a35dc10f77765ed5b0efaa460ab899779c Author: Vitaly Kuznetsov Date: Wed Nov 13 13:51:15 2019 +0100 selftests: kvm: fix build with glibc >= 2.30 [ Upstream commit e37f9f139f62deddff90c7298ae3a85026a71067 ] Glibc-2.30 gained gettid() wrapper, selftests fail to compile: lib/assert.c:58:14: error: static declaration of ‘gettid’ follows non-static declaration 58 | static pid_t gettid(void) | ^~~~~~ In file included from /usr/include/unistd.h:1170, from include/test_util.h:18, from lib/assert.c:10: /usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here 34 | extern __pid_t gettid (void) __THROW; | ^~~~~~ Signed-off-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 15479dd156acd90b709b31893567e83f0386c3c0 Author: Yunhao Tian Date: Wed Nov 13 13:27:25 2019 +0000 drm/sun4i: tcon: Set min division of TCON0_DCLK to 1. [ Upstream commit 0b8e7bbde5e7e2c419567e1ee29587dae3b78ee3 ] The datasheet of V3s (and various other chips) wrote that TCON0_DCLK_DIV can be >= 1 if only dclk is used, and must >= 6 if dclk1 or dclk2 is used. As currently neither dclk1 nor dclk2 is used (no writes to these bits), let's set minimal division to 1. If this minimal division is 6, some common dot clock frequencies can't be produced (e.g. 30MHz will not be possible and will fallback to 25MHz), which is obviously not an expected behaviour. Signed-off-by: Yunhao Tian Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/linux-arm-kernel/MN2PR08MB57905AD8A00C08DA219377C989760@MN2PR08MB5790.namprd08.prod.outlook.com/ Signed-off-by: Sasha Levin commit e41ca81e46b957a9f46bad0b3cf7e38f2ad110d1 Author: paulhsia Date: Wed Nov 13 01:17:14 2019 +0800 ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() [ Upstream commit f5cdc9d4003a2f66ea57b3edd3e04acc2b1a4439 ] If the nullity check for `substream->runtime` is outside of the lock region, it is possible to have a null runtime in the critical section if snd_pcm_detach_substream is called right before the lock. Signed-off-by: paulhsia Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 78a917bea6ede80a0635a4fb4f87d713bb6fbeb1 Author: Alexander Shishkin Date: Tue Nov 5 09:57:02 2019 +0200 perf/core: Consistently fail fork on allocation failures [ Upstream commit 697d877849d4b34ab58d7078d6930bad0ef6fc66 ] Commit: 313ccb9615948 ("perf: Allocate context task_ctx_data for child event") makes the inherit path skip over the current event in case of task_ctx_data allocation failure. This, however, is inconsistent with allocation failures in perf_event_alloc(), which would abort the fork. Correct this by returning an error code on task_ctx_data allocation failure and failing the fork in that case. Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: David Ahern Cc: Jiri Olsa Cc: Jiri Olsa Cc: Linus Torvalds Cc: Mark Rutland Cc: Namhyung Kim Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lkml.kernel.org/r/20191105075702.60319-1-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 870083b6af3585601b69232f2ffdd362ac1bde7b Author: Peter Zijlstra Date: Tue Oct 1 11:18:37 2019 +0200 sched/core: Avoid spurious lock dependencies [ Upstream commit ff51ff84d82aea5a889b85f2b9fb3aa2b8691668 ] While seemingly harmless, __sched_fork() does hrtimer_init(), which, when DEBUG_OBJETS, can end up doing allocations. This then results in the following lock order: rq->lock zone->lock.rlock batched_entropy_u64.lock Which in turn causes deadlocks when we do wakeups while holding that batched_entropy lock -- as the random code does. Solve this by moving __sched_fork() out from under rq->lock. This is safe because nothing there relies on rq->lock, as also evident from the other __sched_fork() callsite. Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Qian Cai Cc: Thomas Gleixner Cc: akpm@linux-foundation.org Cc: bigeasy@linutronix.de Cc: cl@linux.com Cc: keescook@chromium.org Cc: penberg@kernel.org Cc: rientjes@google.com Cc: thgarnie@google.com Cc: tytso@mit.edu Cc: will@kernel.org Fixes: b7d5dc21072c ("random: add a spinlock_t to struct batched_entropy") Link: https://lkml.kernel.org/r/20191001091837.GK4536@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 41415da3aa6ec235e8cbd365e6b61ac357b3d73e Author: Pan Bian Date: Tue Nov 12 17:04:54 2019 -0800 Input: cyttsp4_core - fix use after free bug [ Upstream commit 79aae6acbef16f720a7949f8fc6ac69816c79d62 ] The device md->input is used after it is released. Setting the device data to NULL is unnecessary as the device is never used again. Instead, md->input should be assigned NULL to avoid accessing the freed memory accidently. Besides, checking md->si against NULL is superfluous as it points to a variable address, which cannot be NULL. Signed-off-by: Pan Bian Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit e31f97a04f0aaf3516c3fad156e679051d19b9d7 Author: Xiaodong Xu Date: Mon Nov 11 15:05:46 2019 -0800 xfrm: release device reference for invalid state [ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ] An ESP packet could be decrypted in async mode if the input handler for this packet returns -EINPROGRESS in xfrm_input(). At this moment the device reference in skb is held. Later xfrm_input() will be invoked again to resume the processing. If the transform state is still valid it would continue to release the device reference and there won't be a problem; however if the transform state is not valid when async resumption happens, the packet will be dropped while the device reference is still being held. When the device is deleted for some reason and the reference to this device is not properly released, the kernel will keep logging like: unregister_netdevice: waiting for ppp2 to become free. Usage count = 1 The issue is observed when running IPsec traffic over a PPPoE device based on a bridge interface. By terminating the PPPoE connection on the server end for multiple times, the PPPoE device on the client side will eventually get stuck on the above warning message. This patch will check the async mode first and continue to release device reference in async resumption, before it is dropped due to invalid state. v2: Do not assign address family from outer_mode in the transform if the state is invalid v3: Release device reference in the error path instead of jumping to resume Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)") Signed-off-by: Xiaodong Xu Reported-by: Bo Chen Tested-by: Bo Chen Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 3c5f6ba0f90e840086cc5114276f1d0493c14009 Author: Stephan Gerhold Date: Sun Nov 10 17:19:15 2019 +0100 NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error [ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ] I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci result in a NULL pointer dereference at the moment: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1 RIP: 0010:skb_queue_tail+0x25/0x50 Call Trace: nci_recv_frame+0x36/0x90 [nci] nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c] ? preempt_count_add+0x68/0xa0 ? irq_forced_thread_fn+0x80/0x80 irq_thread_fn+0x20/0x60 irq_thread+0xee/0x180 ? wake_threads_waitq+0x30/0x30 kthread+0xfb/0x130 ? irq_thread_check_affinity+0xd0/0xd0 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x40 Afterward the kernel must be rebooted to work properly again. This happens because it attempts to call nci_recv_frame() with skb == NULL. However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any NULL checks for skb, causing the NULL pointer dereference. Change the code to call only nxp_nci_fw_recv_frame() in case of an error. Make sure to log it so it is obvious that a communication error occurred. The error above then becomes: nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 nci: __nci_request: wait_for_completion_interruptible_timeout failed 0 nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") Signed-off-by: Stephan Gerhold Reviewed-by: Andy Shevchenko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7fb6ef16efc014acbc09db2ed36970dcaca416e5 Author: Al Viro Date: Sat Nov 2 13:11:41 2019 -0400 audit_get_nd(): don't unlock parent too early [ Upstream commit 69924b89687a2923e88cc42144aea27868913d0e ] if the child has been negative and just went positive under us, we want coherent d_is_positive() and ->d_inode. Don't unlock the parent until we'd done that work... Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit af17e1fc7cb773c7f22f7343323cf102ea52a50b Author: Al Viro Date: Fri Nov 8 22:08:29 2019 -0500 exportfs_decode_fh(): negative pinned may become positive without the parent locked [ Upstream commit a2ece088882666e1dc7113744ac912eb161e3f87 ] Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit dadd71d18abff387cd4fd9a091eea50dfab7f781 Author: Mordechay Goodstein Date: Thu Nov 7 13:51:47 2019 +0200 iwlwifi: pcie: don't consider IV len in A-MSDU [ Upstream commit cb1a4badf59275eb7221dcec621e8154917eabd1 ] From gen2 PN is totally offloaded to hardware (also the space for the IV isn't part of the skb). As you can see in mvm/mac80211.c:3545, the MAC for cipher types CCMP/GCMP doesn't set IEEE80211_KEY_FLAG_PUT_IV_SPACE for gen2 NICs. This causes all the AMSDU data to be corrupted with cipher enabled. Signed-off-by: Mordechay Goodstein Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 65e5e9913161e3c0d61528b6a1745e568635d94e Author: Sirong Wang Date: Fri Nov 1 10:33:29 2019 +0800 RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN [ Upstream commit 531eb45b3da4267fc2a64233ba256c8ffb02edd2 ] Size of pointer to buf field of struct hns_roce_hem_chunk should be considered when calculating HNS_ROCE_HEM_CHUNK_LEN, or sg table size will be larger than expected when allocating hem. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Link: https://lore.kernel.org/r/1572575610-52530-2-git-send-email-liweihang@hisilicon.com Signed-off-by: Sirong Wang Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d4bc855afd2e1b93bbc94f67e98b8ce867d89f09 Author: Al Viro Date: Fri Oct 25 00:03:11 2019 -0400 autofs: fix a leak in autofs_expire_indirect() [ Upstream commit 03ad0d703df75c43f78bd72e16124b5b94a95188 ] if the second call of should_expire() in there ends up grabbing and returning a new reference to dentry, we need to drop it before continuing. Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit c44d21f8227e3919d5282d861352a91957b6743c Author: Chuhong Yuan Date: Mon Nov 18 10:48:33 2019 +0800 serial: ifx6x60: add missed pm_runtime_disable commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream. The driver forgets to call pm_runtime_disable in remove. Add the missed calls to fix it. Signed-off-by: Chuhong Yuan Cc: stable Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com Signed-off-by: Greg Kroah-Hartman commit bd95aea990a40c3a386e387722f3a6253b4c07a5 Author: Jiangfeng Xiao Date: Wed Nov 20 23:18:53 2019 +0800 serial: serial_core: Perform NULL checks for break_ctl ops commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream. Doing fuzz test on sbsa uart device, causes a kernel crash due to NULL pointer dereference: ------------[ cut here ]------------ Unable to handle kernel paging request at virtual address fffffffffffffffc pgd = ffffffe331723000 [fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000 Internal error: Oops: 96000005 [#1] PREEMPT SMP Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O) Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O) hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O) mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O) uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4 iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry nfsv3 nfs nfs_acl lockd sunrpc grace autofs4 CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1 task: ffffffe32b23f110 task.stack: ffffffe32bda4000 PC is at uart_break_ctl+0x44/0x84 LR is at uart_break_ctl+0x34/0x84 pc : [] lr : [] pstate: 80000005 sp : ffffffe32bda7cc0 x29: ffffffe32bda7cc0 x28: ffffffe32b23f110 x27: ffffff8393402000 x26: 0000000000000000 x25: ffffffe32b233f40 x24: ffffffc07a8ec680 x23: 0000000000005425 x22: 00000000ffffffff x21: ffffffe33ed73c98 x20: 0000000000000000 x19: ffffffe33ed94168 x18: 0000000000000004 x17: 0000007f92ae9d30 x16: ffffff8392fa6064 x15: 0000000000000010 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000020 x10: 0000007ffdac1708 x9 : 0000000000000078 x8 : 000000000000001d x7 : 0000000052a64887 x6 : ffffffe32bda7e08 x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000 x3 : ffffff83938d5018 x2 : 0000000000000080 x1 : ffffffe32b23c040 x0 : ffffff83934428f8 virtual start addr offset is 38ac00000 module base offset is 2cd4cf1000 linear region base offset is : 0 Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000) Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000) 7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054 7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c 7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600 7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425 7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003 7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e 7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600 7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410 7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978 7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc 7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003 7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0 7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003 7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78 7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c 7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425 7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014 7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078 7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000 7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30 7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0 7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840 7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000 7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 Call trace: Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0) 7aa0: 0000000000001000 0000007fffffffff 7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025 7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c 7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20 7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000 7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110 7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600 7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018 7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887 7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020 7be0: 0000000000000000 0000000000000000 [] uart_break_ctl+0x44/0x84 [] send_break+0xa0/0x114 [] tty_ioctl+0xc50/0xe84 [] do_vfs_ioctl+0xc4/0x6e8 [] SyS_ioctl+0x68/0x9c [] __sys_trace_return+0x0/0x4 Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280) ---[ end trace 8606094f1960c5e0 ]--- Kernel panic - not syncing: Fatal exception Fix this problem by adding NULL checks prior to calling break_ctl ops. Signed-off-by: Jiangfeng Xiao Cc: stable Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com Signed-off-by: Greg Kroah-Hartman commit 4fca520233920314bd13446890af558c3260d836 Author: Vincent Whitchurch Date: Mon Nov 18 10:25:47 2019 +0100 serial: pl011: Fix DMA ->flush_buffer() commit f6a196477184b99a31d16366a8e826558aa11f6d upstream. PL011's ->flush_buffer() implementation releases and reacquires the port lock. Due to a race condition here, data can end up being added to the circular buffer but neither being discarded nor being sent out. This leads to, for example, tcdrain(2) waiting indefinitely. Process A Process B uart_flush_buffer() - acquire lock - circ_clear - pl011_flush_buffer() -- release lock -- dmaengine_terminate_all() uart_write() - acquire lock - add chars to circ buffer - start_tx() -- start DMA - release lock -- acquire lock -- turn off DMA -- release lock // Data in circ buffer but DMA is off According to the comment in the code, the releasing of the lock around dmaengine_terminate_all() is to avoid a deadlock with the DMA engine callback. However, since the time this code was written, the DMA engine API documentation seems to have been clarified to say that dmaengine_terminate_all() (in the identically implemented but differently named dmaengine_terminate_async() variant) does not wait for any running complete callback to be completed and can even be called from a complete callback. So there is no possibility of deadlock if the DMA engine driver implements this API correctly. So we should be able to just remove this release and reacquire of the lock to prevent the aforementioned race condition. Signed-off-by: Vincent Whitchurch Cc: stable Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com Signed-off-by: Greg Kroah-Hartman commit 4f7294890ac39130277243aebd5a3d33f4feebba Author: Jeffrey Hugo Date: Mon Oct 21 08:46:16 2019 -0700 tty: serial: msm_serial: Fix flow control commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream. hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and Lenovo Miix 630 laptop. As part of initializing the wcn3990, hci_qca disables flow, configures the uart baudrate, and then reenables flow - at which point an event is expected to be received over the uart from the wcn3990. It is observed that this event comes after the baudrate change but before hci_qca re-enables flow. This is unexpected, and is a result of msm_reset() being broken. According to the uart_dm hardware documentation, it is recommended that automatic hardware flow control be enabled by setting RX_RDY_CTL. Auto hw flow control will manage RFR based on the configured watermark. When there is space to receive data, the hw will assert RFR. When the watermark is hit, the hw will de-assert RFR. The hardware documentation indicates that RFR can me manually managed via CR when RX_RDY_CTL is not set. SET_RFR asserts RFR, and RESET_RFR de-asserts RFR. msm_reset() is broken because after resetting the hardware, it unconditionally asserts RFR via SET_RFR. This enables flow regardless of the current configuration, and would undo a previous flow disable operation. It should instead de-assert RFR via RESET_RFR to block flow until the hardware is reconfigured. msm_serial should rely on the client to specify that flow should be enabled, either via mctrl() or the termios structure, and only assert RFR in response to those triggers. Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.") Signed-off-by: Jeffrey Hugo Reviewed-by: Bjorn Andersson Cc: stable Reviewed-by: Andy Gross Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com Signed-off-by: Greg Kroah-Hartman commit 8f7600e2db0caeaf0427eaca02a8f7e1126bb342 Author: Peng Fan Date: Tue Nov 5 05:51:10 2019 +0000 tty: serial: fsl_lpuart: use the sg count from dma_map_sg commit 487ee861de176090b055eba5b252b56a3b9973d6 upstream. The dmaengine_prep_slave_sg needs to use sg count returned by dma_map_sg, not use sport->dma_tx_nents, because the return value of dma_map_sg is not always same with "nents". When enabling iommu for lpuart + edma, iommu framework may concatenate two sgs into one. Fixes: 6250cc30c4c4e ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx") Cc: Signed-off-by: Peng Fan Link: https://lore.kernel.org/r/1572932977-17866-1-git-send-email-peng.fan@nxp.com Signed-off-by: Greg Kroah-Hartman commit c5a309dc42f1891c8c00a704d5d206702a047a42 Author: Michał Mirosław Date: Sat Aug 10 10:42:48 2019 +0200 usb: gadget: u_serial: add missing port entry locking commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream. gserial_alloc_line() misses locking (for a release barrier) while resetting port entry on TTY allocation failure. Fix this. Cc: stable@vger.kernel.org Signed-off-by: Michał Mirosław Reviewed-by: Greg Kroah-Hartman Tested-by: Ladislav Michl Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c35cac9280113e2dcf78f9a5bfa85321b62a9610 Author: Arnd Bergmann Date: Fri Nov 8 21:34:29 2019 +0100 lp: fix sparc64 LPSETTIMEOUT ioctl commit 45a2d64696b11913bcf1087b041740edbade3e21 upstream. The layout of struct timeval is different on sparc64 from anything else, and the patch I did long ago failed to take this into account. Change it now to handle sparc64 user space correctly again. Quite likely nobody cares about parallel ports on sparc64, but there is no reason not to fix it. Cc: stable@vger.kernel.org Fixes: 9a450484089d ("lp: support 64-bit time_t user space") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20191108203435.112759-7-arnd@arndb.de Signed-off-by: Greg Kroah-Hartman commit a59c5bc79eea008a7141200332323e4041e2fbeb Author: Tuowen Zhao Date: Wed Oct 16 15:06:27 2019 -0600 sparc64: implement ioremap_uc commit 38e45d81d14e5f78cd67922596b1c37b4c22ec74 upstream. On sparc64, the whole physical IO address space is accessible using physically addressed loads and stores. *_uc does nothing like the others. Cc: # v4.19+ Reported-by: kbuild test robot Signed-off-by: Tuowen Zhao Acked-by: David S. Miller Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 2f5eb8d64fa587d41d8e8efe24d7c146a5a343e7 Author: Jon Hunter Date: Wed Sep 25 15:12:29 2019 +0100 arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator commit 1e5e929c009559bd7e898ac8e17a5d01037cb057 upstream. Commit 34993594181d ("arm64: tegra: Enable HDMI on Jetson TX1") added a regulator for HDMI on the Jetson TX1 platform. This regulator has an active high enable, but the GPIO specifier for enabling the regulator incorrectly defines it as active-low. This causes the following warning to occur on boot ... WARNING KERN regulator@10 GPIO handle specifies active low - ignored The fixed-regulator binding does not use the active-low flag from the gpio specifier and purely relies of the presence of the 'enable-active-high' property to determine if it is active high or low (if this property is omitted). Fix this warning by setting the GPIO to active-high in the GPIO specifier which aligns with the presense of the 'enable-active-high' property. Fixes: 34993594181d ("arm64: tegra: Enable HDMI on Jetson TX1") Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 5da96cc31633a9076404621ebb89bbe78f2c8676 Author: Navid Emamdoost Date: Fri Sep 13 19:08:11 2019 -0500 rsi: release skb if rsi_prepare_beacon fails commit d563131ef23cbc756026f839a82598c8445bc45f upstream. In rsi_send_beacon, if rsi_prepare_beacon fails the allocated skb should be released. Signed-off-by: Navid Emamdoost Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman