commit 1752938529c614a8ed4432ecce6ebc95d3b87207 Author: Greg Kroah-Hartman Date: Tue Dec 29 13:47:12 2020 +0100 Linux 4.14.213 Tested-by: Jon Hunter Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Link: https://lore.kernel.org/r/20201228124904.654293249@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 845c8f20ef1babb5c047891342c5f8fe83e06d10 Author: Jubin Zhong Date: Wed Dec 2 10:33:42 2020 +0800 PCI: Fix pci_slot_release() NULL pointer dereference commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream. If kobject_init_and_add() fails, pci_slot_release() is called to delete slot->list from parent->slots. But slot->list hasn't been initialized yet, so we dereference a NULL pointer: Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197 task: ffffeb398a45ef10 task.stack: ffffeb398a470000 PC is at __list_del_entry_valid+0x5c/0xb0 LR is at pci_slot_release+0x84/0xe4 ... __list_del_entry_valid+0x5c/0xb0 pci_slot_release+0x84/0xe4 kobject_put+0x184/0x1c4 pci_create_slot+0x17c/0x1b4 __pci_hp_initialize+0x68/0xa4 pciehp_probe+0x1a4/0x2fc pcie_port_probe_service+0x58/0x84 driver_probe_device+0x320/0x470 Initialize slot->list before calling kobject_init_and_add() to avoid this. Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak") Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com Signed-off-by: Jubin Zhong Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v5.9+ Signed-off-by: Greg Kroah-Hartman commit c4ab54f86ad4c0a3f17648a92f022a4fad14d209 Author: Dan Williams Date: Fri Nov 20 08:50:07 2020 -0800 libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels commit 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 upstream. A recent change to ndctl to attempt to reconfigure namespaces in place uncovered a label accounting problem in block-window-type namespaces. The ndctl "create.sh" test is able to trigger this signature: WARNING: CPU: 34 PID: 9167 at drivers/nvdimm/label.c:1100 __blk_label_update+0x9a3/0xbc0 [libnvdimm] [..] RIP: 0010:__blk_label_update+0x9a3/0xbc0 [libnvdimm] [..] Call Trace: uuid_store+0x21b/0x2f0 [libnvdimm] kernfs_fop_write+0xcf/0x1c0 vfs_write+0xcc/0x380 ksys_write+0x68/0xe0 When allocated capacity for a namespace is renamed (new UUID) the labels with the old UUID need to be deleted. The ndctl behavior to always destroy namespaces on reconfiguration hid this problem. The immediate impact of this bug is limited since block-window-type namespaces only seem to exist in the specification and not in any shipping products. However, the label handling code is being reused for other technologies like CXL region labels, so there is a benefit to making sure both vertical labels sets (block-window) and horizontal label sets (pmem) have a functional reference implementation in libnvdimm. Fixes: c4703ce11c23 ("libnvdimm/namespace: Fix label tracking error") Cc: Cc: Vishal Verma Cc: Dave Jiang Cc: Ira Weiny Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 16366fd3e526789f65e7de8e55fe3b2e2f7bc67b Author: SeongJae Park Date: Mon Dec 14 10:08:40 2020 +0100 xenbus/xenbus_backend: Disallow pending watch messages commit 9996bd494794a2fe393e97e7a982388c6249aa76 upstream. 'xenbus_backend' watches 'state' of devices, which is writable by guests. Hence, if guests intensively updates it, dom0 will have lots of pending events that exhausting memory of dom0. In other words, guests can trigger dom0 memory pressure. This is known as XSA-349. However, the watch callback of it, 'frontend_changed()', reads only 'state', so doesn't need to have the pending events. To avoid the problem, this commit disallows pending watch messages for 'xenbus_backend' using the 'will_handle()' watch callback. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit af1b891bc383dc1a92d07e4e7ecf826f41391fa6 Author: SeongJae Park Date: Mon Dec 14 10:07:13 2020 +0100 xen/xenbus: Count pending messages for each watch commit 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc upstream. This commit adds a counter of pending messages for each watch in the struct. It is used to skip unnecessary pending messages lookup in 'unregister_xenbus_watch()'. It could also be used in 'will_handle' callback. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 21c50179d93712b812c37ac8dbc59bb733010147 Author: SeongJae Park Date: Mon Dec 14 10:05:47 2020 +0100 xen/xenbus/xen_bus_type: Support will_handle watch callback commit be987200fbaceaef340872841d4f7af2c5ee8dc3 upstream. This commit adds support of the 'will_handle' watch callback for 'xen_bus_type' users. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit b4f08f32301ce32f0b8416dc8ccabca4ba14439e Author: SeongJae Park Date: Mon Dec 14 10:04:18 2020 +0100 xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path() commit 2e85d32b1c865bec703ce0c962221a5e955c52c2 upstream. Some code does not directly make 'xenbus_watch' object and call 'register_xenbus_watch()' but use 'xenbus_watch_path()' instead. This commit adds support of 'will_handle' callback in the 'xenbus_watch_path()' and it's wrapper, 'xenbus_watch_pathfmt()'. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 92d4ced9881361aefa2f7bc58dab19aa4d28ddf8 Author: SeongJae Park Date: Mon Dec 14 10:02:45 2020 +0100 xen/xenbus: Allow watches discard events before queueing commit fed1755b118147721f2c87b37b9d66e62c39b668 upstream. If handling logics of watch events are slower than the events enqueue logic and the events can be created from the guests, the guests could trigger memory pressure by intensively inducing the events, because it will create a huge number of pending events that exhausting the memory. Fortunately, some watch events could be ignored, depending on its handler callback. For example, if the callback has interest in only one single path, the watch wouldn't want multiple pending events. Or, some watches could ignore events to same path. To let such watches to volutarily help avoiding the memory pressure situation, this commit introduces new watch callback, 'will_handle'. If it is not NULL, it will be called for each new event just before enqueuing it. Then, if the callback returns false, the event will be discarded. No watch is using the callback for now, though. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 62afce1adda51bd9d033dbec1dfe413891021bae Author: Pawel Wieczorkiewicz Date: Mon Dec 14 10:25:57 2020 +0100 xen-blkback: set ring->xenblkd to NULL after kthread_stop() commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream. When xen_blkif_disconnect() is called, the kernel thread behind the block interface is stopped by calling kthread_stop(ring->xenblkd). The ring->xenblkd thread pointer being non-NULL determines if the thread has been already stopped. Normally, the thread's function xen_blkif_schedule() sets the ring->xenblkd to NULL, when the thread's main loop ends. However, when the thread has not been started yet (i.e. wake_up_process() has not been called on it), the xen_blkif_schedule() function would not be called yet. In such case the kthread_stop() call returns -EINTR and the ring->xenblkd remains dangling. When this happens, any consecutive call to xen_blkif_disconnect (for example in frontend_changed() callback) leads to a kernel crash in kthread_stop() (e.g. NULL pointer dereference in exit_creds()). This is XSA-350. Cc: # 4.12 Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread") Reported-by: Olivier Benjamin Reported-by: Pawel Wieczorkiewicz Signed-off-by: Pawel Wieczorkiewicz Reviewed-by: Julien Grall Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 201ec6f9b72d92ebe0f0ce7ffcdb73f93422a1fc Author: Terry Zhou Date: Fri Nov 6 11:00:39 2020 +0100 clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 commit 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 upstream. There is an error in the current code that the XTAL MODE pin was set to NB MPP1_31 which should be NB MPP1_9. The latch register of NB MPP1_9 has different offset of 0x8. Signed-off-by: Terry Zhou [pali: Fix pin name in commit message] Signed-off-by: Pali Rohár Fixes: 7ea8250406a6 ("clk: mvebu: Add the xtal clock for Armada 3700 SoC") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201106100039.11385-1-pali@kernel.org Reviewed-by: Marek Behún Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit dcbda41ad7427cf377f86b1ecf039083e6d7e2f0 Author: Zhao Heming Date: Thu Nov 19 19:41:34 2020 +0800 md/cluster: fix deadlock when node is doing resync job commit bca5b0658020be90b6b504ca514fd80110204f71 upstream. md-cluster uses MD_CLUSTER_SEND_LOCK to make node can exclusively send msg. During sending msg, node can concurrently receive msg from another node. When node does resync job, grab token_lockres:EX may trigger a deadlock: ``` nodeA nodeB -------------------- -------------------- a. send METADATA_UPDATED held token_lockres:EX b. md_do_sync resync_info_update send RESYNCING + set MD_CLUSTER_SEND_LOCK + wait for holding token_lockres:EX c. mdadm /dev/md0 --remove /dev/sdg + held reconfig_mutex + send REMOVE + wait_event(MD_CLUSTER_SEND_LOCK) d. recv_daemon //METADATA_UPDATED from A process_metadata_update + (mddev_trylock(mddev) || MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD) //this time, both return false forever ``` Explaination: a. A send METADATA_UPDATED This will block another node to send msg b. B does sync jobs, which will send RESYNCING at intervals. This will be block for holding token_lockres:EX lock. c. B do "mdadm --remove", which will send REMOVE. This will be blocked by step : MD_CLUSTER_SEND_LOCK is 1. d. B recv METADATA_UPDATED msg, which send from A in step . This will be blocked by step : holding mddev lock, it makes wait_event can't hold mddev lock. (btw, MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD keep ZERO in this scenario.) There is a similar deadlock in commit 0ba959774e93 ("md-cluster: use sync way to handle METADATA_UPDATED msg") In that commit, step c is "update sb". This patch step c is "mdadm --remove". For fixing this issue, we can refer the solution of function: metadata_update_start. Which does the same grab lock_token action. lock_comm can use the same steps to avoid deadlock. By moving MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD from lock_token to lock_comm. It enlarge a little bit window of MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, but it is safe & can break deadlock. Repro steps (I only triggered 3 times with hundreds tests): two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB. ``` ssh root@node2 "mdadm -S --scan" mdadm -S --scan for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ count=20; done mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh \ --bitmap-chunk=1M ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" sleep 5 mkfs.xfs /dev/md0 mdadm --manage --add /dev/md0 /dev/sdi mdadm --wait /dev/md0 mdadm --grow --raid-devices=3 /dev/md0 mdadm /dev/md0 --fail /dev/sdg mdadm /dev/md0 --remove /dev/sdg mdadm --grow --raid-devices=2 /dev/md0 ``` test script will hung when executing "mdadm --remove". ``` # dump stacks by "echo t > /proc/sysrq-trigger" md0_cluster_rec D 0 5329 2 0x80004000 Call Trace: __schedule+0x1f6/0x560 ? _cond_resched+0x2d/0x40 ? schedule+0x4a/0xb0 ? process_metadata_update.isra.0+0xdb/0x140 [md_cluster] ? wait_woken+0x80/0x80 ? process_recvd_msg+0x113/0x1d0 [md_cluster] ? recv_daemon+0x9e/0x120 [md_cluster] ? md_thread+0x94/0x160 [md_mod] ? wait_woken+0x80/0x80 ? md_congested+0x30/0x30 [md_mod] ? kthread+0x115/0x140 ? __kthread_bind_mask+0x60/0x60 ? ret_from_fork+0x1f/0x40 mdadm D 0 5423 1 0x00004004 Call Trace: __schedule+0x1f6/0x560 ? __schedule+0x1fe/0x560 ? schedule+0x4a/0xb0 ? lock_comm.isra.0+0x7b/0xb0 [md_cluster] ? wait_woken+0x80/0x80 ? remove_disk+0x4f/0x90 [md_cluster] ? hot_remove_disk+0xb1/0x1b0 [md_mod] ? md_ioctl+0x50c/0xba0 [md_mod] ? wait_woken+0x80/0x80 ? blkdev_ioctl+0xa2/0x2a0 ? block_ioctl+0x39/0x40 ? ksys_ioctl+0x82/0xc0 ? __x64_sys_ioctl+0x16/0x20 ? do_syscall_64+0x5f/0x150 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 md0_resync D 0 5425 2 0x80004000 Call Trace: __schedule+0x1f6/0x560 ? schedule+0x4a/0xb0 ? dlm_lock_sync+0xa1/0xd0 [md_cluster] ? wait_woken+0x80/0x80 ? lock_token+0x2d/0x90 [md_cluster] ? resync_info_update+0x95/0x100 [md_cluster] ? raid1_sync_request+0x7d3/0xa40 [raid1] ? md_do_sync.cold+0x737/0xc8f [md_mod] ? md_thread+0x94/0x160 [md_mod] ? md_congested+0x30/0x30 [md_mod] ? kthread+0x115/0x140 ? __kthread_bind_mask+0x60/0x60 ? ret_from_fork+0x1f/0x40 ``` At last, thanks for Xiao's solution. Cc: stable@vger.kernel.org Signed-off-by: Zhao Heming Suggested-by: Xiao Ni Reviewed-by: Xiao Ni Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit b22fdfd458244b96e200db2c3058121ff0d06cde Author: Jonathan Cameron Date: Sun Sep 20 12:27:38 2020 +0100 iio:imu:bmi160: Fix too large a buffer. commit dc7de42d6b50a07b37feeba4c6b5136290fcee81 upstream. The comment implies this device has 3 sensor types, but it only has an accelerometer and a gyroscope (both 3D). As such the buffer does not need to be as long as stated. Note I've separated this from the following patch which fixes the alignment for passing to iio_push_to_buffers_with_timestamp() as they are different issues even if they affect the same line of code. Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Daniel Baluta Cc: Link: https://lore.kernel.org/r/20200920112742.170751-5-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 1c7f893a961db5fb75c195e70fc05102a86b0baa Author: Jonathan Cameron Date: Sun Sep 20 12:27:40 2020 +0100 iio:pressure:mpl3115: Force alignment of buffer commit 198cf32f0503d2ad60d320b95ef6fb8243db857f upstream. Whilst this is another case of the issue Lars reported with an array of elements of smaller than 8 bytes being passed to iio_push_to_buffers_with_timestamp(), the solution here is a bit different from the other cases and relies on __aligned working on the stack (true since 4.6?) This one is unusual. We have to do an explicit memset() each time as we are reading 3 bytes into a potential 4 byte channel which may sometimes be a 2 byte channel depending on what is enabled. As such, moving the buffer to the heap in the iio_priv structure doesn't save us much. We can't use a nice explicit structure on the stack either as the data channels have different storage sizes and are all separately controlled. Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Reviewed-by: Alexandru Ardelean Cc: Peter Meerwald Cc: Link: https://lore.kernel.org/r/20200920112742.170751-7-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 068ffbbb2480d82b7b7e912a80ae1f7e6cc404b8 Author: Jonathan Cameron Date: Sun Sep 20 12:27:35 2020 +0100 iio:light:rpr0521: Fix timestamp alignment and prevent data leak. commit a61817216bcc755eabbcb1cf281d84ccad267ed1 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc() so no data can leak apart from previous readings and in this case the status byte from the device. The forced alignment of ts is not necessary in this case but it potentially makes the code less fragile. >From personal communications with Mikko: We could probably split the reading of the int register, but it would mean a significant performance cost of 20 i2c clock cycles. Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Mikko Koivunen Cc: Link: https://lore.kernel.org/r/20200920112742.170751-2-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 75eeb06f57923a48bf3c8fa8944cb181d155ff77 Author: Qinglang Miao Date: Tue Nov 3 20:07:43 2020 +0800 iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume commit 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b upstream. Fix the missing clk_disable_unprepare() of info->pclk before return from rockchip_saradc_resume in the error handling case when fails to prepare and enable info->clk. Suggested-by: Robin Murphy Fixes: 44d6f2ef94f9 ("iio: adc: add driver for Rockchip saradc") Signed-off-by: Qinglang Miao Cc: Link: https://lore.kernel.org/r/20201103120743.110662-1-miaoqinglang@huawei.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 894d77998dab7c4db32042c5e80480c8aada1013 Author: Nuno Sá Date: Thu Nov 12 15:43:22 2020 +0100 iio: buffer: Fix demux update commit 19ef7b70ca9487773c29b449adf0c70f540a0aab upstream. When updating the buffer demux, we will skip a scan element from the device in the case `in_ind != out_ind` and we enter the while loop. in_ind should only be refreshed with `find_next_bit()` in the end of the loop. Note, to cause problems we need a situation where we are skippig over an element (channel not enabled) that happens to not have the same size as the next element. Whilst this is a possible situation we haven't actually identified any cases in mainline where it happens as most drivers have consistent channel storage sizes with the exception of the timestamp which is the last element and hence never skipped over. Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer") Signed-off-by: Nuno Sá Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit adf1611a920566e67b4e5ecafd6699dd5023f4fc Author: Sven Eckelmann Date: Tue Nov 24 07:25:06 2020 +0100 mtd: parser: cmdline: Fix parsing of part-names with colons commit 639a82434f16a6df0ce0e7c8595976f1293940fd upstream. Some devices (especially QCA ones) are already using hardcoded partition names with colons in it. The OpenMesh A62 for example provides following mtd relevant information via cmdline: root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait The change to split only on the last colon between mtd-id and partitions will cause newpart to see following string for the first partition: KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) Such a partition list cannot be parsed and thus the device fails to boot. Avoid this behavior by making sure that the start of the first part-name ("(") will also be the last byte the mtd-id split algorithm is using for its colon search. Fixes: eb13fa022741 ("mtd: parser: cmdline: Support MTD names containing one or more colons") Cc: stable@vger.kernel.org Cc: Ron Minnich Signed-off-by: Sven Eckelmann Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201124062506.185392-1-sven@narfation.org Signed-off-by: Greg Kroah-Hartman commit fc7f65e394728ac1d7491b82441b29131d1c73bc Author: Evan Green Date: Tue Sep 29 13:30:57 2020 -0700 soc: qcom: smp2p: Safely acquire spinlock without IRQs commit fc3e62e25c3896855b7c3d72df19ca6be3459c9f upstream. smp2p_update_bits() should disable interrupts when it acquires its spinlock. This is important because without the _irqsave, a priority inversion can occur. This function is called both with interrupts enabled in qcom_q6v5_request_stop(), and with interrupts disabled in ipa_smp2p_panic_notifier(). IRQ handling of spinlocks should be consistent to avoid the panic notifier deadlocking because it's sitting on the thread that's already got the lock via _request_stop(). Found via lockdep. Cc: stable@vger.kernel.org Fixes: 50e99641413e7 ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point") Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Evan Green Link: https://lore.kernel.org/r/20200929133040.RESEND.1.Ideabf6dcdfc577cf39ce3d95b0e4aa1ac8b38f0c@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 7b5e5a7f0f5cac9a40930ab099492729b75814df Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path commit 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb upstream. If the calls to devm_platform_ioremap_resource(), irq_of_parse_and_map() or devm_request_irq() fail on probe of the ST SSC4 SPI driver, the runtime PM disable depth is incremented even though it was not decremented before. Fix it. Fixes: cd050abeba2a ("spi: st-ssc4: add missed pm_runtime_disable") Signed-off-by: Lukas Wunner Cc: # v5.5+ Cc: Chuhong Yuan Link: https://lore.kernel.org/r/fbe8768c30dc829e2d77eabe7be062ca22f84024.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 00ce8e9edda060c3f457fe61bb53b0955ea284d8 Author: Lukas Wunner Date: Mon Dec 7 09:17:11 2020 +0100 spi: sc18is602: Don't leak SPI master in probe error path commit 5b8c88462d83331dacb48aeaec8388117fef82e0 upstream. If the call to devm_gpiod_get_optional() fails on probe of the NXP SC18IS602/603 SPI driver, the spi_master struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: f99008013e19 ("spi: sc18is602: Add reset control via gpio pin.") Signed-off-by: Lukas Wunner Cc: # v4.9+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.9+ Cc: Phil Reid Link: https://lore.kernel.org/r/d5f715527b894b91d530fe11a86f51b3184a4e1a.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d1647030ceccc7ab000a47d080442fb8bd6fecab Author: Lukas Wunner Date: Mon Dec 7 09:17:10 2020 +0100 spi: rb4xx: Don't leak SPI master in probe error path commit a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 upstream. If the calls to devm_clk_get(), devm_spi_register_master() or clk_prepare_enable() fail on probe of the Mikrotik RB4xx SPI driver, the spi_master struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: 05aec357871f ("spi: Add SPI driver for Mikrotik RB4xx series boards") Signed-off-by: Lukas Wunner Cc: # v4.2+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.2+ Cc: Bert Vermeulen Link: https://lore.kernel.org/r/369bf26d71927f60943b1d9d8f51810f00b0237d.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 140c30462c6f0d4a9bb33303becb94939b60c5a4 Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: pic32: Don't leak DMA channels in probe error path commit c575e9113bff5e024d75481613faed5ef9d465b2 upstream. If the calls to devm_request_irq() or devm_spi_register_master() fail on probe of the PIC32 SPI driver, the DMA channels requested by pic32_spi_dma_prep() are erroneously not released. Plug the leak. Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") Signed-off-by: Lukas Wunner Cc: # v4.7+ Cc: Purna Chandra Mandal Link: https://lore.kernel.org/r/9624250e3a7aa61274b38219a62375bac1def637.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 631aae36f0a7fe244a97aca0a466bb7f6db57d5e Author: Lukas Wunner Date: Mon Dec 7 09:17:01 2020 +0100 spi: davinci: Fix use-after-free on unbind commit 373afef350a93519b4b8d636b0895da8650b714b upstream. davinci_spi_remove() accesses the driver's private data after it's been freed with spi_master_put(). Fix by moving the spi_master_put() to the end of the function. Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel") Signed-off-by: Lukas Wunner Acked-by: Peter Ujfalusi Cc: # v4.7+ Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 483c8fa00e22d4b3d46131bb5886d981caa2b0c8 Author: Lukas Wunner Date: Mon Dec 7 09:17:04 2020 +0100 spi: spi-sh: Fix use-after-free on unbind commit e77df3eca12be4b17f13cf9f215cff248c57d98f upstream. spi_sh_remove() accesses the driver's private data after calling spi_unregister_master() even though that function releases the last reference on the spi_master and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound. Fixes: 680c1305e259 ("spi/spi_sh: use spi_unregister_master instead of spi_master_put in remove path") Signed-off-by: Lukas Wunner Cc: # v3.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v3.0+ Cc: Axel Lin Link: https://lore.kernel.org/r/6d97628b536baf01d5e3e39db61108f84d44c8b2.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0df9cfc3f610dfaef91d30f33c9051e0f13336a2 Author: Zwane Mwaikambo Date: Mon Oct 12 22:59:14 2020 -0700 drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() commit 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 upstream. I observed this when unplugging a DP monitor whilst a computer is asleep and then waking it up. This left DP chardev nodes still being present on the filesystem and accessing these device nodes caused an oops because drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened. This can also be reproduced by creating a device node with mknod(1) and issuing an open(2) [166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018 [166164.933202] #PF: supervisor read access in kernel mode [166164.933204] #PF: error_code(0x0000) - not-present page [166164.933205] PGD 0 P4D 0 [166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI [166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W 5.8.0-rc6+ #1 [166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W (1.11 ) 04/21/2020 [166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 [drm_kms_helper] [166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 <8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1 [166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246 [166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000 [166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180 [166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0 [166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003 [166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000 [166164.933244] FS: 00007f7fb041eb00(0000) GS:ffff8a9411500000(0000) knlGS:0000000000000000 [166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0 [166164.933247] Call Trace: [166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper] [166164.933278] chrdev_open+0xa7/0x1c0 [166164.933282] ? cdev_put.part.0+0x20/0x20 [166164.933287] do_dentry_open+0x161/0x3c0 [166164.933291] vfs_open+0x2d/0x30 [166164.933297] path_openat+0xb27/0x10e0 [166164.933306] ? atime_needs_update+0x73/0xd0 [166164.933309] do_filp_open+0x91/0x100 [166164.933313] ? __alloc_fd+0xb2/0x150 [166164.933316] do_sys_openat2+0x210/0x2d0 [166164.933318] do_sys_open+0x46/0x80 [166164.933320] __x64_sys_openat+0x20/0x30 [166164.933328] do_syscall_64+0x52/0xc0 [166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 (gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29 Dump of assembler code for function drm_dp_aux_dev_get_by_minor: 0x0000000000017b10 <+0>: callq 0x17b15 0x0000000000017b15 <+5>: push %rbp 0x0000000000017b16 <+6>: mov %rsp,%rbp 0x0000000000017b19 <+9>: push %r12 0x0000000000017b1b <+11>: mov %edi,%r12d 0x0000000000017b1e <+14>: mov $0x0,%rdi 0x0000000000017b25 <+21>: callq 0x17b2a 0x0000000000017b2a <+26>: mov %r12d,%esi 0x0000000000017b2d <+29>: mov $0x0,%rdi 0x0000000000017b34 <+36>: callq 0x17b39 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <========= 0x0000000000017b3c <+44>: mov %rax,%r12 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi 0x0000000000017b43 <+51>: test %edx,%edx 0x0000000000017b45 <+53>: je 0x17b7a 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx 0x0000000000017b4a <+58>: mov %edx,%eax 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi) 0x0000000000017b50 <+64>: jne 0x17b76 0x0000000000017b52 <+66>: test %edx,%edx 0x0000000000017b54 <+68>: js 0x17b6d 0x0000000000017b56 <+70>: test %ecx,%ecx 0x0000000000017b58 <+72>: js 0x17b6d 0x0000000000017b5a <+74>: mov $0x0,%rdi 0x0000000000017b61 <+81>: callq 0x17b66 0x0000000000017b66 <+86>: mov %r12,%rax 0x0000000000017b69 <+89>: pop %r12 0x0000000000017b6b <+91>: pop %rbp 0x0000000000017b6c <+92>: retq 0x0000000000017b6d <+93>: xor %esi,%esi 0x0000000000017b6f <+95>: callq 0x17b74 0x0000000000017b74 <+100>: jmp 0x17b5a 0x0000000000017b76 <+102>: mov %eax,%edx 0x0000000000017b78 <+104>: jmp 0x17b43 0x0000000000017b7a <+106>: xor %r12d,%r12d 0x0000000000017b7d <+109>: jmp 0x17b5a End of assembler dump. (gdb) list *drm_dp_aux_dev_get_by_minor+0x29 0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65). 60 static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index) 61 { 62 struct drm_dp_aux_dev *aux_dev = NULL; 63 64 mutex_lock(&aux_idr_mutex); 65 aux_dev = idr_find(&aux_idr, index); 66 if (!kref_get_unless_zero(&aux_dev->refcount)) 67 aux_dev = NULL; 68 mutex_unlock(&aux_idr_mutex); 69 (gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount $8 = 0x18 Looking at the caller, checks on the minor are pushed down to drm_dp_aux_dev_get_by_minor() static int auxdev_open(struct inode *inode, struct file *file) { unsigned int minor = iminor(inode); struct drm_dp_aux_dev *aux_dev; aux_dev = drm_dp_aux_dev_get_by_minor(minor); <==== if (!aux_dev) return -ENODEV; file->private_data = aux_dev; return 0; } Fixes: e94cb37b34eb ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.") Cc: # v4.6+ Signed-off-by: Zwane Mwaikambo Reviewed-by: Lyude Paul [added Cc to stable] Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home Signed-off-by: Greg Kroah-Hartman commit 4a0809752ef23cd4be99b0cd8f7586c8ed7bd433 Author: Dave Kleikamp Date: Fri Nov 13 14:58:46 2020 -0600 jfs: Fix array index bounds check in dbAdjTree commit c61b3e4839007668360ed8b87d7da96d2e59fc6c upstream. Bounds checking tools can flag a bug in dbAdjTree() for an array index out of bounds in dmt_stree. Since dmt_stree can refer to the stree in both structures dmaptree and dmapctl, use the larger array to eliminate the false positive. Signed-off-by: Dave Kleikamp Reported-by: butt3rflyh4ck Signed-off-by: Greg Kroah-Hartman commit 598618c38a77b43c4b70ab4f14657127a12cbf1e Author: Zhe Li Date: Fri May 29 11:37:11 2020 +0800 jffs2: Fix GC exit abnormally commit 9afc9a8a4909fece0e911e72b1060614ba2f7969 upstream. The log of this problem is: jffs2: Error garbage collecting node at 0x***! jffs2: No space for garbage collection. Aborting GC thread This is because GC believe that it do nothing, so it abort. After going over the image of jffs2, I find a scene that can trigger this problem stably. The scene is: there is a normal dirent node at summary-area, but abnormal at corresponding not-summary-area with error name_crc. The reason that GC exit abnormally is because it find that abnormal dirent node to GC, but when it goes to function jffs2_add_fd_to_list, it cannot meet the condition listed below: if ((*prev)->nhash == new->nhash && !strcmp((*prev)->name, new->name)) So no node is marked obsolete, statistical information of erase_block do not change, which cause GC exit abnormally. The root cause of this problem is: we do not check the name_crc of the abnormal dirent node with summary is enabled. Noticed that in function jffs2_scan_dirent_node, we use function jffs2_scan_dirty_space to deal with the dirent node with error name_crc. So this patch add a checking code in function read_direntry to ensure the correctness of dirent node. If checked failed, the dirent node will be marked obsolete so GC will pass this node and this problem will be fixed. Cc: Signed-off-by: Zhe Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 0d00b87138f0af2d6400a39a1a9fd7921eb679e3 Author: Luis Henriques Date: Thu Nov 12 10:45:12 2020 +0000 ceph: fix race in concurrent __ceph_remove_cap invocations commit e5cafce3ad0f8652d6849314d951459c2bff7233 upstream. A NULL pointer dereference may occur in __ceph_remove_cap with some of the callbacks used in ceph_iterate_session_caps, namely trim_caps_cb and remove_session_caps_cb. Those callers hold the session->s_mutex, so they are prevented from concurrent execution, but ceph_evict_inode does not. Since the callers of this function hold the i_ceph_lock, the fix is simply a matter of returning immediately if caps->ci is NULL. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/43272 Suggested-by: Jeff Layton Signed-off-by: Luis Henriques Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 07c67ec649e049582b3fbb3418bc5f74b361a541 Author: Roberto Sassu Date: Thu Nov 26 11:34:56 2020 +0100 ima: Don't modify file descriptor mode on the fly commit 207cdd565dfc95a0a5185263a567817b7ebf5467 upstream. Commit a408e4a86b36b ("ima: open a new file instance if no read permissions") already introduced a second open to measure a file when the original file descriptor does not allow it. However, it didn't remove the existing method of changing the mode of the original file descriptor, which is still necessary if the current process does not have enough privileges to open a new one. Changing the mode isn't really an option, as the filesystem might need to do preliminary steps to make the read possible. Thus, this patch removes the code and keeps the second open as the only option to measure a file when it is unreadable with the original file descriptor. Cc: # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension") Signed-off-by: Roberto Sassu Reviewed-by: Christoph Hellwig Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit 3363b1f73f5daa11d9641a26128a65546996a0a0 Author: David Hildenbrand Date: Wed Nov 11 15:53:15 2020 +0100 powerpc/powernv/memtrace: Don't leak kernel memory to user space commit c74cf7a3d59a21b290fe0468f5b470d0b8ee37df upstream. We currently leak kernel memory to user space, because memory offlining doesn't do any implicit clearing of memory and we are missing explicit clearing of memory. Let's keep it simple and clear pages before removing the linear mapping. Reproduced in QEMU/TCG with 10 GiB of main memory: [root@localhost ~]# dd obs=9G if=/dev/urandom of=/dev/null [... wait until "free -m" used counter no longer changes and cancel] 19665802+0 records in 1+0 records out 9663676416 bytes (9.7 GB, 9.0 GiB) copied, 135.548 s, 71.3 MB/s [root@localhost ~]# cat /sys/devices/system/memory/block_size_bytes 40000000 [root@localhost ~]# echo 0x40000000 > /sys/kernel/debug/powerpc/memtrace/enable [ 402.978663][ T1086] page:000000001bc4bc74 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24900 [ 402.980063][ T1086] flags: 0x7ffff000001000(reserved) [ 402.980415][ T1086] raw: 007ffff000001000 c00c000000924008 c00c000000924008 0000000000000000 [ 402.980627][ T1086] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 402.980845][ T1086] page dumped because: unmovable page [ 402.989608][ T1086] Offlined Pages 16384 [ 403.324155][ T1086] memtrace: Allocated trace memory on node 0 at 0x0000000200000000 Before this patch: [root@localhost ~]# hexdump -C /sys/kernel/debug/powerpc/memtrace/00000000/trace | head 00000000 c8 25 72 51 4d 26 36 c5 5c c2 56 15 d5 1a cd 10 |.%rQM&6.\.V.....| 00000010 19 b9 50 b2 cb e3 60 b8 ec 0a f3 ec 4b 3c 39 f0 |..P...`.....K<9.|$ 00000020 4e 5a 4c cf bd 26 19 ff 37 79 13 67 24 b7 b8 57 |NZL..&..7y.g$..W|$ 00000030 98 3e f5 be 6f 14 6a bd a4 52 bc 6e e9 e0 c1 5d |.>..o.j..R.n...]|$ 00000040 76 b3 ae b5 88 d7 da e3 64 23 85 2c 10 88 07 b6 |v.......d#.,....|$ 00000050 9a d8 91 de f7 50 27 69 2e 64 9c 6f d3 19 45 79 |.....P'i.d.o..Ey|$ 00000060 6a 6f 8a 61 71 19 1f c7 f1 df 28 26 ca 0f 84 55 |jo.aq.....(&...U|$ 00000070 01 3f be e4 e2 e1 da ff 7b 8c 8e 32 37 b4 24 53 |.?......{..27.$S|$ 00000080 1b 70 30 45 56 e6 8c c4 0e b5 4c fb 9f dd 88 06 |.p0EV.....L.....|$ 00000090 ef c4 18 79 f1 60 b1 5c 79 59 4d f4 36 d7 4a 5c |...y.`.\yYM.6.J\|$ After this patch: [root@localhost ~]# hexdump -C /sys/kernel/debug/powerpc/memtrace/00000000/trace | head 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 40000000 Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") Cc: stable@vger.kernel.org # v4.14+ Reported-by: Michael Ellerman Signed-off-by: David Hildenbrand Reviewed-by: Oscar Salvador Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201111145322.15793-2-david@redhat.com Signed-off-by: Greg Kroah-Hartman commit cf340b9cfe1cca3180053509b14af371627be878 Author: Christophe Leroy Date: Fri Dec 4 10:35:38 2020 +0000 powerpc/xmon: Change printk() to pr_cont() commit 7c6c86b36a36dd4a13d30bba07718e767aa2e7a1 upstream. Since some time now, printk() adds carriage return, leading to unusable xmon output if there is no udbg backend available: [ 54.288722] sysrq: Entering xmon [ 54.292209] Vector: 0 at [cace3d2c] [ 54.292274] pc: [ 54.292331] c0023650 [ 54.292468] : xmon+0x28/0x58 [ 54.292519] [ 54.292574] lr: [ 54.292630] c0023724 [ 54.292749] : sysrq_handle_xmon+0xa4/0xfc [ 54.292801] [ 54.292867] sp: cace3de8 [ 54.292931] msr: 9032 [ 54.292999] current = 0xc28d0000 [ 54.293072] pid = 377, comm = sh [ 54.293157] Linux version 5.10.0-rc6-s3k-dev-01364-gedf13f0ccd76-dirty (root@po17688vm.idsi0.si.c-s.fr) (powerpc64-linux-gcc (GCC) 10.1.0, GNU ld (GNU Binutils) 2.34) #4211 PREEMPT Fri Dec 4 09:32:11 UTC 2020 [ 54.293287] enter ? for help [ 54.293470] [cace3de8] [ 54.293532] c0023724 [ 54.293654] sysrq_handle_xmon+0xa4/0xfc [ 54.293711] (unreliable) ... [ 54.296002] [ 54.296159] --- Exception: c01 (System Call) at [ 54.296217] 0fd4e784 [ 54.296303] [ 54.296375] SP (7fca6ff0) is in userspace [ 54.296431] mon> [ 54.296484] Use pr_cont() instead. Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines") Cc: stable@vger.kernel.org # v4.9+ Signed-off-by: Christophe Leroy [mpe: Mention that it only happens when udbg is not available] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/c8a6ec704416ecd5ff2bd26213c9bc026bdd19de.1607077340.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 71d14e7bebe7c89cd3d0e6a33e7e81b9b4c0dd7e Author: Tyrel Datwyler Date: Tue Dec 8 13:54:34 2020 -0600 powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter commit f10881a46f8914428110d110140a455c66bdf27b upstream. Commit bd59380c5ba4 ("powerpc/rtas: Restrict RTAS requests from userspace") introduced the following error when invoking the errinjct userspace tool: [root@ltcalpine2-lp5 librtas]# errinjct open [327884.071171] sys_rtas: RTAS call blocked - exploit attempt? [327884.071186] sys_rtas: token=0x26, nargs=0 (called by errinjct) errinjct: Could not open RTAS error injection facility errinjct: librtas: open: Unexpected I/O error The entry for ibm,open-errinjct in rtas_filter array has a typo where the "j" is omitted in the rtas call name. After fixing this typo the errinjct tool functions again as expected. [root@ltcalpine2-lp5 linux]# errinjct open RTAS error injection facility open, token = 1 Fixes: bd59380c5ba4 ("powerpc/rtas: Restrict RTAS requests from userspace") Cc: stable@vger.kernel.org Signed-off-by: Tyrel Datwyler Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201208195434.8289-1-tyreld@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit aa81ca1a407804e840af528579fbdb3362e20f84 Author: Nicolas Ferre Date: Thu Dec 3 10:19:49 2020 +0100 ARM: dts: at91: sama5d2: fix CAN message ram offset and size commit 85b8350ae99d1300eb6dc072459246c2649a8e50 upstream. CAN0 and CAN1 instances share the same message ram configured at 0x210000 on sama5d2 Linux systems. According to current configuration of CAN0, we need 0x1c00 bytes so that the CAN1 don't overlap its message ram: 64 x RX FIFO0 elements => 64 x 72 bytes 32 x TXE (TX Event FIFO) elements => 32 x 8 bytes 32 x TXB (TX Buffer) elements => 32 x 72 bytes So a total of 7168 bytes (0x1C00). Fix offset to match this needed size. Make the CAN0 message ram ioremap match exactly this size so that is easily understandable. Adapt CAN1 size accordingly. Fixes: bc6d5d7666b7 ("ARM: dts: at91: sama5d2: add m_can nodes") Reported-by: Dan Sneddon Signed-off-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Tested-by: Cristian Birsan Cc: stable@vger.kernel.org # v4.13+ Link: https://lore.kernel.org/r/20201203091949.9015-1-nicolas.ferre@microchip.com Signed-off-by: Greg Kroah-Hartman commit b287372c5f380d6761dbedc1bf9c3ba5413e932c Author: Marc Zyngier Date: Tue Nov 10 11:10:15 2020 +0000 KVM: arm64: Introduce handling of AArch32 TTBCR2 traps commit ca4e514774930f30b66375a974b5edcbebaf0e7e upstream. ARMv8.2 introduced TTBCR2, which shares TCR_EL1 with TTBCR. Gracefully handle traps to this register when HCR_EL2.TVM is set. Cc: stable@vger.kernel.org Reported-by: James Morse Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit f1a79efe1cee0d9e18bc6a52827d7a03c6cd2226 Author: Jan Kara Date: Fri Nov 27 12:06:49 2020 +0100 ext4: fix deadlock with fs freezing and EA inodes commit 46e294efc355c48d1dd4d58501aa56dac461792a upstream. Xattr code using inodes with large xattr data can end up dropping last inode reference (and thus deleting the inode) from places like ext4_xattr_set_entry(). That function is called with transaction started and so ext4_evict_inode() can deadlock against fs freezing like: CPU1 CPU2 removexattr() freeze_super() vfs_removexattr() ext4_xattr_set() handle = ext4_journal_start() ... ext4_xattr_set_entry() iput(old_ea_inode) ext4_evict_inode(old_ea_inode) sb->s_writers.frozen = SB_FREEZE_FS; sb_wait_write(sb, SB_FREEZE_FS); ext4_freeze() jbd2_journal_lock_updates() -> blocks waiting for all handles to stop sb_start_intwrite() -> blocks as sb is already in SB_FREEZE_FS state Generally it is advisable to delete inodes from a separate transaction as it can consume quite some credits however in this case it would be quite clumsy and furthermore the credits for inode deletion are quite limited and already accounted for. So just tweak ext4_evict_inode() to avoid freeze protection if we have transaction already started and thus it is not really needed anyway. Cc: stable@vger.kernel.org Fixes: dec214d00e0d ("ext4: xattr inode deduplication") Signed-off-by: Jan Kara Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20201127110649.24730-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit ee05c2c80f8fce5deeda4ca4908f2ee8c51150b9 Author: Chunguang Xu Date: Sat Nov 7 23:58:18 2020 +0800 ext4: fix a memory leak of ext4_free_data commit cca415537244f6102cbb09b5b90db6ae2c953bdd upstream. When freeing metadata, we will create an ext4_free_data and insert it into the pending free list. After the current transaction is committed, the object will be freed. ext4_mb_free_metadata() will check whether the area to be freed overlaps with the pending free list. If true, return directly. At this time, ext4_free_data is leaked. Fortunately, the probability of this problem is small, since it only occurs if the file system is corrupted such that a block is claimed by more one inode and those inodes are deleted within a single jbd2 transaction. Signed-off-by: Chunguang Xu Link: https://lore.kernel.org/r/1604764698-4269-8-git-send-email-brookxu@tencent.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit b05bbf7f64df5221873bd633c3810efcd0571529 Author: Pavel Machek Date: Mon Aug 3 11:35:06 2020 +0200 btrfs: fix return value mixup in btrfs_get_extent commit 881a3a11c2b858fe9b69ef79ac5ee9978a266dc9 upstream btrfs_get_extent() sets variable ret, but out: error path expect error to be in variable err so the error code is lost. Fixes: 6bf9e4bd6a27 ("btrfs: inode: Verify inode mode to avoid NULL pointer dereference") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Nikolay Borisov Signed-off-by: Pavel Machek (CIP) Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit c1528b789816efb09418ecf445555feeb4ea4816 Author: Filipe Manana Date: Wed Sep 18 13:08:52 2019 +0100 Btrfs: fix selftests failure due to uninitialized i_mode in test inodes commit 9f7fec0ba89108b9385f1b9fb167861224912a4a upstream Some of the self tests create a test inode, setup some extents and then do calls to btrfs_get_extent() to test that the corresponding extent maps exist and are correct. However btrfs_get_extent(), since the 5.2 merge window, now errors out when it finds a regular or prealloc extent for an inode that does not correspond to a regular file (its ->i_mode is not S_IFREG). This causes the self tests to fail sometimes, specially when KASAN, slub_debug and page poisoning are enabled: $ modprobe btrfs modprobe: ERROR: could not insert 'btrfs': Invalid argument $ dmesg [ 9414.691648] Btrfs loaded, crc32c=crc32c-intel, debug=on, assert=on, integrity-checker=on, ref-verify=on [ 9414.692655] BTRFS: selftest: sectorsize: 4096 nodesize: 4096 [ 9414.692658] BTRFS: selftest: running btrfs free space cache tests [ 9414.692918] BTRFS: selftest: running extent only tests [ 9414.693061] BTRFS: selftest: running bitmap only tests [ 9414.693366] BTRFS: selftest: running bitmap and extent tests [ 9414.696455] BTRFS: selftest: running space stealing from bitmap to extent tests [ 9414.697131] BTRFS: selftest: running extent buffer operation tests [ 9414.697133] BTRFS: selftest: running btrfs_split_item tests [ 9414.697564] BTRFS: selftest: running extent I/O tests [ 9414.697583] BTRFS: selftest: running find delalloc tests [ 9415.081125] BTRFS: selftest: running find_first_clear_extent_bit test [ 9415.081278] BTRFS: selftest: running extent buffer bitmap tests [ 9415.124192] BTRFS: selftest: running inode tests [ 9415.124195] BTRFS: selftest: running btrfs_get_extent tests [ 9415.127909] BTRFS: selftest: running hole first btrfs_get_extent test [ 9415.128343] BTRFS critical (device (efault)): regular/prealloc extent found for non-regular inode 256 [ 9415.131428] BTRFS: selftest: fs/btrfs/tests/inode-tests.c:904 expected a real extent, got 0 This happens because the test inodes are created without ever initializing the i_mode field of the inode, and neither VFS's new_inode() nor the btrfs callback btrfs_alloc_inode() initialize the i_mode. Initialization of the i_mode is done through the various callbacks used by the VFS to create new inodes (regular files, directories, symlinks, tmpfiles, etc), which all call btrfs_new_inode() which in turn calls inode_init_owner(), which sets the inode's i_mode. Since the tests only uses new_inode() to create the test inodes, the i_mode was never initialized. This always happens on a VM I used with kasan, slub_debug and many other debug facilities enabled. It also happened to someone who reported this on bugzilla (on a 5.3-rc). Fix this by setting i_mode to S_IFREG at btrfs_new_test_inode(). Fixes: 6bf9e4bd6a2778 ("btrfs: inode: Verify inode mode to avoid NULL pointer dereference") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204397 Signed-off-by: Filipe Manana Reviewed-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 90d0cc80b9642dae6f2f94ddf8945dbe34b485e6 Author: Johan Hovold Date: Sun Oct 25 18:45:52 2020 +0100 USB: serial: keyspan_pda: fix write unthrottling commit 320f9028c7873c3c7710e8e93e5c979f4c857490 upstream. The driver did not update its view of the available device buffer space until write() was called in task context. This meant that write_room() would return 0 even after the device had sent a write-unthrottle notification, something which could lead to blocked writers not being woken up (e.g. when using OPOST). Note that we must also request an unthrottle notification is case a write() request fills the device buffer exactly. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 50e624f536815d54677a7f71730b23917f452570 Author: Johan Hovold Date: Sun Oct 25 18:45:51 2020 +0100 USB: serial: keyspan_pda: fix tx-unthrottle use-after-free commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream. The driver's transmit-unthrottle work was never flushed on disconnect, something which could lead to the driver port data being freed while the unthrottle work is still scheduled. Fix this by cancelling the unthrottle work when shutting down the port. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 27d7769667a28e21477881a0839adb00e9859f34 Author: Johan Hovold Date: Sun Oct 25 18:45:50 2020 +0100 USB: serial: keyspan_pda: fix write-wakeup use-after-free commit 37faf50615412947868c49aee62f68233307f4e4 upstream. The driver's deferred write wakeup was never flushed on disconnect, something which could lead to the driver port data being freed while the wakeup work is still scheduled. Fix this by using the usb-serial write wakeup which gets cancelled properly on disconnect. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 73e61d798ea53c0a03414f926a9b0453e38debce Author: Johan Hovold Date: Sun Oct 25 18:45:49 2020 +0100 USB: serial: keyspan_pda: fix stalled writes commit c01d2c58698f710c9e13ba3e2d296328606f74fd upstream. Make sure to clear the write-busy flag also in case no new data was submitted due to lack of device buffer space so that writing is resumed once space again becomes available. Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") Cc: stable # 2.6.13 Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 06d08b408ace4fa06de2f974f14f1bee88745da7 Author: Johan Hovold Date: Sun Oct 25 18:45:48 2020 +0100 USB: serial: keyspan_pda: fix write deadlock commit 7353cad7ee4deaefc16e94727e69285563e219f6 upstream. The write() callback can be called in interrupt context (e.g. when used as a console) so interrupts must be disabled while holding the port lock to prevent a possible deadlock. Fixes: e81ee637e4ae ("usb-serial: possible irq lock inversion (PPP vs. usb/serial)") Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") Cc: stable # 2.6.19 Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 5ce343ad9b03d526c7f819fb3e032eb75b3c4267 Author: Johan Hovold Date: Sun Oct 25 18:45:47 2020 +0100 USB: serial: keyspan_pda: fix dropped unthrottle interrupts commit 696c541c8c6cfa05d65aa24ae2b9e720fc01766e upstream. Commit c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") broke write-unthrottle handling by dropping well-formed unthrottle-interrupt packets which are precisely two bytes long. This could lead to blocked writers not being woken up when buffer space again becomes available. Instead, stop unconditionally printing the third byte which is (presumably) only valid on modem-line changes. Fixes: c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") Cc: stable # 4.11 Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 3b04034dc271f6be5754457859b26e676e049dfb Author: Johan Hovold Date: Wed Nov 4 17:47:27 2020 +0100 USB: serial: mos7720: fix parallel-port state restore commit 975323ab8f116667676c30ca3502a6757bd89e8d upstream. The parallel-port restore operations is called when a driver claims the port and is supposed to restore the provided state (e.g. saved when releasing the port). Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Cc: stable # 2.6.35 Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 68a850b64d72f20f81c5be713cdc81fbcd4c27a3 Author: Borislav Petkov Date: Sun Nov 22 15:57:21 2020 +0100 EDAC/amd64: Fix PCI component registration commit 706657b1febf446a9ba37dc51b89f46604f57ee9 upstream. In order to setup its PCI component, the driver needs any node private instance in order to get a reference to the PCI device and hand that into edac_pci_create_generic_ctl(). For convenience, it uses the 0th memory controller descriptor under the assumption that if any, the 0th will be always present. However, this assumption goes wrong when the 0th node doesn't have memory and the driver doesn't initialize an instance for it: EDAC amd64: F17h detected (node 0). ... EDAC amd64: Node 0: No DIMMs detected. But looking up node instances is not really needed - all one needs is the pointer to the proper device which gets discovered during instance init. So stash that pointer into a variable and use it when setting up the EDAC PCI component. Clear that variable when the driver needs to unwind due to some instances failing init to avoid any registration imbalance. Cc: Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20201122150815.13808-1-bp@alien8.de Signed-off-by: Greg Kroah-Hartman commit a27249e80348f4be1b94de0e2189ffeecf879392 Author: Ard Biesheuvel Date: Tue Nov 24 11:47:19 2020 +0100 crypto: ecdh - avoid unaligned accesses in ecdh_set_secret() commit 17858b140bf49961b71d4e73f1c3ea9bc8e7dda0 upstream. ecdh_set_secret() casts a void* pointer to a const u64* in order to feed it into ecc_is_key_valid(). This is not generally permitted by the C standard, and leads to actual misalignment faults on ARMv6 cores. In some cases, these are fixed up in software, but this still leads to performance hits that are entirely avoidable. So let's copy the key into the ctx buffer first, which we will do anyway in the common case, and which guarantees correct alignment. Cc: Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d81fd62fe45f991ead9d9fb2b26b285a9a20a069 Author: Athira Rajeev Date: Wed Nov 25 02:26:55 2020 -0500 powerpc/perf: Exclude kernel samples while counting events in user space. commit aa8e21c053d72b6639ea5a7f1d3a1d0209534c94 upstream. Perf event attritube supports exclude_kernel flag to avoid sampling/profiling in supervisor state (kernel). Based on this event attr flag, Monitor Mode Control Register bit is set to freeze on supervisor state. But sometimes (due to hardware limitation), Sampled Instruction Address Register (SIAR) locks on to kernel address even when freeze on supervisor is set. Patch here adds a check to drop those samples. Cc: stable@vger.kernel.org Signed-off-by: Athira Rajeev Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1606289215-1433-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit 5dfe46bf0b2442986ea323631e330d7edade1aec Author: Ian Abbott Date: Mon Dec 7 14:58:06 2020 +0000 staging: comedi: mf6x4: Fix AI end-of-conversion detection commit 56c90457ebfe9422496aac6ef3d3f0f0ea8b2ec2 upstream. I have had reports from two different people that attempts to read the analog input channels of the MF624 board fail with an `ETIMEDOUT` error. After triggering the conversion, the code calls `comedi_timeout()` with `mf6x4_ai_eoc()` as the callback function to check if the conversion is complete. The callback returns 0 if complete or `-EBUSY` if not yet complete. `comedi_timeout()` returns `-ETIMEDOUT` if it has not completed within a timeout period which is propagated as an error to the user application. The existing code considers the conversion to be complete when the EOLC bit is high. However, according to the user manuals for the MF624 and MF634 boards, this test is incorrect because EOLC is an active low signal that goes high when the conversion is triggered, and goes low when the conversion is complete. Fix the problem by inverting the test of the EOLC bit state. Fixes: 04b565021a83 ("comedi: Humusoft MF634 and MF624 DAQ cards driver") Cc: # v4.4+ Cc: Rostislav Lisovy Signed-off-by: Ian Abbott Link: https://lore.kernel.org/r/20201207145806.4046-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman commit a957829e9595bfce076b9d82371f6cd5ed22568d Author: Stefan Haberland Date: Thu Dec 17 16:59:07 2020 +0100 s390/dasd: fix list corruption of lcu list commit 53a7f655834c7c335bf683f248208d4fbe4b47bc upstream. In dasd_alias_disconnect_device_from_lcu the device is removed from any list on the LCU. Afterwards the LCU is removed from the lcu list if it does not contain devices any longer. The lcu->lock protects the lcu from parallel updates. But to cancel all workers and wait for completion the lcu->lock has to be unlocked. If two devices are removed in parallel and both are removed from the LCU the first device that takes the lcu->lock again will delete the LCU because it is already empty but the second device also tries to free the LCU which leads to a list corruption of the lcu list. Fix by removing the device right before the lcu is checked without unlocking the lcu->lock in between. Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Cc: stable@vger.kernel.org Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit bc46e8030d6b1c3f6f4fd01c646e81a73f8066af Author: Stefan Haberland Date: Thu Dec 17 16:59:06 2020 +0100 s390/dasd: fix list corruption of pavgroup group list commit 0ede91f83aa335da1c3ec68eb0f9e228f269f6d8 upstream. dasd_alias_add_device() moves devices to the active_devices list in case of a scheduled LCU update regardless if they have previously been in a pavgroup or not. Example: device A and B are in the same pavgroup. Device A has already been in a pavgroup and the private->pavgroup pointer is set and points to a valid pavgroup. While going through dasd_add_device it is moved from the pavgroup to the active_devices list. In parallel device B might be removed from the same pavgroup in remove_device_from_lcu() which in turn checks if the group is empty and deletes it accordingly because device A has already been removed from there. When now device A enters remove_device_from_lcu() it is tried to remove it from the pavgroup again because the pavgroup pointer is still set and again the empty group will be cleaned up which leads to a list corruption. Fix by setting private->pavgroup to NULL in dasd_add_device. If the device has been the last device on the pavgroup an empty pavgroup remains but this will be cleaned up by the scheduled lcu_update which iterates over all existing pavgroups. Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Cc: stable@vger.kernel.org Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 369b707afb69d804d4dc6237016269a1417056fd Author: Stefan Haberland Date: Thu Dec 17 16:59:05 2020 +0100 s390/dasd: prevent inconsistent LCU device data commit a29ea01653493b94ea12bb2b89d1564a265081b6 upstream. Prevent _lcu_update from adding a device to a pavgroup if the LCU still requires an update. The data is not reliable any longer and in parallel devices might have been moved on the lists already. This might lead to list corruptions or invalid PAV grouping. Only add devices to a pavgroup if the LCU is up to date. Additional steps are taken by the scheduled lcu update. Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Cc: stable@vger.kernel.org Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit aca4660cbebcfb45817bc4bfe2a54a5d5404271e Author: Sven Schnelle Date: Tue Dec 8 07:35:21 2020 +0100 s390/smp: perform initial CPU reset also for SMT siblings commit b5e438ebd7e808d1d2435159ac4742e01a94b8da upstream. Not resetting the SMT siblings might leave them in unpredictable state. One of the observed problems was that the CPU timer wasn't reset and therefore large system time values where accounted during CPU bringup. Cc: # 4.0 Fixes: 10ad34bc76dfb ("s390: add SMT support") Reviewed-by: Heiko Carstens Signed-off-by: Sven Schnelle Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 683e90ddb947a8b97bc086e85512105d2c1da6b5 Author: Takashi Iwai Date: Fri Dec 18 15:58:58 2020 +0100 ALSA: usb-audio: Disable sample read check if firmware doesn't give back commit 9df28edce7c6ab38050235f6f8b43dd7ccd01b6d upstream. Some buggy firmware don't give the current sample rate but leaves zero. Handle this case more gracefully without warning but just skip the current rate verification from the next time. Cc: Link: https://lore.kernel.org/r/20201218145858.2357-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e35c2215b09e2bd72b858cfeeffa40b3570a0860 Author: Takashi Iwai Date: Fri Dec 18 17:17:30 2020 +0100 ALSA: pcm: oss: Fix a few more UBSAN fixes commit 11cb881bf075cea41092a20236ba708b18e1dbb2 upstream. There are a few places that call round{up|down}_pow_of_two() with the value zero, and this causes undefined behavior warnings. Avoid calling those macros if such a nonsense value is passed; it's a minor optimization as well, as we handle it as either an error or a value to be skipped, instead. Reported-by: syzbot+33ef0b6639a8d2d42b4c@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20201218161730.26596-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7890a2677fea2ff58dcc7ac96cfdf95b78984db6 Author: Chris Chiu Date: Wed Dec 9 12:57:30 2020 +0800 ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255 commit 7e413528474d5895e3e315c019fb0c43522eb6d9 upstream. The ASUS laptop Q524UQK with ALC255 codec can't detect the headset microphone until ALC255_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. Signed-off-by: Chris Chiu Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20201209045730.9972-1-chiu@endlessos.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8a38100818a70c4a3631c5d0a8d00727d0610ab4 Author: Hui Wang Date: Fri Dec 11 10:18:14 2020 +0800 ACPI: PNP: compare the string length in the matching_id() commit b08221c40febcbda9309dd70c61cf1b0ebb0e351 upstream. Recently we met a touchscreen problem on some Thinkpad machines, the touchscreen driver (i2c-hid) is not loaded and the touchscreen can't work. An i2c ACPI device with the name WACF2200 is defined in the BIOS, with the current rule in matching_id(), this device will be regarded as a PNP device since there is WACFXXX in the acpi_pnp_device_ids[] and this PNP device is attached to the acpi device as the 1st physical_node, this will make the i2c bus match fail when i2c bus calls acpi_companion_match() to match the acpi_id_table in the i2c-hid driver. WACF2200 is an i2c device instead of a PNP device, after adding the string length comparing, the matching_id() will return false when matching WACF2200 and WACFXXX, and it is reasonable to compare the string length when matching two IDs. Suggested-by: Rafael J. Wysocki Signed-off-by: Hui Wang Cc: All applicable Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit ba8e08cb49d6872fa6a9a246c9ad96a4baa9e6c0 Author: Daniel Scally Date: Sat Dec 5 17:04:03 2020 +0000 Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks" commit 12fc4dad94dfac25599f31257aac181c691ca96f upstream. This reverts commit 8a66790b7850a6669129af078768a1d42076a0ef. Switching this function to AE_CTRL_TERMINATE broke the documented behaviour of acpi_dev_get_resources() - AE_CTRL_TERMINATE does not, in fact, terminate the resource walk because acpi_walk_resource_buffer() ignores it (specifically converting it to AE_OK), referring to that value as "an OK termination by the user function". This means that acpi_dev_get_resources() does not abort processing when the preproc function returns a negative value. Signed-off-by: Daniel Scally Cc: 3.10+ # 3.10+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit bbf215f6e47a549a1ec6d799d68c4a4a3546143d Author: Rafael J. Wysocki Date: Tue Nov 24 20:44:00 2020 +0100 PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup() commit 7482c5cb90e5a7f9e9e12dd154d405e0219656e3 upstream. The idea behind acpi_pm_set_bridge_wakeup() was to allow bridges to be reference counted for wakeup enabling, because they may be enabled to signal wakeup on behalf of their subordinate devices and that may happen for multiple times in a row, whereas for the other devices it only makes sense to enable wakeup signaling once. However, this becomes problematic if the bridge itself is suspended, because it is treated as a "regular" device in that case and the reference counting doesn't work. For instance, suppose that there are two devices below a bridge and they both can signal wakeup. Every time one of them is suspended, wakeup signaling is enabled for the bridge, so when they both have been suspended, the bridge's wakeup reference counter value is 2. Say that the bridge is suspended subsequently and acpi_pci_wakeup() is called for it. Because the bridge can signal wakeup, that function will invoke acpi_pm_set_device_wakeup() to configure it and __acpi_pm_set_device_wakeup() will be called with the last argument equal to 1. This causes __acpi_device_wakeup_enable() invoked by it to omit the reference counting, because the reference counter of the target device (the bridge) is 2 at that time. Now say that the bridge resumes and one of the device below it resumes too, so the bridge's reference counter becomes 0 and wakeup signaling is disabled for it, but there is still the other suspended device which may need the bridge to signal wakeup on its behalf and that is not going to work. To address this scenario, use wakeup enable reference counting for all devices, not just for bridges, so drop the last argument from __acpi_device_wakeup_enable() and __acpi_pm_set_device_wakeup(), which causes acpi_pm_set_device_wakeup() and acpi_pm_set_bridge_wakeup() to become identical, so drop the latter and use the former instead of it everywhere. Fixes: 1ba51a7c1496 ("ACPI / PCI / PM: Rework acpi_pci_propagate_wakeup()") Signed-off-by: Rafael J. Wysocki Reviewed-by: Mika Westerberg Acked-by: Bjorn Helgaas Cc: 4.14+ # 4.14+ Signed-off-by: Greg Kroah-Hartman commit c5988ba2116f27cbf280e3097872297ad70e303c Author: Arnd Bergmann Date: Mon Dec 14 13:37:46 2020 -0800 Input: cyapa_gen6 - fix out-of-bounds stack access commit f051ae4f6c732c231046945b36234e977f8467c6 upstream. gcc -Warray-bounds warns about a serious bug in cyapa_pip_retrieve_data_structure: drivers/input/mouse/cyapa_gen6.c: In function 'cyapa_pip_retrieve_data_structure.constprop': include/linux/unaligned/access_ok.h:40:17: warning: array subscript -1 is outside array bounds of 'struct retrieve_data_struct_cmd[1]' [-Warray-bounds] 40 | *((__le16 *)p) = cpu_to_le16(val); drivers/input/mouse/cyapa_gen6.c:569:13: note: while referencing 'cmd' 569 | } __packed cmd; | ^~~ Apparently the '-2' was added to the pointer instead of the value, writing garbage into the stack next to this variable. Fixes: c2c06c41f700 ("Input: cyapa - add gen6 device module support") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20201026161332.3708389-1-arnd@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 9892894dff8ca671bf02e488f8bff5ef5417b88f Author: Lukas Wunner Date: Mon Dec 7 09:17:12 2020 +0100 media: netup_unidvb: Don't leak SPI master in probe error path commit e297ddf296de35037fa97f4302782def196d350a upstream. If the call to spi_register_master() fails on probe of the NetUP Universal DVB driver, the spi_master struct is erroneously not freed. Likewise, if spi_new_device() fails, the spi_controller struct is not unregistered. Plug the leaks. While at it, fix an ordering issue in netup_spi_release() wherein spi_unregister_master() is called after fiddling with the IRQ control register. The correct order is to call spi_unregister_master() *before* this teardown step because bus accesses may still be ongoing until that function returns. Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") Signed-off-by: Lukas Wunner Reviewed-by: Mauro Carvalho Chehab Cc: # v4.3+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.3+ Cc: Kozlov Sergey Link: https://lore.kernel.org/r/c4c24f333fc7840f4a3db24789e6e10dd660bede.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b02b60dabdeb601f8e037b034db490e15fff82f3 Author: Sean Young Date: Mon Nov 9 23:16:52 2020 +0100 media: sunxi-cir: ensure IR is handled when it is continuous commit 3f56df4c8ffeb120ed41906d3aae71799b7e726a upstream. If a user holds a button down on a remote, then no ir idle interrupt will be generated until the user releases the button, depending on how quickly the remote repeats. No IR is processed until that point, which means that holding down a button may not do anything. This also resolves an issue on a Cubieboard 1 where the IR receiver is picking up ambient infrared as IR and spews out endless "rc rc0: IR event FIFO is full!" messages unless you choose to live in the dark. Cc: stable@vger.kernel.org Tested-by: Hans Verkuil Acked-by: Maxime Ripard Reported-by: Hans Verkuil Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 429ec49f7b73852ab45d245cc483ef2793863afa Author: Alan Stern Date: Wed Dec 2 18:20:04 2020 +0100 media: gspca: Fix memory leak in probe commit e469d0b09a19496e1972a20974bbf55b728151eb upstream. The gspca driver leaks memory when a probe fails. gspca_dev_probe2() calls v4l2_device_register(), which takes a reference to the underlying device node (in this case, a USB interface). But the failure pathway neglects to call v4l2_device_unregister(), the routine responsible for dropping this reference. Consequently the memory for the USB interface and its device never gets released. This patch adds the missing function call. Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 376c0145f6454c5ecdfcc5c6353b80d4eb2079b8 Author: Simon Beginn Date: Fri Dec 11 16:17:32 2020 -0800 Input: goodix - add upside-down quirk for Teclast X98 Pro tablet [ Upstream commit cffdd6d90482316e18d686060a4397902ea04bd2 ] The touchscreen on the Teclast x98 Pro is also mounted upside-down in relation to the display orientation. Signed-off-by: Simon Beginn Signed-off-by: Bastien Nocera Link: https://lore.kernel.org/r/20201117004253.27A5A27EFD@localhost Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit babcb8ec880d72e33011c6d2331830233ca2e421 Author: Dmitry Torokhov Date: Wed Dec 9 17:59:53 2020 -0800 Input: cros_ec_keyb - send 'scancodes' in addition to key events [ Upstream commit 80db2a087f425b63f0163bc95217abd01c637cb5 ] To let userspace know what 'scancodes' should be used in EVIOCGKEYCODE and EVIOCSKEYCODE ioctls, we should send EV_MSC/MSC_SCAN events in addition to EV_KEY/KEY_* events. The driver already declared MSC_SCAN capability, so it is only matter of actually sending the events. Link: https://lore.kernel.org/r/X87aOaSptPTvZ3nZ@google.com Acked-by: Rajat Jain Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit e7f7033799a2e7e3fc020b2fe13d5a29bf1f432d Author: Serge Hallyn Date: Sun Nov 15 21:55:31 2020 -0600 fix namespaced fscaps when !CONFIG_SECURITY [ Upstream commit ed9b25d1970a4787ac6a39c2091e63b127ecbfc1 ] Namespaced file capabilities were introduced in 8db6c34f1dbc . When userspace reads an xattr for a namespaced capability, a virtualized representation of it is returned if the caller is in a user namespace owned by the capability's owning rootid. The function which performs this virtualization was not hooked up if CONFIG_SECURITY=n. Therefore in that case the original xattr was shown instead of the virtualized one. To test this using libcap-bin (*1), $ v=$(mktemp) $ unshare -Ur setcap cap_sys_admin-eip $v $ unshare -Ur setcap -v cap_sys_admin-eip $v /tmp/tmp.lSiIFRvt8Y: OK "setcap -v" verifies the values instead of setting them, and will check whether the rootid value is set. Therefore, with this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will fail: $ v=$(mktemp) $ unshare -Ur setcap cap_sys_admin=eip $v $ unshare -Ur setcap -v cap_sys_admin=eip $v nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in [] Fix this bug by calling cap_inode_getsecurity() in security_inode_getsecurity() instead of returning -EOPNOTSUPP, when CONFIG_SECURITY=n. *1 - note, if libcap is too old for getcap to have the '-n' option, then use verify-caps instead. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209689 Cc: Hervé Guillemet Acked-by: Casey Schaufler Signed-off-by: Serge Hallyn Signed-off-by: Andrew G. Morgan Signed-off-by: James Morris Signed-off-by: Sasha Levin commit 8fff445b5aef9dcd40d17c4824e5f32f5def129d Author: Sara Sharon Date: Sun Nov 29 17:30:44 2020 +0200 cfg80211: initialize rekey_data [ Upstream commit f495acd8851d7b345e5f0e521b2645b1e1f928a0 ] In case we have old supplicant, the akm field is uninitialized. Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20201129172929.930f0ab7ebee.Ic546e384efab3f4a89f318eafddc3eb7d556aecb@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit e34de380496967c10c75072183849c60b9468592 Author: Jernej Skrabec Date: Wed Dec 2 21:38:17 2020 +0100 clk: sunxi-ng: Make sure divider tables have sentinel [ Upstream commit 48f68de00c1405351fa0e7bc44bca067c49cd0a3 ] Two clock divider tables are missing sentinel at the end. Effect of that is that clock framework reads past the last entry. Fix that with adding sentinel at the end. Issue was discovered with KASan. Fixes: 0577e4853bfb ("clk: sunxi-ng: Add H3 clocks") Fixes: c6a0637460c2 ("clk: sunxi-ng: Add A64 clocks") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201202203817.438713-1-jernej.skrabec@siol.net Acked-by: Maxime Ripard Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit ac23ec1bc610e60d9de133cee5a8ac10a0b9834e Author: Christophe JAILLET Date: Sat Dec 12 13:28:18 2020 +0100 clk: s2mps11: Fix a resource leak in error handling paths in the probe function [ Upstream commit d2d94fc567624f96187e8b52083795620f93e69f ] Some resource should be released in the error handling path of the probe function, as already done in the remove function. The remove function was fixed in commit bf416bd45738 ("clk: s2mps11: Add missing of_node_put and of_clk_del_provider") Fixes: 7cc560dea415 ("clk: s2mps11: Add support for s2mps11") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201212122818.86195-1-christophe.jaillet@wanadoo.fr Reviewed-by: Krzysztof Kozlowski Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit c8cc32fde3fa193ae44f0170a6ba1ab27adc7774 Author: Dan Carpenter Date: Wed Dec 16 11:38:04 2020 +0300 qlcnic: Fix error code in probe [ Upstream commit 0d52848632a357948028eab67ff9b7cc0c12a0fb ] Return -EINVAL if we can't find the correct device. Currently it returns success. Fixes: 13159183ec7a ("qlcnic: 83xx base driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X9nHbMqEyI/xPfGd@mwanda Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 48bf1a9af8c144873f93a8e424de41917b93b63c Author: Zheng Zengkai Date: Fri Jul 3 17:33:44 2020 +0800 perf record: Fix memory leak when using '--user-regs=?' to list registers [ Upstream commit 2eb5dd418034ecea2f7031e3d33f2991a878b148 ] When using 'perf record's option '-I' or '--user-regs=' along with argument '?' to list available register names, memory of variable 'os' allocated by strdup() needs to be released before __parse_regs() returns, otherwise memory leak will occur. Fixes: bcc84ec65ad1 ("perf record: Add ability to name registers to record") Signed-off-by: Zheng Zengkai Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Li Bin Cc: Mark Rutland Cc: Namhyung Kim Link: https://lore.kernel.org/r/20200703093344.189450-1-zhengzengkai@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit e514cfc38f53a2c72940999d1e8ef1d002e6dfed Author: Lokesh Vutla Date: Fri Oct 30 19:11:35 2020 +0530 pwm: lp3943: Dynamically allocate PWM chip base [ Upstream commit 1f0f1e80fdd3aa9631f6c22cda4f8550cfcfcc3e ] When there are other PWM controllers enabled along with pwm-lp3943, pwm-lp3942 is failing to probe with -EEXIST error. This is because other PWM controllers are probed first and assigned PWM base 0 and pwm-lp3943 is requesting for 0 again. In order to avoid this, assign the chip base with -1, so that it is dynamically allocated. Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver") Signed-off-by: Lokesh Vutla Reviewed-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 1bac99796304584cf17766323c3b52c091fe46fb Author: Uwe Kleine-König Date: Tue Oct 13 10:13:21 2020 +0200 pwm: zx: Add missing cleanup in error path [ Upstream commit 269effd03f6142df4c74814cfdd5f0b041b30bf9 ] zx_pwm_probe() called clk_prepare_enable() before; this must be undone in the error path. Fixes: 4836193c435c ("pwm: Add ZTE ZX PWM device driver") Signed-off-by: Uwe Kleine-König Acked-by: Shawn Guo Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 36237bb655e9038c47974636e92ecc7b9835e090 Author: Zhang Qilong Date: Fri Nov 13 21:16:23 2020 +0800 clk: ti: Fix memleak in ti_fapll_synth_setup [ Upstream commit 8c6239f6e95f583bb763d0228e02d4dd0fb3d492 ] If clk_register fails, we should goto free branch before function returns to prevent memleak. Fixes: 163152cbbe321 ("clk: ti: Add support for FAPLL on dm816x") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201113131623.2098222-1-zhangqilong3@huawei.com Acked-by: Tony Lindgren Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 06995f950e2713ec4b428371030893aa638bb278 Author: Arnd Bergmann Date: Thu Dec 3 23:33:42 2020 +0100 watchdog: coh901327: add COMMON_CLK dependency [ Upstream commit 36c47df85ee8e1f8a35366ac11324f8875de00eb ] clang produces a build failure in configurations without COMMON_CLK when a timeout calculation goes wrong: arm-linux-gnueabi-ld: drivers/watchdog/coh901327_wdt.o: in function `coh901327_enable': coh901327_wdt.c:(.text+0x50): undefined reference to `__bad_udelay' Add a Kconfig dependency to only do build testing when COMMON_CLK is enabled. Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible") Signed-off-by: Arnd Bergmann Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201203223358.1269372-1-arnd@kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit c15260acca4aaef2a0d63b23eb735e813d9fd33c Author: Manivannan Sadhasivam Date: Mon Dec 7 11:30:05 2020 +0530 watchdog: qcom: Avoid context switch in restart handler [ Upstream commit 7948fab26bcc468aa2a76462f441291b5fb0d5c7 ] The use of msleep() in the restart handler will cause scheduler to induce a context switch which is not desirable. This generates below warning on SDX55 when WDT is the only available restart source: [ 39.800188] reboot: Restarting system [ 39.804115] ------------[ cut here ]------------ [ 39.807855] WARNING: CPU: 0 PID: 678 at kernel/rcu/tree_plugin.h:297 rcu_note_context_switch+0x190/0x764 [ 39.812538] Modules linked in: [ 39.821954] CPU: 0 PID: 678 Comm: reboot Not tainted 5.10.0-rc1-00063-g33a9990d1d66-dirty #47 [ 39.824854] Hardware name: Generic DT based system [ 39.833470] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 39.838154] [] (show_stack) from [] (dump_stack+0x8c/0xa0) [ 39.846049] [] (dump_stack) from [] (__warn+0xd8/0xf0) [ 39.853058] [] (__warn) from [] (warn_slowpath_fmt+0x64/0xc8) [ 39.859925] [] (warn_slowpath_fmt) from [] (rcu_note_context_switch+0x190/0x764) [ 39.867503] [] (rcu_note_context_switch) from [] (__schedule+0x84/0x640) [ 39.876685] [] (__schedule) from [] (schedule+0x58/0x10c) [ 39.885095] [] (schedule) from [] (schedule_timeout+0x1e8/0x3d4) [ 39.892135] [] (schedule_timeout) from [] (msleep+0x2c/0x38) [ 39.899947] [] (msleep) from [] (qcom_wdt_restart+0xc4/0xcc) [ 39.907319] [] (qcom_wdt_restart) from [] (watchdog_restart_notifier+0x18/0x28) [ 39.914715] [] (watchdog_restart_notifier) from [] (atomic_notifier_call_chain+0x60/0x84) [ 39.923487] [] (atomic_notifier_call_chain) from [] (machine_restart+0x78/0x7c) [ 39.933551] [] (machine_restart) from [] (__do_sys_reboot+0xdc/0x1e0) [ 39.942397] [] (__do_sys_reboot) from [] (ret_fast_syscall+0x0/0x54) [ 39.950721] Exception stack(0xc3e0bfa8 to 0xc3e0bff0) [ 39.958855] bfa0: 0001221c bed2fe24 fee1dead 28121969 01234567 00000000 [ 39.963832] bfc0: 0001221c bed2fe24 00000003 00000058 000225e0 00000000 00000000 00000000 [ 39.971985] bfe0: b6e62560 bed2fc84 00010fd8 b6e62580 [ 39.980124] ---[ end trace 3f578288bad866e4 ]--- Hence, replace msleep() with mdelay() to fix this issue. Fixes: 05e487d905ab ("watchdog: qcom: register a restart notifier") Signed-off-by: Manivannan Sadhasivam Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201207060005.21293-1-manivannan.sadhasivam@linaro.org Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit d9ee6f8412b0a472bd5fa475a2eef4f07059c2d4 Author: Vincent Stehlé Date: Mon Dec 14 23:09:52 2020 +0100 net: korina: fix return value [ Upstream commit 7eb000bdbe7c7da811ef51942b356f6e819b13ba ] The ndo_start_xmit() method must not attempt to free the skb to transmit when returning NETDEV_TX_BUSY. Therefore, make sure the korina_send_packet() function returns NETDEV_TX_OK when it frees a packet. Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") Suggested-by: Jakub Kicinski Signed-off-by: Vincent Stehlé Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20201214220952.19935-1-vincent.stehle@laposte.net Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6885636a7485abebeec79c27605624a38e2ef3a2 Author: Christophe JAILLET Date: Mon Dec 14 21:21:17 2020 +0100 net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function [ Upstream commit 322e53d1e2529ae9d501f5e0f20604a79b873aef ] 'irq_of_parse_and_map()' should be balanced by a corresponding 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks. Add such a call in the error handling path of the probe function and in the remove function. Fixes: 492205050d77 ("net: Add EMAC ethernet driver found on Allwinner A10 SoC's") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201214202117.146293-1-christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 980f10055aace012af1f644737b8474395bd388c Author: Christophe JAILLET Date: Sat Dec 12 19:20:05 2020 +0100 net: bcmgenet: Fix a resource leak in an error handling path in the probe functin [ Upstream commit 4375ada01963d1ebf733d60d1bb6e5db401e1ac6 ] If the 'register_netdev()' call fails, we must undo a previous 'bcmgenet_mii_init()' call. Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Signed-off-by: Christophe JAILLET Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20201212182005.120437-1-christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c3d842a3873a6b9fcab4dae0b8d85b753fa52baa Author: Dwaipayan Ray Date: Tue Dec 15 20:45:02 2020 -0800 checkpatch: fix unescaped left brace [ Upstream commit 03f4935135b9efeb780b970ba023c201f81cf4e6 ] There is an unescaped left brace in a regex in OPEN_BRACE check. This throws a runtime error when checkpatch is run with --fix flag and the OPEN_BRACE check is executed. Fix it by escaping the left brace. Link: https://lkml.kernel.org/r/20201115202928.81955-1-dwaipayanray1@gmail.com Fixes: 8d1824780f2f ("checkpatch: add --fix option for a couple OPEN_BRACE misuses") Signed-off-by: Dwaipayan Ray Acked-by: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 3c1e57a98271779ccc0ece03ef667d3a5af0bf1f Author: Vincent Stehlé Date: Sun Dec 13 19:26:22 2020 +0100 powerpc/ps3: use dma_mapping_error() [ Upstream commit d0edaa28a1f7830997131cbce87b6c52472825d1 ] The DMA address returned by dma_map_single() should be checked with dma_mapping_error(). Fix the ps3stor_setup() function accordingly. Fixes: 80071802cb9c ("[POWERPC] PS3: Storage Driver Core") Signed-off-by: Vincent Stehlé Reviewed-by: Geert Uytterhoeven Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201213182622.23047-1-vincent.stehle@laposte.net Signed-off-by: Sasha Levin commit 5d5827c7bf79bcaf43cdb7f4d4d24dc8fb9e5b5c Author: Bongsu Jeon Date: Sun Dec 13 18:58:50 2020 +0900 nfc: s3fwrn5: Release the nfc firmware [ Upstream commit a4485baefa1efa596702ebffd5a9c760d42b14b5 ] add the code to release the nfc firmware when the firmware image size is wrong. Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip") Signed-off-by: Bongsu Jeon Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20201213095850.28169-1-bongsu.jeon@samsung.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6774d7c562bce6d2ae166db41d2eb3a8342eae8d Author: Anton Ivanov Date: Mon Dec 7 17:19:40 2020 +0000 um: chan_xterm: Fix fd leak [ Upstream commit 9431f7c199ab0d02da1482d62255e0b4621cb1b5 ] xterm serial channel was leaking a fd used in setting up the port helper This bug is prehistoric - it predates switching to git. The "fixes" header here is really just to mark all the versions we would like this to apply to which is "Anything from the Cretaceous period onwards". No dinosaurs were harmed in fixing this bug. Fixes: b40997b872cd ("um: drivers/xterm.c: fix a file descriptor leak") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit ba4231d5acf213e3769eff504c237ef2f9b2a5fa Author: Guenter Roeck Date: Sun Nov 8 08:25:50 2020 -0800 watchdog: sirfsoc: Add missing dependency on HAS_IOMEM [ Upstream commit 8ae2511112d2e18bc7d324b77f965d34083a25a2 ] If HAS_IOMEM is not defined and SIRFSOC_WATCHDOG is enabled, the build fails with the following error. drivers/watchdog/sirfsoc_wdt.o: in function `sirfsoc_wdt_probe': sirfsoc_wdt.c:(.text+0x112): undefined reference to `devm_platform_ioremap_resource' Reported-by: Necip Fazil Yildiran Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible") Link: https://lore.kernel.org/r/20201108162550.27660-2-linux@roeck-us.net Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 38cbc6d06a37449fdf563c03111604f22effaac6 Author: Marc Zyngier Date: Sun Nov 29 13:55:25 2020 +0000 irqchip/alpine-msi: Fix freeing of interrupts on allocation error path [ Upstream commit 3841245e8498a789c65dedd7ffa8fb2fee2c0684 ] The alpine-msi driver has an interesting allocation error handling, where it frees the same interrupts repeatedly. Hilarity follows. This code is probably never executed, but let's fix it nonetheless. Fixes: e6b78f2c3e14 ("irqchip: Add the Alpine MSIX interrupt controller") Signed-off-by: Marc Zyngier Reviewed-by: Antoine Tenart Cc: Tsahee Zidenberg Cc: Antoine Tenart Link: https://lore.kernel.org/r/20201129135525.396671-1-maz@kernel.org Signed-off-by: Sasha Levin commit 69a41aa29f2e51e3b2fe1d12c04d06e83d24def0 Author: Dan Carpenter Date: Wed Dec 9 09:54:09 2020 +0300 ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control() [ Upstream commit 85a7555575a0e48f9b73db310d0d762a08a46d63 ] The error handling frees "ctl" but it's still on the "dsp->ctl_list" list so that could result in a use after free. Remove it from the list before returning. Fixes: 2323736dca72 ("ASoC: wm_adsp: Add basic support for rev 1 firmware file format") Signed-off-by: Dan Carpenter Acked-by: Charles Keepax Link: https://lore.kernel.org/r/X9B0keV/02wrx9Xs@mwanda Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8e601b501fcab24bf4d5751afb2fb09c622448b9 Author: Marek Szyprowski Date: Tue Dec 8 14:36:27 2020 +0100 extcon: max77693: Fix modalias string [ Upstream commit e1efdb604f5c9903a5d92ef42244009d3c04880f ] The platform device driver name is "max77693-muic", so advertise it properly in the modalias string. This fixes automated module loading when this driver is compiled as a module. Fixes: db1b9037424b ("extcon: MAX77693: Add extcon-max77693 driver to support Maxim MAX77693 MUIC device") Signed-off-by: Marek Szyprowski Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 2cb90cf04bc6085cd625d2c78e259fca5f1fe6b2 Author: Dmitry Osipenko Date: Mon Oct 26 01:42:12 2020 +0300 clk: tegra: Fix duplicated SE clock entry [ Upstream commit 5bf5861d6ea6c3f4b38fc8fda2062b2dc44ac63d ] The periph_clks[] array contains duplicated entry for Security Engine clock which was meant to be defined for T210, but it wasn't added properly. This patch corrects the T210 SE entry and fixes the following error message on T114/T124: "Tegra clk 127: register failed with -17". Fixes: dc37fec48314 ("clk: tegra: periph: Add new periph clks and muxes for Tegra210") Tested-by Nicolas Chauvet Reported-by Nicolas Chauvet Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20201025224212.7790-1-digetx@gmail.com Acked-by: Thierry Reding Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit e1f98fe3521c4a7be4cc3acf47f54edf064ee266 Author: Masami Hiramatsu Date: Wed Oct 28 23:31:10 2020 +0900 x86/kprobes: Restore BTF if the single-stepping is cancelled [ Upstream commit 78ff2733ff352175eb7f4418a34654346e1b6cd2 ] Fix to restore BTF if single-stepping causes a page fault and it is cancelled. Usually the BTF flag was restored when the single stepping is done (in resume_execution()). However, if a page fault happens on the single stepping instruction, the fault handler is invoked and the single stepping is cancelled. Thus, the BTF flag is not restored. Fixes: 1ecc798c6764 ("x86: debugctlmsr kprobes") Signed-off-by: Masami Hiramatsu Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/160389546985.106936.12727996109376240993.stgit@devnote2 Signed-off-by: Sasha Levin commit f2fa0444627df738f7d92f40c6ae82897b16826a Author: Cheng Lin Date: Tue Dec 1 07:06:35 2020 -0500 nfs_common: need lock during iterate through the list [ Upstream commit 4a9d81caf841cd2c0ae36abec9c2963bf21d0284 ] If the elem is deleted during be iterated on it, the iteration process will fall into an endless loop. kernel: NMI watchdog: BUG: soft lockup - CPU#4 stuck for 22s! [nfsd:17137] PID: 17137  TASK: ffff8818d93c0000  CPU: 4   COMMAND: "nfsd"     [exception RIP: __state_in_grace+76]     RIP: ffffffffc00e817c  RSP: ffff8818d3aefc98  RFLAGS: 00000246     RAX: ffff881dc0c38298  RBX: ffffffff81b03580  RCX: ffff881dc02c9f50     RDX: ffff881e3fce8500  RSI: 0000000000000001  RDI: ffffffff81b03580     RBP: ffff8818d3aefca0   R8: 0000000000000020   R9: ffff8818d3aefd40     R10: ffff88017fc03800  R11: ffff8818e83933c0  R12: ffff8818d3aefd40     R13: 0000000000000000  R14: ffff8818e8391068  R15: ffff8818fa6e4000     CS: 0010  SS: 0018  #0 [ffff8818d3aefc98] opens_in_grace at ffffffffc00e81e3 [grace]  #1 [ffff8818d3aefca8] nfs4_preprocess_stateid_op at ffffffffc02a3e6c [nfsd]  #2 [ffff8818d3aefd18] nfsd4_write at ffffffffc028ed5b [nfsd]  #3 [ffff8818d3aefd80] nfsd4_proc_compound at ffffffffc0290a0d [nfsd]  #4 [ffff8818d3aefdd0] nfsd_dispatch at ffffffffc027b800 [nfsd]  #5 [ffff8818d3aefe08] svc_process_common at ffffffffc02017f3 [sunrpc]  #6 [ffff8818d3aefe70] svc_process at ffffffffc0201ce3 [sunrpc]  #7 [ffff8818d3aefe98] nfsd at ffffffffc027b117 [nfsd]  #8 [ffff8818d3aefec8] kthread at ffffffff810b88c1  #9 [ffff8818d3aeff50] ret_from_fork at ffffffff816d1607 The troublemake elem: crash> lock_manager ffff881dc0c38298 struct lock_manager {   list = {     next = 0xffff881dc0c38298,     prev = 0xffff881dc0c38298   },   block_opens = false } Fixes: c87fb4a378f9 ("lockd: NLM grace period shouldn't block NFSv4 opens") Signed-off-by: Cheng Lin  Signed-off-by: Yi Wang  Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 0e9942d23848f55a0bc83386f34c623571fd5845 Author: kazuo ito Date: Fri Nov 27 15:26:59 2020 +0900 nfsd: Fix message level for normal termination [ Upstream commit 4420440c57892779f265108f46f83832a88ca795 ] The warning message from nfsd terminating normally can confuse system adminstrators or monitoring software. Though it's not exactly fair to pin-point a commit where it originated, the current form in the current place started to appear in: Fixes: e096bbc6488d ("knfsd: remove special handling for SIGHUP") Signed-off-by: kazuo ito Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 4d5bbc8f633cb53c50b4fd308f94bbe078241bf4 Author: Yang Yingliang Date: Tue Nov 17 09:22:29 2020 +0800 speakup: fix uninitialized flush_lock [ Upstream commit d1b928ee1cfa965a3327bbaa59bfa005d97fa0fe ] The flush_lock is uninitialized, use DEFINE_SPINLOCK to define and initialize flush_lock. Fixes: c6e3fd22cd53 ("Staging: add speakup to the staging directory") Reported-by: Hulk Robot Reviewed-by: Samuel Thibault Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20201117012229.3395186-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5e64d12b9b4d2adc2a3abc59a86de4b456c8cee7 Author: Zhang Qilong Date: Mon Nov 23 22:58:09 2020 +0800 usb: oxu210hp-hcd: Fix memory leak in oxu_create [ Upstream commit e5548b05631ec3e6bfdaef1cad28c799545b791b ] usb_create_hcd will alloc memory for hcd, and we should call usb_put_hcd to free it when adding fails to prevent memory leak. Fixes: b92a78e582b1a ("usb host: Oxford OXU210HP HCD driver") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201123145809.1456541-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c6591cf3ff6b657f78771b5bb4460a86409aa4f1 Author: Zhang Qilong Date: Mon Nov 23 22:57:19 2020 +0800 usb: ehci-omap: Fix PM disable depth umbalance in ehci_hcd_omap_probe [ Upstream commit d6ff32478d7e95d6ca199b5c852710d6964d5811 ] The pm_runtime_enable will decrement the power disable depth. Imbalance depth will resulted in enabling runtime PM of device fails later. Thus a pairing decrement must be needed on the error handling path to keep it balanced. Fixes: 6c984b066d84b ("ARM: OMAP: USBHOST: Replace usbhs core driver APIs by Runtime pm APIs") Acked-by: Alan Stern Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201123145719.1455849-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 61af2b04d0ff371985e68cce6fe30dfa15ee3230 Author: Nathan Lynch Date: Mon Dec 7 15:51:56 2020 -0600 powerpc/pseries/hibernation: remove redundant cacheinfo update [ Upstream commit b866459489fe8ef0e92cde3cbd6bbb1af6c4e99b ] Partitions with cache nodes in the device tree can encounter the following warning on resume: CPU 0 already accounted in PowerPC,POWER9@0(Data) WARNING: CPU: 0 PID: 3177 at arch/powerpc/kernel/cacheinfo.c:197 cacheinfo_cpu_online+0x640/0x820 These calls to cacheinfo_cpu_offline/online have been redundant since commit e610a466d16a ("powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration"). Fixes: e610a466d16a ("powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201207215200.1785968-25-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit b7c1ee5025b48fe25418d36e72b6bfb0c7078f3e Author: Nathan Lynch Date: Mon Dec 7 15:51:49 2020 -0600 powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops [ Upstream commit 52719fce3f4c7a8ac9eaa191e8d75a697f9fbcbc ] There are three ways pseries_suspend_begin() can be reached: 1. When "mem" is written to /sys/power/state: kobj_attr_store() -> state_store() -> pm_suspend() -> suspend_devices_and_enter() -> pseries_suspend_begin() This never works because there is no way to supply a valid stream id using this interface, and H_VASI_STATE is called with a stream id of zero. So this call path is useless at best. 2. When a stream id is written to /sys/devices/system/power/hibernate. pseries_suspend_begin() is polled directly from store_hibernate() until the stream is in the "Suspending" state (i.e. the platform is ready for the OS to suspend execution): dev_attr_store() -> store_hibernate() -> pseries_suspend_begin() 3. When a stream id is written to /sys/devices/system/power/hibernate (continued). After #2, pseries_suspend_begin() is called once again from the pm core: dev_attr_store() -> store_hibernate() -> pm_suspend() -> suspend_devices_and_enter() -> pseries_suspend_begin() This is redundant because the VASI suspend state is already known to be Suspending. The begin() callback of platform_suspend_ops is optional, so we can simply remove that assignment with no loss of function. Fixes: 32d8ad4e621d ("powerpc/pseries: Partition hibernation support") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201207215200.1785968-18-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit ee7c2a9d451e13680144e91634b45787b6f7373d Author: Zhang Changzhong Date: Fri Dec 4 15:47:39 2020 +0800 scsi: fnic: Fix error return code in fnic_probe() [ Upstream commit d4fc94fe65578738ded138e9fce043db6bfc3241 ] Return a negative error code from the error handling case instead of 0 as done elsewhere in this function. Link: https://lore.kernel.org/r/1607068060-31203-1-git-send-email-zhangchangzhong@huawei.com Fixes: 5df6d737dd4b ("[SCSI] fnic: Add new Cisco PCI-Express FCoE HBA") Reported-by: Hulk Robot Reviewed-by: Karan Tilak Kumar Signed-off-by: Zhang Changzhong Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit acccf78f6d06dddb3d424729f202c9a80b22bd8b Author: Arnd Bergmann Date: Mon Oct 26 17:10:58 2020 +0100 seq_buf: Avoid type mismatch for seq_buf_init [ Upstream commit d9a9280a0d0ae51dc1d4142138b99242b7ec8ac6 ] Building with W=2 prints a number of warnings for one function that has a pointer type mismatch: linux/seq_buf.h: In function 'seq_buf_init': linux/seq_buf.h:35:12: warning: pointer targets in assignment from 'unsigned char *' to 'char *' differ in signedness [-Wpointer-sign] Change the type in the function prototype according to the type in the structure. Link: https://lkml.kernel.org/r/20201026161108.3707783-1-arnd@kernel.org Fixes: 9a7777935c34 ("tracing: Convert seq_buf fields to be like seq_file fields") Reviewed-by: Cezary Rojewski Signed-off-by: Arnd Bergmann Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit bd9f0b38718ab2116d906c466f3b9151a009cb94 Author: Zhang Qilong Date: Sat Dec 5 19:55:51 2020 +0800 scsi: pm80xx: Fix error return in pm8001_pci_probe() [ Upstream commit 97031ccffa4f62728602bfea8439dd045cd3aeb2 ] The driver did not return an error in the case where pm8001_configure_phy_settings() failed. Use rc to store the return value of pm8001_configure_phy_settings(). Link: https://lore.kernel.org/r/20201205115551.2079471-1-zhangqilong3@huawei.com Fixes: 279094079a44 ("[SCSI] pm80xx: Phy settings support for motherboard controller.") Acked-by: Jack Wang Signed-off-by: Zhang Qilong Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 00fc83950a1d80a02414b0b6cb7e1798ac44da4e Author: Qinglang Miao Date: Mon Nov 9 17:15:18 2020 +0800 scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe [ Upstream commit 62eebd5247c4e4ce08826ad5995cf4dd7ce919dd ] Add the missing destroy_workqueue() before return from __qedi_probe in the error handling case when fails to create workqueue qedi->offload_thread. Link: https://lore.kernel.org/r/20201109091518.55941-1-miaoqinglang@huawei.com Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") Reviewed-by: Mike Christie Signed-off-by: Qinglang Miao Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 42685b4522253b5e4c161da24f68b5d242cc1e51 Author: Pali Rohár Date: Tue Nov 3 16:11:38 2020 +0100 cpufreq: scpi: Add missing MODULE_ALIAS [ Upstream commit c0382d049d2def37b81e907a8b22661a4a4a6eb5 ] This patch adds missing MODULE_ALIAS for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 8def31034d033 ("cpufreq: arm_big_little: add SCPI interface driver") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit e08e2383ab6759bdd5ef4a27a9488324ebc280e1 Author: Pali Rohár Date: Tue Nov 3 16:11:37 2020 +0100 cpufreq: loongson1: Add missing MODULE_ALIAS [ Upstream commit b9acab091842ca8b288882798bb809f7abf5408a ] This patch adds missing MODULE_ALIAS for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: a0a22cf14472f ("cpufreq: Loongson1: Add cpufreq driver for Loongson1B") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 67175426777ce29e9d2a5d2ec1f6b76c6f870934 Author: Pali Rohár Date: Tue Nov 3 16:11:35 2020 +0100 cpufreq: st: Add missing MODULE_DEVICE_TABLE [ Upstream commit 183747ab52654eb406fc6b5bfb40806b75d31811 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: ab0ea257fc58d ("cpufreq: st: Provide runtime initialised driver for ST's platforms") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 5bf3f2a4a277d27502fe88767600c1276e7d4b82 Author: Pali Rohár Date: Tue Nov 3 16:11:33 2020 +0100 cpufreq: mediatek: Add missing MODULE_DEVICE_TABLE [ Upstream commit af6eca06501118af3e2ad46eee8edab20624b74e ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 501c574f4e3a5 ("cpufreq: mediatek: Add support of cpufreq to MT2701/MT7623 SoC") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 176c470470507f7208020bc9acb5c643a98b8ed9 Author: Pali Rohár Date: Tue Nov 3 16:11:32 2020 +0100 cpufreq: highbank: Add missing MODULE_DEVICE_TABLE [ Upstream commit 9433777a6e0aae27468d3434b75cd51bb88ff711 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 6754f556103be ("cpufreq / highbank: add support for highbank cpufreq") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 290a79f8afdd6ded217f3d5981c3c10143c4d551 Author: Keqian Zhu Date: Fri Dec 4 15:31:26 2020 +0800 clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI [ Upstream commit 8b7770b877d187bfdae1eaf587bd2b792479a31c ] ARM virtual counter supports event stream, it can only trigger an event when the trigger bit (the value of CNTKCTL_EL1.EVNTI) of CNTVCT_EL0 changes, so the actual period of event stream is 2^(cntkctl_evnti + 1). For example, when the trigger bit is 0, then virtual counter trigger an event for every two cycles. While we're at it, rework the way we compute the trigger bit position by making it more obvious that when bits [n:n-1] are both set (with n being the most significant bit), we pick bit (n + 1). Fixes: 037f637767a8 ("drivers: clocksource: add support for ARM architected timer event stream") Suggested-by: Marc Zyngier Signed-off-by: Keqian Zhu Acked-by: Marc Zyngier Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20201204073126.6920-3-zhukeqian1@huawei.com Signed-off-by: Sasha Levin commit 961b1dff00a0d108e64bcbd2b757d5f00bff5112 Author: Qinglang Miao Date: Sat Nov 28 18:19:59 2020 +0800 dm ioctl: fix error return code in target_message [ Upstream commit 4d7659bfbe277a43399a4a2d90fca141e70f29e1 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 2ca4c92f58f9 ("dm ioctl: prevent empty message") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 1d3b3ff7904e6a37b1cbbe870e8e69a4e801794c Author: Chuhong Yuan Date: Thu Dec 3 22:42:27 2020 +0800 ASoC: jz4740-i2s: add missed checks for clk_get() [ Upstream commit 1c1fb2653a0c2e3f310c07eacd8fc3a10e08c97a ] jz4740_i2s_set_sysclk() does not check the return values of clk_get(), while the file dereferences the pointers in clk_put(). Add the missed checks to fix it. Fixes: 11bd3dd1b7c2 ("ASoC: Add JZ4740 ASoC support") Signed-off-by: Chuhong Yuan Link: https://lore.kernel.org/r/20201203144227.418194-1-hslester96@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9d721c893dd1d7739f9b506c903ef07627f835e5 Author: Leon Romanovsky Date: Thu Oct 15 14:52:00 2020 +0300 net/mlx5: Properly convey driver version to firmware [ Upstream commit 907af0f0cab4ee5d5604f182ecec2c5b5119d294 ] mlx5 firmware expects driver version in specific format X.X.X, so make it always correct and based on real kernel version aligned with the driver. Fixes: 012e50e109fd ("net/mlx5: Set driver version into firmware") Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 4b6f80fb2902a5eaf69a3518881d9692c94e58e6 Author: Jing Xiangfeng Date: Wed Nov 25 09:47:18 2020 +0800 memstick: r592: Fix error return in r592_probe() [ Upstream commit db29d3d1c2451e673e29c7257471e3ce9d50383a ] Fix to return a error code from the error handling case instead of 0. Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") Signed-off-by: Jing Xiangfeng Link: https://lore.kernel.org/r/20201125014718.153563-1-jingxiangfeng@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 06bfebfa88d9b91883ba45cf5264ff4f1e010a16 Author: Chen-Yu Tsai Date: Fri Dec 4 14:48:05 2020 +0800 arm64: dts: rockchip: Fix UART pull-ups on rk3328 [ Upstream commit 94dad6bed3c86c00050bf7c2b2ad6b630facae31 ] For UARTs, the local pull-ups should be on the RX pin, not the TX pin. UARTs transmit active-low, so a disconnected RX pin should be pulled high instead of left floating to prevent noise being interpreted as transmissions. This gets rid of bogus sysrq events when the UART console is not connected. Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20201204064805.6480-1-wens@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 7cc1056d2cc5caa8236139ef56e3688e869647b8 Author: Yu Kuai Date: Thu Nov 19 09:12:19 2020 +0800 pinctrl: falcon: add missing put_device() call in pinctrl_falcon_probe() [ Upstream commit 89cce2b3f247a434ee174ab6803698041df98014 ] if of_find_device_by_node() succeed, pinctrl_falcon_probe() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: e316cb2b16bb ("OF: pinctrl: MIPS: lantiq: adds support for FALCON SoC") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20201119011219.2248232-1-yukuai3@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 3a49b50a7fdd12679c5c9b1fd2fc8ae2fb9269df Author: Claudiu Beznea Date: Wed Dec 2 11:57:05 2020 +0200 ARM: dts: at91: sama5d2: map securam as device [ Upstream commit 9b5dcc8d427e2bcb84c49eb03ffefe11e7537a55 ] Due to strobe signal not being propagated from CPU to securam the securam needs to be mapped as device or strongly ordered memory to work properly. Otherwise, updating to one offset may affect the adjacent locations in securam. Fixes: d4ce5f44d4409 ("ARM: dts: at91: sama5d2: Add securam node") Signed-off-by: Claudiu Beznea Signed-off-by: Alexandre Belloni Acked-by: Nicolas Ferre Link: https://lore.kernel.org/r/1606903025-14197-3-git-send-email-claudiu.beznea@microchip.com Signed-off-by: Sasha Levin commit 6b909b090c9a96147bd0217d06886a003a8fb058 Author: Yu Kuai Date: Mon Nov 16 21:51:23 2020 +0800 clocksource/drivers/cadence_ttc: Fix memory leak in ttc_setup_clockevent() [ Upstream commit eee422c46e6840a81c9db18a497b74387a557b29 ] If clk_notifier_register() failed, ttc_setup_clockevent() will return without freeing 'ttcce', which will leak memory. Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") Reported-by: Hulk Robot Signed-off-by: Yu Kuai Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20201116135123.2164033-1-yukuai3@huawei.com Signed-off-by: Sasha Levin commit 49eee6e8d0ec388d1b7bd341577a6704b5a22173 Author: Dan Carpenter Date: Tue Nov 17 08:23:40 2020 +0100 media: saa7146: fix array overflow in vidioc_s_audio() [ Upstream commit 8e4d86e241cf035d6d3467cd346e7ce490681937 ] The "a->index" value comes from the user via the ioctl. The problem is that the shift can wrap resulting in setting "mxb->cur_audinput" to an invalid value, which later results in an array overflow. Fixes: 6680427791c9 ("[media] mxb: fix audio handling") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fd92357861bba91f4d8b3028d3a59e9547a52aad Author: Jason Gunthorpe Date: Thu Nov 5 12:34:58 2020 -0400 vfio-pci: Use io_remap_pfn_range() for PCI IO memory [ Upstream commit 7b06a56d468b756ad6bb43ac21b11e474ebc54a0 ] commit f8f6ae5d077a ("mm: always have io_remap_pfn_range() set pgprot_decrypted()") allows drivers using mmap to put PCI memory mapped BAR space into userspace to work correctly on AMD SME systems that default to all memory encrypted. Since vfio_pci_mmap_fault() is working with PCI memory mapped BAR space it should be calling io_remap_pfn_range() otherwise it will not work on SME systems. Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking") Signed-off-by: Jason Gunthorpe Acked-by: Peter Xu Tested-by: Tom Lendacky Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit fdfb060d5eba141bac4a2b24405afda9141a267e Author: NeilBrown Date: Fri Nov 27 11:24:33 2020 +1100 NFS: switch nfsiod to be an UNBOUND workqueue. [ Upstream commit bf701b765eaa82dd164d65edc5747ec7288bb5c3 ] nfsiod is currently a concurrency-managed workqueue (CMWQ). This means that workitems scheduled to nfsiod on a given CPU are queued behind all other work items queued on any CMWQ on the same CPU. This can introduce unexpected latency. Occaionally nfsiod can even cause excessive latency. If the work item to complete a CLOSE request calls the final iput() on an inode, the address_space of that inode will be dismantled. This takes time proportional to the number of in-memory pages, which on a large host working on large files (e.g.. 5TB), can be a large number of pages resulting in a noticable number of seconds. We can avoid these latency problems by switching nfsiod to WQ_UNBOUND. This causes each concurrent work item to gets a dedicated thread which can be scheduled to an idle CPU. There is precedent for this as several other filesystems use WQ_UNBOUND workqueue for handling various async events. Signed-off-by: NeilBrown Fixes: ada609ee2ac2 ("workqueue: use WQ_MEM_RECLAIM instead of WQ_RESCUER") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 4c73fdfad17fce17567f59a97f8e9dfd851e50dd Author: Calum Mackay Date: Wed Oct 28 20:16:27 2020 +0000 lockd: don't use interval-based rebinding over TCP [ Upstream commit 9b82d88d5976e5f2b8015d58913654856576ace5 ] NLM uses an interval-based rebinding, i.e. it clears the transport's binding under certain conditions if more than 60 seconds have elapsed since the connection was last bound. This rebinding is not necessary for an autobind RPC client over a connection-oriented protocol like TCP. It can also cause problems: it is possible for nlm_bind_host() to clear XPRT_BOUND whilst a connection worker is in the middle of trying to reconnect, after it had already been checked in xprt_connect(). When the connection worker notices that XPRT_BOUND has been cleared under it, in xs_tcp_finish_connecting(), that results in: xs_tcp_setup_socket: connect returned unhandled error -107 Worse, it's possible that the two can get into lockstep, resulting in the same behaviour repeated indefinitely, with the above error every 300 seconds, without ever recovering, and the connection never being established. This has been seen in practice, with a large number of NLM client tasks, following a server restart. The existing callers of nlm_bind_host & nlm_rebind_host should not need to force the rebind, for TCP, so restrict the interval-based rebinding to UDP only. For TCP, we will still rebind when needed, e.g. on timeout, and connection error (including closure), since connection-related errors on an existing connection, ECONNREFUSED when trying to connect, and rpc_check_timeout(), already unconditionally clear XPRT_BOUND. To avoid having to add the fix, and explanation, to both nlm_bind_host() and nlm_rebind_host(), remove the duplicate code from the former, and have it call the latter. Drop the dprintk, which adds no value over a trace. Signed-off-by: Calum Mackay Fixes: 35f5a422ce1a ("SUNRPC: new interface to force an RPC rebind") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 145319025727fce713592f8be50dbda196f3b632 Author: Trond Myklebust Date: Fri Nov 6 16:33:38 2020 -0500 SUNRPC: xprt_load_transport() needs to support the netid "rdma6" [ Upstream commit d5aa6b22e2258f05317313ecc02efbb988ed6d38 ] According to RFC5666, the correct netid for an IPv6 addressed RDMA transport is "rdma6", which we've supported as a mount option since Linux-4.7. The problem is when we try to load the module "xprtrdma6", that will fail, since there is no modulealias of that name. Fixes: 181342c5ebe8 ("xprtrdma: Add rdma6 option to support NFS/RDMA IPv6") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b49908be74e9270789b37c7ee5c507638b927569 Author: Olga Kornievskaia Date: Fri Nov 6 16:03:38 2020 -0500 NFSv4.2: condition READDIR's mask for security label based on LSM state [ Upstream commit 05ad917561fca39a03338cb21fe9622f998b0f9c ] Currently, the client will always ask for security_labels if the server returns that it supports that feature regardless of any LSM modules (such as Selinux) enforcing security policy. This adds performance penalty to the READDIR operation. Client adjusts superblock's support of the security_label based on the server's support but also current client's configuration of the LSM modules. Thus, prior to using the default bitmask in READDIR, this patch checks the server's capabilities and then instructs READDIR to remove FATTR4_WORD2_SECURITY_LABEL from the bitmask. v5: fixing silly mistakes of the rushed v4 v4: simplifying logic v3: changing label's initialization per Ondrej's comment v2: dropping selinux hook and using the sb cap. Suggested-by: Ondrej Mosnacek Suggested-by: Scott Mayhew Signed-off-by: Olga Kornievskaia Fixes: 2b0143b5c986 ("VFS: normal filesystems (and lustre): d_inode() annotations") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit f3e4dc31829a45f86219a85cb1cb050eb981425c Author: Christophe JAILLET Date: Tue Nov 24 17:59:18 2020 +0200 ath10k: Release some resources in an error handling path [ Upstream commit 6364e693f4a7a89a2fb3dd2cbd6cc06d5fd6e26d ] Should an error occur after calling 'ath10k_usb_create()', it should be undone by a corresponding 'ath10k_usb_destroy()' call Fixes: 4db66499df91 ("ath10k: add initial USB support") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201122170358.1346065-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit bb4184ac69a85728a72b34a3d51fefd00c4e2573 Author: Christophe JAILLET Date: Tue Nov 24 17:59:18 2020 +0200 ath10k: Fix an error handling path [ Upstream commit ed3573bc3943c27d2d8e405a242f87ed14572ca1 ] If 'ath10k_usb_create()' fails, we should release some resources and report an error instead of silently continuing. Fixes: 4db66499df91 ("ath10k: add initial USB support") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201122170342.1346011-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 406032a23ed582464deedb4ea66d10f7be163f26 Author: Alexandre Belloni Date: Sat Nov 28 23:28:17 2020 +0100 ARM: dts: at91: at91sam9rl: fix ADC triggers [ Upstream commit 851a95da583c26e2ddeb7281e9b61f0d76ea5aba ] The triggers for the ADC were taken from at91sam9260 dtsi but are not correct. Fixes: a4c1d6c75822 ("ARM: at91/dt: sam9rl: add lcd, adc, usb gadget and pwm support") Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20201128222818.1910764-10-alexandre.belloni@bootlin.com Signed-off-by: Sasha Levin commit 7fcf95151446fc15af699b9e559318c804b70d78 Author: Bharat Gooty Date: Thu Oct 1 11:30:52 2020 +0530 PCI: iproc: Fix out-of-bound array accesses [ Upstream commit a3ff529f5d368a17ff35ada8009e101162ebeaf9 ] Declare the full size array for all revisions of PAX register sets to avoid potentially out of bound access of the register array when they are being initialized in iproc_pcie_rev_init(). Link: https://lore.kernel.org/r/20201001060054.6616-2-srinath.mannam@broadcom.com Fixes: 06324ede76cdf ("PCI: iproc: Improve core register population") Signed-off-by: Bharat Gooty Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit d1874e36cb3d00ba53f9e7bc3ca58d3058659cee Author: Marc Zyngier Date: Sun Nov 29 13:55:51 2020 +0000 genirq/irqdomain: Don't try to free an interrupt that has no mapping [ Upstream commit 4615fbc3788ddc8e7c6d697714ad35a53729aa2c ] When an interrupt allocation fails for N interrupts, it is pretty common for the error handling code to free the same number of interrupts, no matter how many interrupts have actually been allocated. This may result in the domain freeing code to be unexpectedly called for interrupts that have no mapping in that domain. Things end pretty badly. Instead, add some checks to irq_domain_free_irqs_hierarchy() to make sure that thiss does not follow the hierarchy if no mapping exists for a given interrupt. Fixes: 6a6544e520abe ("genirq/irqdomain: Remove auto-recursive hierarchy support") Signed-off-by: Marc Zyngier Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20201129135551.396777-1-maz@kernel.org Signed-off-by: Sasha Levin commit b2a2eea570d19ec0ec93dab18c78beb62d80fe78 Author: Zhang Qilong Date: Mon Nov 2 22:33:21 2020 +0800 power: supply: bq24190_charger: fix reference leak [ Upstream commit b2f6cb78eaa1cad57dd3fe11d0458cd4fae9a584 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to call pm_runtime_put_noidle will result in reference leak in callers(bq24190_sysfs_show, bq24190_charger_get_property, bq24190_charger_set_property, bq24190_battery_get_property, bq24190_battery_set_property), so we should fix it. Fixes: f385e6e2a1532 ("power: bq24190_charger: Use PM runtime autosuspend") Signed-off-by: Zhang Qilong Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 0849d36184202130dd287389cd547030e167550e Author: Chris Packham Date: Tue Sep 8 09:17:11 2020 +1200 ARM: dts: Remove non-existent i2c1 from 98dx3236 [ Upstream commit 7f24479ead579459106bb55c2320a000135731f9 ] The switches with integrated CPUs have only got a single i2c controller. They incorrectly gained one when they were split from the Armada-XP. Fixes: 43e28ba87708 ("ARM: dts: Use armada-370-xp as a base for armada-xp-98dx3236") Signed-off-by: Chris Packham Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit e28b2e0660029ab7d0f4f052d8f4cfeb4960cdd2 Author: Jing Xiangfeng Date: Mon Oct 12 10:56:43 2020 +0800 HSI: omap_ssi: Don't jump to free ID in ssi_add_controller() [ Upstream commit 41fff6e19bc8d6d8bca79ea388427c426e72e097 ] In current code, it jumps to ida_simple_remove() when ida_simple_get() failes to allocate an ID. Just return to fix it. Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module") Signed-off-by: Jing Xiangfeng Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 210c83dfa978c0cd83b9385f26eede4df1ac7dea Author: Dan Carpenter Date: Wed Mar 4 15:23:12 2020 +0100 media: max2175: fix max2175_set_csm_mode() error code [ Upstream commit 9b1b0cb0636166187478ef68d5b95f5caea062ec ] This is supposed to return negative error codes but the type is bool so it returns true instead. Fixes: b47b79d8a231 ("[media] media: i2c: max2175: Add MAX2175 support") Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 40306ef7a2328203618e36de442ea8bcfc9c3cc5 Author: Qinglang Miao Date: Fri Nov 20 15:48:47 2020 +0800 mips: cdmm: fix use-after-free in mips_cdmm_bus_discover [ Upstream commit f0e82242b16826077a2775eacfe201d803bb7a22 ] kfree(dev) has been called inside put_device so anther kfree would cause a use-after-free bug/ Fixes: 8286ae03308c ("MIPS: Add CDMM bus support") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Acked-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit a3234493efd00f5de2e11906763e20d83fbea36c Author: Daniel T. Lee Date: Tue Nov 24 09:03:09 2020 +0000 samples: bpf: Fix lwt_len_hist reusing previous BPF map [ Upstream commit 0afe0a998c40085a6342e1aeb4c510cccba46caf ] Currently, lwt_len_hist's map lwt_len_hist_map is uses pinning, and the map isn't cleared on test end. This leds to reuse of that map for each test, which prevents the results of the test from being accurate. This commit fixes the problem by removing of pinned map from bpffs. Also, this commit add the executable permission to shell script files. Fixes: f74599f7c5309 ("bpf: Add tests and samples for LWT-BPF") Signed-off-by: Daniel T. Lee Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20201124090310.24374-7-danieltimlee@gmail.com Signed-off-by: Sasha Levin commit baa2d9f9ac23936801b5e862e68e2ae9636c2d2d Author: Keita Suzuki Date: Wed Sep 9 14:56:57 2020 +0200 media: siano: fix memory leak of debugfs members in smsdvb_hotplug [ Upstream commit abf287eeff4c6da6aa804bbd429dfd9d0dfb6ea7 ] When dvb_create_media_graph fails, the debugfs kept inside client should be released. However, the current implementation does not release them. Fix this by adding a new goto label to call smsdvb_debugfs_release. Fixes: 0d3ab8410dcb ("[media] dvb core: must check dvb_create_media_graph()") Signed-off-by: Keita Suzuki Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 81dfcd5256280cdc45823a9484df9f0baf0511e6 Author: Qinglang Miao Date: Thu Nov 19 15:08:42 2020 +0800 cw1200: fix missing destroy_workqueue() on error in cw1200_init_common [ Upstream commit 7ec8a926188eb8e7a3cbaca43ec44f2d7146d71b ] Add the missing destroy_workqueue() before return from cw1200_init_common in the error handling case. Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201119070842.1011-1-miaoqinglang@huawei.com Signed-off-by: Sasha Levin commit 82f8873d22eb0c7144dc42d9638bd95f33c758cb Author: Sebastian Andrzej Siewior Date: Fri Nov 13 22:22:43 2020 +0100 orinoco: Move context allocation after processing the skb [ Upstream commit a31eb615646a63370aa1da1053c45439c7653d83 ] ezusb_xmit() allocates a context which is leaked if orinoco_process_xmit_skb() returns an error. Move ezusb_alloc_ctx() after the invocation of orinoco_process_xmit_skb() because the context is not needed so early. ezusb_access_ltv() will cleanup the context in case of an error. Fixes: bac6fafd4d6a0 ("orinoco: refactor xmit path") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201113212252.2243570-2-bigeasy@linutronix.de Signed-off-by: Sasha Levin commit 4a3ed2f2f8082037ecaf16caa6394404e7ada895 Author: Cristian Birsan Date: Wed Nov 18 14:00:19 2020 +0200 ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host [ Upstream commit e1062fa7292f1e3744db0a487c4ac0109e09b03d ] The pincontrol node is needed for USB Host since Linux v5.7-rc1. Without it the driver probes but VBus is not powered because of wrong pincontrol configuration. Fixes: b7c2b61570798 ("ARM: at91: add Atmel's SAMA5D3 Xplained board") Signed-off-by: Cristian Birsan Signed-off-by: Alexandre Belloni Acked-by: Ludovic Desroches Link: https://lore.kernel.org/r/20201118120019.1257580-4-cristian.birsan@microchip.com Signed-off-by: Sasha Levin commit d17726a5a7386105ce5f0a06af3a2ee2a7ffe916 Author: Cristian Birsan Date: Wed Nov 18 14:00:18 2020 +0200 ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host [ Upstream commit be4dd2d448816a27c1446f8f37fce375daf64148 ] The pincontrol node is needed for USB Host since Linux v5.7-rc1. Without it the driver probes but VBus is not powered because of wrong pincontrol configuration. Fixes: 38153a017896f ("ARM: at91/dt: sama5d4: add dts for sama5d4 xplained board") Signed-off-by: Cristian Birsan Signed-off-by: Alexandre Belloni Acked-by: Ludovic Desroches Link: https://lore.kernel.org/r/20201118120019.1257580-3-cristian.birsan@microchip.com Signed-off-by: Sasha Levin commit ba327081d8bdc40b2b4843fd852680f2dabfdd70 Author: Qinglang Miao Date: Fri Nov 20 15:48:46 2020 +0800 memstick: fix a double-free bug in memstick_check [ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ] kfree(host->card) has been called in put_device so that another kfree would raise cause a double-free bug. Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Link: https://lore.kernel.org/r/20201120074846.31322-1-miaoqinglang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 44ada2f76ae761de80de7cb1f14b814a5c91da0a Author: Kamal Heib Date: Sun Nov 8 15:20:07 2020 +0200 RDMA/cxgb4: Validate the number of CQEs [ Upstream commit 6d8285e604e0221b67bd5db736921b7ddce37d00 ] Before create CQ, make sure that the requested number of CQEs is in the supported range. Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") Link: https://lore.kernel.org/r/20201108132007.67537-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b07741c68fd7405aec9428542512e7124187f54d Author: Zhang Qilong Date: Fri Nov 20 16:36:49 2020 -0800 Input: omap4-keypad - fix runtime PM error handling [ Upstream commit 59bbf83835f591b95c3bdd09d900f3584fa227af ] In omap4_keypad_probe, the patch fix several bugs. 1) pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak. 2) In err_unmap, forget to disable runtime of device, pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced. 3) In err_pm_disable, it will call pm_runtime_put_sync twice not one time. To fix this we factor out code reading revision and disabling touchpad, and drop PM reference once we are done talking to the device. Fixes: f77621cc640a7 ("Input: omap-keypad - dynamically handle register offsets") Fixes: 5ad567ffbaf20 ("Input: omap4-keypad - wire up runtime PM handling") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201120133918.2559681-1-zhangqilong3@huawei.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 2bdb7907b12b99126c1ff64f55dbb089c640d192 Author: Zhihao Cheng Date: Sat Nov 21 19:22:38 2020 -0800 drivers: soc: ti: knav_qmss_queue: Fix error return code in knav_queue_probe [ Upstream commit 4cba398f37f868f515ff12868418dc28574853a1 ] Fix to return the error code from of_get_child_by_name() instaed of 0 in knav_queue_probe(). Fixes: 41f93af900a20d1a0a ("soc: ti: add Keystone Navigator QMSS driver") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Signed-off-by: Santosh Shilimkar Signed-off-by: Sasha Levin commit 0477232db1bc5ac481e627d594fc0735ec618d1b Author: Zhang Qilong Date: Sat Nov 21 19:22:37 2020 -0800 soc: ti: Fix reference imbalance in knav_dma_probe [ Upstream commit b4fa73358c306d747a2200aec6f7acb97e5750e6 ] The patch fix two reference leak. 1) pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to call put operation will result in reference leak. 2) The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced. We fix it by: 1) adding call pm_runtime_put_noidle or pm_runtime_put_sync in error handling. 2) adding pm_runtime_disable in error handling, to keep usage counter and disable depth balanced. Fixes: 88139ed030583 ("soc: ti: add Keystone Navigator DMA support") Signed-off-by: Zhang Qilong Signed-off-by: Santosh Shilimkar Signed-off-by: Sasha Levin commit 4f3670e788ad1b281b921f6969f9f434a940713f Author: Zhang Qilong Date: Sat Nov 21 19:22:00 2020 -0800 soc: ti: knav_qmss: fix reference leak in knav_queue_probe [ Upstream commit ec8684847d8062496c4619bc3fcff31c19d56847 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in knav_queue_probe, so we should fix it. Fixes: 41f93af900a20 ("soc: ti: add Keystone Navigator QMSS driver") Signed-off-by: Zhang Qilong Signed-off-by: Santosh Shilimkar Signed-off-by: Sasha Levin commit 91accbe92aa77ef03530b27ac21af333afb3aea3 Author: Zhang Qilong Date: Fri Nov 13 21:17:28 2020 +0800 crypto: omap-aes - Fix PM disable depth imbalance in omap_aes_probe [ Upstream commit ff8107200367f4abe0e5bce66a245e8d0f2d229e ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: f7b2b5dd6a62a ("crypto: omap-aes - add error check for pm_runtime_get_sync") Signed-off-by: Zhang Qilong Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 606e7de7844f5880ab8339b70a81ea9312773f3f Author: Christophe Leroy Date: Tue Nov 3 18:07:12 2020 +0000 powerpc/feature: Fix CPU_FTRS_ALWAYS by removing CPU_FTRS_GENERIC_32 [ Upstream commit 78665179e569c7e1fe102fb6c21d0f5b6951f084 ] On 8xx, we get the following features: [ 0.000000] cpu_features = 0x0000000000000100 [ 0.000000] possible = 0x0000000000000120 [ 0.000000] always = 0x0000000000000000 This is not correct. As CONFIG_PPC_8xx is mutually exclusive with all other configurations, the three lines should be equal. The problem is due to CPU_FTRS_GENERIC_32 which is taken when CONFIG_BOOK3S_32 is NOT selected. This CPU_FTRS_GENERIC_32 is pointless because there is no generic configuration supporting all 32 bits but book3s/32. Remove this pointless generic features definition to unbreak the calculation of 'possible' features and 'always' features. Fixes: 76bc080ef5a3 ("[POWERPC] Make default cputable entries reflect selected CPU family") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/76a85f30bf981d1aeaae00df99321235494da254.1604426550.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 3fcdb76ad9ab04fdd6c601a22753572a25debbf4 Author: Dmitry Torokhov Date: Wed Nov 11 17:17:11 2020 -0800 Input: ads7846 - fix unaligned access on 7845 [ Upstream commit 03e2c9c782f721b661a0e42b1b58f394b5298544 ] req->sample[1] is not naturally aligned at word boundary, and therefore we should use get_unaligned_be16() when accessing it. Fixes: 3eac5c7e44f3 ("Input: ads7846 - extend the driver for ads7845 controller support") Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 792d9e75649e77221d4ee1053b0fc9050d59cc44 Author: Oleksij Rempel Date: Tue Nov 17 15:33:24 2020 -0800 Input: ads7846 - fix integer overflow on Rt calculation [ Upstream commit 820830ec918f6c3dcd77a54a1c6198ab57407916 ] In some rare cases the 32 bit Rt value will overflow if z2 and x is max, z1 is minimal value and x_plate_ohms is relatively high (for example 800 ohm). This would happen on some screen age with low pressure. There are two possible fixes: - make Rt 64bit - reorder calculation to avoid overflow The second variant seems to be preferable, since 64 bit calculation on 32 bit system is a bit more expensive. Fixes: ffa458c1bd9b6f653008d450f337602f3d52a646 ("spi: ads7846 driver") Co-developed-by: David Jander Signed-off-by: David Jander Signed-off-by: Oleksij Rempel Link: https://lore.kernel.org/r/20201113112240.1360-1-o.rempel@pengutronix.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 9f2dadeb11603ab0994c8353817b4cb90d22d2e7 Author: David Jander Date: Wed Nov 11 11:00:59 2020 -0800 Input: ads7846 - fix race that causes missing releases [ Upstream commit e52cd628a03f72a547dbf90ccb703ee64800504a ] If touchscreen is released while busy reading HWMON device, the release can be missed. The IRQ thread is not started because no touch is active and BTN_TOUCH release event is never sent. Fixes: f5a28a7d4858f94a ("Input: ads7846 - avoid pen up/down when reading hwmon") Co-developed-by: Oleksij Rempel Signed-off-by: David Jander Signed-off-by: Oleksij Rempel Link: https://lore.kernel.org/r/20201027105416.18773-1-o.rempel@pengutronix.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 8c2031e5c0700ea30df3beae92d70f5f053f5cdb Author: Yang Yingliang Date: Tue Nov 17 14:10:45 2020 +0800 drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() [ Upstream commit 723ae803218da993143387bf966042eccefac077 ] Return -ENOMEM when allocating refill memory failed. Fixes: 71e8831f6407 ("drm/omap: DMM/TILER support for OMAP4+ platform") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20201117061045.3452287-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 64c9494d5edd4d6fdf524d7d96684d1a6f7d082b Author: Qinglang Miao Date: Wed Nov 11 04:22:01 2020 +0100 media: solo6x10: fix missing snd_card_free in error handling case [ Upstream commit dcdff74fa6bc00c32079d0bebd620764c26f2d89 ] Fix to goto snd_error in error handling case when fails to do snd_ctl_add, as done elsewhere in this function. Fixes: 28cae868cd24 ("[media] solo6x10: move out of staging into drivers/media/pci.") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 29f360c2807e9a27ea6da3453b16770dbf54bf8e Author: Martin Wilck Date: Thu Oct 29 18:08:45 2020 +0100 scsi: core: Fix VPD LUN ID designator priorities [ Upstream commit 2e4209b3806cda9b89c30fd5e7bfecb7044ec78b ] The current implementation of scsi_vpd_lun_id() uses the designator length as an implicit measure of priority. This works most of the time, but not always. For example, some Hitachi storage arrays return this in VPD 0x83: VPD INQUIRY: Device Identification page Designation descriptor number 1, descriptor length: 24 designator_type: T10 vendor identification, code_set: ASCII associated with the Addressed logical unit vendor id: HITACHI vendor specific: 5030C3502025 Designation descriptor number 2, descriptor length: 6 designator_type: vendor specific [0x0], code_set: Binary associated with the Target port vendor specific: 08 03 Designation descriptor number 3, descriptor length: 20 designator_type: NAA, code_set: Binary associated with the Addressed logical unit NAA 6, IEEE Company_id: 0x60e8 Vendor Specific Identifier: 0x7c35000 Vendor Specific Identifier Extension: 0x30c35000002025 [0x60060e8007c350000030c35000002025] The current code would use the first descriptor because it's longer than the NAA descriptor. But this is wrong, the kernel is supposed to prefer NAA descriptors over T10 vendor ID. Designator length should only be used to compare designators of the same type. This patch addresses the issue by separating designator priority and length. Link: https://lore.kernel.org/r/20201029170846.14786-1-mwilck@suse.com Fixes: 9983bed3907c ("scsi: Add scsi_vpd_lun_id()") Reviewed-by: Hannes Reinecke Signed-off-by: Martin Wilck Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aa2c75ce06dc79c12639ffbf469d4507f8dfc068 Author: Yu Kuai Date: Fri Oct 9 14:38:02 2020 +0200 media: mtk-vcodec: add missing put_device() call in mtk_vcodec_release_dec_pm() [ Upstream commit 27c3943683f74e35e1d390ceb2e3639eff616ad6 ] mtk_vcodec_release_dec_pm() will be called in two places: a. mtk_vcodec_init_dec_pm() succeed while mtk_vcodec_probe() return error. b. mtk_vcodec_dec_remove(). In both cases put_device() call is needed, since of_find_device_by_node() was called in mtk_vcodec_init_dec_pm() previously. Thus add put_devices() call in mtk_vcodec_release_dec_pm() Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Yu Kuai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 57080b740dd211892da38520434e6dbd7b0a1ce7 Author: Zhang Qilong Date: Mon Nov 9 21:13:46 2020 +0800 staging: greybus: codecs: Fix reference counter leak in error handling [ Upstream commit 3952659a6108f77a0d062d8e8487bdbdaf52a66c ] gb_pm_runtime_get_sync has increased the usage counter of the device here. Forgetting to call gb_pm_runtime_put_noidle will result in usage counter leak in the error branch of (gbcodec_hw_params and gbcodec_prepare). We fixed it by adding it. Fixes: c388ae7696992 ("greybus: audio: Update pm runtime support in dai_ops callback") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201109131347.1725288-2-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 71da483c1d89e2f4153cf86c25e1cbfe7198bc45 Author: Necip Fazil Yildiran Date: Tue Nov 3 00:34:01 2020 +0300 MIPS: BCM47XX: fix kconfig dependency bug for BCM47XX_BCMA [ Upstream commit 3a5fe2fb9635c43359c9729352f45044f3c8df6b ] When BCM47XX_BCMA is enabled and BCMA_DRIVER_PCI is disabled, it results in the following Kbuild warning: WARNING: unmet direct dependencies detected for BCMA_DRIVER_PCI_HOSTMODE Depends on [n]: MIPS [=y] && BCMA_DRIVER_PCI [=n] && PCI_DRIVERS_LEGACY [=y] && BCMA [=y]=y Selected by [y]: - BCM47XX_BCMA [=y] && BCM47XX [=y] && PCI [=y] The reason is that BCM47XX_BCMA selects BCMA_DRIVER_PCI_HOSTMODE without depending on or selecting BCMA_DRIVER_PCI while BCMA_DRIVER_PCI_HOSTMODE depends on BCMA_DRIVER_PCI. This can also fail building the kernel. Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures. Fixes: c1d1c5d4213e ("bcm47xx: add support for bcma bus") Link: https://bugzilla.kernel.org/show_bug.cgi?id=209879 Signed-off-by: Necip Fazil Yildiran Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 070e410c4cbdc698e4dcca47cc741c87d69c411b Author: Arnd Bergmann Date: Mon Oct 26 22:12:30 2020 +0100 RDMa/mthca: Work around -Wenum-conversion warning [ Upstream commit fbb7dc5db6dee553b5a07c27e86364a5223e244c ] gcc points out a suspicious mixing of enum types in a function that converts from MTHCA_OPCODE_* values to IB_WC_* values: drivers/infiniband/hw/mthca/mthca_cq.c: In function 'mthca_poll_one': drivers/infiniband/hw/mthca/mthca_cq.c:607:21: warning: implicit conversion from 'enum ' to 'enum ib_wc_opcode' [-Wenum-conversion] 607 | entry->opcode = MTHCA_OPCODE_INVALID; Nothing seems to ever check for MTHCA_OPCODE_INVALID again, no idea if this is meaningful, but it seems harmless as it deals with an invalid input. Remove MTHCA_OPCODE_INVALID and set the ib_wc_opcode to 0xFF, which is still bogus, but at least doesn't make compiler warnings. Fixes: 2a4443a69934 ("[PATCH] IB/mthca: fill in opcode field for send completions") Link: https://lore.kernel.org/r/20201026211311.3887003-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 524321a0ef36caf0b7a9d3e63812724bc5723ee6 Author: Zhang Qilong Date: Wed Nov 11 21:09:20 2020 +0800 ASoC: arizona: Fix a wrong free in wm8997_probe [ Upstream commit 5e7aace13df24ff72511f29c14ebbfe638ef733c ] In the normal path, we should not free the arizona, we should return immediately. It will be free when call remove operation. Fixes: 31833ead95c2c ("ASoC: arizona: Move request of speaker IRQs into bus probe") Reported-by: Richard Fitzgerald Signed-off-by: Zhang Qilong Acked-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20201111130923.220186-2-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bfb632881b41bed999055f450b2730a1a40bce88 Author: Zhang Qilong Date: Wed Nov 11 12:13:26 2020 +0800 ASoC: wm8998: Fix PM disable depth imbalance on error [ Upstream commit 193aa0a043645220d2a2f783ba06ae13d4601078 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 31833ead95c2c ("ASoC: arizona: Move request of speaker IRQs into bus probe") Signed-off-by: Zhang Qilong Reviewed-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20201111041326.1257558-4-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ec2851c66adf14f29fe02746113e57bad4815084 Author: Tsuchiya Yuto Date: Wed Oct 28 23:21:09 2020 +0900 mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure [ Upstream commit fa74cb1dc0f4da46c441b735ca865ac52de42c0e ] When a PCIe function level reset (FLR) is performed but without fw reset for some reasons (e.g., on Microsoft Surface devices, fw reset requires other quirks), it fails to reset wifi properly. You can trigger the issue on such devices via debugfs entry for reset: $ echo 1 | sudo tee /sys/kernel/debug/mwifiex/mlan0/reset and the resulting dmesg log: [ 45.740508] mwifiex_pcie 0000:03:00.0: Resetting per request [ 45.742937] mwifiex_pcie 0000:03:00.0: info: successfully disconnected from [BSSID]: reason code 3 [ 45.744666] mwifiex_pcie 0000:03:00.0: info: shutdown mwifiex... [ 45.751530] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.751539] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771691] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771695] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771697] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771698] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771699] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771701] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771702] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771703] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771704] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771705] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771707] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771708] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 53.099343] mwifiex_pcie 0000:03:00.0: info: trying to associate to '[SSID]' bssid [BSSID] [ 53.241870] mwifiex_pcie 0000:03:00.0: info: associated to bssid [BSSID] successfully [ 75.377942] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 85.385491] mwifiex_pcie 0000:03:00.0: info: successfully disconnected from [BSSID]: reason code 15 [ 87.539408] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 87.539412] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 99.699917] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 99.699925] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 111.859802] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 111.859808] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [...] When comparing mwifiex_shutdown_sw() with mwifiex_pcie_remove(), it lacks mwifiex_init_shutdown_fw(). This commit fixes mwifiex_shutdown_sw() by adding the missing mwifiex_init_shutdown_fw(). Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support") Signed-off-by: Tsuchiya Yuto Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201028142110.18144-2-kitakar@gmail.com Signed-off-by: Sasha Levin commit 8b564332bd89af8c75fd099c3dacd1e083880379 Author: Zhang Qilong Date: Tue Nov 3 22:13:06 2020 +0800 spi: tegra114: fix reference leak in tegra spi ops [ Upstream commit a042184c7fb99961ea083d4ec192614bec671969 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in two callers(tegra_spi_setup and tegra_spi_resume), so we should fix it. Fixes: f333a331adfac ("spi/tegra114: add spi driver") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103141306.5607-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 70a7d4e41de6433535040034064703e68ef8bfbb Author: Zhang Qilong Date: Tue Nov 3 22:13:23 2020 +0800 spi: tegra20-sflash: fix reference leak in tegra_sflash_resume [ Upstream commit 3482e797ab688da6703fe18d8bad52f94199f4f2 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in tegra_sflash_resume, so we should fix it. Fixes: 8528547bcc336 ("spi: tegra: add spi driver for sflash controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103141323.5841-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 345f6b3bfc9f41f00a4837139d7e04f8a245abfc Author: Zhang Qilong Date: Tue Nov 3 22:13:45 2020 +0800 spi: tegra20-slink: fix reference leak in slink ops of tegra20 [ Upstream commit 763eab7074f6e71babd85d796156f05a675f9510 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in two callers(tegra_slink_setup and tegra_slink_resume), so we should fix it. Fixes: dc4dc36056392 ("spi: tegra: add spi driver for SLINK controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103141345.6188-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1d0d30e1e5e6b846e919418111e9f2a959201179 Author: Zhang Qilong Date: Tue Nov 3 22:09:47 2020 +0800 spi: spi-ti-qspi: fix reference leak in ti_qspi_setup [ Upstream commit 45c0cba753641e5d7c3207f04241bd0e7a021698 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in ti_qspi_setup, so we should fix it. Fixes: 505a14954e2d7 ("spi/qspi: Add qspi flash controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103140947.3815-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4113f6f73f6e8d215609bde8c0c14ca9f8a476c5 Author: Anmol Karn Date: Wed Sep 30 19:48:13 2020 +0530 Bluetooth: Fix null pointer dereference in hci_event_packet() [ Upstream commit 6dfccd13db2ff2b709ef60a50163925d477549aa ] AMP_MGR is getting derefernced in hci_phy_link_complete_evt(), when called from hci_event_packet() and there is a possibility, that hcon->amp_mgr may not be found when accessing after initialization of hcon. - net/bluetooth/hci_event.c:4945 The bug seems to get triggered in this line: bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status. Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt") Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f Signed-off-by: Anmol Karn Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 9054435396d7e99e6ddece2c8481afc5e0f418dd Author: Paweł Chmiel Date: Sat Nov 7 14:39:26 2020 +0100 arm64: dts: exynos: Correct psci compatible used on Exynos7 [ Upstream commit e1e47fbca668507a81bb388fcae044b89d112ecc ] It's not possible to reboot or poweroff Exynos7420 using PSCI. Instead we need to use syscon reboot/poweroff drivers, like it's done for other Exynos SoCs. This was confirmed by checking vendor source and testing it on Samsung Galaxy S6 device based on this SoC. To be able to use custom restart/poweroff handlers instead of PSCI functions, we need to correct psci compatible. This also requires us to provide function ids for CPU_ON and CPU_OFF. Fixes: fb026cb65247 ("arm64: dts: Add reboot node for exynos7") Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7") Signed-off-by: Paweł Chmiel Link: https://lore.kernel.org/r/20201107133926.37187-2-pawel.mikolaj.chmiel@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 44f5d9fecd8038d79342e0d03e9acbd120c4621f Author: Paul Moore Date: Tue Nov 3 11:49:38 2020 -0500 selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling [ Upstream commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 ] A previous fix, commit 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()"), changed how failures were handled before a SELinux policy was loaded. Unfortunately that patch was potentially problematic for two reasons: it set the isec->initialized state without holding a lock, and it didn't set the inode's SELinux label to the "default" for the particular filesystem. The later can be a problem if/when a later attempt to revalidate the inode fails and SELinux reverts to the existing inode label. This patch should restore the default inode labeling that existed before the original fix, without affecting the LABEL_INVALID marking such that revalidation will still be attempted in the future. Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()") Reported-by: Sven Schnelle Tested-by: Sven Schnelle Reviewed-by: Ondrej Mosnacek Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 00a2ac6000203a0dc7d6ebf6be4fe288445d90de Author: Cezary Rojewski Date: Mon Oct 26 11:01:29 2020 +0100 ASoC: pcm: DRAIN support reactivation [ Upstream commit 4c22b80f61540ea99d9b4af0127315338755f05b ] soc-pcm's dpcm_fe_dai_do_trigger() supported DRAIN commnad up to kernel v5.4 where explicit switch(cmd) has been introduced which takes into account all SNDRV_PCM_TRIGGER_xxx but SNDRV_PCM_TRIGGER_DRAIN. Update switch statement to reactive support for it. As DRAIN is somewhat unique by lacking negative/stop counterpart, bring behaviour of dpcm_fe_dai_do_trigger() for said command back to its pre-v5.4 state by adding it to START/RESUME/PAUSE_RELEASE group. Fixes: acbf27746ecf ("ASoC: pcm: update FE/BE trigger order based on the command") Signed-off-by: Cezary Rojewski Reviewed-by: Ranjani Sridharan Link: https://lore.kernel.org/r/20201026100129.8216-1-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2e1efddfd9c40c022d7055b83ada90dadf93f9de Author: Zhang Qilong Date: Mon Nov 2 22:56:51 2020 +0800 spi: img-spfi: fix reference leak in img_spfi_resume [ Upstream commit ee5558a9084584015c8754ffd029ce14a5827fa8 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in img_spfi_resume, so we should fix it. Fixes: deba25800a12b ("spi: Add driver for IMG SPFI controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201102145651.3875-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fea0cdd44706b9c499df4f7cde40f6f75f501f7f Author: Christophe Leroy Date: Thu Oct 8 09:34:56 2020 +0000 crypto: talitos - Fix return type of current_desc_hdr() [ Upstream commit 0237616173fd363a54bd272aa3bd376faa1d7caa ] current_desc_hdr() returns a u32 but in fact this is a __be32, leading to a lot of sparse warnings. Change the return type to __be32 and ensure it is handled as sure by the caller. Fixes: 3e721aeb3df3 ("crypto: talitos - handle descriptor not found in error path") Signed-off-by: Christophe Leroy Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 1295b6d7e4c958c1667ea9641890c328ec5d822b Author: Thomas Gleixner Date: Tue Oct 20 16:46:55 2020 +0200 sched: Reenable interrupts in do_sched_yield() [ Upstream commit 345a957fcc95630bf5535d7668a59ed983eb49a7 ] do_sched_yield() invokes schedule() with interrupts disabled which is not allowed. This goes back to the pre git era to commit a6efb709806c ("[PATCH] irqlock patch 2.5.27-H6") in the history tree. Reenable interrupts and remove the misleading comment which "explains" it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/87r1pt7y5c.fsf@nanos.tec.linutronix.de Signed-off-by: Sasha Levin commit f4689cad10f5c92d1a2f5589ce1fba1c84b724e2 Author: Peng Liu Date: Thu Oct 8 23:49:42 2020 +0800 sched/deadline: Fix sched_dl_global_validate() [ Upstream commit a57415f5d1e43c3a5c5d412cd85e2792d7ed9b11 ] When change sched_rt_{runtime, period}_us, we validate that the new settings should at least accommodate the currently allocated -dl bandwidth: sched_rt_handler() --> sched_dl_bandwidth_validate() { new_bw = global_rt_runtime()/global_rt_period(); for_each_possible_cpu(cpu) { dl_b = dl_bw_of(cpu); if (new_bw < dl_b->total_bw) <------- ret = -EBUSY; } } But under CONFIG_SMP, dl_bw is per root domain , but not per CPU, dl_b->total_bw is the allocated bandwidth of the whole root domain. Instead, we should compare dl_b->total_bw against "cpus*new_bw", where 'cpus' is the number of CPUs of the root domain. Also, below annotation(in kernel/sched/sched.h) implied implementation only appeared in SCHED_DEADLINE v2[1], then deadline scheduler kept evolving till got merged(v9), but the annotation remains unchanged, meaningless and misleading, update it. * With respect to SMP, the bandwidth is given on a per-CPU basis, * meaning that: * - dl_bw (< 100%) is the bandwidth of the system (group) on each CPU; * - dl_total_bw array contains, in the i-eth element, the currently * allocated bandwidth on the i-eth CPU. [1]: https://lore.kernel.org/lkml/1267385230.13676.101.camel@Palantir/ Fixes: 332ac17ef5bf ("sched/deadline: Add bandwidth management for SCHED_DEADLINE tasks") Signed-off-by: Peng Liu Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Daniel Bristot de Oliveira Acked-by: Juri Lelli Link: https://lkml.kernel.org/r/db6bbda316048cda7a1bbc9571defde193a8d67e.1602171061.git.iwtbavbm@gmail.com Signed-off-by: Sasha Levin commit 93543a276647d0bfebfbca80f05367dc6c107b90 Author: Ard Biesheuvel Date: Mon Sep 21 00:10:16 2020 +0200 ARM: p2v: fix handling of LPAE translation in BE mode [ Upstream commit 4e79f0211b473f8e1eab8211a9fd50cc41a3a061 ] When running in BE mode on LPAE hardware with a PA-to-VA translation that exceeds 4 GB, we patch bits 39:32 of the offset into the wrong byte of the opcode. So fix that, by rotating the offset in r0 to the right by 8 bits, which will put the 8-bit immediate in bits 31:24. Note that this will also move bit #22 in its correct place when applying the rotation to the constant #0x400000. Fixes: d9a790df8e984 ("ARM: 7883/1: fix mov to mvn conversion in case of 64 bit phys_addr_t and BE") Acked-by: Nicolas Pitre Reviewed-by: Linus Walleij Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 3d0db14d7b9513a72567191feb33de7ee89b055b Author: Arvind Sankar Date: Tue Oct 27 19:06:48 2020 -0400 x86/mm/ident_map: Check for errors from ident_pud_init() [ Upstream commit 1fcd009102ee02e217f2e7635ab65517d785da8e ] Commit ea3b5e60ce80 ("x86/mm/ident_map: Add 5-level paging support") added ident_p4d_init() to support 5-level paging, but this function doesn't check and return errors from ident_pud_init(). For example, the decompressor stub uses this code to create an identity mapping. If it runs out of pages while trying to allocate a PMD pagetable, the error will be currently ignored. Fix this to propagate errors. [ bp: Space out statements for better readability. ] Fixes: ea3b5e60ce80 ("x86/mm/ident_map: Add 5-level paging support") Signed-off-by: Arvind Sankar Signed-off-by: Borislav Petkov Reviewed-by: Joerg Roedel Acked-by: Kirill A. Shutemov Link: https://lkml.kernel.org/r/20201027230648.1885111-1-nivedita@alum.mit.edu Signed-off-by: Sasha Levin commit 1100b71de7e5ebe01a73b7a162666568839b10fa Author: Bob Pearson Date: Tue Oct 13 12:07:42 2020 -0500 RDMA/rxe: Compute PSN windows correctly [ Upstream commit bb3ab2979fd69db23328691cb10067861df89037 ] The code which limited the number of unacknowledged PSNs was incorrect. The PSNs are limited to 24 bits and wrap back to zero from 0x00ffffff. The test was computing a 32 bit value which wraps at 32 bits so that qp->req.psn can appear smaller than the limit when it is actually larger. Replace '>' test with psn_compare which is used for other PSN comparisons and correctly handles the 24 bit size. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20201013170741.3590-1-rpearson@hpe.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ce7acf72db8c4dbf7e9e9aa942ab26342a60ab7c Author: Tianyue Ren Date: Fri Oct 9 09:36:30 2020 +0800 selinux: fix error initialization in inode_doinit_with_dentry() [ Upstream commit 83370b31a915493231e5b9addc72e4bef69f8d31 ] Mark the inode security label as invalid if we cannot find a dentry so that we will retry later rather than marking it initialized with the unlabeled SID. Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock") Signed-off-by: Tianyue Ren [PM: minor comment tweaks] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 604f1f43d62f1841c472cab2c82f73d04e32eeed Author: Kamal Heib Date: Wed Oct 21 14:49:52 2020 +0300 RDMA/bnxt_re: Set queue pair state when being queried [ Upstream commit 53839b51a7671eeb3fb44d479d541cf3a0f2dd45 ] The API for ib_query_qp requires the driver to set cur_qp_state on return, add the missing set. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/20201021114952.38876-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Acked-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit fd37413964cc11368db3f55f7bba2637db98e823 Author: Nicolas Boichat Date: Mon Sep 28 11:31:35 2020 +0800 soc: mediatek: Check if power domains can be powered on at boot time [ Upstream commit 4007844b05815717f522c7ea9914e24ad0ff6c79 ] In the error case, where a power domain cannot be powered on successfully at boot time (in mtk_register_power_domains), pm_genpd_init would still be called with is_off=false, and the system would later try to disable the power domain again, triggering warnings as disabled clocks are disabled again (and other potential issues). Also print a warning splat in that case, as this should never happen. Fixes: c84e358718a66f7 ("soc: Mediatek: Add SCPSYS power domain driver") Signed-off-by: Nicolas Boichat Link: https://lore.kernel.org/r/20200928113107.v2.1.I5e6f8c262031d0451fe7241b744f4f3111c1ce71@changeid Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 579f8b9015bd14a67f5b32245e1a30a479833d44 Author: Dan Carpenter Date: Wed Sep 23 14:31:42 2020 +0300 soc: renesas: rmobile-sysc: Fix some leaks in rmobile_init_pm_domains() [ Upstream commit cf25d802e029c31efac8bdc979236927f37183bd ] This code needs to call iounmap() on one error path. Fixes: 2173fc7cb681 ("ARM: shmobile: R-Mobile: Add DT support for PM domains") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20200923113142.GC1473821@mwanda Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 5631c037547ff706fdcd67df51f8b1539eb1c976 Author: Tom Rix Date: Sat Oct 3 12:39:28 2020 -0700 drm/gma500: fix double free of gma_connector [ Upstream commit 4e19d51ca5b28a1d435a844c7b2a8e1b1b6fa237 ] clang static analysis reports this problem: cdv_intel_dp.c:2101:2: warning: Attempt to free released memory kfree(gma_connector); ^~~~~~~~~~~~~~~~~~~~ In cdv_intel_dp_init() when the call to cdv_intel_edp_panel_vdd_off() fails, the handler calls cdv_intel_dp_destroy(connector) which does the first free of gma_connector. So adjust the goto label and skip the second free. Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") Signed-off-by: Tom Rix Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201003193928.18869-1-trix@redhat.com Signed-off-by: Sasha Levin commit 7ee2cd49f7220b1069e23a65d3ab59526bda9821 Author: Peilin Ye Date: Wed Sep 9 03:17:00 2020 -0400 Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream. `num_reports` is not being properly checked. A malformed event packet with a large `num_reports` number makes hci_le_direct_adv_report_evt() read out of bounds. Fix it. Cc: stable@vger.kernel.org Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events") Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01 Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 13b25b55a2dd728fa5af9165a8c30433d5c799b2 Author: Dae R. Jeong Date: Thu Oct 22 10:21:28 2020 +0900 md: fix a warning caused by a race between concurrent md_ioctl()s commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream. Syzkaller reports a warning as belows. WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169 ... Call Trace: ... RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169 RSP: 0018:ffff888096027950 EFLAGS: 00010293 RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2 RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007 RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482 R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932 R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408 __blkdev_driver_ioctl block/ioctl.c:304 [inline] blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606 block_ioctl+0xee/0x130 fs/block_dev.c:1930 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe This is caused by a race between two concurrenct md_ioctl()s closing the array. CPU1 (md_ioctl()) CPU2 (md_ioctl()) ------ ------ set_bit(MD_CLOSING, &mddev->flags); did_set_md_closing = true; WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags)); if(did_set_md_closing) clear_bit(MD_CLOSING, &mddev->flags); Fix the warning by returning immediately if the MD_CLOSING bit is set in &mddev->flags which indicates that the array is being closed. Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Dae R. Jeong Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit d770afcdf11b2ebcac54ab69f9423e8d2dc8c9ae Author: Eric Biggers Date: Mon Oct 26 13:07:15 2020 -0700 crypto: af_alg - avoid undefined behavior accessing salg_name commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream. Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names") made the kernel start accepting arbitrarily long algorithm names in sockaddr_alg. However, the actual length of the salg_name field stayed at the original 64 bytes. This is broken because the kernel can access indices >= 64 in salg_name, which is undefined behavior -- even though the memory that is accessed is still located within the sockaddr structure. It would only be defined behavior if the array were properly marked as arbitrary-length (either by making it a flexible array, which is the recommended way these days, or by making it an array of length 0 or 1). We can't simply change salg_name into a flexible array, since that would break source compatibility with userspace programs that embed sockaddr_alg into another struct, or (more commonly) declare a sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'. One solution would be to change salg_name into a flexible array only when '#ifdef __KERNEL__'. However, that would keep userspace without an easy way to actually use the longer algorithm names. Instead, add a new structure 'sockaddr_alg_new' that has the flexible array field, and expose it to both userspace and the kernel. Make the kernel use it correctly in alg_bind(). This addresses the syzbot report "UBSAN: array-index-out-of-bounds in alg_bind" (https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e). Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names") Cc: # v4.12+ Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 37e7d9aa24bd40c62062df0fa1a0a2f245519d96 Author: Antti Palosaari Date: Sat Aug 17 03:12:10 2019 +0200 media: msi2500: assign SPI bus number dynamically commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream. SPI bus number must be assigned dynamically for each device, otherwise it will crash when multiple devices are plugged to system. Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit a9c625fcddc078624e1e7a673443b29c71be3431 Author: Jan Kara Date: Mon Nov 2 16:16:29 2020 +0100 quota: Sanity-check quota file headers on load commit 11c514a99bb960941535134f0587102855e8ddee upstream. Perform basic sanity checks of quota headers to avoid kernel crashes on corrupted quota files. CC: stable@vger.kernel.org Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com Reviewed-by: Andreas Dilger Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit cf394db8b470c41589a7e8a2da0192b7a49c9cac Author: Alexey Kardashevskiy Date: Thu Dec 3 16:58:34 2020 +1100 serial_core: Check for port state when tty is in error state commit 2f70e49ed860020f5abae4f7015018ebc10e1f0e upstream. At the moment opening a serial device node (such as /dev/ttyS3) succeeds even if there is no actual serial device behind it. Reading/writing/ioctls fail as expected because the uart port is not initialized (the type is PORT_UNKNOWN) and the TTY_IO_ERROR error state bit is set fot the tty. However setting line discipline does not have these checks 8250_port.c (8250 is the default choice made by univ8250_console_init()). As the result of PORT_UNKNOWN, uart_port::iobase is NULL which a platform translates onto some address accessing which produces a crash like below. This adds tty_port_initialized() to uart_set_ldisc() to prevent the crash. Found by syzkaller. Signed-off-by: Alexey Kardashevskiy Link: https://lore.kernel.org/r/20201203055834.45838-1-aik@ozlabs.ru Cc: stable Signed-off-by: Greg Kroah-Hartman commit 860efdef5d99d66dcb7749bf0ed2490a66322a3c Author: Julian Sax Date: Thu Nov 26 18:51:58 2020 +0100 HID: i2c-hid: add Vero K147 to descriptor override commit c870d50ce387d84b6438211a7044c60afbd5d60a upstream. This device uses the SIPODEV SP1064 touchpad, which does not supply descriptors, so it has to be added to the override list. Cc: stable@vger.kernel.org Signed-off-by: Julian Sax Reviewed-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 81ad6b09b27f34d668174fe19715bbc00c4eda82 Author: Krzysztof Kozlowski Date: Thu Oct 15 20:20:43 2020 +0200 ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU commit bd7e7ff56feea7810df900fb09c9741d259861d9 upstream. On Odroid XU LDO12 and LDO15 supplies the power to USB 3.0 blocks but the GPK GPIO pins are supplied by LDO7 (VDDQ_LCD). LDO7 also supplies GPJ GPIO pins. The Exynos pinctrl driver does not take any supplies, so to have entire GPIO block always available, make the regulator always on. Fixes: 88644b4c750b ("ARM: dts: exynos: Configure PWM, usb3503, PMIC and thermal on Odroid XU board") Signed-off-by: Krzysztof Kozlowski Cc: Link: https://lore.kernel.org/r/20201015182044.480562-3-krzk@kernel.org Tested-by: Gabriel Ribba Esteva Signed-off-by: Greg Kroah-Hartman commit 58ab20e19f70337259b272d2252f77b73dce9099 Author: Krzysztof Kozlowski Date: Thu Oct 15 20:20:42 2020 +0200 ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410 commit 3d992fd8f4e0f09c980726308d2f2725587b32d6 upstream. The VBUS control (PWREN) and over-current pins of USB 3.0 DWC3 controllers are on Exynos5410 regular GPIOs. This is different than for example on Exynos5422 where these are special ETC pins with proper reset values (pulls, functions). Therefore these pins should be configured to enable proper USB 3.0 peripheral and host modes. This also fixes over-current warning: [ 6.024658] usb usb4-port1: over-current condition [ 6.028271] usb usb3-port1: over-current condition Fixes: cb0896562228 ("ARM: dts: exynos: Add USB to Exynos5410") Signed-off-by: Krzysztof Kozlowski Cc: Link: https://lore.kernel.org/r/20201015182044.480562-2-krzk@kernel.org Tested-by: Gabriel Ribba Esteva Signed-off-by: Greg Kroah-Hartman commit 27ea2f575c847ca63de8fb4da8ec831baab23227 Author: Krzysztof Kozlowski Date: Thu Oct 15 20:20:41 2020 +0200 ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU commit ecc1ff532b499d20304a4f682247137025814c34 upstream. On Odroid XU board the USB3-0 port is a microUSB and USB3-1 port is USB type A (host). The roles were copied from Odroid XU3 (Exynos5422) design which has it reversed. Fixes: 8149afe4dbf9 ("ARM: dts: exynos: Add initial support for Odroid XU board") Signed-off-by: Krzysztof Kozlowski Cc: Link: https://lore.kernel.org/r/20201015182044.480562-1-krzk@kernel.org Tested-by: Gabriel Ribba Esteva Signed-off-by: Greg Kroah-Hartman commit 0361d65da296e70d0b49b806f5540d3df71bdb6a Author: Fabio Estevam Date: Mon Dec 7 10:09:09 2020 +0800 usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul commit c7721e15f434920145c376e8fe77e1c079fc3726 upstream. According to the i.MX6UL Errata document: https://www.nxp.com/docs/en/errata/IMX6ULCE.pdf ERR007881 also affects i.MX6UL, so pass the CI_HDRC_DISABLE_DEVICE_STREAMING flag to workaround the issue. Fixes: 52fe568e5d71 ("usb: chipidea: imx: add imx6ul usb support") Cc: Signed-off-by: Fabio Estevam Signed-off-by: Peter Chen Link: https://lore.kernel.org/r/20201207020909.22483-2-peter.chen@kernel.org Signed-off-by: Greg Kroah-Hartman commit 3a44954de1eec378640a6da83778a9c478a1a0eb Author: Will McVicker Date: Fri Nov 27 15:05:55 2020 +0100 USB: gadget: f_rndis: fix bitrate for SuperSpeed and above commit b00f444f9add39b64d1943fa75538a1ebd54a290 upstream. Align the SuperSpeed Plus bitrate for f_rndis to match f_ncm's ncm_bitrate defined by commit 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM"). Cc: Felipe Balbi Cc: EJ Hsu Cc: Peter Chen Cc: stable Signed-off-by: Will McVicker Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/20201127140559.381351-2-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 27e1b18af55f85c57dddaf4c0d4d99d507a00b84 Author: Jack Pham Date: Tue Oct 27 16:07:31 2020 -0700 usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus commit a353397b0d5dfa3c99b372505db3378fc919c6c6 upstream. In many cases a function that supports SuperSpeed can very well operate in SuperSpeedPlus, if a gadget controller supports it, as the endpoint descriptors (and companion descriptors) are generally identical and can be re-used. This is true for two commonly used functions: Android's ADB and MTP. So we can simply assign the usb_function's ssp_descriptors array to point to its ss_descriptors, if available. Similarly, we need to allow an epfile's ioctl for FUNCTIONFS_ENDPOINT_DESC to correctly return the corresponding SuperSpeed endpoint descriptor in case the connected speed is SuperSpeedPlus as well. The only exception is if a function wants to implement an Isochronous endpoint capable of transferring more than 48KB per service interval when operating at greater than USB 3.1 Gen1 speed, in which case it would require an additional SuperSpeedPlus Isochronous Endpoint Companion descriptor to be returned as part of the Configuration Descriptor. Support for that would need to be separately added to the userspace-facing FunctionFS API which may not be a trivial task--likely a new descriptor format (v3?) may need to be devised to allow for separate SS and SSP descriptors to be supplied. Signed-off-by: Jack Pham Cc: stable Link: https://lore.kernel.org/r/20201027230731.9073-1-jackp@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit e368d856104b98d3913a4826f5c72d05523e61a8 Author: Will McVicker Date: Fri Nov 27 15:05:57 2020 +0100 USB: gadget: f_midi: setup SuperSpeed Plus descriptors commit 457a902ba1a73b7720666b21ca038cd19764db18 upstream. Needed for SuperSpeed Plus support for f_midi. This allows the gadget to work properly without crashing at SuperSpeed rates. Cc: Felipe Balbi Cc: stable Signed-off-by: Will McVicker Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/20201127140559.381351-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 64138c4f7a372951cd7d1884ee87137caeb700f0 Author: taehyun.cho Date: Fri Nov 27 15:05:56 2020 +0100 USB: gadget: f_acm: add support for SuperSpeed Plus commit 3ee05c20656782387aa9eb010fdb9bb16982ac3f upstream. Setup the SuperSpeed Plus descriptors for f_acm. This allows the gadget to work properly without crashing at SuperSpeed rates. Cc: Felipe Balbi Cc: stable Signed-off-by: taehyun.cho Signed-off-by: Will McVicker Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/20201127140559.381351-3-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit bf0c09de2ea17f49121a9a2f740b8b9742bcc96b Author: Johan Hovold Date: Wed Dec 9 11:42:21 2020 +0100 USB: serial: option: add interface-number sanity check to flag handling commit a251963f76fa0226d0fdf0c4f989496f18d9ae7f upstream. Add an interface-number sanity check before testing the device flags to avoid relying on undefined behaviour when left shifting in case a device uses an interface number greater than or equal to BITS_PER_LONG (i.e. 64 or 32). Reported-by: syzbot+8881b478dad0a7971f79@syzkaller.appspotmail.com Fixes: c3a65808f04a ("USB: serial: option: reimplement interface masking") Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7ed6876b4b5c5e100c8d3df06c5abd837c2768d8 Author: Nicolin Chen Date: Wed Nov 18 20:44:57 2020 -0800 soc/tegra: fuse: Fix index bug in get_process_id commit b9ce9b0f83b536a4ac7de7567a265d28d13e5bea upstream. This patch simply fixes a bug of referencing speedos[num] in every for-loop iteration in get_process_id function. Fixes: 0dc5a0d83675 ("soc/tegra: fuse: Add Tegra210 support") Cc: Signed-off-by: Nicolin Chen Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 13b76e837c700c567b88705dc7d35bba19785201 Author: Thomas Gleixner Date: Fri Nov 13 15:19:10 2020 +0100 dm table: Remove BUG_ON(in_interrupt()) [ Upstream commit e7b624183d921b49ef0a96329f21647d38865ee9 ] The BUG_ON(in_interrupt()) in dm_table_event() is a historic leftover from a rework of the dm table code which changed the calling context. Issuing a BUG for a wrong calling context is frowned upon and in_interrupt() is deprecated and only covering parts of the wrong contexts. The sanity check for the context is covered by CONFIG_DEBUG_ATOMIC_SLEEP and other debug facilities already. Signed-off-by: Thomas Gleixner Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit b3c6894d18da3975267cf9da8fa7d67af3ff7f41 Author: Sreekanth Reddy Date: Mon Nov 30 13:57:33 2020 +0530 scsi: mpt3sas: Increase IOCInit request timeout to 30s [ Upstream commit 85dad327d9b58b4c9ce08189a2707167de392d23 ] Currently the IOCInit request message timeout is set to 10s. This is not sufficient in some scenarios such as during HBA FW downgrade operations. Increase the IOCInit request timeout to 30s. Link: https://lore.kernel.org/r/20201130082733.26120-1-sreekanth.reddy@broadcom.com Signed-off-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2673eb2aa39293f08fa5ee60c5775d9ac183cbb2 Author: Sven Eckelmann Date: Thu Nov 26 13:52:47 2020 +0100 vxlan: Copy needed_tailroom from lowerdev [ Upstream commit a5e74021e84bb5eadf760aaf2c583304f02269be ] While vxlan doesn't need any extra tailroom, the lowerdev might need it. In that case, copy it over to reduce the chance for additional (re)allocations in the transmit path. Signed-off-by: Sven Eckelmann Link: https://lore.kernel.org/r/20201126125247.1047977-2-sven@narfation.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 951481c52a94ba646e35b99fdb93177ab580555b Author: Sven Eckelmann Date: Thu Nov 26 13:52:46 2020 +0100 vxlan: Add needed_headroom for lower device [ Upstream commit 0a35dc41fea67ac4495ce7584406bf9557a6e7d0 ] It was observed that sending data via batadv over vxlan (on top of wireguard) reduced the performance massively compared to raw ethernet or batadv on raw ethernet. A check of perf data showed that the vxlan_build_skb was calling all the time pskb_expand_head to allocate enough headroom for: min_headroom = LL_RESERVED_SPACE(dst->dev) + dst->header_len + VXLAN_HLEN + iphdr_len; But the vxlan_config_apply only requested needed headroom for: lowerdev->hard_header_len + VXLAN6_HEADROOM or VXLAN_HEADROOM So it completely ignored the needed_headroom of the lower device. The first caller of net_dev_xmit could therefore never make sure that enough headroom was allocated for the rest of the transmit path. Cc: Annika Wickert Signed-off-by: Sven Eckelmann Tested-by: Annika Wickert Link: https://lore.kernel.org/r/20201126125247.1047977-1-sven@narfation.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d022341d2218cc7b142b83ae514f4d186b68e8c0 Author: Qinglang Miao Date: Fri Oct 30 09:34:24 2020 +0800 drm/tegra: sor: Disable clocks on error in tegra_sor_init() [ Upstream commit bf3a3cdcad40e5928a22ea0fd200d17fd6d6308d ] Fix the missing clk_disable_unprepare() before return from tegra_sor_init() in the error handling case. Signed-off-by: Qinglang Miao Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 8859f5899ab92da690d6287dd339805155fa4fb6 Author: Nicholas Piggin Date: Thu Nov 26 20:25:29 2020 +1000 kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling [ Upstream commit 8ff00399b153440c1c83e20c43020385b416415b ] powerpc/64s keeps a counter in the mm which counts bits set in mm_cpumask as well as other things. This means it can't use generic code to clear bits out of the mask and doesn't adjust the arch specific counter. Add an arch override that allows powerpc/64s to use clear_tasks_mm_cpumask(). Signed-off-by: Nicholas Piggin Reviewed-by: Aneesh Kumar K.V Acked-by: Peter Zijlstra (Intel) Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201126102530.691335-4-npiggin@gmail.com Signed-off-by: Sasha Levin commit 4b9ea5d4198794e4bdd9a1226cb22302f6d805a1 Author: Leon Romanovsky Date: Fri Dec 4 08:42:05 2020 +0200 RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait [ Upstream commit 340b940ea0ed12d9adbb8f72dea17d516b2019e8 ] If cm_create_timewait_info() fails, the timewait_info pointer will contain an error value and will be used in cm_remove_remote() later. general protection fault, probably for non-canonical address 0xdffffc0000000024: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0×0000000000000120-0×0000000000000127] CPU: 2 PID: 12446 Comm: syz-executor.3 Not tainted 5.10.0-rc5-5d4c0742a60e #27 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:cm_remove_remote.isra.0+0x24/0×170 drivers/infiniband/core/cm.c:978 Code: 84 00 00 00 00 00 41 54 55 53 48 89 fb 48 8d ab 2d 01 00 00 e8 7d bf 4b fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 48 89 ea 83 e2 07 38 d0 7f 08 84 c0 0f 85 fc 00 00 00 RSP: 0018:ffff888013127918 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: ffffc9000a18b000 RDX: 0000000000000024 RSI: ffffffff82edc573 RDI: fffffffffffffff4 RBP: 0000000000000121 R08: 0000000000000001 R09: ffffed1002624f1d R10: 0000000000000003 R11: ffffed1002624f1c R12: ffff888107760c70 R13: ffff888107760c40 R14: fffffffffffffff4 R15: ffff888107760c9c FS: 00007fe1ffcc1700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2ff21000 CR3: 000000010f504001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: cm_destroy_id+0x189/0×15b0 drivers/infiniband/core/cm.c:1155 cma_connect_ib drivers/infiniband/core/cma.c:4029 [inline] rdma_connect_locked+0x1100/0×17c0 drivers/infiniband/core/cma.c:4107 rdma_connect+0x2a/0×40 drivers/infiniband/core/cma.c:4140 ucma_connect+0x277/0×340 drivers/infiniband/core/ucma.c:1069 ucma_write+0x236/0×2f0 drivers/infiniband/core/ucma.c:1724 vfs_write+0x220/0×830 fs/read_write.c:603 ksys_write+0x1df/0×240 fs/read_write.c:658 do_syscall_64+0x33/0×40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation") Link: https://lore.kernel.org/r/20201204064205.145795-1-leon@kernel.org Reviewed-by: Maor Gottlieb Reported-by: Amit Matityahu Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 5e407c3a2a8e41ab8978c8b06b29473082e6160a Author: Zhang Qilong Date: Fri Dec 4 14:35:06 2020 +0100 can: softing: softing_netdev_open(): fix error handling [ Upstream commit 4d1be581ec6b92a338bb7ed23e1381f45ddf336f ] If softing_netdev_open() fails, we should call close_candev() to avoid reference leak. Fixes: 03fd3cf5a179d ("can: add driver for Softing card") Signed-off-by: Zhang Qilong Acked-by: Kurt Van Dijck Link: https://lore.kernel.org/r/20201202151632.1343786-1-zhangqilong3@huawei.com Signed-off-by: Marc Kleine-Budde Link: https://lore.kernel.org/r/20201204133508.742120-2-mkl@pengutronix.de Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e851f16a2d741179b63b4e011b260861a3672c63 Author: Randy Dunlap Date: Sat Nov 28 23:09:16 2020 -0800 scsi: bnx2i: Requires MMU [ Upstream commit 2d586494c4a001312650f0b919d534e429dd1e09 ] The SCSI_BNX2_ISCSI kconfig symbol selects CNIC and CNIC selects UIO, which depends on MMU. Since 'select' does not follow dependency chains, add the same MMU dependency to SCSI_BNX2_ISCSI. Quietens this kconfig warning: WARNING: unmet direct dependencies detected for CNIC Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=m] || IPV6 [=m]=n) && MMU [=n] Selected by [m]: - SCSI_BNX2_ISCSI [=m] && SCSI_LOWLEVEL [=y] && SCSI [=y] && NET [=y] && PCI [=y] && (IPV6 [=m] || IPV6 [=m]=n) Link: https://lore.kernel.org/r/20201129070916.3919-1-rdunlap@infradead.org Fixes: cf4e6363859d ("[SCSI] bnx2i: Add bnx2i iSCSI driver.") Cc: linux-scsi@vger.kernel.org Cc: Nilesh Javali Cc: Manish Rangankar Cc: GR-QLogic-Storage-Upstream@marvell.com Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Signed-off-by: Randy Dunlap Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9113982fd75964c6302b42d3f768dbd6eaaf7851 Author: Baruch Siach Date: Wed Dec 2 09:15:32 2020 +0200 gpio: mvebu: fix potential user-after-free on probe [ Upstream commit 7ee1a01e47403f72b9f38839a737692f6991263e ] When mvebu_pwm_probe() fails IRQ domain is not released. Move pwm probe before IRQ domain allocation. Add pwm cleanup code to the failure path. Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") Reported-by: Andrew Lunn Signed-off-by: Baruch Siach Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 1857f945a250137d92e736a4c6b880c4a6234bd1 Author: Icenowy Zheng Date: Fri Nov 20 13:08:51 2020 +0800 ARM: dts: sun8i: v3s: fix GIC node memory range [ Upstream commit a98fd117a2553ab1a6d2fe3c7acae88c1eca4372 ] Currently the GIC node in V3s DTSI follows some old DT examples, and being broken. This leads a warning at boot. Fix this. Fixes: f989086ccbc6 ("ARM: dts: sunxi: add dtsi file for V3s SoC") Signed-off-by: Icenowy Zheng Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201120050851.4123759-1-icenowy@aosc.io Signed-off-by: Sasha Levin commit 4db800e8fc790bb1d21aa502e1042b08c660729f Author: Andy Shevchenko Date: Thu Nov 12 21:03:01 2020 +0200 pinctrl: baytrail: Avoid clearing debounce value when turning it off [ Upstream commit 0b74e40a4e41f3cbad76dff4c50850d47b525b26 ] Baytrail pin control has a common register to set up debounce timeout. When a pin configuration requested debounce to be disabled, the rest of the pins may still want to have debounce enabled and thus rely on the common timeout value. Avoid clearing debounce value when turning it off for one pin while others may still use it. Fixes: 658b476c742f ("pinctrl: baytrail: Add debounce configuration") Depends-on: 04ff5a095d66 ("pinctrl: baytrail: Rectify debounce support") Depends-on: 827e1579e1d5 ("pinctrl: baytrail: Rectify debounce support (part 2)") Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit d24e447e9127e11ec2d3e2bdbd067223d8186f3b Author: Andy Shevchenko Date: Wed Nov 11 14:06:05 2020 +0200 pinctrl: merrifield: Set default bias in case no particular value given [ Upstream commit 0fa86fc2e28227f1e64f13867e73cf864c6d25ad ] When GPIO library asks pin control to set the bias, it doesn't pass any value of it and argument is considered boolean (and this is true for ACPI GpioIo() / GpioInt() resources, by the way). Thus, individual drivers must behave well, when they got the resistance value of 1 Ohm, i.e. transforming it to sane default. In case of Intel Merrifield pin control hardware the 20 kOhm sounds plausible because it gives a good trade off between weakness and minimization of leakage current (will be only 50 uA with the above choice). Fixes: 4e80c8f50574 ("pinctrl: intel: Add Intel Merrifield pin controller support") Depends-on: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit cbca15cf1a951f989a823c3d99d339a866e388e6 Author: Xin Xiong Date: Sun Jul 19 23:45:45 2020 +0800 drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi commit a34a0a632dd991a371fec56431d73279f9c54029 upstream drm_dp_mst_allocate_vcpi() invokes drm_dp_mst_topology_get_port_validated(), which increases the refcount of the "port". These reference counting issues take place in two exception handling paths separately. Either when “slots” is less than 0 or when drm_dp_init_vcpi() returns a negative value, the function forgets to reduce the refcnt increased drm_dp_mst_topology_get_port_validated(), which results in a refcount leak. Fix these issues by pulling up the error handling when "slots" is less than 0, and calling drm_dp_mst_topology_put_port() before termination when drm_dp_init_vcpi() returns a negative value. Fixes: 1e797f556c61 ("drm/dp: Split drm_dp_mst_allocate_vcpi") Cc: # v4.12+ Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Xin Xiong Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20200719154545.GA41231@xin-virtual-machine [sudip: use old functions before rename] Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit cb099fdd0c309f743949d760993a76fc000b0e93 Author: Alexander Sverdlin Date: Thu Dec 10 06:52:57 2020 +0100 serial: 8250_omap: Avoid FIFO corruption caused by MDR1 access commit d96f04d347e4011977abdbb4da5d8f303ebd26f8 upstream. It has been observed that once per 300-1300 port openings the first transmitted byte is being corrupted on AM3352 ("v" written to FIFO appeared as "e" on the wire). It only happened if single byte has been transmitted right after port open, which means, DMA is not used for this transfer and the corruption never happened afterwards. Therefore I've carefully re-read the MDR1 errata (link below), which says "when accessing the MDR1 registers that causes a dummy under-run condition that will freeze the UART in IrDA transmission. In UART mode, this may corrupt the transferred data". Strictly speaking, omap_8250_mdr1_errataset() performs a read access and if the value is the same as should be written, exits without errata-recommended FIFO reset. A brief check of the serial_omap_mdr1_errataset() from the competing omap-serial driver showed it has no read access of MDR1. After removing the read access from omap_8250_mdr1_errataset() the data corruption never happened any more. Link: https://www.ti.com/lit/er/sprz360i/sprz360i.pdf Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver") Cc: stable@vger.kernel.org Signed-off-by: Alexander Sverdlin Link: https://lore.kernel.org/r/20201210055257.1053028-1-alexander.sverdlin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 1c25dcb12392b49158b5c9b43f0b6dc2b5cf7567 Author: Takashi Iwai Date: Wed Dec 9 09:45:52 2020 +0100 ALSA: pcm: oss: Fix potential out-of-bounds shift commit 175b8d89fe292796811fdee87fa39799a5b6b87a upstream. syzbot spotted a potential out-of-bounds shift in the PCM OSS layer where it calculates the buffer size with the arbitrary shift value given via an ioctl. Add a range check for avoiding the undefined behavior. As the value can be treated by a signed integer, the max shift should be 30. Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20201209084552.17109-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2fe986f75f52768280b364f272d0362739025cd4 Author: Thomas Gleixner Date: Mon Oct 19 12:06:30 2020 +0200 USB: sisusbvga: Make console support depend on BROKEN commit 862ee699fefe1e6d6f2c1518395f0b999b8beb15 upstream. The console part of sisusbvga is broken vs. printk(). It uses in_atomic() to detect contexts in which it cannot sleep despite the big fat comment in preempt.h which says: Do not use in_atomic() in driver code. in_atomic() does not work on kernels with CONFIG_PREEMPT_COUNT=n which means that spin/rw_lock held regions are not detected by it. There is no way to make this work by handing context information through to the driver and this only can be solved once the core printk infrastructure supports sleepable console drivers. Make it depend on BROKEN for now. Fixes: 1bbb4f2035d9 ("[PATCH] USB: sisusb[vga] update") Signed-off-by: Thomas Gleixner Cc: Thomas Winischhofer Cc: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201019101109.603244207@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 17d28c91822e93ef45cdf4a22489536fb1767b46 Author: Oliver Neukum Date: Wed Dec 9 16:26:39 2020 +0100 USB: UAS: introduce a quirk to set no_write_same commit 8010622c86ca5bb44bc98492f5968726fc7c7a21 upstream. UAS does not share the pessimistic assumption storage is making that devices cannot deal with WRITE_SAME. A few devices supported by UAS, are reported to not deal well with WRITE_SAME. Those need a quirk. Add it to the device that needs it. Reported-by: David C. Partridge Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20201209152639.9195-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit aded7e821a4c390f47e0539a084dbaf9cbad0a55 Author: Li Jun Date: Tue Dec 8 11:29:12 2020 +0200 xhci: Give USB2 ports time to enter U3 in bus suspend commit c1373f10479b624fb6dba0805d673e860f1b421d upstream. If a USB2 device wakeup is not enabled/supported the link state may still be in U0 in xhci_bus_suspend(), where it's then manually put to suspended U3 state. Just as with selective suspend the device needs time to enter U3 suspend before continuing with further suspend operations (e.g. system suspend), otherwise we may enter system suspend with link state in U0. [commit message rewording -Mathias] Cc: Signed-off-by: Li Jun Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20201208092912.1773650-6-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 6dcda2aaab3c673132afa8c6fcf81a0023d9947d Author: Takashi Iwai Date: Fri Dec 11 14:00:48 2020 +0100 ALSA: usb-audio: Fix control 'access overflow' errors from chmap commit c6dde8ffd071aea9d1ce64279178e470977b235c upstream. The current channel-map control implementation in USB-audio driver may lead to an error message like "control 3:0:0:Playback Channel Map:0: access overflow" when CONFIG_SND_CTL_VALIDATION is set. It's because the chmap get callback clears the whole array no matter which count is set, and rather the false-positive detection. This patch fixes the problem by clearing only the needed array range at usb_chmap_ctl_get(). Cc: Link: https://lore.kernel.org/r/20201211130048.6358-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b5ac73ed84d634a0ba528435ffaeefa2a81f2253 Author: Takashi Iwai Date: Wed Dec 9 09:45:51 2020 +0100 ALSA: usb-audio: Fix potential out-of-bounds shift commit 43d5ca88dfcd35e43010fdd818e067aa9a55f5ba upstream. syzbot spotted a potential out-of-bounds shift in the USB-audio format parser that receives the arbitrary shift value from the USB descriptor. Add a range check for avoiding the undefined behavior. Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20201209084552.17109-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 230f33f3cb954aacadc2cb90396f10269129b19c Author: Oliver Neukum Date: Mon Dec 7 14:03:23 2020 +0100 USB: add RESET_RESUME quirk for Snapscan 1212 commit 08a02f954b0def3ada8ed6d4b2c7bcb67e885e9c upstream. I got reports that some models of this old scanner need this when using runtime PM. Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20201207130323.23857-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 7dce946e51e3979db4191e49f524f53f3c5a95ac Author: Bui Quang Minh Date: Fri Dec 4 06:24:49 2020 +0000 USB: dummy-hcd: Fix uninitialized array use in init() commit e90cfa813da7a527785033a0b247594c2de93dd8 upstream. This error path err_add_pdata: for (i = 0; i < mod_data.num; i++) kfree(dum[i]); can be triggered when not all dum's elements are initialized. Fix this by initializing all dum's elements to NULL. Acked-by: Alan Stern Cc: stable Signed-off-by: Bui Quang Minh Link: https://lore.kernel.org/r/1607063090-3426-1-git-send-email-minhquangbui99@gmail.com Signed-off-by: Greg Kroah-Hartman commit 42a387dc80c334ad78e604e0522b3d7a3f7113a5 Author: Eric Dumazet Date: Fri Dec 4 08:24:28 2020 -0800 mac80211: mesh: fix mesh_pathtbl_init() error path [ Upstream commit 905b2032fa424f253d9126271439cc1db2b01130 ] If tbl_mpp can not be allocated, we call mesh_table_free(tbl_path) while tbl_path rhashtable has not yet been initialized, which causes panics. Simply factorize the rhashtable_init() call into mesh_table_alloc() WARNING: CPU: 1 PID: 8474 at kernel/workqueue.c:3040 __flush_work kernel/workqueue.c:3040 [inline] WARNING: CPU: 1 PID: 8474 at kernel/workqueue.c:3040 __cancel_work_timer+0x514/0x540 kernel/workqueue.c:3136 Modules linked in: CPU: 1 PID: 8474 Comm: syz-executor663 Not tainted 5.10.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__flush_work kernel/workqueue.c:3040 [inline] RIP: 0010:__cancel_work_timer+0x514/0x540 kernel/workqueue.c:3136 Code: 5d c3 e8 bf ae 29 00 0f 0b e9 f0 fd ff ff e8 b3 ae 29 00 0f 0b 43 80 3c 3e 00 0f 85 31 ff ff ff e9 34 ff ff ff e8 9c ae 29 00 <0f> 0b e9 dc fe ff ff 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 7d fd ff RSP: 0018:ffffc9000165f5a0 EFLAGS: 00010293 RAX: ffffffff814b7064 RBX: 0000000000000001 RCX: ffff888021c80000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff888024039ca0 R08: dffffc0000000000 R09: fffffbfff1dd3e64 R10: fffffbfff1dd3e64 R11: 0000000000000000 R12: 1ffff920002cbebd R13: ffff888024039c88 R14: 1ffff11004807391 R15: dffffc0000000000 FS: 0000000001347880(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000140 CR3: 000000002cc0a000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rhashtable_free_and_destroy+0x25/0x9c0 lib/rhashtable.c:1137 mesh_table_free net/mac80211/mesh_pathtbl.c:69 [inline] mesh_pathtbl_init+0x287/0x2e0 net/mac80211/mesh_pathtbl.c:785 ieee80211_mesh_init_sdata+0x2ee/0x530 net/mac80211/mesh.c:1591 ieee80211_setup_sdata+0x733/0xc40 net/mac80211/iface.c:1569 ieee80211_if_add+0xd5c/0x1cd0 net/mac80211/iface.c:1987 ieee80211_add_iface+0x59/0x130 net/mac80211/cfg.c:125 rdev_add_virtual_intf net/wireless/rdev-ops.h:45 [inline] nl80211_new_interface+0x563/0xb40 net/wireless/nl80211.c:3855 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2494 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x780/0x930 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x9a8/0xd40 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg net/socket.c:671 [inline] ____sys_sendmsg+0x519/0x800 net/socket.c:2353 ___sys_sendmsg net/socket.c:2407 [inline] __sys_sendmsg+0x2b1/0x360 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 60854fd94573 ("mac80211: mesh: convert path table to rhashtable") Signed-off-by: Eric Dumazet Reported-by: syzbot Reviewed-by: Johannes Berg Link: https://lore.kernel.org/r/20201204162428.2583119-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 97b46062905025f53570a72e4e1274af36446833 Author: Zhang Changzhong Date: Fri Dec 4 16:48:56 2020 +0800 net: bridge: vlan: fix error return code in __vlan_add() [ Upstream commit ee4f52a8de2c6f78b01f10b4c330867d88c1653a ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: f8ed289fab84 ("bridge: vlan: use br_vlan_(get|put)_master to deal with refcounts") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Acked-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/1607071737-33875-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 213da138fe3d529ebfef5c187c1b391afc8e6513 Author: Martin Blumenstingl Date: Sat Dec 5 22:32:07 2020 +0100 net: stmmac: dwmac-meson8b: fix mask definition of the m250_sel mux [ Upstream commit 82ca4c922b8992013a238d65cf4e60cc33e12f36 ] The m250_sel mux clock uses bit 4 in the PRG_ETH0 register. Fix this by shifting the PRG_ETH0_CLK_M250_SEL_MASK accordingly as the "mask" in struct clk_mux expects the mask relative to the "shift" field in the same struct. While here, get rid of the PRG_ETH0_CLK_M250_SEL_SHIFT macro and use __ffs() to determine it from the existing PRG_ETH0_CLK_M250_SEL_MASK macro. Fixes: 566e8251625304 ("net: stmmac: add a glue driver for the Amlogic Meson 8b / GXBB DWMAC") Signed-off-by: Martin Blumenstingl Reviewed-by: Jerome Brunet Link: https://lore.kernel.org/r/20201205213207.519341-1-martin.blumenstingl@googlemail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 6ccb22ebd1976d2d68b21285600f033d96626728 Author: Fugang Duan Date: Mon Dec 7 18:51:40 2020 +0800 net: stmmac: delete the eee_ctrl_timer after napi disabled [ Upstream commit 5f58591323bf3f342920179f24515935c4b5fd60 ] There have chance to re-enable the eee_ctrl_timer and fire the timer in napi callback after delete the timer in .stmmac_release(), which introduces to access eee registers in the timer function after clocks are disabled then causes system hang. Found this issue when do suspend/resume and reboot stress test. It is safe to delete the timer after napi disabled and disable lpi mode. Fixes: d765955d2ae0b ("stmmac: add the Energy Efficient Ethernet support") Signed-off-by: Fugang Duan Signed-off-by: Joakim Zhang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 371bf703e3922ab467c5ae7b7b8767144318e7a4 Author: Moshe Shemesh Date: Wed Dec 9 15:03:39 2020 +0200 net/mlx4_en: Handle TX error CQE [ Upstream commit ba603d9d7b1215c72513d7c7aa02b6775fd4891b ] In case error CQE was found while polling TX CQ, the QP is in error state and all posted WQEs will generate error CQEs without any data transmitted. Fix it by reopening the channels, via same method used for TX timeout handling. In addition add some more info on error CQE and WQE for debug. Fixes: bd2f631d7c60 ("net/mlx4_en: Notify user when TX ring in error state") Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a6ab45c45c6c96d262cdc7acc5c357e1978a6171 Author: Moshe Shemesh Date: Wed Dec 9 15:03:38 2020 +0200 net/mlx4_en: Avoid scheduling restart task if it is already running [ Upstream commit fed91613c9dd455dd154b22fa8e11b8526466082 ] Add restarting state flag to avoid scheduling another restart task while such task is already running. Change task name from watchdog_task to restart_task to better fit the task role. Fixes: 1e338db56e5a ("mlx4_en: Fix a race at restart task") Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6f856f083bf4457557b999c5a439faaf5675ff4a Author: Neal Cardwell Date: Tue Dec 8 22:57:59 2020 -0500 tcp: fix cwnd-limited bug for TSO deferral where we send nothing [ Upstream commit 299bcb55ecd1412f6df606e9dc0912d55610029e ] When cwnd is not a multiple of the TSO skb size of N*MSS, we can get into persistent scenarios where we have the following sequence: (1) ACK for full-sized skb of N*MSS arrives -> tcp_write_xmit() transmit full-sized skb with N*MSS -> move pacing release time forward -> exit tcp_write_xmit() because pacing time is in the future (2) TSQ callback or TCP internal pacing timer fires -> try to transmit next skb, but TSO deferral finds remainder of available cwnd is not big enough to trigger an immediate send now, so we defer sending until the next ACK. (3) repeat... So we can get into a case where we never mark ourselves as cwnd-limited for many seconds at a time, even with bulk/infinite-backlog senders, because: o In case (1) above, every time in tcp_write_xmit() we have enough cwnd to send a full-sized skb, we are not fully using the cwnd (because cwnd is not a multiple of the TSO skb size). So every time we send data, we are not cwnd limited, and so in the cwnd-limited tracking code in tcp_cwnd_validate() we mark ourselves as not cwnd-limited. o In case (2) above, every time in tcp_write_xmit() that we try to transmit the "remainder" of the cwnd but defer, we set the local variable is_cwnd_limited to true, but we do not send any packets, so sent_pkts is zero, so we don't call the cwnd-limited logic to update tp->is_cwnd_limited. Fixes: ca8a22634381 ("tcp: make cwnd-limited checks measurement-based, and gentler") Reported-by: Ingemar Johansson Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Acked-by: Soheil Hassas Yeganeh Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20201209035759.1225145-1-ncardwell.kernel@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit ad025bfdcd4429e638c3e845f3dd70a98c83c357 Author: Fugang Duan Date: Mon Dec 7 18:51:39 2020 +0800 net: stmmac: free tx skb buffer in stmmac_resume() [ Upstream commit 4ec236c7c51f89abb0224a4da4a6b77f9beb6600 ] When do suspend/resume test, there have WARN_ON() log dump from stmmac_xmit() funciton, the code logic: entry = tx_q->cur_tx; first_entry = entry; WARN_ON(tx_q->tx_skbuff[first_entry]); In normal case, tx_q->tx_skbuff[txq->cur_tx] should be NULL because the skb should be handled and freed in stmmac_tx_clean(). But stmmac_resume() reset queue parameters like below, skb buffers may not be freed. tx_q->cur_tx = 0; tx_q->dirty_tx = 0; So free tx skb buffer in stmmac_resume() to avoid warning and memory leak. log: [ 46.139824] ------------[ cut here ]------------ [ 46.144453] WARNING: CPU: 0 PID: 0 at drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:3235 stmmac_xmit+0x7a0/0x9d0 [ 46.154969] Modules linked in: crct10dif_ce vvcam(O) flexcan can_dev [ 46.161328] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 5.4.24-2.1.0+g2ad925d15481 #1 [ 46.170369] Hardware name: NXP i.MX8MPlus EVK board (DT) [ 46.175677] pstate: 80000005 (Nzcv daif -PAN -UAO) [ 46.180465] pc : stmmac_xmit+0x7a0/0x9d0 [ 46.184387] lr : dev_hard_start_xmit+0x94/0x158 [ 46.188913] sp : ffff800010003cc0 [ 46.192224] x29: ffff800010003cc0 x28: ffff000177e2a100 [ 46.197533] x27: ffff000176ef0840 x26: ffff000176ef0090 [ 46.202842] x25: 0000000000000000 x24: 0000000000000000 [ 46.208151] x23: 0000000000000003 x22: ffff8000119ddd30 [ 46.213460] x21: ffff00017636f000 x20: ffff000176ef0cc0 [ 46.218769] x19: 0000000000000003 x18: 0000000000000000 [ 46.224078] x17: 0000000000000000 x16: 0000000000000000 [ 46.229386] x15: 0000000000000079 x14: 0000000000000000 [ 46.234695] x13: 0000000000000003 x12: 0000000000000003 [ 46.240003] x11: 0000000000000010 x10: 0000000000000010 [ 46.245312] x9 : ffff00017002b140 x8 : 0000000000000000 [ 46.250621] x7 : ffff00017636f000 x6 : 0000000000000010 [ 46.255930] x5 : 0000000000000001 x4 : ffff000176ef0000 [ 46.261238] x3 : 0000000000000003 x2 : 00000000ffffffff [ 46.266547] x1 : ffff000177e2a000 x0 : 0000000000000000 [ 46.271856] Call trace: [ 46.274302] stmmac_xmit+0x7a0/0x9d0 [ 46.277874] dev_hard_start_xmit+0x94/0x158 [ 46.282056] sch_direct_xmit+0x11c/0x338 [ 46.285976] __qdisc_run+0x118/0x5f0 [ 46.289549] net_tx_action+0x110/0x198 [ 46.293297] __do_softirq+0x120/0x23c [ 46.296958] irq_exit+0xb8/0xd8 [ 46.300098] __handle_domain_irq+0x64/0xb8 [ 46.304191] gic_handle_irq+0x5c/0x148 [ 46.307936] el1_irq+0xb8/0x180 [ 46.311076] cpuidle_enter_state+0x84/0x360 [ 46.315256] cpuidle_enter+0x34/0x48 [ 46.318829] call_cpuidle+0x18/0x38 [ 46.322314] do_idle+0x1e0/0x280 [ 46.325539] cpu_startup_entry+0x24/0x40 [ 46.329460] rest_init+0xd4/0xe0 [ 46.332687] arch_call_rest_init+0xc/0x14 [ 46.336695] start_kernel+0x420/0x44c [ 46.340353] ---[ end trace bc1ee695123cbacd ]--- Fixes: 47dd7a540b8a0 ("net: add support for STMicroelectronics Ethernet controllers.") Signed-off-by: Fugang Duan Signed-off-by: Joakim Zhang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a4dafa88e55dc4cd908421dea960f15feb1d0510 Author: Ansuel Smith Date: Mon Jun 15 23:06:00 2020 +0200 PCI: qcom: Add missing reset for ipq806x commit ee367e2cdd2202b5714982739e684543cd2cee0e upstream Add missing ext reset used by ipq8064 SoC in PCIe qcom driver. Link: https://lore.kernel.org/r/20200615210608.21469-5-ansuelsmth@gmail.com Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver") Signed-off-by: Sham Muthayyan Signed-off-by: Ansuel Smith Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Reviewed-by: Philipp Zabel Acked-by: Stanimir Varbanov Cc: stable@vger.kernel.org # v4.5+ [sudip: manual backport] Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit cf1785ea9752ca6347f2102b06d86668ae2b36ca Author: Arvind Sankar Date: Wed Nov 11 11:09:45 2020 -0500 x86/mm/mem_encrypt: Fix definition of PMD_FLAGS_DEC_WP commit 29ac40cbed2bc06fa218ca25d7f5e280d3d08a25 upstream. The PAT bit is in different locations for 4k and 2M/1G page table entries. Add a definition for _PAGE_LARGE_CACHE_MASK to represent the three caching bits (PWT, PCD, PAT), similar to _PAGE_CACHE_MASK for 4k pages, and use it in the definition of PMD_FLAGS_DEC_WP to get the correct PAT index for write-protected pages. Fixes: 6ebcb060713f ("x86/mm: Add support to encrypt the kernel in-place") Signed-off-by: Arvind Sankar Signed-off-by: Borislav Petkov Tested-by: Tom Lendacky Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20201111160946.147341-1-nivedita@alum.mit.edu Signed-off-by: Greg Kroah-Hartman commit bb4ee532e955c8d3c66e57ce5dd72027994664bd Author: Dan Carpenter Date: Thu Dec 3 15:18:26 2020 +0300 scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()" commit eeaf06af6f87e1dba371fbe42674e6f963220b9c upstream. My patch caused kernel Oopses and delays in boot. Revert it. The problem was that I moved the "mem->dma = paddr;" before the call to be_fill_queue(). But the first thing that the be_fill_queue() function does is memset the whole struct to zero which overwrites the assignment. Link: https://lore.kernel.org/r/X8jXkt6eThjyVP1v@mwanda Fixes: 38b2db564d9a ("scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()") Cc: stable Reported-by: Thomas Lamprecht Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 436b01c4447e74d729a3ed6090ae223bb7d56ffc Author: Arnd Bergmann Date: Fri Dec 11 13:36:38 2020 -0800 kbuild: avoid static_assert for genksyms commit 14dc3983b5dff513a90bd5a8cc90acaf7867c3d0 upstream. genksyms does not know or care about the _Static_assert() built-in, and sometimes falls back to ignoring the later symbols, which causes undefined behavior such as WARNING: modpost: EXPORT symbol "ethtool_set_ethtool_phy_ops" [vmlinux] version generation failed, symbol will not be versioned. ld: net/ethtool/common.o: relocation R_AARCH64_ABS32 against `__crc_ethtool_set_ethtool_phy_ops' can not be used when making a shared object net/ethtool/common.o:(_ftrace_annotated_branch+0x0): dangerous relocation: unsupported relocation Redefine static_assert for genksyms to avoid that. Link: https://lkml.kernel.org/r/20201203230955.1482058-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Suggested-by: Ard Biesheuvel Cc: Masahiro Yamada Cc: Michal Marek Cc: Kees Cook Cc: Rikard Falkeborn Cc: Marco Elver Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d2ed13ece6ba5ac37bb7e19f35c1d32dac6e06ce Author: Coiby Xu Date: Wed Nov 25 21:03:19 2020 +0800 pinctrl: amd: remove debounce filter setting in IRQ type setting commit 47a0001436352c9853d72bf2071e85b316d688a2 upstream. Debounce filter setting should be independent from IRQ type setting because according to the ACPI specs, there are separate arguments for specifying debounce timeout and IRQ type in GpioIo() and GpioInt(). Together with commit 06abe8291bc31839950f7d0362d9979edc88a666 ("pinctrl: amd: fix incorrect way to disable debounce filter") and Andy's patch "gpiolib: acpi: Take into account debounce settings" [1], this will fix broken touchpads for laptops whose BIOS set the debounce timeout to a relatively large value. For example, the BIOS of Lenovo AMD gaming laptops including Legion-5 15ARH05 (R7000), Legion-5P (R7000P) and IdeaPad Gaming 3 15ARH05, set the debounce timeout to 124.8ms. This led to the kernel receiving only ~7 HID reports per second from the Synaptics touchpad (MSFT0001:00 06CB:7F28). Existing touchpads like [2][3] are not troubled by this bug because the debounce timeout has been set to 0 by the BIOS before enabling the debounce filter in setting IRQ type. [1] https://lore.kernel.org/linux-gpio/20201111222008.39993-11-andriy.shevchenko@linux.intel.com/ 8dcb7a15a585 ("gpiolib: acpi: Take into account debounce settings") [2] https://github.com/Syniurge/i2c-amd-mp2/issues/11#issuecomment-721331582 [3] https://forum.manjaro.org/t/random-short-touchpad-freezes/30832/28 Signed-off-by: Coiby Xu Reviewed-by: Andy Shevchenko Cc: Hans de Goede Cc: Andy Shevchenko Cc: Benjamin Tissoires Cc: stable@vger.kernel.org Link: https://lore.kernel.org/linux-gpio/CAHp75VcwiGREBUJ0A06EEw-SyabqYsp%2Bdqs2DpSrhaY-2GVdAA%40mail.gmail.com/ BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1887190 Link: https://lore.kernel.org/r/20201125130320.311059-1-coiby.xu@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 861257c7bd032a12763143d6c0472fb2e858772c Author: Chris Chiu Date: Wed Dec 9 20:24:47 2020 -0800 Input: i8042 - add Acer laptops to the i8042 reset list commit ce6520b0eafad5962ffc21dc47cd7bd3250e9045 upstream. The touchpad operates in Basic Mode by default in the Acer BIOS setup, but some Aspire/TravelMate models require the i8042 to be reset in order to be correctly detected. Signed-off-by: Chris Chiu Link: https://lore.kernel.org/r/20201207071250.15021-1-chiu@endlessos.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit faed9d0fd9afeb0ff3ccb59d655de4d4ac9a23d0 Author: Dmitry Torokhov Date: Wed Dec 9 20:13:24 2020 -0800 Input: cm109 - do not stomp on control URB commit 82e06090473289ce63e23fdeb8737aad59b10645 upstream. We need to make sure we are not stomping on the control URB that was issued when opening the device when attempting to toggle buzzer. To do that we need to mark it as pending in cm109_open(). Reported-and-tested-by: syzbot+150f793ac5bc18eee150@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 8de429bb0bc7547ab49bd3b140791d89fcd52a64 Author: Timo Witte Date: Tue Aug 4 02:14:23 2020 +0200 platform/x86: acer-wmi: add automatic keyboard background light toggle key as KEY_LIGHTS_TOGGLE [ Upstream commit 9e7a005ad56aa7d6ea5830c5ffcc60bf35de380b ] Got a dmesg message on my AMD Renoir based Acer laptop: "acer_wmi: Unknown key number - 0x84" when toggling keyboard background light Signed-off-by: Timo Witte Reviewed-by: "Lee, Chun-Yi" Link: https://lore.kernel.org/r/20200804001423.36778-1-timo.witte@gmail.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 7ab9713a697ebe48eea7ec82b32c8b2122a07bc1 Author: Hao Si Date: Tue Oct 20 10:18:32 2020 +0800 soc: fsl: dpio: Get the cpumask through cpumask_of(cpu) [ Upstream commit 2663b3388551230cbc4606a40fabf3331ceb59e4 ] The local variable 'cpumask_t mask' is in the stack memory, and its address is assigned to 'desc->affinity' in 'irq_set_affinity_hint()'. But the memory area where this variable is located is at risk of being modified. During LTP testing, the following error was generated: Unable to handle kernel paging request at virtual address ffff000012e9b790 Mem abort info: ESR = 0x96000007 Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000007 CM = 0, WnR = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp = 0000000075ac5e07 [ffff000012e9b790] pgd=00000027dbffe003, pud=00000027dbffd003, pmd=00000027b6d61003, pte=0000000000000000 Internal error: Oops: 96000007 [#1] PREEMPT SMP Modules linked in: xt_conntrack Process read_all (pid: 20171, stack limit = 0x0000000044ea4095) CPU: 14 PID: 20171 Comm: read_all Tainted: G B W Hardware name: NXP Layerscape LX2160ARDB (DT) pstate: 80000085 (Nzcv daIf -PAN -UAO) pc : irq_affinity_hint_proc_show+0x54/0xb0 lr : irq_affinity_hint_proc_show+0x4c/0xb0 sp : ffff00001138bc10 x29: ffff00001138bc10 x28: 0000ffffd131d1e0 x27: 00000000007000c0 x26: ffff8025b9480dc0 x25: ffff8025b9480da8 x24: 00000000000003ff x23: ffff8027334f8300 x22: ffff80272e97d000 x21: ffff80272e97d0b0 x20: ffff8025b9480d80 x19: ffff000009a49000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000040 x11: 0000000000000000 x10: ffff802735b79b88 x9 : 0000000000000000 x8 : 0000000000000000 x7 : ffff000009a49848 x6 : 0000000000000003 x5 : 0000000000000000 x4 : ffff000008157d6c x3 : ffff00001138bc10 x2 : ffff000012e9b790 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: irq_affinity_hint_proc_show+0x54/0xb0 seq_read+0x1b0/0x440 proc_reg_read+0x80/0xd8 __vfs_read+0x60/0x178 vfs_read+0x94/0x150 ksys_read+0x74/0xf0 __arm64_sys_read+0x24/0x30 el0_svc_common.constprop.0+0xd8/0x1a0 el0_svc_handler+0x34/0x88 el0_svc+0x10/0x14 Code: f9001bbf 943e0732 f94066c2 b4000062 (f9400041) ---[ end trace b495bdcb0b3b732b ]--- Kernel panic - not syncing: Fatal exception SMP: stopping secondary CPUs SMP: failed to stop secondary CPUs 0,2-4,6,8,11,13-15 Kernel Offset: disabled CPU features: 0x0,21006008 Memory Limit: none ---[ end Kernel panic - not syncing: Fatal exception ]--- Fix it by using 'cpumask_of(cpu)' to get the cpumask. Signed-off-by: Hao Si Signed-off-by: Lin Chen Signed-off-by: Yi Wang Signed-off-by: Li Yang Signed-off-by: Sasha Levin commit 29ad0fa9733c27f8497d16fd4fa003f13ec751df Author: Can Guo Date: Tue Sep 22 00:09:04 2020 -0700 scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE [ Upstream commit 73cc291c270248567245f084dcdf5078069af6b5 ] If someone plays with the UFS clk scaling devfreq governor through sysfs, ufshcd_devfreq_scale may be called even when HBA is not runtime ACTIVE. This can lead to unexpected error. We cannot just protect it by calling pm_runtime_get_sync() because that may cause a race condition since HBA runtime suspend ops need to suspend clk scaling. To fix this call pm_runtime_get_noresume() and check HBA's runtime status. Only proceed if HBA is runtime ACTIVE, otherwise just bail. governor_store devfreq_performance_handler update_devfreq devfreq_set_target ufshcd_devfreq_target ufshcd_devfreq_scale Link: https://lore.kernel.org/r/1600758548-28576-1-git-send-email-cang@codeaurora.org Reviewed-by: Stanley Chu Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 48c56c9d5191c9e7c3f0b2546304ce4a770e44a6 Author: Vineet Gupta Date: Fri Nov 6 16:59:27 2020 -0800 ARC: stack unwinding: don't assume non-current task is sleeping [ Upstream commit e42404fa10fd11fe72d0a0e149a321d10e577715 ] To start stack unwinding (SP, PC and BLINK) are needed. When the explicit execution context (pt_regs etc) is not available, unwinder assumes the task is sleeping (in __switch_to()) and fetches SP and BLINK from kernel mode stack. But this assumption is not true, specially in a SMP system, when top runs on 1 core, there may be active running processes on all cores. So when unwinding non courrent tasks, ensure they are NOT running. And while at it, handle the self unwinding case explicitly. This came out of investigation of a customer reported hang with rcutorture+top Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/31 Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit e09fd8360b2a01e68b485ca0d78198b7cbf6b71b Author: Sara Sharon Date: Sat Nov 7 10:50:11 2020 +0200 iwlwifi: mvm: fix kernel panic in case of assert during CSA [ Upstream commit fe56d05ee6c87f6a1a8c7267affd92c9438249cc ] During CSA, we briefly nullify the phy context, in __iwl_mvm_unassign_vif_chanctx. In case we have a FW assert right after it, it remains NULL though. We end up running into endless loop due to mac80211 trying repeatedly to move us to ASSOC state, and we keep returning -EINVAL. Later down the road we hit a kernel panic. Detect and avoid this endless loop. Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20201107104557.d64de2c17bff.Iedd0d2afa20a2aacba5259a5cae31cb3a119a4eb@changeid Signed-off-by: Sasha Levin commit 6e58ef480cfe81f70a63d8972b65826382503a48 Author: Markus Reichl Date: Wed Nov 4 17:23:55 2020 +0100 arm64: dts: rockchip: Assign a fixed index to mmc devices on rk3399 boards. [ Upstream commit 0011c6d182774fc781fb9e115ebe8baa356029ae ] Recently introduced async probe on mmc devices can shuffle block IDs. Pin them to fixed values to ease booting in environments where UUIDs are not practical. Use newly introduced aliases for mmcblk devices from [1]. [1] https://patchwork.kernel.org/patch/11747669/ Signed-off-by: Markus Reichl Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20201104162356.1251-1-m.reichl@fivetechno.de Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit c04d5a3d004273878029cbbc238d7c16881df36f Author: Johannes Berg Date: Thu Oct 22 16:51:03 2020 +0300 iwlwifi: pcie: limit memory read spin time [ Upstream commit 04516706bb99889986ddfa3a769ed50d2dc7ac13 ] When we read device memory, we lock a spinlock, write the address we want to read from the device and then spin in a loop reading the data in 32-bit quantities from another register. As the description makes clear, this is rather inefficient, incurring a PCIe bus transaction for every read. In a typical device today, we want to read 786k SMEM if it crashes, leading to 192k register reads. Occasionally, we've seen the whole loop take over 20 seconds and then triggering the soft lockup detector. Clearly, it is unreasonable to spin here for such extended periods of time. To fix this, break the loop down into an outer and an inner loop, and break out of the inner loop if more than half a second elapsed. To avoid too much overhead, check for that only every 128 reads, though there's no particular reason for that number. Then, unlock and relock to obtain NIC access again, reprogram the start address and continue. This will keep (interrupt) latencies on the CPU down to a reasonable time. Signed-off-by: Johannes Berg Signed-off-by: Mordechay Goodstein Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20201022165103.45878a7e49aa.I3b9b9c5a10002915072312ce75b68ed5b3dc6e14@changeid Signed-off-by: Sasha Levin commit 6bc96c1bb2090603aa3e15077400347fa07d79d0 Author: Nathan Chancellor Date: Thu Dec 10 20:20:02 2020 +0100 spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe [ Upstream commit d853b3406903a7dc5b14eb5bada3e8cd677f66a2 ] Clang warns: drivers/spi/spi-bcm2835aux.c:532:50: warning: variable 'err' is uninitialized when used here [-Wuninitialized] dev_err(&pdev->dev, "could not get clk: %d\n", err); ^~~ ./include/linux/dev_printk.h:112:32: note: expanded from macro 'dev_err' _dev_err(dev, dev_fmt(fmt), ##__VA_ARGS__) ^~~~~~~~~~~ drivers/spi/spi-bcm2835aux.c:495:9: note: initialize the variable 'err' to silence this warning int err; ^ = 0 1 warning generated. Restore the assignment so that the error value can be used in the dev_err statement and there is no uninitialized memory being leaked. Fixes: e13ee6cc4781 ("spi: bcm2835aux: Fix use-after-free on unbind") Link: https://github.com/ClangBuiltLinux/linux/issues/1199 Signed-off-by: Nathan Chancellor Link: https://lore.kernel.org/r/20201113180701.455541-1-natechancellor@gmail.com Signed-off-by: Mark Brown [lukas: backport to 4.19-stable, add stable designation] Signed-off-by: Lukas Wunner Cc: # v4.4+: e13ee6cc4781: spi: bcm2835aux: Fix use-after-free on unbind Cc: # v4.4+ Signed-off-by: Greg Kroah-Hartman commit a3d4350cc84902e725ca11928c4e73ecdf3c3d4b Author: Lukas Wunner Date: Thu Dec 10 20:20:01 2020 +0100 spi: bcm2835aux: Fix use-after-free on unbind [ Upstream commit e13ee6cc4781edaf8c7321bee19217e3702ed481 ] bcm2835aux_spi_remove() accesses the driver's private data after calling spi_unregister_master() even though that function releases the last reference on the spi_master and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound. Fixes: b9dd3f6d4172 ("spi: bcm2835aux: Fix controller unregister order") Signed-off-by: Lukas Wunner Cc: # v4.4+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.4+: b9dd3f6d4172: spi: bcm2835aux: Fix controller unregister order Cc: # v4.4+ Link: https://lore.kernel.org/r/b290b06357d0c0bdee9cecc539b840a90630f101.1605121038.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman