commit ba19874032074ca5a3817ae82ebae27bd3343551
Author: Greg Kroah-Hartman
Date: Fri Jan 17 19:49:08 2020 +0100

Linux 5.4.13

commit dae87141c88863fd8bc31d68fc5b014c260c3c63
Author: Kai Li
Date: Sat Jan 4 13:00:18 2020 -0800

ocfs2: call journal flush to mark journal as empty after journal recovery when mount

[ Upstream commit 397eac17f86f404f5ba31d8c3e39ec3124b39fd3 ]

If journal is dirty when mount, it will be replayed but jbd2 sb log tail cannot be updated to mark a new start because journal->j_flag has already been set with JBD2_ABORT first in journal_init_common.

When a new transaction is committed, it will be recorded in block 1 first (journal->j_tail is set to 1 in journal_reset). If emergency restart happens again before journal super block is updated unfortunately, the new recorded trans will not be replayed in the next mount.

The following steps describe this procedure in detail.

1. mount and touch some files
2. these transactions are committed to journal area but not checkpointed
3. emergency restart
4. mount again and its journals are replayed
5. journal super block's first s_start is 1, but its s_seq is not updated
6. touch a new file and its trans is committed but not checkpointed
7. emergency restart again
8. mount and journal is dirty, but trans committed in 6 will not be replayed.

This exception happens easily when this lun is used by only one node. If it is used by multi-nodes, other node will replay its journal and its journal super block will be updated after recovery like what this patch does.

ocfs2_recover_node->ocfs2_replay_journal.

The following jbd2 journal can be generated by touching a new file after journal is replayed, and seq 15 is the first valid commit, but first seq is 13 in journal super block.
logdump:
Block 0: Journal Superblock
Seq: 0   Type: 4 (JBD2_SUPERBLOCK_V2)
Blocksize: 4096   Total Blocks: 32768   First Block: 1
First Commit ID: 13   Start Log Blknum: 1
Error: 0
Feature Compat: 0
Feature Incompat: 2 block64
Feature RO compat: 0
Journal UUID: 4ED3822C54294467A4F8E87D2BA4BC36
FS Share Cnt: 1   Dynamic Superblk Blknum: 0
Per Txn Block Limit    Journal: 0    Data: 0

Block 1: Journal Commit Block
Seq: 14   Type: 2 (JBD2_COMMIT_BLOCK)

Block 2: Journal Descriptor
Seq: 15   Type: 1 (JBD2_DESCRIPTOR_BLOCK)
No. Blocknum        Flags
 0. 587             none
UUID: 00000000000000000000000000000000
 1. 8257792         JBD2_FLAG_SAME_UUID
 2. 619             JBD2_FLAG_SAME_UUID
 3. 24772864        JBD2_FLAG_SAME_UUID
 4. 8257802         JBD2_FLAG_SAME_UUID
 5. 513             JBD2_FLAG_SAME_UUID JBD2_FLAG_LAST_TAG
...
Block 7: Inode
Inode: 8257802   Mode: 0640   Generation: 57157641 (0x3682809)
FS Generation: 2839773110 (0xa9437fb6)
CRC32: 00000000   ECC: 0000
Type: Regular   Attr: 0x0   Flags: Valid
Dynamic Features: (0x1) InlineData
User: 0 (root)   Group: 0 (root)   Size: 7
Links: 1   Clusters: 0
ctime: 0x5de5d870 0x11104c61 -- Tue Dec 3 11:37:20.286280801 2019
atime: 0x5de5d870 0x113181a1 -- Tue Dec 3 11:37:20.288457121 2019
mtime: 0x5de5d870 0x11104c61 -- Tue Dec 3 11:37:20.286280801 2019
dtime: 0x0 -- Thu Jan 1 08:00:00 1970
...
Block 9: Journal Commit Block
Seq: 15   Type: 2 (JBD2_COMMIT_BLOCK)

The following is journal recovery log when recovering the upper jbd2 journal when mount again.

syslog:
ocfs2: File system on device (252,1) was not unmounted cleanly, recovering it.
fs/jbd2/recovery.c:(do_one_pass, 449): Starting recovery pass 0
fs/jbd2/recovery.c:(do_one_pass, 449): Starting recovery pass 1
fs/jbd2/recovery.c:(do_one_pass, 449): Starting recovery pass 2
fs/jbd2/recovery.c:(jbd2_journal_recover, 278): JBD2: recovery, exit status 0, recovered transactions 13 to 13

Due to first commit seq 13 recorded in journal super is not consistent with the value recorded in block 1(seq is 14), journal recovery will be terminated before seq 15 even though it is an unbroken commit, inode 8257802 is a new file and it will be lost.

Link: http://lkml.kernel.org/r/20191217020140.2197-1-li.kai4@h3c.com
Signed-off-by: Kai Li
Reviewed-by: Joseph Qi
Reviewed-by: Changwei Ge
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Junxiao Bi
Cc: Gang He
Cc: Jun Piao
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

commit dc5a755f6bc40bb8c65b2bdeb1afeaec086d0a56
Author: Nick Desaulniers
Date: Sat Jan 4 13:00:02 2020 -0800

hexagon: work around compiler crash

[ Upstream commit 63e80314ab7cf4783526d2e44ee57a90514911c9 ]

Clang cannot translate the string "r30" into a valid register yet.

Link: https://github.com/ClangBuiltLinux/linux/issues/755
Link: http://lkml.kernel.org/r/20191028155722.23419-1-ndesaulniers@google.com
Signed-off-by: Nick Desaulniers
Suggested-by: Sid Manning
Reviewed-by: Brian Cain
Cc: Allison Randal
Cc: Greg Kroah-Hartman
Cc: Richard Fontana
Cc: Thomas Gleixner
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

commit 93814de5a5e2a016ac819285fcdbd7252c2cfccf
Author: Nick Desaulniers
Date: Sat Jan 4 12:59:59 2020 -0800

hexagon: parenthesize registers in asm predicates

[ Upstream commit 780a0cfda9006a9a22d6473c2d4c527f5c68eb2e ]

Hexagon requires that register predicates in assembly be parenthesized.
Link: https://github.com/ClangBuiltLinux/linux/issues/754
Link: http://lkml.kernel.org/r/20191209222956.239798-3-ndesaulniers@google.com
Signed-off-by: Nick Desaulniers
Suggested-by: Sid Manning
Acked-by: Brian Cain
Cc: Lee Jones
Cc: Andy Shevchenko
Cc: Tuowen Zhao
Cc: Mika Westerberg
Cc: Luis Chamberlain
Cc: Greg Kroah-Hartman
Cc: Alexios Zavras
Cc: Allison Randal
Cc: Will Deacon
Cc: Richard Fontana
Cc: Thomas Gleixner
Cc: Peter Zijlstra
Cc: Boqun Feng
Cc: Ingo Molnar
Cc: Geert Uytterhoeven
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

commit 3bc95f564d73754825e8cf373492fecc47a0bbca
Author: Ard Biesheuvel
Date: Mon Dec 30 15:07:47 2019 +0100

kbuild/deb-pkg: annotate libelf-dev dependency as :native

[ Upstream commit 8ffdc54b6f4cd718a45802e645bb853e3a46a078 ]

Cross compiling the x86 kernel on a non-x86 build machine produces the following error when CONFIG_UNWINDER_ORC is enabled, regardless of whether libelf-dev is installed or not.

dpkg-checkbuilddeps: error: Unmet build dependencies: libelf-dev
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)

Since this is a build time dependency for a build tool, we need to depend on the native version of libelf-dev so add the appropriate annotation.

Signed-off-by: Ard Biesheuvel
Signed-off-by: Masahiro Yamada
Signed-off-by: Sasha Levin

commit 8a235a9edc82106257e8f4bd3d5f74139a22553b
Author: Sakari Ailus
Date: Wed Nov 6 12:57:07 2019 +0100

media: intel-ipu3: Align struct ipu3_uapi_awb_fr_config_s to 32 bytes

[ Upstream commit ce644cf3fa06504c2c71ab1b794160d54aaccbc0 ]

A struct that needs to be aligned to 32 bytes has a size of 28. Increase the size to 32.

This makes elements of arrays of this struct aligned to 32 as well, and other structs where members are aligned to 32 mixing ipu3_uapi_awb_fr_config_s as well as other types.
Fixes: commit dca5ef2aa1e6 ("media: staging/intel-ipu3: remove the unnecessary compiler flags")
Signed-off-by: Sakari Ailus
Tested-by: Bingbu Cao
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit f1c5e6abd4495bc54055bf3908ad6baa45d12010
Author: changzhu
Date: Thu Dec 12 13:46:06 2019 +0800

drm/amdgpu: enable gfxoff for raven1 refresh

[ Upstream commit e0c63812352298efbce2a71483c1dab627d0c288 ]

When smu version is larger than 0x41e2b, it will load raven_kicker_rlc.bin. To enable gfxoff for raven_kicker_rlc.bin, it needs to avoid adev->pm.pp_feature &= ~PP_GFXOFF_MASK when it loads raven_kicker_rlc.bin.

Signed-off-by: changzhu
Reviewed-by: Huang Rui
Acked-by: Alex Deucher
Signed-off-by: Alex Deucher
Signed-off-by: Sasha Levin

commit 93ed80d6f130cc4a88bc921b92d8164012f70152
Author: Alexander.Barabash@dell.com
Date: Wed Dec 25 17:55:30 2019 +0000

ioat: ioat_alloc_ring() failure handling.

[ Upstream commit b0b5ce1010ffc50015eaec72b0028aaae3f526bb ]

If dma_alloc_coherent() returns NULL in ioat_alloc_ring(), ring allocation must not proceed.

Until now, if the first call to dma_alloc_coherent() in ioat_alloc_ring() returned NULL, the processing could proceed, failing with NULL-pointer dereferencing further down the line.

Signed-off-by: Alexander Barabash
Acked-by: Dave Jiang
Link: https://lore.kernel.org/r/75e9c0e84c3345d693c606c64f8b9ab5@x13pwhopdag1307.AMER.DELL.COM
Signed-off-by: Vinod Koul
Signed-off-by: Sasha Levin

commit 13dc49dae8a7a7cca74def32c735d3c003a97311
Author: Julian Wiedmann
Date: Mon Dec 23 15:03:22 2019 +0100

s390/qeth: lock the card while changing its hsuid

[ Upstream commit 5b6c7b55cfe26224b0f41b1c226d3534c542787f ]

qeth_l3_dev_hsuid_store() initially checks the card state, but doesn't take the conf_mutex to ensure that the card stays in this state while being reconfigured.

Rework the code to take this lock, and drop a redundant state check in a helper function.
Fixes: b333293058aa ("qeth: add support for af_iucv HiperSockets transport")
Signed-off-by: Julian Wiedmann
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin

commit be5fa7e252a2b47b2187790e2ed7fbfa57abf598
Author: John Stultz
Date: Wed Dec 18 19:09:06 2019 +0000

dmaengine: k3dma: Avoid null pointer traversal

[ Upstream commit 2f42e05b942fe2fbfb9bbc6e34e1dd8c3ce4f3a4 ]

In some cases we seem to submit two transactions in a row, which causes us to lose track of the first. If we then cancel the request, we may still get an interrupt, which traverses a null ds_run value.

So try to avoid starting a new transaction if the ds_run value is set.

While this patch avoids the null pointer crash, I've had some reports of the k3dma driver still getting confused, which suggests the ds_run/ds_done value handling still isn't quite right. However, I've not run into an issue recently with it so I think this patch is worth pushing upstream to avoid the crash.

Signed-off-by: John Stultz
[add ss tag]
Link: https://lore.kernel.org/r/20191218190906.6641-1-john.stultz@linaro.org
Signed-off-by: Vinod Koul
Signed-off-by: Sasha Levin

commit ff8878461b9ba97eb9dbae3523fa90d11a7b5ba8
Author: David Howells
Date: Fri Dec 20 16:17:16 2019 +0000

rxrpc: Fix missing security check on incoming calls

[ Upstream commit 063c60d39180cec7c9317f5acfc3071f8fecd705 ]

Fix rxrpc_new_incoming_call() to check that we have a suitable service key available for the combination of service ID and security class of a new incoming call - and to reject calls for which we don't.

This causes an assertion like the following to appear:

rxrpc: Assertion failed - 6(0x6) == 12(0xc) is false
kernel BUG at net/rxrpc/call_object.c:456!

Where call->state is RXRPC_CALL_SERVER_SECURING (6) rather than RXRPC_CALL_COMPLETE (12).
Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Reported-by: Marc Dionne
Signed-off-by: David Howells
Signed-off-by: Sasha Levin

commit f928970f14cb43d989d56104747dfb19abc29a71
Author: David Howells
Date: Fri Dec 20 16:20:56 2019 +0000

rxrpc: Don't take call->user_mutex in rxrpc_new_incoming_call()

[ Upstream commit 13b7955a0252e15265386b229b814152f109b234 ]

Standard kernel mutexes cannot be used in any way from interrupt or softirq context, so the user_mutex which manages access to a call cannot be a mutex since on a new call the mutex must start off locked and be unlocked within the softirq handler to prevent userspace interfering with a call we're setting up.

Commit a0855d24fc22d49cdc25664fb224caee16998683 ("locking/mutex: Complain upon mutex API misuse in IRQ contexts") causes big warnings to be splashed in dmesg for each a new call that comes in from the server. Whilst it *seems* like it should be okay, since the accept path uses trylock, there are issues with PI boosting and marking the wrong task as the owner.

Fix this by not taking the mutex in the softirq path at all. It's not obvious that there should be any need for it as the state is set before the first notification is generated for the new call.

There's also no particular reason why the link-assessing ping should be triggered inside the mutex. It's not actually transmitted there anyway, but rather it has to be deferred to a workqueue.

Further, I don't think that there's any particular reason that the socket notification needs to be done from within rx->incoming_lock, so the amount of time that lock is held can be shortened too and the ping prepared before the new call notification is sent.
Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Signed-off-by: David Howells
cc: Peter Zijlstra (Intel)
cc: Ingo Molnar
cc: Will Deacon
cc: Davidlohr Bueso
Signed-off-by: Sasha Levin

commit 344b0d8abf2291d690400f1383ff1cdb35dd6251
Author: David Howells
Date: Wed Dec 18 16:38:49 2019 +0000

rxrpc: Unlock new call in rxrpc_new_incoming_call() rather than the caller

[ Upstream commit f33121cbe91973a08e68e4bde8c3f7e6e4e351c1 ]

Move the unlock and the ping transmission for a new incoming call into rxrpc_new_incoming_call() rather than doing it in the caller. This makes it clearer to see what's going on.

Suggested-by: Peter Zijlstra
Signed-off-by: David Howells
Acked-by: Peter Zijlstra (Intel)
cc: Ingo Molnar
cc: Will Deacon
cc: Davidlohr Bueso
Signed-off-by: Sasha Levin

commit f54802bfc97bff552ec4781293f37f7e26be229e
Author: Ben Dooks (Codethink)
Date: Tue Dec 17 11:53:09 2019 +0000

drm/arm/mali: make malidp_mw_connector_helper_funcs static

[ Upstream commit ac2917b01992c098b8d4e6837115e3ca347fdd90 ]

The malidp_mw_connector_helper_funcs is not referenced by name outside of the file it is in, so make it static to avoid the following warning:

drivers/gpu/drm/arm/malidp_mw.c:59:41: warning: symbol 'malidp_mw_connector_helper_funcs' was not declared. Should it be static?

Signed-off-by: Ben Dooks (Codethink)
Signed-off-by: Liviu Dudau
Link: https://patchwork.freedesktop.org/patch/msgid/20191217115309.2133503-1-ben.dooks@codethink.co.uk
Signed-off-by: Sasha Levin

commit 8b4ddd4ec176ac87b81252499e41922bed2592c8
Author: Jouni Hogander
Date: Mon Dec 9 14:37:07 2019 +0200

MIPS: Prevent link failure with kcov instrumentation

[ Upstream commit a4a3893114a41e365274d5fab5d9ff5acc235ff0 ]

__sanitizer_cov_trace_pc() is not linked in and causing link failure if KCOV_INSTRUMENT is enabled. Fix this by disabling instrumentation for compressed image.
Signed-off-by: Jouni Hogander
Signed-off-by: Paul Burton
Cc: Lukas Bulwahn
Cc: linux-mips@vger.kernel.org
Signed-off-by: Sasha Levin

commit 1b32e6ea73782d52b1d92dc805f6f00e19c05803
Author: Tetsuo Handa
Date: Mon Dec 16 19:16:48 2019 +0900

tomoyo: Suppress RCU warning at list_for_each_entry_rcu().

[ Upstream commit 6bd5ce6089b561f5392460bfb654dea89356ab1b ]

John Garry has reported that allmodconfig kernel on arm64 causes flood of "RCU-list traversed in non-reader section!!" warning. I don't know what change caused this warning, but this warning is safe because TOMOYO uses SRCU lock instead. Let's suppress this warning by explicitly telling that the caller is holding SRCU lock.

Reported-and-tested-by: John Garry
Signed-off-by: Tetsuo Handa
Signed-off-by: Sasha Levin

commit 520e3bd3dee4266603b97ad5f5cedb88736a09c5
Author: Vincenzo Frascino
Date: Fri Nov 29 14:36:58 2019 +0000

mips: Fix gettimeofday() in the vdso library

[ Upstream commit 7d2aa4bb90f5f6f1b8de8848c26042403f2d7bf9 ]

The libc provides a discovery mechanism for vDSO library and its symbols. When a symbol is not exposed by the vDSOs the libc falls back on the system calls.

With the introduction of the unified vDSO library on mips this behavior is not honored anymore by the kernel in the case of gettimeofday().

The issue has been noticed and reported due to a dhclient failure on the CI20 board:

root@letux:~# dhclient
../../../../lib/isc/unix/time.c:200: Operation not permitted
root@letux:~#

Restore the original behavior fixing gettimeofday() in the vDSO library.

Reported-by: H. Nikolaus Schaller
Tested-by: H. Nikolaus Schaller # CI20 with JZ4780
Signed-off-by: Vincenzo Frascino
Signed-off-by: Paul Burton
Cc: mips-creator-ci20-dev@googlegroups.com
Cc: letux-kernel@openphoenux.org
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin

commit 7acc6f949d20f88faa2b3ce4b648ac8c4ede13f3
Author: Vladimir Kondratiev
Date: Sun Nov 24 16:07:31 2019 +0200

mips: cacheinfo: report shared CPU map

[ Upstream commit 3b1313eb32c499d46dc4c3e896d19d9564c879c4 ]

Report L1 caches as shared per core; L2 - per cluster.

This fixes "perf" that went crazy if shared_cpu_map attribute not reported on sysfs, in form of

/sys/devices/system/cpu/cpu*/cache/index*/shared_cpu_list
/sys/devices/system/cpu/cpu*/cache/index*/shared_cpu_map

Signed-off-by: Vladimir Kondratiev
Signed-off-by: Paul Burton
Cc: Ralf Baechle
Cc: James Hogan
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin

commit ef75fc2e63136be4c1194b0802025eab6241c508
Author: Olof Johansson
Date: Mon Dec 16 20:07:04 2019 -0800

riscv: export flush_icache_all to modules

[ Upstream commit 1833e327a5ea1d1f356fbf6ded0760c9ff4b0594 ]

This is needed by LKDTM (crash dump test module), it calls flush_icache_range(), which on RISC-V turns into flush_icache_all(). On other architectures, the actual implementation is exported, so follow that precedence and export it here too.

Fixes build of CONFIG_LKDTM that fails with:

ERROR: "flush_icache_all" [drivers/misc/lkdtm/lkdtm.ko] undefined!

Signed-off-by: Olof Johansson
Signed-off-by: Paul Walmsley
Signed-off-by: Sasha Levin

commit d32a6cffd2d27b6783a9ed9a7f3e8ce12562dcb8
Author: Mathieu Desnoyers
Date: Wed Dec 11 11:28:57 2019 -0500

rseq/selftests: Turn off timeout setting

[ Upstream commit af9cb29c5488381083b0b5ccdfb3cd931063384a ]

As the rseq selftests can run for a long period of time, disable the timeout that the general selftests have.
Signed-off-by: Mathieu Desnoyers
Cc: Shuah Khan
Cc: Thomas Gleixner
Cc: Peter Zijlstra (Intel)
Cc: "Paul E. McKenney"
Cc: Boqun Feng
Cc: "H . Peter Anvin"
Cc: Paul Turner
Cc: Dmitry Vyukov
Signed-off-by: Shuah Khan
Signed-off-by: Sasha Levin

commit d9afe243a9626d2f4274e4105a953e49e86dcb85
Author: Shuah Khan
Date: Thu Dec 12 18:56:06 2019 -0700

selftests: firmware: Fix it to do root uid check and skip

[ Upstream commit c65e41538b04e0d64a673828745a00cb68a24371 ]

firmware attempts to load test modules that require root access and fail. Fix it to check for root uid and exit with skip code instead.

Before this fix:

selftests: firmware: fw_run_tests.sh
modprobe: ERROR: could not insert 'test_firmware': Operation not permitted
You must have the following enabled in your kernel:
CONFIG_TEST_FIRMWARE=y
CONFIG_FW_LOADER=y
CONFIG_FW_LOADER_USER_HELPER=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
not ok 1 selftests: firmware: fw_run_tests.sh # SKIP

With this fix:

selftests: firmware: fw_run_tests.sh
skip all tests: must be run as root
not ok 1 selftests: firmware: fw_run_tests.sh # SKIP

Signed-off-by: Shuah Khan
Reviwed-by: Greg Kroah-Hartman
Signed-off-by: Shuah Khan
Signed-off-by: Sasha Levin

commit 434de487e0df8f3c5b9c1bd4795ddf89dbed8595
Author: Israel Rukshin
Date: Wed Dec 11 17:36:02 2019 +0200

scsi: target/iblock: Fix protection error with blocks greater than 512B

[ Upstream commit e4dc9a4c31fe10d1751c542702afc85be8a5c56a ]

The sector size of the block layer is 512 bytes, but integrity interval size might be different (in case of 4K block size of the media). At the initiator side the virtual start sector is the one that was originally submitted by the block layer (512 bytes) for the Reftag usage. The initiator converts the Reftag to integrity interval units and sends it to the target. So the target virtual start sector should be calculated at integrity interval units.
prepare_fn() and complete_fn() don't remap correctly the Reftag when using incorrect units of the virtual start sector, which leads to the following protection error at the device:

"blk_update_request: protection error, dev sdb, sector 2048 op 0x0:(READ) flags 0x10000 phys_seg 1 prio class 0"

To fix that, set the seed in integrity interval units.

Link: https://lore.kernel.org/r/1576078562-15240-1-git-send-email-israelr@mellanox.com
Signed-off-by: Israel Rukshin
Reviewed-by: Max Gurtovoy
Reviewed-by: Sagi Grimberg
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin

commit 2921fd9b30a62ec3f8562900cba8ef18a10eeb48
Author: Varun Prakash
Date: Wed Dec 18 19:15:31 2019 +0530

scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy()

[ Upstream commit 71482fde704efdd8c3abe0faf34d922c61e8d76b ]

If cxgb4i_ddp_init() fails then cdev->cdev2ppm will be NULL, so add a check for NULL pointer before dereferencing it.

Link: https://lore.kernel.org/r/1576676731-3068-1-git-send-email-varun@chelsio.com
Signed-off-by: Varun Prakash
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin

commit f44e6a300d45ca4ccb10af24974207bbce8bd607
Author: Johnson CH Chen (陳昭勳)
Date: Tue Nov 26 06:51:11 2019 +0000

gpio: mpc8xxx: Add platform device to gpiochip->parent

[ Upstream commit 322f6a3182d42df18059a89c53b09d33919f755e ]

Dear Linus Walleij,

In old kernels, some APIs still try to use parent->of_node from struct gpio_chip, and it could be resulted in kernel panic because parent is NULL. Adding platform device to gpiochip->parent can fix this problem.
Signed-off-by: Johnson Chen
Link: https://patchwork.kernel.org/patch/11234609
Link: https://lore.kernel.org/r/HK0PR01MB3521489269F76467DFD7843FFA450@HK0PR01MB3521.apcprd01.prod.exchangelabs.com
Signed-off-by: Linus Walleij
Signed-off-by: Sasha Levin

commit 70a086b5c359fd45eca09d013a354b0f7a00718f
Author: Matti Vaittinen
Date: Wed Oct 23 14:47:11 2019 +0300

rtc: bd70528: Add MODULE ALIAS to autoload module

commit c3e12e66b14a043daac6b3d0559df80b9ed7679c upstream.

The bd70528 RTC driver is probed by MFD driver. Add MODULE_ALIAS in order to allow udev to load the module when MFD sub-device cell for RTC is added.

I'm not sure if this is a bugfix or feature addition but I guess fixes tag won't harm in this case.

Fixes: 32a4a4ebf768 ("rtc: bd70528: Initial support for ROHM bd70528 RTC")
Signed-off-by: Matti Vaittinen
Link: https://lore.kernel.org/r/20191023114711.GA13954@localhost.localdomain
Signed-off-by: Alexandre Belloni
Signed-off-by: Greg Kroah-Hartman

commit 419fe70331d1fb7392f995d522d8fcc6c03516be
Author: Chuhong Yuan
Date: Wed Nov 6 00:00:43 2019 +0800

rtc: brcmstb-waketimer: add missed clk_disable_unprepare

commit 94303f8930ed78aea0f189b703c9d79fff9555d7 upstream.

This driver forgets to disable and unprepare clock when remove. Add a call to clk_disable_unprepare to fix it.

Fixes: c4f07ecee22e ("rtc: brcmstb-waketimer: Add Broadcom STB wake-timer")
Signed-off-by: Chuhong Yuan
Acked-by: Florian Fainelli
Link: https://lore.kernel.org/r/20191105160043.20018-1-hslester96@gmail.com
Signed-off-by: Alexandre Belloni
Signed-off-by: Greg Kroah-Hartman

commit 308c1e408b3295fb4b2cc55a2a697171d0a35324
Author: Kars de Jong
Date: Sat Nov 16 12:05:48 2019 +0100

rtc: msm6242: Fix reading of 10-hour digit

commit e34494c8df0cd96fc432efae121db3212c46ae48 upstream.

The driver was reading the wrong register as the 10-hour digit due to a misplaced ')'. It was in fact reading the 1-second digit register due to this bug.
Also remove the use of a magic number for the hour mask and use the define for it which was already present.

Fixes: 4f9b9bba1dd1 ("rtc: Add an RTC driver for the Oki MSM6242")
Tested-by: Kars de Jong
Signed-off-by: Kars de Jong
Link: https://lore.kernel.org/r/20191116110548.8562-1-jongk@linux-m68k.org
Reviewed-by: Geert Uytterhoeven
Signed-off-by: Alexandre Belloni
Signed-off-by: Greg Kroah-Hartman

commit 4ef359320750f4815e1a1315374662a8bce7e2e5
Author: Olga Kornievskaia
Date: Wed Dec 4 15:13:54 2019 -0500

NFSD fixing possible null pointer derefering in copy offload

commit 18f428d4e2f7eff162d80b2b21689496c4e82afd upstream.

Static checker revealed possible error path leading to possible NULL pointer dereferencing.

Reported-by: Dan Carpenter
Fixes: e0639dc5805a: ("NFSD introduce async copy feature")
Signed-off-by: Olga Kornievskaia
Signed-off-by: J. Bruce Fields
Signed-off-by: Greg Kroah-Hartman

commit 382e63a560a6ef8588661ff0c0fd83baa1d7cfcd
Author: Chao Yu
Date: Thu Nov 7 17:29:00 2019 +0800

f2fs: fix potential overflow

commit 1f0d5c911b64165c9754139a26c8c2fad352c132 upstream.

We expect 64-bit calculation result from below statement, however in 32-bit machine, looped left shift operation on pgoff_t type variable may cause overflow issue, fix it by forcing type cast.

page->index << PAGE_SHIFT;

Fixes: 26de9b117130 ("f2fs: avoid unnecessary updating inode during fsync")
Fixes: 0a2aa8fbb969 ("f2fs: refactor __exchange_data_block for speed up")
Signed-off-by: Chao Yu
Signed-off-by: Jaegeuk Kim
Signed-off-by: Greg Kroah-Hartman

commit fe07c80f5eb7009675dfac58b9471d703432c315
Author: Victorien Molle
Date: Mon Dec 2 15:11:38 2019 +0100

sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO

commit b3c424eb6a1a3c485de64619418a471dee6ce849 upstream.
This field has never been checked since introduction in mainline kernel

Signed-off-by: Victorien Molle
Signed-off-by: Florent Fourcot
Fixes: 2db6dc2662ba "sch_cake: Make gso-splitting configurable from userspace"
Acked-by: Toke Høiland-Jørgensen
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 14e7f0da75c4c8ccd8f4b53802f6fe81779914fe
Author: Luca Coelho
Date: Fri Nov 15 09:27:25 2019 +0200

iwlwifi: mvm: fix support for single antenna diversity

commit bb99ff9baa02beb9216c86678999342197c849cc upstream.

When the single antenna diversity support was sent upstream, only some definitions were sent, due to a bad revert.

Fix this by adding the actual code.

Fixes: 5952e0ec3f05 ("iwlwifi: mvm: add support for single antenna diversity")
Signed-off-by: Luca Coelho
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman

commit 83f27b9efe478d44e783a860fb8d07f6a038dd39
Author: Nathan Chancellor
Date: Tue Oct 22 17:47:03 2019 -0700

rtlwifi: Remove unnecessary NULL check in rtl_regd_init

commit 091c6e9c083f7ebaff00b37ad13562d51464d175 upstream.

When building with Clang + -Wtautological-pointer-compare:

drivers/net/wireless/realtek/rtlwifi/regd.c:389:33: warning: comparison of address of 'rtlpriv->regd' equal to a null pointer is always false [-Wtautological-pointer-compare]
if (wiphy == NULL || &rtlpriv->regd == NULL)
                     ~~~~~~~~~^~~~    ~~~~
1 warning generated.

The address of an array member is never NULL unless it is the first struct member so remove the unnecessary check. This was addressed in the staging version of the driver in commit f986978b32b3 ("Staging: rtlwifi: remove unnecessary NULL check").
While we are here, fix the following checkpatch warning:

CHECK: Comparison to NULL could be written "!wiphy"
35: FILE: drivers/net/wireless/realtek/rtlwifi/regd.c:389:
+ if (wiphy == NULL)

Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Link: https://github.com/ClangBuiltLinux/linux/issues/750
Signed-off-by: Nathan Chancellor
Acked-by: Ping-Ke Shih
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman

commit 1fee31737e9067264a2e476e6b60964cb17b6c4d
Author: Mordechay Goodstein
Date: Sun Jul 28 20:09:22 2019 +0300

iwlwifi: mvm: consider ieee80211 station max amsdu value

commit ee4cce9b9d6421d037ffc002536b918fd7f4aff3 upstream.

debugfs amsdu_len sets only the max_amsdu_len for ieee80211 station so take it into consideration while getting max amsdu

Fixes: af2984e9e625 ("iwlwifi: mvm: add a debugfs entry to set a fixed size AMSDU for all TX packets")
Signed-off-by: Mordechay Goodstein
Signed-off-by: Luca Coelho
Signed-off-by: Greg Kroah-Hartman

commit bf3b4bc7bb03a2b0e67078d42a1d43ce05a14b7b
Author: Navid Emamdoost
Date: Sun Sep 29 22:46:01 2019 -0500

spi: lpspi: fix memory leak in fsl_lpspi_probe

commit 057b8945f78f76d0b04eeb5c27cd9225e5e7ad86 upstream.

In fsl_lpspi_probe an SPI controller is allocated either via spi_alloc_slave or spi_alloc_master. In all but one error cases this controller is put by going to error handling code. This commit fixes the case when pm_runtime_get_sync fails and it should go to the error handling path.

Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi")
Signed-off-by: Navid Emamdoost
Link: https://lore.kernel.org/r/20190930034602.1467-1-navid.emamdoost@gmail.com
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 091f7685cbd115b101250be70717e6bce9aa7889
Author: Geert Uytterhoeven
Date: Wed Oct 16 16:31:01 2019 +0200

spi: rspi: Use platform_get_irq_byname_optional() for optional irqs

commit 2de860b4a7a0bd5a4b5bd3bff0e6a615495df4ba upstream.
As platform_get_irq_byname() now prints an error when the interrupt does not exist, scary warnings may be printed for optional interrupts:

renesas_spi e6b10000.spi: IRQ rx not found
renesas_spi e6b10000.spi: IRQ mux not found

Fix this by calling platform_get_irq_byname_optional() instead. Remove the no longer needed printing of platform_get_irq errors, as the remaining calls to platform_get_irq() and platform_get_irq_byname() take care of that.

Fixes: 7723f4c5ecdb8d83 ("driver core: platform: Add an error message to platform_get_irq*()")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Stephen Boyd
Link: https://lore.kernel.org/r/20191016143101.28738-1-geert+renesas@glider.be
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 5a58c8e40ddedb2577c460cefffd309d0fc0081d
Author: Mans Rullgard
Date: Fri Oct 18 17:35:04 2019 +0200

spi: atmel: fix handling of cs_change set on non-last xfer

commit fed8d8c7a6dc2a76d7764842853d81c770b0788e upstream.

The driver does the wrong thing when cs_change is set on a non-last xfer in a message. When cs_change is set, the driver deactivates the CS and leaves it off until a later xfer again has cs_change set whereas it should be briefly toggling CS off and on again.

This patch brings the behaviour of the driver back in line with the documentation and common sense. The delay of 10 us is the same as is used by the default spi_transfer_one_message() function in spi.c.
[gregory: rebased on for-5.5 from spi tree]
Fixes: 8090d6d1a415 ("spi: atmel: Refactor spi-atmel to use SPI framework queue")
Signed-off-by: Mans Rullgard
Acked-by: Nicolas Ferre
Signed-off-by: Gregory CLEMENT
Link: https://lore.kernel.org/r/20191018153504.4249-1-gregory.clement@bootlin.com
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 07039f34f16e936131c923f30118a8afd359d0ce
Author: Daniel Vetter
Date: Thu Oct 17 08:44:26 2019 +0200

spi: pxa2xx: Set controller->max_transfer_size in dma mode

commit b2662a164f9dc48da8822e56600686d639056282 upstream.

In DMA mode we have a maximum transfer size, past that the driver falls back to PIO (see the check at the top of pxa2xx_spi_transfer_one). Falling back to PIO for big transfers defeats the point of a dma engine, hence set the max transfer size to inform spi clients that they need to do something smarter.

This was uncovered by the drm_mipi_dbi spi panel code, which does large spi transfers, but stopped splitting them after:

    commit e143364b4c1774f68e923a5a0bb0fca28ac25888
    Author: Noralf Trønnes
    Date: Fri Jul 19 17:59:10 2019 +0200

    drm/tinydrm: Remove tinydrm_spi_max_transfer_size()

After this commit the code relied on the spi core to split transfers into max dma-able blocks, which also papered over the PIO fallback issue.

Fix this by setting the overall max transfer size to the DMA limit, but only when the controller runs in DMA mode.
Fixes: e143364b4c17 ("drm/tinydrm: Remove tinydrm_spi_max_transfer_size()")
Cc: Sam Ravnborg
Cc: Noralf Trønnes
Cc: Andy Shevchenko
Reported-and-tested-by: Andy Shevchenko
Cc: Daniel Mack
Cc: Haojian Zhuang
Cc: Robert Jarzmik
Cc: Mark Brown
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-spi@vger.kernel.org
Signed-off-by: Daniel Vetter
Link: https://lore.kernel.org/r/20191017064426.30814-1-daniel.vetter@ffwll.ch
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 96dd61cfea3d70a3abf654ba2b2de7bd5324635e
Author: Sergei Shtylyov
Date: Wed Oct 30 21:53:03 2019 +0300

mtd: spi-nor: fix silent truncation in spi_nor_read_raw()

commit 3d63ee5deb466fd66ed6ffb164a87ce36425cf36 upstream.

spi_nor_read_raw() assigns the result of 'ssize_t spi_nor_read_data()' to the 'int ret' variable, while 'ssize_t' is a 64-bit type and *int* is a 32-bit type on the 64-bit machines. This silent truncation isn't really valid, so fix up the variable's type.

Fixes: f384b352cbf0 ("mtd: spi-nor: parse Serial Flash Discoverable Parameters (SFDP) tables")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Tudor Ambarus
Signed-off-by: Greg Kroah-Hartman

commit a1ba92c1bfdf29258d5c01c220ac7d53353fb96a
Author: Sergei Shtylyov
Date: Wed Oct 30 21:48:59 2019 +0300

mtd: spi-nor: fix silent truncation in spi_nor_read()

commit a719a75a7761e4139dd099330d9fe3589d844f9b upstream.

spi_nor_read() assigns the result of 'ssize_t spi_nor_read_data()' to the 'int ret' variable, while 'ssize_t' is a 64-bit type and *int* is a 32-bit type on the 64-bit machines. This silent truncation isn't really valid, so fix up the variable's type.

Fixes: 59451e1233bd ("mtd: spi-nor: change return value of read/write")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Tudor Ambarus
Signed-off-by: Greg Kroah-Hartman

commit 98cb3486aa2b7b7a74ae469315f3976f209f5c76
Author: Huanpeng Xin
Date: Wed Dec 4 15:13:59 2019 +0800

spi: sprd: Fix the incorrect SPI register

commit 5e9c5236b7b86779b53b762f7e66240c3f18314b upstream.
The original code used an incorrect SPI register to initialize the SPI controller in sprd_spi_init_hw(), thus fix it.

Fixes: e7d973a31c24 ("spi: sprd: Add SPI driver for Spreadtrum SC9860")
Signed-off-by: Huanpeng Xin
Signed-off-by: Baolin Wang
Link: https://lore.kernel.org/r/b4f7f89ec0fdc595335687bfbd9f962213bc4a1d.1575443510.git.baolin.wang7@gmail.com
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 2d657e3ac543a5c7f2f022e0fe70af02c7d13263
Author: Zhihao Cheng
Date: Tue Oct 29 20:58:23 2019 +0800

ubifs: do_kill_orphans: Fix a memory leak bug

commit 10256f000932f12596dc043cf880ecf488a32510 upstream.

If there are more than one valid snod on the sleb->nodes list, do_kill_orphans will malloc ino more than once without releasing previous ino's memory. Finally, it will trigger memory leak.

Fixes: ee1438ce5dc4 ("ubifs: Check link count of inodes when...")
Signed-off-by: Zhihao Cheng
Signed-off-by: zhangyi (F)
Signed-off-by: Richard Weinberger
Signed-off-by: Greg Kroah-Hartman

commit c7e5f09427d05c43f4c352de2668110829f615d4
Author: Ben Dooks (Codethink)
Date: Wed Oct 16 11:08:03 2019 +0100

ubifs: Fixed missed le64_to_cpu() in journal

commit df22b5b3ecc6233e33bd27f67f14c0cd1b5a5897 upstream.

In the ubifs_jnl_write_inode() function, it calls ubifs_iget() with xent->inum. The xent->inum is __le64, but the ubifs_iget() takes native cpu endian.
I think that this should be changed to passing le64_to_cpu(xent->inum) to fix the following sparse warning:

fs/ubifs/journal.c:902:58: warning: incorrect type in argument 2 (different base types)
fs/ubifs/journal.c:902:58: expected unsigned long inum
fs/ubifs/journal.c:902:58: got restricted __le64 [usertype] inum

Fixes: 7959cf3a7506 ("ubifs: journal: Handle xattrs like files")
Signed-off-by: Ben Dooks
Signed-off-by: Richard Weinberger
Signed-off-by: Greg Kroah-Hartman

commit e071addacd06c8140fd0bc422dfb3a013000ac2b
Author: Richard Weinberger
Date: Thu Oct 24 10:25:35 2019 +0200

Revert "ubifs: Fix memory leak bug in alloc_ubifs_info() error path"

commit 91cbf01178c37086b32148c53e24b04cb77557cf upstream.

This reverts commit 9163e0184bd7d5f779934d34581843f699ad2ffd.

At the point when ubifs_fill_super() runs, we have already a reference to the super block. So upon deactivate_locked_super() c will get free()'ed via ->kill_sb().

Cc: Wenwen Wang
Fixes: 9163e0184bd7 ("ubifs: Fix memory leak bug in alloc_ubifs_info() error path")
Reported-by: https://twitter.com/grsecurity/status/1180609139359277056
Signed-off-by: Richard Weinberger
Tested-by: Romain Izard
Signed-off-by: Richard Weinberger
Signed-off-by: Greg Kroah-Hartman

commit d4da9d7d50a5c28c1ababa2e01ac947a19fe451c
Author: Yong Wu
Date: Wed Oct 9 19:59:33 2019 +0800

memory: mtk-smi: Add PM suspend and resume ops

commit fb03082a54acd66c61535edfefe96b2ff88ce7e2 upstream.

In the commit 4f0a1a1ae351 ("memory: mtk-smi: Invoke pm runtime_callback to enable clocks"), we use pm_runtime callback to enable/disable the smi larb clocks. It will cause the larb's clock may not be disabled when suspend. That is because device_prepare will call pm_runtime_get_noresume which will keep the larb's PM runtime status still is active when suspend, then it won't enter our pm_runtime suspend callback to disable the corresponding clocks.
This patch adds suspend pm_ops to force disable the clocks, Use "LATE" to make sure it disable the larb's clocks after the multimedia devices.

Fixes: 4f0a1a1ae351 ("memory: mtk-smi: Invoke pm runtime_callback to enable clocks")
Signed-off-by: Anan Sun
Signed-off-by: Yong Wu
Signed-off-by: Joerg Roedel
Signed-off-by: Greg Kroah-Hartman

commit f07d3e39f082e7d07d3f085641c35f3b5e553753
Author: Yong Wu
Date: Mon Nov 4 15:01:03 2019 +0800

iommu/mediatek: Add a new tlb_lock for tlb_flush

commit da3cc91b8db403728cde03c8a95cba268d8cbf1b upstream.

The commit 4d689b619445 ("iommu/io-pgtable-arm-v7s: Convert to IOMMU API TLB sync") help move the tlb_sync of unmap from v7s into the iommu framework. It helps add a new function "mtk_iommu_iotlb_sync", But it lacked the lock, then it will cause the variable "tlb_flush_active" may be changed unexpectedly, we could see this warning log randomly:

mtk-iommu 10205000.iommu: Partial TLB flush timed out, falling back to full flush

The HW requires tlb_flush/tlb_sync in pairs strictly, this patch adds a new tlb_lock for tlb operations to fix this issue.

Fixes: 4d689b619445 ("iommu/io-pgtable-arm-v7s: Convert to IOMMU API TLB sync")
Signed-off-by: Yong Wu
Signed-off-by: Joerg Roedel
Signed-off-by: Greg Kroah-Hartman

commit e5c3362bc211bd0c38bd7accac690fdd098978a8
Author: Yong Wu
Date: Mon Nov 4 15:01:02 2019 +0800

iommu/mediatek: Correct the flush_iotlb_all callback

commit 2009122f1d83dd8375572661961eab1e7e86bffe upstream.

Use the correct tlb_flush_all instead of the original one.

Fixes: 4d689b619445 ("iommu/io-pgtable-arm-v7s: Convert to IOMMU API TLB sync")
Signed-off-by: Yong Wu
Reviewed-by: Robin Murphy
Signed-off-by: Joerg Roedel
Signed-off-by: Greg Kroah-Hartman

commit ce1b79a598df3b34625f4c4b6118970fae19cbb0
Author: Jonas Karlman
Date: Wed Nov 6 23:35:11 2019 +0100

media: hantro: Set H264 FIELDPIC_FLAG_E flag correctly

commit a2cbf80a842add9663522bf898cf13cb2ac4e423 upstream.
The FIELDPIC_FLAG_E bit should be set when field_pic_flag exists in stream, it is currently set based on field_pic_flag of current frame. The PIC_FIELDMODE_E bit is correctly set based on the field_pic_flag.

Fix this by setting the FIELDPIC_FLAG_E bit when frame_mbs_only is not set.

Fixes: dea0a82f3d22 ("media: hantro: Add support for H264 decoding on G1")
Signed-off-by: Jonas Karlman
Reviewed-by: Boris Brezillon
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 00b31281af6b3012048d254218e39dfae965af63
Author: Navid Emamdoost
Date: Sun Nov 10 07:23:38 2019 +0100

media: aspeed-video: Fix memory leaks in aspeed_video_probe

commit c3df30a01da4955e04fa068c503cd784b31dad92 upstream.

In the implementation of aspeed_video_probe() the allocated memory for video should be released if either devm_ioremap_resource() or aspeed_video_init() or aspeed_video_setup_video() fails. Replace kzalloc() with devm_kzalloc to avoid explicit release for video.

Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver")
Signed-off-by: Navid Emamdoost
Reviewed-by: Jae Hyun Yoo
Reviewed-by: Eddie James
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 9842aa96b5dbc370f553f327e15f80196d220b58
Author: Jonas Karlman
Date: Tue Oct 29 01:00:53 2019 +0100

media: hantro: Do not reorder H264 scaling list

commit e17f08e3166635d2eaa6a894afeb28ca651ddd35 upstream.

Scaling list supplied from userspace should be in matrix order and can be used without applying the inverse scanning process.

The HW also only support 8x8 scaling list for the Y component, indices 0 and 1 in the scaling list supplied from userspace.

Remove reordering and write the scaling matrix in an order expected by the VPU, also only allocate memory for the two 8x8 lists supported.
Fixes: a9471e25629b ("media: hantro: Add core bits to support H264 decoding")
Signed-off-by: Jonas Karlman
Reviewed-by: Philipp Zabel
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 5e0a601791be225ebf60abe266d1ec4f11acf43e
Author: Jonas Karlman
Date: Tue Oct 29 01:00:52 2019 +0100

media: cedrus: Use correct H264 8x8 scaling list

commit a6b8feae7c88343212686120740cf7551dd16e08 upstream.

Documentation now defines the expected order of scaling lists, change to use correct indices.

Fixes: 6eb9b758e307 ("media: cedrus: Add H264 decoding support")
Signed-off-by: Jonas Karlman
Reviewed-by: Philipp Zabel
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 03915a22e801e9709146f11619534e22a7338614
Author: Philipp Zabel
Date: Thu Oct 24 07:32:11 2019 -0300

media: coda: fix deadlock between decoder picture run and start command

commit a3fd80198de6ab98a205cf7fb148d88e9e1c44bb upstream.

The BIT decoder picture run temporarily locks the bitstream mutex while the coda device mutex is locked, to refill the bitstream ring buffer. Consequently, the decoder start command, which locks both mutexes when flushing the bitstream ring buffer, must lock the coda device mutex first as well, to avoid an ABBA deadlock.

Fixes: e7fd95849b3c ("media: coda: flush bitstream ring buffer on decoder restart")
Signed-off-by: Philipp Zabel
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 7eab724d4aaed030bd222beecd8d0b4fec661595
Author: Seung-Woo Kim
Date: Fri Oct 18 07:20:52 2019 -0300

media: exynos4-is: Fix recursive locking in isp_video_release()

commit 704c6c80fb471d1bb0ef0d61a94617d1d55743cd upstream.

From isp_video_release(), &isp->video_lock is held and subsequent vb2_fop_release() tries to lock vdev->lock which is same with the previous one. Replace vb2_fop_release() with _vb2_fop_release() to fix the recursive locking.
Fixes: 1380f5754cb0 ("[media] videobuf2: Add missing lock held on vb2_fop_release")
Signed-off-by: Seung-Woo Kim
Reviewed-by: Sylwester Nawrocki
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 4ccbec2a14cf62a465638ed9d756ce9a6a979e4a
Author: Christophe JAILLET
Date: Fri Sep 13 16:06:47 2019 -0300

media: v4l: cadence: Fix how unsued lanes are handled in 'csi2rx_start()'

commit 2eca8e4c1df4864b937752c3aa2f7925114f4806 upstream.

The 2nd parameter of 'find_first_zero_bit()' is a number of bits, not of bytes. So use 'csi2rx->max_lanes' instead of 'sizeof(lanes_used)'.

Fixes: 1fc3b37f34f6 ("media: v4l: cadence: Add Cadence MIPI-CSI2 RX driver")
Signed-off-by: Christophe JAILLET
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 602ce9a6f870a15df7202f71ca876d36b87c2f8d
Author: Boris Brezillon
Date: Mon Sep 9 04:28:15 2019 -0300

media: hantro: h264: Fix the frame_num wraparound case

commit 9db5f87f6723678a7e7e5e3165439c5c4378edbb upstream.

Step '8.2.4.1 Decoding process for picture numbers' was missing in the reflist creation logic, leading to invalid P reflists when a ->frame_num wraparound happens.

Fixes: a9471e25629b ("media: hantro: Add core bits to support H264 decoding")
Reported-by: Francois Buergisser
Signed-off-by: Boris Brezillon
Reviewed-by: Philipp Zabel
Tested-by: Philipp Zabel
Tested-by: Francois Buergisser
Reviewed-by: Tomasz Figa
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 24b71c411f733ee0dc6680ddc3b1cc5df21a73e9
Author: Niklas Söderlund
Date: Wed Sep 4 18:54:04 2019 -0300

media: rcar-vin: Fix incorrect return statement in rvin_try_format()

commit a0862a40364e2f87109317e31c51c9d7bc89e33f upstream.

While refactoring code the return statement became corrupted, fix it by returning the correct return code.
Reported-by: Kieran Bingham
Fixes: 897e371389e77514 ("media: rcar-vin: simplify how formats are set and reset"
Signed-off-by: Niklas Söderlund
Reviewed-by: Laurent Pinchart
Reviewed-by: Kieran Bingham
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 0944da90ee5d0860dd7cd25dcbfd0735809a6ba9
Author: Janusz Krzysztofik
Date: Tue Sep 3 17:11:42 2019 -0300

media: ov6650: Fix default format not applied on device probe

commit 5439fa9263cb293e41168bc03711ec18c4f11cba upstream.

It is not clear what pixel format is actually configured in hardware on reset. MEDIA_BUS_FMT_YUYV8_2X8, assumed on device probe since the driver was initially submitted, is for sure not the one. Fix it by explicitly applying a known, driver default frame format just after initial device reset.

Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
Signed-off-by: Janusz Krzysztofik
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 7ad319dd4dd7b5abccd1763fa22f7ae53fa277c1
Author: Janusz Krzysztofik
Date: Tue Sep 3 17:11:41 2019 -0300

media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support

commit 39034bb0c26b76a2c3abc54aa28c185f18b40c2f upstream.

Commit da298c6d98d5 ("[media] v4l2: replace video op g_mbus_fmt by pad op get_fmt") converted a former ov6650_g_fmt() video operation callback to an ov6650_get_fmt() pad operation callback. However, the converted function disregards a format->which flag that pad operations should obey and always returns active frame format settings.

That can be fixed by always responding to V4L2_SUBDEV_FORMAT_TRY with -EINVAL, or providing the response from a pad config argument, likely updated by a former user call to V4L2_SUBDEV_FORMAT_TRY .set_fmt(). Since implementation of the latter is trivial, go for it.
Fixes: da298c6d98d5 ("[media] v4l2: replace video op g_mbus_fmt by pad op get_fmt")
Signed-off-by: Janusz Krzysztofik
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 86c03858bf00af6d920fce25c8c42739aca196a3
Author: Janusz Krzysztofik
Date: Tue Sep 3 17:11:40 2019 -0300

media: ov6650: Fix some format attributes not under control

commit 1c6a2b63095154bbf9e8f38d79487a728331bf65 upstream.

User arguments passed to .get/set_fmt() pad operation callbacks may contain unsupported values. The driver takes control over frame size and pixel code as well as colorspace and field attributes but has never cared for remaining format attributes, i.e., ycbcr_enc, quantization and xfer_func, introduced by commit 11ff030c7365 ("[media] v4l2-mediabus: improve colorspace support"). Fix it.

Set up a static v4l2_mbus_framefmt structure with attributes initialized to reasonable defaults and use it for updating content of user provided arguments. In case of V4L2_SUBDEV_FORMAT_ACTIVE, postpone frame size update, now performed from inside ov6650_s_fmt() helper, until the user argument is first updated in ov6650_set_fmt() with default frame format content. For V4L2_SUBDEV_FORMAT_TRY, don't copy all attributes to pad config, only those handled by the driver, then fill the response with the default frame format updated with resulting pad config format code and frame size.

Fixes: 11ff030c7365 ("[media] v4l2-mediabus: improve colorspace support")
Signed-off-by: Janusz Krzysztofik
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 956a281b9e5a5874ceceef2daed84c38cca74d11
Author: Janusz Krzysztofik
Date: Tue Sep 3 17:11:39 2019 -0300

media: ov6650: Fix incorrect use of JPEG colorspace

commit 12500731895ef09afc5b66b86b76c0884fb9c7bf upstream.

Since its initial submission, the driver selects V4L2_COLORSPACE_JPEG for supported formats other than V4L2_MBUS_FMT_SBGGR8_1X8.
According to v4l2-compliance test program, V4L2_COLORSPACE_JPEG applies exclusively to V4L2_PIX_FMT_JPEG. Since the sensor does not support JPEG format, fix it to always select V4L2_COLORSPACE_SRGB.

Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
Signed-off-by: Janusz Krzysztofik
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit f6c771f16fd492889bac4459c9da50ecb628b43d
Author: Dietmar Eggemann
Date: Fri Nov 29 16:23:02 2019 +0100

ARM: 8943/1: Fix topology setup in case of CPU hotplug for CONFIG_SCHED_MC

commit ff98a5f624d2910de050f1fc7f2a32769da86b51 upstream.

Commit ca74b316df96 ("arm: Use common cpu_topology structure and functions.") changed cpu_coregroup_mask() from the ARM32 specific implementation in arch/arm/include/asm/topology.h to the one shared with ARM64 and RISCV in drivers/base/arch_topology.c.

Currently on ARM32 (TC2 w/ CONFIG_SCHED_MC) the task scheduler setup code (w/ CONFIG_SCHED_DEBUG) shows this during CPU hotplug:

ERROR: groups don't span domain->span

It happens to CPUs of the cluster of the CPU which gets hot-plugged out on scheduler domain MC.

Turns out that the shared cpu_coregroup_mask() requires that the hot-plugged CPU is removed from the core_sibling mask via remove_cpu_topology(). Otherwise the 'is core_sibling subset of cpumask_of_node()' doesn't work. In this case the task scheduler has to deal with cpumask_of_node instead of core_sibling which is wrong on scheduler domain MC.

e.g. CPU3 hot-plugged out on TC2 [cluster0: 0,3-4 cluster1: 1-2]:

cpu_coregroup_mask(): CPU3 cpumask_of_node=0-2,4 core_sibling=0,3-4
                                                                ^
should be:

cpu_coregroup_mask(): CPU3 cpumask_of_node=0-2,4 core_sibling=0,4

Add remove_cpu_topology() to __cpu_disable() to remove the CPU from the topology masks in case of a CPU hotplug out operation.
At the same time tweak store_cpu_topology() slightly so it will call update_siblings_masks() in case of CPU hotplug in operation via secondary_start_kernel()->smp_store_cpu_info().

This aligns the ARM32 implementation with the ARM64 one.

Guarding remove_cpu_topology() with CONFIG_GENERIC_ARCH_TOPOLOGY is necessary since some Arm32 defconfigs (aspeed_g5_defconfig, milbeaut_m10v_defconfig, spear13xx_defconfig) specify an explicit

# CONFIG_ARM_CPU_TOPOLOGY is not set

w/ ./arch/arm/Kconfig: select GENERIC_ARCH_TOPOLOGY if ARM_CPU_TOPOLOGY

Fixes: ca74b316df96 ("arm: Use common cpu_topology structure and functions")
Reviewed-by: Sudeep Holla
Reviewed-by: Lukasz Luba
Tested-by: Lukasz Luba
Tested-by: Ondrej Jirman
Signed-off-by: Dietmar Eggemann
Signed-off-by: Russell King
Signed-off-by: Greg Kroah-Hartman

commit 0f049f3e117b6310ea1e6eb9a3237c2e743305ad
Author: Peng Fan
Date: Wed Nov 13 05:37:42 2019 +0000

tty: serial: pch_uart: correct usage of dma_unmap_sg

commit 74887542fdcc92ad06a48c0cca17cdf09fc8aa00 upstream.

Per Documentation/DMA-API-HOWTO.txt,

To unmap a scatterlist, just call:

    dma_unmap_sg(dev, sglist, nents, direction);

.. note::

    The 'nents' argument to the dma_unmap_sg call must be the _same_ one you passed into the dma_map_sg call, it should _NOT_ be the 'count' value _returned_ from the dma_map_sg call.

However in the driver, priv->nent is directly assigned with value returned from dma_map_sg, and dma_unmap_sg use priv->nent for unmap, this breaks the API usage.

So introduce a new entry orig_nent to remember 'nents'.

Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
Signed-off-by: Peng Fan
Link: https://lore.kernel.org/r/1573623259-6339-1-git-send-email-peng.fan@nxp.com
Signed-off-by: Greg Kroah-Hartman

commit 8eac66e1162c6f318dfd2fb517844d364106f83f
Author: Peng Fan
Date: Thu Nov 7 06:42:53 2019 +0000

tty: serial: imx: use the sg count from dma_map_sg

commit 596fd8dffb745afcebc0ec6968e17fe29f02044c upstream.
The dmaengine_prep_slave_sg needs to use sg count returned by dma_map_sg, not use sport->dma_tx_nents, because the return value of dma_map_sg is not always same with "nents".

Fixes: b4cdc8f61beb ("serial: imx: add DMA support for imx6q")
Signed-off-by: Peng Fan
Link: https://lore.kernel.org/r/1573108875-26530-1-git-send-email-peng.fan@nxp.com
Signed-off-by: Greg Kroah-Hartman

commit 363e1fc285f2d7cc82fa8c88e95105dc1e75ed4f
Author: Thomas Bogendoerfer
Date: Tue Nov 19 12:08:56 2019 +0100

MIPS: SGI-IP27: Fix crash, when CPUs are disabled via nr_cpus parameter

commit e3d765a941f6130fd94e47b2064cfee71f4cbadd upstream.

If number of CPUs are limited by the kernel commandline parameter nr_cpus assignment of interrupts according to numa rules might not be possible. As a fallback use one of the online CPUs as interrupt destination.

Fixes: 69a07a41d908 ("MIPS: SGI-IP27: rework HUB interrupts")
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: Paul Burton
Cc: Ralf Baechle
Cc: James Hogan
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman

commit 2ca8c763ae0cb517de6058cb9142877c96220a03
Author: Tiezhu Yang
Date: Mon Nov 4 21:33:50 2019 +0800

MIPS: Loongson: Fix return value of loongson_hwmon_init

commit dece3c2a320b0a6d891da6ff774ab763969b6860 upstream.

When call function hwmon_device_register failed, use the actual return value instead of always -ENOMEM.

Fixes: 64f09aa967e1 ("MIPS: Loongson-3: Add CPU Hwmon platform driver")
Signed-off-by: Tiezhu Yang
Signed-off-by: Paul Burton
Cc: Ralf Baechle
Cc: James Hogan
Cc: Huacai Chen
Cc: Jiaxun Yang
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman

commit 957978aa56f13e6d7493a139edc9cbade78e78c4
Author: Thomas Bogendoerfer
Date: Tue Nov 19 12:08:57 2019 +0100

MIPS: PCI: remember nasid changed by set interrupt affinity

commit 37640adbefd66491cb8083a438f7bf366ac09bc7 upstream.
When changing interrupt affinity remember the possible changed nasid, otherwise an interrupt deactivate/activate sequence will incorrectly setup interrupt.

Fixes: e6308b6d35ea ("MIPS: SGI-IP27: abstract chipset irq from bridge")
Signed-off-by: Thomas Bogendoerfer
Signed-off-by: Paul Burton
Cc: Ralf Baechle
Cc: James Hogan
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman

commit 2264fcac8543b65099061b80d519f7c390a8c7c0
Author: Oliver O'Halloran
Date: Mon Nov 18 17:55:53 2019 +1100

powerpc/powernv: Disable native PCIe port management

commit 9d72dcef891030545f39ad386a30cf91df517fb2 upstream.

On PowerNV the PCIe topology is (currently) managed by the powernv platform code in Linux in cooperation with the platform firmware. Linux's native PCIe port service drivers operate independently of both and this can cause problems.

The main issue is that the portbus driver will conflict with the platform specific hotplug driver (pnv_php) over ownership of the MSI used to notify the host when a hotplug event occurs. The portbus driver claims this MSI on behalf of the individual port services because the same interrupt is used for hotplug events, PMEs (on root ports), and link bandwidth change notifications. The portbus driver will always claim the interrupt even if the individual port service drivers, such as pciehp, are compiled out.

The second, bigger, problem is that the hotplug port service driver fundamentally does not work on PowerNV. The platform assumes that all PCI devices have a corresponding arch-specific handle derived from the DT node for the device (pci_dn) and without one the platform will not allow a PCI device to be enabled. This problem is largely due to historical baggage, but it can't be resolved without significant re-factoring of the platform PCI support.

We can fix these problems in the interim by setting the "pcie_ports_disabled" flag during platform initialisation.
The flag indicates the platform owns the PCIe ports which stops the portbus driver from being registered.

This does have the side effect of disabling all port services drivers that is: AER, PME, BW notifications, hotplug, and DPC. However, this is not a huge disadvantage on PowerNV since these services are either unused or handled through other means.

Fixes: 66725152fb9f ("PCI/hotplug: PowerPC PowerNV PCI hotplug driver")
Signed-off-by: Oliver O'Halloran
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20191118065553.30362-1-oohall@gmail.com
Signed-off-by: Greg Kroah-Hartman

commit 2faf9f497f0b225a389e35b6e240ffe52963c4d7
Author: Bjorn Helgaas
Date: Wed Nov 6 15:30:48 2019 -0600

PCI/PTM: Remove spurious "d" from granularity message

commit 127a7709495db52a41012deaebbb7afc231dad91 upstream.

The granularity message has an extra "d":

pci 0000:02:00.0: PTM enabled, 4dns granularity

Remove the "d" so the message is simply "PTM enabled, 4ns granularity".

Fixes: 8b2ec318eece ("PCI: Add PTM clock granularity information")
Link: https://lore.kernel.org/r/20191106222420.10216-2-helgaas@kernel.org
Signed-off-by: Bjorn Helgaas
Reviewed-by: Andrew Murray
Cc: Jonathan Yong
Signed-off-by: Greg Kroah-Hartman

commit 911e1dcc1b1bf2cbaecc815dff95406173019931
Author: Hewenliang
Date: Fri Oct 25 21:35:55 2019 -0400

tools: PCI: Fix fd leakage

commit 3c379a59b4795d7279d38c623e74b9790345a32b upstream.

We should close fd before the return of run_test.

Fixes: 3f2ed8134834 ("tools: PCI: Add a userspace tool to test PCI endpoint")
Signed-off-by: Hewenliang
Signed-off-by: Lorenzo Pieralisi
Acked-by: Kishon Vijay Abraham I
Signed-off-by: Greg Kroah-Hartman

commit 5611345ef38fb69a7eaeb1d1699799a6251cb374
Author: Bjorn Helgaas
Date: Thu Oct 10 16:54:36 2019 -0500

PCI/PM: Clear PCIe PME Status even for legacy power management

commit ec6a75ef8e33fe33f963b916fd902c52a0be33ff upstream.
Previously, pci_pm_resume_noirq() cleared the PME Status bit in the Root Status register only if the device had no driver or the driver did not implement legacy power management. It should clear PME Status regardless of what sort of power management the driver supports, so do this before checking for legacy power management.

This affects Root Ports and Root Complex Event Collectors, for which the usual driver is the PCIe portdrv, which implements new power management, so this change is just on principle, not to fix any actual defects.

Fixes: a39bd851dccf ("PCI/PM: Clear PCIe PME Status bit in core, not PCIe port driver")
Link: https://lore.kernel.org/r/20191014230016.240912-4-helgaas@kernel.org
Signed-off-by: Bjorn Helgaas
Reviewed-by: Rafael J. Wysocki
Signed-off-by: Greg Kroah-Hartman

commit a6aafadb9860795aa34ac5324e25b6bb5a6af496
Author: Rob Herring
Date: Mon Oct 7 20:23:25 2019 -0500

PCI: Fix missing bridge dma_ranges resource list cleanup

commit 7608158df3ed87a5c938c4a0b91f5b11101a9be1 upstream.

Commit e80a91ad302b ("PCI: Add dma_ranges window list") added a dma_ranges resource list, but failed to correctly free the list when devm_pci_alloc_host_bridge() is used.

Only the iproc host bridge driver is using the dma_ranges list.

Fixes: e80a91ad302b ("PCI: Add dma_ranges window list")
Link: https://lore.kernel.org/r/20191008012325.25700-1-robh@kernel.org
Signed-off-by: Rob Herring
Signed-off-by: Bjorn Helgaas
Cc: Srinath Mannam
Signed-off-by: Greg Kroah-Hartman

commit 9c18c065c30e339da6ca57b74ec432593e6df809
Author: Niklas Cassel
Date: Wed Sep 4 18:03:38 2019 +0200

PCI: dwc: Fix find_next_bit() usage

commit 1137e61dcb99f7f8b54e77ed83f68b5b485a3e34 upstream.

find_next_bit() takes a parameter of size long, and performs arithmetic that assumes that the argument is of size long.
Therefore we cannot pass a u32, since this will cause find_next_bit() to read outside the stack buffer and will produce the following print:

BUG: KASAN: stack-out-of-bounds in find_next_bit+0x38/0xb0

Fixes: 1b497e6493c4 ("PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq()")
Tested-by: Bjorn Andersson
Signed-off-by: Niklas Cassel
Signed-off-by: Lorenzo Pieralisi
Reviewed-by: Andrew Murray
Acked-by: Gustavo Pimentel
Signed-off-by: Greg Kroah-Hartman

commit ec932793848faef450a47e76e3836721aeabe078
Author: Remi Pommarel
Date: Fri Jun 14 12:10:59 2019 +0200

PCI: aardvark: Fix PCI_EXP_RTCTL register configuration

commit c0f05a6ab52535c1bf5f43272eede3e11c5701a5 upstream.

PCI_EXP_RTCTL is used to activate PME interrupt only, so writing into it should not modify other interrupts' mask. The ISR mask polarity was also inverted, when PCI_EXP_RTCTL_PMEIE is set PCIE_MSG_PM_PME_MASK mask bit should actually be cleared.

Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Signed-off-by: Remi Pommarel
Signed-off-by: Lorenzo Pieralisi
Acked-by: Thomas Petazzoni
Signed-off-by: Greg Kroah-Hartman

commit 8bb461eced314e3854232a641533148a5760fe26
Author: Remi Pommarel
Date: Wed May 22 23:33:51 2019 +0200

PCI: aardvark: Use LTSSM state to build link training flag

commit 364b3f1ff8f096d45f042a9c85daf7a1fc78413e upstream.

Aardvark's PCI_EXP_LNKSTA_LT flag in its link status register is not implemented and does not reflect the actual link training state (the flag is always set to 0). In order to support link re-training feature this flag has to be emulated. The Link Training and Status State Machine (LTSSM) flag in Aardvark LMI config register could be used as a link training indicator. Indeed if the LTSSM is in L0 or upper state then link training has completed (see [1]).
Unfortunately because after asking a link retraining it takes a while for the LTSSM state to become less than 0x10 (due to L0s to recovery state transition delays), LTSSM can still be in L0 while link training has not finished yet. So this waits for link to be in recovery or lesser state before returning after asking for a link retrain.

[1] "PCI Express Base Specification", REV. 4.0 PCI Express, February 19 2014, Table 4-14

Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
Tested-by: Marc Zyngier
Signed-off-by: Remi Pommarel
Signed-off-by: Lorenzo Pieralisi
Reviewed-by: Andrew Murray
Acked-by: Thomas Petazzoni
Signed-off-by: Greg Kroah-Hartman

commit 8b4b4582d4923f7d10fde369704eb784fe5e3101
Author: Arnd Bergmann
Date: Mon Jun 3 23:06:00 2019 +0200

compat_ioctl: handle SIOCOUTQNSD

commit 9d7bf41fafa5b5ddd4c13eb39446b0045f0a8167 upstream.

Unlike the normal SIOCOUTQ, SIOCOUTQNSD was never handled in compat mode. Add it to the common socket compat handler along with similar ones.

Fixes: 2f4e1b397097 ("tcp: ioctl type SIOCOUTQNSD returns amount of data not sent")
Cc: Eric Dumazet
Cc: netdev@vger.kernel.org
Cc: "David S. Miller"
Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman

commit 60cc5607bdc0dbbaf3482f540978094f0a127f7e
Author: Arnd Bergmann
Date: Mon Jun 3 22:03:44 2019 +0200

af_unix: add compat_ioctl support

commit 5f6beb9e0f633f3cc845cdd67973c506372931b4 upstream.

The af_unix protocol family has a custom ioctl command (inexplicably based on SIOCPROTOPRIVATE), but never had a compat_ioctl handler for 32-bit applications.

Since all commands are compatible here, add a trivial wrapper that performs the compat_ptr() conversion for SIOCOUTQ/SIOCINQ. SIOCUNIXFILE does not use the argument, but it doesn't hurt to also use compat_ptr() here.

Fixes: ba94f3088b79 ("unix: add ioctl to open a unix socket file with O_PATH")
Cc: netdev@vger.kernel.org
Cc: "David S. Miller"
Cc: Eric Dumazet
Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman

commit de1605c603e6b5e350f0f575e8f038a1e6b65e92
Author: Arnd Bergmann
Date: Mon Jun 3 13:40:01 2019 +0200

gfs2: add compat_ioctl support

commit 8d0980704842e8a68df2c3164c1c165e5c7ebc08 upstream.

Out of the four ioctl commands supported on gfs2, only FITRIM works in compat mode.

Add a proper handler based on the ext4 implementation.

Fixes: 6ddc5c3ddf25 ("gfs2: getlabel support")
Reviewed-by: Bob Peterson
Cc: Andreas Gruenbacher
Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman

commit 675297d25e87b75710efa4419fa08708522a80a0
Author: Loic Poulain
Date: Wed Dec 12 18:13:26 2018 +0100

arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD

commit e38161bd325ea541ef2f258d8e28281077dde524 upstream.

In the same way as for msm8974-hammerhead, l21 load, used for SDCARD VMMC, needs to be increased in order to prevent any voltage drop issues (due to limited current) happening with some SDCARDS or during specific operations (e.g. write).

Reviewed-by: Bjorn Andersson
Fixes: 660a9763c6a9 (arm64: dts: qcom: db820c: Add pm8994 regulator node)
Signed-off-by: Loic Poulain
Signed-off-by: Bjorn Andersson
Signed-off-by: Greg Kroah-Hartman

commit bdd308d667462434ca61ae734438256bf61ab878
Author: Arnd Bergmann
Date: Fri Mar 15 13:46:11 2019 +0100

scsi: sd: enable compat ioctls for sed-opal

commit 142b2ac82e31c174936c5719fa12ae28f51a55b7 upstream.

The sed_ioctl() function is written to be compatible between 32-bit and 64-bit processes, however compat mode is only wired up for nvme, not for sd.

Add the missing call to sed_ioctl() in sd_compat_ioctl().

Fixes: d80210f25ff0 ("sd: add support for TCG OPAL self encrypting disks")
Cc: linux-scsi@vger.kernel.org
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman

commit 0b1eb4058b951daff81ed7d1092b74c8d229a37b
Author: Xiaojie Yuan
Date: Thu Oct 10 20:44:20 2019 +0800

drm/amdgpu/discovery: reserve discovery data at the top of VRAM

commit 5f6a556f98de425fcb7928456839a06f02156633 upstream.

IP Discovery data is TMR fenced by the latest PSP BL, so we need to reserve this region.

Tested on navi10/12/14 with VBIOS integrated with latest PSP BL.

v2: use DISCOVERY_TMR_SIZE macro as bo size
    use amdgpu_bo_create_kernel_at() to allocate bo

Signed-off-by: Xiaojie Yuan
Reviewed-by: Hawking Zhang
Reviewed-by: Alex Deucher
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit 1601575529051ee903105054683d202929e07ad5
Author: Christian König
Date: Fri Sep 13 13:43:15 2019 +0200

drm/amdgpu: cleanup creating BOs at fixed location (v2)

commit de7b45babd9be25138ff5e4a0c34eefffbb226ff upstream.

The placement is something TTM/BO internal and the RAS code should avoid touching that directly.

Add a helper to create a BO at a fixed location and use that instead.

v2: squash in fixes (Alex)

Signed-off-by: Christian König
Reviewed-by: Guchun Chen
Reviewed-by: Alex Deucher
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit 7f57b0b34e21921eda7d56c41a7c82050f7134c8
Author: Greg Kroah-Hartman
Date: Thu Jan 16 20:37:53 2020 +0100

Revert "drm/virtio: switch virtio_gpu_wait_ioctl() to gem helper."

This reverts commit e6733ec8948475c4b62574e452135dc629294d75 which is commit 29cf12394c0565d7eb1685bf0c1b4749aa6a8b66 upstream.

Alistair writes:

After updating to 5.4.7 we noticed that virtio_gpu's wait ioctl stopped working correctly. It looks like 29cf12394c05 ("drm/virtio: switch virtio_gpu_wait_ioctl() to gem helper.") was picked up automatically, but it depends on 889165ad6190 ("drm/virtio: pass gem reservation object to ttm init") from earlier in Gerd's series in Linus's tree, which was not picked up.
    Cc: Gerd Hoffmann
    Cc: Daniel Vetter
    Cc: Chia-I Wu
    Cc: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

commit ee30108f7a005f5cd4a07b921deb99c885109bc2
Author: Mika Westerberg
Date:   Tue Oct 29 20:00:21 2019 +0300

    PCI: pciehp: Do not disable interrupt twice on suspend

    commit 75fcc0ce72e5cea2e357cdde858216c5bad40442 upstream.

    We try to keep PCIe hotplug ports runtime suspended when entering system suspend. Because the PCIe portdrv sets the DPM_FLAG_NEVER_SKIP flag, the PM core always calls system suspend/resume hooks even if the device is left runtime suspended. Since PCIe hotplug driver re-used the same function for both runtime suspend and system suspend, it ended up disabling hotplug interrupt twice and the second time following was printed:

      pciehp 0000:03:01.0:pcie204: pcie_do_write_cmd: no response from device

    Prevent this from happening by checking whether the device is already runtime suspended when the system suspend hook is called.

    Fixes: 9c62f0bfb832 ("PCI: pciehp: Implement runtime PM callbacks")
    Link: https://lore.kernel.org/r/20191029170022.57528-1-mika.westerberg@linux.intel.com
    Reported-by: Kai-Heng Feng
    Tested-by: Kai-Heng Feng
    Signed-off-by: Mika Westerberg
    Signed-off-by: Bjorn Helgaas
    Reviewed-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 0830d7d6705c7cb63295f2c76e85ecd1a25068a1
Author: Andy Shevchenko
Date:   Wed Nov 20 15:37:39 2019 +0200

    pinctrl: lewisburg: Update pin list according to v1.1v6

    commit e66ff71fd0dba36a53f91f39e4da6c7b84764f2e upstream.

    Version 1.1v6 of pin list has some changes in pin names for Intel Lewisburg. Update the driver accordingly. Note, it reveals the bug in the driver that misses two pins in GPP_L and has rather two extra ones. That's why the ordering of some groups is changed.
    Fixes: e480b745386e ("pinctrl: intel: Add Intel Lewisburg GPIO support")
    Signed-off-by: Andy Shevchenko
    Link: https://lore.kernel.org/r/20191120133739.54332-1-andriy.shevchenko@linux.intel.com
    Acked-by: Mika Westerberg
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit bb0b1fc11c694a2f4bba5899498020028af2c740
Author: Geert Uytterhoeven
Date:   Wed Oct 16 16:26:01 2019 +0200

    pinctrl: sh-pfc: Do not use platform_get_irq() to count interrupts

    commit ad7fe1a1a35994a201497443b5140bf54b074cca upstream.

    As platform_get_irq() now prints an error when the interrupt does not exist, counting interrupts by looping until failure causes the printing of scary messages like:

        sh-pfc e6060000.pin-controller: IRQ index 0 not found

    Fix this by using the platform_irq_count() helper instead.

    Fixes: 7723f4c5ecdb8d83 ("driver core: platform: Add an error message to platform_get_irq*()")
    Signed-off-by: Geert Uytterhoeven
    Reviewed-by: Yoshihiro Shimoda
    Reviewed-by: Stephen Boyd
    Reviewed-by: Niklas Söderlund
    Tested-by: Yoshihiro Shimoda
    Link: https://lore.kernel.org/r/20191016142601.28255-1-geert+renesas@glider.be
    Signed-off-by: Greg Kroah-Hartman

commit 5d7da82a5b10cd296b88b7f1afb3e25938e9bf1f
Author: Keiya Nobuta
Date:   Tue Oct 8 15:01:12 2019 +0900

    pinctrl: sh-pfc: Fix PINMUX_IPSR_PHYS() to set GPSR

    commit d30710b8cce3a581c170d69002e311cc18ed47d3 upstream.

    This patch allows PINMUX_IPSR_PHYS() to set bits in GPSR. When assigning function to pin, GPSR should be set to peripheral function. For example when using SCL3, GPSR2 bit7 (PWM1_A pin) should be set to peripheral function.
    Signed-off-by: Keiya Nobuta
    Link: https://lore.kernel.org/r/20191008060112.29819-1-nobuta.keiya@fujitsu.com
    Fixes: 50d1ba1764b3e00a ("pinctrl: sh-pfc: Add physical pin multiplexing helper macros")
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Greg Kroah-Hartman

commit 7d37e27a8a0bede73697fddaccea69c060a4e299
Author: Colin Ian King
Date:   Fri Sep 20 14:20:30 2019 +0200

    pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call

    commit 5ff8aca906f3a7a7db79fad92f2a4401107ef50d upstream.

    The call to pinctrl_count_index_with_args checks for a -EINVAL return however this function calls pinctrl_get_list_and_count and this can return -ENOENT. Rather than check for a specific error, fix this by checking for any error return to catch the -ENOENT case.

    Addresses-Coverity: ("Improper use of negative")
    Fixes: 003910ebc83b ("pinctrl: Introduce TI IOdelay configuration driver")
    Signed-off-by: Colin Ian King
    Link: https://lore.kernel.org/r/20190920122030.14340-1-colin.king@canonical.com
    Acked-by: Tony Lindgren
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit 6bdc0eab880100b9ebdd022df2a38082686cde9b
Author: Navid Emamdoost
Date:   Wed Oct 2 16:52:37 2019 -0500

    affs: fix a memory leak in affs_remount

    commit 450c3d4166837c496ebce03650c08800991f2150 upstream.

    In affs_remount if data is provided it is duplicated into new_opts. The allocated memory for new_opts is only released if parse_options fails. There's a bit of history behind new_options, originally there was save/replace options on the VFS layer so the 'data' passed must not change (thus strdup), this got cleaned up in later patches. But not completely. There's no reason to do the strdup in cases where the filesystem does not need to reuse the 'data' again, because strsep would modify it directly.
    Fixes: c8f33d0bec99 ("affs: kstrdup() memory handling")
    Signed-off-by: Navid Emamdoost
    [ update changelog ]
    Signed-off-by: David Sterba
    Signed-off-by: Greg Kroah-Hartman

commit 5412a6fb110de9eb8d80acf1e1dbc911dad78fa3
Author: Denis Efremov
Date:   Wed Oct 2 20:18:11 2019 +0300

    rsi: fix potential null dereference in rsi_probe()

    commit f170d44bc4ec2feae5f6206980e7ae7fbf0432a0 upstream.

    The id pointer can be NULL in rsi_probe(). It is checked everywhere except for the else branch in the idProduct condition. The patch adds NULL check before the id dereference in the rsi_dbg() call.

    Fixes: 54fdb318c111 ("rsi: add new device model for 9116")
    Cc: Amitkumar Karwar
    Cc: Siva Rebbagondla
    Cc: Kalle Valo
    Signed-off-by: Denis Efremov
    Signed-off-by: Kalle Valo
    Signed-off-by: Greg Kroah-Hartman

commit 1283ae6333ad45fe04c78d3e3f514504c7587c7d
Author: Leonard Crestez
Date:   Wed Sep 4 12:49:18 2019 +0300

    clk: imx: pll14xx: Fix quick switch of S/K parameter

    commit 094234fcf46146339caaac8282aa15d225a5911a upstream.

    The PLL14xx on imx8m can change the S and K parameter without requiring a reset and relock of the whole PLL. Fix clk_pll144xx_mp_change register reading and use it for pll1443 as well since no reset+relock is required on K changes either.

    Signed-off-by: Leonard Crestez
    Fixes: 8646d4dcc7fb ("clk: imx: Add PLLs driver for imx8mm soc")
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

commit 8fa2c2ca23579e299d4c38c0692877353c94e9d7
Author: Andy Shevchenko
Date:   Tue Sep 24 11:51:16 2019 +0300

    dmaengine: dw: platform: Mark 'hclk' clock optional

    commit f27c22736d133baff0ab3fdc7b015d998267d817 upstream.

    On some platforms the clock can be fixed rate, always running one and there is no need to do anything with it. In order to support those platforms, switch to use optional clock.
    Fixes: f8d9ddbc2851 ("dmaengine: dw: platform: Enable iDMA 32-bit on Intel Elkhart Lake")
    Depends-on: 60b8f0ddf1a9 ("clk: Add (devm_)clk_get_optional() functions")
    Signed-off-by: Andy Shevchenko
    Acked-by: Viresh Kumar
    Link: https://lore.kernel.org/r/20190924085116.83683-1-andriy.shevchenko@linux.intel.com
    Signed-off-by: Vinod Koul
    Signed-off-by: Greg Kroah-Hartman

commit 5f17dcfa6dea120a18132670df8c65016d7c9d2b
Author: Kishon Vijay Abraham I
Date:   Tue Oct 22 12:41:53 2019 +0530

    clk: Fix memory leak in clk_unregister()

    commit 8247470772beb38822f226c99a2ed8c195f6b438 upstream.

    Memory allocated in alloc_clk() for 'struct clk' and 'const char *con_id' while invoking clk_register() is never freed in clk_unregister(), resulting in kmemleak showing the following backtrace.

      backtrace:
        [<00000000546f5dd0>] kmem_cache_alloc+0x18c/0x270
        [<0000000073a32862>] alloc_clk+0x30/0x70
        [<0000000082942480>] __clk_register+0xc8/0x760
        [<000000005c859fca>] devm_clk_register+0x54/0xb0
        [<00000000868834a8>] 0xffff800008c60950
        [<00000000d5a80534>] platform_drv_probe+0x50/0xa0
        [<000000001b3889fc>] really_probe+0x108/0x348
        [<00000000953fa60a>] driver_probe_device+0x58/0x100
        [<0000000008acc17c>] device_driver_attach+0x6c/0x90
        [<0000000022813df3>] __driver_attach+0x84/0xc8
        [<00000000448d5443>] bus_for_each_dev+0x74/0xc8
        [<00000000294aa93f>] driver_attach+0x20/0x28
        [<00000000e5e52626>] bus_add_driver+0x148/0x1f0
        [<000000001de21efc>] driver_register+0x60/0x110
        [<00000000af07c068>] __platform_driver_register+0x40/0x48
        [<0000000060fa80ee>] 0xffff800008c66020

    Fix it here.
    Cc: Tomi Valkeinen
    Cc: Tero Kristo
    Signed-off-by: Kishon Vijay Abraham I
    Link: https://lkml.kernel.org/r/20191022071153.21118-1-kishon@ti.com
    Fixes: 1df4046a93e0 ("clk: Combine __clk_get() and __clk_create_clk()")
    Signed-off-by: Stephen Boyd
    Signed-off-by: Greg Kroah-Hartman

commit 27c65c1e4eed7cdb79de3c366e42548506e8f454
Author: Marian Mihailescu
Date:   Tue Oct 29 11:20:25 2019 +1030

    clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume

    commit e21be0d1d7bd7f78a77613f6bcb6965e72b22fc1 upstream.

    Save and restore top PLL related configuration registers for big (APLL) and LITTLE (KPLL) cores during suspend/resume cycle. So far, CPU clocks were reset to default values after suspend/resume cycle and performance after system resume was affected when performance governor has been selected.

    Fixes: 773424326b51 ("clk: samsung: exynos5420: add more registers to restore list")
    Signed-off-by: Marian Mihailescu
    Signed-off-by: Sylwester Nawrocki
    Signed-off-by: Greg Kroah-Hartman

commit 3e1adb4ff0a04fb709466fa7fec8d1219e735aa0
Author: Jerome Brunet
Date:   Wed Oct 2 11:15:26 2019 +0200

    clk: meson: axg-audio: fix regmap last register

    commit 255cab9d27d78703f7450d720859ee146d0ee6e1 upstream.

    Since the addition of the g12a, the last register is AUDIO_CLK_SPDIFOUT_B_CTRL.

    Fixes: 075001385c66 ("clk: meson: axg-audio: add g12a support")
    Acked-by: Neil Armstrong
    Signed-off-by: Jerome Brunet
    Signed-off-by: Greg Kroah-Hartman

commit ba556924245a063774065480b3e05ceca0ca2a7d
Author: Alexander Usyskin
Date:   Tue Oct 8 03:57:34 2019 +0300

    mei: fix modalias documentation

    commit 73668309215285366c433489de70d31362987be9 upstream.

    mei client bus added the client protocol version to the device alias, but ABI documentation was not updated.
    Fixes: b26864cad1c9 (mei: bus: add client protocol version to the device alias)
    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Link: https://lore.kernel.org/r/20191008005735.12707-1-tomas.winkler@intel.com
    Signed-off-by: Greg Kroah-Hartman

commit c2fa84aca87c12cbfc84707f2485b488e41fd252
Author: Alexandru Ardelean
Date:   Fri Nov 1 11:35:03 2019 +0200

    iio: imu: adis16480: assign bias value only if operation succeeded

    commit 9b742763d9d4195e823ae6ece760c9ed0500c1dc upstream.

    This was found only after the whole thing with the inline functions, but the compiler actually found something. The value of the `bias` (in adis16480_get_calibbias()) should only be set if the read operation was successful. No actual known problem occurs as users of this function all ultimately check the return value. Hence probably not stable material.

    Fixes: 2f3abe6cbb6c9 ("iio:imu: Add support for the ADIS16480 and similar IMUs")
    Signed-off-by: Alexandru Ardelean
    Signed-off-by: Jonathan Cameron
    Signed-off-by: Greg Kroah-Hartman

commit 62d701a130476a26c144c4a23d4fcd5b46eb5cfa
Author: Lorenzo Bianconi
Date:   Mon Oct 7 11:12:13 2019 +0200

    iio: imu: st_lsm6dsx: fix gyro gain definitions for LSM9DS1

    commit 1b3751017e09f0857bc38f9b1be08dce38f3d92c upstream.

    Fix typos in gyro gain definitions for LSM9DS1 sensor

    Fixes: 52f4b1f19679 ("iio: imu: st_lsm6dsx: add support for accel/gyro unit of lsm9ds1")
    Signed-off-by: Lorenzo Bianconi
    Signed-off-by: Jonathan Cameron
    Signed-off-by: Greg Kroah-Hartman

commit 64a549fa99cb70f3173c0eb4a0d0845ba94ed979
Author: Trond Myklebust
Date:   Wed Nov 13 09:39:36 2019 +0100

    NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn

    commit 5326de9e94bedcf7366e7e7625d4deb8c1f1ca8a upstream.

    If nfs4_delegreturn_prepare needs to wait for a layoutreturn to complete then make sure we drop the sequence slot if we hold it.
    Fixes: 1c5bd76d17cc ("pNFS: Enable layoutreturn operation for return-on-close")
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 92f31482e9fac21408e52928fcb7041ac64ddb9e
Author: Trond Myklebust
Date:   Wed Nov 13 08:34:00 2019 +0100

    NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()

    commit 5c441544f045e679afd6c3c6d9f7aaf5fa5f37b0 upstream.

    If the server returns a bad or dead session error, then we don't want to update the session slot number, but just immediately schedule recovery and allow it to proceed. We can/should then remove handling in other places

    Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted")
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit b09ed814264c1fdaa7613fe65a38934ff9580909
Author: Scott Mayhew
Date:   Tue Nov 12 14:01:55 2019 -0500

    nfsd: v4 support requires CRYPTO_SHA256

    commit a2e2f2dc77a18d2b0f450fb7fcb4871c9f697822 upstream.

    The new nfsdcld client tracking operations use sha256 to compute hashes of the kerberos principals, so make sure CRYPTO_SHA256 is enabled.

    Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
    Reported-by: Jamie Heilman
    Signed-off-by: Scott Mayhew
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

commit 0efb7388f085491b5cf17e81ff6b8ff89ac01521
Author: Scott Mayhew
Date:   Tue Nov 12 14:01:43 2019 -0500

    nfsd: Fix cld_net->cn_tfm initialization

    commit 18b9a895e652979b70f9c20565394a69354dfebc upstream.

    Don't assign an error pointer to cld_net->cn_tfm, otherwise an oops will occur in nfsd4_remove_cld_pipe(). Also, move the initialization of cld_net->cn_tfm so that it occurs after the check to see if nfsdcld is running. This is necessary because nfsd4_client_tracking_init() looks for -ETIMEDOUT to determine whether to use the "old" nfsdcld tracking ops.

    Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
    Reported-by: Jamie Heilman
    Signed-off-by: Scott Mayhew
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

commit 2455e1b8199c489b58df3710e4be4051a3692b9a
Author: Trond Myklebust
Date:   Fri Oct 4 17:01:54 2019 -0400

    NFSv2: Fix a typo in encode_sattr()

    commit ad97a995d8edff820d4238bd0dfc69f440031ae6 upstream.

    Encode the mtime correctly.

    Fixes: 95582b0083883 ("vfs: change inode times to use struct timespec64")
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 6a0336ecaa42ea3d09168930be5bc914b3d6a4ed
Author: Eric Biggers
Date:   Thu Oct 10 21:51:32 2019 -0700

    crypto: geode-aes - convert to skcipher API and make thread-safe

    commit 4549f7e5aa27ffc2cba63b5db8842a3b486f5688 upstream.

    The geode AES driver is heavily broken because it stores per-request state in the transform context. So it will crash or produce the wrong result if used by any of the many places in the kernel that issue concurrent requests for the same transform object. This driver is also implemented using the deprecated blkcipher API, which makes it difficult to fix, and puts it among the drivers preventing that API from being removed. Convert this driver to use the skcipher API, and change it to not store per-request state in the transform context.

    Fixes: 9fe757b0cfce ("[PATCH] crypto: Add support for the Geode LX AES hardware")
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit d7835f2b853bae5f6c0edf8bffc1eeff9c858e86
Author: Herbert Xu
Date:   Tue Sep 10 11:42:05 2019 +1000

    crypto: algif_skcipher - Use chunksize instead of blocksize

    commit 5b0fe9552336338acb52756daf65dd7a4eeca73f upstream.

    When algif_skcipher does a partial operation it always process data that is a multiple of blocksize. However, for algorithms such as CTR this is wrong because even though it can process any number of bytes overall, the partial block must come at the very end and not in the middle. This is exactly what chunksize is meant to describe so this patch changes blocksize to chunksize.
    Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space...")
    Signed-off-by: Herbert Xu
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit ea3506e4297276842ca39f0a987dbe757b32a41d
Author: Ard Biesheuvel
Date:   Sat Nov 9 18:09:26 2019 +0100

    crypto: virtio - implement missing support for output IVs

    commit 500e6807ce93b1fdc7d5b827c5cc167cc35630db upstream.

    In order to allow for CBC to be chained, which is something that the CTS template relies upon, implementations of CBC need to pass the IV to be used for subsequent invocations via the IV buffer. This was not implemented yet for virtio-crypto so implement it now.

    Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver")
    Cc: "Michael S. Tsirkin"
    Cc: Jason Wang
    Cc: Gonglei
    Cc: virtualization@lists.linux-foundation.org
    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 6584b2b53352f8727fb56299889a5df195ce8cf6
Author: Yunfeng Ye
Date:   Tue Oct 22 16:11:18 2019 +0800

    crypto: arm64/aes-neonbs - add return value of skcipher_walk_done() in __xts_crypt()

    commit 9b537997b669c42cec67893538037e8d1c83c91c upstream.

    A warning is found by the static code analysis tool: "Identical condition 'err', second condition is always false" Fix this by adding return value of skcipher_walk_done().

    Fixes: 67cfa5d3b721 ("crypto: arm64/aes-neonbs - implement ciphertext stealing for XTS")
    Signed-off-by: Yunfeng Ye
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit c53d875335ea53d90ea0bb13687ffe163571e74d
Author: Zhou Wang
Date:   Fri Oct 11 19:18:10 2019 +0800

    crypto: hisilicon - select NEED_SG_DMA_LENGTH in qm Kconfig

    commit b981744ef04f7e8cb6931edab50021fff3c8077e upstream.

    To avoid compile error in some platforms, select NEED_SG_DMA_LENGTH in qm Kconfig.
    Fixes: dfed0098ab91 ("crypto: hisilicon - add hardware SGL support")
    Signed-off-by: Zhou Wang
    Reported-by: kbuild test robot
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 54f49fba82f8eb6283c8ef61e44f926c2b97a1c4
Author: Phani Kiran Hemadri
Date:   Fri Sep 20 06:35:19 2019 +0000

    crypto: cavium/nitrox - fix firmware assignment to AE cores

    commit 6a97a99db848748d582d79447f7c9c330ce1688e upstream.

    This patch fixes assigning UCD block number of Asymmetric crypto firmware to AE cores of CNN55XX device.

    Fixes: a7268c4d4205 ("crypto: cavium/nitrox - Add support for loading asymmetric crypto firmware")
    Signed-off-by: Phani Kiran Hemadri
    Reviewed-by: Srikanth Jampala
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 7d261f5fda6744149b5c473a976ced381d2bbbbe
Author: Can Guo
Date:   Tue Dec 3 06:58:40 2019 +0000

    scsi: ufs: Give an unique ID to each ufs-bsg

    commit 8c850a0296004409e7bcb9464712fb2807da656a upstream.

    Considering there can be multiple UFS hosts in SoC, give each ufs-bsg an unique ID by appending the scsi host number to its device name.

    Link: https://lore.kernel.org/r/0101016eca8dc9d7-d24468d3-04d2-4ef3-a906-abe8b8cbcd3d-000000@us-west-2.amazonses.com
    Fixes: df032bf27a41 ("scsi: ufs: Add a bsg endpoint that supports UPIUs")
    Signed-off-by: Can Guo
    Reviewed-by: Avri Altman
    Reviewed-by: Christoph Hellwig
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit 2ed4cb6457ad13e5fb03323ee36e7dabb42f0475
Author: Diego Calleja
Date:   Tue Nov 26 14:00:31 2019 +0200

    dm: add dm-clone to the documentation index

    commit 484e0d2b11e1fdd0d17702b282eb2ed56148385f upstream.
    Fixes: 7431b7835f554 ("dm: add clone target")
    Signed-off-by: Diego Calleja
    Signed-off-by: Nikos Tsironis
    Signed-off-by: Mike Snitzer
    Signed-off-by: Greg Kroah-Hartman

commit 2652314c833847a4e3432a5634b61c3462f07fc0
Author: Chuck Lever
Date:   Fri Jan 3 11:52:22 2020 -0500

    xprtrdma: Fix oops in Receive handler after device removal

    commit 671c450b6fe0680ea1cb1cf1526d764fdd5a3d3f upstream.

    Since v5.4, a device removal occasionally triggered this oops:

    Dec 2 17:13:53 manet kernel: BUG: unable to handle page fault for address: 0000000c00000219
    Dec 2 17:13:53 manet kernel: #PF: supervisor read access in kernel mode
    Dec 2 17:13:53 manet kernel: #PF: error_code(0x0000) - not-present page
    Dec 2 17:13:53 manet kernel: PGD 0 P4D 0
    Dec 2 17:13:53 manet kernel: Oops: 0000 [#1] SMP
    Dec 2 17:13:53 manet kernel: CPU: 2 PID: 468 Comm: kworker/2:1H Tainted: G W 5.4.0-00050-g53717e43af61 #883
    Dec 2 17:13:53 manet kernel: Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015
    Dec 2 17:13:53 manet kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core]
    Dec 2 17:13:53 manet kernel: RIP: 0010:rpcrdma_wc_receive+0x7c/0xf6 [rpcrdma]
    Dec 2 17:13:53 manet kernel: Code: 6d 8b 43 14 89 c1 89 45 78 48 89 4d 40 8b 43 2c 89 45 14 8b 43 20 89 45 18 48 8b 45 20 8b 53 14 48 8b 30 48 8b 40 10 48 8b 38 <48> 8b 87 18 02 00 00 48 85 c0 75 18 48 8b 05 1e 24 c4 e1 48 85 c0
    Dec 2 17:13:53 manet kernel: RSP: 0018:ffffc900035dfe00 EFLAGS: 00010246
    Dec 2 17:13:53 manet kernel: RAX: ffff888467290000 RBX: ffff88846c638400 RCX: 0000000000000048
    Dec 2 17:13:53 manet kernel: RDX: 0000000000000048 RSI: 00000000f942e000 RDI: 0000000c00000001
    Dec 2 17:13:53 manet kernel: RBP: ffff888467611b00 R08: ffff888464e4a3c4 R09: 0000000000000000
    Dec 2 17:13:53 manet kernel: R10: ffffc900035dfc88 R11: fefefefefefefeff R12: ffff888865af4428
    Dec 2 17:13:53 manet kernel: R13: ffff888466023000 R14: ffff88846c63f000 R15: 0000000000000010
    Dec 2 17:13:53 manet kernel: FS: 0000000000000000(0000) GS:ffff88846fa80000(0000) knlGS:0000000000000000
    Dec 2 17:13:53 manet kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Dec 2 17:13:53 manet kernel: CR2: 0000000c00000219 CR3: 0000000002009002 CR4: 00000000001606e0
    Dec 2 17:13:53 manet kernel: Call Trace:
    Dec 2 17:13:53 manet kernel: __ib_process_cq+0x5c/0x14e [ib_core]
    Dec 2 17:13:53 manet kernel: ib_cq_poll_work+0x26/0x70 [ib_core]
    Dec 2 17:13:53 manet kernel: process_one_work+0x19d/0x2cd
    Dec 2 17:13:53 manet kernel: ? cancel_delayed_work_sync+0xf/0xf
    Dec 2 17:13:53 manet kernel: worker_thread+0x1a6/0x25a
    Dec 2 17:13:53 manet kernel: ? cancel_delayed_work_sync+0xf/0xf
    Dec 2 17:13:53 manet kernel: kthread+0xf4/0xf9
    Dec 2 17:13:53 manet kernel: ? kthread_queue_delayed_work+0x74/0x74
    Dec 2 17:13:53 manet kernel: ret_from_fork+0x24/0x30

    The proximal cause is that this rpcrdma_rep has a rr_rdmabuf that is still pointing to the old ib_device, which has been freed. The only way that is possible is if this rpcrdma_rep was not destroyed by rpcrdma_ia_remove. Debugging showed that was indeed the case: this rpcrdma_rep was still in use by a completing RPC at the time of the device removal, and thus wasn't on the rep free list. So, it was not found by rpcrdma_reps_destroy(). The fix is to introduce a list of all rpcrdma_reps so that they all can be found when a device is removed. That list is used to perform only regbuf DMA unmapping, replacing that call to rpcrdma_reps_destroy(). Meanwhile, to prevent corruption of this list, I've moved the destruction of temp rpcrdma_rep objects to rpcrdma_post_recvs(). rpcrdma_xprt_drain() ensures that post_recvs (and thus rep_destroy) is not invoked while rpcrdma_reps_unmap is walking rb_all_reps, thus protecting the rb_all_reps list.
    Fixes: b0b227f071a0 ("xprtrdma: Use an llist to manage free rpcrdma_reps")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit 77ee2b2a24757f7044732d4e16aa8539a89867cd
Author: Chuck Lever
Date:   Fri Jan 3 11:52:17 2020 -0500

    xprtrdma: Fix completion wait during device removal

    commit 13cb886c591f341a8759f175292ddf978ef903a1 upstream.

    I've found that on occasion, "rmmod " will hang while if an NFS is under load. Ensure that ri_remove_done is initialized only just before the transport is woken up to force a close. This avoids the completion possibly getting initialized again while the CM event handler is waiting for a wake-up.

    Fixes: bebd031866ca ("xprtrdma: Support unplugging an HCA from under an NFS mount")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit ce8980a6337507c18e33ad0062039f99cc95880b
Author: Chuck Lever
Date:   Fri Jan 3 11:52:12 2020 -0500

    xprtrdma: Fix create_qp crash on device unload

    commit b32b9ed493f938e191f790a0991d20b18b38c35b upstream.
    On device re-insertion, the RDMA device driver crashes trying to set up a new QP:

    Nov 27 16:32:06 manet kernel: BUG: kernel NULL pointer dereference, address: 00000000000001c0
    Nov 27 16:32:06 manet kernel: #PF: supervisor write access in kernel mode
    Nov 27 16:32:06 manet kernel: #PF: error_code(0x0002) - not-present page
    Nov 27 16:32:06 manet kernel: PGD 0 P4D 0
    Nov 27 16:32:06 manet kernel: Oops: 0002 [#1] SMP
    Nov 27 16:32:06 manet kernel: CPU: 1 PID: 345 Comm: kworker/u28:0 Tainted: G W 5.4.0 #852
    Nov 27 16:32:06 manet kernel: Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015
    Nov 27 16:32:06 manet kernel: Workqueue: xprtiod xprt_rdma_connect_worker [rpcrdma]
    Nov 27 16:32:06 manet kernel: RIP: 0010:atomic_try_cmpxchg+0x2/0x12
    Nov 27 16:32:06 manet kernel: Code: ff ff 48 8b 04 24 5a c3 c6 07 00 0f 1f 40 00 c3 31 c0 48 81 ff 08 09 68 81 72 0c 31 c0 48 81 ff 83 0c 68 81 0f 92 c0 c3 8b 06 0f b1 17 0f 94 c2 84 d2 75 02 89 06 88 d0 c3 53 ba 01 00 00 00
    Nov 27 16:32:06 manet kernel: RSP: 0018:ffffc900035abbf0 EFLAGS: 00010046
    Nov 27 16:32:06 manet kernel: RAX: 0000000000000000 RBX: 00000000000001c0 RCX: 0000000000000000
    Nov 27 16:32:06 manet kernel: RDX: 0000000000000001 RSI: ffffc900035abbfc RDI: 00000000000001c0
    Nov 27 16:32:06 manet kernel: RBP: ffffc900035abde0 R08: 000000000000000e R09: ffffffffffffc000
    Nov 27 16:32:06 manet kernel: R10: 0000000000000000 R11: 000000000002e800 R12: ffff88886169d9f8
    Nov 27 16:32:06 manet kernel: R13: ffff88886169d9f4 R14: 0000000000000246 R15: 0000000000000000
    Nov 27 16:32:06 manet kernel: FS: 0000000000000000(0000) GS:ffff88846fa40000(0000) knlGS:0000000000000000
    Nov 27 16:32:06 manet kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Nov 27 16:32:06 manet kernel: CR2: 00000000000001c0 CR3: 0000000002009006 CR4: 00000000001606e0
    Nov 27 16:32:06 manet kernel: Call Trace:
    Nov 27 16:32:06 manet kernel: do_raw_spin_lock+0x2f/0x5a
    Nov 27 16:32:06 manet kernel: create_qp_common.isra.47+0x856/0xadf [mlx4_ib]
    Nov 27 16:32:06 manet kernel: ? slab_post_alloc_hook.isra.60+0xa/0x1a
    Nov 27 16:32:06 manet kernel: ? __kmalloc+0x125/0x139
    Nov 27 16:32:06 manet kernel: mlx4_ib_create_qp+0x57f/0x972 [mlx4_ib]

    The fix is to copy the qp_init_attr struct that was just created by rpcrdma_ep_create() instead of using the one from the previous connection instance.

    Fixes: 98ef77d1aaa7 ("xprtrdma: Send Queue size grows after a reconnect")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit b925bcc7942a7b109e96ac359e80aad123912a74
Author: Vadim Pasternak
Date:   Mon Jan 13 16:28:31 2020 +0000

    Documentation/ABI: Add missed attribute for mlxreg-io sysfs interfaces

    commit f3efc406d67e6236b513c4302133b0c9be74fd99 upstream.

    Add missed "cpld4_version" attribute.

    Fixes: 52675da1d087 ("Documentation/ABI: Add new attribute for mlxreg-io sysfs interfaces")
    Signed-off-by: Vadim Pasternak
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Greg Kroah-Hartman

commit 8c20e03dc9c246a1117b2694b59ce798f17bf2aa
Author: Vadim Pasternak
Date:   Mon Jan 13 16:28:30 2020 +0000

    Documentation/ABI: Fix documentation inconsistency for mlxreg-io sysfs interfaces

    commit f4094826779dcafe7087e80850513b923eeefdeb upstream.

    Fix attribute name from "jtag_enable", which described twice to "cpld3_version", which is expected to be instead of second appearance of "jtag_enable".

    Fixes: 2752e34442b5 ("Documentation/ABI: Add new attribute for mlxreg-io sysfs interfaces")
    Signed-off-by: Vadim Pasternak
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Greg Kroah-Hartman

commit ff60c02a97ae93a0da18c2ef904a993311bd491f
Author: Mike Rapoport
Date:   Mon Dec 23 13:00:03 2019 +0200

    asm-generic/nds32: don't redefine cacheflush primitives

    commit 4f0bd808134d73184054ad09173821c84f31dd5d upstream.
    The commit c296d4dc13ae ("asm-generic: fix a compilation warning") changed asm-generic/cachflush.h to use static inlines instead of macros and as a result the nds32 build with CONFIG_CPU_CACHE_ALIASING=n fails:

      CC init/main.o
      In file included from arch/nds32/include/asm/cacheflush.h:43,
                       from include/linux/highmem.h:12,
                       from include/linux/pagemap.h:11,
                       from include/linux/blkdev.h:16,
                       from include/linux/blk-cgroup.h:23,
                       from include/linux/writeback.h:14,
                       from init/main.c:44:
      include/asm-generic/cacheflush.h:50:20: error: static declaration of 'flush_icache_range' follows non-static declaration
       static inline void flush_icache_range(unsigned long start, unsigned long end)
                          ^~~~~~~~~~~~~~~~~~
      In file included from include/linux/highmem.h:12,
                       from include/linux/pagemap.h:11,
                       from include/linux/blkdev.h:16,
                       from include/linux/blk-cgroup.h:23,
                       from include/linux/writeback.h:14,
                       from init/main.c:44:
      arch/nds32/include/asm/cacheflush.h:11:6: note: previous declaration of 'flush_icache_range' was here
       void flush_icache_range(unsigned long start, unsigned long end);
            ^~~~~~~~~~~~~~~~~~

    Surround the inline functions in asm-generic/cacheflush.h by ifdef's so that architectures could override them and add the required overrides to nds32.

    Fixes: c296d4dc13ae ("asm-generic: fix a compilation warning")
    Link: https://lore.kernel.org/lkml/201912212139.yptX8CsV%25lkp@intel.com/
    Reported-by: kbuild test robot
    Signed-off-by: Mike Rapoport
    Reviewed-by: Greentime Hu
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Greg Kroah-Hartman

commit 3d11eaab07308027db94dfad256d77d6dad13d8f
Author: Hans de Goede
Date:   Mon Jan 6 15:42:18 2020 +0100

    platform/x86: GPD pocket fan: Use default values when wrong modparams are given

    commit 6ae01050e49f0080ae30575d9b45a6d4a3d7ee23 upstream.

    Use our default values when wrong module-parameters are given, instead of refusing to load. Refusing to load leaves the fan at the BIOS default setting, which is "Off".
    The CPU's thermal throttling should protect the system from damage, but not-loading is really not the best fallback in this case. This commit fixes this by re-setting module-parameter values to their defaults if they are out of range, instead of failing the probe with -EINVAL.

    Cc: stable@vger.kernel.org
    Cc: Jason Anderson
    Reported-by: Jason Anderson
    Fixes: 594ce6db326e ("platform/x86: GPD pocket fan: Use a min-speed of 2 while charging")
    Signed-off-by: Hans de Goede
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Greg Kroah-Hartman

commit 3e4008fbdf93fae25dd025a157b7126e3639acc7
Author: Jian-Hong Pan
Date:   Mon Dec 30 16:30:45 2019 +0800

    platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0

    commit 176a7fca81c5090a7240664e3002c106d296bf31 upstream.

    Some of ASUS laptops like UX431FL keyboard backlight cannot be set to brightness 0. According to ASUS' information, the brightness should be 0x80 ~ 0x83. This patch fixes it by following the logic.

    Fixes: e9809c0b9670 ("asus-wmi: add keyboard backlight support")
    Signed-off-by: Jian-Hong Pan
    Reviewed-by: Daniel Drake
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Greg Kroah-Hartman

commit c79fff3feb7851e1ce735b0826b03200f7b9ace3
Author: Liming Sun
Date:   Fri Dec 20 12:04:33 2019 -0500

    platform/mellanox: fix potential deadlock in the tmfifo driver

    commit 638bc4ca3d28c25986cce4cbad69d9b8abf1e434 upstream.

    This commit fixes the potential deadlock caused by the console Rx and Tx processing at the same time. Rx and Tx both take the console and tmfifo spinlock but in different order which causes potential deadlock. The fix is to use different tmfifo spinlock for Rx and Tx since they protect different resources and it's safe to split the lock. Below is the reported call trace when copying/pasting large string in the console.
    Rx:
        _raw_spin_lock_irqsave (hvc lock)
        __hvc_poll
        hvc_poll
        in_intr
        vring_interrupt
        mlxbf_tmfifo_rxtx_one_desc (tmfifo lock)
        mlxbf_tmfifo_rxtx
        mlxbf_tmfifo_work_rxtx

    Tx:
        _raw_spin_lock_irqsave (tmfifo lock)
        mlxbf_tmfifo_virtio_notify
        virtqueue_notify
        virtqueue_kick
        put_chars
        hvc_push
        hvc_write (hvc lock)
        ...
        do_tty_write
        tty_write

    Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc")
    Cc: # 5.4+
    Reviewed-by: David Woods
    Signed-off-by: Liming Sun
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Greg Kroah-Hartman

commit 63154ee1cd53cc7e392febf2f39d801efc369059
Author: Xiang Chen
Date:   Thu Jan 9 09:12:24 2020 +0800

    scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI

    commit 465f4edaecc6c37f81349233e84d46246bcac11a upstream.

    If an attached disk with protection information enabled is reformatted to Type 0 the revalidation code does not clear the original protection type and subsequent accesses will keep setting RDPROTECT/WRPROTECT. Set the protection type to 0 if the disk reports PROT_EN=0 in READ CAPACITY(16).

    [mkp: commit desc]

    Fixes: fe542396da73 ("[SCSI] sd: Ensure we correctly disable devices with unknown protection type")
    Link: https://lore.kernel.org/r/1578532344-101668-1-git-send-email-chenxiang66@hisilicon.com
    Signed-off-by: Xiang Chen
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit a89ab722c79e119ce590f8ce41043d4128d93cf6
Author: James Bottomley
Date:   Wed Jan 8 17:21:32 2020 -0800

    scsi: enclosure: Fix stale device oops with hot replug

    commit 529244bd1afc102ab164429d338d310d5d65e60d upstream.

    Doing an add/remove/add on a SCSI device in an enclosure leads to an oops caused by poisoned values in the enclosure device list pointers. The reason is because we are keeping the enclosure device across the enclosed device add/remove/add but the current code is doing a device_add/device_del/device_add on it.
    This is the wrong thing to do in sysfs, so fix it by not doing a device_del on the enclosure device simply because of a hot remove of the drive in the slot.

    [mkp: added missing email addresses]

    Fixes: 43d8eb9cfd0a ("[SCSI] ses: add support for enclosure component hot removal")
    Link: https://lore.kernel.org/r/1578532892.3852.10.camel@HansenPartnership.com
    Signed-off-by: James Bottomley
    Reported-by: Luo Jiaxing
    Tested-by: John Garry
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit 756f4d2ee8a5ad35b842227e7a269a8ad6128981
Author: David Howells
Date:   Tue Jan 14 16:06:14 2020 +0000

    keys: Fix request_key() cache

    commit 8379bb84be757d5df2d818509faec5d66adb861d upstream.

    When the key cached by request_key() and co. is cleaned up on exit(), the code looks in the wrong task_struct, and so clears the wrong cache. This leads to anomalies in key refcounting when doing, say, a kernel build on an afs volume, that then trigger kasan to report a use-after-free when the key is viewed in /proc/keys.

    Fix this by making exit_creds() look in the passed-in task_struct rather than in current (the task_struct cleanup code is deferred by RCU and potentially run in another task).

    Fixes: 7743c48e54ee ("keys: Cache result of request_key*() temporarily in task_struct")
    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 6410050a09e84dd5bbe7624d6541769e5b92a78d
Author: David Howells
Date:   Tue Jan 14 16:16:54 2020 +0000

    afs: Fix afs_lookup() to not clobber the version on a new dentry

    commit f52b83b0b1c40ada38df917973ab719a4a753951 upstream.

    Fix afs_lookup() to not clobber the version set on a new dentry by afs_do_lookup() - especially as it's using the wrong version of the version (we need to use the one given to us by whatever op the dir contents correspond to rather than what's in the afs_vnode).

    Fixes: 9dd0b82ef530 ("afs: Fix missing dentry data version updating")
    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 6f262298328f1d13e7563586b41f1f6dcba5072f
Author: David Howells
Date:   Tue Jan 14 16:16:25 2020 +0000

    afs: Fix use-after-loss-of-ref

    commit 40a708bd622b78582ae3d280de29b09b50bd04c0 upstream.

    afs_lookup() has a tracepoint to indicate the outcome of d_splice_alias(), passing it the inode to retrieve the fid from. However, the function gave up its ref on that inode when it called d_splice_alias(), which may have failed and dropped the inode.

    Fix this by caching the fid.

    Fixes: 80548b03991f ("afs: Add more tracepoints")
    Reported-by: Al Viro
    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 01a107542bc3dca213bd59b20a7e8daa9751fde2
Author: Andrii Nakryiko
Date:   Wed Nov 27 12:01:34 2019 -0800

    libbpf: Fix Makefile' libbpf symbol mismatch diagnostic

    commit b568405856906ee4d9ba6284fd36f2928653a623 upstream.

    Fix Makefile's diagnostic diff output when there is LIBBPF_API-versioned symbols mismatch.

    Fixes: 1bd63524593b ("libbpf: handle symbol versioning properly for libbpf.a")
    Signed-off-by: Andrii Nakryiko
    Signed-off-by: Daniel Borkmann
    Acked-by: Yonghong Song
    Link: https://lore.kernel.org/bpf/20191127200134.1360660-1-andriin@fb.com
    Signed-off-by: Greg Kroah-Hartman

commit c8b4a8e3b6fc23cc39bba94c4f7a535208e07ef5
Author: Stanislav Fomichev
Date:   Wed Nov 27 08:14:10 2019 -0800

    bpf: Support pre-2.25-binutils objcopy for vmlinux BTF

    commit da5fb18225b49b97bb37c51bcbbb2990a507c364 upstream.

    If vmlinux BTF generation fails, but CONFIG_DEBUG_INFO_BTF is set, .BTF section of vmlinux is empty and kernel will prohibit BPF loading and return "in-kernel BTF is malformed".

    --dump-section argument to binutils' objcopy was added in version 2.25. When using pre-2.25 binutils, BTF generation silently fails. Convert to --only-section which is present on pre-2.25 binutils.
    Documentation/process/changes.rst states that binutils 2.21+ is supported, not sure those standards apply to BPF subsystem.

    v2:
    * exit and print an error if gen_btf fails (John Fastabend)

    v3:
    * resend with Andrii's Acked-by/Tested-by tags

    Fixes: 341dfcf8d78ea ("btf: expose BTF info through sysfs")
    Signed-off-by: Stanislav Fomichev
    Signed-off-by: Alexei Starovoitov
    Tested-by: Andrii Nakryiko
    Acked-by: Andrii Nakryiko
    Cc: John Fastabend
    Link: https://lore.kernel.org/bpf/20191127161410.57327-1-sdf@google.com
    Signed-off-by: Greg Kroah-Hartman

commit 6d7c51075ffeb506df6f7a256a3a5f7a2290538a
Author: John Fastabend
Date:   Thu Nov 21 08:25:09 2019 -0800

    bpf: skmsg, fix potential psock NULL pointer dereference

    commit 8163999db445021f2651a8a47b5632483e8722ea upstream.

    Report from Dan Carpenter,

     net/core/skmsg.c:792 sk_psock_write_space()
     error: we previously assumed 'psock' could be null (see line 790)

     net/core/skmsg.c
    789  psock = sk_psock(sk);
    790  if (likely(psock && sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)))
         Check for NULL
    791          schedule_work(&psock->work);
    792  write_space = psock->saved_write_space;
                       ^^^^^^^^^^^^^^^^^^^^^^^^
    793  rcu_read_unlock();
    794  write_space(sk);

    Ensure psock dereference on line 792 only occurs if psock is not null.

    Reported-by: Dan Carpenter
    Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
    Signed-off-by: John Fastabend
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 600e9099642bb7584410b1f45eab8371f4c66bc7
Author: Daniel Borkmann
Date:   Sat Nov 2 00:17:58 2019 +0100

    bpf: Make use of probe_user_write in probe write helper

    commit eb1b66887472eaa7342305b7890ae510dd9d1a79 upstream.

    Convert the bpf_probe_write_user() helper to probe_user_write() such that writes are not attempted under KERNEL_DS anymore which is buggy as kernel and user space pointers can have overlapping addresses. Also, given we have the access_ok() check inside probe_user_write(), the helper doesn't need to do it twice.

    Fixes: 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers")
    Signed-off-by: Daniel Borkmann
    Signed-off-by: Alexei Starovoitov
    Acked-by: Andrii Nakryiko
    Link: https://lore.kernel.org/bpf/841c461781874c07a0ee404a454c3bc0459eed30.1572649915.git.daniel@iogearbox.net
    Signed-off-by: Greg Kroah-Hartman

commit e5194ee4bf62f4187c64e8c5755d53066c8851f5
Author: Daniel Borkmann
Date:   Sat Nov 2 00:17:56 2019 +0100

    uaccess: Add non-pagefault user-space write function

    commit 1d1585ca0f48fe7ed95c3571f3e4a82b2b5045dc upstream.

    Commit 3d7081822f7f ("uaccess: Add non-pagefault user-space read functions") missed to add probe write function, therefore factor out a probe_write_common() helper with most logic of probe_kernel_write() except setting KERNEL_DS, and add a new probe_user_write() helper so it can be used from BPF side.

    Again, on some archs, the user address space and kernel address space can co-exist and be overlapping, so in such case, setting KERNEL_DS would mean that the given address is treated as being in kernel address space.

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Alexei Starovoitov
    Acked-by: Andrii Nakryiko
    Cc: Masami Hiramatsu
    Link: https://lore.kernel.org/bpf/9df2542e68141bfa3addde631441ee45503856a8.1572649915.git.daniel@iogearbox.net
    Signed-off-by: Greg Kroah-Hartman

commit 8efa2de5fb5bf881e176d0af0f863902b1b2189b
Author: Bart Van Assche
Date:   Tue Nov 5 13:46:32 2019 -0800

    RDMA/srpt: Report the SCSI residual to the initiator

    commit e88982ad1bb12db699de96fbc07096359ef6176c upstream.

    The code added by this patch is similar to the code that already exists in ibmvscsis_determine_resid().
    This patch has been tested by running the following command:

        strace sg_raw -r 1k /dev/sdb 12 00 00 00 60 00 -o inquiry.bin |& grep resid=

    Link: https://lore.kernel.org/r/20191105214632.183302-1-bvanassche@acm.org
    Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
    Signed-off-by: Bart Van Assche
    Acked-by: Honggang Li
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit d73bd8a7bc95af625bda37749c4fe4523f817996
Author: Leon Romanovsky
Date:   Tue Oct 29 07:57:21 2019 +0200

    RDMA/mlx5: Return proper error value

    commit 546d30099ed204792083f043cd7e016de86016a3 upstream.

    Returned value from mlx5_mr_cache_alloc() is checked to be error or real pointer. Return proper error code instead of NULL which is not checked later.

    Fixes: 81713d3788d2 ("IB/mlx5: Add implicit MR support")
    Link: https://lore.kernel.org/r/20191029055721.7192-1-leon@kernel.org
    Signed-off-by: Leon Romanovsky
    Reviewed-by: Jason Gunthorpe
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit 1b96c468f18830821a99724ac44e8a0a59c37b7d
Author: Jason Gunthorpe
Date:   Thu Oct 24 13:51:03 2019 +0000

    rdma: Remove nes ABI header

    commit 949b452f9cfef17e78055239f978d95ba729eee1 upstream.

    This was missed when nes was removed.

    Fixes: 2d3c72ed5041 ("rdma: Remove nes")
    Link: https://lore.kernel.org/r/20191024135059.GA20084@ziepe.ca
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit 86933e7e62aeb835fc53339ee26f5d1fffc04dee
Author: Yangyang Li
Date:   Thu Oct 24 17:21:57 2019 +0800

    RDMA/hns: Bugfix for qpc/cqc timer configuration

    commit 887803db866a7a4e1817a3cb8a3eee4e9879fed2 upstream.

    qpc/cqc timer entry size needs one page, but currently they are fixedly configured to 4096, which is not appropriate in 64K page scenarios. So they should be modified to PAGE_SIZE.

    Fixes: 0e40dc2f70cd ("RDMA/hns: Add timer allocation support for hip08")
    Link: https://lore.kernel.org/r/1571908917-16220-3-git-send-email-liweihang@hisilicon.com
    Signed-off-by: Yangyang Li
    Signed-off-by: Weihang Li
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit fe714eaf4221b4c86ed460af3b83ed71cc0bf067
Author: Lijun Ou
Date:   Thu Oct 24 17:21:56 2019 +0800

    RDMA/hns: Fix to support 64K page for srq

    commit 5c7e76fb7cb5071be800c938ebf2c475e140d3f0 upstream.

    SRQ's page size configuration of BA and buffer should depend on current PAGE_SHIFT, or it can't work in scenario of 64K page.

    Fixes: c7bcb13442e1 ("RDMA/hns: Add SRQ support for hip08 kernel mode")
    Link: https://lore.kernel.org/r/1571908917-16220-2-git-send-email-liweihang@hisilicon.com
    Signed-off-by: Lijun Ou
    Signed-off-by: Weihang Li
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit 3791c5982ba1eebf2900ee7ca7b9a89619c26d54
Author: Chuck Lever
Date:   Wed Oct 9 13:07:38 2019 -0400

    xprtrdma: Close window between waking RPC senders and posting Receives

    commit 2ae50ad68cd79224198b525f7bd645c9da98b6ff upstream.

    A recent clean up attempted to separate Receive handling and RPC Reply processing, in the name of clean layering.

    Unfortunately, we can't do this because the Receive Queue has to be refilled _after_ the most recent credit update from the responder is parsed from the transport header, but _before_ we wake up the next RPC sender. That is right in the middle of rpcrdma_reply_handler().

    Usually this isn't a problem because current responder implementations don't vary their credit grant. The one exception is when a connection is established: the grant goes from one to a much larger number on the first Receive. The requester MUST post enough Receives right then so that any outstanding requests can be sent without risking RNR and connection loss.

    Fixes: 6ceea36890a0 ("xprtrdma: Refactor Receive accounting")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit f69a06529dcb6cf0a1af8646fcf1d78fa363ecf8
Author: Chuck Lever
Date:   Wed Oct 9 13:07:43 2019 -0400

    xprtrdma: Fix MR list handling

    commit c3700780a096fc66467c81076ddf7f3f11d639b5 upstream.

    Close some holes introduced by commit 6dc6ec9e04c4 ("xprtrdma: Cache free MRs in each rpcrdma_req") that could result in list corruption.

    In addition, the result that is tabulated in @count is no longer used, so @count is removed.

    Fixes: 6dc6ec9e04c4 ("xprtrdma: Cache free MRs in each rpcrdma_req")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit b2b36f91af22955cccbdc04a3bd3f59a8aeb8e0d
Author: Chuck Lever
Date:   Wed Oct 9 13:07:27 2019 -0400

    xprtrdma: Connection becomes unstable after a reconnect

    commit a31b2f939219dd9bffdf01a45bd91f209f8cc369 upstream.

    This is because xprt_request_get_cong() is allowing more than one RPC Call to be transmitted before the first Receive on the new connection. The first Receive fills the Receive Queue based on the server's credit grant. Before that Receive, there is only a single Receive WR posted because the client doesn't know the server's credit grant.

    Solution is to clear rq_cong on all outstanding rpc_rqsts when the cwnd is reset. This is because an RPC/RDMA credit is good for one connection instance only.

    Fixes: 75891f502f5f ("SUNRPC: Support for congestion control ... ")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit ee978cecd88ede5aed5bb274ccc43bbd162ea39e
Author: Chuck Lever
Date:   Wed Oct 9 13:07:21 2019 -0400

    xprtrdma: Add unique trace points for posting Local Invalidate WRs

    commit 4b93dab36f28e673725e5e6123ebfccf7697f96a upstream.

    When adding frwr_unmap_async way back when, I re-used the existing trace_xprtrdma_post_send() trace point to record the return code of ib_post_send.
    Unfortunately there are some cases where re-using that trace point causes a crash. Instead, construct a trace point specific to posting Local Invalidate WRs that will always be safe to use in that context, and will act as a trace log eye-catcher for Local Invalidation.

    Fixes: 847568942f93 ("xprtrdma: Remove fr_state")
    Fixes: d8099feda483 ("xprtrdma: Reduce context switching due ... ")
    Signed-off-by: Chuck Lever
    Tested-by: Bill Baker
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit c249fb6c17e2bec34722fe53222eb5e1fa4946c0
Author: Yangyang Li
Date:   Wed Oct 9 09:21:50 2019 +0800

    RDMA/hns: Release qp resources when failed to destroy qp

    commit d302c6e3a6895608a5856bc708c47bda1770b24d upstream.

    Even if no response from hardware, we should make sure that qp related resources are released to avoid memory leaks.

    Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
    Signed-off-by: Yangyang Li
    Signed-off-by: Weihang Li
    Link: https://lore.kernel.org/r/1570584110-3659-1-git-send-email-liweihang@hisilicon.com
    Signed-off-by: Doug Ledford
    Signed-off-by: Greg Kroah-Hartman

commit 89d316d80870f6a524af297d6de52641766f809b
Author: Arnd Bergmann
Date:   Mon Oct 7 23:18:08 2019 +0200

    RDMA/hns: Fix build error again

    commit d5b60e26e86a463ca83bb5ec502dda6ea685159e upstream.

    This is not the first attempt to fix building random configurations, unfortunately the attempt in commit a07fc0bb483e ("RDMA/hns: Fix build error") caused a new problem when CONFIG_INFINIBAND_HNS_HIP06=m and CONFIG_INFINIBAND_HNS_HIP08=y:

    drivers/infiniband/hw/hns/hns_roce_main.o:(.rodata+0xe60): undefined reference to `__this_module'

    Revert commits a07fc0bb483e ("RDMA/hns: Fix build error") and a3e2d4c7e766 ("RDMA/hns: remove obsolete Kconfig comment") to get back to the previous state, then fix the issues described there differently, by adding more specific dependencies: INFINIBAND_HNS can now only be built-in if at least one of HNS or HNS3 are built-in, and the individual back-ends are only available if that code is reachable from the main driver.

    Fixes: a07fc0bb483e ("RDMA/hns: Fix build error")
    Fixes: a3e2d4c7e766 ("RDMA/hns: remove obsolete Kconfig comment")
    Fixes: dd74282df573 ("RDMA/hns: Initialize the PCI device for hip08 RoCE")
    Fixes: 08805fdbeb2d ("RDMA/hns: Split hw v1 driver from hns roce driver")
    Link: https://lore.kernel.org/r/20191007211826.3361202-1-arnd@arndb.de
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit 219e92c25299a4de4df300dbb10da370fc9a323e
Author: Bart Van Assche
Date:   Mon Sep 30 16:16:56 2019 -0700

    RDMA/siw: Fix port number endianness in a debug message

    commit 050dbddf249eee3e936b5734c30b2e1b427efdc3 upstream.

    sin_port and sin6_port are big endian member variables. Convert these port numbers into CPU endianness before printing.

    Link: https://lore.kernel.org/r/20190930231707.48259-5-bvanassche@acm.org
    Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
    Signed-off-by: Bart Van Assche
    Reviewed-by: Bernard Metzler
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit 0e990da9bd4435d3f99d6a5df9faa641ac40def9
Author: Mark Zhang
Date:   Mon Sep 16 10:11:52 2019 +0300

    RDMA/counter: Prevent QP counter manual binding in auto mode

    commit 663912a6378a34fd4f43b8d873f0c6c6322d9d0e upstream.

    If auto mode is configured, manual counter allocation and QP bind is not allowed.

    Fixes: 1bd8e0a9d0fd ("RDMA/counter: Allow manual mode configuration support")
    Link: https://lore.kernel.org/r/20190916071154.20383-3-leon@kernel.org
    Signed-off-by: Mark Zhang
    Signed-off-by: Leon Romanovsky
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

commit 8328cd6845bbb2076df1fcba945b64f066e041ad
Author: Lang Cheng
Date:   Wed Sep 4 11:14:44 2019 +0800

    RDMA/hns: Modify return value of restrack functions

    commit cfd82da4e741c16d71a12123bf0cb585af2b8796 upstream.

    The restrack function return EINVAL instead of EMSGSIZE when the driver operation fails.

    Fixes: 4b42d05d0b2c ("RDMA/hns: Remove unnecessary kzalloc")
    Signed-off-by: Lang Cheng
    Signed-off-by: Weihang Li
    Link: https://lore.kernel.org/r/1567566885-23088-5-git-send-email-liweihang@hisilicon.com
    Signed-off-by: Doug Ledford
    Signed-off-by: Greg Kroah-Hartman

commit 638148bb72acf541bac5e805de10af23faf531fa
Author: Weihang Li
Date:   Wed Sep 4 11:14:41 2019 +0800

    RDMA/hns: remove a redundant le16_to_cpu

    commit 9f7d7064009c37cb26eee4a83302cf077fe180d6 upstream.

    Type of ah->av.vlan is u16, there will be a problem using le16_to_cpu on it.

    Fixes: 82e620d9c3a0 ("RDMA/hns: Modify the data structure of hns_roce_av")
    Signed-off-by: Weihang Li
    Link: https://lore.kernel.org/r/1567566885-23088-2-git-send-email-liweihang@hisilicon.com
    Signed-off-by: Doug Ledford
    Signed-off-by: Greg Kroah-Hartman

commit 9fe3a5a5c082f6531a14e4b3f7766443c0f91e2b
Author: Jason Gunthorpe
Date:   Sat Jun 8 12:25:14 2019 +0300

    RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()

    commit 515f60004ed985d2b2f03659365752e0b6142986 upstream.

    The "ucmd->log_sq_bb_count" variable is a user controlled variable in the 0-255 range. If we shift more than the number of bits in an int then it's undefined behavior (it shift wraps), and potentially the int could become negative.

    Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
    Link: https://lore.kernel.org/r/20190608092514.GC28890@mwanda
    Reported-by: Dan Carpenter
    Signed-off-by: Jason Gunthorpe
    Reviewed-by: Dan Carpenter
    Signed-off-by: Greg Kroah-Hartman

commit 9677ee580027a8d2db4a579fd65d34a8e5e912f2
Author: Nilkanth Ahirrao
Date:   Thu Nov 21 12:10:23 2019 +0100

    ASoC: rsnd: fix DALIGN register for SSIU

    commit ef8e14794308a428b194f8b06ad9ae06b43466e4 upstream.

    The current driver only sets 0x76543210 and 0x67452301 for DALIGN. This doesn’t work well for TDM split and ex-split mode for all SSIU. This patch programs the DALIGN registers based on the SSIU number.

    Cc: Kuninori Morimoto
    Cc: Jiada Wang
    Cc: Andrew Gabbasov
    Fixes: a914e44693d41b ("ASoC: rsnd: more clear rsnd_get_dalign() for DALIGN")
    Signed-off-by: Nilkanth Ahirrao
    Signed-off-by: Eugeniu Rosca
    Acked-by: Kuninori Morimoto
    Link: https://lore.kernel.org/r/20191121111023.10976-1-erosca@de.adit-jv.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 906ed10bc6871edc35c57a78e3a1da9dcb734545
Author: Takashi Iwai
Date:   Thu Nov 7 14:48:33 2019 +0100

    ASoC: core: Fix compile warning with CONFIG_DEBUG_FS=n

    commit bd0b609e0c3362cb167c51d4bd4330d79fc00987 upstream.

    Paper over a compile warning:
      sound/soc/soc-pcm.c:1185:8: warning: unused variable ‘name’

    Fixes: 0632fa042541 ("ASoC: core: Fix pcm code debugfs error")
    Signed-off-by: Takashi Iwai
    Link: https://lore.kernel.org/r/20191107134833.1502-1-tiwai@suse.de
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 74de9e7ba7ad398875edc9e3700cb4d0dfcffa23
Author: Pierre-Louis Bossart
Date:   Fri Nov 1 12:30:36 2019 -0500

    ASoC: SOF: Intel: Broadwell: clarify mutual exclusion with legacy driver

    commit a6955fe0e2309feeab5ec71e4b0dcbe498f4f497 upstream.

    Some distros select all options blindly, which leads to confusion and bug reports.

    SOF does not fully support Broadwell due to firmware dependencies, the machine drivers can only support one option, and UCM/topology files are still being propagated to downstream distros, so make SOF on Broadwell an opt-in option that first requires distros to opt-out of existing defaults.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204237
    Fixes: f35bf70f61d3 ('ASoC: Intel: Make sure BDW based machine drivers build for SOF')
    Signed-off-by: Pierre-Louis Bossart
    Link: https://lore.kernel.org/r/20191101173045.27099-3-pierre-louis.bossart@linux.intel.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit ff05848906416ad6a4e528adc72952fb7576f869
Author: Shengjiu Wang
Date:   Mon Oct 28 17:11:05 2019 +0800

    ASoC: fsl_esai: Add spin lock to protect reset, stop and start

    commit 35dac627471938eda89fa39ee4ead1f7667e0f57 upstream.

    xrun may happen at the end of stream, the trigger->fsl_esai_trigger_stop may be called in the middle of fsl_esai_hw_reset, this may cause esai in wrong state after stop, and there may be endless xrun interrupt.

    This issue may also happen with trigger->fsl_esai_trigger_start.

    So add spin lock to lock those functions.

    Fixes: 7ccafa2b3879 ("ASoC: fsl_esai: recover the channel swap after xrun")
    Signed-off-by: Shengjiu Wang
    Acked-by: Nicolin Chen
    Link: https://lore.kernel.org/r/52e92c4221a83e39a84a6cd92fc3d5479b44894c.1572252321.git.shengjiu.wang@nxp.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 00f4f24ba796cb9f06e53707fd1948714ced8f8e
Author: Daniel Baluta
Date:   Wed Oct 9 18:36:14 2019 +0300

    ASoC: simple_card_utils.h: Add missing include

    commit 4bbee14d8e5487e3d2662138e3767cf4678cdf57 upstream.

    When debug is enabled compiler cannot find the definition of clk_get_rate resulting in the following error:

    ./include/sound/simple_card_utils.h:168:40: note: previous implicit declaration of ‘clk_get_rate’ was here
       dev_dbg(dev, "%s clk %luHz\n", name, clk_get_rate(dai->clk));
    ./include/sound/simple_card_utils.h:168:3: note: in expansion of macro ‘dev_dbg’
       dev_dbg(dev, "%s clk %luHz\n", name, clk_get_rate(dai->clk));

    Fix this by including the appropriate header.

    Fixes: 0580dde59438686d ("ASoC: simple-card-utils: add asoc_simple_debug_info()")
    Signed-off-by: Daniel Baluta
    Link: https://lore.kernel.org/r/20191009153615.32105-2-daniel.baluta@nxp.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit b972e5372c92bce3789b26e4a6485779813faebd
Author: Tzung-Bi Shih
Date:   Fri Sep 20 19:23:20 2019 +0800

    ASoC: dt-bindings: mt8183: add missing update

    commit 7cf2804775f8a388411624b3e768e55d08711e9d upstream.

    Headset codec is optional. Add missing update to DT binding document.

    Fixes: a962a809e5e4 ("ASoC: mediatek: mt8183: make headset codec optional")
    Signed-off-by: Tzung-Bi Shih
    Link: https://lore.kernel.org/r/20190920112320.166052-1-tzungbi@google.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 8086a206e009b2ae0de7b2213a7a6f81fc985448
Author: Arnd Bergmann
Date:   Fri Nov 8 22:32:47 2019 +0100

    netfilter: nft_meta: use 64-bit time arithmetic

    commit 6408c40c39d8eee5caaf97f5219b7dd4e041cc59 upstream.

    On 32-bit architectures, get_seconds() returns an unsigned 32-bit time value, which also matches the type used in the nft_meta code. This will not overflow in year 2038 as a time_t would, but it still suffers from the overflow problem later on in year 2106.

    Change this instance to use the time64_t type consistently and avoid the deprecated get_seconds().

    The nft_meta_weekday() calculation potentially gets a little slower on 32-bit architectures, but now it has the same behavior as on 64-bit architectures and does not overflow.

    Fixes: 63d10e12b00d ("netfilter: nft_meta: support for time matching")
    Signed-off-by: Arnd Bergmann
    Acked-by: Phil Sutter
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

commit cf3aabf388ce7826ad1d3e8e3f4062757bbbb221
Author: Pablo Neira Ayuso
Date:   Thu Nov 14 14:17:24 2019 +0100

    netfilter: nf_tables_offload: release flow_rule on error from commit path

    commit 23403cd8898dbc9808d3eb2f63bc1db8a340b751 upstream.

    If hardware offload commit path fails, release all flow_rule objects.

    Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

commit 3eb81bbf4e0b8eaf33c8315562f693128f683f02
Author: Goldwyn Rodrigues
Date:   Wed Sep 11 11:45:15 2019 -0500

    btrfs: simplify inode locking for RWF_NOWAIT

    commit 9cf35f673583ccc9f3e2507498b3079d56614ad3 upstream.

    This is similar to 942491c9e6d6 ("xfs: fix AIM7 regression"). Apparently our current rwsem code doesn't like doing the trylock, then lock for real scheme. This causes extra contention on the lock and can be measured eg. by AIM7 benchmark. So change our read/write methods to just do the trylock for the RWF_NOWAIT case.

    Fixes: edf064e7c6fe ("btrfs: nowait aio support")
    Signed-off-by: Goldwyn Rodrigues
    Reviewed-by: David Sterba
    [ update changelog ]
    Signed-off-by: David Sterba
    Signed-off-by: Greg Kroah-Hartman

commit 8aaefcaa5ee0900524a69983a014e57d57c4326c
Author: Taehee Yoo
Date:   Sat Dec 28 16:28:09 2019 +0000

    hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename()

    commit 04b69426d846cd04ca9acefff1ea39e1c64d2714 upstream.

    hsr slave interfaces don't have debugfs directory. So, hsr_debugfs_rename() shouldn't be called when hsr slave interface name is changed.

    Test commands:
        ip link add dummy0 type dummy
        ip link add dummy1 type dummy
        ip link add hsr0 type hsr slave1 dummy0 slave2 dummy1
        ip link set dummy0 name ap

    Splat looks like:
    [21071.899367][T22666] ap: renamed from dummy0
    [21071.914005][T22666] ==================================================================
    [21071.919008][T22666] BUG: KASAN: slab-out-of-bounds in hsr_debugfs_rename+0xaa/0xb0 [hsr]
    [21071.923640][T22666] Read of size 8 at addr ffff88805febcd98 by task ip/22666
    [21071.926941][T22666]
    [21071.927750][T22666] CPU: 0 PID: 22666 Comm: ip Not tainted 5.5.0-rc2+ #240
    [21071.929919][T22666] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [21071.935094][T22666] Call Trace:
    [21071.935867][T22666] dump_stack+0x96/0xdb
    [21071.936687][T22666] ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
    [21071.937774][T22666] print_address_description.constprop.5+0x1be/0x360
    [21071.939019][T22666] ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
    [21071.940081][T22666] ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
    [21071.940949][T22666] __kasan_report+0x12a/0x16f
    [21071.941758][T22666] ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
    [21071.942674][T22666] kasan_report+0xe/0x20
    [21071.943325][T22666] hsr_debugfs_rename+0xaa/0xb0 [hsr]
    [21071.944187][T22666] hsr_netdev_notify+0x1fe/0x9b0 [hsr]
    [21071.945052][T22666] ? __module_text_address+0x13/0x140
    [21071.945897][T22666] notifier_call_chain+0x90/0x160
    [21071.946743][T22666] dev_change_name+0x419/0x840
    [21071.947496][T22666] ? __read_once_size_nocheck.constprop.6+0x10/0x10
    [21071.948600][T22666] ? netdev_adjacent_rename_links+0x280/0x280
    [21071.949577][T22666] ? __read_once_size_nocheck.constprop.6+0x10/0x10
    [21071.950672][T22666] ? lock_downgrade+0x6e0/0x6e0
    [21071.951345][T22666] ? do_setlink+0x811/0x2ef0
    [21071.951991][T22666] do_setlink+0x811/0x2ef0
    [21071.952613][T22666] ? is_bpf_text_address+0x81/0xe0
    [ ... ]

    Reported-by: syzbot+9328206518f08318a5fd@syzkaller.appspotmail.com
    Fixes: 4c2d5e33dcd3 ("hsr: rename debugfs file when interface name is changed")
    Signed-off-by: Taehee Yoo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 499960fcb86d18c4e55c2edb3e228734d2c89538
Author: Sami Tolvanen
Date:   Tue Oct 8 15:40:49 2019 -0700

    syscalls/x86: Fix function types in COND_SYSCALL

    commit 6e4847640c6aebcaa2d9b3686cecc91b41f09269 upstream.

    Define a weak function in COND_SYSCALL instead of a weak alias to sys_ni_syscall(), which has an incompatible type. This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking.

    Signed-off-by: Sami Tolvanen
    Acked-by: Andy Lutomirski
    Cc: Borislav Petkov
    Cc: H . Peter Anvin
    Cc: Kees Cook
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Link: https://lkml.kernel.org/r/20191008224049.115427-6-samitolvanen@google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 3ebcb6145a8e384093b992da67b59aa1cbb50557
Author: Sami Tolvanen
Date:   Tue Oct 8 15:40:48 2019 -0700

    syscalls/x86: Use the correct function type for sys_ni_syscall

    commit f48f01a92cca09e86d46c91d8edf9d5a71c61727 upstream.

    Use the correct function type for sys_ni_syscall() in system call tables to fix indirect call mismatches with Control-Flow Integrity (CFI) checking.

    Signed-off-by: Sami Tolvanen
    Acked-by: Andy Lutomirski
    Cc: Borislav Petkov
    Cc: H . Peter Anvin
    Cc: Kees Cook
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Link: https://lkml.kernel.org/r/20191008224049.115427-5-samitolvanen@google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit ab133a833c7a9ede9dacdb586eda8992aeaeea86
Author: Sami Tolvanen
Date:   Tue Oct 8 15:40:47 2019 -0700

    syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn

    commit 00198a6eaf66609de5e4de9163bb42c7ca9dd7b7 upstream.

    Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn() syscalls to replace sys32_sigreturn() and sys32_rt_sigreturn(). This fixes indirect call mismatches with Control-Flow Integrity (CFI) checking.

    Signed-off-by: Sami Tolvanen
    Acked-by: Andy Lutomirski
    Cc: Borislav Petkov
    Cc: H . Peter Anvin
    Cc: Kees Cook
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Link: https://lkml.kernel.org/r/20191008224049.115427-4-samitolvanen@google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 91dec6de72a9cc4a80307b177a943be198ac82f4
Author: Andy Lutomirski
Date:   Tue Oct 8 15:40:46 2019 -0700

    syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0

    commit cf3b83e19d7c928e05a5d193c375463182c6029a upstream.

    x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can use it for rt_sigreturn.

    Signed-off-by: Andy Lutomirski
    Signed-off-by: Sami Tolvanen
    Cc: Borislav Petkov
    Cc: H . Peter Anvin
    Cc: Kees Cook
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Link: https://lkml.kernel.org/r/20191008224049.115427-3-samitolvanen@google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit e0fca6b8dfbef70a66e6143cd6d97cde09ececd8
Author: Ed Maste
Date:   Thu Dec 12 14:53:46 2019 +0000

    perf vendor events s390: Remove name from L1D_RO_EXCL_WRITES description

    commit 58b3bafff8257c6946df5d6aeb215b8ac839ed2a upstream.

    In 7fcfa9a2d9 an unintended prefix "Counter:18 Name:" was removed from the description for L1D_RO_EXCL_WRITES, but the extra name remained in the description. Remove it too.

    Fixes: 7fcfa9a2d9a7 ("perf list: Fix s390 counter long description for L1D_RO_EXCL_WRITES")
    Signed-off-by: Ed Maste
    Cc: Alexander Shishkin
    Cc: Greentime Hu
    Cc: Jiri Olsa
    Cc: Mark Rutland
    Cc: Namhyung Kim
    Cc: Nick Hu
    Cc: Peter Zijlstra
    Cc: Thomas Richter
    Cc: Vincent Chen
    Link: http://lore.kernel.org/lkml/20191212145346.5026-1-emaste@freefall.freebsd.org
    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: Greg Kroah-Hartman

commit f6cd94526b5f15f24a05e3602a11fd95a074e3f6
Author: David Howells
Date:   Wed Dec 11 08:06:08 2019 +0000

    afs: Fix missing cell comparison in afs_test_super()

    commit 106bc79843c3c6f4f00753d1f46e54e815f99377 upstream.

    Fix missing cell comparison in afs_test_super(). Without this, any pair volumes that have the same volume ID will share a superblock, no matter the cell, unless they're in different network namespaces.

    Normally, most users will only deal with a single cell and so they won't see this. Even if they do look into a second cell, they won't see a problem unless they happen to hit a volume with the same ID as one they've already got mounted.
    Before the patch:

        # ls /afs/grand.central.org/archive
        linuxdev/ mailman/ moin/ mysql/ pipermail/ stage/ twiki/
        # ls /afs/kth.se/
        linuxdev/ mailman/ moin/ mysql/ pipermail/ stage/ twiki/
        # cat /proc/mounts | grep afs
        none /afs afs rw,relatime,dyn,autocell 0 0
        #grand.central.org:root.cell /afs/grand.central.org afs ro,relatime 0 0
        #grand.central.org:root.archive /afs/grand.central.org/archive afs ro,relatime 0 0
        #grand.central.org:root.archive /afs/kth.se afs ro,relatime 0 0

    After the patch:

        # ls /afs/grand.central.org/archive
        linuxdev/ mailman/ moin/ mysql/ pipermail/ stage/ twiki/
        # ls /afs/kth.se/
        admin/ common/ install/ OldFiles/ service/ system/
        bakrestores/ home/ misc/ pkg/ src/ wsadmin/
        # cat /proc/mounts | grep afs
        none /afs afs rw,relatime,dyn,autocell 0 0
        #grand.central.org:root.cell /afs/grand.central.org afs ro,relatime 0 0
        #grand.central.org:root.archive /afs/grand.central.org/archive afs ro,relatime 0 0
        #kth.se:root.cell /afs/kth.se afs ro,relatime 0 0

    Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: Carsten Jacobi
    Signed-off-by: David Howells
    Reviewed-by: Marc Dionne
    Tested-by: Jonathan Billings
    cc: Todd DeSantis
    Signed-off-by: Greg Kroah-Hartman

commit c993cba53c07fba310f3a462762ad100747396a5
Author: Florian Fainelli
Date:   Mon Nov 4 10:15:02 2019 -0800

    reset: brcmstb: Remove resource checks

    commit ce89d8d3a70fa530e16f0b0f8994385a214cd0c0 upstream.

    The use of IS_ALIGNED() is incorrect, the typical resource we pass looks like this: start: 0x8404318, size: 0x30. When using IS_ALIGNED() we will get the following 0x8404318 & (0x18 - 1) = 0x10 which is definitively not equal to 0, same goes with the size. These two checks would make the driver fail probing. Remove the resource checks, since there should be no constraint on the base address or size.
    Fixes: 77750bc089e4 ("reset: Add Broadcom STB SW_INIT reset controller driver")
    Signed-off-by: Florian Fainelli
    Signed-off-by: Philipp Zabel
    Signed-off-by: Greg Kroah-Hartman

commit 05b41913ac6f48faadab48057437b31646abe7b5
Author: Florian Fainelli
Date:   Mon Nov 4 10:15:01 2019 -0800

    dt-bindings: reset: Fix brcmstb-reset example

    commit 392a9f63058f2cdcec8363b849a25532ee40da9f upstream.

    The reset controller has a #reset-cells value of 1, so we should see a phandle plus a register identifier, fix the example.

    Fixes: 0807caf647dd ("dt-bindings: reset: Add document for Broadcom STB reset controller")
    Signed-off-by: Florian Fainelli
    Signed-off-by: Philipp Zabel
    Signed-off-by: Greg Kroah-Hartman

commit ec694e9e3b05feb2fd8306edb4fed24ffc703393
Author: Marc Kleine-Budde
Date:   Thu Nov 21 10:47:50 2019 +0100

    can: j1939: fix address claim code example

    commit 8ac9d71d601374222a230804e419cd40c4492e1c upstream.

    During development the define J1939_PGN_ADDRESS_REQUEST was renamed to J1939_PGN_REQUEST. It was forgotten to adjust the documentation accordingly.

    This patch fixes the name of the symbol.

    Reported-by: https://github.com/linux-can/can-utils/issues/159#issuecomment-556538798
    Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
    Cc: Oleksij Rempel
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit 233fe5963d4ac82ea8b6435c5c9a3b2b3879f890
Author: Christian Lamparter
Date:   Sun Nov 24 15:40:59 2019 +0100

    ath9k: use iowrite32 over __raw_writel

    commit 22d0d5ae7a089967e9295a06694aa3e8a812b15e upstream.

    This patch changes the ath9k_pci_owl_loader to use the same iowrite32 memory accessor that ath9k_pci is using to communicate with the PCI(e) chip.

    This will fix endian issues that came up during testing with loaned AVM Fritz!Box 7360 (Lantiq MIPS SoCs + AR9287).
    Fixes: 5a4f2040fd07 ("ath9k: add loader for AR92XX (and older) pci(e)")
    Signed-off-by: Christian Lamparter
    Signed-off-by: Kalle Valo
    Signed-off-by: Greg Kroah-Hartman

commit 6e584d52f196c62134dd316becc54d878828394a
Author: Andy Shevchenko
Date:   Wed Dec 4 14:31:35 2019 +0200

    MAINTAINERS: Append missed file to the database

    commit 44fe5cb32c7599a4059931a98794e0418619aa96 upstream.

    When gpiolib.h internal header had been split to few, the commit 77cb907abe6c ("gpiolib: acpi: Split ACPI stuff to gpiolib-acpi.h") in particular missed the MAINTAINERS database update. Do it here.

    Fixes: 77cb907abe6c ("gpiolib: acpi: Split ACPI stuff to gpiolib-acpi.h")
    Signed-off-by: Andy Shevchenko
    Acked-by: Mika Westerberg
    Signed-off-by: Bartosz Golaszewski
    Signed-off-by: Greg Kroah-Hartman

commit a93056ceb53217ebb52791cdb07dfb414d5ce076
Author: Paul Menzel
Date:   Mon Dec 9 16:06:53 2019 +0100

    scsi: smartpqi: Update attribute name to `driver_version`

    commit a2bdd0c904da12b223c8d7218e98138d4e6d9f4f upstream.

    The file name in the documentation is currently incorrect, so fix it.

    Link: https://lore.kernel.org/r/fe264d62-0371-ea59-b66a-6d855290ce65@molgen.mpg.de
    Fixes: 6d90615f1346 ("scsi: smartpqi: add sysfs entries")
    Signed-off-by: Paul Menzel
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit 4cd3fe5f155d705be16f850dc26ff8abc042467f
Author: Nathan Chancellor
Date:   Tue Dec 17 20:04:51 2019 -0700

    cifs: Adjust indentation in smb2_open_file

    commit 7935799e041ae10d380d04ea23868240f082bd11 upstream.

    Clang warns:

    ../fs/cifs/smb2file.c:70:3: warning: misleading indentation; statement is not part of the previous 'if' [-Wmisleading-indentation]
             if (oparms->tcon->use_resilient) {
             ^
    ../fs/cifs/smb2file.c:66:2: note: previous statement is here
            if (rc)
            ^
    1 warning generated.

    This warning occurs because there is a space after the tab on this line. Remove it so that the indentation is consistent with the Linux kernel coding style and clang no longer warns.
    Fixes: 592fafe644bf ("Add resilienthandles mount parm")
    Link: https://github.com/ClangBuiltLinux/linux/issues/826
    Signed-off-by: Nathan Chancellor
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 0b3e622f8ccc1f6017b3fb6ae406ebd73489d1f4
Author: Julian Wiedmann
Date:   Mon Dec 23 15:03:26 2019 +0100

    s390/qeth: fix initialization on old HW

    commit 0b698c838e84149b690c7e979f78cccb6f8aa4b9 upstream.

    I stumbled over an old OSA model that claims to support DIAG_ASSIST, but then rejects the cmd to query its DIAG capabilities.

    In the old code this was ok, as the returned raw error code was > 0. Now that we translate the raw codes to errnos, the "rc < 0" causes us to fail the initialization of the device.

    The fix is trivial: don't bail out when the DIAG query fails. Such an error is not critical, we can still use the device (with a slightly reduced set of features).

    Fixes: 742d4d40831d ("s390/qeth: convert remaining legacy cmd callbacks")
    Signed-off-by: Julian Wiedmann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ccdd5b39773d2fdecc96804a7db7683469df765d
Author: Alexandra Winter
Date:   Mon Dec 23 15:03:25 2019 +0100

    s390/qeth: vnicc Fix init to default

    commit d1b9ae1864fc3c000e0eb4af8482d78c63e0915a upstream.

    During vnicc_init wanted_char should be compared to cur_char and not to QETH_VNICC_DEFAULT. Without this patch there is no way to enforce the default values as desired values.

    Note, that it is expected, that a card comes online with default values. This patch was tested with private card firmware.

    Fixes: caa1f0b10d18 ("s390/qeth: add VNICC enable/disable support")
    Signed-off-by: Alexandra Winter
    Signed-off-by: Julian Wiedmann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 982d97388e0f661d5acc794e22ac8667ea6c4698
Author: Alexandra Winter
Date:   Mon Dec 23 15:03:24 2019 +0100

    s390/qeth: Fix vnicc_is_in_use if rx_bcast not set

    commit e8a66d800471e2df7f0b484e2e46898b21d1fa82 upstream.
    Symptom: After vnicc/rx_bcast has been manually set to 0, bridge_* sysfs parameters can still be set or written. Only occurs on HiperSockets, as OSA doesn't support changing rx_bcast.

    Vnic characteristics and bridgeport settings are mutually exclusive. rx_bcast defaults to 1, so manually setting it to 0 should disable bridge_* parameters.

    Instead it makes sense here to check the supported mask. If the card does not support vnicc at all, bridge commands are always allowed.

    Fixes: caa1f0b10d18 ("s390/qeth: add VNICC enable/disable support")
    Signed-off-by: Alexandra Winter
    Signed-off-by: Julian Wiedmann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit efc8a5d61904d41938fdc1f31d4056f6139dfd82
Author: Alexandra Winter
Date:   Mon Dec 23 15:03:23 2019 +0100

    s390/qeth: fix false reporting of VNIC CHAR config failure

    commit 68c57bfd52836e31bff33e5e1fc64029749d2c35 upstream.

    Symptom: Error message "Configuring the VNIC characteristics failed" in dmesg whenever an OSA interface on z15 is set online.

    The VNIC characteristics get re-programmed when setting a L2 device online. This follows the selected 'wanted' characteristics - with the exception that the INVISIBLE characteristic unconditionally gets switched off.

    For devices that don't support INVISIBLE (ie. OSA), the resulting IO failure raises a noisy error message ("Configuring the VNIC characteristics failed"). For IQD, INVISIBLE is off by default anyways.

    So don't unnecessarily special-case the INVISIBLE characteristic, and thereby suppress the misleading error message on OSA devices.

    Fixes: caa1f0b10d18 ("s390/qeth: add VNICC enable/disable support")
    Signed-off-by: Alexandra Winter
    Reviewed-by: Julian Wiedmann
    Signed-off-by: Julian Wiedmann
    Signed-off-by: David S.
Miller
    Signed-off-by: Greg Kroah-Hartman

commit 746b4fbfbcc5a02a9b87dda70967c2f93dc25909
Author: Julian Wiedmann
Date:   Mon Dec 23 15:03:21 2019 +0100

    s390/qeth: fix qdio teardown after early init error

    commit 8b5026bc16938920e4780b9094c3bf20e1e0939d upstream.

    qeth_l?_set_online() goes through a number of initialization steps, and on any error uses qeth_l?_stop_card() to tear down the residual state.

    The first initialization step is qeth_core_hardsetup_card(). When this fails after having established a QDIO context on the device (ie. somewhere after qeth_mpc_initialize()), qeth_l?_stop_card() doesn't shut down this QDIO context again (since the card state hasn't progressed from DOWN at this stage).

    Even worse, we then call qdio_free() as final teardown step to free the QDIO data structures - while some of them are still hooked into wider QDIO infrastructure such as the IRQ list. This is inevitably followed by use-after-frees and other nastiness.

    Fix this by unconditionally calling qeth_qdio_clear_card() to shut down the QDIO context, and also to halt/clear any pending activity on the various IO channels.

    Remove the naive attempt at handling the teardown in qeth_mpc_initialize(), it clearly doesn't suffice and we're handling it properly now in the wider teardown code.

    Fixes: 4a71df50047f ("qeth: new qeth device driver")
    Signed-off-by: Julian Wiedmann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5e5eaf92b37ab6982921f9dc5ac112eff1f573f9
Author: Taehee Yoo
Date:   Sun Dec 22 11:27:08 2019 +0000

    hsr: reset network header when supervision frame is created

    commit 3ed0a1d563903bdb4b4c36c58c4d9c1bcb23a6e6 upstream.

    The supervision frame is L2 frame. When supervision frame is created, hsr module doesn't set network header. If tap routine is enabled, dev_queue_xmit_nit() is called and it checks network_header. If network_header pointer wasn't set(or invalid), it resets network_header and warns.
    In order to avoid unnecessary warning message, resetting network_header is needed.

    Test commands:
        ip netns add nst
        ip link add veth0 type veth peer name veth1
        ip link add veth2 type veth peer name veth3
        ip link set veth1 netns nst
        ip link set veth3 netns nst
        ip link set veth0 up
        ip link set veth2 up
        ip link add hsr0 type hsr slave1 veth0 slave2 veth2
        ip a a 192.168.100.1/24 dev hsr0
        ip link set hsr0 up
        ip netns exec nst ip link set veth1 up
        ip netns exec nst ip link set veth3 up
        ip netns exec nst ip link add hsr1 type hsr slave1 veth1 slave2 veth3
        ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
        ip netns exec nst ip link set hsr1 up
        tcpdump -nei veth0

    Splat looks like:
    [ 175.852292][ C3] protocol 88fb is buggy, dev veth0

    Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
    Signed-off-by: Taehee Yoo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5f3ff068150c3b152d0490f1796d8adae6b087f0
Author: Taehee Yoo
Date:   Sun Dec 22 11:26:39 2019 +0000

    hsr: rename debugfs file when interface name is changed

    commit 4c2d5e33dcd3a6333a7895be3b542ff3d373177c upstream.

    hsr interface has own debugfs file, which name is same with interface name. So, interface name is changed, debugfs file name should be changed too.

    Fixes: fc4ecaeebd26 ("net: hsr: add debugfs support for display node list")
    Signed-off-by: Taehee Yoo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0299f24a9731a00e5cc5f550454793d144b6211b
Author: Taehee Yoo
Date:   Sun Dec 22 11:26:27 2019 +0000

    hsr: add hsr root debugfs directory

    commit c6c4ccd7f96993e106dfea7ef18127f972f2db5e upstream.

    In current hsr code, when hsr interface is created, it creates debugfs directory /sys/kernel/debug/. If there is same directory or file name in there, it fails. In order to reduce possibility of failure of creation of debugfs, this patch adds root directory.
    Test commands:
        ip link add dummy0 type dummy
        ip link add dummy1 type dummy
        ip link add hsr0 type hsr slave1 dummy0 slave2 dummy1

    Before this patch:
        /sys/kernel/debug/hsr0/node_table

    After this patch:
        /sys/kernel/debug/hsr/hsr0/node_table

    Signed-off-by: Taehee Yoo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0d03645bc4318fb5488ec5671ab3d2d64cd45c3a
Author: Thierry Reding
Date:   Wed Sep 25 13:26:59 2019 +0200

    drm/tegra: Fix ordering of cleanup code

    commit 051172e8c1ceef8749f19faacc1d3bef65d20d8d upstream.

    Commit Fixes: b9f8b09ce256 ("drm/tegra: Setup shared IOMMU domain after initialization") changed the initialization order of the IOMMU related bits but didn't update the cleanup path accordingly. This asymmetry can cause failures during error recovery.

    Fixes: b9f8b09ce256 ("drm/tegra: Setup shared IOMMU domain after initialization")
    Signed-off-by: Thierry Reding
    Reviewed-by: Dmitry Osipenko
    Tested-by: Dmitry Osipenko
    Signed-off-by: Greg Kroah-Hartman

commit c66c84b5223134f95e16c05e1d85c50bf8623e7a
Author: Neil Armstrong
Date:   Mon Sep 16 14:50:18 2019 +0200

    PCI: amlogic: Fix probed clock names

    commit eacaf7dcf08eb062a1059c6c115fa3fced3374ae upstream.

    Fix the clock names used in the probe function according to the bindings.

    Fixes: 9c0ef6d34fdb ("PCI: amlogic: Add the Amlogic Meson PCIe controller driver")
    Signed-off-by: Neil Armstrong
    Signed-off-by: Lorenzo Pieralisi
    Reviewed-by: Andrew Murray
    Signed-off-by: Greg Kroah-Hartman

commit bfa120840905c94616fd6200a9bf3a37e2ede938
Author: Arnd Bergmann
Date:   Thu Dec 12 10:56:31 2019 +0900

    PM / devfreq: tegra: Add COMMON_CLK dependency

    commit 5fdb0684b5b0f41402161f068d3d84bf6ed1c3f4 upstream.
    Compile-testing this driver fails if CONFIG_COMMON_CLK is not set:

    drivers/devfreq/tegra30-devfreq.o: In function `tegra_devfreq_target':
    tegra30-devfreq.c:(.text+0x164): undefined reference to `clk_set_min_rate'

    Fixes: 35f8dbc72721 ("PM / devfreq: tegra: Enable COMPILE_TEST for the driver")
    Signed-off-by: Arnd Bergmann
    Reviewed-by: Dmitry Osipenko
    Signed-off-by: Chanwoo Choi
    Signed-off-by: Greg Kroah-Hartman

commit 2b1e8883b94f5c3bb22ede36546a66fdfaa756bc
Author: Geert Uytterhoeven
Date:   Wed Nov 27 10:59:19 2019 +0100

    gpio: Fix error message on out-of-range GPIO in lookup table

    commit d935bd50dd14a7714cbdba9a76435dbb56edb1ae upstream.

    When a GPIO offset in a lookup table is out-of-range, the printed error message (1) does not include the actual out-of-range value, and (2) contains an off-by-one error in the upper bound.

    Avoid user confusion by also printing the actual GPIO offset, and correcting the upper bound of the range. While at it, use "%u" for unsigned int.

    Sample impact:

        -requested GPIO 0 is out of range [0..32] for chip e6052000.gpio
        +requested GPIO 0 (45) is out of range [0..31] for chip e6052000.gpio

    Fixes: 2a3cf6a3599e9015 ("gpiolib: return -ENOENT if no GPIO mapping exists")
    Signed-off-by: Geert Uytterhoeven
    Link: https://lore.kernel.org/r/20191127095919.4214-1-geert+renesas@glider.be
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit eba97de9f8dc48fa50c9d901d9bfdf31e37719b5
Author: Dan Carpenter
Date:   Tue Dec 3 12:36:52 2019 +0300

    scsi: mpt3sas: Fix double free in attach error handling

    commit ee560e7bbab0c10cf3f0e71997fbc354ab2ee5cb upstream.
    The caller also calls _base_release_memory_pools() on error so it leads to a number of double frees:

    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->chain_dma_pool' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->hpr_lookup' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->internal_lookup' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->pcie_sgl_dma_pool' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_dma_pool' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_free_dma_pool' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_post_free_array_dma_pool' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_post_free_dma_pool' double freed
    drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->sense_dma_pool' double freed

    Fixes: 74522a92bbf0 ("scsi: mpt3sas: Optimize I/O memory consumption in driver.")
    Link: https://lore.kernel.org/r/20191203093652.gyntgvnkw2udatyc@kili.mountain
    Signed-off-by: Dan Carpenter
    Acked-by: Sreekanth Reddy
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit 3fe209c8432b829a605c5b7c932d39469c25277d
Author: Ming Lei
Date:   Sun Jan 5 09:41:14 2020 +0800

    fs: move guard_bio_eod() after bio_set_op_attrs

    commit 83c9c547168e8b914ea6398430473a4de68c52cc upstream.

    Commit 85a8ce62c2ea ("block: add bio_truncate to fix guard_bio_eod") adds bio_truncate() for handling bio EOD. However, bio_truncate() doesn't use the passed 'op' parameter from guard_bio_eod's callers.

    So bio_truncate() may retrieve wrong 'op', and zeroing pages may not be done for READ bio.

    Fixes this issue by moving guard_bio_eod() after bio_set_op_attrs() in submit_bh_wbc() so that bio_truncate() can always retrieve correct op info.
    Meantime remove the 'op' parameter from guard_bio_eod() because it isn't used any more.

    Cc: Carlos Maiolino
    Cc: linux-fsdevel@vger.kernel.org
    Fixes: 85a8ce62c2ea ("block: add bio_truncate to fix guard_bio_eod")
    Signed-off-by: Ming Lei
    Signed-off-by: Greg Kroah-Hartman

    Fold in kerneldoc and bio_op() change.

    Signed-off-by: Jens Axboe

commit 80a332f418585c817446dee19112527ad78063c0
Author: Roman Gushchin
Date:   Fri Dec 27 13:50:34 2019 -0800

    bpf: cgroup: prevent out-of-order release of cgroup bpf

    commit e10360f815ca6367357b2c2cfef17fc663e50f7b upstream.

    Before commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") cgroup bpf structures were released with corresponding cgroup structures. It guaranteed the hierarchical order of destruction: children were always first. It preserved attached programs from being released before their propagated copies.

    But with cgroup auto-detachment there are no such guarantees anymore: cgroup bpf is released as soon as the cgroup is offline and there are no live associated sockets. It means that an attached program can be detached and released, while its propagated copy is still living in the cgroup subtree. This will obviously lead to a use-after-free bug.

    To reproduce the issue the following script can be used:

        #!/bin/bash

        CGROOT=/sys/fs/cgroup

        mkdir -p ${CGROOT}/A ${CGROOT}/B ${CGROOT}/A/C
        sleep 1

        ./test_cgrp2_attach ${CGROOT}/A egress &
        A_PID=$!
        ./test_cgrp2_attach ${CGROOT}/B egress &
        B_PID=$!

        echo $$ > ${CGROOT}/A/C/cgroup.procs
        iperf -s &
        S_PID=$!
        iperf -c localhost -t 100 &
        C_PID=$!
        sleep 1

        echo $$ > ${CGROOT}/B/cgroup.procs
        echo ${S_PID} > ${CGROOT}/B/cgroup.procs
        echo ${C_PID} > ${CGROOT}/B/cgroup.procs

        sleep 1

        rmdir ${CGROOT}/A/C
        rmdir ${CGROOT}/A

        sleep 1

        kill -9 ${S_PID} ${C_PID} ${A_PID} ${B_PID}

    On the unpatched kernel the following stacktrace can be obtained:

    [ 33.619799] BUG: unable to handle page fault for address: ffffbdb4801ab002
    [ 33.620677] #PF: supervisor read access in kernel mode
    [ 33.621293] #PF: error_code(0x0000) - not-present page
    [ 33.622754] Oops: 0000 [#1] SMP NOPTI
    [ 33.623202] CPU: 0 PID: 601 Comm: iperf Not tainted 5.5.0-rc2+ #23
    [ 33.625545] RIP: 0010:__cgroup_bpf_run_filter_skb+0x29f/0x3d0
    [ 33.635809] Call Trace:
    [ 33.636118] ? __cgroup_bpf_run_filter_skb+0x2bf/0x3d0
    [ 33.636728] ? __switch_to_asm+0x40/0x70
    [ 33.637196] ip_finish_output+0x68/0xa0
    [ 33.637654] ip_output+0x76/0xf0
    [ 33.638046] ? __ip_finish_output+0x1c0/0x1c0
    [ 33.638576] __ip_queue_xmit+0x157/0x410
    [ 33.639049] __tcp_transmit_skb+0x535/0xaf0
    [ 33.639557] tcp_write_xmit+0x378/0x1190
    [ 33.640049] ? _copy_from_iter_full+0x8d/0x260
    [ 33.640592] tcp_sendmsg_locked+0x2a2/0xdc0
    [ 33.641098] ? sock_has_perm+0x10/0xa0
    [ 33.641574] tcp_sendmsg+0x28/0x40
    [ 33.641985] sock_sendmsg+0x57/0x60
    [ 33.642411] sock_write_iter+0x97/0x100
    [ 33.642876] new_sync_write+0x1b6/0x1d0
    [ 33.643339] vfs_write+0xb6/0x1a0
    [ 33.643752] ksys_write+0xa7/0xe0
    [ 33.644156] do_syscall_64+0x5b/0x1b0
    [ 33.644605] entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Fix this by grabbing a reference to the bpf structure of each ancestor on the initialization of the cgroup bpf structure, and dropping the reference at the end of releasing the cgroup bpf structure.

    This will restore the hierarchical order of cgroup bpf releasing, without adding any operations on hot paths.

    Thanks to Josef Bacik for the debugging and the initial analysis of the problem.
    Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself")
    Reported-by: Josef Bacik
    Signed-off-by: Roman Gushchin
    Acked-by: Song Liu
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Greg Kroah-Hartman

commit 297d6a06a8e646c6301153eec2dd2a62cd4ae0ed
Author: Jon Derrick
Date:   Tue Dec 31 13:24:19 2019 -0700

    iommu: Remove device link to group on failure

    commit 7d4e6ccd1fb09dbfbc49746ca82bd5c25ad4bfe4 upstream.

    This adds the missing teardown step that removes the device link from the group when the device addition fails.

    Signed-off-by: Jon Derrick
    Fixes: 797a8b4d768c5 ("iommu: Handle default domain attach failure")
    Reviewed-by: Lu Baolu
    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit f9fbac39cf283725772fa491ab0b045e77441d2a
Author: Jon Derrick
Date:   Tue Dec 31 13:24:20 2019 -0700

    iommu/vt-d: Unlink device if failed to add to group

    commit f78947c409204138a4bc0609f98e07ef9d01ac0a upstream.

    If the device fails to be added to the group, make sure to unlink the reference before returning.

    Signed-off-by: Jon Derrick
    Fixes: 39ab9555c2411 ("iommu: Add sysfs bindings for struct iommu_device")
    Acked-by: Lu Baolu
    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit be7ef489fe177ac69c793c97157d74d7d5aea436
Author: Hangbin Liu
Date:   Fri Jan 3 15:41:24 2020 +0800

    selftests: loopback.sh: skip this test if the driver does not support

    commit cc7e3f63d7299dd1119be39aa187b867d6f8aa17 upstream.

    The loopback feature is only supported on a few drivers like broadcom, mellanox, etc. The default veth driver has not supported it yet. To avoid returning failed and making the runner feel confused, let's just skip the test on drivers that do not support loopback.

    Fixes: ad11340994d5 ("selftests: Add loopback test")
    Signed-off-by: Hangbin Liu
    Reviewed-by: Simon Horman
    Signed-off-by: David S.
Miller
    Signed-off-by: Greg Kroah-Hartman

commit 24fde17ee89feb5202ac13aecbeba5b32da6e7fe
Author: Qianggui Song
Date:   Thu Dec 26 10:37:34 2019 +0800

    pinctrl: meson: Fix wrong shift value when get drive-strength

    commit 35c60be220572de7d6605c4318f640d133982040 upstream.

    In meson_pinconf_get_drive_strength, variable bit is calculated by meson_calc_reg_and_bit, this value is the offset from the first pin of a certain bank to current pin, while Meson SoCs use two bits for each pin to depict drive-strength. So a left shift by 1 should be done or node pinconf-pins shows wrong message.

    Fixes: 6ea3e3bbef37 ("pinctrl: meson: add support of drive-strength-microamp")
    Signed-off-by: Qianggui Song
    Link: https://lore.kernel.org/r/20191226023734.9631-1-qianggui.song@amlogic.com
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit 8457f26af06153affcd358078f78599fbbaaa6f5
Author: Swapna Manupati
Date:   Thu Dec 26 17:42:11 2019 +0530

    gpio: zynq: Fix for bug in zynq_gpio_restore_context API

    commit 36f2e7207f21a83ca0054116191f119ac64583ab upstream.

    This patch writes the inverse value of Interrupt Mask Status register into the Interrupt Enable register in zynq_gpio_restore_context API to fix the bug.

    Fixes: e11de4de28c0 ("gpio: zynq: Add support for suspend resume")
    Signed-off-by: Swapna Manupati
    Signed-off-by: Michal Simek
    Signed-off-by: Srinivas Neeli
    Link: https://lore.kernel.org/r/1577362338-28744-2-git-send-email-srinivas.neeli@xilinx.com
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit 0bf0a272d787a3a67c6fd3aae2b232d34ca062bf
Author: Peter Ujfalusi
Date:   Tue Jan 7 10:45:44 2020 +0200

    mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy

    commit 8bcef0d54067077cf9a6cb129022c77559926e8c upstream.

    The commit converting the driver to DMAengine was missing the flags for the memcpy prepare call. It went unnoticed since the omap-dma driver was ignoring them.
    Fixes: 3ed6a4d1de2c5 (" mtd: onenand: omap2: Convert to use dmaengine for memcp")
    Reported-by: Aaro Koskinen
    Signed-off-by: Peter Ujfalusi
    Tested-by: H. Nikolaus Schaller
    Tested-by: Aaro Koskinen
    Signed-off-by: Miquel Raynal
    Signed-off-by: Greg Kroah-Hartman

commit ac1d5c147f39f2cbe058063c1e71dbbf0453962f
Author: Daniel Baluta
Date:   Fri Dec 20 11:05:31 2019 -0600

    ASoC: SOF: imx8: Fix dsp_box offset

    commit dcf08d0f8f09081b16f69071dd55d51d5e964e84 upstream.

    dsp_box is used to keep DSP initiated messages. The value of dsp_offset is set by the DSP with the first message, so we need a way to bootstrap it in order to get the first message.

    We do this by setting the correct default dsp_box offset which on i.MX8 is not zero.

    Very interesting is why it has worked until now.

    On i.MX8, DSP communicates with ARM core using a shared SDRAM memory area. Actually, there are two shared areas:
        * SDRAM0 - starting at 0x92400000, size 0x800000
        * SDRAM1 - starting at 0x92C00000, size 0x800000

    SDRAM0 keeps the data sections, starting with .rodata. By chance fw_ready structure was placed at the beginning of .rodata.

    dsp_box_base is defined as SDRAM0 + dsp_box_offset and it is placed at the beginning of SDRAM1 (dsp_box_offset should be 0x800000). But because it is zero initialized by default it points to SDRAM0 where by chance the fw_ready was placed in the SOF firmware.

    Anyhow, SOF commit 7466bee378dd811b ("clk: make freq arrays constant") fw_ready is no longer at the beginning of SDRAM0 and everything shows how lucky we were until now.

    Fix this by properly setting the default dsp_box offset.
    Fixes: 202acc565a1f050 ("ASoC: SOF: imx: Add i.MX8 HW support")
    Signed-off-by: Daniel Baluta
    Signed-off-by: Pierre-Louis Bossart
    Link: https://lore.kernel.org/r/20191220170531.10423-1-pierre-louis.bossart@linux.intel.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 54c396574b07f1d93f753edc926ba92efa7e4c78
Author: wenxu
Date:   Fri Dec 20 17:08:46 2019 +0800

    netfilter: nft_flow_offload: fix underflow in flowtable reference counter

    commit 8ca79606cdfde2e37ee4f0707b9d1874a6f0eb38 upstream.

    The .deactivate and .activate interfaces already deal with the reference counter. Otherwise, this results in spurious "Device is busy" errors.

    Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
    Signed-off-by: wenxu
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

commit 23d7750ec8fb74a0c3007fa3a7f57e5a5d7ca0c3
Author: Arnd Bergmann
Date:   Wed Dec 18 17:36:46 2019 +0100

    pinctrl: lochnagar: select GPIOLIB

    commit f7e36e18946b4ec756b9c5cf4fb8891be8d1e4a3 upstream.

    In a rare randconfig build I came across one configuration that does not enable CONFIG_GPIOLIB, which is needed by lochnagar:

    ERROR: "devm_gpiochip_add_data" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined!
    ERROR: "gpiochip_generic_free" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined!
    ERROR: "gpiochip_generic_request" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined!
    ERROR: "gpiochip_get_data" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined!

    Add another 'select' like all other pinctrl drivers have.
    Fixes: 0548448b719a ("pinctrl: lochnagar: Add support for the Cirrus Logic Lochnagar")
    Signed-off-by: Arnd Bergmann
    Link: https://lore.kernel.org/r/20191218163701.171914-1-arnd@arndb.de
    Acked-by: Charles Keepax
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit 8c475efd6cf3a6ecee9d06eb226bbcfb5d1cd176
Author: Olivier Moysan
Date:   Wed Dec 4 16:43:33 2019 +0100

    ASoC: stm32: spdifrx: fix input pin state management

    commit 3b7658679d88b5628939f9bdc8e613f79cd821f9 upstream.

    Changing input state in iec capture control is not safe, as the pin state may be changed concurrently by ASoC framework. Remove pin state handling in iec capture control.

    Note: This introduces a restriction on capture control, when pin sleep state is defined in device tree. In this case channel status can be captured only when an audio stream capture is active.

    Fixes: f68c2a682d44 ("ASoC: stm32: spdifrx: add power management")
    Signed-off-by: Olivier Moysan
    Link: https://lore.kernel.org/r/20191204154333.7152-4-olivier.moysan@st.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 06e929ccb9aa017a7e5a4bfbe47ca7d928f4a34e
Author: Olivier Moysan
Date:   Wed Dec 4 16:43:32 2019 +0100

    ASoC: stm32: spdifrx: fix race condition in irq handler

    commit 86e1956af4c863d653136fd6e5694adf2054dbaa upstream.

    When snd_pcm_stop() is called in interrupt routine, substream context may have already been released. Add protection on substream context.

    Fixes: 03e4d5d56fa5 ("ASoC: stm32: Add SPDIFRX support")
    Signed-off-by: Olivier Moysan
    Link: https://lore.kernel.org/r/20191204154333.7152-3-olivier.moysan@st.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit af3fb3ea167c20d1f4d364bea9f56ae17dfa4858
Author: Olivier Moysan
Date:   Wed Dec 4 16:43:31 2019 +0100

    ASoC: stm32: spdifrx: fix inconsistent lock state

    commit 2859b1784031b5709446af8f6039c467f136e67d upstream.
    In current spdifrx driver locks may be requested as follows:
    - request lock on iec capture control, when starting synchronization.
    - request lock in interrupt context, when spdifrx stop is called from IRQ handler.

    Take lock with IRQs disabled, to avoid the possible deadlock.

    Lockdep report:
    [ 74.278059] ================================
    [ 74.282306] WARNING: inconsistent lock state
    [ 74.290120] --------------------------------
    ...
    [ 74.314373] CPU0
    [ 74.314377] ----
    [ 74.314381] lock(&(&spdifrx->lock)->rlock);
    [ 74.314396]
    [ 74.314400] lock(&(&spdifrx->lock)->rlock);

    Fixes: 03e4d5d56fa5 ("ASoC: stm32: Add SPDIFRX support")
    Signed-off-by: Olivier Moysan
    Link: https://lore.kernel.org/r/20191204154333.7152-2-olivier.moysan@st.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 5585d2a98904c253d9c448e7b2ed2620bf7ec665
Author: Daniel Baluta
Date:   Wed Dec 4 17:13:33 2019 +0200

    ASoC: soc-core: Set dpcm_playback / dpcm_capture

    commit 218fe9b7ec7f32c10a07539365488d80af7b0084 upstream.

    When converting a normal link to a DPCM link we need to set dpcm_playback / dpcm_capture otherwise playback/capture streams will not be created resulting in errors like this:

    [ 36.039111] sai1-wm8960-hifi: ASoC: no backend playback stream

    Fixes: a655de808cbde ("ASoC: core: Allow topology to override machine driver FE DAI link config")
    Signed-off-by: Daniel Baluta
    Link: https://lore.kernel.org/r/20191204151333.26625-1-daniel.baluta@nxp.com
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit d918aacabc45309811791652a0fb8279169c32f9
Author: Colin Ian King
Date:   Wed Dec 4 12:48:16 2019 +0000

    ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev

    commit 98910e1d61384430a080b4bcf986c3b0cf3fdf46 upstream.

    The memory allocation failure check for priv->pd_dev is incorrectly pointer checking priv instead of priv->pd_dev. Fix this.

Addresses-Coverity: ("Logically dead code")
Fixes: 202acc565a1f ("ASoC: SOF: imx: Add i.MX8 HW support")
Signed-off-by: Colin Ian King
Reviewed-by: Daniel Baluta
Acked-by: Pierre-Louis Bossart
Link: https://lore.kernel.org/r/20191204124816.1415359-1-colin.king@canonical.com
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 0ca980a82c0a65ae2cf8aff021ef6e946c760502
Author: Stefan Wahren
Date: Sat Jan 4 16:13:20 2020 +0100

i2c: bcm2835: Store pointer to bus clock

commit 3b722da6672df8392f9c43d7c7e04bddd81d7e37 upstream.

The commit bebff81fb8b9 ("i2c: bcm2835: Model Divider in CCF")
introduced a NULL pointer dereference on driver unload. It seems that
we can't fetch the bus clock via devm_clk_get in bcm2835_i2c_remove. As
an alternative approach store a pointer to the bus clock in the private
driver structure.

Fixes: bebff81fb8b9 ("i2c: bcm2835: Model Divider in CCF")
Signed-off-by: Stefan Wahren
Signed-off-by: Wolfram Sang
Signed-off-by: Greg Kroah-Hartman

commit ddd9320a5ab5319ec0093bc0f8ca383ead670af7
Author: Christophe Kerello
Date: Mon Dec 16 10:01:55 2019 +0100

mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus

commit 4114b17af41272e14939b000ce8f3ed7ba937e3c upstream.

We are currently using nand_soft_waitrdy to poll the status of the NAND
flash. FMC2 enables the wait feature bit (this feature is mandatory for
the sequencer mode). By enabling this feature, we can't poll the status
of the NAND flash, the read status command is stuck in FMC2 pipeline
until R/B# signal is high, and locks the CPU bus.

To avoid locking the CPU bus, we poll FMC2 ISR register. This register
reports the status of the R/B# signal.

Fixes: 2cd457f328c1 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver")
Signed-off-by: Christophe Kerello
Signed-off-by: Miquel Raynal
Signed-off-by: Greg Kroah-Hartman

commit db8cd32198d9680599c528201623bbae15f3f06a
Author: Kaike Wan
Date: Thu Dec 19 16:19:41 2019 -0500

IB/hfi1: Don't cancel unused work item

commit ca9033ba69c7e3477f207df69867b2ea969197c8 upstream.

In the iowait structure, two iowait_work entries were included to queue
a given object: one for normal IB operations, and the other for TID
RDMA operations. For non-TID RDMA operations, the iowait_work structure
for TID RDMA is initialized to contain a NULL function (not used). When
the QP is reset, the function iowait_cancel_work will be called to
cancel any pending work. The problem is that this function will call
cancel_work_sync() for both iowait_work entries, even though the one
for TID RDMA is not used at all. Eventually, the call cascades to
__flush_work(), wherein a WARN_ON will be triggered due to the fact
that work->func is NULL.

The WARN_ON was introduced in commit 4d43d395fed1 ("workqueue: Try to
catch flush_work() without INIT_WORK().")

This patch fixes the issue by making sure that a work function is
present for TID RDMA before calling cancel_work_sync in
iowait_cancel_work.

Fixes: 4d43d395fed1 ("workqueue: Try to catch flush_work() without INIT_WORK().")
Fixes: 5da0fc9dbf89 ("IB/hfi1: Prepare resource waits for dual leg")
Link: https://lore.kernel.org/r/20191219211941.58387.39883.stgit@awfm-01.aw.intel.com
Reviewed-by: Mike Marciniszyn
Signed-off-by: Kaike Wan
Signed-off-by: Dennis Dalessandro
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit c119d7738c45a8b2ad8e61cfaaaab96c162992da
Author: Selvin Xavier
Date: Mon Nov 25 00:39:30 2019 -0800

RDMA/bnxt_re: Fix Send Work Entry state check while polling completions

commit c5275723580922e5f3264f96751337661a153c7d upstream.

Some adapters need a fence Work Entry to handle retransmission.
Currently the driver checks for this condition, only if the Send queue
entry is signalled. Implement the condition check, irrespective of the
signalled state of the Work queue entries.

Failure to add the fence can result in access to memory that is already
marked as completed, triggering data corruption, transmission failure,
IOMMU failures, etc.

Fixes: 9152e0b722b2 ("RDMA/bnxt_re: HW workarounds for handling specific conditions")
Link: https://lore.kernel.org/r/1574671174-5064-3-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Selvin Xavier
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit ccde461f066703d4896d6b0ebe6fa8502ce41cf2
Author: Selvin Xavier
Date: Mon Nov 25 00:39:29 2019 -0800

RDMA/bnxt_re: Avoid freeing MR resources if dereg fails

commit 9a4467a6b282a299b932608ac2c9034f8415359f upstream.

The driver returns an error code for MR dereg, but frees the MR
structure. When the MR dereg is retried due to previous error, the
system crashes as the structure is already freed.

BUG: unable to handle kernel NULL pointer dereference at 00000000000001b8
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 7 PID: 12178 Comm: ib_send_bw Kdump: loaded Not tainted 4.18.0-124.el8.x86_64 #1
Hardware name: Dell Inc.
PowerEdge R430/03XKDV, BIOS 1.1.10 03/10/2015
RIP: 0010:__dev_printk+0x2a/0x70
Code: 0f 1f 44 00 00 49 89 d1 48 85 f6 0f 84 f6 2b 00 00 4c 8b 46 70 4d 85 c0 75 04 4c 8b 46 10 48 8b 86 a8 00 00 00 48 85 c0 74 16 <48> 8b 08 0f be 7f 01 48 c7 c2 13 ac ac 83 83 ef 30 e9 10 fe ff ff
RSP: 0018:ffffaf7c04607a60 EFLAGS: 00010006
RAX: 00000000000001b8 RBX: ffffa0010c91c488 RCX: 0000000000000246
RDX: ffffaf7c04607a68 RSI: ffffa0010c91caa8 RDI: ffffffff83a788eb
RBP: ffffaf7c04607ac8 R08: 0000000000000000 R09: ffffaf7c04607a68
R10: 0000000000000000 R11: 0000000000000001 R12: ffffaf7c04607b90
R13: 000000000000000e R14: 0000000000000000 R15: 00000000ffffa001
FS: 0000146fa1f1cdc0(0000) GS:ffffa0012fac0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001b8 CR3: 000000007680a003 CR4: 00000000001606e0
Call Trace:
 dev_err+0x6c/0x90
 ? dev_printk_emit+0x4e/0x70
 bnxt_qplib_rcfw_send_message+0x594/0x660 [bnxt_re]
 ? dev_err+0x6c/0x90
 bnxt_qplib_free_mrw+0x80/0xe0 [bnxt_re]
 bnxt_re_dereg_mr+0x2e/0xd0 [bnxt_re]
 ib_dereg_mr+0x2f/0x50 [ib_core]
 destroy_hw_idr_uobject+0x20/0x70 [ib_uverbs]
 uverbs_destroy_uobject+0x2e/0x170 [ib_uverbs]
 __uverbs_cleanup_ufile+0x6e/0x90 [ib_uverbs]
 uverbs_destroy_ufile_hw+0x61/0x130 [ib_uverbs]
 ib_uverbs_close+0x1f/0x80 [ib_uverbs]
 __fput+0xb7/0x230
 task_work_run+0x8a/0xb0
 do_exit+0x2da/0xb40
...
RIP: 0033:0x146fa113a387
Code: Bad RIP value.
RSP: 002b:00007fff945d1478 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
RAX: 0000000000000000 RBX: 000055a248908d70 RCX: 0000000000000000
RDX: 0000146fa1f2b000 RSI: 0000000000000001 RDI: 000055a248906488
RBP: 000055a248909630 R08: 0000000000010000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000055a248906488
R13: 0000000000000001 R14: 0000000000000000 R15: 000055a2489095f0

Do not free the MR structures, when driver returns error to the stack.

Fixes: 872f3578241d ("RDMA/bnxt_re: Add support for MRs with Huge pages")
Link: https://lore.kernel.org/r/1574671174-5064-2-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Selvin Xavier
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

commit 21b5fa1340cf10dbb6221c7f167d310b63f645ce
Author: Tony Lindgren
Date: Fri Aug 30 14:43:12 2019 -0700

phy: mapphone-mdm6600: Fix uninitialized status value regression

commit af5d44de571811a151510bfd1236407b7f551cd9 upstream.

Only the used bits get cleared with bitmap_zero() when we call
gpiod_get_array_value_cansleep(). We must mask only the bits we're
using for ddata->status as the other bits in the bitmap may not be
initialized.

And let's also drop useless debug code accidentally left over while at
it.

Fixes: b9762bebc633 ("gpiolib: Pass bitmaps, not integer arrays, to get/set array")
Cc: Jacopo Mondi
Cc: Janusz Krzysztofik
Cc: Linus Walleij
Cc: Marcel Partap
Cc: Merlijn Wajer
Cc: Michael Scott
Cc: NeKit
Cc: Pavel Machek
Cc: Sebastian Reichel
Signed-off-by: Tony Lindgren
Signed-off-by: Kishon Vijay Abraham I
Signed-off-by: Greg Kroah-Hartman

commit b12c83520b6aa7b9aceeda208fc4d532184dac2f
Author: Ran Bi
Date: Wed Dec 11 17:43:54 2019 +0800

rtc: mt6397: fix alarm register overwrite

commit 653997eeecef95c3ead4fba1b2d27e6a5854d6cd upstream.

Alarm registers high byte was reserved for other functions. This adds a
mask in the alarm registers operation functions. This also fixes an
error condition in the interrupt handler.

Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver")
Signed-off-by: Ran Bi
Signed-off-by: Hsin-Hsiung Wang
Link: https://lore.kernel.org/r/1576057435-3561-6-git-send-email-hsin-hsiung.wang@mediatek.com
Signed-off-by: Alexandre Belloni
Signed-off-by: Greg Kroah-Hartman

commit 51c5c788d6ef4e2dd461d6bbfc5ae0d788b66f2b
Author: Jiri Kosina
Date: Fri Jan 10 15:32:51 2020 +0100

HID: hidraw, uhid: Always report EPOLLOUT

[ Upstream commit 9e635c2851df6caee651e589fbf937b637973c91 ]

hidraw and uhid device nodes are always available for writing so we
should always report EPOLLOUT and EPOLLWRNORM bits, not only in the
cases when there is nothing to read.

Reported-by: Linus Torvalds
Fixes: be54e7461ffdc ("HID: uhid: Fix returning EPOLLOUT from uhid_char_poll")
Fixes: 9f3b61dc1dd7b ("HID: hidraw: Fix returning EPOLLOUT from hidraw_poll")
Signed-off-by: Jiri Kosina
Signed-off-by: Sasha Levin
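
Added example, not part of this changelog and not the HID driver's code: a userspace C model of the poll-mask behaviour described in the hidraw/uhid commit above, showing that a caller waiting only for writability is held up by unread input under the old mask. The struct, the function names and the EV_* constants are assumptions made for this illustration; the "before" function models only what the commit message describes.

```c
#include <stdio.h>

/* Poll bits named in the commit message; values copied from the Linux UAPI
 * definitions so this userspace model builds without kernel headers. */
enum { EV_IN = 0x001, EV_OUT = 0x004, EV_RDNORM = 0x040, EV_WRNORM = 0x100 };

/* Hypothetical stand-in for one open hidraw/uhid node. */
struct model_node { unsigned queued; /* input reports waiting to be read */ };

/* Behaviour the commit message calls wrong: writability is reported only
 * when there is nothing to read. */
static unsigned poll_before(const struct model_node *n)
{
    if (n->queued)
        return EV_IN | EV_RDNORM;
    return EV_OUT | EV_WRNORM;
}

/* Behaviour the commit message asks for: always writable, readable on top. */
static unsigned poll_after(const struct model_node *n)
{
    unsigned mask = EV_OUT | EV_WRNORM;
    if (n->queued)
        mask |= EV_IN | EV_RDNORM;
    return mask;
}

/* A caller that waits only for EV_OUT (it wants to send an output report).
 * Returns how many input reports someone must read before the given poll
 * handler lets that caller proceed. */
static unsigned reads_needed_before_write(
        unsigned (*poll_fn)(const struct model_node *), struct model_node n)
{
    unsigned drained = 0;
    while (!(poll_fn(&n) & EV_OUT)) {
        n.queued--;     /* one report consumed by a reader */
        drained++;
    }
    return drained;
}

int main(void)
{
    struct model_node busy = { .queued = 3 };  /* constructed sample state */
    printf("before: %u reads, after: %u reads\n",
           reads_needed_before_write(poll_before, busy),
           reads_needed_before_write(poll_after, busy));
    return 0;
}
```

With no reader draining the queue, the "before" handler never reports EV_OUT to a write-only waiter, which is the stall the commit removes.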