commit ff33472c282e209da54cbc0c7c1c06ddfcc93d33 Author: Greg Kroah-Hartman Date: Sun Jul 21 09:04:43 2019 +0200 Linux 4.14.134 commit a5fb6a7e126484e364786ee1ee41efa689915d96 Author: Dave Airlie Date: Mon Jul 15 13:36:18 2019 -0600 drm/udl: move to embedding drm device inside udl device. commit 6ecac85eadb9d4065b9038fa3d3c66d49038e14b upstream. This should help with some of the lifetime issues, and move us away from load/unload. [rez] Regarding the backport to v4.14.y, the only difference is due to the fact that in v4.14.y the udl_usb_probe() function still uses drm_dev_unref() instead of drm_dev_put(). Backport notes: On Mon, Jul 15, 2019 at 09:13:08PM -0400, Sasha Levin wrote: > Hm, we don't need ac3b35f11a06 here? Why not? I'd love to document that > with the backport. Nope, we don't need that patch in the v4.14 backport. In v4.19.y we have two functions, drm_dev_put() and drm_dev_unref(), which are aliases for one another (drm_dev_unref() just calls drm_dev_put()). drm_dev_unref() is the older of the two, and was introduced back in v4.0. drm_dev_put() was introduced in v4.15 with 9a96f55034e41 drm: introduce drm_dev_{get/put} functions and slowly callers were moved from the old name (_unref) to the new name (_put). The patch you mentioned, ac3b35f11a06, is one such patch where we are replacing a drm_dev_unref() call with a drm_dev_put() call. This doesn't have a functional change, but was necessary so that the third patch in the v4.19.y series I sent would apply cleanly. For the v4.14.y series, though, the drm_dev_put() function hasn't yet been defined and everyone is still using drm_dev_unref(). So, we don't need a backport of ac3b35f11a06, and I also had a small backport change in the last patch of the v4.14.y series where I had to change a drm_dev_put() call with a drm_dev_unref() call. Just for posterity, the drm_dev_unref() calls were eventually all changed to drm_dev_put() in v5.0, and drm_dev_unref() was removed entirely. That happened with the following two patches: 808bad32ea423 drm: replace "drm_dev_unref" function with "drm_dev_put" ba1d345401476 drm: remove deprecated "drm_dev_unref" function Acked-by: Alex Deucher Signed-off-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20190405031715.5959-4-airlied@gmail.com Signed-off-by: Ross Zwisler Signed-off-by: Sasha Levin commit 24cb483b557a141d7bcab2a411809308d37ceaed Author: Dave Airlie Date: Mon Jul 15 13:36:17 2019 -0600 drm/udl: introduce a macro to convert dev to udl. commit fd96e0dba19c53c2d66f2a398716bb74df8ca85e upstream. This just makes it easier to later embed drm into udl. [rez] Regarding the backport to v4.14.y, the only difference is due to the fact that in v4.14.y the udl_gem_mmap() function doesn't have a local 'struct udl_device' pointer so it didn't need to be converted. Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20190405031715.5959-3-airlied@gmail.com Signed-off-by: Ross Zwisler Signed-off-by: Sasha Levin commit 772cabe226268eb2e748e661cb6a0ba9d8ab6d22 Author: Haren Myneni Date: Tue Jun 18 12:09:22 2019 -0700 crypto/NX: Set receive window credits to max number of CRBs in RxFIFO commit e52d484d9869eb291140545746ccbe5ffc7c9306 upstream. System gets checkstop if RxFIFO overruns with more requests than the maximum possible number of CRBs in FIFO at the same time. The max number of requests per window is controlled by window credits. So find max CRBs from FIFO size and set it to receive window credits. Fixes: b0d6c9bab5e4 ("crypto/nx: Add P9 NX support for 842 compression engine") CC: stable@vger.kernel.org # v4.14+ Signed-off-by:Haren Myneni Signed-off-by: Greg Kroah-Hartman Signed-off-by: Herbert Xu commit 9583ec77c920639ca220b6091a3e20555890c01d Author: Julian Wiedmann Date: Tue Jun 18 13:12:20 2019 +0200 s390/qdio: don't touch the dsci in tiqdio_add_input_queues() commit ac6639cd3db607d386616487902b4cc1850a7be5 upstream. Current code sets the dsci to 0x00000080. Which doesn't make any sense, as the indicator area is located in the _left-most_ byte. Worse: if the dsci is the _shared_ indicator, this potentially clears the indication of activity for a _different_ device. tiqdio_thinint_handler() will then have no reason to call that device's IRQ handler, and the device ends up stalling. Fixes: d0c9d4a89fff ("[S390] qdio: set correct bit in dsci") Cc: Signed-off-by: Julian Wiedmann Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit a25b1a8fb197b25a59406d0ef6845b902b6fc222 Author: Julian Wiedmann Date: Tue Jun 18 11:25:59 2019 +0200 s390/qdio: (re-)initialize tiqdio list entries commit e54e4785cb5cb4896cf4285964aeef2125612fb2 upstream. When tiqdio_remove_input_queues() removes a queue from the tiq_list as part of qdio_shutdown(), it doesn't re-initialize the queue's list entry and the prev/next pointers go stale. If a subsequent qdio_establish() fails while sending the ESTABLISH cmd, it calls qdio_shutdown() again in QDIO_IRQ_STATE_ERR state and tiqdio_remove_input_queues() will attempt to remove the queue entry a second time. This dereferences the stale pointers, and bad things ensue. Fix this by re-initializing the list entry after removing it from the list. For good practice also initialize the list entry when the queue is first allocated, and remove the quirky checks that papered over this omission. Note that prior to commit e521813468f7 ("s390/qdio: fix access to uninitialized qdio_q fields"), these checks were bogus anyway. setup_queues_misc() clears the whole queue struct, and thus needs to re-init the prev/next pointers as well. Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") Cc: Signed-off-by: Julian Wiedmann Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 6f477767c52fd3aade15cd61e8543e625e49ed7e Author: Heiko Carstens Date: Mon Jun 17 14:02:41 2019 +0200 s390: fix stfle zero padding commit 4f18d869ffd056c7858f3d617c71345cf19be008 upstream. The stfle inline assembly returns the number of double words written (condition code 0) or the double words it would have written (condition code 3), if the memory array it got as parameter would have been large enough. The current stfle implementation assumes that the array is always large enough and clears those parts of the array that have not been written to with a subsequent memset call. If however the array is not large enough memset will get a negative length parameter, which means that memset clears memory until it gets an exception and the kernel crashes. To fix this simply limit the maximum length. Move also the inline assembly to an extra function to avoid clobbering of register 0, which might happen because of the added min_t invocation together with code instrumentation. The bug was introduced with commit 14375bc4eb8d ("[S390] cleanup facility list handling") but was rather harmless, since it would only write to a rather large array. It became a potential problem with commit 3ab121ab1866 ("[S390] kernel: Add z/VM LGR detection"). Since then it writes to an array with only four double words, while some machines already deliver three double words. As soon as machines have a facility bit within the fifth double a crash on IPL would happen. Fixes: 14375bc4eb8d ("[S390] cleanup facility list handling") Cc: # v2.6.37+ Reviewed-by: Vasily Gorbik Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 7498108f2b6293c266e829074d5084fac33153a9 Author: Arnd Bergmann Date: Wed Jul 3 15:39:25 2019 +0200 ARC: hide unused function unw_hdr_alloc commit fd5de2721ea7d16e2b16c4049ac49f229551b290 upstream. As kernelci.org reports, this function is not used in vdk_hs38_defconfig: arch/arc/kernel/unwind.c:188:14: warning: 'unw_hdr_alloc' defined but not used [-Wunused-function] Fixes: bc79c9a72165 ("ARC: dw2 unwind: Reinstante unwinding out of modules") Link: https://kernelci.org/build/id/5d1cae3f59b514300340c132/logs/ Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 6ad56d51446f9dca44a9868f16a3c5ef0fb36e2d Author: Vinod Koul Date: Fri Jun 28 12:07:21 2019 -0700 linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL [ Upstream commit 8f9fab480c7a87b10bb5440b5555f370272a5d59 ] DIV_ROUND_UP_ULL adds the two arguments and then invokes DIV_ROUND_DOWN_ULL. But on a 32bit system the addition of two 32 bit values can overflow. DIV_ROUND_DOWN_ULL does it correctly and stashes the addition into a unsigned long long so cast the result to unsigned long long here to avoid the overflow condition. [akpm@linux-foundation.org: DIV_ROUND_UP_ULL must be an rval] Link: http://lkml.kernel.org/r/20190625100518.30753-1-vkoul@kernel.org Signed-off-by: Vinod Koul Reviewed-by: Andrew Morton Cc: Bjorn Andersson Cc: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 8f5e923556d11ee183ca5c4f332afd3b3a5b35bd Author: Eiichi Tsukata Date: Thu Jun 27 11:47:32 2019 +0900 cpu/hotplug: Fix out-of-bounds read when setting fail state [ Upstream commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde ] Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail can control `struct cpuhp_step *sp` address, results in the following global-out-of-bounds read. Reproducer: # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail KASAN report: BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0 Read of size 8 at addr ffffffff89734438 by task bash/1941 CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31 Call Trace: write_cpuhp_fail+0x2cd/0x2e0 dev_attr_store+0x58/0x80 sysfs_kf_write+0x13d/0x1a0 kernfs_fop_write+0x2bc/0x460 vfs_write+0x1e1/0x560 ksys_write+0x126/0x250 do_syscall_64+0xc1/0x390 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f05e4f4c970 The buggy address belongs to the variable: cpu_hotplug_lock+0x98/0xa0 Memory state around the buggy address: ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa ^ ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Add a sanity check for the value written from user space. Fixes: 1db49484f21ed ("smp/hotplug: Hotplug state fail injection") Signed-off-by: Eiichi Tsukata Signed-off-by: Thomas Gleixner Cc: peterz@infradead.org Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com Signed-off-by: Sasha Levin commit 1642b93f1152e4795f67b95226393b442380eab6 Author: Kirill A. Shutemov Date: Thu Jun 20 14:23:45 2019 +0300 x86/boot/64: Fix crash if kernel image crosses page table boundary [ Upstream commit 81c7ed296dcd02bc0b4488246d040e03e633737a ] A kernel which boots in 5-level paging mode crashes in a small percentage of cases if KASLR is enabled. This issue was tracked down to the case when the kernel image unpacks in a way that it crosses an 1G boundary. The crash is caused by an overrun of the PMD page table in __startup_64() and corruption of P4D page table allocated next to it. This particular issue is not visible with 4-level paging as P4D page tables are not used. But the P4D and the PUD calculation have similar problems. The PMD index calculation is wrong due to operator precedence, which fails to confine the PMDs in the PMD array on wrap around. The P4D calculation for 5-level paging and the PUD calculation calculate the first index correctly, but then blindly increment it which causes the same issue when a kernel image is located across a 512G and for 5-level paging across a 46T boundary. This wrap around mishandling was introduced when these parts moved from assembly to C. Restore it to the correct behaviour. Fixes: c88d71508e36 ("x86/boot/64: Rewrite startup_64() in C") Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Dave Hansen Cc: Andy Lutomirski Cc: Peter Zijlstra Link: https://lkml.kernel.org/r/20190620112345.28833-1-kirill.shutemov@linux.intel.com Signed-off-by: Sasha Levin commit e5516f59de3c03ed6370f48d3542a248c0e37c2e Author: Milan Broz Date: Thu Jun 20 13:00:19 2019 +0200 dm verity: use message limit for data block corruption message [ Upstream commit 2eba4e640b2c4161e31ae20090a53ee02a518657 ] DM verity should also use DMERR_LIMIT to limit repeat data block corruption messages. Signed-off-by: Milan Broz Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 387decd695e1ca309f45009d8b242a98e75b66e9 Author: Sébastien Szymanski Date: Tue Jun 18 17:58:34 2019 +0200 ARM: dts: imx6ul: fix PWM[1-4] interrupts [ Upstream commit 3cf10132ac8d536565f2c02f60a3aeb315863a52 ] According to the i.MX6UL/L RM, table 3.1 "ARM Cortex A7 domain interrupt summary", the interrupts for the PWM[1-4] go from 83 to 86. Fixes: b9901fe84f02 ("ARM: dts: imx6ul: add pwm[1-4] nodes") Signed-off-by: Sébastien Szymanski Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit d2bbc75ababde7a6cdbf357058c318c2789d0280 Author: Sergej Benilov Date: Thu Jun 20 11:02:18 2019 +0200 sis900: fix TX completion [ Upstream commit 8ac8a01092b2added0749ef937037bf1912e13e3 ] Since commit 605ad7f184b60cfaacbc038aa6c55ee68dee3c89 "tcp: refine TSO autosizing", outbound throughput is dramatically reduced for some connections, as sis900 is doing TX completion within idle states only. Make TX completion happen after every transmitted packet. Test: netperf before patch: > netperf -H remote -l -2000000 -- -s 1000000 MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 327680 327680 253.44 0.06 after patch: > netperf -H remote -l -10000000 -- -s 1000000 MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 327680 327680 5.38 14.89 Thx to Dave Miller and Eric Dumazet for helpful hints Signed-off-by: Sergej Benilov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 297ab0a08b8753d0c64737d31ac38beeee9c727d Author: Takashi Iwai Date: Wed Jun 19 15:34:07 2019 +0200 ppp: mppe: Add softdep to arc4 [ Upstream commit aad1dcc4f011ea409850e040363dff1e59aa4175 ] The arc4 crypto is mandatory at ppp_mppe probe time, so let's put a softdep line, so that the corresponding module gets prepared gracefully. Without this, a simple inclusion to initrd via dracut failed due to the missing dependency, for example. Signed-off-by: Takashi Iwai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 67320a0d43d7617538b69a67fec707cafdfe260d Author: Petr Oros Date: Wed Jun 19 14:29:42 2019 +0200 be2net: fix link failure after ethtool offline test [ Upstream commit 2e5db6eb3c23e5dc8171eb8f6af7a97ef9fcf3a9 ] Certain cards in conjunction with certain switches need a little more time for link setup that results in ethtool link test failure after offline test. Patch adds a loop that waits for a link setup finish. Changes in v2: - added fixes header Fixes: 4276e47e2d1c ("be2net: Add link test to list of ethtool self tests.") Signed-off-by: Petr Oros Reviewed-by: Ivan Vecera Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3ef2115d01a22b5971ac48778977420f568a07b8 Author: Arnd Bergmann Date: Wed Jun 19 15:04:54 2019 +0200 ARM: omap2: remove incorrect __init annotation [ Upstream commit 27e23d8975270df6999f8b5b3156fc0c04927451 ] omap3xxx_prm_enable_io_wakeup() is marked __init, but its caller is not, so we get a warning with clang-8: WARNING: vmlinux.o(.text+0x343c8): Section mismatch in reference from the function omap3xxx_prm_late_init() to the function .init.text:omap3xxx_prm_enable_io_wakeup() The function omap3xxx_prm_late_init() references the function __init omap3xxx_prm_enable_io_wakeup(). This is often because omap3xxx_prm_late_init lacks a __init annotation or the annotation of omap3xxx_prm_enable_io_wakeup is wrong. When building with gcc, omap3xxx_prm_enable_io_wakeup() is always inlined, so we never noticed in the past. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Acked-by: Tony Lindgren Reviewed-by: Andrew Murray Signed-off-by: Olof Johansson Signed-off-by: Sasha Levin commit a68c5a52d5a1e42830b0563d7c5421e0153ae636 Author: Peter Zijlstra Date: Wed May 29 14:37:24 2019 +0200 perf/core: Fix perf_sample_regs_user() mm check [ Upstream commit 085ebfe937d7a7a5df1729f35a12d6d655fea68c ] perf_sample_regs_user() uses 'current->mm' to test for the presence of userspace, but this is insufficient, consider use_mm(). A better test is: '!(current->flags & PF_KTHREAD)', exec() clears PF_KTHREAD after it sets the new ->mm but before it drops to userspace for the first time. Possibly obsoletes: bf05fc25f268 ("powerpc/perf: Fix oops when kthread execs user process") Reported-by: Ravi Bangoria Reported-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Peter Zijlstra (Intel) Acked-by: Will Deacon Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker Cc: Jiri Olsa Cc: Linus Torvalds Cc: Michael Ellerman Cc: Naveen N. Rao Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Fixes: 4018994f3d87 ("perf: Add ability to attach user level registers dump to sample") Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 555c2ac63cadf2494a129e512b121c0bf63209fb Author: Hans de Goede Date: Wed May 29 15:28:28 2019 +0200 efi/bgrt: Drop BGRT status field reserved bits check [ Upstream commit a483fcab38b43fb34a7f12ab1daadd3907f150e2 ] Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer reserved. These bits are now used to indicate if the image needs to be rotated before being displayed. The first device using these bits has now shown up (the GPD MicroPC) and the reserved bits check causes us to reject the valid BGRT table on this device. Rather then changing the reserved bits check, allowing only the 2 new bits, instead just completely remove it so that we do not end up with a similar problem when more bits are added in the future. Signed-off-by: Hans de Goede Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 01894d27130c0f7aaf03fce673bcf8d1515b0841 Author: Tony Lindgren Date: Wed May 29 23:55:57 2019 -0700 clk: ti: clkctrl: Fix returning uninitialized data [ Upstream commit 41b3588dba6ef4b7995735a97e47ff0aeea6c276 ] If we do a clk_get() for a clock that does not exists, we have _ti_omap4_clkctrl_xlate() return uninitialized data if no match is found. This can be seen in some cases with SLAB_DEBUG enabled: Unable to handle kernel paging request at virtual address 5a5a5a5a ... clk_hw_create_clk.part.33 sysc_notifier_call notifier_call_chain blocking_notifier_call_chain device_add Let's fix this by setting a found flag only when we find a match. Reported-by: Tomi Valkeinen Fixes: 88a172526c32 ("clk: ti: add support for clkctrl clocks") Signed-off-by: Tony Lindgren Tested-by: Peter Ujfalusi Tested-by: Tomi Valkeinen Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 8fe38c0e7d1451fb1d89a1e9c6a5a30d3a901aac Author: Sean Young Date: Fri Nov 16 16:09:39 2018 +0000 MIPS: Remove superfluous check for __linux__ commit 1287533d3d95d5ad8b02773733044500b1be06bc upstream. When building BPF code using "clang -target bpf -c", clang does not define __linux__. To build BPF IR decoders the include linux/lirc.h is needed which includes linux/types.h. Currently this workaround is needed: https://git.linuxtv.org/v4l-utils.git/commit/?id=dd3ff81f58c4e1e6f33765dc61ad33c48ae6bb07 This check might otherwise be useful to stop users from using a non-linux compiler, but if you're doing that you are going to have a lot more trouble anyway. Signed-off-by: Sean Young Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/21149/ Cc: Ralf Baechle Cc: James Hogan Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Cc: Hauke Mehrtens Signed-off-by: Greg Kroah-Hartman commit 17fcbc4ad12d6e6f263d900c262d85ce6ae47373 Author: Vishnu DASA Date: Fri May 24 15:13:10 2019 +0000 VMCI: Fix integer overflow in VMCI handle arrays commit 1c2eb5b2853c9f513690ba6b71072d8eb65da16a upstream. The VMCI handle array has an integer overflow in vmci_handle_arr_append_entry when it tries to expand the array. This can be triggered from a guest, since the doorbell link hypercall doesn't impose a limit on the number of doorbell handles that a VM can create in the hypervisor, and these handles are stored in a handle array. In this change, we introduce a mandatory max capacity for handle arrays/lists to avoid excessive memory usage. Signed-off-by: Vishnu Dasa Reviewed-by: Adit Ranadive Reviewed-by: Jorgen Hansen Cc: stable Signed-off-by: Greg Kroah-Hartman commit e178cbbcc803c18aad0301d4ffd92b0bf01c5a11 Author: Christian Lamparter Date: Sat Jun 8 16:49:47 2019 +0200 carl9170: fix misuse of device driver API commit feb09b2933275a70917a869989ea2823e7356be8 upstream. This patch follows Alan Stern's recent patch: "p54: Fix race between disconnect and firmware loading" that overhauled carl9170 buggy firmware loading and driver unbinding procedures. Since the carl9170 code was adapted from p54 it uses the same functions and is likely to have the same problem, but it's just that the syzbot hasn't reproduce them (yet). a summary from the changes (copied from the p54 patch): * Call usb_driver_release_interface() rather than device_release_driver(). * Lock udev (the interface's parent) before unbinding the driver instead of locking udev->parent. * During the firmware loading process, take a reference to the USB interface instead of the USB device. * Don't take an unnecessary reference to the device during probe (and then don't drop it during disconnect). and * Make sure to prevent use-after-free bugs by explicitly setting the driver context to NULL after signaling the completion. Cc: Cc: Alan Stern Signed-off-by: Christian Lamparter Acked-by: Alan Stern Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 67f6f4a6d4219ae78198880a17ab74d057449d0f Author: Todd Kjos Date: Fri Jun 21 10:54:15 2019 -0700 binder: fix memory leak in error path commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream. syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com Signed-off-by: Todd Kjos Cc: stable Signed-off-by: Greg Kroah-Hartman commit cea29db65e075585dbc8b58e9119c1447ad1adc4 Author: Ian Abbott Date: Wed Jun 26 14:17:39 2019 +0100 staging: comedi: amplc_pci230: fix null pointer deref on interrupt commit 7379e6baeddf580d01feca650ec1ad508b6ea8ee upstream. The interrupt handler `pci230_interrupt()` causes a null pointer dereference for a PCI260 card. There is no analog output subdevice for a PCI260. The `dev->write_subdev` subdevice pointer and therefore the `s_ao` subdevice pointer variable will be `NULL` for a PCI260. The following call near the end of the interrupt handler results in the null pointer dereference for a PCI260: comedi_handle_events(dev, s_ao); Fix it by only calling the above function if `s_ao` is valid. Note that the other uses of `s_ao` in the calls `pci230_handle_ao_nofifo(dev, s_ao);` and `pci230_handle_ao_fifo(dev, s_ao);` will never be reached for a PCI260, so they are safe. Fixes: 39064f23284c ("staging: comedi: amplc_pci230: use comedi_handle_events()") Cc: # v3.19+ Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit a1fcfe095c8c22f67aaee0eba7acfd46559b75d5 Author: Ian Abbott Date: Wed Jun 26 14:18:04 2019 +0100 staging: comedi: dt282x: fix a null pointer deref on interrupt commit b8336be66dec06bef518030a0df9847122053ec5 upstream. The interrupt handler `dt282x_interrupt()` causes a null pointer dereference for those supported boards that have no analog output support. For these boards, `dev->write_subdev` will be `NULL` and therefore the `s_ao` subdevice pointer variable will be `NULL`. In that case, the following call near the end of the interrupt handler results in a null pointer dereference: comedi_handle_events(dev, s_ao); Fix it by only calling the above function if `s_ao` is valid. (There are other uses of `s_ao` by the interrupt handler that may or may not be reached depending on values of hardware registers. Trust that they are reliable for now.) Note: commit 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()") propagates an earlier error from commit f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()"). Fixes: 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()") Cc: # v3.19+ Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 769b7aa4fda594ffe693e8d37e9167f4072749da Author: Yoshihiro Shimoda Date: Wed Jun 26 22:06:33 2019 +0900 usb: renesas_usbhs: add a workaround for a race condition of workqueue commit b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 upstream. The old commit 6e4b74e4690d ("usb: renesas: fix scheduling in atomic context bug") fixed an atomic issue by using workqueue for the shdmac dmaengine driver. However, this has a potential race condition issue between the work pending and usbhsg_ep_free_request() in gadget mode. When usbhsg_ep_free_request() is called while pending the queue, since the work_struct will be freed and then the work handler is called, kernel panic happens on process_one_work(). To fix the issue, if we could call cancel_work_sync() at somewhere before the free request, it could be easy. However, the usbhsg_ep_free_request() is called on atomic (e.g. f_ncm driver calls free request via gether_disconnect()). For now, almost all users are having "USB-DMAC" and the DMAengine driver can be used on atomic. So, this patch adds a workaround for a race condition to call the DMAengine APIs without the workqueue. This means we still have TODO on shdmac environment (SH7724), but since it doesn't have SMP, the race condition might not happen. Fixes: ab330cf3888d ("usb: renesas_usbhs: add support for USB-DMAC") Cc: # v4.1+ Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 052a14ec8b31102bc729833fe24a772b32239132 Author: Kiruthika Varadarajan Date: Tue Jun 18 08:39:06 2019 +0000 usb: gadget: ether: Fix race between gether_disconnect and rx_submit commit d29fcf7078bc8be2b6366cbd4418265b53c94fac upstream. On spin lock release in rx_submit, gether_disconnect get a chance to run, it makes port_usb NULL, rx_submit access NULL port USB, hence null pointer crash. Fixed by releasing the lock in rx_submit after port_usb is used. Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core") Cc: Signed-off-by: Kiruthika Varadarajan Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c760ecb74f84f729ae31b9fbc6b772923cdc78df Author: Alan Stern Date: Mon May 20 10:44:21 2019 -0400 p54usb: Fix race between disconnect and firmware loading commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream. The syzbot fuzzer found a bug in the p54 USB wireless driver. The issue involves a race between disconnect and the firmware-loader callback routine, and it has several aspects. One big problem is that when the firmware can't be loaded, the callback routine tries to unbind the driver from the USB _device_ (by calling device_release_driver) instead of from the USB _interface_ to which it is actually bound (by calling usb_driver_release_interface). The race involves access to the private data structure. The driver's disconnect handler waits for a completion that is signalled by the firmware-loader callback routine. As soon as the completion is signalled, you have to assume that the private data structure may have been deallocated by the disconnect handler -- even if the firmware was loaded without errors. However, the callback routine does access the private data several times after that point. Another problem is that, in order to ensure that the USB device structure hasn't been freed when the callback routine runs, the driver takes a reference to it. This isn't good enough any more, because now that the callback routine calls usb_driver_release_interface, it has to ensure that the interface structure hasn't been freed. Finally, the driver takes an unnecessary reference to the USB device structure in the probe function and drops the reference in the disconnect handler. This extra reference doesn't accomplish anything, because the USB core already guarantees that a device structure won't be deallocated while a driver is still bound to any of its interfaces. To fix these problems, this patch makes the following changes: Call usb_driver_release_interface() rather than device_release_driver(). Don't signal the completion until after the important information has been copied out of the private data structure, and don't refer to the private data at all thereafter. Lock udev (the interface's parent) before unbinding the driver instead of locking udev->parent. During the firmware loading process, take a reference to the USB interface instead of the USB device. Don't take an unnecessary reference to the device during probe (and then don't drop it during disconnect). Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com CC: Acked-by: Christian Lamparter Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 658a16c5128f57964cb71a86b893b462cd0e2467 Author: Oliver Barta Date: Wed Jun 19 10:16:39 2019 +0200 Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled" commit 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 upstream. This reverts commit 2e9fe539108320820016f78ca7704a7342788380. Reading LSR unconditionally but processing the error flags only if UART_IIR_RDI bit was set before in IIR may lead to a loss of transmission error information on UARTs where the transmission error flags are cleared by a read of LSR. Information are lost in case an error is detected right before the read of LSR while processing e.g. an UART_IIR_THRI interrupt. Signed-off-by: Oliver Barta Reviewed-by: Andy Shevchenko Fixes: 2e9fe5391083 ("serial: 8250: Don't service RX FIFO if interrupts are disabled") Cc: stable Signed-off-by: Greg Kroah-Hartman commit 771340b0346d996d7445c0c8d7ad8f50fb4199ac Author: Jörgen Storvist Date: Wed Jun 19 00:30:19 2019 +0200 USB: serial: option: add support for GosunCn ME3630 RNDIS mode commit aed2a26283528fb69c38e414f649411aa48fb391 upstream. Added USB IDs for GosunCn ME3630 cellular module in RNDIS mode. T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=03 Dev#= 18 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=19d2 ProdID=0601 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber=b950269c C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option Signed-off-by: Jörgen Storvist Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 5b549d502afc86dbc1d6080ab7c15d985dbd08c0 Author: Andreas Fritiofson Date: Fri Jun 28 15:08:34 2019 +0200 USB: serial: ftdi_sio: add ID for isodebug v1 commit f8377eff548170e8ea8022c067a1fbdf9e1c46a8 upstream. This adds the vid:pid of the isodebug v1 isolated JTAG/SWD+UART. Only the second channel is available for use as a serial port. Signed-off-by: Andreas Fritiofson Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ced121ed856092c4b81d7125b85b04ebeb2c590e Author: Brian Norris Date: Fri Jun 14 17:13:20 2019 -0700 mwifiex: Don't abort on small, spec-compliant vendor IEs commit 63d7ef36103d26f20325a921ecc96a3288560146 upstream. Per the 802.11 specification, vendor IEs are (at minimum) only required to contain an OUI. A type field is also included in ieee80211.h (struct ieee80211_vendor_ie) but doesn't appear in the specification. The remaining fields (subtype, version) are a convention used in WMM headers. Thus, we should not reject vendor-specific IEs that have only the minimum length (3 bytes) -- we should skip over them (since we only want to match longer IEs, that match either WMM or WPA formats). We can reject elements that don't have the minimum-required 3 byte OUI. While we're at it, move the non-standard subtype and version fields into the WMM structs, to avoid this confusion in the future about generic "vendor header" attributes. Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element") Cc: Takashi Iwai Signed-off-by: Brian Norris Reviewed-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit b1459fb34061337efbf0d47a3ba6208f2f59829d Author: Takashi Iwai Date: Fri May 31 15:18:41 2019 +0200 mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream. A few places in mwifiex_uap_parse_tail_ies() perform memcpy() unconditionally, which may lead to either buffer overflow or read over boundary. This patch addresses the issues by checking the read size and the destination size at each place more properly. Along with the fixes, the patch cleans up the code slightly by introducing a temporary variable for the token size, and unifies the error path with the standard goto statement. Reported-by: huangwen Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit ebd45bdd74ffe4e199e5af39b4d7765059419a9c Author: Takashi Iwai Date: Wed May 29 14:52:20 2019 +0200 mwifiex: Abort at too short BSS descriptor element commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream. Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that the source descriptor entries contain the enough size for each type and performs copying without checking the source size. This may lead to read over boundary. Fix this by putting the source size check in appropriate places. Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit d30cb648f3ec77ca5f773a9b74d565cca1561aa1 Author: Tim Chen Date: Thu Jun 20 16:10:50 2019 -0700 Documentation: Add section about CPU vulnerabilities for Spectre commit 6e88559470f581741bcd0f2794f9054814ac9740 upstream. Add documentation for Spectre vulnerability and the mitigation mechanisms: - Explain the problem and risks - Document the mitigation mechanisms - Document the command line controls - Document the sysfs files Co-developed-by: Andi Kleen Signed-off-by: Andi Kleen Co-developed-by: Tim Chen Signed-off-by: Tim Chen Reviewed-by: Randy Dunlap Reviewed-by: Thomas Gleixner Cc: stable@vger.kernel.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 30a9b8b4b767c8d4d05c999d7bd1e502fc4df06a Author: Dianzhang Chen Date: Wed Jun 26 12:50:30 2019 +0800 x86/tls: Fix possible spectre-v1 in do_get_thread_area() commit 993773d11d45c90cb1c6481c2638c3d9f092ea5b upstream. The index to access the threads tls array is controlled by userspace via syscall: sys_ptrace(), hence leading to a potential exploitation of the Spectre variant 1 vulnerability. The index can be controlled from: ptrace -> arch_ptrace -> do_get_thread_area. Fix this by sanitizing the user supplied index before using it to access the p->thread.tls_array. Signed-off-by: Dianzhang Chen Signed-off-by: Thomas Gleixner Cc: bp@alien8.de Cc: hpa@zytor.com Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1561524630-3642-1-git-send-email-dianzhangchen0@gmail.com Signed-off-by: Greg Kroah-Hartman commit f41c1f4ead14745f4985a6e2cbe5427e072a823e Author: Dianzhang Chen Date: Tue Jun 25 23:30:17 2019 +0800 x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg() commit 31a2fbb390fee4231281b939e1979e810f945415 upstream. The index to access the threads ptrace_bps is controlled by userspace via syscall: sys_ptrace(), hence leading to a potential exploitation of the Spectre variant 1 vulnerability. The index can be controlled from: ptrace -> arch_ptrace -> ptrace_get_debugreg. Fix this by sanitizing the user supplied index before using it access thread->ptrace_bps. Signed-off-by: Dianzhang Chen Signed-off-by: Thomas Gleixner Cc: bp@alien8.de Cc: hpa@zytor.com Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1561476617-3759-1-git-send-email-dianzhangchen0@gmail.com Signed-off-by: Greg Kroah-Hartman commit 340a4da3c16aa73f9ce7b409e3e65786b7abb202 Author: Douglas Anderson Date: Thu Jun 27 21:44:09 2019 -0700 block, bfq: NULL out the bic when it's no longer valid commit dbc3117d4ca9e17819ac73501e914b8422686750 upstream. In reboot tests on several devices we were seeing a "use after free" when slub_debug or KASAN was enabled. The kernel complained about: Unable to handle kernel paging request at virtual address 6b6b6c2b ...which is a classic sign of use after free under slub_debug. The stack crawl in kgdb looked like: 0 test_bit (addr=, nr=) 1 bfq_bfqq_busy (bfqq=) 2 bfq_select_queue (bfqd=) 3 __bfq_dispatch_request (hctx=) 4 bfq_dispatch_request (hctx=) 5 0xc056ef00 in blk_mq_do_dispatch_sched (hctx=0xed249440) 6 0xc056f728 in blk_mq_sched_dispatch_requests (hctx=0xed249440) 7 0xc0568d24 in __blk_mq_run_hw_queue (hctx=0xed249440) 8 0xc0568d94 in blk_mq_run_work_fn (work=) 9 0xc024c5c4 in process_one_work (worker=0xec6d4640, work=0xed249480) 10 0xc024cff4 in worker_thread (__worker=0xec6d4640) Digging in kgdb, it could be found that, though bfqq looked fine, bfqq->bic had been freed. Through further digging, I postulated that perhaps it is illegal to access a "bic" (AKA an "icq") after bfq_exit_icq() had been called because the "bic" can be freed at some point in time after this call is made. I confirmed that there certainly were cases where the exact crashing code path would access the "bic" after bfq_exit_icq() had been called. Sspecifically I set the "bfqq->bic" to (void *)0x7 and saw that the bic was 0x7 at the time of the crash. To understand a bit more about why this crash was fairly uncommon (I saw it only once in a few hundred reboots), you can see that much of the time bfq_exit_icq_fbqq() fully frees the bfqq and thus it can't access the ->bic anymore. The only case it doesn't is if bfq_put_queue() sees a reference still held. However, even in the case when bfqq isn't freed, the crash is still rare. Why? I tracked what happened to the "bic" after the exit routine. It doesn't get freed right away. Rather, put_io_context_active() eventually called put_io_context() which queued up freeing on a workqueue. The freeing then actually happened later than that through call_rcu(). Despite all these delays, some extra debugging showed that all the hoops could be jumped through in time and the memory could be freed causing the original crash. Phew! To make a long story short, assuming it truly is illegal to access an icq after the "exit_icq" callback is finished, this patch is needed. Cc: stable@vger.kernel.org Reviewed-by: Paolo Valente Signed-off-by: Douglas Anderson Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1f1d1d8e8941879d7e185f256f95879dbac019b8 Author: Kailang Yang Date: Thu Jul 4 16:02:10 2019 +0800 ALSA: hda/realtek - Headphone Mic can't record after S3 commit d07a9a4f66e944fcc900812cbc2f6817bde6a43d upstream. Dell headset mode platform with ALC236. It doesn't recording after system resume from S3. S3 mode was deep. s2idle was not has this issue. S3 deep will cut of codec power. So, the register will back to default after resume back. This patch will solve this issue. Signed-off-by: Kailang Yang Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 541cb89c7581d59abeff3e9a51d50e6bf81572cf Author: Steven J. Magnani Date: Sun Jun 30 21:39:35 2019 -0500 udf: Fix incorrect final NOT_ALLOCATED (hole) extent length commit fa33cdbf3eceb0206a4f844fe91aeebcf6ff2b7a upstream. In some cases, using the 'truncate' command to extend a UDF file results in a mismatch between the length of the file's extents (specifically, due to incorrect length of the final NOT_ALLOCATED extent) and the information (file) length. The discrepancy can prevent other operating systems (i.e., Windows 10) from opening the file. Two particular errors have been observed when extending a file: 1. The final extent is larger than it should be, having been rounded up to a multiple of the block size. B. The final extent is not shorter than it should be, due to not having been updated when the file's information length was increased. [JK: simplified udf_do_extend_final_block(), fixed up some types] Fixes: 2c948b3f86e5 ("udf: Avoid IO in udf_clear_inode") CC: stable@vger.kernel.org Signed-off-by: Steven J. Magnani Link: https://lore.kernel.org/r/1561948775-5878-1-git-send-email-steve@digidescorp.com Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 9f805849e1f14c23c469196508fab7ed104cc2ba Author: Hongjie Fang Date: Wed May 22 10:02:53 2019 +0800 fscrypt: don't set policy for a dead directory commit 5858bdad4d0d0fc18bf29f34c3ac836e0b59441f upstream. The directory may have been removed when entering fscrypt_ioctl_set_policy(). If so, the empty_dir() check will return error for ext4 file system. ext4_rmdir() sets i_size = 0, then ext4_empty_dir() reports an error because 'inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)'. If the fs is mounted with errors=panic, it will trigger a panic issue. Add the check IS_DEADDIR() to fix this problem. Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") Cc: # v4.1+ Signed-off-by: Hongjie Fang Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman commit 5636cbbe30c5895bc62a3fb030e9992e651141be Author: Lin Yi Date: Mon Jun 10 10:16:56 2019 +0800 net :sunrpc :clnt :Fix xps refcount imbalance on the error path [ Upstream commit b96226148491505318228ac52624956bd98f9e0c ] rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget to release it before return, may lead to a memory leak. Signed-off-by: Lin Yi Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 3dc99f53b053cf3993409144845c0b234e0d86d1 Author: Rasmus Villemoes Date: Wed Jun 19 10:02:13 2019 +0000 net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() [ Upstream commit 48620e341659f6e4b978ec229f6944dabe6df709 ] The comment is correct, but the code ends up moving the bits four places too far, into the VTUOp field. Fixes: 11ea809f1a74 (net: dsa: mv88e6xxx: support 256 databases) Signed-off-by: Rasmus Villemoes Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8907e1a6bbfc2e61b91a83bf9d55d16c659d1686 Author: yangerkun Date: Tue Mar 26 22:00:02 2019 +0800 quota: fix a problem about transfer quota [ Upstream commit c6d9c35d16f1bafd3fec64b865e569e48cbcb514 ] Run below script as root, dquot_add_space will return -EDQUOT since __dquot_transfer call dquot_add_space with flags=0, and dquot_add_space think it's a preallocation. Fix it by set flags as DQUOT_SPACE_WARN. mkfs.ext4 -O quota,project /dev/vdb mount -o prjquota /dev/vdb /mnt setquota -P 23 1 1 0 0 /dev/vdb dd if=/dev/zero of=/mnt/test-file bs=4K count=1 chattr -p 23 test-file Fixes: 7b9ca4c61bc2 ("quota: Reduce contention on dq_data_lock") Signed-off-by: yangerkun Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 9bd41f5634118567ae19a6c87029579985e12dc6 Author: Colin Ian King Date: Mon Jun 17 17:12:49 2019 +0100 net: lio_core: fix potential sign-extension overflow on large shift [ Upstream commit 9476274093a0e79b905f4cd6cf6d149f65e02c17 ] Left shifting the signed int value 1 by 31 bits has undefined behaviour and the shift amount oq_no can be as much as 63. Fix this by using BIT_ULL(oq_no) instead. Addresses-Coverity: ("Bad shift operation") Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") Signed-off-by: Colin Ian King Reviewed-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 95a00fa0d43d201bd06422e5208d3b803394adba Author: Xin Long Date: Mon Jun 17 21:34:14 2019 +0800 ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL [ Upstream commit 6f6a8622057c92408930c31698394fae1557b188 ] A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL" is also needed by ip6_tunnel. Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8945fba0e3799246bfaf26b15fd28cdad0b26b26 Author: Dan Carpenter Date: Tue Jun 18 16:18:43 2019 +0300 drm: return -EFAULT if copy_to_user() fails [ Upstream commit 74b67efa8d7b4f90137f0ab9a80dd319da050350 ] The copy_from_user() function returns the number of bytes remaining to be copied but we want to return a negative error code. Otherwise the callers treat it as a successful copy. Signed-off-by: Dan Carpenter Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190618131843.GA29463@mwanda Signed-off-by: Sasha Levin commit 39e006a60360316ab4ca803bc867fe2160528a93 Author: Mauro S. M. Rodrigues Date: Thu Jun 13 16:25:40 2019 -0300 bnx2x: Check if transceiver implements DDM before access [ Upstream commit cf18cecca911c0db96b868072665347efe6df46f ] Some transceivers may comply with SFF-8472 even though they do not implement the Digital Diagnostic Monitoring (DDM) interface described in the spec. The existence of such area is specified by the 6th bit of byte 92, set to 1 if implemented. Currently, without checking this bit, bnx2x fails trying to read sfp module's EEPROM with the follow message: ethtool -m enP5p1s0f1 Cannot get Module EEPROM data: Input/output error Because it fails to read the additional 256 bytes in which it is assumed to exist the DDM data. This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM data was confirmed by Mellanox as correct and similar to other Passive DACs from other manufacturers. Signed-off-by: Mauro S. M. Rodrigues Acked-by: Sudarsana Reddy Kalluru Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a113e3324cded82bfeba4ef84d85ad9b0831f6df Author: Mariusz Tkaczyk Date: Thu Jun 13 16:11:41 2019 +0200 md: fix for divide error in status_resync [ Upstream commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 ] Stopping external metadata arrays during resync/recovery causes retries, loop of interrupting and starting reconstruction, until it hit at good moment to stop completely. While these retries curr_mark_cnt can be small- especially on HDD drives, so subtraction result can be smaller than 0. However it is casted to uint without checking. As a result of it the status bar in /proc/mdstat while stopping is strange (it jumps between 0% and 99%). The real problem occurs here after commit 72deb455b5ec ("block: remove CONFIG_LBDAF"). Sector_div() macro has been changed, now the divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0. Check if db value can be really counted and replace these macro by div64_u64() inline. Signed-off-by: Mariusz Tkaczyk Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 065cf4159258caf507d96fa5449c601e5a9e865a Author: Reinhard Speyerer Date: Wed Jun 12 19:03:50 2019 +0200 qmi_wwan: extend permitted QMAP mux_id value range [ Upstream commit 36815b416fa48766ac5a98e4b2dc3ebc5887222e ] Permit mux_id values up to 254 to be used in qmimux_register_device() for compatibility with ip(8) and the rmnet driver. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4f8544dd54b12faefec3f6c58c2dad28c6b4d37f Author: Reinhard Speyerer Date: Wed Jun 12 19:03:15 2019 +0200 qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode [ Upstream commit a8fdde1cb830e560208af42b6c10750137f53eb3 ] Switch qmimux_unregister_device() and qmi_wwan_disconnect() to use unregister_netdevice_queue() and unregister_netdevice_many() instead of unregister_netdevice(). This avoids RCU stalls which have been observed on device disconnect in certain setups otherwise. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0d34ea83b1c13beb6f939760fe9c7b6b73617997 Author: Reinhard Speyerer Date: Wed Jun 12 19:02:13 2019 +0200 qmi_wwan: add support for QMAP padding in the RX path [ Upstream commit 61356088ace1866a847a727d4d40da7bf00b67fc ] The QMAP code in the qmi_wwan driver is based on the CodeAurora GobiNet driver which does not process QMAP padding in the RX path correctly. Add support for QMAP padding to qmimux_rx_fixup() according to the description of the rmnet driver. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4efb3c121b3c9b99f78af1c6fa7cc837752e92f9 Author: Yibo Zhao Date: Fri Jun 14 19:01:52 2019 +0800 mac80211: only warn once on chanctx_conf being NULL [ Upstream commit 563572340173865a9a356e6bb02579e6998a876d ] In multiple SSID cases, it takes time to prepare every AP interface to be ready in initializing phase. If a sta already knows everything it needs to join one of the APs and sends authentication to the AP which is not fully prepared at this point of time, AP's channel context could be NULL. As a result, warning message occurs. Even worse, if the AP is under attack via tools such as MDK3 and massive authentication requests are received in a very short time, console will be hung due to kernel warning messages. WARN_ON_ONCE() could be a better way for indicating warning messages without duplicate messages to flood the console. Johannes: We still need to address the underlying problem, but we don't really have a good handle on it yet. Suppress the worst side-effects for now. Signed-off-by: Zhi Chen Signed-off-by: Yibo Zhao [johannes: add note, change subject] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 2ec7fa2c45403b935edf0ac52fe960a8564fea7e Author: Bartosz Golaszewski Date: Fri Jun 7 16:33:50 2019 +0200 ARM: davinci: da8xx: specify dma_coherent_mask for lcdc [ Upstream commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 ] The lcdc device is missing the dma_coherent_mask definition causing the following warning on da850-evm: da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110 Modules linked in: CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18 Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (__warn+0xec/0x114) [] (__warn) from [] (warn_slowpath_null+0x3c/0x48) [] (warn_slowpath_null) from [] (dma_alloc_attrs+0xc8/0x110) [] (dma_alloc_attrs) from [] (fb_probe+0x228/0x5a8) [] (fb_probe) from [] (platform_drv_probe+0x48/0x9c) [] (platform_drv_probe) from [] (really_probe+0x1d8/0x2d4) [] (really_probe) from [] (driver_probe_device+0x5c/0x168) [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) [] (device_driver_attach) from [] (__driver_attach+0x80/0xbc) [] (__driver_attach) from [] (bus_for_each_dev+0x64/0xb4) [] (bus_for_each_dev) from [] (bus_add_driver+0xe4/0x1d8) [] (bus_add_driver) from [] (driver_register+0x78/0x10c) [] (driver_register) from [] (do_one_initcall+0x48/0x1bc) [] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d8) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) [] (kernel_init) from [] (ret_from_fork+0x14/0x34) Exception stack(0xc6837fb0 to 0xc6837ff8) 7fa0: 00000000 00000000 00000000 00000000 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ---[ end trace 8a8073511be81dd2 ]--- Add a 32-bit mask to the platform device's definition. Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin commit 41c22387d2d1f632cf341da61521c553d4e1a4d1 Author: Bartosz Golaszewski Date: Fri Jun 7 11:02:01 2019 +0200 ARM: davinci: da850-evm: call regulator_has_full_constraints() [ Upstream commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe ] The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because the board doesn't set has_full_constraints to true in the regulator API. Call regulator_has_full_constraints() at the end of board registration just like we do in da850-lcdk and da830-evm. Reviewed-by: Linus Walleij Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin commit 8fdce8fec4227acd14984afa1f5c3a26dd9f00d6 Author: Ido Schimmel Date: Tue Jun 11 10:19:46 2019 +0300 mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed [ Upstream commit 4b14cc313f076c37b646cee06a85f0db59cf216c ] When PVID is removed from a bridge port, the Linux bridge drops both untagged and prio-tagged packets. Align mlxsw with this behavior. Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register") Acked-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7a00b9c2f800245f076c4fb969c175ec28ad2d6d Author: Dave Martin Date: Thu Jun 6 11:58:07 2019 +0100 KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy [ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ] kvm_device->destroy() seems to be supposed to free its kvm_device struct, but vgic_its_destroy() is not currently doing this, resulting in a memory leak, resulting in kmemleak reports such as the following: unreferenced object 0xffff800aeddfe280 (size 128): comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s) [...] backtrace: [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208 [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0 Fix it. Cc: Andre Przywara Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device") Signed-off-by: Dave Martin Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit b7c93cafd5a7eba38e6e0ef8b5679e43a37b49ad Author: Anson Huang Date: Tue Jun 11 17:50:44 2019 -0700 Input: imx_keypad - make sure keyboard can always wake up system [ Upstream commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 ] There are several scenarios that keyboard can NOT wake up system from suspend, e.g., if a keyboard is depressed between system device suspend phase and device noirq suspend phase, the keyboard ISR will be called and both keyboard depress and release interrupts will be disabled, then keyboard will no longer be able to wake up system. Another scenario would be, if a keyboard is kept depressed, and then system goes into suspend, the expected behavior would be when keyboard is released, system will be waked up, but current implementation can NOT achieve that, because both depress and release interrupts are disabled in ISR, and the event check is still in progress. To fix these issues, need to make sure keyboard's depress or release interrupt is enabled after noirq device suspend phase, this patch moves the suspend/resume callback to noirq suspend/resume phase, and enable the corresponding interrupt according to current keyboard status. Signed-off-by: Anson Huang Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 0e717dabc81195496d4beb66676c25a491d053db Author: Teresa Remmet Date: Fri May 24 15:19:57 2019 +0200 ARM: dts: am335x phytec boards: Fix cd-gpios active level [ Upstream commit 8a0098c05a272c9a68f6885e09755755b612459c ] Active level of the mmc1 cd gpio needs to be low instead of high. Fix PCM-953 and phyBOARD-WEGA. Signed-off-by: Teresa Remmet Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit ae8524861443d7e7f74145f722d9641883190943 Author: Thomas Falcon Date: Fri Jun 7 16:03:54 2019 -0500 ibmvnic: Refresh device multicast list after reset [ Upstream commit be32a24372cf162e825332da1a7ccef058d4f20b ] It was observed that multicast packets were no longer received after a device reset. The fix is to resend the current multicast list to the backing device after recovery. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7f0359b6bf37a8d13ada0a6db93e54196eb4e08f Author: YueHaibing Date: Thu May 16 22:36:26 2019 +0800 can: af_can: Fix error path of can_init() [ Upstream commit c5a3aed1cd3152429348ee1fe5cdcca65fe901ce ] This patch add error path for can_init() to avoid possible crash if some error occurs. Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module") Signed-off-by: YueHaibing Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit e086121ec28d44c7be58fbc112d67dc1b56313ee Author: Eugen Hristev Date: Mon Mar 4 14:44:13 2019 +0000 can: m_can: implement errata "Needless activation of MRAF irq" [ Upstream commit 3e82f2f34c930a2a0a9e69fdc2de2f2f1388b442 ] During frame reception while the MCAN is in Error Passive state and the Receive Error Counter has thevalue MCAN_ECR.REC = 127, it may happen that MCAN_IR.MRAF is set although there was no Message RAM access failure. If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is generated. Work around: The Message RAM Access Failure interrupt routine needs to check whether MCAN_ECR.RP = '1' and MCAN_ECR.REC = '127'. In this case, reset MCAN_IR.MRAF. No further action is required. This affects versions older than 3.2.0 Errata explained on Sama5d2 SoC which includes this hardware block: http://ww1.microchip.com/downloads/en/DeviceDoc/SAMA5D2-Family-Silicon-Errata-and-Data-Sheet-Clarification-DS80000803B.pdf chapter 6.2 Reproducibility: If 2 devices with m_can are connected back to back, configuring different bitrate on them will lead to interrupt storm on the receiving side, with error "Message RAM access failure occurred". Another way is to have a bad hardware connection. Bad wire connection can lead to this issue as well. This patch fixes the issue according to provided workaround. Signed-off-by: Eugen Hristev Reviewed-by: Ludovic Desroches Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 905610fde81cb58338c96f8c02389be531f0c337 Author: Sean Nyekjaer Date: Tue May 7 11:34:36 2019 +0200 can: mcp251x: add support for mcp25625 [ Upstream commit 35b7fa4d07c43ad79b88e6462119e7140eae955c ] Fully compatible with mcp2515, the mcp25625 have integrated transceiver. This patch adds support for the mcp25625 to the existing mcp251x driver. Signed-off-by: Sean Nyekjaer Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 2b0ce4096f1aad23fdc541156299bd7b00728e68 Author: Sean Nyekjaer Date: Tue May 7 11:34:37 2019 +0200 dt-bindings: can: mcp251x: add mcp25625 support [ Upstream commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae ] Fully compatible with mcp2515, the mcp25625 have integrated transceiver. This patch add the mcp25625 to the device tree bindings documentation. Signed-off-by: Sean Nyekjaer Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 9f150b4badbf822f0bcdb1e691fbd79419d59575 Author: Guillaume Nault Date: Thu Jun 6 18:04:00 2019 +0200 netfilter: ipv6: nf_defrag: accept duplicate fragments again [ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ] When fixing the skb leak introduced by the conversion to rbtree, I forgot about the special case of duplicate fragments. The condition under the 'insert_error' label isn't effective anymore as nf_ct_frg6_gather() doesn't override the returned value anymore. So duplicate fragments now get NF_DROP verdict. To accept duplicate fragments again, handle them specially as soon as inet_frag_queue_insert() reports them. Return -EINPROGRESS which will translate to NF_STOLEN verdict, like any accepted fragment. However, such packets don't carry any new information and aren't queued, so we just drop them immediately. Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments") Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 55434796882f53da87f05d294ffd1b386953299b Author: Guillaume Nault Date: Sun Jun 2 15:13:47 2019 +0200 netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments [ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ] With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail after the skb has been added to the fragment queue and nf_ct_frag6_gather() was adapted to handle this case. But nf_ct_frag6_queue() can still fail before the fragment has been queued. nf_ct_frag6_gather() can't handle this case anymore, because it has no way to know if nf_ct_frag6_queue() queued the fragment before failing. If it didn't, the skb is lost as the error code is overwritten with -EINPROGRESS. Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so that nf_ct_frag6_gather() can propagate the error as is. Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c") Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 461117876d9087cc018328f6636e4ae82b58b508 Author: Jia-Ju Bai Date: Wed May 29 16:39:54 2019 +0300 iwlwifi: Fix double-free problems in iwl_req_fw_callback() [ Upstream commit a8627176b0de7ba3f4524f641ddff4abf23ae4e4 ] In the error handling code of iwl_req_fw_callback(), iwl_dealloc_ucode() is called to free data. In iwl_drv_stop(), iwl_dealloc_ucode() is called again, which can cause double-free problems. To fix this bug, the call to iwl_dealloc_ucode() in iwl_req_fw_callback() is deleted. This bug is found by a runtime fuzzing tool named FIZZER written by us. Signed-off-by: Jia-Ju Bai Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit d50f6b58d7ad30ad8e96c0bbc3e5ecfe9b91ba77 Author: Takashi Iwai Date: Wed May 29 14:52:19 2019 +0200 mwifiex: Fix possible buffer overflows at parsing bss descriptor [ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ] mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in a couple places without checking the destination size. Since the source is given from user-space, this may trigger a heap buffer overflow. Fix it by putting the length check before performing memcpy(). This fix addresses CVE-2019-3846. Reported-by: huangwen Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit ad3ce300690665da156dd1ee514393e8aabc2b92 Author: Pradeep Kumar Chitrapu Date: Tue May 28 16:36:16 2019 -0700 mac80211: free peer keys before vif down in mesh [ Upstream commit 0112fa557c3bb3a002bc85760dc3761d737264d3 ] freeing peer keys after vif down is resulting in peer key uninstall to fail due to interface lookup failure. so fix that. Signed-off-by: Pradeep Kumar Chitrapu Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit b5a48f04c912d31f730e928de8fb7ce147a08bf4 Author: Thomas Pedersen Date: Fri May 24 21:16:24 2019 -0700 mac80211: mesh: fix RCU warning [ Upstream commit 551842446ed695641a00782cd118cbb064a416a1 ] ifmsh->csa is an RCU-protected pointer. The writer context in ieee80211_mesh_finish_csa() is already mutually exclusive with wdev->sdata.mtx, but the RCU checker did not know this. Use rcu_dereference_protected() to avoid a warning. fixes the following warning: [ 12.519089] ============================= [ 12.520042] WARNING: suspicious RCU usage [ 12.520652] 5.1.0-rc7-wt+ #16 Tainted: G W [ 12.521409] ----------------------------- [ 12.521972] net/mac80211/mesh.c:1223 suspicious rcu_dereference_check() usage! [ 12.522928] other info that might help us debug this: [ 12.523984] rcu_scheduler_active = 2, debug_locks = 1 [ 12.524855] 5 locks held by kworker/u8:2/152: [ 12.525438] #0: 00000000057be08c ((wq_completion)phy0){+.+.}, at: process_one_work+0x1a2/0x620 [ 12.526607] #1: 0000000059c6b07a ((work_completion)(&sdata->csa_finalize_work)){+.+.}, at: process_one_work+0x1a2/0x620 [ 12.528001] #2: 00000000f184ba7d (&wdev->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x2f/0x90 [ 12.529116] #3: 00000000831a1f54 (&local->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x47/0x90 [ 12.530233] #4: 00000000fd06f988 (&local->chanctx_mtx){+.+.}, at: ieee80211_csa_finalize_work+0x51/0x90 Signed-off-by: Thomas Pedersen Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit d193f70750cec5b59277bf427b9d971532b03174 Author: Melissa Wen Date: Sat May 18 22:04:56 2019 -0300 staging:iio:ad7150: fix threshold mode config bit [ Upstream commit df4d737ee4d7205aaa6275158aeebff87fd14488 ] According to the AD7150 configuration register description, bit 7 assumes value 1 when the threshold mode is fixed and 0 when it is adaptive, however, the operation that identifies this mode was considering the opposite values. This patch renames the boolean variable to describe it correctly and properly replaces it in the places where it is used. Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.") Signed-off-by: Melissa Wen Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 635e92cfe1ac6b4e0806c08a59d575d5562adccd Author: John Fastabend Date: Fri May 24 08:01:00 2019 -0700 bpf: sockmap, fix use after free from sleep in psock backlog workqueue [ Upstream commit bd95e678e0f6e18351ecdc147ca819145db9ed7b ] Backlog work for psock (sk_psock_backlog) might sleep while waiting for memory to free up when sending packets. However, while sleeping the socket may be closed and removed from the map by the user space side. This breaks an assumption in sk_stream_wait_memory, which expects the wait queue to be still there when it wakes up resulting in a use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT to avoid the sleep altogether. We already set the flag for the sendpage case but we missed the case were sendmsg is used. Sockmap is currently the only user of skb_send_sock_locked() so only the sockmap paths should be impacted. ================================================================== BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70 Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110 CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 Workqueue: events sk_psock_backlog Call Trace: print_address_description+0x6e/0x2b0 ? remove_wait_queue+0x31/0x70 kasan_report+0xfd/0x177 ? remove_wait_queue+0x31/0x70 ? remove_wait_queue+0x31/0x70 remove_wait_queue+0x31/0x70 sk_stream_wait_memory+0x4dd/0x5f0 ? sk_stream_wait_close+0x1b0/0x1b0 ? wait_woken+0xc0/0xc0 ? tcp_current_mss+0xc5/0x110 tcp_sendmsg_locked+0x634/0x15d0 ? tcp_set_state+0x2e0/0x2e0 ? __kasan_slab_free+0x1d1/0x230 ? kmem_cache_free+0x70/0x140 ? sk_psock_backlog+0x40c/0x4b0 ? process_one_work+0x40b/0x660 ? worker_thread+0x82/0x680 ? kthread+0x1b9/0x1e0 ? ret_from_fork+0x1f/0x30 ? check_preempt_curr+0xaf/0x130 ? iov_iter_kvec+0x5f/0x70 ? kernel_sendmsg_locked+0xa0/0xe0 skb_send_sock_locked+0x273/0x3c0 ? skb_splice_bits+0x180/0x180 ? start_thread+0xe0/0xe0 ? update_min_vruntime.constprop.27+0x88/0xc0 sk_psock_backlog+0xb3/0x4b0 ? strscpy+0xbf/0x1e0 process_one_work+0x40b/0x660 worker_thread+0x82/0x680 ? process_one_work+0x660/0x660 kthread+0x1b9/0x1e0 ? __kthread_create_on_node+0x250/0x250 ret_from_fork+0x1f/0x30 Fixes: 20bf50de3028c ("skbuff: Function to send an skbuf on a socket") Reported-by: Jakub Sitnicki Tested-by: Jakub Sitnicki Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 1772f38b97a22616a503a7d61c921fd72ba1200b Author: Chang-Hsien Tsai Date: Sun May 19 09:05:44 2019 +0000 samples, bpf: fix to change the buffer size for read() [ Upstream commit f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 ] If the trace for read is larger than 4096, the return value sz will be 4096. This results in off-by-one error on buf: static char buf[4096]; ssize_t sz; sz = read(trace_fd, buf, sizeof(buf)); if (sz > 0) { buf[sz] = 0; puts(buf); } Signed-off-by: Chang-Hsien Tsai Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit c83caff2c12f18e68e51635eb31fd4e5146ebf55 Author: Aaron Ma Date: Mon May 20 22:09:10 2019 -0700 Input: elantech - enable middle button support on 2 ThinkPads [ Upstream commit aa440de3058a3ef530851f9ef373fbb5f694dbc3 ] Adding 2 new touchpad PNPIDs to enable middle button support. Signed-off-by: Aaron Ma Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit abee7cfad6e2b813b209882b46511f1051ea5cca Author: Christophe Leroy Date: Tue May 21 13:34:08 2019 +0000 crypto: talitos - rename alternative AEAD algos. commit a1a42f84011fae6ff08441a91aefeb7febc984fc upstream. The talitos driver has two ways to perform AEAD depending on the HW capability. Some HW support both. It is needed to give them different names to distingish which one it is for instance when a test fails. Signed-off-by: Christophe Leroy Fixes: 7405c8d7ff97 ("crypto: talitos - templates for AEAD using HMAC_SNOOP_NO_AFEU") Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit b6ac72d9ea7698fa36b5a56c98ad40fa5693c96f Author: James Morse Date: Mon Jun 24 18:36:56 2019 +0100 drivers: base: cacheinfo: Ensure cpu hotplug work is done before Intel RDT commit 83b44fe343b5abfcb1b2261289bd0cfcfcfd60a8 upstream. The cacheinfo structures are alloced/freed by cpu online/offline callbacks. Originally these were only used by sysfs to expose the cache topology to user space. Without any in-kernel dependencies CPUHP_AP_ONLINE_DYN was an appropriate choice. resctrl has started using these structures to identify CPUs that share a cache. It updates its 'domain' structures from cpu online/offline callbacks. These depend on the cacheinfo structures (resctrl_online_cpu()->domain_add_cpu()->get_cache_id()-> get_cpu_cacheinfo()). These also run as CPUHP_AP_ONLINE_DYN. Now that there is an in-kernel dependency, move the cacheinfo work earlier so we know its done before resctrl's CPUHP_AP_ONLINE_DYN work runs. Fixes: 2264d9c74dda1 ("x86/intel_rdt: Build structures for each resource based on cache topology") Cc: Cc: Fenghua Yu Cc: Reinette Chatre Signed-off-by: James Morse Link: https://lore.kernel.org/r/20190624173656.202407-1-james.morse@arm.com Signed-off-by: Greg Kroah-Hartman commit fabe505475bb0eb59d84f28c8655bd4331084fdc Author: Masahiro Yamada Date: Thu Jul 11 20:52:18 2019 -0700 nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header commit c32cc30c0544f13982ee0185d55f4910319b1a79 upstream. cpu_to_le32/le32_to_cpu is defined in include/linux/byteorder/generic.h, which is not exported to user-space. UAPI headers must use the ones prefixed with double-underscore. Detected by compile-testing exported headers: include/linux/nilfs2_ondisk.h: In function `nilfs_checkpoint_set_snapshot': include/linux/nilfs2_ondisk.h:536:17: error: implicit declaration of function `cpu_to_le32' [-Werror=implicit-function-declaration] cp->cp_flags = cpu_to_le32(le32_to_cpu(cp->cp_flags) | \ ^ include/linux/nilfs2_ondisk.h:552:1: note: in expansion of macro `NILFS_CHECKPOINT_FNS' NILFS_CHECKPOINT_FNS(SNAPSHOT, snapshot) ^~~~~~~~~~~~~~~~~~~~ include/linux/nilfs2_ondisk.h:536:29: error: implicit declaration of function `le32_to_cpu' [-Werror=implicit-function-declaration] cp->cp_flags = cpu_to_le32(le32_to_cpu(cp->cp_flags) | \ ^ include/linux/nilfs2_ondisk.h:552:1: note: in expansion of macro `NILFS_CHECKPOINT_FNS' NILFS_CHECKPOINT_FNS(SNAPSHOT, snapshot) ^~~~~~~~~~~~~~~~~~~~ include/linux/nilfs2_ondisk.h: In function `nilfs_segment_usage_set_clean': include/linux/nilfs2_ondisk.h:622:19: error: implicit declaration of function `cpu_to_le64' [-Werror=implicit-function-declaration] su->su_lastmod = cpu_to_le64(0); ^~~~~~~~~~~ Link: http://lkml.kernel.org/r/20190605053006.14332-1-yamada.masahiro@socionext.com Fixes: e63e88bc53ba ("nilfs2: move ioctl interface and disk layout to uapi separately") Signed-off-by: Masahiro Yamada Acked-by: Ryusuke Konishi Cc: Arnd Bergmann Cc: Greg KH Cc: Joe Perches Cc: [4.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a4740bcd6666cc8ff741b54bacdff27766a80840 Author: Cole Rogers Date: Mon Jul 1 00:47:48 2019 -0700 Input: synaptics - enable SMBUS on T480 thinkpad trackpad commit abbe3acd7d72ab4633ade6bd24e8306b67e0add3 upstream. Thinkpad t480 laptops had some touchpad features disabled, resulting in the loss of pinch to activities in GNOME, on wayland, and other touch gestures being slower. This patch adds the touchpad of the t480 to the smbus_pnp_ids whitelist to enable the extra features. In my testing this does not break suspend (on fedora, with wayland, and GNOME, using the rc-6 kernel), while also fixing the feature on a T480. Signed-off-by: Cole Rogers Acked-by: Benjamin Tissoires Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 28b6ba947975982a51015645a03d39854211ad46 Author: Konstantin Khlebnikov Date: Wed Apr 17 11:13:20 2019 +0300 e1000e: start network tx queue only when link is up commit d17ba0f616a08f597d9348c372d89b8c0405ccf3 upstream. Driver does not want to keep packets in Tx queue when link is lost. But present code only reset NIC to flush them, but does not prevent queuing new packets. Moreover reset sequence itself could generate new packets via netconsole and NIC falls into endless reset loop. This patch wakes Tx queue only when NIC is ready to send packets. This is proper fix for problem addressed by commit 0f9e980bf5ee ("e1000e: fix cyclic resets at link up with active tx"). Signed-off-by: Konstantin Khlebnikov Suggested-by: Alexander Duyck Tested-by: Joseph Yasi Tested-by: Aaron Brown Tested-by: Oleksandr Natalenko Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit 1e2a2c71e50870e3ed06f5dfcb84ad24c3c4f4b7 Author: Konstantin Khlebnikov Date: Wed Apr 17 11:13:16 2019 +0300 Revert "e1000e: fix cyclic resets at link up with active tx" commit caff422ea81e144842bc44bab408d85ac449377b upstream. This reverts commit 0f9e980bf5ee1a97e2e401c846b2af989eb21c61. That change cased false-positive warning about hardware hang: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready e1000e 0000:00:1f.6 eth0: Detected Hardware Unit Hang: TDH <0> TDT <1> next_to_use <1> next_to_clean <0> buffer_info[next_to_clean]: time_stamp next_to_watch <0> jiffies next_to_watch.status <0> MAC Status <40080080> PHY Status <7949> PHY 1000BASE-T Status <0> PHY Extended Status <3000> PCI Status <10> e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx Besides warning everything works fine. Original issue will be fixed property in following patch. Signed-off-by: Konstantin Khlebnikov Reported-by: Joseph Yasi Link: https://bugzilla.kernel.org/show_bug.cgi?id=203175 Tested-by: Joseph Yasi Tested-by: Aaron Brown Tested-by: Oleksandr Natalenko Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman