commit 48a16935fdcdb0926ed5e743a9d8d238bbc9c243 Author: Greg Kroah-Hartman Date: Mon Nov 25 15:54:52 2019 +0100 Linux 4.4.203 commit f811dcf49abfcc96e93360db790d7e6b90ad4c91 Author: Pavel Tatashin Date: Tue Nov 19 17:10:06 2019 -0500 arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault commit 94bb804e1e6f0a9a77acf20d7c70ea141c6c821e upstream. A number of our uaccess routines ('__arch_clear_user()' and '__arch_copy_{in,from,to}_user()') fail to re-enable PAN if they encounter an unhandled fault whilst accessing userspace. For CPUs implementing both hardware PAN and UAO, this bug has no effect when both extensions are in use by the kernel. For CPUs implementing hardware PAN but not UAO, this means that a kernel using hardware PAN may execute portions of code with PAN inadvertently disabled, opening us up to potential security vulnerabilities that rely on userspace access from within the kernel which would usually be prevented by this mechanism. In other words, parts of the kernel run the same way as they would on a CPU without PAN implemented/emulated at all. For CPUs not implementing hardware PAN and instead relying on software emulation via 'CONFIG_ARM64_SW_TTBR0_PAN=y', the impact is unfortunately much worse. Calling 'schedule()' with software PAN disabled means that the next task will execute in the kernel using the page-table and ASID of the previous process even after 'switch_mm()', since the actual hardware switch is deferred until return to userspace. At this point, or if there is a intermediate call to 'uaccess_enable()', the page-table and ASID of the new process are installed. Sadly, due to the changes introduced by KPTI, this is not an atomic operation and there is a very small window (two instructions) where the CPU is configured with the page-table of the old task and the ASID of the new task; a speculative access in this state is disastrous because it would corrupt the TLB entries for the new task with mappings from the previous address space. As Pavel explains: | I was able to reproduce memory corruption problem on Broadcom's SoC | ARMv8-A like this: | | Enable software perf-events with PERF_SAMPLE_CALLCHAIN so userland's | stack is accessed and copied. | | The test program performed the following on every CPU and forking | many processes: | | unsigned long *map = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, | MAP_SHARED | MAP_ANONYMOUS, -1, 0); | map[0] = getpid(); | sched_yield(); | if (map[0] != getpid()) { | fprintf(stderr, "Corruption detected!"); | } | munmap(map, PAGE_SIZE); | | From time to time I was getting map[0] to contain pid for a | different process. Ensure that PAN is re-enabled when returning after an unhandled user fault from our uaccess routines. Cc: Catalin Marinas Reviewed-by: Mark Rutland Tested-by: Mark Rutland Cc: Fixes: 338d4f49d6f7 ("arm64: kernel: Add support for Privileged Access Never") Signed-off-by: Pavel Tatashin [will: rewrote commit message] [will: backport for 4.4.y stable kernels] Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 736d201a590941a95aefb037238f867ca7edbb20 Author: Huibin Hong Date: Wed Oct 10 11:00:32 2018 +0200 spi: rockchip: initialize dma_slave_config properly [ Upstream commit dd8fd2cbc73f8650f651da71fc61a6e4f30c1566 ] The rxconf and txconf structs are allocated on the stack, so make sure we zero them before filling out the relevant fields. Signed-off-by: Huibin Hong Signed-off-by: Emil Renner Berthing Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 344823879808142fe0fc9900f6e7ee77da7841e5 Author: Felix Fietkau Date: Sat Oct 6 19:35:04 2018 +0200 mac80211: minstrel: fix CCK rate group streams value [ Upstream commit 80df9be67c44cb636bbc92caeddad8caf334c53c ] Fixes a harmless underflow issue when CCK rates are actively being used Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 673f7373bd5860f0fbd3325f256131f73b9fc09a Author: Thierry Reding Date: Fri Sep 21 12:10:47 2018 +0200 hwmon: (pwm-fan) Silence error on probe deferral [ Upstream commit 9f67f7583e77fe5dc57aab3a6159c2642544eaad ] Probe deferrals aren't actual errors, so silence the error message in case the PWM cannot yet be acquired. Signed-off-by: Thierry Reding Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 08fdf5bd19bf13ff41714b6707b1ee690c650bfb Author: Timothy E Baldwin Date: Mon Oct 8 19:26:48 2018 +0100 ARM: 8802/1: Call syscall_trace_exit even when system call skipped [ Upstream commit f18aef742c8fbd68e280dff0a63ba0ca6ee8ad85 ] On at least x86 and ARM64, and as documented in the ptrace man page a skipped system call will still cause a syscall exit ptrace stop. Previous to this commit 32-bit ARM did not, resulting in strace being confused when seccomp skips system calls. This change also impacts programs that use ptrace to skip system calls. Fixes: ad75b51459ae ("ARM: 7579/1: arch/allow a scno of -1 to not cause a SIGILL") Signed-off-by: Timothy E Baldwin Signed-off-by: Eugene Syromyatnikov Reviewed-by: Kees Cook Tested-by: Kees Cook Tested-by: Eugene Syromyatnikov Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 91a9d24e3f04b78e844a302177b753cd37ac3851 Author: Trent Piepho Date: Thu Sep 20 19:18:34 2018 +0000 spi: spidev: Fix OF tree warning logic [ Upstream commit 605b3bec73cbd74b4ac937b580cd0b47d1300484 ] spidev will make a big fuss if a device tree node binds a device by using "spidev" as the node's compatible property. However, the logic for this isn't looking for "spidev" in the compatible, but rather checking that the device is NOT compatible with spidev's list of devices. This causes a false positive if a device not named "rohm,dh2228fv", etc. binds to spidev, even if a means other than putting "spidev" in the device tree was used. E.g., the sysfs driver_override attribute. Signed-off-by: Trent Piepho Reviewed-by: Jan Kundrát Tested-by: Jan Kundrát Reviewed-by: Geert Uytterhoeven Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6d49b0992d02f620a5356a6420dc4ce82a2705e5 Author: Marek Vasut Date: Thu Oct 4 00:52:52 2018 +0200 gpio: syscon: Fix possible NULL ptr usage [ Upstream commit 70728c29465bc4bfa7a8c14304771eab77e923c7 ] The priv->data->set can be NULL while flags contains GPIO_SYSCON_FEAT_OUT and chip->set is valid pointer. This happens in case the controller uses the default GPIO setter. Always use chip->set to access the setter to avoid possible NULL pointer dereferencing. Signed-off-by: Marek Vasut Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit df3de9e92c3b0f268b0479c452b4710cf39380ff Author: Bjorn Helgaas Date: Thu Sep 27 09:21:55 2018 -0500 x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error [ Upstream commit 51fbf14f2528a8c6401290e37f1c893a2412f1d3 ] The only use of KEXEC_BACKUP_SRC_END is as an argument to walk_system_ram_res(): int crash_load_segments(struct kimage *image) { ... walk_system_ram_res(KEXEC_BACKUP_SRC_START, KEXEC_BACKUP_SRC_END, image, determine_backup_region); walk_system_ram_res() expects "start, end" arguments that are inclusive, i.e., the range to be walked includes both the start and end addresses. KEXEC_BACKUP_SRC_END was previously defined as (640 * 1024UL), which is the first address *past* the desired 0-640KB range. Define KEXEC_BACKUP_SRC_END as (640 * 1024UL - 1) so the KEXEC_BACKUP_SRC region is [0-0x9ffff], not [0-0xa0000]. Fixes: dd5f726076cc ("kexec: support for kexec on panic using new system call") Signed-off-by: Bjorn Helgaas Signed-off-by: Borislav Petkov CC: "H. Peter Anvin" CC: Andrew Morton CC: Brijesh Singh CC: Greg Kroah-Hartman CC: Ingo Molnar CC: Lianbo Jiang CC: Takashi Iwai CC: Thomas Gleixner CC: Tom Lendacky CC: Vivek Goyal CC: baiyaowei@cmss.chinamobile.com CC: bhe@redhat.com CC: dan.j.williams@intel.com CC: dyoung@redhat.com CC: kexec@lists.infradead.org Link: http://lkml.kernel.org/r/153805811578.1157.6948388946904655969.stgit@bhelgaas-glaptop.roam.corp.google.com Signed-off-by: Sasha Levin commit 0e74fb6274ff2465205616997465d7b26b29a664 Author: Colin Ian King Date: Sat Oct 6 14:01:42 2018 -0400 media: cx231xx: fix potential sign-extension overflow on large shift [ Upstream commit 32ae592036d7aeaabcccb2b1715373a68639a768 ] Shifting the u8 value[3] by an int can lead to sign-extension overflow. For example, if value[3] is 0xff and the shift is 24 then it is promoted to int and then the top bit is sign-extended so that all upper 32 bits are set. Fix this by casting value[3] to a u32 before the shift. Detected by CoverityScan, CID#1016522 ("Unintended sign extension") Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") Signed-off-by: Colin Ian King Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 560976f5b8d068d92251de339b2794aae5f59d76 Author: Tim Smith Date: Mon Oct 8 12:15:40 2018 -0500 GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads [ Upstream commit 1eb8d7387908022951792a46fa040ad3942b3b08 ] Flushing the workqueue can cause operations to happen which might call gfs2_log_reserve(), or get stuck waiting for locks taken by such operations. gfs2_log_reserve() can io_schedule(). If this happens, it will never wake because the only thing which can wake it is gfs2_logd() which was already stopped. This causes umount of a gfs2 filesystem to wedge permanently if, for example, the umount immediately follows a large delete operation. When this occured, the following stack trace was obtained from the umount command [] flush_workqueue+0x1c8/0x520 [] gfs2_make_fs_ro+0x69/0x160 [gfs2] [] gfs2_put_super+0xa9/0x1c0 [gfs2] [] generic_shutdown_super+0x6f/0x100 [] kill_block_super+0x27/0x70 [] gfs2_kill_sb+0x71/0x80 [gfs2] [] deactivate_locked_super+0x3b/0x70 [] deactivate_super+0x59/0x60 [] cleanup_mnt+0x58/0x80 [] __cleanup_mnt+0x12/0x20 [] task_work_run+0x7d/0xa0 [] exit_to_usermode_loop+0x73/0x98 [] syscall_return_slowpath+0x41/0x50 [] int_ret_from_sys_call+0x25/0x8f [] 0xffffffffffffffff Signed-off-by: Tim Smith Signed-off-by: Mark Syms Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit cc1c305ccaabf2b8ef7679cfe09fb3ca0b84dcd9 Author: Wenwen Wang Date: Thu Oct 4 11:44:02 2018 -0400 media: isif: fix a NULL pointer dereference bug [ Upstream commit a26ac6c1bed951b2066cc4b2257facd919e35c0b ] In isif_probe(), there is a while loop to get the ISIF base address and linearization table0 and table1 address. In the loop body, the function platform_get_resource() is called to get the resource. If platform_get_resource() returns NULL, the loop is terminated and the execution goes to 'fail_nobase_res'. Suppose the loop is terminated at the first iteration because platform_get_resource() returns NULL and the execution goes to 'fail_nobase_res'. Given that there is another while loop at 'fail_nobase_res' and i equals to 0, one iteration of the second while loop will be executed. However, the second while loop does not check the return value of platform_get_resource(). This can cause a NULL pointer dereference bug if the return value is a NULL pointer. This patch avoids the above issue by adding a check in the second while loop after the call to platform_get_resource(). Signed-off-by: Wenwen Wang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 55b2c1ccb82143be1ed9e1922976dbe63917fe68 Author: He Zhe Date: Sun Sep 30 00:45:53 2018 +0800 printk: Give error on attempt to set log buffer length to over 2G [ Upstream commit e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e ] The current printk() is ready to handle log buffer size up to 2G. Give an explicit error for users who want to use larger log buffer. Also fix printk formatting to show the 2G as a positive number. Link: http://lkml.kernel.org/r/20181008135916.gg4kkmoki5bgtco5@pathway.suse.cz Cc: rostedt@goodmis.org Cc: linux-kernel@vger.kernel.org Suggested-by: Sergey Senozhatsky Signed-off-by: He Zhe Reviewed-by: Sergey Senozhatsky [pmladek: Fixed to the really safe limit 2GB.] Signed-off-by: Petr Mladek Signed-off-by: Sasha Levin commit 4e132c761b445795133d3a94cbbe857ac695998a Author: Nathan Chancellor Date: Fri Sep 21 13:21:31 2018 -0700 backlight: lm3639: Unconditionally call led_classdev_unregister [ Upstream commit 7cea645ae9c5a54aa7904fddb2cdf250acd63a6c ] Clang warns that the address of a pointer will always evaluated as true in a boolean context. drivers/video/backlight/lm3639_bl.c:403:14: warning: address of 'pchip->cdev_torch' will always evaluate to 'true' [-Wpointer-bool-conversion] if (&pchip->cdev_torch) ~~ ~~~~~~~^~~~~~~~~~ drivers/video/backlight/lm3639_bl.c:405:14: warning: address of 'pchip->cdev_flash' will always evaluate to 'true' [-Wpointer-bool-conversion] if (&pchip->cdev_flash) ~~ ~~~~~~~^~~~~~~~~~ 2 warnings generated. These statements have been present since 2012, introduced by commit 0f59858d5119 ("backlight: add new lm3639 backlight driver"). Given that they have been called unconditionally since then presumably without any issues, removing the always true if statements to fix the warnings without any real world changes. Link: https://github.com/ClangBuiltLinux/linux/issues/119 Signed-off-by: Nathan Chancellor Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 6c6ccfb816582ea3331f474dc545cb53e967f7f4 Author: Borislav Petkov Date: Mon Oct 8 10:05:20 2018 +0200 proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted() [ Upstream commit cf089611f4c446285046fcd426d90c18f37d2905 ] Lianbo reported a build error with a particular 32-bit config, see Link below for details. Provide a weak copy_oldmem_page_encrypted() function which architectures can override, in the same manner other functionality in that file is supplied. Reported-by: Lianbo Jiang Signed-off-by: Borislav Petkov CC: x86@kernel.org Link: http://lkml.kernel.org/r/710b9d95-2f70-eadf-c4a1-c3dc80ee4ebb@redhat.com Signed-off-by: Sasha Levin commit d6767e1f8eedaf6c635ead453e91629885ce4f5c Author: Shenghui Wang Date: Mon Oct 8 20:41:15 2018 +0800 bcache: recal cached_dev_sectors on detach [ Upstream commit 46010141da6677b81cc77f9b47f8ac62bd1cbfd3 ] Recal cached_dev_sectors on cached_dev detached, as recal done on cached_dev attached. Update the cached_dev_sectors before bcache_device_detach called as bcache_device_detach will set bcache_device->c to NULL. Signed-off-by: Shenghui Wang Signed-off-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit c0dea2024671239aa31b4921e61fab67295d1517 Author: Dan Carpenter Date: Mon Oct 8 12:57:36 2018 +0200 fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() [ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ] The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter Cc: Peter Malone Cc: Philippe Ombredanne Cc: Mathieu Malaterre Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin commit 6fc10fb9663d45eaafc353bcfae09badb8585a7f Author: Dan Carpenter Date: Mon Oct 8 12:57:36 2018 +0200 fbdev: sbuslib: use checked version of put_user() [ Upstream commit d8bad911e5e55e228d59c0606ff7e6b8131ca7bf ] I'm not sure why the code assumes that only the first put_user() needs an access_ok() check. I have made all the put_user() and get_user() calls checked. Signed-off-by: Dan Carpenter Cc: Philippe Ombredanne Cc: Mathieu Malaterre Cc: Peter Malone , Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin commit 682e2ea0ca94e4cd8d244fd6c276ab3f6d9c51ab Author: Ronald Tschalär Date: Sun Sep 30 19:53:13 2018 -0700 ACPI / SBS: Fix rare oops when removing modules [ Upstream commit 757c968c442397f1249bb775a7c8c03842e3e0c7 ] There was a small race when removing the sbshc module where smbus_alarm() had queued acpi_smbus_callback() for deferred execution but it hadn't been run yet, so that when it did run hc had been freed and the module unloaded, resulting in an invalid paging request. A similar race existed when removing the sbs module with regards to acpi_sbs_callback() (which is called from acpi_smbus_callback()). We therefore need to ensure no callbacks are pending or executing before the cleanups are done and the modules are removed. Signed-off-by: Ronald Tschalär Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit b88fa52436cf15db28e65b75e9ed6fc5a4d9b0ab Author: Radu Solea Date: Tue Oct 2 19:01:52 2018 +0000 crypto: mxs-dcp - Fix AES issues [ Upstream commit fadd7a6e616b89c7f4f7bfa7b824f290bab32c3c ] The DCP driver does not obey cryptlen, when doing android CTS this results in passing to hardware input stream lengths which are not multiple of block size. Add a check to prevent future erroneous stream lengths from reaching the hardware and adjust the scatterlist walking code to obey cryptlen. Also properly copy-out the IV for chaining. Signed-off-by: Radu Solea Signed-off-by: Franck LENORMAND Signed-off-by: Leonard Crestez Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 33378afbd12b2e7f10b911dd2869b0ff7b21b1ed Author: Radu Solea Date: Tue Oct 2 19:01:50 2018 +0000 crypto: mxs-dcp - Fix SHA null hashes and output length [ Upstream commit c709eebaf5c5faa8a0f140355f9cfe67e8f7afb1 ] DCP writes at least 32 bytes in the output buffer instead of hash length as documented. Add intermediate buffer to prevent write out of bounds. When requested to produce null hashes DCP fails to produce valid output. Add software workaround to bypass hardware and return valid output. Signed-off-by: Radu Solea Signed-off-by: Leonard Crestez Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 429382a0177819b65b2ff641c04fbd557cbb848a Author: Borislav Petkov Date: Fri Oct 5 15:13:07 2018 +0200 x86/olpc: Fix build error with CONFIG_MFD_CS5535=m [ Upstream commit fa112cf1e8bc693d5a666b1c479a2859c8b6e0f1 ] When building a 32-bit config which has the above MFD item as module but OLPC_XO1_PM is enabled =y - which is bool, btw - the kernel fails building with: ld: arch/x86/platform/olpc/olpc-xo1-pm.o: in function `xo1_pm_remove': /home/boris/kernel/linux/arch/x86/platform/olpc/olpc-xo1-pm.c:159: undefined reference to `mfd_cell_disable' ld: arch/x86/platform/olpc/olpc-xo1-pm.o: in function `xo1_pm_probe': /home/boris/kernel/linux/arch/x86/platform/olpc/olpc-xo1-pm.c:133: undefined reference to `mfd_cell_enable' make: *** [Makefile:1030: vmlinux] Error 1 Force MFD_CS5535 to y if OLPC_XO1_PM is enabled. Signed-off-by: Borislav Petkov Cc: Lubomir Rintel Cc: x86@kernel.org Link: http://lkml.kernel.org/r/20181005131750.GA5366@zn.tnic Signed-off-by: Sasha Levin commit 12b6054e29f4254b79f17d5ac973271865606613 Author: Martin Kepplinger Date: Fri Oct 5 11:44:45 2018 -0700 Input: st1232 - set INPUT_PROP_DIRECT property [ Upstream commit 20bbb312079494a406c10c90932e3c80837c9d94 ] This is how userspace checks for touchscreen devices most reliably. Signed-off-by: Martin Kepplinger Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 9a8fb6b85ba142d0b02046eb30ee2c56e0607ec7 Author: Rami Rosen Date: Fri Oct 5 00:03:10 2018 +0300 dmaengine: ioat: fix prototype of ioat_enumerate_channels [ Upstream commit f4d34aa8c887a8a2d23ef546da0efa10e3f77241 ] Signed-off-by: Rami Rosen Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f3ec47899154bd64ac393203a4b0e67691f9bc7f Author: Olga Kornievskaia Date: Thu Oct 4 14:45:00 2018 -0400 NFSv4.x: fix lock recovery during delegation recall [ Upstream commit 44f411c353bf6d98d5a34f8f1b8605d43b2e50b8 ] Running "./nfstest_delegation --runtest recall26" uncovers that client doesn't recover the lock when we have an appending open, where the initial open got a write delegation. Instead of checking for the passed in open context against the file lock's open context. Check that the state is the same. Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 0deab3d2d62d51aaa26971f641262d8e32c180a0 Author: Chung-Hsien Hsu Date: Thu Sep 27 14:59:49 2018 +0000 brcmfmac: fix full timeout waiting for action frame on-channel tx [ Upstream commit fbf07000960d9c8a13fdc17c6de0230d681c7543 ] The driver sends an action frame down and waits for a completion signal triggered by the received BRCMF_E_ACTION_FRAME_OFF_CHAN_COMPLETE event to continue the process. However, the action frame could be transmitted either on the current channel or on an off channel. For the on-channel case, only BRCMF_E_ACTION_FRAME_COMPLETE event will be received when the frame is transmitted, which make the driver always wait a full timeout duration. This patch has the completion signal be triggered by receiving the BRCMF_E_ACTION_FRAME_COMPLETE event for the on-channel case. This change fixes WFA p2p certification 5.1.19 failure. Signed-off-by: Chung-Hsien Hsu Signed-off-by: Chi-Hsien Lin Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 45a948f3b3dfc905f8520837cb9e9c46c53fe865 Author: Ricardo Ribalda Delgado Date: Thu Oct 4 15:34:45 2018 +0200 mtd: physmap_of: Release resources on error [ Upstream commit ef0de747f7ad179c7698a5b0e28db05f18ecbf57 ] During probe, if there was an error the memory region and the memory map were not properly released.This can lead a system unusable if deferred probe is in use. Replace mem_request and map with devm_ioremap_resource Signed-off-by: Ricardo Ribalda Delgado Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin commit 3983567fba3c597c81acab72ef071782103e369d Author: Johan Hovold Date: Sun Sep 30 18:03:11 2018 +0200 USB: serial: cypress_m8: fix interrupt-out transfer length [ Upstream commit 56445eef55cb5904096fed7a73cf87b755dfffc7 ] Fix interrupt-out transfer length which was being set to the transfer-buffer length rather than the size of the outgoing packet. Note that no slab data was leaked as the whole transfer buffer is always cleared before each transfer. Fixes: 9aa8dae7b1fa ("cypress_m8: use usb_fill_int_urb where appropriate") Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 54a1440e13e5fc7ed1b443deacf9630c25bd924c Author: Cameron Kaiser Date: Tue Jul 31 07:39:21 2018 -0700 KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR [ Upstream commit 1006284c5e411872333967b1970c2ca46a9e225f ] When an OS (currently only classic Mac OS) is running in KVM-PR and makes a linked jump from code with split hack addressing enabled into code that does not, LR is not correctly updated and reflects the previously munged PC. To fix this, this patch undoes the address munge when exiting split hack mode so that code relying on LR being a proper address will now execute. This does not affect OS X or other operating systems running on KVM-PR. Signed-off-by: Cameron Kaiser Signed-off-by: Paul Mackerras Signed-off-by: Sasha Levin commit 3ab6458a1cdfdbf3f2a7e483c2c9ebe07d79040d Author: Michael Pobega Date: Thu Oct 4 14:58:21 2018 -0400 ALSA: hda/sigmatel - Disable automute for Elo VuPoint [ Upstream commit d153135e93a50cdb6f1b52e238909e9965b56056 ] The Elo VuPoint 15MX has two headphone jacks of which neither work by default. Disabling automute allows ALSA to work normally with the speakers & left headphone jack. Future pin configuration changes may be required in the future to get the right headphone jack working in tandem. Signed-off-by: Michael Pobega Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit c4503c8ec56d38c17052e2129668f3b454559c58 Author: Nathan Chancellor Date: Wed Oct 3 19:37:54 2018 -0700 ata: ep93xx: Use proper enums for directions [ Upstream commit 6adde4a36f1b6a562a1057fbb1065007851050e7 ] Clang warns when one enumerated type is implicitly converted to another. drivers/ata/pata_ep93xx.c:662:36: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] drv_data->dma_rx_data.direction = DMA_FROM_DEVICE; ~ ^~~~~~~~~~~~~~~ drivers/ata/pata_ep93xx.c:670:36: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] drv_data->dma_tx_data.direction = DMA_TO_DEVICE; ~ ^~~~~~~~~~~~~ drivers/ata/pata_ep93xx.c:681:19: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] conf.direction = DMA_FROM_DEVICE; ~ ^~~~~~~~~~~~~~~ drivers/ata/pata_ep93xx.c:692:19: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] conf.direction = DMA_TO_DEVICE; ~ ^~~~~~~~~~~~~ Use the equivalent valued enums from the expected type so that Clang no longer warns about a conversion. DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2 Acked-by: Bartlomiej Zolnierkiewicz Signed-off-by: Nathan Chancellor Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 74a73932b86186a801b5f6188c14872a9cc8e285 Author: Wei Yongjun Date: Sat Sep 29 03:55:16 2018 +0000 IB/mthca: Fix error return code in __mthca_init_one() [ Upstream commit 39f2495618c5e980d2873ea3f2d1877dd253e07a ] Fix to return a negative error code from the mthca_cmd_init() error handling case instead of 0, as done elsewhere in this function. Fixes: 80fd8238734c ("[PATCH] IB/mthca: Encapsulate command interface init") Signed-off-by: Wei Yongjun Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 957758e16f996f46e53227a0c5ab036bf5683c96 Author: Radoslaw Tyl Date: Mon Sep 24 09:24:20 2018 +0200 ixgbe: Fix crash with VFs and flow director on interface flap [ Upstream commit 5d826d209164b0752c883607be4cdbbcf7cab494 ] This patch fix crash when we have restore flow director filters after reset adapter. In ixgbe_fdir_filter_restore() filter->action is outside of the rx_ring array, as it has a VF identifier in the upper 32 bits. Signed-off-by: Radoslaw Tyl Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit a43519c4322f290d2fcb0bead44a9af392407ab6 Author: Nathan Chancellor Date: Thu Sep 20 16:30:25 2018 -0700 mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer [ Upstream commit e2bfa4ca23d9b5a7bdfcf21319fad9b59e38a05c ] Clang warns when one enumerated type is converted implicitly to another: drivers/mtd/nand/raw/sh_flctl.c:483:46: warning: implicit conversion from enumeration type 'enum dma_transfer_direction' to different enumeration type 'enum dma_data_direction' [-Wenum-conversion] flctl_dma_fifo0_transfer(flctl, buf, rlen, DMA_DEV_TO_MEM) > 0) ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~ drivers/mtd/nand/raw/sh_flctl.c:542:46: warning: implicit conversion from enumeration type 'enum dma_transfer_direction' to different enumeration type 'enum dma_data_direction' [-Wenum-conversion] flctl_dma_fifo0_transfer(flctl, buf, rlen, DMA_MEM_TO_DEV) > 0) ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~ 2 warnings generated. Use the proper enums from dma_data_direction to satisfy Clang. DMA_MEM_TO_DEV = DMA_TO_DEVICE = 1 DMA_DEV_TO_MEM = DMA_FROM_DEVICE = 2 Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Miquel Raynal Signed-off-by: Sasha Levin commit 95ce46919f513a5226e76c4d0d2170d0ec8710c4 Author: Naveen N. Rao Date: Thu Sep 27 13:40:58 2018 +0530 powerpc/pseries: Fix how we iterate over the DTL entries [ Upstream commit 9258227e9dd1da8feddb07ad9702845546a581c9 ] When CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set, we look up dtl_idx in the lppaca to determine the number of entries in the buffer. Since lppaca is in big endian, we need to do an endian conversion before using this in our calculation to determine the number of entries in the buffer. Without this, we do not iterate over the existing entries in the DTL buffer properly. Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.") Signed-off-by: Naveen N. Rao Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit eb6ad2c2713691db9d3a2fa084395b1d0fd0ccde Author: Naveen N. Rao Date: Thu Sep 27 13:40:57 2018 +0530 powerpc/pseries: Fix DTL buffer registration [ Upstream commit db787af1b8a6b4be428ee2ea7d409dafcaa4a43c ] When CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set, we register the DTL buffer for a cpu when the associated file under powerpc/dtl in debugfs is opened. When doing so, we need to set the size of the buffer being registered in the second u32 word of the buffer. This needs to be in big endian, but we are not doing the conversion resulting in the below error showing up in dmesg: dtl_start: DTL registration for cpu 0 (hw 0) failed with -4 Fix this in the obvious manner. Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.") Signed-off-by: Naveen N. Rao Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit e045a47841c9f0437b95196afd2bcdc949527fa8 Author: Nathan Chancellor Date: Sun Sep 30 20:47:38 2018 -0700 cxgb4: Use proper enum in IEEE_FAUX_SYNC [ Upstream commit 258b6d141878530ba1f8fc44db683822389de914 ] Clang warns when one enumerated type is implicitly converted to another. drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.c:390:4: warning: implicit conversion from enumeration type 'enum cxgb4_dcb_state' to different enumeration type 'enum cxgb4_dcb_state_input' [-Wenum-conversion] IEEE_FAUX_SYNC(dev, dcb); ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.h:70:10: note: expanded from macro 'IEEE_FAUX_SYNC' CXGB4_DCB_STATE_FW_ALLSYNCED); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ Use the equivalent value of the expected type to silence Clang while resulting in no functional change. CXGB4_DCB_STATE_FW_ALLSYNCED = CXGB4_DCB_INPUT_FW_ALLSYNCED = 3 Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5ae0133d65b32d41a47e620bc938be1d395bd698 Author: Nathan Chancellor Date: Sun Sep 30 20:51:43 2018 -0700 cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update [ Upstream commit 3b0b8f0d9a259f6a428af63e7a77547325f8e081 ] Clang warns when one enumerated type is implicitly converted to another. drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.c:303:7: warning: implicit conversion from enumeration type 'enum cxgb4_dcb_state' to different enumeration type 'enum cxgb4_dcb_state_input' [-Wenum-conversion] ? CXGB4_DCB_STATE_FW_ALLSYNCED ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.c:304:7: warning: implicit conversion from enumeration type 'enum cxgb4_dcb_state' to different enumeration type 'enum cxgb4_dcb_state_input' [-Wenum-conversion] : CXGB4_DCB_STATE_FW_INCOMPLETE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2 warnings generated. Use the equivalent value of the expected type to silence Clang while resulting in no functional change. CXGB4_DCB_STATE_FW_INCOMPLETE = CXGB4_DCB_INPUT_FW_INCOMPLETE = 2 CXGB4_DCB_STATE_FW_ALLSYNCED = CXGB4_DCB_INPUT_FW_ALLSYNCED = 3 Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d094c54945e3a0c247aa458e8322e35b8cb1cd00 Author: Dan Carpenter Date: Mon Oct 1 19:44:41 2018 +0300 mei: samples: fix a signedness bug in amt_host_if_call() [ Upstream commit 185647813cac080453cb73a2e034a8821049f2a7 ] "out_buf_sz" needs to be signed for the error handling to work. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 208302af92112ff13cd47e2e6902fc365326c588 Author: Nathan Chancellor Date: Tue Sep 11 16:20:25 2018 -0700 dmaengine: timb_dma: Use proper enum in td_prep_slave_sg [ Upstream commit 5e621f5d538985f010035c6f3e28c22829d36db1 ] Clang warns when implicitly converting from one enumerated type to another. Avoid this by using the equivalent value from the expected type. drivers/dma/timb_dma.c:548:27: warning: implicit conversion from enumeration type 'enum dma_transfer_direction' to different enumeration type 'enum dma_data_direction' [-Wenum-conversion] td_desc->desc_list_len, DMA_MEM_TO_DEV); ^~~~~~~~~~~~~~ 1 warning generated. Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 1d6b58f039f159cc81ad7bdcb142c85f5ac988a1 Author: Nathan Chancellor Date: Tue Sep 11 16:40:20 2018 -0700 dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction [ Upstream commit 9524d6b265f9b2b9a61fceb2ee2ce1c2a83e39ca ] Clang warns when implicitly converting from one enumerated type to another. Avoid this by using the equivalent value from the expected type. In file included from drivers/dma/ep93xx_dma.c:30: ./include/linux/platform_data/dma-ep93xx.h:88:10: warning: implicit conversion from enumeration type 'enum dma_data_direction' to different enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] return DMA_NONE; ~~~~~~ ^~~~~~~~ 1 warning generated. Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 97779e462452963e51b1c559da1d8bd807b4ab57 Author: Andrew Zaborowski Date: Mon Sep 24 18:10:22 2018 +0200 nl80211: Fix a GET_KEY reply attribute [ Upstream commit efdfce7270de85a8706d1ea051bef3a7486809ff ] Use the NL80211_KEY_IDX attribute inside the NL80211_ATTR_KEY in NL80211_CMD_GET_KEY responses to comply with nl80211_key_policy. This is unlikely to affect existing userspace. Signed-off-by: Andrew Zaborowski Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit c3f29441b1035c23f5ae1d775d2a09c97ceb6a04 Author: Jia-Ju Bai Date: Sat Sep 15 11:04:40 2018 +0800 usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status() [ Upstream commit 2337a77c1cc86bc4e504ecf3799f947659c86026 ] The driver may sleep in an interrupt handler. The function call path (from bottom to top) in Linux-4.17 is: [FUNC] fotg210_ep_queue(GFP_KERNEL) drivers/usb/gadget/udc/fotg210-udc.c, 744: fotg210_ep_queue in fotg210_get_status drivers/usb/gadget/udc/fotg210-udc.c, 768: fotg210_get_status in fotg210_setup_packet drivers/usb/gadget/udc/fotg210-udc.c, 949: fotg210_setup_packet in fotg210_irq (interrupt handler) To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. If possible, spin_unlock() and spin_lock() around fotg210_ep_queue() can be also removed. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 6a9820f17c104598a19ae93cfe6fbf58e937c2d7 Author: Simon Wunderlich Date: Mon Oct 1 17:26:59 2018 +0300 ath9k: fix reporting calculated new FFT upper max [ Upstream commit 4fb5837ac2bd46a85620b297002c704e9958f64d ] Since the debug print code is outside of the loop, it shouldn't use the loop iterator anymore but instead print the found maximum index. Cc: Nick Kossifidis Signed-off-by: Simon Wunderlich Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit e12df1dc496b986201586e3dc4ae03533c246651 Author: Ben Greear Date: Thu Sep 6 19:46:20 2018 +0300 ath10k: fix vdev-start timeout on error [ Upstream commit 833fd34d743c728afe6d127ef7bee67e7d9199a8 ] The vdev-start-response message should cause the completion to fire, even in the error case. Otherwise, the user still gets no useful information and everything is blocked until the timeout period. Add some warning text to print out the invalid status code to aid debugging, and propagate failure code. Signed-off-by: Ben Greear Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 20cebfcc831224655050a9a1fe837997067e7179 Author: Trond Myklebust Date: Sat Sep 8 22:09:48 2018 -0400 SUNRPC: Fix priority queue fairness [ Upstream commit f42f7c283078ce3c1e8368b140e270755b1ae313 ] Fix up the priority queue to not batch by owner, but by queue, so that we allow '1 << priority' elements to be dequeued before switching to the next priority queue. The owner field is still used to wake up requests in round robin order by owner to avoid single processes hogging the RPC layer by loading the queues. Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 8669a2782c055ac090fe51b672f669b73685b716 Author: Jaegeuk Kim Date: Tue Sep 25 15:25:21 2018 -0700 f2fs: return correct errno in f2fs_gc [ Upstream commit 61f7725aa148ee870436a29d3a24d5c00ab7e9af ] This fixes overriding error number in f2fs_gc. Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e50b2964e3830b707fdadda1b4b47cd175672b42 Author: YueHaibing Date: Wed Sep 26 17:15:38 2018 +0800 net: ovs: fix return type of ndo_start_xmit function [ Upstream commit eddf11e18dff0e8671e06ce54e64cfc843303ab9 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5d784a2d4a0e302f51f6d96f44f5c21de47d6f19 Author: Jens Axboe Date: Wed Aug 7 12:20:52 2019 -0600 libata: have ata_scsi_rw_xlat() fail invalid passthrough requests commit 2d7271501720038381d45fb3dcbe4831228fc8cc upstream. For passthrough requests, libata-scsi takes what the user passes in as gospel. This can be problematic if the user fills in the CDB incorrectly. One example of that is in request sizes. For read/write commands, the CDB contains fields describing the transfer length of the request. These should match with the SG_IO header fields, but libata-scsi currently does no validation of that. Check that the number of blocks in the CDB for passthrough requests matches what was mapped into the request. If the CDB asks for more data then the validated SG_IO header fields, error it. Reported-by: Krishna Ram Prakash R Reviewed-by: Kees Cook Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 642fa50e555d2cb7812cdc470257b0251a3947af Author: Christoph Hellwig Date: Tue Jan 31 16:57:29 2017 +0100 block: introduce blk_rq_is_passthrough commit 57292b58ddb58689e8c3b4c6eadbef10d9ca44dd upstream. This can be used to check for fs vs non-fs requests and basically removes all knowledge of BLOCK_PC specific from the block layer, as well as preparing for removing the cmd_type field in struct request. Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe [only take the blkdev.h changes as we only want the function for backported patches - gregkh] Signed-off-by: Greg Kroah-Hartman commit b4ca3857b8e7bc876453c24ad0e76bf744ef8af0 Author: Daniel Vetter Date: Sun Jul 21 22:19:56 2019 +0200 fbdev: Ditch fb_edid_add_monspecs commit 3b8720e63f4a1fc6f422a49ecbaa3b59c86d5aaf upstream. It's dead code ever since commit 34280340b1dc74c521e636f45cd728f9abf56ee2 Author: Geert Uytterhoeven Date: Fri Dec 4 17:01:43 2015 +0100 fbdev: Remove unused SH-Mobile HDMI driver Also with this gone we can remove the cea_modes db. This entire thing is massively incomplete anyway, compared to the CEA parsing that drm_edid.c does. Acked-by: Linus Torvalds Cc: Tavis Ormandy Signed-off-by: Daniel Vetter Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20190721201956.941-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman commit 91b8ab30ff542397483f8095736cbfdd23582c5c Author: Geert Uytterhoeven Date: Fri Dec 4 17:01:43 2015 +0100 fbdev: Remove unused SH-Mobile HDMI driver commit 34280340b1dc74c521e636f45cd728f9abf56ee2 upstream. As of commit 44d88c754e57a6d9 ("ARM: shmobile: Remove legacy SoC code for R-Mobile A1"), the SH-Mobile HDMI driver is no longer used. In theory it could still be used on R-Mobile A1 SoCs, but that requires adding DT support to the driver, which is not planned. Remove the driver, it can be resurrected from git history when needed. Signed-off-by: Geert Uytterhoeven Acked-by: Simon Horman Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 9b309cbd6fedf493267751558e3181a0c8995d44 Author: Masami Hiramatsu Date: Wed May 9 21:58:45 2018 +0900 uprobes/x86: Prohibit probing on MOV SS instruction commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 upstream. Since MOV SS and POP SS instructions will delay the exceptions until the next instruction is executed, single-stepping on it by uprobes must be prohibited. uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV SS (0x8e and reg == 2). This checks the target instruction and if it is MOV SS or POP SS, returns -ENOTSUPP to reject probing. Signed-off-by: Masami Hiramatsu Signed-off-by: Thomas Gleixner Acked-by: Oleg Nesterov Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox Signed-off-by: Greg Kroah-Hartman commit 7ea99b43ef29e13c77dea15332c2ad8f3216ee93 Author: Masami Hiramatsu Date: Wed May 9 21:58:15 2018 +0900 kprobes/x86: Prohibit probing on exception masking instructions commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 upstream. Since MOV SS and POP SS instructions will delay the exceptions until the next instruction is executed, single-stepping on it by kprobes must be prohibited. However, kprobes usually executes those instructions directly on trampoline buffer (a.k.a. kprobe-booster), except for the kprobes which has post_handler. Thus if kprobe user probes MOV SS with post_handler, it will do single-stepping on the MOV SS. This means it is safe that if it is used via ftrace or perf/bpf since those don't use the post_handler. Anyway, since the stack switching is a rare case, it is safer just rejecting kprobes on such instructions. Signed-off-by: Masami Hiramatsu Signed-off-by: Thomas Gleixner Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Oleg Nesterov Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox Signed-off-by: Greg Kroah-Hartman commit 04b029c35949ab52b389f9b3ac06d3517eb8e035 Author: John Johansen Date: Wed Jun 22 18:01:08 2016 -0700 apparmor: fix module parameters can be changed after policy is locked commit 58acf9d911c8831156634a44d0b022d683e1e50c upstream. the policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit 3e6dec86bcd4e8f39ab577431f346f6ad2b23af2 Author: John Johansen Date: Fri Jul 25 04:01:56 2014 -0700 apparmor: fix update the mtime of the profile file on replacement commit d671e890205a663429da74e1972e652bea4d73ab upstream. Signed-off-by: John Johansen Acked-by: Seth Arnold Signed-off-by: Greg Kroah-Hartman commit 1c374c2c1a1a52cab1c1cd4260af0d77ffdc81f2 Author: John Johansen Date: Sun Jun 8 11:20:54 2014 -0700 apparmor: fix uninitialized lsm_audit member commit b6b1b81b3afba922505b57f4c812bba022f7c4a9 upstream. BugLink: http://bugs.launchpad.net/bugs/1268727 The task field in the lsm_audit struct needs to be initialized if a change_hat fails, otherwise the following oops will occur BUG: unable to handle kernel paging request at 0000002fbead7d08 IP: [] _raw_spin_lock+0xe/0x50 PGD 1e3f35067 PUD 0 Oops: 0002 [#1] SMP Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc] CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011 task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000 RIP: 0010:[] [] _raw_spin_lock+0xe/0x50 RSP: 0018:ffff880212987b68 EFLAGS: 00010006 RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000 RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08 RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0 R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830 FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0 Stack: ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026 Call Trace: [] __lock_task_sighand+0x47/0x80 [] ? apparmor_cred_prepare+0x2f/0x50 [] do_send_sig_info+0x2c/0x80 [] send_sig_info+0x1e/0x30 [] aa_audit+0x13d/0x190 [] aa_audit_file+0xbc/0x130 [] ? apparmor_cred_prepare+0x2f/0x50 [] aa_change_hat+0x202/0x530 [] aa_setprocattr_changehat+0x116/0x1d0 [] apparmor_setprocattr+0x25d/0x300 [] security_setprocattr+0x16/0x20 [] proc_pid_attr_write+0x107/0x130 [] vfs_write+0xb4/0x1f0 [] SyS_write+0x49/0xa0 [] tracesys+0xe1/0xe6 Signed-off-by: John Johansen Acked-by: Seth Arnold Signed-off-by: Greg Kroah-Hartman commit 80989fa23c9f8766bb6c1dad6f673a77f860737a Author: Peter Zijlstra Date: Wed Apr 24 13:38:23 2019 +0200 x86/atomic: Fix smp_mb__{before,after}_atomic() commit 69d927bba39517d0980462efc051875b7f4db185 upstream. Recent probing at the Linux Kernel Memory Model uncovered a 'surprise'. Strongly ordered architectures where the atomic RmW primitive implies full memory ordering and smp_mb__{before,after}_atomic() are a simple barrier() (such as x86) fail for: *x = 1; atomic_inc(u); smp_mb__after_atomic(); r0 = *y; Because, while the atomic_inc() implies memory order, it (surprisingly) does not provide a compiler barrier. This then allows the compiler to re-order like so: atomic_inc(u); *x = 1; smp_mb__after_atomic(); r0 = *y; Which the CPU is then allowed to re-order (under TSO rules) like: atomic_inc(u); r0 = *y; *x = 1; And this very much was not intended. Therefore strengthen the atomic RmW ops to include a compiler barrier. NOTE: atomic_{or,and,xor} and the bitops already had the compiler barrier. Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Jari Ruusu Signed-off-by: Greg Kroah-Hartman commit d940eddc823283d943eca72dd6672577c6fd2156 Author: Dan Carpenter Date: Wed Nov 13 21:28:31 2019 +0300 net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() commit a56dcc6b455830776899ce3686735f1172e12243 upstream. This code is supposed to test for negative error codes and partial reads, but because sizeof() is size_t (unsigned) type then negative error codes are type promoted to high positive values and the condition doesn't work as expected. Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Nobuhiro Iwamatsu Signed-off-by: Greg Kroah-Hartman commit c581f60b988679a40e801f9adeb5accc4c118d99 Author: Jouni Hogander Date: Wed Nov 13 12:08:01 2019 +0200 slcan: Fix memory leak in error path commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream. This patch is fixing memory leak reported by Syzkaller: BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) hex dump (first 32 bytes): 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 [<000000004de5a617>] tty_ioctl+0x48d/0x1590 [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 [<0000000053d0332e>] do_syscall_64+0x16f/0x580 [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [<000000008ea75434>] 0xffffffffffffffff Cc: Wolfgang Grandegger Cc: Marc Kleine-Budde Cc: Lukas Bulwahn Signed-off-by: Jouni Hogander Signed-off-by: Marc Kleine-Budde Cc: Oliver Hartkopp Signed-off-by: Greg Kroah-Hartman commit 905bf98eb3381615bda17951fddb48076588e0b5 Author: zhong jiang Date: Mon Nov 18 11:26:09 2019 +0800 memfd: Use radix_tree_deref_slot_protected to avoid the warning. The commit eb4058d8daf8 ("memfd: Fix locking when tagging pins") introduces the following warning messages. *WARNING: suspicious RCU usage in memfd_wait_for_pins* It is because we still use radix_tree_deref_slot without read_rcu_lock. We should use radix_tree_deref_slot_protected instead in the case. Cc: stable@vger.kernel.org Fixes: eb4058d8daf8 ("memfd: Fix locking when tagging pins") Signed-off-by: zhong jiang Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit 29d9c5714096a47ed8d2a1632e382c949b089563 Author: Kefeng Wang Date: Sat Feb 23 12:33:27 2019 +0800 Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream. task A: task B: hci_uart_set_proto flush_to_ldisc - p->open(hu) -> h5_open //alloc h5 - receive_buf - set_bit HCI_UART_PROTO_READY - tty_port_default_receive_buf - hci_uart_register_dev - tty_ldisc_receive_buf - hci_uart_tty_receive - test_bit HCI_UART_PROTO_READY - h5_recv - clear_bit HCI_UART_PROTO_READY while() { - p->open(hu) -> h5_close //free h5 - h5_rx_3wire_hdr - h5_reset() //use-after-free } It could use ioctl to set hci uart proto, but there is a use-after-free issue when hci_uart_register_dev() fail in hci_uart_set_proto(), see stack above, fix this by setting HCI_UART_PROTO_READY bit only when hci_uart_register_dev() return success. Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com Signed-off-by: Kefeng Wang Reviewed-by: Jeremy Cline Signed-off-by: Marcel Holtmann Cc: Ralph Siemsen Signed-off-by: Greg Kroah-Hartman commit eec0a9e1ca410b02de831b1795848e360672a9bc Author: Loic Poulain Date: Mon Apr 4 10:48:13 2016 +0200 Bluetooth: hci_ldisc: Fix null pointer derefence in case of early data commit 84cb3df02aea4b00405521e67c4c67c2d525c364 upstream. HCI_UART_PROTO_SET flag is set before hci_uart_set_proto call. If we receive data from tty layer during this procedure, proto pointer may not be assigned yet, leading to null pointer dereference in rx method hci_uart_tty_receive. This patch fixes this issue by introducing HCI_UART_PROTO_READY flag in order to avoid any proto operation before proto opening and assignment. Signed-off-by: Loic Poulain Signed-off-by: Marcel Holtmann Cc: Ralph Siemsen Signed-off-by: Greg Kroah-Hartman commit 67f038ba9cb75fed99052f6e5b6f124a02db8162 Author: Kirill Tkhai Date: Mon Aug 27 18:29:29 2018 +0300 fuse: use READ_ONCE on congestion_threshold and max_background [ Upstream commit 2a23f2b8adbe4bd584f936f7ac17a99750eed9d7 ] Since they are of unsigned int type, it's allowed to read them unlocked during reporting to userspace. Let's underline this fact with READ_ONCE() macroses. Signed-off-by: Kirill Tkhai Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 3670e11857f936ab56338f70145ec0842a680447 Author: Rob Herring Date: Thu Sep 13 13:12:40 2018 -0500 arm64: dts: amd: Fix SPI bus warnings [ Upstream commit e9f0878c4b2004ac19581274c1ae4c61ae3ca70e ] dtc has new checks for SPI buses. Fix the warnings in node names. arch/arm64/boot/dts/amd/amd-overdrive.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi' arch/arm64/boot/dts/amd/amd-overdrive-rev-b0.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi' arch/arm64/boot/dts/amd/amd-overdrive-rev-b1.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi' Cc: Brijesh Singh Cc: Suravee Suthikulpanit Cc: Tom Lendacky Signed-off-by: Rob Herring Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 101125811f5bbc7bc90940bb184e3db4802ed4cc Author: Luiz Augusto von Dentz Date: Tue Sep 4 13:39:22 2018 +0300 Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS [ Upstream commit a5c3021bb62b970713550db3f7fd08aa70665d7e ] If the remote is not able to fully utilize the MPS choosen recalculate the credits based on the actual amount it is sending that way it can still send packets of MTU size without credits dropping to 0. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit d4740658aba1fdaf3b3de4ece52695b66bf27064 Author: Justin Ernst Date: Tue Sep 25 09:34:49 2018 -0500 EDAC: Raise the maximum number of memory controllers [ Upstream commit 6b58859419554fb824e09cfdd73151a195473cbc ] We observe an oops in the skx_edac module during boot: EDAC MC0: Giving out device to module skx_edac controller Skylake Socket#0 IMC#0 EDAC MC1: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1 EDAC MC2: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0 ... EDAC MC13: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1 EDAC MC14: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0 EDAC MC15: Giving out device to module skx_edac controller Skylake Socket#1 IMC#1 Too many memory controllers: 16 EDAC MC: Removed device 0 for skx_edac Skylake Socket#0 IMC#0 We observe there are two memory controllers per socket, with a limit of 16. Raise the maximum number of memory controllers from 16 to 2 * MAX_NUMNODES (1024). [ bp: This is just a band-aid fix until we've sorted out the whole issue with the bus_type association and handling in EDAC and can get rid of this arbitrary limit. ] Signed-off-by: Justin Ernst Signed-off-by: Borislav Petkov Acked-by: Russ Anderson Cc: Mauro Carvalho Chehab Cc: linux-edac@vger.kernel.org Link: https://lkml.kernel.org/r/20180925143449.284634-1-justin.ernst@hpe.com Signed-off-by: Sasha Levin commit 06da9c6f7c7e9aad4881cc300a616b98d88132e9 Author: YueHaibing Date: Wed Sep 26 17:06:29 2018 +0800 net: smsc: fix return type of ndo_start_xmit function [ Upstream commit 6323d57f335ce1490d025cacc83fc10b07792130 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit baa4ca05d975259dcea681dda16164c5779fabea Author: Marcel Ziswiler Date: Fri Aug 31 18:37:43 2018 +0200 ARM: tegra: apalis_t30: fix mmc1 cmd pull-up [ Upstream commit 1c997fe4becdc6fcbc06e23982ceb65621e6572a ] Fix MMC1 cmd pin pull-up causing issues on carrier boards without external pull-up. Signed-off-by: Marcel Ziswiler Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 5aa891408eb1989b60f0c427ca87de31ec8bbaf7 Author: Marcel Ziswiler Date: Fri Aug 31 14:42:33 2018 +0200 ARM: dts: tegra30: fix xcvr-setup-use-fuses [ Upstream commit 564706f65cda3de52b09e51feb423a43940fe661 ] There was a dot instead of a comma. Fix this. Signed-off-by: Marcel Ziswiler Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit fdb5e9d2c2d3ad11b0a8edd6a2d6fc84aa87dc50 Author: Jason Yan Date: Tue Sep 25 10:56:52 2018 +0800 scsi: libsas: always unregister the old device if going to discover new [ Upstream commit 32c850bf587f993b2620b91e5af8a64a7813f504 ] If we went into sas_rediscover_dev() the attached_sas_addr was already insured not to be zero. So it's unnecessary to check if the attached_sas_addr is zero. And although if the sas address is not changed, we always have to unregister the old device when we are going to register a new one. We cannot just leave the device there and bring up the new. Signed-off-by: Jason Yan CC: chenxiang CC: John Garry CC: Johannes Thumshirn CC: Ewan Milne CC: Christoph Hellwig CC: Tomas Henzl CC: Dan Williams CC: Hannes Reinecke Reviewed-by: Johannes Thumshirn Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ac370e3d1f3b01519d2705cd5815d1c9d0a8812b Author: Li Qiang Date: Tue Sep 25 13:01:27 2018 -0600 vfio/pci: Fix potential memory leak in vfio_msi_cap_len [ Upstream commit 30ea32ab1951c80c6113f300fce2c70cd12659e4 ] Free allocated vdev->msi_perm in error path. Signed-off-by: Li Qiang Reviewed-by: Eric Auger Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 76817839784fd1ea2efc9293c14979a43c834047 Author: zhong jiang Date: Thu Sep 20 10:29:13 2018 +0800 misc: genwqe: should return proper error value. [ Upstream commit 02241995b004faa7d9ff628e97f24056190853f8 ] The function should return -EFAULT when copy_from_user fails. Even though the caller does not distinguish them. but we should keep backward compatibility. Signed-off-by: zhong jiang Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit dcfef35ef1a7371129fa964cddb3cc54359243cc Author: Laura Abbott Date: Tue Sep 11 10:44:03 2018 -0700 misc: kgdbts: Fix restrict error [ Upstream commit fa0218ef733e6f247a1a3986e3eb12460064ac77 ] kgdbts current fails when compiled with restrict: drivers/misc/kgdbts.c: In function ‘configure_kgdbts’: drivers/misc/kgdbts.c:1070:2: error: ‘strcpy’ source argument is the same as destination [-Werror=restrict] strcpy(config, opt); ^~~~~~~~~~~~~~~~~~~ As the error says, config is being used in both the source and destination. Refactor the code to avoid the extra copy and put the parsing closer to the actual location. Signed-off-by: Laura Abbott Acked-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cc3ec27ddebedbb76f8a3c586ecc3461e14a2cef Author: Laurent Pinchart Date: Fri Aug 10 15:44:57 2018 +0300 usb: gadget: uvc: Only halt video streaming endpoint in bulk mode [ Upstream commit 8dbf9c7abefd5c1434a956d5c6b25e11183061a3 ] When USB requests for video data fail to be submitted, the driver signals a problem to the host by halting the video streaming endpoint. This is only valid in bulk mode, as isochronous transfers have no handshake phase and can't thus report a stall. The usb_ep_set_halt() call returns an error when using isochronous endpoints, which we happily ignore, but some UDCs complain in the kernel log. Fix this by only trying to halt the endpoint in bulk mode. Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Tested-by: Paul Elder Reviewed-by: Kieran Bingham Signed-off-by: Sasha Levin commit e47af9e7c8f168a429df7ba111b907fffd6d253c Author: Laurent Pinchart Date: Fri Aug 10 15:42:03 2018 +0300 usb: gadget: uvc: Factor out video USB request queueing [ Upstream commit 9d1ff5dcb3cd3390b1e56f1c24ae42c72257c4a3 ] USB requests for video data are queued from two different locations in the driver, with the same code block occurring twice. Factor it out to a function. Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Tested-by: Paul Elder Reviewed-by: Kieran Bingham Signed-off-by: Sasha Levin commit 66fc927508a01f133ac164d637800c198834ab35 Author: Joel Pepper Date: Tue May 29 21:02:12 2018 +0200 usb: gadget: uvc: configfs: Prevent format changes after linking header [ Upstream commit cb2200f7af8341aaf0c6abd7ba37e4c667c41639 ] While checks are in place to avoid attributes and children of a format being manipulated after the format is linked into the streaming header, the linked flag was never actually set, invalidating the protections. Update the flag as appropriate in the header link calls. Signed-off-by: Joel Pepper Reviewed-by: Kieran Bingham Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 3adae6c6d3f4997f611751310b8df42166ea96d1 Author: Laurent Pinchart Date: Thu Aug 2 00:14:00 2018 +0300 usb: gadget: uvc: configfs: Drop leaked references to config items [ Upstream commit 86f3daed59bceb4fa7981d85e89f63ebbae1d561 ] Some of the .allow_link() and .drop_link() operations implementations call config_group_find_item() and then leak the reference to the returned item. Fix this by dropping those references where needed. Signed-off-by: Laurent Pinchart Reviewed-by: Kieran Bingham Signed-off-by: Sasha Levin commit ba863f0d77fb4af25355e28313f7735aff717aac Author: Nathan Chancellor Date: Sat Sep 15 02:16:15 2018 -0400 media: davinci: Fix implicit enum conversion warning [ Upstream commit 4158757395b300b6eb308fc20b96d1d231484413 ] Clang warns when one enumerated type is implicitly converted to another. drivers/media/platform/davinci/vpbe_display.c:524:24: warning: implicit conversion from enumeration type 'enum osd_v_exp_ratio' to different enumeration type 'enum osd_h_exp_ratio' [-Wenum-conversion] layer_info->h_exp = V_EXP_6_OVER_5; ~ ^~~~~~~~~~~~~~ 1 warning generated. This appears to be a copy and paste error judging from the couple of lines directly above this statement and the way that height is handled in the if block above this one. Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit af9f80fa1e5a5866bf511609c084434a14fd49af Author: Jia-Ju Bai Date: Sat Sep 1 07:44:09 2018 -0400 media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() [ Upstream commit 8d11eb847de7d89c2754988c944d51a4f63e219b ] The driver may sleep in a interrupt handler. The function call paths (from bottom to top) in Linux-4.16 are: [FUNC] kzalloc(GFP_KERNEL) drivers/media/pci/ivtv/ivtv-yuv.c, 938: kzalloc in ivtv_yuv_init drivers/media/pci/ivtv/ivtv-yuv.c, 960: ivtv_yuv_init in ivtv_yuv_next_free drivers/media/pci/ivtv/ivtv-yuv.c, 1126: ivtv_yuv_next_free in ivtv_yuv_setup_stream_frame drivers/media/pci/ivtv/ivtv-irq.c, 827: ivtv_yuv_setup_stream_frame in ivtv_irq_dec_data_req drivers/media/pci/ivtv/ivtv-irq.c, 1013: ivtv_irq_dec_data_req in ivtv_irq_handler To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fce9612b5f495cc3051ead904c75157e37004071 Author: Dengcheng Zhu Date: Tue Sep 11 14:49:23 2018 -0700 MIPS: kexec: Relax memory restriction [ Upstream commit a6da4d6fdf8bd512c98d3ac7f1d16bc4bb282919 ] We can rely on the system kernel and the dump capture kernel themselves in memory usage. Being restrictive with 512MB limit may cause kexec tool failure on some platforms. Tested-by: Rachel Mozes Reported-by: Rachel Mozes Signed-off-by: Dengcheng Zhu Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/20568/ Cc: pburton@wavecomp.com Cc: ralf@linux-mips.org Cc: linux-mips@linux-mips.org Signed-off-by: Sasha Levin commit d1b548815f6127b60610ee1ce6fa0f2451ac7392 Author: Matthew Whitehead Date: Fri Sep 21 17:20:40 2018 -0400 x86/CPU: Use correct macros for Cyrix calls [ Upstream commit 03b099bdcdf7125d4a63dc9ddeefdd454e05123d ] There are comments in processor-cyrix.h advising you to _not_ make calls using the deprecated macros in this style: setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80); This is because it expands the macro into a non-functioning calling sequence. The calling order must be: outb(CX86_CCR2, 0x22); inb(0x23); From the comments: * When using the old macros a line like * setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); * gets expanded to: * do { * outb((CX86_CCR2), 0x22); * outb((({ * outb((CX86_CCR2), 0x22); * inb(0x23); * }) | 0x88), 0x23); * } while (0); The new macros fix this problem, so use them instead. Signed-off-by: Matthew Whitehead Signed-off-by: Borislav Petkov Reviewed-by: Andy Lutomirski Cc: Greg Kroah-Hartman Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jia Zhang Cc: Peter Zijlstra Cc: Philippe Ombredanne Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180921212041.13096-2-tedheadster@gmail.com Signed-off-by: Sasha Levin commit 819f6d97470d03571a5bf8aa663ddee2139c8bbd Author: YueHaibing Date: Fri Sep 21 10:42:15 2018 +0800 net: micrel: fix return type of ndo_start_xmit function [ Upstream commit 2b49117a5abee8478b0470cba46ac74f93b4a479 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8f64a1a7ff428a5f43a87433f5a39b222ac0b32a Author: Shahed Shaikh Date: Thu Sep 20 11:22:51 2018 -0700 bnx2x: Ignore bandwidth attention in single function mode [ Upstream commit 75a110a1783ef8324ffd763b24f4ac268253cbca ] This is a workaround for FW bug - MFW generates bandwidth attention in single function mode, which is only expected to be generated in multi function mode. This undesired attention in SF mode results in incorrect HW configuration and resulting into Tx timeout. Signed-off-by: Shahed Shaikh Signed-off-by: Ariel Elior Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9d8e2f352c16847d036001c5f8a8bc3440b18bb1 Author: Stefan Agner Date: Sat Sep 15 21:38:24 2018 -0700 cpufeature: avoid warning when compiling with clang [ Upstream commit c785896b21dd8e156326ff660050b0074d3431df ] The table id (second) argument to MODULE_DEVICE_TABLE is often referenced otherwise. This is not the case for CPU features. This leads to warnings when building the kernel with Clang: arch/arm/crypto/aes-ce-glue.c:450:1: warning: variable 'cpu_feature_match_AES' is not needed and will not be emitted [-Wunneeded-internal-declaration] module_cpu_feature_match(AES, aes_init); ^ Avoid warnings by using __maybe_unused, similar to commit 1f318a8bafcf ("modules: mark __inittest/__exittest as __maybe_unused"). Fixes: 67bad2fdb754 ("cpu: add generic support for CPU feature based module autoloading") Signed-off-by: Stefan Agner Acked-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a6298e915763fa678bb10a2e90819974d852e6e3 Author: Rob Herring Date: Thu Sep 13 13:12:34 2018 -0500 ARM: dts: ste: Fix SPI controller node names [ Upstream commit 2f967f9e9fa076affb711da1a8389b5d33814fc6 ] SPI controller nodes should be named 'spi' rather than 'ssp'. Fixing the name enables dtc SPI bus checks. Signed-off-by: Rob Herring Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 448d70e74bfa99bf242349321a8150ea3e9ffe08 Author: Linus Walleij Date: Tue Jul 3 10:30:03 2018 +0200 ARM: dts: ux500: Fix LCDA clock line muxing [ Upstream commit ecde29569e3484e1d0a032bf4074449bce4d4a03 ] The "lcdaclk_b_1" group is muxed with the function "lcd" but needs a separate entry to be muxed in with "lcda" rather than "lcd". Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 1c4ec0531ee38ea2cd3fc9a9ae691b9474bb3c4d Author: Geert Uytterhoeven Date: Tue Jun 26 09:50:09 2018 +0200 ARM: dts: ux500: Correct SCU unit address [ Upstream commit 2f217d24ecaec2012e628d21e244eef0608656a4 ] The unit address of the Cortex-A9 SCU device node contains one zero too many. Remove it. Signed-off-by: Geert Uytterhoeven Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 68865d163c20cadeb5483e6f5d26c812c6d9f68e Author: Grygorii Strashko Date: Sat Sep 8 17:33:40 2018 -0500 ARM: dts: am335x-evm: fix number of cpsw [ Upstream commit dcbf6b18d81bcdc51390ca1b258c17e2e13b7d0c ] am335x-evm has only one CPSW external port physically wired, but DT defines 2 ext. ports. As result, PHY connection failure reported for the second ext. port. Update DT to reflect am335x-evm board HW configuration, and, while here, switch to use phy-handle instead of phy_id. Signed-off-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 7e15c978362559a8e0f9dc5bd0d0030dd980bf84 Author: Loic Poulain Date: Tue Sep 4 17:18:58 2018 +0200 usb: chipidea: Fix otg event handler [ Upstream commit 59739131e0ca06db7560f9073fff2fb83f6bc2a5 ] At OTG work running time, it's possible that several events need to be addressed (e.g. ID and VBUS events). The current implementation handles only one event at a time which leads to ignoring the other one. Fix it. Signed-off-by: Loic Poulain Signed-off-by: Peter Chen Signed-off-by: Sasha Levin commit 945536fb45e8914f139ab381dd1e1ac8b82000b9 Author: YueHaibing Date: Wed Sep 19 18:50:17 2018 +0800 net: amd: fix return type of ndo_start_xmit function [ Upstream commit fe72352e37ae8478f4c97975a9831f0c50f22e73 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 166135e4cdaa3506ff26ee6208a807e9c0adf83c Author: YueHaibing Date: Wed Sep 19 18:45:12 2018 +0800 net: broadcom: fix return type of ndo_start_xmit function [ Upstream commit 0c13b8d1aee87c35a2fbc1d85a1f766227cf54b5 ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9431f720b8209d61d9701e410965e364bd88a501 Author: YueHaibing Date: Wed Sep 19 18:32:40 2018 +0800 net: xilinx: fix return type of ndo_start_xmit function [ Upstream commit 81255af8d9d5565004792c295dde49344df450ca ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a2e4caeac47b47af044b9a7518cbb31e3ad1bf92 Author: YueHaibing Date: Wed Sep 19 18:23:39 2018 +0800 net: toshiba: fix return type of ndo_start_xmit function [ Upstream commit bacade822524e02f662d88f784d2ae821a5546fb ] The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', which is a typedef for an enum type, so make sure the implementation in this driver has returns 'netdev_tx_t' value, and change the function return type to netdev_tx_t. Found by coccinelle. Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6aa5efca2ba003cbd99f3489a82ee8e69611bfcc Author: Andreas Kemnade Date: Mon Sep 17 07:00:07 2018 +0200 power: supply: twl4030_charger: disable eoc interrupt on linear charge [ Upstream commit 079cdff3d0a09c5da10ae1be35def7a116776328 ] This avoids getting woken up from suspend after power interruptions when the bci wrongly thinks the battery is full just because of input current going low because of low input power Signed-off-by: Andreas Kemnade Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 4e42816ac16bb15b58e3304b4c5036141cc38ef5 Author: Andreas Kemnade Date: Mon Sep 17 07:20:35 2018 +0200 power: supply: twl4030_charger: fix charging current out-of-bounds [ Upstream commit 8314c212f995bc0d06b54ad02ef0ab4089781540 ] the charging current uses unsigned int variables, if we step back if the current is still low, we would run into negative which means setting the target to a huge value. Better add checks here. Signed-off-by: Andreas Kemnade Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 657f4204b23c061fdc572c5fd249ac4a51f0c062 Author: Rob Herring Date: Thu Sep 13 15:16:22 2018 -0500 libfdt: Ensure INT_MAX is defined in libfdt_env.h [ Upstream commit 53dd9dce6979bc54d64a3a09a2fb20187a025be7 ] The next update of libfdt has a new dependency on INT_MAX. Update the instances of libfdt_env.h in the kernel to either include the necessary header with the definition or define it locally. Cc: Russell King Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: linux-arm-kernel@lists.infradead.org Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 092e18f0c326b7f36c42958a6549c1f0329a9efa Author: Nathan Fontenot Date: Mon Sep 17 14:14:02 2018 -0500 powerpc/pseries: Disable CPU hotplug across migrations [ Upstream commit 85a88cabad57d26d826dd94ea34d3a785824d802 ] When performing partition migrations all present CPUs must be online as all present CPUs must make the H_JOIN call as part of the migration process. Once all present CPUs make the H_JOIN call, one CPU is returned to make the rtas call to perform the migration to the destination system. During testing of migration and changing the SMT state we have found instances where CPUs are offlined, as part of the SMT state change, before they make the H_JOIN call. This results in a hung system where every CPU is either in H_JOIN or offline. To prevent this this patch disables CPU hotplug during the migration process. Signed-off-by: Nathan Fontenot Reviewed-by: Tyrel Datwyler Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit b5693ef77f1466bc30292f9728addebfad803e92 Author: Nicholas Piggin Date: Sat Sep 15 01:30:45 2018 +1000 powerpc/64s/hash: Fix stab_rr off by one initialization [ Upstream commit 09b4438db13fa83b6219aee5993711a2aa2a0c64 ] This causes SLB alloation to start 1 beyond the start of the SLB. There is no real problem because after it wraps it stats behaving properly, it's just surprisig to see when looking at SLB traces. Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 6eb5dfdd45645da7a023fea95865dab51a4f1a39 Author: Breno Leitao Date: Tue Aug 21 15:44:48 2018 -0300 powerpc/iommu: Avoid derefence before pointer check [ Upstream commit 984ecdd68de0fa1f63ce205d6c19ef5a7bc67b40 ] The tbl pointer is being derefenced by IOMMU_PAGE_SIZE prior the check if it is not NULL. Just moving the dereference code to after the check, where there will be guarantee that 'tbl' will not be NULL. Signed-off-by: Breno Leitao Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 3b767de18989f8f13bbd3d944b791674a8a1416d Author: Anton Vasilyev Date: Tue Aug 7 13:59:05 2018 +0300 serial: mxs-auart: Fix potential infinite loop [ Upstream commit 5963e8a3122471cadfe0eba41c4ceaeaa5c8bb4d ] On the error path of mxs_auart_request_gpio_irq() is performed backward iterating with index i of enum type. Underline enum type may be unsigned char. In this case check (--i >= 0) will be always true and error handling goes into infinite loop. The patch changes the check so that it is valid for signed and unsigned types. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev Acked-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f94cdf46eabb7dc408327ea99708873bbd4258cd Author: Sinan Kaya Date: Fri Aug 10 04:32:11 2018 +0000 PCI/ACPI: Correct error message for ASPM disabling [ Upstream commit 1ad61b612b95980a4d970c52022aa01dfc0f6068 ] If _OSC execution fails today for platforms without an _OSC entry, code is printing a misleading message saying disabling ASPM as follows: acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM We need to ensure that platform supports ASPM to begin with. Reported-by: Michael Kelley Signed-off-by: Sinan Kaya Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 83672bfe1cd59d39b0e7a87c66a53a4cbc0bc1db Author: Julian Wiedmann Date: Mon Sep 17 17:36:06 2018 +0200 s390/qeth: invoke softirqs after napi_schedule() [ Upstream commit 4d19db777a2f32c9b76f6fd517ed8960576cb43e ] Calling napi_schedule() from process context does not ensure that the NET_RX softirq is run in a timely fashion. So trigger it manually. This is no big issue with current code. A call to ndo_open() is usually followed by a ndo_set_rx_mode() call, and for qeth this contains a spin_unlock_bh(). Except for OSN, where qeth_l2_set_rx_mode() bails out early. Nevertheless it's best to not depend on this behaviour, and just fix the issue at its source like all other drivers do. For instance see commit 83a0c6e58901 ("i40e: Invoke softirqs after napi_reschedule"). Fixes: a1c3ed4c9ca0 ("qeth: NAPI support for l2 and l3 discipline") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 39bd6a7496fc9aca3a9611082e272b4e38c4dded Author: Bernd Edlinger Date: Sat Jul 7 17:52:47 2018 +0000 kernfs: Fix range checks in kernfs_get_target_path [ Upstream commit a75e78f21f9ad4b810868c89dbbabcc3931591ca ] The terminating NUL byte is only there because the buffer is allocated with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the range-check is off-by-one, and PAGE_SIZE==PATH_MAX, the returned string may not be zero-terminated if it is exactly PATH_MAX characters long. Furthermore also the initial loop may theoretically exceed PATH_MAX and cause a fault. Signed-off-by: Bernd Edlinger Acked-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 709426fc57462a42618ac3d63db852b292d19e49 Author: Tomasz Figa Date: Tue Jul 17 18:05:07 2018 +0200 power: supply: max8998-charger: Fix platform data retrieval [ Upstream commit cb90a2c6f77fe9b43d1e3f759bb2f13fe7fa1811 ] Since the max8998 MFD driver supports instantiation by DT, platform data retrieval is handled in MFD probe and cell drivers should get use the pdata field of max8998_dev struct to obtain them. Fixes: ee999fb3f17f ("mfd: max8998: Add support for Device Tree") Signed-off-by: Tomasz Figa Signed-off-by: Paweł Chmiel Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 52741990fa566179fa2cedce505f3e56e0a32433 Author: Dan Carpenter Date: Mon Sep 10 11:39:04 2018 +0300 power: supply: ab8500_fg: silence uninitialized variable warnings [ Upstream commit 54baff8d4e5dce2cef61953b1dc22079cda1ddb1 ] If kstrtoul() fails then we print "charge_full" when it's uninitialized. The debug printk doesn't add anything so I deleted it and cleaned these two functions up a bit. Signed-off-by: Dan Carpenter Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 1f6a7105b15be93b5ee84039d8466fb6e7a61004 Author: Ganesh Goudar Date: Fri Sep 14 14:36:27 2018 +0530 cxgb4: Fix endianness issue in t4_fwcache() [ Upstream commit 0dc235afc59a226d951352b0adf4a89b532a9d13 ] Do not put host-endian 0 or 1 into big endian feild. Reported-by: Al Viro Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1a66e50c45e6abb6fc14509a44d2eb210f7f2957 Author: Ludovic Desroches Date: Thu Sep 13 14:42:13 2018 +0200 pinctrl: at91: don't use the same irqchip with multiple gpiochips [ Upstream commit 0c3dfa176912b5f87732545598200fb55e9c1978 ] Sharing the same irqchip with multiple gpiochips is not a good practice. For instance, when installing hooks, we change the state of the irqchip. The initial state of the irqchip for the second gpiochip to register is then disrupted. Signed-off-by: Ludovic Desroches Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a05541487b89f3f8e475bce6f57543a64e13228d Author: Dinh Nguyen Date: Thu Sep 13 23:52:49 2018 -0500 ARM: dts: socfpga: Fix I2C bus unit-address error [ Upstream commit cbbc488ed85061a765cf370c3e41f383c1e0add6 ] dtc has new checks for I2C buses. Fix the warnings in unit-addresses. arch/arm/boot/dts/socfpga_cyclone5_de0_sockit.dtb: Warning (i2c_bus_reg): /soc/i2c@ffc04000/adxl345@0: I2C bus unit address format error, expected "53" Signed-off-by: Rob Herring Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit 0b7600db547a532f8bf0b6a222c3eec73931febc Author: Alan Modra Date: Fri Sep 14 13:10:04 2018 +0930 powerpc/vdso: Correct call frame information [ Upstream commit 56d20861c027498b5a1112b4f9f05b56d906fdda ] Call Frame Information is used by gdb for back-traces and inserting breakpoints on function return for the "finish" command. This failed when inside __kernel_clock_gettime. More concerning than difficulty debugging is that CFI is also used by stack frame unwinding code to implement exceptions. If you have an app that needs to handle asynchronous exceptions for some reason, and you are unlucky enough to get one inside the VDSO time functions, your app will crash. What's wrong: There is control flow in __kernel_clock_gettime that reaches label 99 without saving lr in r12. CFI info however is interpreted by the unwinder without reference to control flow: It's a simple matter of "Execute all the CFI opcodes up to the current address". That means the unwinder thinks r12 contains the return address at label 99. Disabuse it of that notion by resetting CFI for the return address at label 99. Note that the ".cfi_restore lr" could have gone anywhere from the "mtlr r12" a few instructions earlier to the instruction at label 99. I put the CFI as late as possible, because in general that's best practice (and if possible grouped with other CFI in order to reduce the number of CFI opcodes executed when unwinding). Using r12 as the return address is perfectly fine after the "mtlr r12" since r12 on that code path still contains the return address. __get_datapage also has a CFI error. That function temporarily saves lr in r0, and reflects that fact with ".cfi_register lr,r0". A later use of r0 means the CFI at that point isn't correct, as r0 no longer contains the return address. Fix that too. Signed-off-by: Alan Modra Tested-by: Reza Arbab Signed-off-by: Paul Mackerras Signed-off-by: Sasha Levin commit db70320a71fbd38a560335a47613ac33d61eb5a7 Author: Cong Wang Date: Tue Sep 11 11:42:06 2018 -0700 llc: avoid blocking in llc_sap_close() [ Upstream commit 9708d2b5b7c648e8e0a40d11e8cea12f6277f33c ] llc_sap_close() is called by llc_sap_put() which could be called in BH context in llc_rcv(). We can't block in BH. There is no reason to block it here, kfree_rcu() should be sufficient. Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7c235b44dc99b4237fc0a54301eda60acc7a0af6 Author: Dan Carpenter Date: Mon Sep 10 11:37:45 2018 +0300 pinctrl: at91-pio4: fix has_config check in atmel_pctl_dt_subnode_to_map() [ Upstream commit b97760ae8e3dc8bb91881c13425a0bff55f2bd85 ] Smatch complains about this condition: if (has_config && num_pins >= 1) The "has_config" variable is either uninitialized or true. The "num_pins" variable is unsigned and we verified that it is non-zero on the lines before so we know "num_pines >= 1" is true. Really, we could just check "num_configs" directly and remove the "has_config" variable. Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") Signed-off-by: Dan Carpenter Acked-by: Ludovic Desroches Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 9df76cb7ec80ff41298c0cfcc842ee3688e78b51 Author: Takashi Iwai Date: Tue Aug 28 16:39:10 2018 +0200 ALSA: intel8x0m: Register irq handler after register initializations [ Upstream commit 7064f376d4a10686f51c879401a569bb4babf9c6 ] The interrupt handler has to be acquired after the other resource initialization when allocated with IRQF_SHARED. Otherwise it's triggered before the resource gets ready, and may lead to unpleasant behavior. Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 24293b23bca5c05b4e047daaed37d3d38d50a8dc Author: Lao Wei Date: Mon Jul 9 08:15:53 2018 -0400 media: fix: media: pci: meye: validate offset to avoid arbitrary access [ Upstream commit eac7230fdb4672c2cb56f6a01a1744f562c01f80 ] Motion eye video4linux driver for Sony Vaio PictureBook desn't validate user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying pass different arbitrary address. Discussion: http://www.openwall.com/lists/oss-security/2018/07/06/1 Signed-off-by: Lao Wei Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit cdf4e8eae639d9fc085f974aa9958b8eaeb1fd02 Author: Srinivas Kandagatla Date: Tue Aug 7 13:19:35 2018 +0100 nvmem: core: return error code instead of NULL from nvmem_device_get [ Upstream commit ca6ac25cecf0e740d7cc8e03e0ebbf8acbeca3df ] nvmem_device_get() should return ERR_PTR() on error or valid pointer on success, but one of the code path seems to return NULL, so fix it. Reported-by: Niklas Cassel Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b99fc345d90878bd4adbabdb2cb5800e30e11ff5 Author: Masami Hiramatsu Date: Tue Sep 11 19:21:09 2018 +0900 kprobes: Don't call BUG_ON() if there is a kprobe in use on free list [ Upstream commit cbdd96f5586151e48317d90a403941ec23f12660 ] Instead of calling BUG_ON(), if we find a kprobe in use on free kprobe list, just remove it from the list and keep it on kprobe hash list as same as other in-use kprobes. Signed-off-by: Masami Hiramatsu Cc: Anil S Keshavamurthy Cc: David S . Miller Cc: Linus Torvalds Cc: Naveen N . Rao Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/153666126882.21306.10738207224288507996.stgit@devbox Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 3d7ff04aae05c93857604ae0910a4f329d1221ff Author: Deepak Ukey Date: Tue Sep 11 14:18:04 2018 +0530 scsi: pm80xx: Fixed system hang issue during kexec boot [ Upstream commit 72349b62a571effd6faadd0600b8e657dd87afbf ] When the firmware is not responding, execution of kexec boot causes a system hang. When firmware assertion happened, driver get notified with interrupt vector updated in MPI configuration table. Then, the driver will read scratchpad register and set controller_fatal_error flag to true. Signed-off-by: Deepak Ukey Signed-off-by: Viswas G Acked-by: Jack Wang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 29e5cc0f417ba64281f7b41d3bb4eca5a7fbf1ea Author: Deepak Ukey Date: Tue Sep 11 14:18:03 2018 +0530 scsi: pm80xx: Corrected dma_unmap_sg() parameter [ Upstream commit 76cb25b058034d37244be6aca97a2ad52a5fbcad ] For the function dma_unmap_sg(), the parameter should be number of elements in the scatter list prior to the mapping, not after the mapping. Signed-off-by: Deepak Ukey Signed-off-by: Viswas G Acked-by: Jack Wang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 103e46a0e177886ee41f78c4038b687fd088125f Author: Oleksij Rempel Date: Thu Aug 2 12:34:21 2018 +0200 ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set [ Upstream commit 8148d2136002da2e2887caf6a07bbd9c033f14f3 ] One of the Freescale recommended sequences for power off with external PMIC is the following: ... 3. SoC is programming PMIC for power off when standby is asserted. 4. In CCM STOP mode, Standby is asserted, PMIC gates SoC supplies. See: http://www.nxp.com/assets/documents/data/en/reference-manuals/IMX6DQRM.pdf page 5083 This patch implements step 4. of this sequence. Signed-off-by: Oleksij Rempel Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 9ddc4bd10d8acc37b9986be58cd1a4d1df1934a5 Author: George Kennedy Date: Wed Aug 29 11:38:16 2018 -0400 scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() [ Upstream commit 288315e95264b6355e26609e9dec5dc4563d4ab0 ] sym_int_sir() in sym_hipd.c does not check the command pointer for NULL before using it in debug message prints. Suggested-by: Matthew Wilcox Signed-off-by: George Kennedy Reviewed-by: Mark Kanda Acked-by: Matthew Wilcox Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 79b1b5ec76bb3ca7186e9c6886b81399d573acf2 Author: Eric W. Biederman Date: Thu Jul 19 20:48:30 2018 -0500 signal: Properly deliver SIGSEGV from x86 uprobes [ Upstream commit 4a63c1ffd384ebdce40aac9c997dab68379137be ] For userspace to tell the difference between an random signal and an exception, the exception must include siginfo information. Using SEND_SIG_FORCED for SIGSEGV is thus wrong, and it will result in userspace seeing si_code == SI_USER (like a random signal) instead of si_code == SI_KERNEL or a more specific si_code as all exceptions deliver. Therefore replace force_sig_info(SIGSEGV, SEND_SIG_FORCE, current) with force_sig(SIG_SEGV, current) which gets this right and is shorter and easier to type. Fixes: 791eca10107f ("uretprobes/x86: Hijack return address") Reviewed-by: Thomas Gleixner Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit dc9c09f5edc5aeaa1e04bc63b15c56b81bb6ee92 Author: Eric W. Biederman Date: Thu Jul 19 20:33:53 2018 -0500 signal: Properly deliver SIGILL from uprobes [ Upstream commit 55a3235fc71bf34303e34a95eeee235b2d2a35dd ] For userspace to tell the difference between a random signal and an exception, the exception must include siginfo information. Using SEND_SIG_FORCED for SIGILL is thus wrong, and it will result in userspace seeing si_code == SI_USER (like a random signal) instead of si_code == SI_KERNEL or a more specific si_code as all exceptions deliver. Therefore replace force_sig_info(SIGILL, SEND_SIG_FORCE, current) with force_sig(SIG_ILL, current) which gets this right and is shorter and easier to type. Fixes: 014940bad8e4 ("uprobes/x86: Send SIGILL if arch_uprobe_post_xol() fails") Fixes: 0b5256c7f173 ("uprobes: Send SIGILL if handle_trampoline() fails") Reviewed-by: Thomas Gleixner Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit bbf66e0d4239f43434816e7d58746edc2e344257 Author: Eric W. Biederman Date: Thu Jul 19 19:47:27 2018 -0500 signal: Always ignore SIGKILL and SIGSTOP sent to the global init [ Upstream commit 86989c41b5ea08776c450cb759592532314a4ed6 ] If the first process started (aka /sbin/init) receives a SIGKILL it will panic the system if it is delivered. Making the system unusable and undebugable. It isn't much better if the first process started receives SIGSTOP. So always ignore SIGSTOP and SIGKILL sent to init. This is done in a separate clause in sig_task_ignored as force_sig_info can clear SIG_UNKILLABLE and this protection should work even then. Reviewed-by: Thomas Gleixner Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 8f0c1696ecd01ede1539c4e6a3f2a6850216b4e9 Author: Daniel Silsby Date: Wed Aug 29 23:32:56 2018 +0200 dmaengine: dma-jz4780: Further residue status fix [ Upstream commit 83ef4fb7556b6a673f755da670cbacab7e2c7f1b ] Func jz4780_dma_desc_residue() expects the index to the next hw descriptor as its last parameter. Caller func jz4780_dma_tx_status(), however, applied modulus before passing it. When the current hw descriptor was last in the list, the index passed became zero. The resulting excess of reported residue especially caused problems with cyclic DMA transfer clients, i.e. ALSA AIC audio output, which rely on this for determining current DMA location within buffer. Combined with the recent and related residue-reporting fixes, spurious ALSA audio underruns on jz4770 hardware are now fixed. Signed-off-by: Daniel Silsby Signed-off-by: Paul Cercueil Tested-by: Mathieu Malaterre Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit b8fac3d96f46cde91b64a1bead0a1cbfc40133be Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:14 2018 +0200 ARM: dts: omap3-gta04: keep vpll2 always on [ Upstream commit 1ae00833e30c9b4af5cbfda65d75b1de12f74013 ] This is needed to make the display and venc work properly. Compare to omap3-beagle.dts. Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 9f7ff806378540d67ca03acfc0e94a9be41022f8 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:12 2018 +0200 ARM: dts: omap3-gta04: make NAND partitions compatible with recent U-Boot [ Upstream commit fa99c21ecb3cd4021a60d0e8bf880e78b5bd0729 ] Vendor defined U-Boot has changed the partition scheme a while ago: * kernel partition 6MB * file system partition uses the remainder up to end of the NAND * increased size of the environment partition (to get an OneNAND compatible base address) * shrink the U-Boot partition Let's be compatible (e.g. Debian kernel built from upstream). Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 3a846792ca6d22072afc6104ea3b2e1865b6e0a9 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:09 2018 +0200 ARM: dts: omap3-gta04: tvout: enable as display1 alias [ Upstream commit 8905592b6e50cec905e6c6035bbd36201a3bfac1 ] The omap dss susbystem takes the display aliases to find out which displays exist. To enable tv-out we must define an alias. Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 93d1d8095d1634c75ecd02b92024bec917c03a98 Author: H. Nikolaus Schaller Date: Tue Jul 31 09:11:06 2018 +0200 ARM: dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files [ Upstream commit fa0d7dc355c890725b6178dab0cc11b194203afa ] needed for device variants based on GTA04 board but with different display panel (driver). Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 1cbb52c15fff0470a1ae20a3b58f47de21be55c9 Author: Rob Herring Date: Mon Aug 27 09:50:09 2018 -0500 of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC [ Upstream commit f6707fd6241e483f6fea2caae82d876e422bb11a ] Cache nodes under the cpu node(s) is PowerMac specific according to the comment above, so make the code enforce that. Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 1f2952dd752e0918e0a85eef0eb4ec343d17fffb Author: Ding Xiang Date: Thu Sep 6 12:19:19 2018 +0800 mips: txx9: fix iounmap related issue [ Upstream commit c6e1241a82e6e74d1ae5cc34581dab2ffd6022d0 ] if device_register return error, iounmap should be called, also iounmap need to call before put_device. Signed-off-by: Ding Xiang Reviewed-by: Atsushi Nemoto Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/20476/ Cc: ralf@linux-mips.org Cc: jhogan@kernel.org Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit 62396b1bfec4764245d99d13f21504bc6cc68fd9 Author: Erik Stromdahl Date: Tue Sep 4 15:07:07 2018 +0300 ath10k: wmi: disable softirq's while calling ieee80211_rx [ Upstream commit 37f62c0d5822f631b786b29a1b1069ab714d1a28 ] This is done in order not to trig the below warning in ieee80211_rx_napi: WARN_ON_ONCE(softirq_count() == 0); ieee80211_rx_napi requires that softirq's are disabled during execution. The High latency bus drivers (SDIO and USB) sometimes call the wmi ep_rx_complete callback from non softirq context, resulting in a trigger of the above warning. Calling ieee80211_rx_ni with softirq's already disabled (e.g., from softirq context) should be safe as the local_bh_disable and local_bh_enable functions (called from ieee80211_rx_ni) are fully reentrant. Signed-off-by: Erik Stromdahl Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 2792933670dd893796b6f159dc28c5b7d08d915b Author: Colin Ian King Date: Thu Sep 6 11:41:52 2018 +0100 ASoC: sgtl5000: avoid division by zero if lo_vag is zero [ Upstream commit 9ab708aef61f5620113269a9d1bdb1543d1207d0 ] In the case where lo_vag <= SGTL5000_LINE_OUT_GND_BASE, lo_vag is set to zero and later vol_quot is computed by dividing by lo_vag causing a division by zero error. Fix this by avoiding a zero division and set vol_quot to zero in this specific case so that the lowest setting for i is correctly set. Signed-off-by: Colin Ian King Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit adb5b0917f69970e48db91256e95f3df457388bb Author: Stefan Wahren Date: Tue Sep 4 19:29:09 2018 +0200 net: lan78xx: Bail out if lan78xx_get_endpoints fails [ Upstream commit fa8cd98c06407b5798b927cd7fd14d30f360ed02 ] We need to bail out if lan78xx_get_endpoints() fails, otherwise the result is overwritten. Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet") Signed-off-by: Stefan Wahren Reviewed-by: Raghuram Chary Jallipalli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3b63b0c7ceaeba6eb00be9502179d6c634c8cb1f Author: Larry Finger Date: Mon Aug 20 13:48:31 2018 -0500 rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument [ Upstream commit 199ba9faca909e77ac533449ecd1248123ce89e7 ] In gcc8, when the 3rd argument (size) of a call to strncpy() matches the length of the first argument, the compiler warns of the possibility of an unterminated string. Using strlcpy() forces a null at the end. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 321cf3b60eeec8f652a44fbcad7c1bdfbf0130ac Author: Marcel Ziswiler Date: Fri Aug 31 14:03:09 2018 +0200 ARM: dts: pxa: fix power i2c base address [ Upstream commit 8a1ecc01a473b75ab97be9b36f623e4551a6e9ae ] There is one too many zeroes in the Power I2C base address. Fix this. Signed-off-by: Marcel Ziswiler Signed-off-by: Robert Jarzmik Signed-off-by: Sasha Levin commit 5b20928b65e2e6f76b212e7dec611e69f0d11c9e Author: Patryk Małek Date: Tue Aug 28 10:16:09 2018 -0700 i40e: Prevent deleting MAC address from VF when set by PF [ Upstream commit 5907cf6c5bbe78be2ed18b875b316c6028b20634 ] To prevent VF from deleting MAC address that was assigned by the PF we need to check for that scenario when we try to delete a MAC address from a VF. Signed-off-by: Patryk Małek Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 0ef9b8f0b8ae00d0d1cacf370e39e167208e276c Author: Patryk Małek Date: Tue Aug 28 10:16:03 2018 -0700 i40e: hold the rtnl lock on clearing interrupt scheme [ Upstream commit 5cba17b14182696d6bb0ec83a1d087933f252241 ] Hold the rtnl lock when we're clearing interrupt scheme in i40e_shutdown and in i40e_remove. Signed-off-by: Patryk Małek Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 4e86098dbd1b87722206f68a60273f465237b1a4 Author: Mitch Williams Date: Mon Aug 20 08:12:30 2018 -0700 i40e: use correct length for strncpy [ Upstream commit 7eb74ff891b4e94b8bac48f648a21e4b94ddee64 ] Caught by GCC 8. When we provide a length for strncpy, we should not include the terminating null. So we must tell it one less than the size of the destination buffer. Signed-off-by: Mitch Williams Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin commit 420cb453d1b65e809a660e35c538e87a6ac1bdd7 Author: Marek Szyprowski Date: Fri Aug 3 12:55:32 2018 +0200 ARM: dts: exynos: Fix sound in Snow-rev5 Chromebook [ Upstream commit 64858773d78e820003a94e5a7179d368213655d6 ] This patch adds missing properties to the CODEC and sound nodes, so the audio will work also on Snow rev5 Chromebook. This patch is an extension to the commit e9eefc3f8ce0 ("ARM: dts: exynos: Add missing clock and DAI properties to the max98095 node in Snow Chromebook") and commit 6ab569936d60 ("ARM: dts: exynos: Enable HDMI audio on Snow Chromebook"). It has been reported that such changes work fine on the rev5 board too. Signed-off-by: Marek Szyprowski [krzk: Fixed typo in phandle to &max98090] Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 78dbc2d2bb0b96464a4af8182148d5fb6d1c45d7 Author: Tuomas Tynkkynen Date: Sun Aug 19 22:20:23 2018 +0300 MIPS: BCM47XX: Enable USB power on Netgear WNDR3400v3 [ Upstream commit feef7918667b84f9d5653c501542dd8d84ae32af ] Setting GPIO 21 high seems to be required to enable power to USB ports on the WNDR3400v3. As there is already similar code for WNR3500L, make the existing USB power GPIO code generic and use that. Signed-off-by: Tuomas Tynkkynen Acked-by: Hauke Mehrtens Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/20259/ Cc: Rafał Miłecki Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit e6a06024e068c4795d1c2ab54614e8805fc02174 Author: Charles Keepax Date: Mon Aug 27 14:26:47 2018 +0100 ASoC: dpcm: Properly initialise hw->rate_max [ Upstream commit e33ffbd9cd39da09831ce62c11025d830bf78d9e ] If the CPU DAI does not initialise rate_max, say if using using KNOT or CONTINUOUS, then the rate_max field will be initialised to 0. A value of zero in the rate_max field of the hardware runtime will cause the sound card to support no sample rates at all. Obviously this is not desired, just a different mechanism is being used to apply the constraints. As such update the setting of rate_max in dpcm_init_runtime_hw to be consistent with the non-DPCM cases and set rate_max to UINT_MAX if nothing is defined on the CPU DAI. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0a7edede513d2e82472921dd17e0c5d215964726 Author: Bob Peterson Date: Thu Aug 16 10:32:13 2018 -0500 gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated [ Upstream commit 4f36cb36c9d14340bb200d2ad9117b03ce992cfe ] The GFS2_RDF_UPTODATE flag in the rgrp is used to determine when a rgrp buffer is valid. It's cleared when the glock is invalidated, signifying that the buffer data is now invalid. But before this patch, function update_rgrp_lvb was setting the flag when it determined it had a valid lvb. But that's an invalid assumption: just because you have a valid lvb doesn't mean you have valid buffers. After all, another node may have made the lvb valid, and this node just fetched it from the glock via dlm. Consider this scenario: 1. The file system is mounted with RGRPLVB option. 2. In gfs2_inplace_reserve it locks the rgrp glock EX, but thanks to GL_SKIP, it skips the gfs2_rgrp_bh_get. 3. Since loops == 0 and the allocation target (ap->target) is bigger than the largest known chunk of blocks in the rgrp (rs->rs_rbm.rgd->rd_extfail_pt) it skips that rgrp and bypasses the call to gfs2_rgrp_bh_get there as well. 4. update_rgrp_lvb sees the lvb MAGIC number is valid, so bypasses gfs2_rgrp_bh_get, but it still sets sets GFS2_RDF_UPTODATE due to this invalid assumption. 5. The next time update_rgrp_lvb is called, it sees the bit is set and just returns 0, assuming both the lvb and rgrp are both uptodate. But since this is a smaller allocation, or space has been freed by another node, thus adjusting the lvb values, it decides to use the rgrp for allocations, with invalid rd_free due to the fact it was never updated. This patch changes update_rgrp_lvb so it doesn't set the UPTODATE flag anymore. That way, it has no choice but to fetch the latest values. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit 39b3ce44939aa75355357bfe0f2a23083a474e8f Author: Takashi Iwai Date: Tue Aug 28 12:49:43 2018 +0200 ALSA: seq: Do error checks at creating system ports [ Upstream commit b8e131542b47b81236ecf6768c923128e1f5db6e ] snd_seq_system_client_init() doesn't check the errors returned from its port creations. Let's do it properly and handle the error paths. Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8ad73373b8a7468d03f77fc78134e073a882f951 Author: Jay Foster Date: Mon Aug 20 11:42:01 2018 +0200 ARM: dts: at91/trivial: Fix USART1 definition for at91sam9g45 [ Upstream commit 10af10db8c76fa5b9bf1f52a895c1cb2c0ac24da ] Fix a typo. No functional change made by this patch. Signed-off-by: Jay Foster Signed-off-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 6d9c2f7832a917bb496a90e004beffb0beb9ba6f Author: Dan Carpenter Date: Mon Aug 27 12:21:45 2018 +0300 ALSA: pcm: signedness bug in snd_pcm_plug_alloc() [ Upstream commit 6f128fa41f310e1f39ebcea9621d2905549ecf52 ] The "frames" variable is unsigned so the error handling doesn't work properly. Signed-off-by: Dan Carpenter Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit cca358eaa474087f4665d3a0fe149ae48e958506 Author: Marcus Folkesson Date: Fri Aug 24 22:24:40 2018 +0200 iio: dac: mcp4922: fix error handling in mcp4922_write_raw [ Upstream commit 0833627fc3f757a0dca11e2a9c46c96335a900ee ] Do not try to write negative values and make sure that the write goes well. Signed-off-by: Marcus Folkesson Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit b827e2fa580bbada46fff51d712748bb4aa92208 Author: Eugen Hristev Date: Thu Nov 14 12:59:26 2019 +0000 mmc: sdhci-of-at91: fix quirk2 overwrite commit fed23c5829ecab4ddc712d7b0046e59610ca3ba4 upstream. The quirks2 are parsed and set (e.g. from DT) before the quirk for broken HS200 is set in the driver. The driver needs to enable just this flag, not rewrite the whole quirk set. Fixes: 7871aa60ae00 ("mmc: sdhci-of-at91: add quirk for broken HS200") Signed-off-by: Eugen Hristev Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 69ab55f2bb3fc1c57d3107224e65aefc00b1276a Author: Roman Gushchin Date: Fri Nov 15 17:34:46 2019 -0800 mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() commit 0362f326d86c645b5e96b7dbc3ee515986ed019d upstream. An exiting task might belong to an offline cgroup. In this case an attempt to grab a cgroup reference from the task can end up with an infinite loop in hugetlb_cgroup_charge_cgroup(), because neither the cgroup will become online, neither the task will be migrated to a live cgroup. Fix this by switching over to css_tryget(). As css_tryget_online() can't guarantee that the cgroup won't go offline, in most cases the check doesn't make sense. In this particular case users of hugetlb_cgroup_charge_cgroup() are not affected by this change. A similar problem is described by commit 18fa84a2db0e ("cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()"). Link: http://lkml.kernel.org/r/20191106225131.3543616-2-guro@fb.com Signed-off-by: Roman Gushchin Acked-by: Johannes Weiner Acked-by: Tejun Heo Reviewed-by: Shakeel Butt Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f023333e92cb69472a0eaf8e2c41dab657770b33 Author: Roman Gushchin Date: Fri Nov 15 17:34:43 2019 -0800 mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() commit 00d484f354d85845991b40141d40ba9e5eb60faf upstream. We've encountered a rcu stall in get_mem_cgroup_from_mm(): rcu: INFO: rcu_sched self-detected stall on CPU rcu: 33-....: (21000 ticks this GP) idle=6c6/1/0x4000000000000002 softirq=35441/35441 fqs=5017 (t=21031 jiffies g=324821 q=95837) NMI backtrace for cpu 33 <...> RIP: 0010:get_mem_cgroup_from_mm+0x2f/0x90 <...> __memcg_kmem_charge+0x55/0x140 __alloc_pages_nodemask+0x267/0x320 pipe_write+0x1ad/0x400 new_sync_write+0x127/0x1c0 __kernel_write+0x4f/0xf0 dump_emit+0x91/0xc0 writenote+0xa0/0xc0 elf_core_dump+0x11af/0x1430 do_coredump+0xc65/0xee0 get_signal+0x132/0x7c0 do_signal+0x36/0x640 exit_to_usermode_loop+0x61/0xd0 do_syscall_64+0xd4/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The problem is caused by an exiting task which is associated with an offline memcg. We're iterating over and over in the do {} while (!css_tryget_online()) loop, but obviously the memcg won't become online and the exiting task won't be migrated to a live memcg. Let's fix it by switching from css_tryget_online() to css_tryget(). As css_tryget_online() cannot guarantee that the memcg won't go offline, the check is usually useless, except some rare cases when for example it determines if something should be presented to a user. A similar problem is described by commit 18fa84a2db0e ("cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()"). Johannes: : The bug aside, it doesn't matter whether the cgroup is online for the : callers. It used to matter when offlining needed to evacuate all charges : from the memcg, and so needed to prevent new ones from showing up, but we : don't care now. Link: http://lkml.kernel.org/r/20191106225131.3543616-1-guro@fb.com Signed-off-by: Roman Gushchin Acked-by: Johannes Weiner Acked-by: Tejun Heo Reviewed-by: Shakeel Butt Cc: Michal Hocko Cc: Michal Koutn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 41ca23069f1215bfdc0961413ec5c819d4f93ad7 Author: Eric Auger Date: Fri Nov 8 16:58:03 2019 +0100 iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros commit 4e7120d79edb31e4ee68e6f8421448e4603be1e9 upstream. For both PASID-based-Device-TLB Invalidate Descriptor and Device-TLB Invalidate Descriptor, the Physical Function Source-ID value is split according to this layout: PFSID[3:0] is set at offset 12 and PFSID[15:4] is put at offset 52. Fix the part laid out at offset 52. Fixes: 0f725561e1684 ("iommu/vt-d: Add definitions for PFSID") Signed-off-by: Eric Auger Acked-by: Jacob Pan Cc: stable@vger.kernel.org # v4.19+ Acked-by: Lu Baolu Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 44b4e78bb3278e81ff48047871c935bbbbb5f280 Author: Al Viro Date: Sun Nov 3 13:55:43 2019 -0500 ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either commit 762c69685ff7ad5ad7fee0656671e20a0c9c864d upstream. We need to get the underlying dentry of parent; sure, absent the races it is the parent of underlying dentry, but there's nothing to prevent losing a timeslice to preemtion in the middle of evaluation of lower_dentry->d_parent->d_inode, having another process move lower_dentry around and have its (ex)parent not pinned anymore and freed on memory pressure. Then we regain CPU and try to fetch ->d_inode from memory that is freed by that point. dentry->d_parent *is* stable here - it's an argument of ->lookup() and we are guaranteed that it won't be moved anywhere until we feed it to d_add/d_splice_alias. So we safely go that way to get to its underlying dentry. Cc: stable@vger.kernel.org # since 2009 or so Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit c3c7cfbe975cf1b0b5f3c5fa7745851a4afa1053 Author: Al Viro Date: Sun Nov 3 13:45:04 2019 -0500 ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable commit e72b9dd6a5f17d0fb51f16f8685f3004361e83d0 upstream. lower_dentry can't go from positive to negative (we have it pinned), but it *can* go from negative to positive. So fetching ->d_inode into a local variable, doing a blocking allocation, checking that now ->d_inode is non-NULL and feeding the value we'd fetched earlier to a function that won't accept NULL is not a good idea. Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit af618124c69794bf215bf8cefb67890f95246ef8 Author: Oliver Neukum Date: Fri Nov 15 11:35:05 2019 -0800 Input: ff-memless - kill timer in destroy() commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream. No timer must be left running when the device goes away. Signed-off-by: Oliver Neukum Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit d99926e1ae70fb604b6891b8b7efefe8f32a5f3f Author: Henry Lin Date: Wed Nov 13 10:14:19 2019 +0800 ALSA: usb-audio: not submit urb for stopped endpoint commit 528699317dd6dc722dccc11b68800cf945109390 upstream. While output urb's snd_complete_urb() is executing, calling prepare_outbound_urb() may cause endpoint stopped before prepare_outbound_urb() returns and result in next urb submitted to stopped endpoint. usb-audio driver cannot re-use it afterwards as the urb is still hold by usb stack. This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again to let snd_complete_urb() know the endpoint already stopped and does not submit next urb. Below kind of error will be fixed: [ 213.153103] usb 1-2: timeout: still 1 active urbs on EP #1 [ 213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error Signed-off-by: Henry Lin Cc: Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 66aeb2294c223b8c7e098794466602c04c96affd Author: Takashi Iwai Date: Sat Nov 9 19:16:58 2019 +0100 ALSA: usb-audio: Fix missing error check at mixer resolution test commit 167beb1756791e0806365a3f86a0da10d7a327ee upstream. A check of the return value from get_cur_mix_raw() is missing at the resolution test code in get_min_max_with_quirks(), which may leave the variable untouched, leading to a random uninitialized value, as detected by syzkaller fuzzer. Add the missing return error check for fixing that. Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 602ff39cf2b646d4ddc2085e4715b0ada72e2875 Author: Oliver Neukum Date: Thu Nov 14 11:16:01 2019 +0100 ax88172a: fix information leak on short answers [ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ] If a malicious device gives a short MAC it can elicit up to 5 bytes of leaked memory out of the driver. We need to check for ETH_ALEN instead. Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 329cb706daabb0fff52b4ca5256213f429221fa1 Author: Jouni Hogander Date: Wed Nov 13 13:45:02 2019 +0200 slip: Fix memory leak in slip_open error path [ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ] Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected by Syzkaller in slcan. Same issue exists in slip.c and this patch is addressing the leak in slip.c. Here is the slcan memory leak trace reported by Syzkaller: BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) hex dump (first 32 bytes): 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 [<000000004de5a617>] tty_ioctl+0x48d/0x1590 [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 [<0000000053d0332e>] do_syscall_64+0x16f/0x580 [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [<000000008ea75434>] 0xfffffffffffffff Cc: "David S. Miller" Cc: Oliver Hartkopp Cc: Lukas Bulwahn Signed-off-by: Jouni Hogander Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman