commit 475d90ca735ce524de49d9fbe3f1a3fd5655caeb Author: Greg Kroah-Hartman Date: Wed Jan 29 10:21:53 2020 +0100 Linux 4.4.212 commit 4d7f4d383230f6ef4f8a32e1fbfa4eb7c682522f Author: Wen Huang Date: Thu Nov 28 18:51:04 2019 +0800 libertas: Fix two buffer overflows at parsing bss descriptor commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot Signed-off-by: Wen Huang Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 52a9551156693ae6fd7ce7962e76e22b890d4335 Author: Martin Schiller Date: Thu Jan 9 07:31:14 2020 +0100 net/x25: fix nonblocking connect commit e21dba7a4df4d93da237da65a096084b4f2e87b4 upstream. This patch fixes 2 issues in x25_connect(): 1. It makes absolutely no sense to reset the neighbour and the connection state after a (successful) nonblocking call of x25_connect. This prevents any connection from being established, since the response (call accept) cannot be processed. 2. Any further calls to x25_connect() while a call is pending should simply return, instead of creating new Call Request (on different logical channels). This patch should also fix the "KASAN: null-ptr-deref Write in x25_connect" and "BUG: unable to handle kernel NULL pointer dereference in x25_connect" bugs reported by syzbot. Signed-off-by: Martin Schiller Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2348440cfde4422e4ccec56f5d5cdd0a699cec80 Author: Kadlecsik József Date: Sun Jan 19 22:06:49 2020 +0100 netfilter: ipset: use bitmap infrastructure completely commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream. The bitmap allocation did not use full unsigned long sizes when calculating the required size and that was triggered by KASAN as slab-out-of-bounds read in several places. The patch fixes all of them. Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit ce30078e1c56e9b6659d185762964de8c6c0877f Author: Andy Shevchenko Date: Wed Aug 1 15:42:56 2018 -0700 bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() commit c42b65e363ce97a828f81b59033c3558f8fa7f70 upstream. A lot of code become ugly because of open coding allocations for bitmaps. Introduce three helpers to allow users be more clear of intention and keep their code neat. Note, due to multiple circular dependencies we may not provide the helpers as inliners. For now we keep them exported and, perhaps, at some point in the future we will sort out header inclusion and inheritance. Signed-off-by: Andy Shevchenko Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit e531b76de9b6b3f003714ca9a651276a65238d7c Author: Andy Shevchenko Date: Tue Jan 28 12:49:12 2020 +0100 md: Avoid namespace collision with bitmap API commit e64e4018d572710c44f42c923d4ac059f0a23320 upstream. bitmap API (include/linux/bitmap.h) has 'bitmap' prefix for its methods. On the other hand MD bitmap API is special case. Adding 'md' prefix to it to avoid name space collision. No functional changes intended. Signed-off-by: Andy Shevchenko Acked-by: Shaohua Li Signed-off-by: Dmitry Torokhov [only take the bitmap_free change for stable - gregkh] Signed-off-by: Greg Kroah-Hartman commit 4f35b1beb33088188102336cfe99add63328863d Author: Bo Wu Date: Wed Nov 20 13:26:17 2019 +0000 scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream. In iscsi_if_rx func, after receiving one request through iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to reply to the request in a do-while loop. If the iscsi_if_send_reply function keeps returning -EAGAIN, a deadlock will occur. For example, a client only send msg without calling recvmsg func, then it will result in the watchdog soft lockup. The details are given as follows: sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI); retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr); while (1) { state_msg = sendmsg(sock_fd, &msg, 0); //Note: recvmsg(sock_fd, &msg, 0) is not processed here. } close(sock_fd); watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat: curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0 deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq: TIMER: 992 SCHED: 8 Sample irqstat: irq 2: delta 1003, curr: 3103802, arch_timer CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 40400005 (nZcv daif +PAN -UAO) pc : __alloc_skb+0x104/0x1b0 lr : __alloc_skb+0x9c/0x1b0 sp : ffff000033603a30 x29: ffff000033603a30 x28: 00000000000002dd x27: ffff800b34ced810 x26: ffff800ba7569f00 x25: 00000000ffffffff x24: 0000000000000000 x23: ffff800f7c43f600 x22: 0000000000480020 x21: ffff0000091d9000 x20: ffff800b34eff200 x19: ffff800ba7569f00 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0001000101000100 x13: 0000000101010000 x12: 0101000001010100 x11: 0001010101010001 x10: 00000000000002dd x9 : ffff000033603d58 x8 : ffff800b34eff400 x7 : ffff800ba7569200 x6 : ffff800b34eff400 x5 : 0000000000000000 x4 : 00000000ffffffff x3 : 0000000000000000 x2 : 0000000000000001 x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace: __alloc_skb+0x104/0x1b0 iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi] netlink_unicast+0x1e0/0x258 netlink_sendmsg+0x310/0x378 sock_sendmsg+0x4c/0x70 sock_write_iter+0x90/0xf0 __vfs_write+0x11c/0x190 vfs_write+0xac/0x1c0 ksys_write+0x6c/0xd8 __arm64_sys_write+0x24/0x30 el0_svc_common+0x78/0x130 el0_svc_handler+0x38/0x78 el0_svc+0x8/0xc Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com Signed-off-by: Bo Wu Reviewed-by: Zhiqiang Liu Reviewed-by: Lee Duncan Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 2dd55100d12c08fbabdd8ad1c18b60906fdb9d5d Author: Lars Möllendorf Date: Fri Dec 13 14:50:55 2019 +0100 iio: buffer: align the size of scan bytes to size of the largest element commit 883f616530692d81cb70f8a32d85c0d2afc05f69 upstream. Previous versions of `iio_compute_scan_bytes` only aligned each element to its own length (i.e. its own natural alignment). Because multiple consecutive sets of scan elements are buffered this does not work in case the computed scan bytes do not align with the natural alignment of the first scan element in the set. This commit fixes this by aligning the scan bytes to the natural alignment of the largest scan element in the set. Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") Signed-off-by: Lars Möllendorf Reviewed-by: Lars-Peter Clausen Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0da89b1691602089be04e0c413567b7ce9582b21 Author: Al Viro Date: Sun Jan 26 09:29:34 2020 -0500 do_last(): fetch directory ->i_mode and ->i_uid before it's too late commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream. may_create_in_sticky() call is done when we already have dropped the reference to dir. Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files) Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 28414404dd0773ba51200e91c4eb5f8119d5fcd3 Author: Changbin Du Date: Sun Jan 12 11:42:31 2020 +0800 tracing: xen: Ordered comparison of function pointers commit d0695e2351102affd8efae83989056bc4b275917 upstream. Just as commit 0566e40ce7 ("tracing: initcall: Ordered comparison of function pointers"), this patch fixes another remaining one in xen.h found by clang-9. In file included from arch/x86/xen/trace.c:21: In file included from ./include/trace/events/xen.h:475: In file included from ./include/trace/define_trace.h:102: In file included from ./include/trace/trace_events.h:473: ./include/trace/events/xen.h:69:7: warning: ordered comparison of function \ pointers ('xen_mc_callback_fn_t' (aka 'void (*)(void *)') and 'xen_mc_callback_fn_t') [-Wordered-compare-function-pointers] __field(xen_mc_callback_fn_t, fn) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/trace/trace_events.h:421:29: note: expanded from macro '__field' ^ ./include/trace/trace_events.h:407:6: note: expanded from macro '__field_ext' is_signed_type(type), filter_type); \ ^ ./include/linux/trace_events.h:554:44: note: expanded from macro 'is_signed_type' ^ Fixes: c796f213a6934 ("xen/trace: add multicall tracing") Signed-off-by: Changbin Du Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 1c90e57caa476623c8d9a30b747ab5911105c46a Author: Bart Van Assche Date: Wed Jan 15 20:47:37 2020 -0800 scsi: RDMA/isert: Fix a recently introduced regression related to logout commit 04060db41178c7c244f2c7dcd913e7fd331de915 upstream. iscsit_close_connection() calls isert_wait_conn(). Due to commit e9d3009cb936 both functions call target_wait_for_sess_cmds() although that last function should be called only once. Fix this by removing the target_wait_for_sess_cmds() call from isert_wait_conn() and by only calling isert_wait_conn() after target_wait_for_sess_cmds(). Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session"). Link: https://lore.kernel.org/r/20200116044737.19507-1-bvanassche@acm.org Reported-by: Rahul Kundu Signed-off-by: Bart Van Assche Tested-by: Mike Marciniszyn Acked-by: Sagi Grimberg Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 31710ab4b2d0c66fdcaba87f8cdb0fe4f88e3bb8 Author: Gilles Buloz Date: Wed Nov 27 18:09:34 2019 +0100 hwmon: (nct7802) Fix voltage limits to wrong registers commit 7713e62c8623c54dac88d1fa724aa487a38c3efb upstream. in0 thresholds are written to the in2 thresholds registers in2 thresholds to in3 thresholds in3 thresholds to in4 thresholds in4 thresholds to in0 thresholds Signed-off-by: Gilles Buloz Link: https://lore.kernel.org/r/5de0f509.rc0oEvPOMjbfPW1w%gilles.buloz@kontron.com Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 71befe0afded1980f351f126c133cd0aa40b98d6 Author: Johan Hovold Date: Fri Jan 10 11:59:32 2020 -0800 Input: aiptek - fix endpoint sanity check commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream. The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") Signed-off-by: Johan Hovold Acked-by: Vladis Dronov Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 4ada19cf3890fcd6a59d05c33c5884efb037352b Author: Johan Hovold Date: Fri Jan 10 12:00:18 2020 -0800 Input: gtco - fix endpoint sanity check commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream. The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Signed-off-by: Johan Hovold Acked-by: Vladis Dronov Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit dc738295b82485263336d7f880219c43ff589907 Author: Johan Hovold Date: Fri Jan 10 12:01:27 2020 -0800 Input: sur40 - fix interface sanity checks commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream. Make sure to use the current alternate setting when verifying the interface descriptors to avoid binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") Signed-off-by: Johan Hovold Acked-by: Vladis Dronov Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 131df943a46880f4e9a512a25bc0da55164165e1 Author: Michał Mirosław Date: Wed Jan 15 10:54:35 2020 +0100 mmc: sdhci: fix minimum clock rate for v3 controller commit 2a187d03352086e300daa2044051db00044cd171 upstream. For SDHCIv3+ with programmable clock mode, minimal clock frequency is still base clock / max(divider). Minimal programmable clock frequency is always greater than minimal divided clock frequency. Without this patch, SDHCI uses out-of-spec initial frequency when multiplier is big enough: mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz [for 480 MHz source clock divided by 1024] The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode. Fixes: c3ed3877625f ("mmc: sdhci: add support for programmable clock mode") Cc: # 4f6aa3264af4: mmc: tegra: Only advertise UHS modes if IO regulator is present Cc: Signed-off-by: Michał Mirosław Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit f2b7596f90124f60e36ffb8bea4f93061f5e94f4 Author: Alex Sverdlin Date: Wed Jan 8 15:57:47 2020 +0100 ARM: 8950/1: ftrace/recordmcount: filter relocation types commit 927d780ee371d7e121cea4fc7812f6ef2cea461c upstream. Scenario 1, ARMv7 ================= If code in arch/arm/kernel/ftrace.c would operate on mcount() pointer the following may be generated: 00000230 : 230: b5f8 push {r3, r4, r5, r6, r7, lr} 232: b500 push {lr} 234: f7ff fffe bl 0 <__gnu_mcount_nc> 234: R_ARM_THM_CALL __gnu_mcount_nc 238: f240 0600 movw r6, #0 238: R_ARM_THM_MOVW_ABS_NC __gnu_mcount_nc 23c: f8d0 1180 ldr.w r1, [r0, #384] ; 0x180 FTRACE currently is not able to deal with it: WARNING: CPU: 0 PID: 0 at .../kernel/trace/ftrace.c:1979 ftrace_bug+0x1ad/0x230() ... CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.116-... #1 ... [] (unwind_backtrace) from [] (show_stack+0x11/0x14) [] (show_stack) from [] (dump_stack+0x81/0xa8) [] (dump_stack) from [] (warn_slowpath_common+0x69/0x90) [] (warn_slowpath_common) from [] (warn_slowpath_null+0x17/0x1c) [] (warn_slowpath_null) from [] (ftrace_bug+0x1ad/0x230) [] (ftrace_bug) from [] (ftrace_process_locs+0x27d/0x444) [] (ftrace_process_locs) from [] (ftrace_init+0x91/0xe8) [] (ftrace_init) from [] (start_kernel+0x34b/0x358) [] (start_kernel) from [<00308095>] (0x308095) ---[ end trace cb88537fdc8fa200 ]--- ftrace failed to modify [] prealloc_fixed_plts+0x8/0x60 actual: 44:f2:e1:36 ftrace record flags: 0 (0) expected tramp: c03143e9 Scenario 2, ARMv4T ================== ftrace: allocating 14435 entries in 43 pages ------------[ cut here ]------------ WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:2029 ftrace_bug+0x204/0x310 CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.5 #1 Hardware name: Cirrus Logic EDB9302 Evaluation Board [] (unwind_backtrace) from [] (show_stack+0x20/0x2c) [] (show_stack) from [] (dump_stack+0x20/0x30) [] (dump_stack) from [] (__warn+0xdc/0x104) [] (__warn) from [] (warn_slowpath_null+0x4c/0x5c) [] (warn_slowpath_null) from [] (ftrace_bug+0x204/0x310) [] (ftrace_bug) from [] (ftrace_init+0x3b4/0x4d4) [] (ftrace_init) from [] (start_kernel+0x20c/0x410) [] (start_kernel) from [<00000000>] ( (null)) ---[ end trace 0506a2f5dae6b341 ]--- ftrace failed to modify [] perf_trace_sys_exit+0x5c/0xe8 actual: 1e:ff:2f:e1 Initializing ftrace call sites ftrace record flags: 0 (0) expected tramp: c000fb24 The analysis for this problem has been already performed previously, refer to the link below. Fix the above problems by allowing only selected reloc types in __mcount_loc. The list itself comes from the legacy recordmcount.pl script. Link: https://lore.kernel.org/lkml/56961010.6000806@pengutronix.de/ Cc: stable@vger.kernel.org Fixes: ed60453fa8f8 ("ARM: 6511/1: ftrace: add ARM support for C version of recordmcount") Signed-off-by: Alexander Sverdlin Acked-by: Steven Rostedt (VMware) Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 64847abe3c2c0205ea83a994849d9708ced8d666 Author: Johan Hovold Date: Mon Jan 13 10:38:57 2020 -0800 Input: keyspan-remote - fix control-message timeouts commit ba9a103f40fc4a3ec7558ec9b0b97d4f92034249 upstream. The driver was issuing synchronous uninterruptible control requests without using a timeout. This could lead to the driver hanging on probe due to a malfunctioning (or malicious) device until the device is physically disconnected. While sleeping in probe the driver prevents other devices connected to the same hub from being added to (or removed from) the bus. The USB upper limit of five seconds per request should be more than enough. Fixes: 99f83c9c9ac9 ("[PATCH] USB: add driver for Keyspan Digital Remote") Signed-off-by: Johan Hovold Reviewed-by: Greg Kroah-Hartman Cc: stable # 2.6.13 Link: https://lore.kernel.org/r/20200113171715.30621-1-johan@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 594b9cf229448818cd3173d33f4ef027c562ff6d Author: Luuk Paulussen Date: Fri Dec 6 12:16:59 2019 +1300 hwmon: (adt7475) Make volt2reg return same reg as reg2volt input commit cf3ca1877574a306c0207cbf7fdf25419d9229df upstream. reg2volt returns the voltage that matches a given register value. Converting this back the other way with volt2reg didn't return the same register value because it used truncation instead of rounding. This meant that values read from sysfs could not be written back to sysfs to set back the same register value. With this change, volt2reg will return the same value for every voltage previously returned by reg2volt (for the set of possible input values) Signed-off-by: Luuk Paulussen Link: https://lore.kernel.org/r/20191205231659.1301-1-luuk.paulussen@alliedtelesis.co.nz cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit fd5bfca78b807929aaa76f29cd39ee3c03781cf5 Author: James Hughes Date: Mon Jan 20 11:12:40 2020 +0000 net: usb: lan78xx: Add .ndo_features_check [ Upstream commit ce896476c65d72b4b99fa09c2f33436b4198f034 ] As reported by Eric Dumazet, there are still some outstanding cases where the driver does not handle TSO correctly when skb's are over a certain size. Most cases have been fixed, this patch should ensure that forwarded SKB's that are greater than MAX_SINGLE_PACKET_SIZE - TX_OVERHEAD are software segmented and handled correctly. Signed-off-by: James Hughes Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9bfa1646d70b01eea470bbd15dca3e3c0e29aff1 Author: Cong Wang Date: Wed Jan 22 15:42:02 2020 -0800 net_sched: fix datalen for ematch [ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ] syzbot reported an out-of-bound access in em_nbyte. As initially analyzed by Eric, this is because em_nbyte sets its own em->datalen in em_nbyte_change() other than the one specified by user, but this value gets overwritten later by its caller tcf_em_validate(). We should leave em->datalen untouched to respect their choices. I audit all the in-tree ematch users, all of those implement ->change() set em->datalen, so we can just avoid setting it twice in this case. Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Eric Dumazet Signed-off-by: Cong Wang Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 108ba5cfafcd9e7acf9ba632d70b298675076b11 Author: William Dauchy Date: Tue Jan 21 15:26:24 2020 +0100 net, ip_tunnel: fix namespaces move [ Upstream commit d0f418516022c32ecceaf4275423e5bd3f8743a9 ] in the same manner as commit 690afc165bb3 ("net: ip6_gre: fix moving ip6gre between namespaces"), fix namespace moving as it was broken since commit 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata."). Indeed, the ip6_gre commit removed the local flag for collect_md condition, so there is no reason to keep it for ip_gre/ip_tunnel. this patch will fix both ip_tunnel and ip_gre modules. Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.") Signed-off-by: William Dauchy Acked-by: Nicolas Dichtel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8e562bd9ada2b65d71f18881543d9555e3b96063 Author: Michael Ellerman Date: Fri Jan 24 20:41:44 2020 +1100 net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM [ Upstream commit 3546d8f1bbe992488ed91592cf6bf76e7114791a = The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in cxgb_extension_ioctl(). One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears to read memory directly out of the adapter and return it to userspace. It's not entirely clear what the contents of the adapter memory contains, but the assumption is that it shouldn't be accessible to all users. So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after the is_offload() check, which matches two of the other subcommands in the same function which also check for is_offload() and CAP_NET_ADMIN. Found by Ilja by code inspection, not tested as I don't have the required hardware. Reported-by: Ilja Van Sprundel Signed-off-by: Michael Ellerman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 787095646bb8f6adde76821477e1bd9368771b71 Author: Wenwen Wang Date: Sat Jan 25 14:33:29 2020 +0000 firestream: fix memory leaks [ Upstream commit fa865ba183d61c1ec8cbcab8573159c3b72b89a4 ] In fs_open(), 'vcc' is allocated through kmalloc() and assigned to 'atm_vcc->dev_data.' In the following execution, if an error occurs, e.g., there is no more free channel, an error code EBUSY or ENOMEM will be returned. However, 'vcc' is not deallocated, leading to memory leaks. Note that, in normal cases where fs_open() returns 0, 'vcc' will be deallocated in fs_close(). But, if fs_open() fails, there is no guarantee that fs_close() will be invoked. To fix this issue, deallocate 'vcc' before the error code is returned. Signed-off-by: Wenwen Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6169e11e1f14dd272ec9c746050820e5cc2cf853 Author: Richard Palethorpe Date: Tue Jan 21 14:42:58 2020 +0100 can, slip: Protect tty->disc_data in write_wakeup and close with RCU [ Upstream commit 0ace17d56824165c7f4c68785d6b58971db954dd ] write_wakeup can happen in parallel with close/hangup where tty->disc_data is set to NULL and the netdevice is freed thus also freeing disc_data. write_wakeup accesses disc_data so we must prevent close from freeing the netdev while write_wakeup has a non-NULL view of tty->disc_data. We also need to make sure that accesses to disc_data are atomic. Which can all be done with RCU. This problem was found by Syzkaller on SLCAN, but the same issue is reproducible with the SLIP line discipline using an LTP test based on the Syzkaller reproducer. A fix which didn't use RCU was posted by Hillf Danton. Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup") Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip") Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com Signed-off-by: Richard Palethorpe Cc: Wolfgang Grandegger Cc: Marc Kleine-Budde Cc: "David S. Miller" Cc: Tyler Hall Cc: linux-can@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: syzkaller@googlegroups.com Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eb0d764eb0f5663b1d93935a72c29c496ec4f5cc Author: Finn Thain Date: Sat Dec 1 11:53:10 2018 +1100 m68k: Call timer_interrupt() with interrupts disabled [ Upstream commit 1efdd4bd254311498123a15fa0acd565f454da97 ] Some platforms execute their timer handler with the interrupt priority level set below 6. That means the handler could be interrupted by another driver and this could lead to re-entry of the timer core. Avoid this by use of local_irq_save/restore for timer interrupt dispatch. This provides mutual exclusion around the timer interrupt flag access which is needed later in this series for the clocksource conversion. Reported-by: Thomas Gleixner Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1811131407120.2697@nanos.tec.linutronix.de Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 0f8e73eb058750c8cd38be8cbfa048d71c7e2ec5 Author: Andre Przywara Date: Tue Nov 19 12:03:31 2019 +0000 arm64: dts: juno: Fix UART frequency [ Upstream commit 39a1a8941b27c37f79508426e27a2ec29829d66c ] Older versions of the Juno *SoC* TRM [1] recommended that the UART clock source should be 7.2738 MHz, whereas the *system* TRM [2] stated a more correct value of 7.3728 MHz. Somehow the wrong value managed to end up in our DT. Doing a prime factorisation, a modulo divide by 115200 and trying to buy a 7.2738 MHz crystal at your favourite electronics dealer suggest that the old value was actually a typo. The actual UART clock is driven by a PLL, configured via a parameter in some board.txt file in the firmware, which reads 7.37 MHz (sic!). Fix this to correct the baud rate divisor calculation on the Juno board. [1] http://infocenter.arm.com/help/topic/com.arm.doc.ddi0515b.b/DDI0515B_b_juno_arm_development_platform_soc_trm.pdf [2] http://infocenter.arm.com/help/topic/com.arm.doc.100113_0000_07_en/arm_versatile_express_juno_development_platform_(v2m_juno)_technical_reference_manual_100113_0000_07_en.pdf Fixes: 71f867ec130e ("arm64: Add Juno board device tree.") Signed-off-by: Andre Przywara Acked-by: Liviu Dudau Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit 6394d187511303b91e5e3b1c562117bf427a71ef Author: Sam Bobroff Date: Mon Nov 18 10:53:53 2019 +1100 drm/radeon: fix bad DMA from INTERRUPT_CNTL2 [ Upstream commit 62d91dd2851e8ae2ca552f1b090a3575a4edf759 ] The INTERRUPT_CNTL2 register expects a valid DMA address, but is currently set with a GPU MC address. This can cause problems on systems that detect the resulting DMA read from an invalid address (found on a Power8 guest). Instead, use the DMA address of the dummy page because it will always be safe. Fixes: d8f60cfc9345 ("drm/radeon/kms: Add support for interrupts on r6xx/r7xx chips (v3)") Fixes: 25a857fbe973 ("drm/radeon/kms: add support for interrupts on SI") Fixes: a59781bbe528 ("drm/radeon: add support for interrupts on CIK (v5)") Signed-off-by: Sam Bobroff Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit fe1787af161f91dffcef3a0248b85f0cefdea64b Author: Chuhong Yuan Date: Mon Nov 18 15:38:02 2019 +0800 dmaengine: ti: edma: fix missed failure handling [ Upstream commit 340049d453682a9fe8d91fe794dd091730f4bb25 ] When devm_kcalloc fails, it forgets to call edma_free_slot. Replace direct return with failure handler to fix it. Fixes: 1be5336bc7ba ("dmaengine: edma: New device tree binding") Signed-off-by: Chuhong Yuan Link: https://lore.kernel.org/r/20191118073802.28424-1-hslester96@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 496f5e2f62f5865919cacbf3b75d8f575b09d1f4 Author: Eric Dumazet Date: Fri Nov 8 05:07:46 2019 -0800 packet: fix data-race in fanout_flow_is_huge() [ Upstream commit b756ad928d98e5ef0b74af7546a6a31a8dadde00 ] KCSAN reported the following data-race [1] Adding a couple of READ_ONCE()/WRITE_ONCE() should silence it. Since the report hinted about multiple cpus using the history concurrently, I added a test avoiding writing on it if the victim slot already contains the desired value. [1] BUG: KCSAN: data-race in fanout_demux_rollover / fanout_demux_rollover read to 0xffff8880b01786cc of 4 bytes by task 18921 on cpu 1: fanout_flow_is_huge net/packet/af_packet.c:1303 [inline] fanout_demux_rollover+0x33e/0x3f0 net/packet/af_packet.c:1353 packet_rcv_fanout+0x34e/0x490 net/packet/af_packet.c:1453 deliver_skb net/core/dev.c:1888 [inline] dev_queue_xmit_nit+0x15b/0x540 net/core/dev.c:1958 xmit_one net/core/dev.c:3195 [inline] dev_hard_start_xmit+0x3f5/0x430 net/core/dev.c:3215 __dev_queue_xmit+0x14ab/0x1b40 net/core/dev.c:3792 dev_queue_xmit+0x21/0x30 net/core/dev.c:3825 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179 ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795 udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173 udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471 inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0x9f/0xc0 net/socket.c:657 ___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311 __sys_sendmmsg+0x123/0x350 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 write to 0xffff8880b01786cc of 4 bytes by task 18922 on cpu 0: fanout_flow_is_huge net/packet/af_packet.c:1306 [inline] fanout_demux_rollover+0x3a4/0x3f0 net/packet/af_packet.c:1353 packet_rcv_fanout+0x34e/0x490 net/packet/af_packet.c:1453 deliver_skb net/core/dev.c:1888 [inline] dev_queue_xmit_nit+0x15b/0x540 net/core/dev.c:1958 xmit_one net/core/dev.c:3195 [inline] dev_hard_start_xmit+0x3f5/0x430 net/core/dev.c:3215 __dev_queue_xmit+0x14ab/0x1b40 net/core/dev.c:3792 dev_queue_xmit+0x21/0x30 net/core/dev.c:3825 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179 ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795 udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173 udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471 inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0x9f/0xc0 net/socket.c:657 ___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311 __sys_sendmmsg+0x123/0x350 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 18922 Comm: syz-executor.3 Not tainted 5.4.0-rc6+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 3b3a5b0aab5b ("packet: rollover huge flows before small flows") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ca3e3364d1b1f6faa2a736b0b8a7a9b23b65dd4a Author: Eric Dumazet Date: Tue Nov 5 14:11:49 2019 -0800 net: neigh: use long type to store jiffies delta [ Upstream commit 9d027e3a83f39b819e908e4e09084277a2e45e95 ] A difference of two unsigned long needs long storage. Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3a70aa656eb91842d88ac39fa71ed7d6d98f5d1c Author: Tiezhu Yang Date: Mon Nov 4 21:33:50 2019 +0800 MIPS: Loongson: Fix return value of loongson_hwmon_init [ Upstream commit dece3c2a320b0a6d891da6ff774ab763969b6860 ] When call function hwmon_device_register failed, use the actual return value instead of always -ENOMEM. Fixes: 64f09aa967e1 ("MIPS: Loongson-3: Add CPU Hwmon platform driver") Signed-off-by: Tiezhu Yang Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: Huacai Chen Cc: Jiaxun Yang Cc: linux-mips@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit d71e2360d23c4a0c92518e011dd96768221fbb5a Author: Janusz Krzysztofik Date: Tue Sep 3 17:11:41 2019 -0300 media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support [ Upstream commit 39034bb0c26b76a2c3abc54aa28c185f18b40c2f ] Commit da298c6d98d5 ("[media] v4l2: replace video op g_mbus_fmt by pad op get_fmt") converted a former ov6650_g_fmt() video operation callback to an ov6650_get_fmt() pad operation callback. However, the converted function disregards a format->which flag that pad operations should obey and always returns active frame format settings. That can be fixed by always responding to V4L2_SUBDEV_FORMAT_TRY with -EINVAL, or providing the response from a pad config argument, likely updated by a former user call to V4L2_SUBDEV_FORMAT_TRY .set_fmt(). Since implementation of the latter is trivial, go for it. Fixes: da298c6d98d5 ("[media] v4l2: replace video op g_mbus_fmt by pad op get_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3fd13fc6ecc37009ab172ad7067580ec4cbd8a6e Author: Janusz Krzysztofik Date: Tue Sep 3 17:11:40 2019 -0300 media: ov6650: Fix some format attributes not under control [ Upstream commit 1c6a2b63095154bbf9e8f38d79487a728331bf65 ] User arguments passed to .get/set_fmt() pad operation callbacks may contain unsupported values. The driver takes control over frame size and pixel code as well as colorspace and field attributes but has never cared for remainig format attributes, i.e., ycbcr_enc, quantization and xfer_func, introduced by commit 11ff030c7365 ("[media] v4l2-mediabus: improve colorspace support"). Fix it. Set up a static v4l2_mbus_framefmt structure with attributes initialized to reasonable defaults and use it for updating content of user provided arguments. In case of V4L2_SUBDEV_FORMAT_ACTIVE, postpone frame size update, now performed from inside ov6650_s_fmt() helper, util the user argument is first updated in ov6650_set_fmt() with default frame format content. For V4L2_SUBDEV_FORMAT_TRY, don't copy all attributes to pad config, only those handled by the driver, then fill the response with the default frame format updated with resulting pad config format code and frame size. Fixes: 11ff030c7365 ("[media] v4l2-mediabus: improve colorspace support") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3498854e43ead36ad0b82690265aa6f23606f6fd Author: Janusz Krzysztofik Date: Tue Sep 3 17:11:39 2019 -0300 media: ov6650: Fix incorrect use of JPEG colorspace [ Upstream commit 12500731895ef09afc5b66b86b76c0884fb9c7bf ] Since its initial submission, the driver selects V4L2_COLORSPACE_JPEG for supported formats other than V4L2_MBUS_FMT_SBGGR8_1X8. According to v4l2-compliance test program, V4L2_COLORSPACE_JPEG applies exclusively to V4L2_PIX_FMT_JPEG. Since the sensor does not support JPEG format, fix it to always select V4L2_COLORSPACE_SRGB. Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 77530583741b6261fd9b10a24b356dda1e30a395 Author: Stefan Wahren Date: Wed Nov 20 18:29:13 2019 +0100 net: qca_spi: Move reset_count to struct qcaspi [ Upstream commit bc19c32904e36548335b35fdce6ce734e20afc0a ] The reset counter is specific for every QCA700x chip. So move this into the private driver struct. Otherwise we get unpredictable reset behavior in setups with multiple QCA700x chips. Fixes: 291ab06ecf67 (net: qualcomm: new Ethernet over SPI driver for QCA7000) Signed-off-by: Stefan Wahren Signed-off-by: Stefan Wahren Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c6fe228aa2cbb4c6553ecc3f0d2815f03b3ab973 Author: Robin Gong Date: Tue Sep 24 09:49:18 2019 +0000 dmaengine: imx-sdma: fix size check for sdma script_number [ Upstream commit bd73dfabdda280fc5f05bdec79b6721b4b2f035f ] Illegal memory will be touch if SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V3 (41) exceed the size of structure sdma_script_start_addrs(40), thus cause memory corrupt such as slob block header so that kernel trap into while() loop forever in slob_free(). Please refer to below code piece in imx-sdma.c: for (i = 0; i < sdma->script_number; i++) if (addr_arr[i] > 0) saddr_arr[i] = addr_arr[i]; /* memory corrupt here */ That issue was brought by commit a572460be9cf ("dmaengine: imx-sdma: Add support for version 3 firmware") because SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V3 (38->41 3 scripts added) not align with script number added in sdma_script_start_addrs(2 scripts). Fixes: a572460be9cf ("dmaengine: imx-sdma: Add support for version 3 firmware") Cc: stable@vger.kernel Link: https://www.spinics.net/lists/arm-kernel/msg754895.html Signed-off-by: Robin Gong Reported-by: Jurgen Lambrecht Link: https://lore.kernel.org/r/1569347584-3478-1-git-send-email-yibin.gong@nxp.com [vkoul: update the patch title] Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit b78a491abe05d8063d4e9c39042681d87bc4633a Author: Jeffrey Hugo Date: Fri Oct 11 06:39:39 2019 -0700 drm/msm/dsi: Implement reset correctly [ Upstream commit 78e31c42261779a01bc73472d0f65f15378e9de3 ] On msm8998, vblank timeouts are observed because the DSI controller is not reset properly, which ends up stalling the MDP. This is because the reset logic is not correct per the hardware documentation. The documentation states that after asserting reset, software should wait some time (no indication of how long), or poll the status register until it returns 0 before deasserting reset. wmb() is insufficient for this purpose since it just ensures ordering, not timing between writes. Since asserting and deasserting reset occurs on the same register, ordering is already guaranteed by the architecture, making the wmb extraneous. Since we would define a timeout for polling the status register to avoid a possible infinite loop, lets just use a static delay of 20 ms, since 16.666 ms is the time available to process one frame at 60 fps. Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") Cc: Hai Li Cc: Rob Clark Signed-off-by: Jeffrey Hugo Reviewed-by: Sean Paul [seanpaul renamed RESET_DELAY to DSI_RESET_TOGGLE_DELAY_MS] Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20191011133939.16551-1-jeffrey.l.hugo@gmail.com Signed-off-by: Sasha Levin commit ff88731ea9938468bd8f176909793ffbafe03260 Author: Antonio Borneo Date: Mon Oct 7 17:43:04 2019 +0200 net: stmmac: fix length of PTP clock's name string [ Upstream commit 5da202c88f8c355ad79bc2e8eb582e6d433060e7 ] The field "name" in struct ptp_clock_info has a fixed size of 16 chars and is used as zero terminated string by clock_name_show() in drivers/ptp/ptp_sysfs.c The current initialization value requires 17 chars to fit also the null termination, and this causes overflow to the next bytes in the struct when the string is read as null terminated: hexdump -C /sys/class/ptp/ptp0/clock_name 00000000 73 74 6d 6d 61 63 5f 70 74 70 5f 63 6c 6f 63 6b |stmmac_ptp_clock| 00000010 a0 ac b9 03 0a |.....| where the extra 4 bytes (excluding the newline) after the string represent the integer 0x03b9aca0 = 62500000 assigned to the field "max_adj" that follows "name" in the same struct. There is no strict requirement for the "name" content and in the comment in ptp_clock_kernel.h it's reported it should just be 'A short "friendly name" to identify the clock'. Replace it with "stmmac ptp". Signed-off-by: Antonio Borneo Fixes: 92ba6888510c ("stmmac: add the support for PTP hw clock driver") Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 038dda455e70e7df121ed226705bd4b997f199c5 Author: Eric Biggers Date: Sun Oct 6 14:24:27 2019 -0700 llc: fix sk_buff refcounting in llc_conn_state_process() [ Upstream commit 36453c852816f19947ca482a595dffdd2efa4965 ] If llc_conn_state_process() sees that llc_conn_service() put the skb on a list, it will drop one fewer references to it. This is wrong because the current behavior is that llc_conn_service() never consumes a reference to the skb. The code also makes the number of skb references being dropped conditional on which of ind_prim and cfm_prim are nonzero, yet neither of these affects how many references are *acquired*. So there is extra code that tries to fix this up by sometimes taking another reference. Remove the unnecessary/broken refcounting logic and instead just add an skb_get() before the only two places where an extra reference is actually consumed. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e9423fc5d9434f8a70019b6586ec8974cb0841c2 Author: Eric Biggers Date: Sun Oct 6 14:24:26 2019 -0700 llc: fix another potential sk_buff leak in llc_ui_sendmsg() [ Upstream commit fc8d5db10cbe1338a52ebc74e7feab9276721774 ] All callers of llc_conn_state_process() except llc_build_and_send_pkt() (via llc_ui_sendmsg() -> llc_ui_send_data()) assume that it always consumes a reference to the skb. Fix this caller to do the same. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 264dbaf015c43b8a99cce44584cf92857699cd0b Author: Johannes Berg Date: Fri Oct 4 15:37:05 2019 +0300 mac80211: accept deauth frames in IBSS mode [ Upstream commit 95697f9907bfe3eab0ef20265a766b22e27dde64 ] We can process deauth frames and all, but we drop them very early in the RX path today - this could never have worked. Fixes: 2cc59e784b54 ("mac80211: reply to AUTH with DEAUTH if sta allocation fails in IBSS") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/20191004123706.15768-2-luca@coelho.fi Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit cc3db046c0e393556b9ba82151e69a3d3343a4fe Author: Dan Carpenter Date: Wed Sep 25 14:05:54 2019 +0300 net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() [ Upstream commit 231042181dc9d6122c6faba64e99ccb25f13cc6c ] The "gmac->phy_mode" variable is an enum and in this context GCC will treat it as an unsigned int so the error handling will never be triggered. Fixes: b1c17215d718 ("stmmac: add ipq806x glue layer") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3f2a1b543304e7a4814e3b33dd7dabd6b5018ede Author: Dan Carpenter Date: Wed Sep 25 13:56:04 2019 +0300 net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() [ Upstream commit 25a584955f020d6ec499c513923fb220f3112d2b ] The "priv->phy_interface" variable is an enum and in this context GCC will treat it as unsigned so the error handling will never be triggered. Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") Signed-off-by: Dan Carpenter Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3b8fdd22f5bcf2db7457432a6f7524355bb6ef5f Author: Dan Carpenter Date: Wed Sep 25 13:55:32 2019 +0300 net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() [ Upstream commit 002dfe8085255b7bf1e0758c3d195c5412d35be9 ] The "priv->phy_mode" variable is an enum and in this context GCC will treat it as unsigned to the error handling will never trigger. Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c362201c51b92b382798a06c610ea599aff00673 Author: Filippo Sironi Date: Tue Sep 10 19:49:21 2019 +0200 iommu/amd: Wait for completion of IOTLB flush in attach_device [ Upstream commit 0b15e02f0cc4fb34a9160de7ba6db3a4013dc1b7 ] To make sure the domain tlb flush completes before the function returns, explicitly wait for its completion. Signed-off-by: Filippo Sironi Fixes: 42a49f965a8d ("amd-iommu: flush domain tlb when attaching a new device") [joro: Added commit message and fixes tag] Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 48d127dbeee236a161cdb3e05055b2a8e645afe4 Author: Gerd Rausch Date: Thu Sep 12 13:49:41 2019 -0700 net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' [ Upstream commit 05a82481a3024b94db00b8c816bb3d526b5209e0 ] All entries in 'rds_ib_stat_names' are stringified versions of the corresponding "struct rds_ib_statistics" element without the "s_"-prefix. Fix entry 'ib_evt_handler_call' to do the same. Fixes: f4f943c958a2 ("RDS: IB: ack more receive completions to improve performance") Signed-off-by: Gerd Rausch Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f6180121f3310835fd0ff25f53a952be96c690a7 Author: Mao Wenan Date: Wed Sep 11 09:36:23 2019 +0800 net: sonic: replace dev_kfree_skb in sonic_send_packet [ Upstream commit 49f6c90bf6805948b597eabb499e500a47cf24be ] sonic_send_packet will be processed in irq or non-irq context, so it would better use dev_kfree_skb_any instead of dev_kfree_skb. Fixes: d9fb9f384292 ("*sonic/natsemi/ns83829: Move the National Semi-conductor drivers") Signed-off-by: Mao Wenan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b9e9f89ed4668833f3318c0124df105926e8eb9f Author: Dan Robertson Date: Thu Sep 5 01:45:54 2019 +0000 hwmon: (shtc1) fix shtc1 and shtw1 id mask [ Upstream commit fdc7d8e829ec755c5cfb2f5a8d8c0cdfb664f895 ] Fix an error in the bitmaskfor the shtc1 and shtw1 bitmask used to retrieve the chip ID from the ID register. See section 5.7 of the shtw1 or shtc1 datasheet for details. Fixes: 1a539d372edd9832444e7a3daa710c444c014dc9 ("hwmon: add support for Sensirion SHTC1 sensor") Signed-off-by: Dan Robertson Link: https://lore.kernel.org/r/20190905014554.21658-3-dan@dlrobertson.com [groeck: Reordered to be first in series and adjusted accordingly] Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 1c5e85e695c5f7f3d87cd46cb521ee282929949f Author: Filipe Manana Date: Thu Jul 4 16:24:09 2019 +0100 Btrfs: fix hang when loading existing inode cache off disk [ Upstream commit 7764d56baa844d7f6206394f21a0e8c1f303c476 ] If we are able to load an existing inode cache off disk, we set the state of the cache to BTRFS_CACHE_FINISHED, but we don't wake up any one waiting for the cache to be available. This means that anyone waiting for the cache to be available, waiting on the condition that either its state is BTRFS_CACHE_FINISHED or its available free space is greather than zero, can hang forever. This could be observed running fstests with MOUNT_OPTIONS="-o inode_cache", in particular test case generic/161 triggered it very frequently for me, producing a trace like the following: [63795.739712] BTRFS info (device sdc): enabling inode map caching [63795.739714] BTRFS info (device sdc): disk space caching is enabled [63795.739716] BTRFS info (device sdc): has skinny extents [64036.653886] INFO: task btrfs-transacti:3917 blocked for more than 120 seconds. [64036.654079] Not tainted 5.2.0-rc4-btrfs-next-50 #1 [64036.654143] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [64036.654232] btrfs-transacti D 0 3917 2 0x80004000 [64036.654239] Call Trace: [64036.654258] ? __schedule+0x3ae/0x7b0 [64036.654271] schedule+0x3a/0xb0 [64036.654325] btrfs_commit_transaction+0x978/0xae0 [btrfs] [64036.654339] ? remove_wait_queue+0x60/0x60 [64036.654395] transaction_kthread+0x146/0x180 [btrfs] [64036.654450] ? btrfs_cleanup_transaction+0x620/0x620 [btrfs] [64036.654456] kthread+0x103/0x140 [64036.654464] ? kthread_create_worker_on_cpu+0x70/0x70 [64036.654476] ret_from_fork+0x3a/0x50 [64036.654504] INFO: task xfs_io:3919 blocked for more than 120 seconds. [64036.654568] Not tainted 5.2.0-rc4-btrfs-next-50 #1 [64036.654617] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [64036.654685] xfs_io D 0 3919 3633 0x00000000 [64036.654691] Call Trace: [64036.654703] ? __schedule+0x3ae/0x7b0 [64036.654716] schedule+0x3a/0xb0 [64036.654756] btrfs_find_free_ino+0xa9/0x120 [btrfs] [64036.654764] ? remove_wait_queue+0x60/0x60 [64036.654809] btrfs_create+0x72/0x1f0 [btrfs] [64036.654822] lookup_open+0x6bc/0x790 [64036.654849] path_openat+0x3bc/0xc00 [64036.654854] ? __lock_acquire+0x331/0x1cb0 [64036.654869] do_filp_open+0x99/0x110 [64036.654884] ? __alloc_fd+0xee/0x200 [64036.654895] ? do_raw_spin_unlock+0x49/0xc0 [64036.654909] ? do_sys_open+0x132/0x220 [64036.654913] do_sys_open+0x132/0x220 [64036.654926] do_syscall_64+0x60/0x1d0 [64036.654933] entry_SYSCALL_64_after_hwframe+0x49/0xbe Fix this by adding a wake_up() call right after setting the cache state to BTRFS_CACHE_FINISHED, at start_caching(), when we are able to load the cache from disk. Fixes: 82d5902d9c681b ("Btrfs: Support reading/writing on disk free ino cache") Reviewed-by: Nikolay Borisov Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 42b59e28e1e984935914280fe963731fa6d9d8f2 Author: Mao Wenan Date: Thu Sep 5 09:57:12 2019 +0800 net: sonic: return NETDEV_TX_OK if failed to map buffer [ Upstream commit 6e1cdedcf0362fed3aedfe051d46bd7ee2a85fe1 ] NETDEV_TX_BUSY really should only be used by drivers that call netif_tx_stop_queue() at the wrong moment. If dma_map_single() is failed to map tx DMA buffer, it might trigger an infinite loop. This patch use NETDEV_TX_OK instead of NETDEV_TX_BUSY, and change printk to pr_err_ratelimited. Fixes: d9fb9f384292 ("*sonic/natsemi/ns83829: Move the National Semi-conductor drivers") Signed-off-by: Mao Wenan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fc535dc4977631b7ee8aefd6534173d94b270657 Author: Lorenzo Bianconi Date: Mon Aug 19 09:41:39 2019 +0200 ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init [ Upstream commit e1aa1a1db3b01c9890e82cf065cee99962ba1ed9 ] Fix following lockdep warning disabling bh in ath_dynack_node_init/ath_dynack_node_deinit [ 75.955878] -------------------------------- [ 75.955880] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. [ 75.955884] swapper/0/0 [HC0[0]:SC1[3]:HE1:SE0] takes: [ 75.955888] 00000000792a7ee0 (&(&da->qlock)->rlock){+.?.}, at: ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw] [ 75.955905] {SOFTIRQ-ON-W} state was registered at: [ 75.955912] lock_acquire+0x9a/0x160 [ 75.955917] _raw_spin_lock+0x2c/0x70 [ 75.955927] ath_dynack_node_init+0x2a/0x60 [ath9k_hw] [ 75.955934] ath9k_sta_state+0xec/0x160 [ath9k] [ 75.955976] drv_sta_state+0xb2/0x740 [mac80211] [ 75.956008] sta_info_insert_finish+0x21a/0x420 [mac80211] [ 75.956039] sta_info_insert_rcu+0x12b/0x2c0 [mac80211] [ 75.956069] sta_info_insert+0x7/0x70 [mac80211] [ 75.956093] ieee80211_prep_connection+0x42e/0x730 [mac80211] [ 75.956120] ieee80211_mgd_auth.cold+0xb9/0x15c [mac80211] [ 75.956152] cfg80211_mlme_auth+0x143/0x350 [cfg80211] [ 75.956169] nl80211_authenticate+0x25e/0x2b0 [cfg80211] [ 75.956172] genl_family_rcv_msg+0x198/0x400 [ 75.956174] genl_rcv_msg+0x42/0x90 [ 75.956176] netlink_rcv_skb+0x35/0xf0 [ 75.956178] genl_rcv+0x1f/0x30 [ 75.956180] netlink_unicast+0x154/0x200 [ 75.956182] netlink_sendmsg+0x1bf/0x3d0 [ 75.956186] ___sys_sendmsg+0x2c2/0x2f0 [ 75.956187] __sys_sendmsg+0x44/0x80 [ 75.956190] do_syscall_64+0x55/0x1a0 [ 75.956192] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 75.956194] irq event stamp: 2357092 [ 75.956196] hardirqs last enabled at (2357092): [] _raw_spin_unlock_irqrestore+0x3e/0x50 [ 75.956199] hardirqs last disabled at (2357091): [] _raw_spin_lock_irqsave+0x11/0x80 [ 75.956202] softirqs last enabled at (2357072): [] irq_enter+0x59/0x60 [ 75.956204] softirqs last disabled at (2357073): [] irq_exit+0xae/0xc0 [ 75.956206] other info that might help us debug this: [ 75.956207] Possible unsafe locking scenario: [ 75.956208] CPU0 [ 75.956209] ---- [ 75.956210] lock(&(&da->qlock)->rlock); [ 75.956213] [ 75.956214] lock(&(&da->qlock)->rlock); [ 75.956216] *** DEADLOCK *** [ 75.956217] 1 lock held by swapper/0/0: [ 75.956219] #0: 000000003bb5675c (&(&sc->sc_pcu_lock)->rlock){+.-.}, at: ath9k_tasklet+0x55/0x240 [ath9k] [ 75.956225] stack backtrace: [ 75.956228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc1-wdn+ #13 [ 75.956229] Hardware name: Dell Inc. Studio XPS 1340/0K183D, BIOS A11 09/08/2009 [ 75.956231] Call Trace: [ 75.956233] [ 75.956236] dump_stack+0x67/0x90 [ 75.956239] mark_lock+0x4c1/0x640 [ 75.956242] ? check_usage_backwards+0x130/0x130 [ 75.956245] ? sched_clock_local+0x12/0x80 [ 75.956247] __lock_acquire+0x484/0x7a0 [ 75.956250] ? __lock_acquire+0x3b9/0x7a0 [ 75.956252] lock_acquire+0x9a/0x160 [ 75.956259] ? ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw] [ 75.956262] _raw_spin_lock_bh+0x34/0x80 [ 75.956268] ? ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw] [ 75.956275] ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw] [ 75.956280] ath_rx_tasklet+0xd09/0xe90 [ath9k] [ 75.956286] ath9k_tasklet+0x102/0x240 [ath9k] [ 75.956288] tasklet_action_common.isra.0+0x6d/0x170 [ 75.956291] __do_softirq+0xcc/0x425 [ 75.956294] irq_exit+0xae/0xc0 [ 75.956296] do_IRQ+0x8a/0x110 [ 75.956298] common_interrupt+0xf/0xf [ 75.956300] [ 75.956303] RIP: 0010:cpuidle_enter_state+0xb2/0x400 [ 75.956308] RSP: 0018:ffffffff82203e70 EFLAGS: 00000202 ORIG_RAX: ffffffffffffffd7 [ 75.956310] RAX: ffffffff82219800 RBX: ffffffff822bd0a0 RCX: 0000000000000000 [ 75.956312] RDX: 0000000000000046 RSI: 0000000000000006 RDI: ffffffff82219800 [ 75.956314] RBP: ffff888155a01c00 R08: 00000011af51aabe R09: 0000000000000000 [ 75.956315] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 [ 75.956317] R13: 00000011af51aabe R14: 0000000000000003 R15: ffffffff82219800 [ 75.956321] cpuidle_enter+0x24/0x40 [ 75.956323] do_idle+0x1ac/0x220 [ 75.956326] cpu_startup_entry+0x14/0x20 [ 75.956329] start_kernel+0x482/0x489 [ 75.956332] secondary_startup_64+0xa4/0xb0 Fixes: c774d57fd47c ("ath9k: add dynamic ACK timeout estimation") Signed-off-by: Lorenzo Bianconi Tested-by: Koen Vandeputte Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 24cc265fd93c563add31130b8c40fb5733095aad Author: Colin Ian King Date: Thu Aug 15 12:58:46 2019 +0100 iio: dac: ad5380: fix incorrect assignment to val [ Upstream commit b1e18768ef1214c0a8048327918a182cabe09f9d ] Currently the pointer val is being incorrectly incremented instead of the value pointed to by val. Fix this by adding in the missing * indirection operator. Addresses-Coverity: ("Unused value") Fixes: c03f2c536818 ("staging:iio:dac: Add AD5380 driver") Signed-off-by: Colin Ian King Reviewed-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 7d05de194a7e2e57a710b966707819f1477a3392 Author: Colin Ian King Date: Tue Aug 27 09:16:20 2019 +0100 bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA [ Upstream commit 420c20be08a4597404d272ae9793b642401146eb ] An earlier commit re-worked the setting of the bitmask and is now assigning v with some bit flags rather than bitwise or-ing them into v, consequently the earlier bit-settings of v are being lost. Fix this by replacing an assignment with the bitwise or instead. Addresses-Coverity: ("Unused value") Fixes: 2be25cac8402 ("bcma: add constants for PCI and use them") Signed-off-by: Colin Ian King Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit b73696ee98b52241fd6cfc1da73c6a8de1d5d800 Author: Masami Hiramatsu Date: Sun Sep 1 12:03:08 2019 +0900 x86, perf: Fix the dependency of the x86 insn decoder selftest [ Upstream commit 7720804a2ae46c90265a32c81c45fb6f8d2f4e8b ] Since x86 instruction decoder is not only for kprobes, it should be tested when the insn.c is compiled. (e.g. perf is enabled but kprobes is disabled) Signed-off-by: Masami Hiramatsu Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: cbe5c34c8c1f ("x86: Compile insn.c and inat.c only for KPROBES") Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit af843446da4591b856520b9588de2d967f04c210 Author: Stephen Boyd Date: Thu Aug 1 14:33:30 2019 -0700 power: supply: Init device wakeup after device_add() [ Upstream commit 8288022284859acbcc3cf1a073a1e2692d6c2543 ] We may want to use the device pointer in device_init_wakeup() with functions that expect the device to already be added with device_add(). For example, if we were to link the device initializing wakeup to something in sysfs such as a class for wakeups we'll run into an error. It looks like this code was written with the assumption that the device would be added before initializing wakeup due to the order of operations in power_supply_unregister(). Let's change the order of operations so we don't run into problems here. Fixes: 948dcf966228 ("power_supply: Prevent suspend until power supply events are processed") Cc: Greg Kroah-Hartman Cc: Tri Vo Cc: Kalesh Singh Cc: Ravi Chandra Sadineni Cc: Viresh Kumar Signed-off-by: Stephen Boyd Acked-by: Rafael J. Wysocki Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 87b4f63406f61eb6ae217db157ac8140147dd5b0 Author: Linus Torvalds Date: Fri Aug 30 18:47:15 2019 -0700 Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" [ Upstream commit ab9bb6318b0967671e0c9b6537c1537d51ca4f45 ] Commit dfe2a77fd243 ("kfifo: fix kfifo_alloc() and kfifo_init()") made the kfifo code round the number of elements up. That was good for __kfifo_alloc(), but it's actually wrong for __kfifo_init(). The difference? __kfifo_alloc() will allocate the rounded-up number of elements, but __kfifo_init() uses an allocation done by the caller. We can't just say "use more elements than the caller allocated", and have to round down. The good news? All the normal cases will be using power-of-two arrays anyway, and most users of kfifo's don't use kfifo_init() at all, but one of the helper macros to declare a KFIFO that enforce the proper power-of-two behavior. But it looks like at least ibmvscsis might be affected. The bad news? Will Deacon refers to an old thread and points points out that the memory ordering in kfifo's is questionable. See https://lore.kernel.org/lkml/20181211034032.32338-1-yuleixzhang@tencent.com/ for more. Fixes: dfe2a77fd243 ("kfifo: fix kfifo_alloc() and kfifo_init()") Reported-by: laokz Cc: Stefani Seibold Cc: Andrew Morton Cc: Dan Carpenter Cc: Greg KH Cc: Kees Cook Cc: Will Deacon Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 667acf9a72279e04fdd011fd7f5e7670e066e0d4 Author: Andy Shevchenko Date: Fri Aug 30 22:42:55 2019 +0300 ahci: Do not export local variable ahci_em_messages [ Upstream commit 60fc35f327e0a9e60b955c0f3c3ed623608d1baa ] The commit ed08d40cdec4 ("ahci: Changing two module params with static and __read_mostly") moved ahci_em_messages to be static while missing the fact of exporting it. WARNING: "ahci_em_messages" [vmlinux] is a static EXPORT_SYMBOL_GPL Drop export for the local variable ahci_em_messages. Fixes: ed08d40cdec4 ("ahci: Changing two module params with static and __read_mostly") Cc: Chuansheng Liu Signed-off-by: Andy Shevchenko Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 442eda6e7151593ec202baecb3d30f1b09b30501 Author: Nick Desaulniers Date: Mon Jul 29 14:10:12 2019 -0700 mips: avoid explicit UB in assignment of mips_io_port_base [ Upstream commit 12051b318bc3ce5b42d6d786191008284b067d83 ] The code in question is modifying a variable declared const through pointer manipulation. Such code is explicitly undefined behavior, and is the lone issue preventing malta_defconfig from booting when built with Clang: If an attempt is made to modify an object defined with a const-qualified type through use of an lvalue with non-const-qualified type, the behavior is undefined. LLVM is removing such assignments. A simple fix is to not declare variables const that you plan on modifying. Limiting the scope would be a better method of preventing unwanted writes to such a variable. Further, the code in question mentions "compiler bugs" without any links to bug reports, so it is difficult to know if the issue is resolved in GCC. The patch was authored in 2006, which would have been GCC 4.0.3 or 4.1.1. The minimal supported version of GCC in the Linux kernel is currently 4.6. For what its worth, there was UB before the commit in question, it just added a barrier and got lucky IRT codegen. I don't think there's any actual compiler bugs related, just runtime bugs due to UB. Link: https://github.com/ClangBuiltLinux/linux/issues/610 Fixes: 966f4406d903 ("[MIPS] Work around bad code generation for .") Reported-by: Nathan Chancellor Debugged-by: Nathan Chancellor Suggested-by: Eli Friedman Signed-off-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Signed-off-by: Paul Burton Cc: ralf@linux-mips.org Cc: jhogan@kernel.org Cc: Maciej W. Rozycki Cc: Hassan Naveed Cc: Stephen Kitt Cc: Serge Semin Cc: Mike Rapoport Cc: Andrew Morton Cc: Michal Hocko Cc: linux-mips@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: clang-built-linux@googlegroups.com Signed-off-by: Sasha Levin commit 3e725e4c7284c3f4ae858061b573cd230946cab4 Author: Felix Fietkau Date: Tue Aug 20 11:54:46 2019 +0200 mac80211: minstrel_ht: fix per-group max throughput rate initialization [ Upstream commit 56dd918ff06e3ee24d8067e93ed12b2a39e71394 ] The group number needs to be multiplied by the number of rates per group to get the full rate index Fixes: 5935839ad735 ("mac80211: improve minstrel_ht rate sorting by throughput & probability") Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20190820095449.45255-1-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 5437f62fa2a9792711e576a87b0e1ab65ecf3a74 Author: Andy Shevchenko Date: Tue Aug 20 16:15:43 2019 +0300 dmaengine: dw: platform: Switch to acpi_dma_controller_register() [ Upstream commit e7b8514e4d68bec21fc6385fa0a66797ddc34ac9 ] There is a possibility to have registered ACPI DMA controller while it has been gone already. To avoid the potential crash, move to non-managed acpi_dma_controller_register(). Fixes: 42c91ee71d6d ("dw_dmac: add ACPI support") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20190820131546.75744-8-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a1800bbb992418c5572d7136b59624a967ccf055 Author: Eric W. Biederman Date: Fri Aug 16 12:33:54 2019 -0500 signal: Allow cifs and drbd to receive their terminating signals [ Upstream commit 33da8e7c814f77310250bb54a9db36a44c5de784 ] My recent to change to only use force_sig for a synchronous events wound up breaking signal reception cifs and drbd. I had overlooked the fact that by default kthreads start out with all signals set to SIG_IGN. So a change I thought was safe turned out to have made it impossible for those kernel thread to catch their signals. Reverting the work on force_sig is a bad idea because what the code was doing was very much a misuse of force_sig. As the way force_sig ultimately allowed the signal to happen was to change the signal handler to SIG_DFL. Which after the first signal will allow userspace to send signals to these kernel threads. At least for wake_ack_receiver in drbd that does not appear actively wrong. So correct this problem by adding allow_kernel_signal that will allow signals whose siginfo reports they were sent by the kernel through, but will not allow userspace generated signals, and update cifs and drbd to call allow_kernel_signal in an appropriate place so that their thread can receive this signal. Fixing things this way ensures that userspace won't be able to send signals and cause problems, that it is clear which signals the threads are expecting to receive, and it guarantees that nothing else in the system will be affected. This change was partly inspired by similar cifs and drbd patches that added allow_signal. Reported-by: ronnie sahlberg Reported-by: Christoph Böhmwalder Tested-by: Christoph Böhmwalder Cc: Steve French Cc: Philipp Reisner Cc: David Laight Fixes: 247bc9470b1e ("cifs: fix rmmod regression in cifs.ko caused by force_sig changes") Fixes: 72abe3bcf091 ("signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig") Fixes: fee109901f39 ("signal/drbd: Use send_sig not force_sig") Fixes: 3cf5d076fb4d ("signal: Remove task parameter from force_sig") Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 2a5af07ab0448cf5005d81e288664d3d2ea8c122 Author: YueHaibing Date: Thu Aug 15 17:19:20 2019 +0800 ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls [ Upstream commit 554b75bde64bcad9662530726d1483f7ef012069 ] sound/soc/codecs/wm8737.c:112:29: warning: high_3d defined but not used [-Wunused-const-variable=] 'high_3d' should be used for 3D High Cut-off. Reported-by: Hulk Robot Fixes: 2a9ae13a2641 ("ASoC: Add initial WM8737 driver") Signed-off-by: YueHaibing Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20190815091920.64480-1-yuehaibing@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0ea7bee3f327d1e2b777a50bda774440bf6aa63e Author: YueHaibing Date: Thu Aug 15 17:01:57 2019 +0800 ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' [ Upstream commit 9b4275c415acca6264a3d7f1182589959c93d530 ] sound/soc/codecs/cs4349.c:358:32: warning: cs4349_runtime_pm defined but not used [-Wunused-const-variable=] cs4349_runtime_pm ops already defined, it seems we should enable it. Reported-by: Hulk Robot Fixes: e40da86 ("ASoC: cs4349: Add support for Cirrus Logic CS4349") Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20190815090157.70036-1-yuehaibing@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b4e12a3a66e2846909b804a332fcb83f07cbf316 Author: YueHaibing Date: Thu Aug 15 17:23:00 2019 +0800 ASoC: es8328: Fix copy-paste error in es8328_right_line_controls [ Upstream commit 630742c296341a8cfe00dfd941392025ba8dd4e8 ] It seems 'es8328_rline_enum' should be used in es8328_right_line_controls Fixes: 567e4f98922c ("ASoC: add es8328 codec driver") Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20190815092300.68712-1-yuehaibing@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6072e7f72dcd459de87907a0fd32d0fbc65f3073 Author: Colin Ian King Date: Mon Aug 12 14:29:38 2019 -0400 ext4: set error return correctly when ext4_htree_store_dirent fails [ Upstream commit 7a14826ede1d714f0bb56de8167c0e519041eeda ] Currently when the call to ext4_htree_store_dirent fails the error return variable 'ret' is is not being set to the error code and variable count is instead, hence the error code is not being returned. Fix this by assigning ret to the error return code. Addresses-Coverity: ("Unused value") Fixes: 8af0f0822797 ("ext4: fix readdir error in the case of inline_data+dir_index") Signed-off-by: Colin Ian King Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 8badac0c617bf866e5ba4792cb843258be19d7c3 Author: Iuliana Prodan Date: Wed Jul 31 16:08:12 2019 +0300 crypto: caam - free resources in case caam_rng registration failed [ Upstream commit c59a1d41672a89b5cac49db1a472ff889e35a2d2 ] Check the return value of the hardware registration for caam_rng and free resources in case of failure. Fixes: e24f7c9e87d4 ("crypto: caam - hwrng support") Signed-off-by: Iuliana Prodan Reviewed-by: Horia Geanta Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d0aa2a57c141f9f8b8eeb8938716bcd0ab4d3ec1 Author: Steve French Date: Tue Jul 23 22:14:29 2019 -0500 cifs: fix rmmod regression in cifs.ko caused by force_sig changes [ Upstream commit 247bc9470b1eeefc7b58cdf2c39f2866ba651509 ] Fixes: 72abe3bcf091 ("signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig") The global change from force_sig caused module unloading of cifs.ko to fail (since the cifsd process could not be killed, "rmmod cifs" now would always fail) Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg CC: Eric W. Biederman Signed-off-by: Sasha Levin commit 09deaf6acad81fffcbf11c4c7f86cdf83854aff1 Author: Johannes Berg Date: Mon Jul 29 09:14:22 2019 +0200 ALSA: aoa: onyx: always initialize register read value [ Upstream commit f474808acb3c4b30552d9c59b181244e0300d218 ] A lot of places in the driver use onyx_read_register() without checking the return value, and it's been working OK for ~10 years or so, so probably never fails ... Rather than trying to check the return value everywhere, which would be relatively intrusive, at least make sure we don't use an uninitialized value. Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa") Reported-by: Stephen Rothwell Signed-off-by: Johannes Berg Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 7638131006ea80bb4fffa7d01c8038490062d7d0 Author: Thomas Gleixner Date: Mon Jul 22 20:47:06 2019 +0200 x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI [ Upstream commit 2591bc4e8d70b4e1330d327fb7e3921f4e070a51 ] apic->send_IPI_allbutself() takes a vector number as argument. APIC_DM_NMI is clearly not a vector number. It's defined to 0x400 which is outside the vector space. Use NMI_VECTOR instead as that's what it is intended to be. Fixes: 82da3ff89dc2 ("x86: kgdb support") Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20190722105218.855189979@linutronix.de Signed-off-by: Sasha Levin commit 9d876de69dd18860ad1dd50bcc8327b72077ee4e Author: Arnd Bergmann Date: Fri Jul 12 11:24:09 2019 +0200 mic: avoid statically declaring a 'struct device'. [ Upstream commit bc83f79bd2119230888fb8574639d5a51b38f903 ] Generally, declaring a platform device as a static variable is a bad idea and can cause all kinds of problems, in particular with the DMA configuration and lifetime rules. A specific problem we hit here is from a bug in clang that warns about certain (otherwise valid) macros when used in static variables: drivers/misc/mic/card/mic_x100.c:285:27: warning: shift count >= width of type [-Wshift-count-overflow] static u64 mic_dma_mask = DMA_BIT_MASK(64); ^~~~~~~~~~~~~~~~ include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK' #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) ^ ~~~ A slightly better way here is to create the platform device dynamically and set the dma mask in the probe function. This avoids the warning and some other problems, but is still not ideal because the device creation should really be separated from the driver, and the fact that the device has no parent means we have to force the dma mask rather than having it set up from the bus that the device is actually on. Fixes: dd8d8d44df64 ("misc: mic: MIC card driver specific changes to enable SCIF") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20190712092426.872625-1-arnd@arndb.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 022017da2274e301918aba1cf51ea07174229933 Author: Ruslan Bilovol Date: Sun Jul 7 15:17:19 2019 +0300 usb: host: xhci-hub: fix extra endianness conversion [ Upstream commit 6269e4c76eacabaea0d0099200ae1a455768d208 ] Don't do extra cpu_to_le32 conversion for put_unaligned_le32 because it is already implemented in this function. Fixes sparse error: xhci-hub.c:1152:44: warning: incorrect type in argument 1 (different base types) xhci-hub.c:1152:44: expected unsigned int [usertype] val xhci-hub.c:1152:44: got restricted __le32 [usertype] Fixes: 395f540 "xhci: support new USB 3.1 hub request to get extended port status" Cc: Mathias Nyman Signed-off-by: Ruslan Bilovol Link: https://lore.kernel.org/r/1562501839-26522-1-git-send-email-ruslan.bilovol@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 572cf7e0d1e133b17fdc9bcf0393d5ae21686470 Author: YueHaibing Date: Tue Jul 16 22:42:18 2019 +0800 libertas_tf: Use correct channel range in lbtf_geo_init [ Upstream commit 2ec4ad49b98e4a14147d04f914717135eca7c8b1 ] It seems we should use 'range' instead of 'priv->range' in lbtf_geo_init(), because 'range' is the corret one related to current regioncode. Reported-by: Hulk Robot Fixes: 691cdb49388b ("libertas_tf: command helper functions for libertas_tf") Signed-off-by: YueHaibing Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 8b87ccd33657a5c3a30b0abf348b0d19b9256627 Author: Colin Ian King Date: Tue Jul 2 10:18:35 2019 +0100 scsi: libfc: fix null pointer dereference on a null lport [ Upstream commit 41a6bf6529edd10a6def42e3b2c34a7474bcc2f5 ] Currently if lport is null then the null lport pointer is dereference when printing out debug via the FC_LPORT_DB macro. Fix this by using the more generic FC_LIBFC_DBG debug macro instead that does not use lport. Addresses-Coverity: ("Dereference after null check") Fixes: 7414705ea4ae ("libfc: Add runtime debugging with debug_logging module parameter") Signed-off-by: Colin Ian King Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b669c3d684d5a45279f2b712e0ddc8a27b69c2a5 Author: Wen Yang Date: Sat Jul 6 12:23:41 2019 +0800 net: pasemi: fix an use-after-free in pasemi_mac_phy_init() [ Upstream commit faf5577f2498cea23011b5c785ef853ded22700b ] The phy_dn variable is still being used in of_phy_connect() after the of_node_put() call, which may result in use-after-free. Fixes: 1dd2d06c0459 ("net: Rework pasemi_mac driver to use of_mdio infrastructure") Signed-off-by: Wen Yang Cc: "David S. Miller" Cc: Thomas Gleixner Cc: Luis Chamberlain Cc: Michael Ellerman Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b0ef3c242a24cad4e7612a06a8213840e51c6a18 Author: Arnd Bergmann Date: Fri Jun 28 16:59:45 2019 +0200 devres: allow const resource arguments [ Upstream commit 9dea44c91469512d346e638694c22c30a5273992 ] devm_ioremap_resource() does not currently take 'const' arguments, which results in a warning from the first driver trying to do it anyway: drivers/gpio/gpio-amd-fch.c: In function 'amd_fch_gpio_probe': drivers/gpio/gpio-amd-fch.c:171:49: error: passing argument 2 of 'devm_ioremap_resource' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] priv->base = devm_ioremap_resource(&pdev->dev, &amd_fch_gpio_iores); ^~~~~~~~~~~~~~~~~~~ Change the prototype to allow it, as there is no real reason not to. Fixes: 9bb2e0452508 ("gpio: amd: Make resource struct const") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20190628150049.1108048-1-arnd@arndb.de Acked-by: Greg Kroah-Hartman Reviwed-By: Enrico Weigelt Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit e3a803cde7adcc68ab496216b849f736ba4072a8 Author: Andy Shevchenko Date: Fri Jun 21 15:56:31 2019 +0300 mfd: intel-lpss: Release IDA resources [ Upstream commit 02f36911c1b41fcd8779fa0c135aab0554333fa5 ] ida instances allocate some internal memory for ->free_bitmap in addition to the base 'struct ida'. Use ida_destroy() to release that memory at module_exit(). Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices") Signed-off-by: Andy Shevchenko Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 1a49e9e284199fad043bd81628435b0bae714afb Author: Kevin Mitchell Date: Wed Jun 12 14:52:03 2019 -0700 iommu/amd: Make iommu_disable safer [ Upstream commit 3ddbe913e55516d3e2165d43d4d5570761769878 ] Make it safe to call iommu_disable during early init error conditions before mmio_base is set, but after the struct amd_iommu has been added to the amd_iommu_list. For example, this happens if firmware fails to fill in mmio_phys in the ACPI table leading to a NULL pointer dereference in iommu_feature_disable. Fixes: 2c0ae1720c09c ('iommu/amd: Convert iommu initialization to state machine') Signed-off-by: Kevin Mitchell Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit eddade2cae78d54e9f1a3d026bae39af02182941 Author: Rob Clark Date: Mon Jun 24 09:09:47 2019 -0700 drm/msm/a3xx: remove TPL1 regs from snapshot [ Upstream commit f47bee2ba447bebc304111c16ef1e1a73a9744dd ] These regs are write-only, and the hw throws a hissy-fit (ie. reboots) when we try to read them for GPU state snapshot, in response to a GPU hang. It is rather impolite when GPU recovery triggers an insta- reboot, so lets remove the TPL1 registers from the snapshot. Fixes: 7198e6b03155 drm/msm: add a3xx gpu support Signed-off-by: Rob Clark Reviewed-by: Jordan Crouse Signed-off-by: Sasha Levin commit 0d0561ace22099ca30d72fbadfa5d0c2fe8fd157 Author: Chen-Yu Tsai Date: Tue Jun 4 12:23:36 2019 +0800 rtc: pcf8563: Clear event flags and disable interrupts before requesting irq [ Upstream commit 3572e8aea3bf925dac1dbf86127657c39fe5c254 ] Besides the alarm, the PCF8563 also has a timer triggered interrupt. In cases where the previous system left the timer and interrupts on, or somehow the bits got enabled, the interrupt would keep triggering as the kernel doesn't know about it. Clear both the alarm and timer event flags, and disable the interrupts, before requesting the interrupt line. Fixes: ede3e9d47cca ("drivers/rtc/rtc-pcf8563.c: add alarm support") Fixes: a45d528aab8b ("rtc: pcf8563: clear expired alarm at boot time") Signed-off-by: Chen-Yu Tsai Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit b63c849cad9b318bc41085b6c155a6d08fc0bac7 Author: Peter Ujfalusi Date: Thu Jun 20 12:20:02 2019 +0300 ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs [ Upstream commit fd14f4436fd47d5418023c90e933e66d3645552e ] If multiple serializers are connected in the system and the number of channels will need to use more than one serializer the mask to enable the serializers were left to 0 if tdm_mask is provided Fixes: dd55ff8346a97 ("ASoC: davinci-mcasp: Add set_tdm_slots() support") Signed-off-by: Peter Ujfalusi Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 363df59c69f87a51e8c13dccf5da342cb3f46f64 Author: Julian Wiedmann Date: Tue Jun 18 20:43:01 2019 +0200 net/af_iucv: always register net_device notifier [ Upstream commit 06996c1d4088a0d5f3e7789d7f96b4653cc947cc ] Even when running as VM guest (ie pr_iucv != NULL), af_iucv can still open HiperTransport-based connections. For robust operation these connections require the af_iucv_netdev_notifier, so register it unconditionally. Also handle any error that register_netdevice_notifier() returns. Fixes: 9fbd87d41392 ("af_iucv: handle netdev events") Signed-off-by: Julian Wiedmann Reviewed-by: Ursula Braun Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit edfcab71278d5f2949e5dccc092ba7486508594f Author: Jeffrey Hugo Date: Tue May 21 08:00:30 2019 -0700 drm/msm/mdp5: Fix mdp5_cfg_init error return [ Upstream commit fc19cbb785d7bbd1a1af26229b5240a3ab332744 ] If mdp5_cfg_init fails because of an unknown major version, a null pointer dereference occurs. This is because the caller of init expects error pointers, but init returns NULL on error. Fix this by returning the expected values on error. Fixes: 2e362e1772b8 (drm/msm/mdp5: introduce mdp5_cfg module) Signed-off-by: Jeffrey Hugo Reviewed-by: Bjorn Andersson Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit fb5c1d13a7ec4c9609379640dbde96e90deb0509 Author: Nathan Lynch Date: Tue Jun 11 23:45:04 2019 -0500 powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild [ Upstream commit d4aa219a074a5abaf95a756b9f0d190b5c03a945 ] Allow external callers to force the cacheinfo code to release all its references to cache nodes, e.g. before processing device tree updates post-migration, and to rebuild the hierarchy afterward. CPU online/offline must be blocked by callers; enforce this. Fixes: 410bccf97881 ("powerpc/pseries: Partition migration in the kernel") Signed-off-by: Nathan Lynch Reviewed-by: Gautham R. Shenoy Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit a1ab56ebe4785a2aa9a6afab3fe8c20e4325e713 Author: Colin Ian King Date: Tue Jun 4 10:55:15 2019 -0400 media: vivid: fix incorrect assignment operation when setting video mode [ Upstream commit d4ec9550e4b2d2e357a46fdc65d8ef3d4d15984c ] The assigment of FB_VMODE_NONINTERLACE to var->vmode should be a bit-wise or of FB_VMODE_NONINTERLACE instead of an assignment, otherwise the previous clearing of the FB_VMODE_MASK bits of var->vmode makes no sense and is redundant. Addresses-Coverity: ("Unused value") Fixes: ad4e02d5081d ("[media] vivid: add a simple framebuffer device for overlay testing") Signed-off-by: Colin Ian King Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 28dd951dc30615799a1b23e456444494ae80edc0 Author: Eric Dumazet Date: Mon May 27 16:56:48 2019 -0700 inet: frags: call inet_frags_fini() after unregister_pernet_subsys() [ Upstream commit ae7352d384a552d8c799c242e74a934809990a71 ] Both IPv6 and 6lowpan are calling inet_frags_fini() too soon. inet_frags_fini() is dismantling a kmem_cache, that might be needed later when unregister_pernet_subsys() eventually has to remove frags queues from hash tables and free them. This fixes potential use-after-free, and is a prereq for the following patch. Fixes: d4ad4d22e7ac ("inet: frags: use kmem_cache for inet_frag_queue") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8abf19b6ab8bc65cb28e9595cce61274c6e4d88b Author: Eric W. Biederman Date: Wed May 15 12:33:50 2019 -0500 signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig [ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ] The locking in force_sig_info is not prepared to deal with a task that exits or execs (as sighand may change). The is not a locking problem in force_sig as force_sig is only built to handle synchronous exceptions. Further the function force_sig_info changes the signal state if the signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the delivery of the signal. The signal SIGKILL can not be ignored and can not be blocked and SIGNAL_UNKILLABLE won't prevent it from being delivered. So using force_sig rather than send_sig for SIGKILL is confusing and pointless. Because it won't impact the sending of the signal and and because using force_sig is wrong, replace force_sig with send_sig. Cc: Namjae Jeon Cc: Jeff Layton Cc: Steve French Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"") Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code") Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 0e1a75ff1f6288d95c21ca688a8e6326b47b1c8a Author: Lu Baolu Date: Tue May 21 15:27:35 2019 +0800 iommu: Use right function to get group for device [ Upstream commit 57274ea25736496ee019a5c40479855b21888839 ] The iommu_group_get_for_dev() will allocate a group for a device if it isn't in any group. This isn't the use case in iommu_request_dm_for_dev(). Let's use iommu_group_get() instead. Fixes: d290f1e70d85a ("iommu: Introduce iommu_request_dm_for_dev()") Signed-off-by: Lu Baolu Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit a6ba95a3d42442872aa5d520e55c44f9f1d536e9 Author: Nathan Chancellor Date: Fri May 24 09:15:17 2019 -0700 misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa [ Upstream commit b0576f9ecb5c51e9932531d23c447b2739261841 ] Clang warns: drivers/misc/sgi-xp/xpc_partition.c:73:14: warning: variable 'buf' is uninitialized when used within its own initialization [-Wuninitialized] void *buf = buf; ~~~ ^~~ 1 warning generated. Arnd's explanation during review: /* * Returns the physical address of the partition's reserved page through * an iterative number of calls. * * On first call, 'cookie' and 'len' should be set to 0, and 'addr' * set to the nasid of the partition whose reserved page's address is * being sought. * On subsequent calls, pass the values, that were passed back on the * previous call. * * While the return status equals SALRET_MORE_PASSES, keep calling * this function after first copying 'len' bytes starting at 'addr' * into 'buf'. Once the return status equals SALRET_OK, 'addr' will * be the physical address of the partition's reserved page. If the * return status equals neither of these, an error as occurred. */ static inline s64 sn_partition_reserved_page_pa(u64 buf, u64 *cookie, u64 *addr, u64 *len) so *len is set to zero on the first call and tells the bios how many bytes are accessible at 'buf', and it does get updated by the BIOS to tell us how many bytes it needs, and then we allocate that and try again. Fixes: 279290294662 ("[IA64-SGI] cleanup the way XPC locates the reserved page") Link: https://github.com/ClangBuiltLinux/linux/issues/466 Suggested-by: Stephen Hines Reviewed-by: Arnd Bergmann Reviewed-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2389e920738ff75f298277b19345c80a05dc4ada Author: Christophe Leroy Date: Wed May 22 11:00:36 2019 +0000 spi: spi-fsl-spi: call spi_finalize_current_message() at the end [ Upstream commit 44a042182cb1e9f7916e015c836967bf638b33c4 ] spi_finalize_current_message() shall be called once all actions are finished, otherwise the last actions might step over a newly started transfer. Fixes: c592becbe704 ("spi: fsl-(e)spi: migrate to generic master queueing") Signed-off-by: Christophe Leroy Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d7a22c3b13abb1bb9021171b0bd1abfe7bca15dd Author: Matthias Kaehlcke Date: Thu May 2 11:32:38 2019 -0700 thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power [ Upstream commit bf45ac18b78038e43af3c1a273cae4ab5704d2ce ] The CPU load values passed to the thermal_power_cpu_get_power tracepoint are zero for all CPUs, unless, unless the thermal_power_cpu_limit tracepoint is enabled too: irq/41-rockchip-98 [000] .... 290.972410: thermal_power_cpu_get_power: cpus=0000000f freq=1800000 load={{0x0,0x0,0x0,0x0}} dynamic_power=4815 vs irq/41-rockchip-96 [000] .... 95.773585: thermal_power_cpu_get_power: cpus=0000000f freq=1800000 load={{0x56,0x64,0x64,0x5e}} dynamic_power=4959 irq/41-rockchip-96 [000] .... 95.773596: thermal_power_cpu_limit: cpus=0000000f freq=408000 cdev_state=10 power=416 There seems to be no good reason for omitting the CPU load information depending on another tracepoint. My guess is that the intention was to check whether thermal_power_cpu_get_power is (still) enabled, however 'load_cpu != NULL' already indicates that it was at least enabled when cpufreq_get_requested_power() was entered, there seems little gain from omitting the assignment if the tracepoint was just disabled, so just remove the check. Fixes: 6828a4711f99 ("thermal: add trace events to the power allocator governor") Signed-off-by: Matthias Kaehlcke Reviewed-by: Daniel Lezcano Acked-by: Javi Merino Acked-by: Viresh Kumar Signed-off-by: Eduardo Valentin Signed-off-by: Sasha Levin commit a5dad3ac3c5722b8f31c05cf72297ba19998309b Author: Brian Masney Date: Wed Apr 24 05:25:03 2019 -0400 backlight: lm3630a: Return 0 on success in update_status functions [ Upstream commit d3f48ec0954c6aac736ab21c34a35d7554409112 ] lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status() both return the brightness value if the brightness was successfully updated. Writing to these attributes via sysfs would cause a 'Bad address' error to be returned. These functions should return 0 on success, so let's change it to correct that error. Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision") Signed-off-by: Brian Masney Acked-by: Pavel Machek Acked-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit bfe9388e57f525d10a556ac476f55a4143f68413 Author: Dan Carpenter Date: Mon May 6 15:50:18 2019 +0300 kdb: do a sanity check on the cpu in kdb_per_cpu() [ Upstream commit b586627e10f57ee3aa8f0cfab0d6f7dc4ae63760 ] The "whichcpu" comes from argv[3]. The cpu_online() macro looks up the cpu in a bitmap of online cpus, but if the value is too high then it could read beyond the end of the bitmap and possibly Oops. Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Dan Carpenter Reviewed-by: Douglas Anderson Signed-off-by: Daniel Thompson Signed-off-by: Sasha Levin commit 15e94dd34af65b4a16857a572bab54893df5321d Author: Russell King Date: Sat Apr 27 22:43:49 2019 +0100 ARM: riscpc: fix lack of keyboard interrupts after irq conversion [ Upstream commit 63a0666bca9311f35017be454587f3ba903644b8 ] Fix lack of keyboard interrupts for RiscPC due to incorrect conversion. Fixes: e8d36d5dbb6a ("ARM: kill off set_irq_flags usage") Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 45c7a78e84c126862a8d60646989dc7e61bdc656 Author: Florian Westphal Date: Sun May 5 18:47:33 2019 +0200 netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule [ Upstream commit 680f6af5337c98d116e4f127cea7845339dba8da ] If userspace provides a rule blob with trailing data after last target, we trigger a splat, then convert ruleset to 64bit format (with trailing data), then pass that to do_replace_finish() which then returns -EINVAL. Erroring out right away avoids the splat plus unneeded translation and error unwind. Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") Reported-by: Tetsuo Handa Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit fa99c9a3a86809d95eaab47a32b4410ad6cecbaa Author: Dan Carpenter Date: Wed Apr 24 12:44:18 2019 +0300 platform/x86: alienware-wmi: printing the wrong error code [ Upstream commit 6d1f8b3d75419a8659ac916a1e9543bb3513a882 ] The "out_data" variable is uninitialized at the point. Originally, this used to print "status" instead and that seems like the correct thing to print. Fixes: bc2ef884320b ("alienware-wmi: For WMAX HDMI method, introduce a way to query HDMI cable status") Signed-off-by: Dan Carpenter Reviewed-by: Mario Limonciello Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 7aa9ac350e773146592920099f0613883e4a7abd Author: Dan Carpenter Date: Wed Apr 24 05:46:27 2019 -0400 media: davinci/vpbe: array underflow in vpbe_enum_outputs() [ Upstream commit b72845ee5577b227131b1fef23f9d9a296621d7b ] In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but the problem is that "temp_index" can be negative. This patch changes the types to unsigned to address this array underflow bug. Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver") Signed-off-by: Dan Carpenter Acked-by: "Lad, Prabhakar" Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 92c81b011775600c665ce0d9b0cb576c4c62b65b Author: Dan Carpenter Date: Thu Apr 11 05:01:57 2019 -0400 media: omap_vout: potential buffer overflow in vidioc_dqbuf() [ Upstream commit dd6e2a981bfe83aa4a493143fd8cf1edcda6c091 ] The "b->index" is a u32 the comes from the user in the ioctl. It hasn't been checked. We aren't supposed to use it but we're instead supposed to use the value that gets written to it when we call videobuf_dqbuf(). The videobuf_dqbuf() first memsets it to zero and then re-initializes it inside the videobuf_status() function. It's this final value which we want. Hans Verkuil pointed out that we need to check the return from videobuf_dqbuf(). I ended up doing a little cleanup related to that as well. Fixes: 72915e851da9 ("[media] V4L2: OMAP: VOUT: dma map and unmap v4l2 buffers in qbuf and dqbuf") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4b9842ccc89ad94dcaedaba37ab627ebbca62a0f Author: Lu Baolu Date: Thu May 2 09:34:26 2019 +0800 iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU [ Upstream commit 5daab58043ee2bca861068e2595564828f3bc663 ] The kernel parameter igfx_off is used by users to disable DMA remapping for the Intel integrated graphic device. It was designed for bare metal cases where a dedicated IOMMU is used for graphic. This doesn't apply to virtual IOMMU case where an include-all IOMMU is used. This makes the kernel parameter work with virtual IOMMU as well. Cc: Ashok Raj Cc: Jacob Pan Suggested-by: Kevin Tian Fixes: c0771df8d5297 ("intel-iommu: Export a flag indicating that the IOMMU is used for iGFX.") Signed-off-by: Lu Baolu Tested-by: Zhenyu Wang Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 3fdae480f46efefa691ee73502e066df40a9eb23 Author: Jack Morgenstein Date: Wed May 1 08:38:30 2019 +0300 IB/mlx5: Add missing XRC options to QP optional params mask [ Upstream commit 8f4426aa19fcdb9326ac44154a117b1a3a5ae126 ] The QP transition optional parameters for the various transition for XRC QPs are identical to those for RC QPs. Many of the XRC QP transition optional parameter bits are missing from the QP optional mask table. These omissions caused failures when doing XRC QP state transitions. For example, when trying to change the response timer of an XRC receive QP via the RTS2RTS transition, the new timer value was ignored because MLX5_QP_OPTPAR_RNR_TIMEOUT bit was missing from the optional params mask for XRC qps for the RTS2RTS transition. Fix this by adding the missing XRC optional parameters for all QP transitions to the opt_mask table. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Fixes: a4774e9095de ("IB/mlx5: Fix opt param mask according to firmware spec") Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 79bd1f896eb19d2df01aa2323273b4515b940ffc Author: Jerome Brunet Date: Mon Apr 29 11:47:49 2019 +0200 ASoC: fix valid stream condition [ Upstream commit 6a7c59c6d9f3b280e81d7a04bbe4e55e90152dce ] A stream may specify a rate range using 'rate_min' and 'rate_max', so a stream may be valid and not specify any rates. However, as stream cannot be valid and not have any channel. Let's use this condition instead to determine if a stream is valid or not. Fixes: cde79035c6cf ("ASoC: Handle multiple codecs with split playback / capture") Signed-off-by: Jerome Brunet Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 44deffb6beb951214db88f14e192b5e6b6f1ad4e Author: Willem de Bruijn Date: Mon Apr 29 11:46:55 2019 -0400 packet: in recvmsg msg_name return at least sizeof sockaddr_ll [ Upstream commit b2cf86e1563e33a14a1c69b3e508d15dc12f804c ] Packet send checks that msg_name is at least sizeof sockaddr_ll. Packet recv must return at least this length, so that its output can be passed unmodified to packet send. This ceased to be true since adding support for lladdr longer than sll_addr. Since, the return value uses true address length. Always return at least sizeof sockaddr_ll, even if address length is shorter. Zero the padding bytes. Change v1->v2: do not overwrite zeroed padding again. use copy_len. Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") Suggested-by: David Laight Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ca94fad7cff0c43952e82199dbe0de5889934d9d Author: Takashi Iwai Date: Wed Apr 24 13:00:03 2019 +0200 ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk() [ Upstream commit 328e9f6973be2ee67862cb17bf6c0c5c5918cd72 ] The error from snd_usb_mixer_apply_create_quirk() is ignored in the current usb-audio driver code, which will continue the probing even after the error. Let's take it more serious. Fixes: 7b1eda223deb ("ALSA: usb-mixer: factor out quirks") Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 5e44371ca7febd42f3fa9d372e4071d0e6b27bc9 Author: Alexandru Ardelean Date: Tue Mar 26 16:05:20 2019 +0200 dmaengine: axi-dmac: Don't check the number of frames for alignment [ Upstream commit 648865a79d8ee3d1aa64aab5eb2a9d12eeed14f9 ] In 2D transfers (for the AXI DMAC), the number of frames (numf) represents Y_LENGTH, and the length of a frame is X_LENGTH. 2D transfers are useful for video transfers where screen resolutions ( X * Y ) are typically aligned for X, but not for Y. There is no requirement for Y_LENGTH to be aligned to the bus-width (or anything), and this is also true for AXI DMAC. Checking the Y_LENGTH for alignment causes false errors when initiating DMA transfers. This change fixes this by checking only that the Y_LENGTH is non-zero. Fixes: 0e3b67b348b8 ("dmaengine: Add support for the Analog Devices AXI-DMAC DMA controller") Signed-off-by: Alexandru Ardelean Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4271d07335ff71bc6e0f257b73221d08cd3ecb09 Author: Dan Carpenter Date: Wed Apr 3 08:34:16 2019 +0300 6lowpan: Off by one handling ->nexthdr [ Upstream commit f57c4bbf34439531adccd7d3a4ecc14f409c1399 ] NEXTHDR_MAX is 255. What happens here is that we take a u8 value "hdr->nexthdr" from the network and then look it up in lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff then we read one element beyond the end of the array so the array needs to be one element larger. Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface") Signed-off-by: Dan Carpenter Acked-by: Jukka Rissanen Acked-by: Alexander Aring Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit ad584317ddab405113663e13b322ff91e1e67ddd Author: Akinobu Mita Date: Sat Mar 30 10:01:32 2019 -0400 media: ov2659: fix unbalanced mutex_lock/unlock [ Upstream commit 384538bda10913e5c94ec5b5d34bd3075931bcf4 ] Avoid returning with mutex locked. Fixes: fa8cb6444c32 ("[media] ov2659: Don't depend on subdev API") Cc: "Lad, Prabhakar" Signed-off-by: Akinobu Mita Acked-by: Lad, Prabhakar Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8f84ab785918a524907844aa4cf6cd34ffea65d3 Author: Ben Hutchings Date: Fri Mar 22 04:24:37 2019 +0000 powerpc: vdso: Make vdso32 installation conditional in vdso_install [ Upstream commit ff6d27823f619892ab96f7461764840e0d786b15 ] The 32-bit vDSO is not needed and not normally built for 64-bit little-endian configurations. However, the vdso_install target still builds and installs it. Add the same config condition as is normally used for the build. Fixes: e0d005916994 ("powerpc/vdso: Disable building the 32-bit VDSO ...") Signed-off-by: Ben Hutchings Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit ab6276c251b5c5d8ef194d67445936e4f83be818 Author: Jie Liu Date: Tue Apr 16 13:10:09 2019 +0800 tipc: set sysctl_tipc_rmem and named_timeout right range [ Upstream commit 4bcd4ec1017205644a2697bccbc3b5143f522f5f ] We find that sysctl_tipc_rmem and named_timeout do not have the right minimum setting. sysctl_tipc_rmem should be larger than zero, like sysctl_tcp_rmem. And named_timeout as a timeout setting should be not less than zero. Fixes: cc79dd1ba9c10 ("tipc: change socket buffer overflow control to respect sk_rcvbuf") Fixes: a5325ae5b8bff ("tipc: add name distributor resiliency queue") Signed-off-by: Jie Liu Reported-by: Qiang Ning Reviewed-by: Zhiqiang Liu Reviewed-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 55865d61eda4f53658620b5239ff7af257713cdb Author: Guenter Roeck Date: Fri Apr 5 08:44:41 2019 -0700 hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses [ Upstream commit e95fd518d05bfc087da6fcdea4900a57cfb083bd ] Super-IO accesses may fail on a system with no or unmapped LPC bus. Also, other drivers may attempt to access the LPC bus at the same time, resulting in undefined behavior. Use request_muxed_region() to ensure that IO access on the requested address space is supported, and to ensure that access by multiple drivers is synchronized. Fixes: b72656dbc491 ("hwmon: (w83627hf) Stop using globals for I/O port numbers") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 4c6cf62c5c574e12687922b6490ff980a1082d39 Author: YueHaibing Date: Tue Jan 29 16:03:24 2019 +0800 ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data" [ Upstream commit 9ee8578d953023cc57e7e736ae48502c707c0210 ] Since commit 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions") kfree, iounmap, clk_put etc are not needed anymore in remove path. Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions") Signed-off-by: YueHaibing [ commit message spelling fix ] Signed-off-by: Robert Jarzmik Signed-off-by: Sasha Levin commit de398a5536f7b2727f1f25ba4a00c5c8097e3467 Author: Bart Van Assche Date: Thu Apr 4 12:44:46 2019 -0700 scsi: qla2xxx: Unregister chrdev if module initialization fails [ Upstream commit c794d24ec9eb6658909955772e70f34bef5b5b91 ] If module initialization fails after the character device has been registered, unregister the character device. Additionally, avoid duplicating error path code. Cc: Himanshu Madhani Cc: Giridhar Malavali Fixes: 6a03b4cd78f3 ("[SCSI] qla2xxx: Add char device to increase driver use count") # v2.6.35. Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 10d3c35e174f971cafa03fdbb7520b8596becfc8 Author: YueHaibing Date: Wed Apr 3 15:47:59 2019 +0800 ehea: Fix a copy-paste err in ehea_init_port_res [ Upstream commit c8f191282f819ab4e9b47b22a65c6c29734cefce ] pr->tx_bytes should be assigned to tx_bytes other than rx_bytes. Reported-by: Hulk Robot Fixes: ce45b873028f ("ehea: Fixing statistics") Signed-off-by: YueHaibing Reviewed-by: Mukesh Ojha Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d81311b3575ff27b40dab8d798e4e32dd58faf10 Author: Martin Sperl Date: Sat Mar 30 09:31:02 2019 +0000 spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios [ Upstream commit 509c583620e9053e43d611bf1614fc3d3abafa96 ] The original driver by default defines num_chipselects as -1. This actually allicates an array of 65535 entries in of_spi_register_master. There is a side-effect for buggy device trees that (contrary to dt-binding documentation) have no cs-gpio defined. This mode was never supported by the driver due to limitations of native cs and additional code complexity and is explicitly not stated to be implemented. To keep backwards compatibility with such buggy DTs we limit the number of chip_selects to 1, as for all practical purposes it is only ever realistic to use a single chip select in native cs mode without negative side-effects. Fixes: 1ea29b39f4c812ec ("spi: bcm2835aux: add bcm2835 auxiliary spi device...") Signed-off-by: Martin Sperl Acked-by: Stefan Wahren Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0edaf8b195db6f11eec1eb2c12ba5b5ae6cc6df6 Author: Dan Carpenter Date: Thu Mar 28 17:18:41 2019 +0300 soc/fsl/qe: Fix an error code in qe_pin_request() [ Upstream commit 5674a92ca4b7e5a6a19231edd10298d30324cd27 ] We forgot to set "err" on this error path. Fixes: 1a2d397a6eb5 ("gpio/powerpc: Eliminate duplication of of_get_named_gpio_flags()") Signed-off-by: Dan Carpenter Signed-off-by: Li Yang Signed-off-by: Sasha Levin commit a56dd081672c2b0bc932b11f1c1c38041bda8dfb Author: Sowjanya Komatineni Date: Tue Mar 26 22:56:24 2019 -0700 spi: tegra114: fix for unpacked mode transfers [ Upstream commit 1a89ac5b91895127f7c586ec5075c3753ca25501 ] Fixes: computation of actual bytes to fill/receive in/from FIFO in unpacked mode when transfer length is not a multiple of requested bits per word. unpacked mode transfers fails when the transfer includes partial bytes in the last word. Total words to be written/read to/from FIFO is computed based on transfer length and bits per word. Unpacked mode includes 0 padding bytes for partial words to align with bits per word and these extra bytes are also accounted for calculating bytes left to transfer in the current driver. This causes extra bytes access of tx/rx buffers along with buffer index position crossing actual length where remain_len becomes negative and due to unsigned type, negative value is a 32 bit representation of signed value and transferred bytes never meets the actual transfer length resulting in transfer timeout and a hang. This patch fixes this with proper computation of the actual bytes to fill in FIFO during transmit and the actual bytes to read from FIFO during receive ignoring 0 padded bytes. Signed-off-by: Sowjanya Komatineni Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 980fc8d0379e96b3655e1a61206c94e5794d7c60 Author: Sowjanya Komatineni Date: Tue Mar 26 22:56:23 2019 -0700 spi: tegra114: clear packed bit for unpacked mode [ Upstream commit 7b3d10cdf54b8bc1dc0da21faed9789ac4da3684 ] Fixes: Clear packed bit when not using packed mode. Packed bit is not cleared when not using packed mode. This results in transfer timeouts for the unpacked mode transfers followed by the packed mode transfers. Signed-off-by: Sowjanya Komatineni Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f58b53315ed48ce5e56673523632f1797c4e5a03 Author: Arnd Bergmann Date: Fri Mar 22 10:34:22 2019 -0400 media: davinci-isif: avoid uninitialized variable use [ Upstream commit 0e633f97162c1c74c68e2eb20bbd9259dce87cd9 ] clang warns about a possible variable use that gcc never complained about: drivers/media/platform/davinci/isif.c:982:32: error: variable 'frame_size' is uninitialized when used here [-Werror,-Wuninitialized] dm365_vpss_set_pg_frame_size(frame_size); ^~~~~~~~~~ drivers/media/platform/davinci/isif.c:887:2: note: variable 'frame_size' is declared here struct vpss_pg_frame_size frame_size; ^ 1 error generated. There is no initialization for this variable at all, and there has never been one in the mainline kernel, so we really should not put that stack data into an mmio register. On the other hand, I suspect that gcc checks the condition more closely and notices that the global isif_cfg.bayer.config_params.test_pat_gen flag is initialized to zero and never written to from any code path, so anything depending on it can be eliminated. To shut up the clang warning, just remove the dead code manually, it has probably never been used because any attempt to do so would have resulted in undefined behavior. Fixes: 63e3ab142fa3 ("V4L/DVB: V4L - vpfe capture - source for ISIF driver on DM365") Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Acked-by: Lad, Prabhakar Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d3263a55cbec60cde2bae3ce0828f6afe25afdf1 Author: Tony Lindgren Date: Thu Mar 21 11:00:21 2019 -0700 ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset() [ Upstream commit 7f0d078667a494466991aa7133f49594f32ff6a2 ] Commit 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior") made the call to _enable() conditional based on no oh->rst_lines_cnt. This caused the return value to be potentially uninitialized. Curiously we see no compiler warnings for this, probably as this gets inlined. We call _setup_reset() from _setup() and only _setup_postsetup() if the return value is zero. Currently the return value can be uninitialized for cases where oh->rst_lines_cnt is set and HWMOD_INIT_NO_RESET is not set. Fixes: 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior") Cc: Paul Walmsley Cc: Tero Kristo Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 1f4738fa3e743a3bb29d64efbb8f428b1720c145 Author: Finn Thain Date: Sat Dec 1 11:53:10 2018 +1100 m68k: mac: Fix VIA timer counter accesses [ Upstream commit 0ca7ce7db771580433bf24454f7a1542bd326078 ] This resolves some bugs that affect VIA timer counter accesses. Avoid lost interrupts caused by reading the counter low byte register. Make allowance for the fact that the counter will be decremented to 0xFFFF before being reloaded. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 6427ae06e4026d1e7dc75d8bc1c211f75b3ca0fc Author: Arnd Bergmann Date: Fri Mar 22 15:19:16 2019 +0100 jfs: fix bogus variable self-initialization [ Upstream commit a5fdd713d256887b5f012608701149fa939e5645 ] A statement was originally added in 2006 to shut up a gcc warning, now but now clang warns about it: fs/jfs/jfs_txnmgr.c:1932:15: error: variable 'pxd' is uninitialized when used within its own initialization [-Werror,-Wuninitialized] pxd_t pxd = pxd; /* truncated extent of xad */ ~~~ ^~~ Modern versions of gcc are fine without the silly assignment, so just drop it. Tested with gcc-4.6 (released 2011), 4.7, 4.8, and 4.9. Fixes: c9e3ad6021e5 ("JFS: Get rid of "may be used uninitialized" warnings") Signed-off-by: Arnd Bergmann Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit cd3e61eee354e97ca3ca6aba5578790288960921 Author: Nicholas Mc Guire Date: Sat Jan 19 22:52:23 2019 -0500 media: cx23885: check allocation return [ Upstream commit a3d7f22ef34ec4206b50ee121384d5c8bebd5591 ] Checking of kmalloc() seems to have been committed - as cx23885_dvb_register() is checking for != 0 return, returning -ENOMEM should be fine here. While at it address the coccicheck suggestion to move to kmemdup rather than using kmalloc+memcpy. Fixes: 46b21bbaa8a8 ("[media] Add support for DViCO FusionHDTV DVB-T Dual Express2") Signed-off-by: Nicholas Mc Guire Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7b75beadcde0f67db33a6e5af9860f47ab3374ec Author: Dan Carpenter Date: Wed Mar 6 02:27:43 2019 -0500 media: wl128x: Fix an error code in fm_download_firmware() [ Upstream commit ef4bb63dc1f7213c08e13f6943c69cd27f69e4a3 ] We forgot to set "ret" on this error path. Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3ce032f4969319e9a8620a5fb40f990f240ad569 Author: Dan Carpenter Date: Fri Feb 22 01:37:02 2019 -0500 media: cx18: update *pos correctly in cx18_read_pos() [ Upstream commit 7afb0df554292dca7568446f619965fb8153085d ] We should be updating *pos. The current code is a no-op. Fixes: 1c1e45d17b66 ("V4L/DVB (7786): cx18: new driver for the Conexant CX23418 MPEG encoder chip") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bfc0cc59f8966968d2837c40777f65ffad2c942c Author: Dan Carpenter Date: Fri Feb 22 01:36:41 2019 -0500 media: ivtv: update *pos correctly in ivtv_read_pos() [ Upstream commit f8e579f3ca0973daef263f513da5edff520a6c0d ] We had intended to update *pos, but the current code is a no-op. Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4cd8874e3348ed27931de2427c637127b2b23fa4 Author: Kangjie Lu Date: Tue Mar 12 02:43:18 2019 -0500 net: sh_eth: fix a missing check of of_get_phy_mode [ Upstream commit 035a14e71f27eefa50087963b94cbdb3580d08bf ] of_get_phy_mode may fail and return a negative error code; the fix checks the return value of of_get_phy_mode and returns NULL of it fails. Fixes: b356e978e92f ("sh_eth: add device tree support") Signed-off-by: Kangjie Lu Reviewed-by: Sergei Shtylyov Reviewed-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7c7d32d6927bf5b3f5434f73e03d58827b42b184 Author: Dan Carpenter Date: Thu Mar 7 08:41:22 2019 +0300 xen, cpu_hotplug: Prevent an out of bounds access [ Upstream commit 201676095dda7e5b31a5e1d116d10fc22985075e ] The "cpu" variable comes from the sscanf() so Smatch marks it as untrusted data. We can't pass a higher value than "nr_cpu_ids" to cpu_possible() or it results in an out of bounds access. Fixes: d68d82afd4c8 ("xen: implement CPU hotplugging") Signed-off-by: Dan Carpenter Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 7a00814a95209e7d2e3fc3932d24d679de83576e Author: Steve Sistare Date: Fri Mar 1 06:46:28 2019 -0800 scsi: megaraid_sas: reduce module load time [ Upstream commit 31b6a05f86e690e1818116fd23c3be915cc9d9ed ] megaraid_sas takes 1+ seconds to load while waiting for firmware: [2.822603] megaraid_sas 0000:03:00.0: Waiting for FW to come to ready state [3.871003] megaraid_sas 0000:03:00.0: FW now in Ready state This is due to the following loop in megasas_transition_to_ready(), which waits a minimum of 1 second, even though the FW becomes ready in tens of millisecs: /* * The cur_state should not last for more than max_wait secs */ for (i = 0; i < max_wait; i++) { ... msleep(1000); ... dev_info(&instance->pdev->dev, "FW now in Ready state\n"); This is a regression, caused by a change of the msleep granularity from 1 to 1000 due to concern about waiting too long on systems with coarse jiffies. To fix, increase iterations and use msleep(20), which results in: [2.670627] megaraid_sas 0000:03:00.0: Waiting for FW to come to ready state [2.739386] megaraid_sas 0000:03:00.0: FW now in Ready state Fixes: fb2f3e96d80f ("scsi: megaraid_sas: Fix msleep granularity") Signed-off-by: Steve Sistare Acked-by: Sumit Saxena Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 33146a67a126bc469439ca6f25c0fe7fc1ad00e9 Author: Guenter Roeck Date: Wed Nov 7 10:36:10 2018 +0800 nios2: ksyms: Add missing symbol exports [ Upstream commit 0f8ed994575429d6042cf5d7ef70081c94091587 ] Building nios2:allmodconfig fails as follows (each symbol is only listed once). ERROR: "__ashldi3" [drivers/md/dm-writecache.ko] undefined! ERROR: "__ashrdi3" [fs/xfs/xfs.ko] undefined! ERROR: "__ucmpdi2" [drivers/media/i2c/adv7842.ko] undefined! ERROR: "__lshrdi3" [drivers/md/dm-zoned.ko] undefined! ERROR: "flush_icache_range" [drivers/misc/lkdtm/lkdtm.ko] undefined! ERROR: "empty_zero_page" [drivers/md/dm-mod.ko] undefined! The problem is seen with gcc 7.3.0. Export the missing symbols. Fixes: 2fc8483fdcde ("nios2: Build infrastructure") Signed-off-by: Guenter Roeck Signed-off-by: Ley Foon Tan Signed-off-by: Sasha Levin commit eaadc0d5f809c29da9ce7367305adddac5e2cba8 Author: Axel Lin Date: Sun Feb 24 21:16:51 2019 +0800 regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA [ Upstream commit c25d47888f0fb3d836d68322d4aea2caf31a75a6 ] The wm831x_dcdc_ilim entries needs to be uA because it is used to compare with min_uA and max_uA. While at it also make the array const and change to use unsigned int. Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support") Signed-off-by: Axel Lin Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 865c87979315c668133451226dfc7ed8e733cf9f Author: Marek Szyprowski Date: Mon Feb 18 09:31:41 2019 +0100 ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used [ Upstream commit ca70ea43f80c98582f5ffbbd1e6f4da2742da0c4 ] MCPM does a soft reset of the CPUs and uses common cpu_resume() routine to perform low-level platform initialization. This results in a try to install HYP stubs for the second time for each CPU and results in false HYP/SVC mode mismatch detection. The HYP stubs are already installed at the beginning of the kernel initialization on the boot CPU (head.S) or in the secondary_startup() for other CPUs. To fix this issue MCPM code should use a cpu_resume() routine without HYP stubs installation. This change fixes HYP/SVC mode mismatch on Samsung Exynos5422-based Odroid XU3/XU4/HC1 boards. Fixes: 3721924c8154 ("ARM: 8081/1: MCPM: provide infrastructure to allow for MCPM loopback") Signed-off-by: Marek Szyprowski Acked-by: Nicolas Pitre Tested-by: Anand Moon Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 40ae643c0790d6e22a10dd7865bc75090b04ff6a Author: Chen-Yu Tsai Date: Thu Jan 10 14:22:07 2019 +0800 clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable [ Upstream commit e7e7e0d7beafebd11b0c065cd5fbc1e5759c5aab ] If the clock tree is not fully populated when the timer-sun5i init code is called, attempts to get the clock rate for the timer would fail and return 0. Make the init code for both clock events and clocksource check the returned clock rate and fail gracefully if the result is 0, instead of causing a divide by 0 exception later on. Fixes: 4a59058f0b09 ("clocksource/drivers/sun5i: Refactor the current code") Signed-off-by: Chen-Yu Tsai Acked-by: Maxime Ripard Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 983f90b9ccb944bd12866faf151900679d95f17d Author: Eric W. Biederman Date: Wed Jan 30 07:58:38 2019 -0600 fs/nfs: Fix nfs_parse_devname to not modify it's argument [ Upstream commit 40cc394be1aa18848b8757e03bd8ed23281f572e ] In the rare and unsupported case of a hostname list nfs_parse_devname will modify dev_name. There is no need to modify dev_name as the all that is being computed is the length of the hostname, so the computed length can just be shorted. Fixes: dc04589827f7 ("NFS: Use common device name parsing logic for NFSv4 and NFSv2/v3") Signed-off-by: "Eric W. Biederman" Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 00b71397e89d5a8b0bbfeccc92110d05d6bf11eb Author: Takashi Iwai Date: Tue Feb 19 16:46:50 2019 +0100 ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of() [ Upstream commit 8d1667200850f8753c0265fa4bd25c9a6e5f94ce ] The apq8016 driver leaves the of-node refcount at aborting from the loop of for_each_child_of_node() in the error path. Not only the iterator node of for_each_child_of_node(), the children nodes referred from it for codec and cpu have to be properly unreferenced. Fixes: bdb052e81f62 ("ASoC: qcom: add apq8016 sound card support") Cc: Patrick Lai Cc: Banajit Goswami Signed-off-by: Takashi Iwai Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dac3ac0c9c146f9de4a6eb5c9d71365dde95bb16 Author: Colin Ian King Date: Wed Dec 19 15:29:49 2018 +0000 drm/nouveau/pmu: don't print reply values if exec is false [ Upstream commit b1d03fc36ec9834465a08c275c8d563e07f6f6bf ] Currently the uninitialized values in the array reply are printed out when exec is false and nvkm_pmu_send has not updated the array. Avoid confusion by only dumping out these values if they have been actually updated. Detected by CoverityScan, CID#1271291 ("Uninitialized scaler variable") Fixes: ebb58dc2ef8c ("drm/nouveau/pmu: rename from pwr (no binary change)") Signed-off-by: Colin Ian King Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit c83057a12e352608bfc490c044ba8954946b5a39 Author: Colin Ian King Date: Sun Nov 25 17:09:18 2018 +0000 drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON [ Upstream commit 13649101a25c53c87f4ab98a076dfe61f3636ab1 ] Currently, the expression for calculating RON is always going to result in zero no matter the value of ram->mr[1] because the ! operator has higher precedence than the shift >> operator. I believe the missing parentheses around the expression before appying the ! operator will result in the desired result. [ Note, not tested ] Detected by CoveritScan, CID#1324005 ("Operands don't affect result") Fixes: c25bf7b6155c ("drm/nouveau/bios/ramcfg: Separate out RON pull value") Signed-off-by: Colin Ian King Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit e03cf0b6b3e7540d7a9445c62fa38db59bd806ad Author: YueHaibing Date: Mon Feb 18 22:34:51 2019 +0800 cdc-wdm: pass return value of recover_from_urb_loss [ Upstream commit 0742a338f5b3446a26de551ad8273fb41b2787f2 ] 'rv' is the correct return value, pass it upstream instead of 0 Fixes: 17d80d562fd7 ("USB: autosuspend for cdc-wdm") Signed-off-by: YueHaibing Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 700983bf02309fd4417d8bcab91dc0ff758c1c03 Author: Eric Auger Date: Fri Feb 15 17:16:06 2019 +0100 vfio_pci: Enable memory accesses before calling pci_map_rom [ Upstream commit 0cfd027be1d6def4a462cdc180c055143af24069 ] pci_map_rom/pci_get_rom_size() performs memory access in the ROM. In case the Memory Space accesses were disabled, readw() is likely to trigger a synchronous external abort on some platforms. In case memory accesses were disabled, re-enable them before the call and disable them back again just after. Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver") Signed-off-by: Eric Auger Suggested-by: Alex Williamson Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 3880087c26c4c26698fbb1c05f3265f674554aab Author: Ming Lei Date: Fri Feb 15 19:13:08 2019 +0800 block: don't use bio->bi_vcnt to figure out segment number [ Upstream commit 1a67356e9a4829da2935dd338630a550c59c8489 ] It is wrong to use bio->bi_vcnt to figure out how many segments there are in the bio even though CLONED flag isn't set on this bio, because this bio may be splitted or advanced. So always use bio_segments() in blk_recount_segments(), and it shouldn't cause any performance loss now because the physical segment number is figured out in blk_queue_split() and BIO_SEG_VALID is set meantime since bdced438acd83ad83a6c ("block: setup bi_phys_segments after splitting"). Reviewed-by: Omar Sandoval Reviewed-by: Christoph Hellwig Fixes: 76d8137a3113 ("blk-merge: recaculate segment if it isn't less than max segments") Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 7851ef08d7404db0ae1a3d2d41705c0d772ace5b Author: Geert Uytterhoeven Date: Wed Jan 23 16:51:21 2019 +0100 pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups [ Upstream commit 0e6e448bdcf896d001a289a6112a704542d51516 ] There are two pin groups for the FSIC SPDIF signal, but the FSIC pin group array lists only one, and it refers to a nonexistent group. Fixes: 2ecd4154c906b7d6 ("sh-pfc: sh73a0: Add FSI pin groups and functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit fec766621509079aab26fcaa0d6217217cd864b1 Author: Geert Uytterhoeven Date: Wed Jan 23 17:07:43 2019 +0100 pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group [ Upstream commit a4b0350047f1b10207e25e72d7cd3f7826e93769 ] The entry for "scifb2_data_c" in the SCIFB2 pin group array contains a typo, thus the group cannot be selected. Fixes: 5088451962389924 ("pinctrl: sh-pfc: r8a7791 PFC support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit d5abc3f25da37884ac04491eae4530a9a48f595f Author: Geert Uytterhoeven Date: Thu Jan 24 13:04:52 2019 +0100 pinctrl: sh-pfc: emev2: Add missing pinmux functions [ Upstream commit 1ecd8c9cb899ae277e6986ae134635cb1a50f5de ] The err_rst_reqb, ext_clki, lowpwr, and ref_clko pin groups are present, but no pinmux functions refer to them, hence they can not be selected. Fixes: 1e7d5d849cf4f0c5 ("sh-pfc: Add emev2 pinmux support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit d770aa5b6bbf69ba3f86f1bb30af5cd0104bc1e2 Author: YueHaibing Date: Fri Feb 8 19:24:45 2019 +0100 fbdev: chipsfb: remove set but not used variable 'size' [ Upstream commit 8e71fa5e4d86bedfd26df85381d65d6b4c860020 ] Fixes gcc '-Wunused-but-set-variable' warning: drivers/video/fbdev/chipsfb.c: In function 'chipsfb_pci_init': drivers/video/fbdev/chipsfb.c:352:22: warning: variable 'size' set but not used [-Wunused-but-set-variable] Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK"). Signed-off-by: YueHaibing Acked-by: Michael Ellerman Cc: Daniel Vetter Cc: Christophe Leroy [b.zolnierkie: minor commit summary and description fixups] Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin commit 6ef64386c92cfb1fa756adbb4375c94154b74bce Author: Colin Ian King Date: Wed Feb 6 10:31:02 2019 +0000 rtc: pm8xxx: fix unintended sign extension [ Upstream commit e42280886018c6f77f0a90190f7cba344b0df3e0 ] Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#1309693 ("Unintended sign extension") Fixes: 9a9a54ad7aa2 ("drivers/rtc: add support for Qualcomm PMIC8xxx RTC") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 5c2c02e4a841ad902e8537467e0254e1ebd15e2f Author: Colin Ian King Date: Wed Feb 6 10:08:11 2019 +0000 rtc: 88pm80x: fix unintended sign extension [ Upstream commit fb0b322537a831b5b0cb948c56f8f958ce493d3a ] Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#714646-714649 ("Unintended sign extension") Fixes: 2985c29c1964 ("rtc: Add rtc support to 88PM80X PMIC") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 0800bfa87f68342fc030d31fb3756b2a669eab33 Author: Colin Ian King Date: Wed Feb 6 09:50:53 2019 +0000 rtc: 88pm860x: fix unintended sign extension [ Upstream commit dc9e47160626cdb58d5c39a4f43dcfdb27a5c004 ] Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#144925-144928 ("Unintended sign extension") Fixes: 008b30408c40 ("mfd: Add rtc support to 88pm860x") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 2ae344cd19ee293565975688a2cd2093596856a0 Author: Colin Ian King Date: Tue Feb 5 18:04:49 2019 +0000 rtc: ds1672: fix unintended sign extension [ Upstream commit f0c04c276739ed8acbb41b4868e942a55b128dca ] Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#138801 ("Unintended sign extension") Fixes: edf1aaa31fc5 ("[PATCH] RTC subsystem: DS1672 driver") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 938d29820972c81b0be36a362900825ec3d88c62 Author: YueHaibing Date: Wed Jan 30 18:30:51 2019 +0800 tty: ipwireless: Fix potential NULL pointer dereference [ Upstream commit 7dd50e205b3348dc7784efbdf85723551de64a25 ] There is a potential NULL pointer dereference in case alloc_ctrl_packet() fails and returns NULL. Fixes: 099dc4fb6265 ("ipwireless: driver for PC Card 3G/UMTS modem") Signed-off-by: YueHaibing Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fb1778eb8031a1c08f929737ed40a197bcbc35c0 Author: Eric Wong Date: Sun Jan 6 08:21:03 2019 +0000 rtc: cmos: ignore bogus century byte [ Upstream commit 2a4daadd4d3e507138f8937926e6a4df49c6bfdc ] Older versions of Libreboot and Coreboot had an invalid value (`3' in my case) in the century byte affecting the GM45 in the Thinkpad X200. Not everybody's updated their firmwares, and Linux <= 4.2 was able to read the RTC without problems, so workaround this by ignoring invalid values. Fixes: 3c217e51d8a272b9 ("rtc: cmos: century support") Cc: Alexandre Belloni Cc: Alessandro Zummo Cc: Sylvain Chouleur Cc: Patrick McDermott Cc: linux-rtc@vger.kernel.org Signed-off-by: Eric Wong Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 20e89037cf48eb3facb90715dfb183bf53ffd46c Author: Stefan Agner Date: Fri Jan 18 10:06:52 2019 +0100 ASoC: imx-sgtl5000: put of nodes if finding codec fails [ Upstream commit d9866572486802bc598a3e8576a5231378d190de ] Make sure to properly put the of node in case finding the codec fails. Fixes: 81e8e4926167 ("ASoC: fsl: add sgtl5000 clock support for imx-sgtl5000") Signed-off-by: Stefan Agner Reviewed-by: Daniel Baluta Acked-by: Nicolin Chen Reviewed-by: Fabio Estevam Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e6d0ba386d3a010c6385ee14c6a97d0f338422dc Author: Eric Biggers Date: Thu Jan 10 12:17:58 2019 -0800 crypto: tgr192 - fix unaligned memory access [ Upstream commit f990f7fb58ac8ac9a43316f09a48cff1a49dda42 ] Fix an unaligned memory access in tgr192_transform() by using the unaligned access helpers. Fixes: 06ace7a9bafe ("[CRYPTO] Use standard byte order macros wherever possible") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0c2854c273dee5022581b7bbaf6ab08573d9d88b Author: Pawe? Chmiel Date: Wed Jan 9 13:00:41 2019 -0500 media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL [ Upstream commit 19c624c6b29e244c418f8b44a711cbf5e82e3cd4 ] This commit corrects max and step values for v4l2 control for V4L2_CID_JPEG_RESTART_INTERVAL. Max should be 0xffff and step should be 1. It was found by using v4l2-compliance tool and checking result of VIDIOC_QUERY_EXT_CTRL/QUERYMENU test. Previously it was complaining that step was bigger than difference between max and min. Fixes: 15f4bc3b1f42 ("[media] s5p-jpeg: Add JPEG controls support") Signed-off-by: Pawe? Chmiel Reviewed-by: Jacek Anaszewski Reviewed-by: Sylwester Nawrocki Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3240a3a1de32c18d3eb0140523de659717edb98e Author: Gal Pressman Date: Mon Jan 7 17:27:55 2019 +0200 RDMA/ocrdma: Fix out of bounds index check in query pkey [ Upstream commit b188940796c7be31c1b8c25a9a0e0842c2e7a49e ] The pkey table size is one element, index should be tested for > 0 instead of > 1. Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter") Signed-off-by: Gal Pressman Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4a87975ec461becc5b08396b24b6c62b71d41811 Author: Gal Pressman Date: Mon Jan 7 17:27:54 2019 +0200 IB/usnic: Fix out of bounds index check in query pkey [ Upstream commit 4959d5da5737dd804255c75b8cea0a2929ce279a ] The pkey table size is one element, index should be tested for > 0 instead of > 1. Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") Signed-off-by: Gal Pressman Acked-by: Parvi Kaustubhi Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 0e1cef32bde2ad8493809075832f4860fffcf228 Author: Yangtao Li Date: Wed Dec 26 08:42:26 2018 -0500 clk: armada-xp: fix refcount leak in axp_clk_init() [ Upstream commit db20a90a4b6745dad62753f8bd2f66afdd5abc84 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Reviewed-by: Gregory CLEMENT Fixes: 0a11a6ae9437 ("clk: mvebu: armada-xp: maintain clock init order") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 0023d105fc47c6a5c29049422763568646a62c2c Author: Yangtao Li Date: Wed Dec 26 08:40:19 2018 -0500 clk: kirkwood: fix refcount leak in kirkwood_clk_init() [ Upstream commit e7beeab9c61591cd0e690d8733d534c3f4278ff8 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Reviewed-by: Gregory CLEMENT Fixes: 58d516ae95cb ("clk: mvebu: kirkwood: maintain clock init order") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit f26005984a5086ba4bdcf21df0e7b4c503c4eec4 Author: Yangtao Li Date: Wed Dec 26 08:36:58 2018 -0500 clk: armada-370: fix refcount leak in a370_clk_init() [ Upstream commit a3c24050bdf70c958a8d98c2823b66ea761e6a31 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Reviewed-by: Gregory CLEMENT Fixes: 07ad6836fa21 ("clk: mvebu: armada-370: maintain clock init order") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 88b3c6d3d83bd3fdf32e6d5aa6f02860fcc9bdc1 Author: Yangtao Li Date: Wed Dec 26 08:59:36 2018 -0500 clk: vf610: fix refcount leak in vf610_clocks_init() [ Upstream commit 567177024e0313e4f0dcba7ba10c0732e50e655d ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 1f2c5fd5f048 ("ARM: imx: add VF610 clock support") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit dafb093a3db5303d4ab840cd9cedfd193d542475 Author: Yangtao Li Date: Wed Dec 26 08:57:16 2018 -0500 clk: imx7d: fix refcount leak in imx7d_clocks_init() [ Upstream commit 5f8c183a996b76bb09748073c856e4246fd4ce95 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 8f6d8094b215 ("ARM: imx: add imx7d clk tree support") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit dc123f2d48b422368b7e7a5f9c95bd01b18aaba2 Author: Yangtao Li Date: Wed Dec 26 08:55:10 2018 -0500 clk: imx6sx: fix refcount leak in imx6sx_clocks_init() [ Upstream commit 1731e14fb30212dd8c1e9f8fc1af061e56498c55 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: d55135689019 ("ARM: imx: add clock driver for imx6sx") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit effc2febc81fedc2477513b2184cce3e9339f7ff Author: Yangtao Li Date: Wed Dec 26 08:53:00 2018 -0500 clk: imx6q: fix refcount leak in imx6q_clocks_init() [ Upstream commit c9ec1d8fef31b5fc9e90e99f9bd685db5caa7c5e ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 2acd1b6f889c ("ARM: i.MX6: implement clocks using common clock framework") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 7ad0d219cbf1a3c6f7a4c96ecee1ab8feee22770 Author: Yangtao Li Date: Wed Dec 26 08:32:15 2018 -0500 clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() [ Upstream commit cee82eb9532090cd1dc953e845d71f9b1445c84e ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: e062b571777f ("clk: exynos4: register clocks using common clock framework") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 20b422401ed72d1a7839cd8b073d0d26534f358b Author: Yangtao Li Date: Wed Dec 26 08:29:02 2018 -0500 clk: socfpga: fix refcount leak [ Upstream commit 7f9705beeb3759e69165e7aff588f6488ff6c1ac ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 5343325ff3dd ("clk: socfpga: add a clock driver for the Arria 10 platform") Fixes: a30d27ed739b ("clk: socfpga: fix clock driver for 3.15") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit d2e0e2234a9ee479f0902e46fe4c14cb69d0bd9f Author: Yangtao Li Date: Wed Dec 26 08:14:42 2018 -0500 clk: qoriq: fix refcount leak in clockgen_init() [ Upstream commit 70af6c5b5270e8101f318c4b69cc98a726edfab9 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 0dfc86b3173f ("clk: qoriq: Move chip-specific knowledge into driver") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 72dbfd616b642e2e6ea78bba6655a8f2959dc706 Author: Yangtao Li Date: Wed Dec 26 08:10:01 2018 -0500 clk: highbank: fix refcount leak in hb_clk_init() [ Upstream commit 5eb8ba90958de1285120dae5d3a5d2b1a360b3b4 ] The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 26cae166cff9 ("ARM: highbank: remove custom .init_time hook") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 56a82d61dbf62f8b91fb382fa287eb0dc56d84c1 Author: Dan Carpenter Date: Fri Dec 21 00:38:30 2018 -0800 Input: nomadik-ske-keypad - fix a loop timeout test [ Upstream commit 4d8f727b83bcd6702c2d210330872c9122d2d360 ] The loop exits with "timeout" set to -1 not to 0. Fixes: 1158f0f16224 ("Input: add support for Nomadik SKE keypad controller") Signed-off-by: Dan Carpenter Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 690f137a9d3be8672c236ff1c385e1d1624fd6fb Author: Geert Uytterhoeven Date: Thu Dec 13 14:32:34 2018 +0100 pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value [ Upstream commit 4d374bacd7c9665179f9752a52d5d602c45d8190 ] The IP10[5:3] field in Peripheral Function Select Register 10 has a width of 3 bits, i.e. it allows programming one out of 8 different configurations. However, 9 values are provided instead of 8, overflowing into the subsequent field in the register, and thus breaking the configuration of the latter. Fix this by dropping a bogus zero value. Fixes: ac1ebc2190f575fc ("sh-pfc: Add sh7734 pinmux support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 0fe6c17cbc723684721babbb31864e96c507f608 Author: Geert Uytterhoeven Date: Thu Dec 13 14:27:56 2018 +0100 pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field [ Upstream commit 9540cbdfcd861caf67a6f0e4bb7f46d41c4aad86 ] The Port C I/O Register 0 contains 7 reserved bits, but the descriptor contains only dummy configuration values for 6 reserved bits, thus breaking the configuration of all subsequent fields in the register. Fix this by adding the two missing configuration values. Fixes: f5e811f2a43117b2 ("sh-pfc: Add sh7269 pinmux support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 9301ae8a9d17a3607e96211d82d67c93f82d864e Author: Geert Uytterhoeven Date: Wed Dec 12 14:42:16 2018 +0100 pinctrl: sh-pfc: sh7734: Add missing IPSR11 field [ Upstream commit 94482af7055e1ffa211c1135256b85590ebcac99 ] The Peripheral Function Select Register 11 contains 3 reserved bits and 15 variable-width fields, but the variable field descriptor does not contain the 3-bit field IP11[25:23]. Fixes: 856cb4bb337ee504 ("sh: Add support pinmux for SH7734") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 1ac9cfbba7523f9f8892f88c877c0be9059b4f50 Author: Geert Uytterhoeven Date: Wed Dec 12 14:21:16 2018 +0100 pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field [ Upstream commit 6a6c195d98a1a5e70faa87f594d7564af1dd1bed ] The Peripheral Function Select Register 9 contains 12 fields, but the variable field descriptor contains a 13th bogus field of 3 bits. Fixes: 43c4436e2f1890a7 ("pinctrl: sh-pfc: add R8A7794 PFC support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 7048bbad1a2b54f51908b17ae9e1ccab2f435fc8 Author: Geert Uytterhoeven Date: Wed Dec 12 11:20:14 2018 +0100 pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group [ Upstream commit 124cde98f856b6206b804acbdec3b7c80f8c3427 ] The tpu4_to3_mux[] array contains the TPU4TO3 pin mark, but the tpu4_to3_pins[] array lacks the corresponding pin number. Add the missing pin number, for non-GPIO pin F26. Fixes: 5da4eb049de803c7 ("sh-pfc: sh73a0: Add TPU pin groups and functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 61421d802484620e7784e99433700ebd6ee50d9a Author: Geert Uytterhoeven Date: Wed Dec 12 11:12:20 2018 +0100 pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group [ Upstream commit 0d6256cb880166a4111bebce35790019e56b6e1b ] The vin1_b_data18_mux[] arrays contains pin marks for the 2 LSB bits of the color components. The vin1_b_data18_pins[] array rightfully does not include the corresponding pin numbers, as RGB18 is subset of RGB24, containing only the 6 MSB bits of each component. Fixes: 8e32c9671f84acd8 ("pinctrl: sh-pfc: r8a7791: Add VIN pins") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit c76f1d8191854303c7f4a3e07b06679b90dbe395 Author: Geert Uytterhoeven Date: Wed Dec 12 11:05:57 2018 +0100 pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group [ Upstream commit 884fa25fb6e5e63ab970d612a628313bb68f37cc ] The qspi_data4_b_mux[] array contains pin marks for the clock and chip select pins. The qspi_data4_b_pins[] array rightfully does not contain the corresponding pin numbers, as the control pins are provided by a separate group (qspi_ctrl_b). Fixes: 2d0c386f135e4186 ("pinctrl: sh-pfc: r8a7791: Add QSPI pin groups") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 51102d67245eb211b6973310dc7ffc66c39f33c7 Author: Geert Uytterhoeven Date: Wed Dec 12 11:00:27 2018 +0100 pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group [ Upstream commit 96bb2a6ab4eca10e5b6490b3f0738e9f7ec22c2b ] The lcd0_data24_1_pins[] array contains the LCD0 D1[2-5] pin numbers, but the lcd0_data24_1_mux[] array lacks the corresponding pin marks. Fixes: 06c7dd866da70f6c ("sh-pfc: r8a7740: Add LCDC0 and LCDC1 pin groups and functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 5354636d415e5ac2dc2b748839202c92cf07292c Author: Geert Uytterhoeven Date: Wed Dec 12 10:57:27 2018 +0100 pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group [ Upstream commit 1ebc589a7786f17f97b9e87b44e0fb4d0290d8f8 ] The gether_gmii_mux[] array contains the REF125CK pin mark, but the gether_gmii_pins[] array lacks the corresponding pin number. Fixes: bae11d30d0cafdc5 ("sh-pfc: r8a7740: Add GETHER pin groups and functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Sasha Levin commit 05d994f68019544a8ad88dac7cdcc4ecb6b17e7d Author: Lyude Paul Date: Tue Nov 13 17:46:14 2018 -0500 drm/dp_mst: Skip validating ports during destruction, just ref [ Upstream commit c54c7374ff44de5e609506aca7c0deae4703b6d1 ] Jerry Zuo pointed out a rather obscure hotplugging issue that it seems I accidentally introduced into DRM two years ago. Pretend we have a topology like this: |- DP-1: mst_primary |- DP-4: active display |- DP-5: disconnected |- DP-6: active hub |- DP-7: active display |- DP-8: disconnected |- DP-9: disconnected If we unplug DP-6, the topology starting at DP-7 will be destroyed but it's payloads will live on in DP-1's VCPI allocations and thus require removal. However, this removal currently fails because drm_dp_update_payload_part1() will (rightly so) try to validate the port before accessing it, fail then abort. If we keep going, eventually we run the MST hub out of bandwidth and all new allocations will start to fail (or in my case; all new displays just start flickering a ton). We could just teach drm_dp_update_payload_part1() not to drop the port ref in this case, but then we also need to teach drm_dp_destroy_payload_step1() to do the same thing, then hope no one ever adds anything to the that requires a validated port reference in drm_dp_destroy_connector_work(). Kind of sketchy. So let's go with a more clever solution: any port that drm_dp_destroy_connector_work() interacts with is guaranteed to still exist in memory until we say so. While said port might not be valid we don't really care: that's the whole reason we're destroying it in the first place! So, teach drm_dp_get_validated_port_ref() to use the all mighty current_work() function to avoid attempting to validate ports from the context of mgr->destroy_connector_work. I can't see any situation where this wouldn't be safe, and this avoids having to play whack-a-mole in the future of trying to work around port validation. Signed-off-by: Lyude Paul Fixes: 263efde31f97 ("drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()") Reported-by: Jerry Zuo Cc: Jerry Zuo Cc: Harry Wentland Cc: # v4.6+ Reviewed-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20181113224613.28809-1-lyude@redhat.com Signed-off-by: Sean Paul Signed-off-by: Sasha Levin commit 2ed9c501c49f2d6997d0d9d9ea545b4d79a46df6 Author: YueHaibing Date: Mon Nov 19 11:32:41 2018 +0800 exportfs: fix 'passing zero to ERR_PTR()' warning [ Upstream commit 909e22e05353a783c526829427e9a8de122fba9c ] Fix a static code checker warning: fs/exportfs/expfs.c:171 reconnect_one() warn: passing zero to 'ERR_PTR' The error path for lookup_one_len_unlocked failure should set err to PTR_ERR. Fixes: bbf7a8a3562f ("exportfs: move most of reconnect_path to helper function") Signed-off-by: YueHaibing Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 14bddd38a509551ffb9b6479430aefbebe7602f5 Author: Colin Ian King Date: Sat Oct 27 15:49:26 2018 +0100 pcrypt: use format specifier in kobject_add [ Upstream commit b1e3874c75ab15288f573b3532e507c37e8e7656 ] Passing string 'name' as the format specifier is potentially hazardous because name could (although very unlikely to) have a format specifier embedded in it causing issues when parsing the non-existent arguments to these. Follow best practice by using the "%s" format string for the string 'name'. Cleans up clang warning: crypto/pcrypt.c:397:40: warning: format string is not a string literal (potentially insecure) [-Wformat-security] Fixes: a3fb1e330dd2 ("pcrypt: Added sysfs interface to pcrypt") Signed-off-by: Colin Ian King Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4c812e6ae76fe7aa659fab6f7edb1a599863d027 Author: Spencer E. Olson Date: Wed Oct 3 14:54:16 2018 -0600 staging: comedi: ni_mio_common: protect register write overflow [ Upstream commit 1cbca5852d6c16e85a21487a15d211195aacd4a1 ] Fixes two problems introduced as early as commit 03aef4b6dc12 ("Staging: comedi: add ni_mio_common code"): (1) Ensures that the last four bits of NISTC_RTSI_TRIGB_OUT_REG register is not unduly overwritten on e-series devices. On e-series devices, the first three of the last four bits are reserved. The last bit defines the output selection of the RGOUT0 pin, otherwise known as RTSI_Sub_Selection. For m-series devices, these last four bits are indeed used as the output selection of the RTSI7 pin (and the RTSI_Sub_Selection bit for the RGOUT0 pin is moved to the RTSI_Trig_Direction register. (2) Allows all 4 RTSI_BRD lines to be treated as valid sources for RTSI lines. This patch also cleans up the ni_get_rtsi_routing command for readability. Fixes: 03aef4b6dc12 ("Staging: comedi: add ni_mio_common code") Signed-off-by: Spencer E. Olson Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5a4a7d5b57ab24a810487045a49ba067a0c1ea93 Author: Nicolas Huaman Date: Thu Oct 4 16:42:05 2018 +0200 ALSA: usb-audio: update quirk for B&W PX to remove microphone [ Upstream commit c369c8db15d51fa175d2ba85928f79d16af6b562 ] A quirk in snd-usb-audio was added to automate setting sample rate to 4800k and remove the previously exposed nonfunctional microphone for the Bowers & Wilkins PX: commit 240a8af929c7c57dcde28682725b29cf8474e8e5 https://lore.kernel.org/patchwork/patch/919689/ However the headphones where updated shortly after that to remove the unintentional microphone functionality. I guess because of this the headphones now crash when connecting them via USB while the quirk is active. Dmesg: snd-usb-audio: probe of 2-3:1.0 failed with error -22 usb 2-3: 2:1: cannot get min/max values for control 2 (id 2) This patch removes the microfone and allows the headphones to connect and work out of the box. It is based on the current mainline kernel and successfully applied an tested on my machine (4.18.10.arch1-1). Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones") Signed-off-by: Nicolas Huaman Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d6fec56efa4918aed9c07f59bf5bebe3c5e80fd9 Author: Anders Roxell Date: Tue Sep 11 16:18:36 2018 +0200 ALSA: hda: fix unused variable warning [ Upstream commit 5b03006d5c58ddd31caf542eef4d0269bcf265b3 ] When CONFIG_X86=n function azx_snoop doesn't use the variable chip it only returns true. sound/pci/hda/hda_intel.c: In function ‘dma_alloc_pages’: sound/pci/hda/hda_intel.c:2002:14: warning: unused variable ‘chip’ [-Wunused-variable] struct azx *chip = bus_to_azx(bus); ^~~~ Create a inline function of azx_snoop. Fixes: a41d122449be ("ALSA: hda - Embed bus into controller object") Signed-off-by: Anders Roxell Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 2b85c83c6ec16e417cc987e695037c3ae2faa010 Author: Dan Carpenter Date: Wed Jul 4 12:42:50 2018 +0300 drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() [ Upstream commit 09c4b49457434fa74749ad6194ef28464d9f5df9 ] This doesn't affect runtime because in the current code "idx" is always valid. First, we read from "vgdev->capsets[idx].max_size" before checking whether "idx" is within bounds. And secondly the bounds check is off by one so we could end up reading one element beyond the end of the vgdev->capsets[] array. Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support") Signed-off-by: Dan Carpenter Link: http://patchwork.freedesktop.org/patch/msgid/20180704094250.m7sgvvzg3dhcvv3h@kili.mountain Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit af266e1fd4aeae3e45e48bb54142b043d20abc85 Author: Lorenzo Bianconi Date: Sat Sep 21 10:44:01 2019 +0200 mt7601u: fix bbp version check in mt7601u_wait_bbp_ready commit 15e14f76f85f4f0eab3b8146e1cd3c58ce272823 upstream. Fix bbp ready check in mt7601u_wait_bbp_ready. The issue is reported by coverity with the following error: Logical vs. bitwise operator The expression's value does not depend on the operands; inadvertent use of the wrong operator is a likely logic error. Addresses-Coverity-ID: 1309441 ("Logical vs. bitwise operator") Fixes: c869f77d6abb ("add mt7601u driver") Acked-by: Jakub Kicinski Signed-off-by: Lorenzo Bianconi Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 25f0407a14cdd3f7fae62e37b582eda600dab162 Author: Ard Biesheuvel Date: Wed Dec 4 11:50:15 2019 +0000 powerpc/archrandom: fix arch_get_random_seed_int() commit b6afd1234cf93aa0d71b4be4788c47534905f0be upstream. Commit 01c9348c7620ec65 powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_* updated arch_get_random_[int|long]() to be NOPs, and moved the hardware RNG backing to arch_get_random_seed_[int|long]() instead. However, it failed to take into account that arch_get_random_int() was implemented in terms of arch_get_random_long(), and so we ended up with a version of the former that is essentially a NOP as well. Fix this by calling arch_get_random_seed_long() from arch_get_random_seed_int() instead. Fixes: 01c9348c7620ec65 ("powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_*") Signed-off-by: Ard Biesheuvel Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20191204115015.18015-1-ardb@kernel.org Signed-off-by: Greg Kroah-Hartman commit e7877cd45ffd097dc344a51b30778bff58786ad3 Author: Jan Kara Date: Wed Oct 23 17:00:45 2019 -0700 xfs: Sanity check flags of Q_XQUOTARM call commit 3dd4d40b420846dd35869ccc8f8627feef2cff32 upstream. Flags passed to Q_XQUOTARM were not sanity checked for invalid values. Fix that. Fixes: 9da93f9b7cdf ("xfs: fix Q_XQUOTARM ioctl") Reported-by: Yang Xu Signed-off-by: Jan Kara Reviewed-by: Eric Sandeen Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Greg Kroah-Hartman