commit f0fae702de30331a8ce913cdb87ac0bdf990d85f Author: Greg Kroah-Hartman Date: Tue Jun 25 11:34:56 2019 +0800 Linux 5.1.15 commit 1d7446deafa4111acbbeca0ac8ae7ac4340577fa Author: Michael Ellerman Date: Wed Jun 12 23:35:07 2019 +1000 powerpc/mm/64s/hash: Reallocate context ids on fork commit ca72d88378b2f2444d3ec145dd442d449d3fefbc upstream. When using the Hash Page Table (HPT) MMU, userspace memory mappings are managed at two levels. Firstly in the Linux page tables, much like other architectures, and secondly in the SLB (Segment Lookaside Buffer) and HPT. It's the SLB and HPT that are actually used by the hardware to do translations. As part of the series adding support for 4PB user virtual address space using the hash MMU, we added support for allocating multiple "context ids" per process, one for each 512TB chunk of address space. These are tracked in an array called extended_id in the mm_context_t of a process that has done a mapping above 512TB. If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is copied, including the mm_context_t, and then init_new_context() is called to reinitialise parts of the mm_context_t as appropriate to separate the address spaces of the two processes. The key step in ensuring the two processes have separate address spaces is to allocate a new context id for the process, this is done at the beginning of hash__init_new_context(). If we didn't allocate a new context id then the two processes would share mappings as far as the SLB and HPT are concerned, even though their Linux page tables would be separate. For mappings above 512TB, which use the extended_id array, we neglected to allocate new context ids on fork, meaning the parent and child use the same ids and therefore share those mappings even though they're supposed to be separate. This can lead to the parent seeing writes done by the child, which is essentially memory corruption. There is an additional exposure which is that if the child process exits, all its context ids are freed, including the context ids that are still in use by the parent for mappings above 512TB. One or more of those ids can then be reallocated to a third process, that process can then read/write to the parent's mappings above 512TB. Additionally if the freed id is used for the third process's primary context id, then the parent is able to read/write to the third process's mappings *below* 512TB. All of these are fundamental failures to enforce separation between processes. The only mitigating factor is that the bug only occurs if a process creates mappings above 512TB, and most applications still do not create such mappings. Only machines using the hash page table MMU are affected, eg. PowerPC 970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines (powernv) use the Radix MMU and are not affected, unless the machine has been explicitly booted in HPT mode (using disable_radix on the kernel command line). KVM guests on Power9 may be affected if the host or guest is configured to use the HPT MMU. LPARs under PowerVM on Power9 are affected as they always use the HPT MMU. Kernels built with PAGE_SIZE=4K are not affected. The fix is relatively simple, we need to reallocate context ids for all extended mappings on fork. Fixes: f384796c40dc ("powerpc/mm: Add support for handling > 512TB address in SLB miss") Cc: stable@vger.kernel.org # v4.17+ Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit d0dcce78db667c7c1d37df0de077aad86fe84d54 Author: James Morse Date: Mon Jun 3 18:25:31 2019 +0100 x86/resctrl: Don't stop walking closids when a locksetup group is found commit 87d3aa28f345bea77c396855fa5d5fec4c24461f upstream. When a new control group is created __init_one_rdt_domain() walks all the other closids to calculate the sets of used and unused bits. If it discovers a pseudo_locksetup group, it breaks out of the loop. This means any later closid doesn't get its used bits added to used_b. These bits will then get set in unused_b, and added to the new control group's configuration, even if they were marked as exclusive for a later closid. When encountering a pseudo_locksetup group, we should continue. This is because "a resource group enters 'pseudo-locked' mode after the schemata is written while the resource group is in 'pseudo-locksetup' mode." When we find a pseudo_locksetup group, its configuration is expected to be overwritten, we can skip it. Fixes: dfe9674b04ff6 ("x86/intel_rdt: Enable entering of pseudo-locksetup mode") Signed-off-by: James Morse Signed-off-by: Thomas Gleixner Acked-by: Reinette Chatre Cc: Fenghua Yu Cc: Borislav Petkov Cc: H Peter Avin Cc: Link: https://lkml.kernel.org/r/20190603172531.178830-1-james.morse@arm.com [Dropped comment due to lack of space] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 7a6638862b1dc1b15b0069a70779f9c924697b7d Author: Jouni Malinen Date: Tue May 28 01:46:43 2019 +0300 mac80211: Do not use stack memory with scatterlist for GMAC commit a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9 upstream. ieee80211_aes_gmac() uses the mic argument directly in sg_set_buf() and that does not allow use of stack memory (e.g., BUG_ON() is hit in sg_set_buf() with CONFIG_DEBUG_SG). BIP GMAC TX side is fine for this since it can use the skb data buffer, but the RX side was using a stack variable for deriving the local MIC value to compare against the received one. Fix this by allocating heap memory for the mic buffer. This was found with hwsim test case ap_cipher_bip_gmac_128 hitting that BUG_ON() and kernel panic. Cc: stable@vger.kernel.org Signed-off-by: Jouni Malinen Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 34e22e35d487eb5024d5bf2ad046e99fbd35f55c Author: Andy Strohman Date: Fri May 24 23:27:29 2019 -0700 nl80211: fix station_info pertid memory leak commit f77bf4863dc2218362f4227d56af4a5f3f08830c upstream. When dumping stations, memory allocated for station_info's pertid member will leak if the nl80211 header cannot be added to the sk_buff due to insufficient tail room. I noticed this leak in the kmalloc-2048 cache. Cc: stable@vger.kernel.org Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info") Signed-off-by: Andy Strohman Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b8caf5aae52f7a8e258eceae4f622841ee504bf5 Author: Yu Wang Date: Fri May 10 17:04:52 2019 +0800 mac80211: handle deauthentication/disassociation from TDLS peer commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da upstream. When receiving a deauthentication/disassociation frame from a TDLS peer, a station should not disconnect the current AP, but only disable the current TDLS link if it's enabled. Without this change, a TDLS issue can be reproduced by following the steps as below: 1. STA-1 and STA-2 are connected to AP, bidirection traffic is running between STA-1 and STA-2. 2. Set up TDLS link between STA-1 and STA-2, stay for a while, then teardown TDLS link. 3. Repeat step #2 and monitor the connection between STA and AP. During the test, one STA may send a deauthentication/disassociation frame to another, after TDLS teardown, with reason code 6/7, which means: Class 2/3 frame received from nonassociated STA. On receive this frame, the receiver STA will disconnect the current AP and then reconnect. It's not a expected behavior, purpose of this frame should be disabling the TDLS link, not the link with AP. Cc: stable@vger.kernel.org Signed-off-by: Yu Wang Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 0dd7d335f896e2f8d6b154fa2c07c6b9b5ccd00d Author: Manikanta Pubbisetty Date: Wed May 8 14:55:33 2019 +0530 {nl,mac}80211: allow 4addr AP operation on crypto controlled devices commit 33d915d9e8ce811d8958915ccd18d71a66c7c495 upstream. As per the current design, in the case of sw crypto controlled devices, it is the device which advertises the support for AP/VLAN iftype based on it's ability to tranmsit packets encrypted in software (In VLAN functionality, group traffic generated for a specific VLAN group is always encrypted in software). Commit db3bdcb9c3ff ("mac80211: allow AP_VLAN operation on crypto controlled devices") has introduced this change. Since 4addr AP operation also uses AP/VLAN iftype, this conditional way of advertising AP/VLAN support has broken 4addr AP mode operation on crypto controlled devices which do not support VLAN functionality. In the case of ath10k driver, not all firmwares have support for VLAN functionality but all can support 4addr AP operation. Because AP/VLAN support is not advertised for these devices, 4addr AP operations are also blocked. Fix this by allowing 4addr operation on devices which do not support AP/VLAN iftype but can support 4addr AP operation (decision is based on the wiphy flag WIPHY_FLAG_4ADDR_AP). Cc: stable@vger.kernel.org Fixes: db3bdcb9c3ff ("mac80211: allow AP_VLAN operation on crypto controlled devices") Signed-off-by: Manikanta Pubbisetty Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 61113ed908d86ad06319a9c774800cfa3f6f8766 Author: Johannes Berg Date: Wed Feb 13 15:13:30 2019 +0100 mac80211: drop robust management frames from unknown TA commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f upstream. When receiving a robust management frame, drop it if we don't have rx->sta since then we don't have a security association and thus couldn't possibly validate the frame. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 4a6d3e2fcada25b61745c71afb09c35383ef0b3f Author: Eric Biggers Date: Mon Jun 10 13:02:19 2019 -0700 cfg80211: fix memory leak of wiphy device name commit 4f488fbca2a86cc7714a128952eead92cac279ab upstream. In wiphy_new_nm(), if an error occurs after dev_set_name() and device_initialize() have already been called, it's necessary to call put_device() (via wiphy_free()) to avoid a memory leak. Reported-by: syzbot+7fddca22578bc67c3fe4@syzkaller.appspotmail.com Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 4bb1bedcf3479b05567513ee21734524b838d794 Author: Christian Brauner Date: Mon Jun 17 23:22:14 2019 +0200 fs/namespace: fix unprivileged mount propagation commit d728cf79164bb38e9628d15276e636539f857ef1 upstream. When propagating mounts across mount namespaces owned by different user namespaces it is not possible anymore to move or umount the mount in the less privileged mount namespace. Here is a reproducer: sudo mount -t tmpfs tmpfs /mnt sudo --make-rshared /mnt # create unprivileged user + mount namespace and preserve propagation unshare -U -m --map-root --propagation=unchanged # now change back to the original mount namespace in another terminal: sudo mkdir /mnt/aaa sudo mount -t tmpfs tmpfs /mnt/aaa # now in the unprivileged user + mount namespace mount --move /mnt/aaa /opt Unfortunately, this is a pretty big deal for userspace since this is e.g. used to inject mounts into running unprivileged containers. So this regression really needs to go away rather quickly. The problem is that a recent change falsely locked the root of the newly added mounts by setting MNT_LOCKED. Fix this by only locking the mounts on copy_mnt_ns() and not when adding a new mount. Fixes: 3bd045cc9c4b ("separate copying and locking mount tree on cross-userns copies") Cc: Linus Torvalds Cc: Al Viro Cc: Tested-by: Christian Brauner Acked-by: Christian Brauner Signed-off-by: "Eric W. Biederman" Signed-off-by: Christian Brauner Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit cf37b1a0902944f17ac95eb62177219b65c413cb Author: Andy Lutomirski Date: Fri Jun 21 08:43:04 2019 -0700 x86/vdso: Prevent segfaults due to hoisted vclock reads commit ff17bbe0bb405ad8b36e55815d381841f9fdeebc upstream. GCC 5.5.0 sometimes cleverly hoists reads of the pvclock and/or hvclock pages before the vclock mode checks. This creates a path through vclock_gettime() in which no vclock is enabled at all (due to disabled TSC on old CPUs, for example) but the pvclock or hvclock page nevertheless read. This will segfault on bare metal. This fixes commit 459e3a21535a ("gcc-9: properly declare the {pv,hv}clock_page storage") in the sense that, before that commit, GCC didn't seem to generate the offending code. There was nothing wrong with that commit per se, and -stable maintainers should backport this to all supported kernels regardless of whether the offending commit was present, since the same crash could just as easily be triggered by the phase of the moon. On GCC 9.1.1, this doesn't seem to affect the generated code at all, so I'm not too concerned about performance regressions from this fix. Cc: stable@vger.kernel.org Cc: x86@kernel.org Cc: Borislav Petkov Reported-by: Duncan Roe Signed-off-by: Andy Lutomirski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit df2d313511bdb39ac6b11bc61ea65feba8acac05 Author: Steve French Date: Mon Jun 17 14:49:07 2019 -0500 SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write commit 8d526d62db907e786fd88948c75d1833d82bd80e upstream. Some servers such as Windows 10 will return STATUS_INSUFFICIENT_RESOURCES as the number of simultaneous SMB3 requests grows (even though the client has sufficient credits). Return EAGAIN on STATUS_INSUFFICIENT_RESOURCES so that we can retry writes which fail with this status code. This (for example) fixes large file copies to Windows 10 on fast networks. Signed-off-by: Steve French CC: Stable Reviewed-by: Ronnie Sahlberg Reviewed-by: Pavel Shilovsky Signed-off-by: Greg Kroah-Hartman commit caf37f6d6a29827acae2ae415645e96dff5c25f1 Author: Marcel Holtmann Date: Sat Jun 22 15:47:01 2019 +0200 Bluetooth: Fix regression with minimum encryption key size alignment commit 693cd8ce3f882524a5d06f7800dd8492411877b3 upstream. When trying to align the minimum encryption key size requirement for Bluetooth connections, it turns out doing this in a central location in the HCI connection handling code is not possible. Original Bluetooth version up to 2.0 used a security model where the L2CAP service would enforce authentication and encryption. Starting with Bluetooth 2.1 and Secure Simple Pairing that model has changed into that the connection initiator is responsible for providing an encrypted ACL link before any L2CAP communication can happen. Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and before devices are causing a regression. The encryption key size check needs to be moved out of the HCI connection handling into the L2CAP channel setup. To achieve this, the current check inside hci_conn_security() has been moved into l2cap_check_enc_key_size() helper function and then called from four decisions point inside L2CAP to cover all combinations of Secure Simple Pairing enabled devices and device using legacy pairing and legacy service security model. Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643 Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 640a7f2a52610efbfdffcb4a8b165da954e86a3c Author: Marcel Holtmann Date: Wed Apr 24 22:19:17 2019 +0200 Bluetooth: Align minimum encryption key size for LE and BR/EDR connections commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream. The minimum encryption key size for LE connections is 56 bits and to align LE with BR/EDR, enforce 56 bits of minimum encryption key size for BR/EDR connections as well. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 3d327913b274d2866a94fed817d01592ea66a269 Author: Gao Xiang Date: Thu Jun 13 16:35:41 2019 +0800 staging: erofs: add requirements field in superblock commit 5efe5137f05bbb4688890620934538c005e7d1d6 upstream. There are some backward incompatible features pending for months, mainly due to on-disk format expensions. However, we should ensure that it cannot be mounted with old kernels. Otherwise, it will causes unexpected behaviors. Fixes: ba2b77a82022 ("staging: erofs: add super block operations") Cc: # 4.19+ Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit 0e3b977a8f1be01dcfa0baae68851b1f55f2a0a9 Author: Todd Kjos Date: Wed Jun 12 13:29:27 2019 -0700 binder: fix possible UAF when freeing buffer commit a370003cc301d4361bae20c9ef615f89bf8d1e8a upstream. There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF. Signed-off-by: Todd Kjos Cc: stable Signed-off-by: Greg Kroah-Hartman commit 91a7616a65da342d57b1c3fbef45d3a352158032 Author: Ville Syrjälä Date: Wed Jun 19 15:09:29 2019 +0300 drm/i915: Don't clobber M/N values during fastset check commit 475df5d0f3eb2d031e4505f84d8fba75baaf2e80 upstream. We're now calling intel_pipe_config_compare(..., true) uncoditionally which means we're always going clobber the calculated M/N values with the old values if the fuzzy M/N check passes. That causes problems because the fuzzy check allows for a huge difference in the values. I'm actually tempted to just make the M/N checks exact, but that might prevent fastboot from kicking in when people want it. So for now let's overwrite the computed values with the old values only if decide to skip the modeset. v2: Copy has_drrs along with M/N M2/N2 values Cc: stable@vger.kernel.org Cc: Blubberbub@protonmail.com Cc: Maarten Lankhorst Cc: Hans de Goede Tested-by: Blubberbub@protonmail.com Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110782 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110675 Fixes: d19f958db23c ("drm/i915: Enable fastset for non-boot modesets.") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190612172423.25231-1-ville.syrjala@linux.intel.com Reviewed-by: Imre Deak (cherry picked from commit f0521558a2a89d58a08745e225025d338572e60a) Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20190619120929.4057-1-ville.syrjala@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 9f7779fc33da24b592f4e10d54e936dea965de46 Author: Thomas Hellstrom Date: Wed May 29 08:15:19 2019 +0200 drm/vmwgfx: Use the backdoor port if the HB port is not available commit cc0ba0d8624f210995924bb57a8b181ce8976606 upstream. The HB port may not be available for various reasons. Either it has been disabled by a config option or by the hypervisor for other reasons. In that case, make sure we have a backup plan and use the backdoor port instead with a performance penalty. Cc: stable@vger.kernel.org Fixes: 89da76fde68d ("drm/vmwgfx: Add VMWare host messaging capability") Signed-off-by: Thomas Hellstrom Reviewed-by: Deepak Rawat Signed-off-by: Greg Kroah-Hartman commit e10e064bf6c263d760fcc8f842e89bb1bd3cdf89 Author: Amir Goldstein Date: Sun Jun 9 19:03:44 2019 +0300 ovl: make i_ino consistent with st_ino in more cases commit 6dde1e42f497b2d4e22466f23019016775607947 upstream. Relax the condition that overlayfs supports nfs export, to require that i_ino is consistent with st_ino/d_ino. It is enough to require that st_ino and d_ino are consistent. This fixes the failure of xfstest generic/504, due to mismatch of st_ino to inode number in the output of /proc/locks. Fixes: 12574a9f4c9c ("ovl: consistent i_ino for non-samefs with xino") Cc: # v4.19 Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 480776dd3cb5fb97d01d154c85ddacf332176dbe Author: Sean Christopherson Date: Thu Jun 13 10:22:23 2019 -0700 KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit NPT commit b6b80c78af838bef17501416d5d383fedab0010a upstream. SVM's Nested Page Tables (NPT) reuses x86 paging for the host-controlled page walk. For 32-bit KVM, this means PAE paging is used even when TDP is enabled, i.e. the PAE root array needs to be allocated. Fixes: ee6268ba3a68 ("KVM: x86: Skip pae_root shadow allocation if tdp enabled") Cc: stable@vger.kernel.org Reported-by: Jiri Palecek Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit ba867ef4081c6ad19b65d3c7b3ccf8387e4c1b36 Author: Anisse Astier Date: Mon Jun 17 15:22:21 2019 +0200 arm64: ssbd: explicitly depend on commit adeaa21a4b6954e878f3f7d1c5659ed9c1fe567a upstream. Fix ssbd.c which depends implicitly on asm/ptrace.h including linux/prctl.h (through for example linux/compat.h, then linux/time.h, linux/seqlock.h, linux/spinlock.h and linux/irqflags.h), and uses PR_SPEC* defines. This is an issue since we'll soon be removing the include from asm/ptrace.h. Fixes: 9cdc0108baa8 ("arm64: ssbd: Add prctl interface for per-thread mitigation") Cc: stable@vger.kernel.org Signed-off-by: Anisse Astier Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit ea352712b0738205d8220ec2fc705b192a59a3ee Author: Anisse Astier Date: Mon Jun 17 15:22:22 2019 +0200 arm64/sve: should not depend on commit 35341ca0614ab13e1ef34ad4f29a39e15ef31fa8 upstream. Pulling linux/prctl.h into asm/ptrace.h in the arm64 UAPI headers causes userspace build issues for any program (e.g. strace and qemu) that includes both and when using musl libc: | error: redefinition of 'struct prctl_mm_map' | struct prctl_mm_map { See https://github.com/foundriesio/meta-lmp/commit/6d4a106e191b5d79c41b9ac78fd321316d3013c0 for a public example of people working around this issue. Although it's a bit grotty, fix this breakage by duplicating the prctl constant definitions. Since these are part of the kernel ABI, they cannot be changed in future and so it's not the end of the world to have them open-coded. Fixes: 43d4da2c45b2 ("arm64/sve: ptrace and ELF coredump support") Cc: stable@vger.kernel.org Acked-by: Dave Martin Signed-off-by: Anisse Astier Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit e56759725d6e9b641296bcd8deead47d572a162e Author: Faiz Abbas Date: Thu May 2 14:17:48 2019 +0530 ARM: dts: am57xx-idk: Remove support for voltage switching for SD card commit 88a748419b84187fd1da05637b8e5928b04a1e06 upstream. If UHS speed modes are enabled, a compatible SD card switches down to 1.8V during enumeration. If after this a software reboot/crash takes place and on-chip ROM tries to enumerate the SD card, the difference in IO voltages (host @ 3.3V and card @ 1.8V) may end up damaging the card. The fix for this is to have support for power cycling the card in hardware (with a PORz/soft-reset line causing a power cycle of the card). Since am571x-, am572x- and am574x-idk don't have this capability, disable voltage switching for these boards. The major effect of this is that the maximum supported speed mode is now high speed(50 MHz) down from SDR104(200 MHz). Cc: Signed-off-by: Faiz Abbas Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 5cf95590ecee866791172ff4cb273eb6a8e96b34 Author: Faiz Abbas Date: Tue Apr 30 11:38:56 2019 +0530 ARM: dts: dra76x: Update MMC2_HS200_MANUAL1 iodelay values commit c3c0b70cd3f801bded7a548198ee1c9851a0ca82 upstream. Update the MMC2_HS200_MANUAL1 iodelay values to match with the latest dra76x data manual[1]. The new iodelay values will have better marginality and should prevent issues in corner cases. Also this particular pinctrl-array is using spaces instead of tabs for spacing between the values and the comments. Fix this as well. [1] http://www.ti.com/lit/ds/symlink/dra76p.pdf Cc: Signed-off-by: Faiz Abbas [tony@atomide.com: updated description with a bit more info] Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 092686925bf5026e2d517aa5593ca9a2a313af6f Author: Jan Kundrát Date: Fri May 17 17:01:42 2019 +0200 ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog commit cc538ca4308372e81b824be08561c466b1d73b72 upstream. Compared to kernel 5.0, patches merged for 5.1 added support for A38x' PHY guarded by a config option which was not enabled by default. As a result, there was no eth1 and eth2 on a Solid Run Clearfog Base. Ensure that A38x PHY is enabled on mvebu. [gregory: issue appeared in 5.1 not in 5.2 and added Fixes tag] Signed-off-by: Jan Kundrát Cc: Baruch Siach Cc: Gregory CLEMENT Cc: Russell King Cc: David S. Miller Cc: Maxime Chevallier Fixes: a10c1c8191e0 ("net: marvell: neta: add comphy support") Cc: stable@kernel.org Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 84d2456e0c0cadb7843339f61eeabb005401f328 Author: Fabio Estevam Date: Mon May 13 00:15:31 2019 -0300 ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX commit b25af2ff7c07bd19af74e3f64ff82e2880d13d81 upstream. Since commit 1e434b703248 ("ARM: imx: update the cpu power up timing setting on i.mx6sx") some characters loss is noticed on i.MX6ULL UART as reported by Christoph Niedermaier. The intention of such commit was to increase the SW2ISO field for i.MX6SX only, but since cpuidle-imx6sx is also used on i.MX6UL/i.MX6ULL this caused unintended side effects on other SoCs. Fix this problem by keeping the original SW2ISO value for i.MX6UL/i.MX6ULL and only increase SW2ISO in the i.MX6SX case. Cc: stable@vger.kernel.org Fixes: 1e434b703248 ("ARM: imx: update the cpu power up timing setting on i.mx6sx") Reported-by: Christoph Niedermaier Signed-off-by: Fabio Estevam Tested-by: Sébastien Szymanski Tested-by: Christoph Niedermaier Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit e0d9022a587742f0ea91f683b1b3737748fd7c3d Author: Naveen N. Rao Date: Thu Jun 13 00:21:40 2019 +0530 powerpc/bpf: use unsigned division instruction for 64-bit operations commit 758f2046ea040773ae8ea7f72dd3bbd8fa984501 upstream. BPF_ALU64 div/mod operations are currently using signed division, unlike BPF_ALU32 operations. Fix the same. DIV64 and MOD64 overflow tests pass with this fix. Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF") Cc: stable@vger.kernel.org # v4.8+ Signed-off-by: Naveen N. Rao Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman commit 1243385929aec703ff57ad0bc1eed3fead3a351d Author: ShihPo Hung Date: Mon Jun 17 12:26:17 2019 +0800 riscv: mm: synchronize MMU after pte change commit bf587caae305ae3b4393077fb22c98478ee55755 upstream. Because RISC-V compliant implementations can cache invalid entries in TLB, an SFENCE.VMA is necessary after changes to the page table. This patch adds an SFENCE.vma for the vmalloc_fault path. Signed-off-by: ShihPo Hung [paul.walmsley@sifive.com: reversed tab->whitespace conversion, wrapped comment lines] Signed-off-by: Paul Walmsley Cc: Palmer Dabbelt Cc: Albert Ou Cc: Paul Walmsley Cc: linux-riscv@lists.infradead.org Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 3688ea1f176b148149460a8f7321ecd764cda4ae Author: Willem de Bruijn Date: Fri Jun 7 16:46:07 2019 -0400 can: purge socket error queue on sock destruct commit fd704bd5ee749d560e86c4f1fd2ef486d8abf7cf upstream. CAN supports software tx timestamps as of the below commit. Purge any queued timestamp packets on socket destroy. Fixes: 51f31cabe3ce ("ip: support for TX timestamps on UDP and RAW sockets") Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com Signed-off-by: Willem de Bruijn Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 1d4258f850f6eb3f5ed8b18b36827680d669c81c Author: Joakim Zhang Date: Thu Jan 31 09:37:22 2019 +0000 can: flexcan: fix timeout when set small bitrate commit 247e5356a709eb49a0d95ff2a7f07dac05c8252c upstream. Current we can meet timeout issue when setting a small bitrate like 10000 as follows on i.MX6UL EVK board (ipg clock = 66MHZ, per clock = 30MHZ): | root@imx6ul7d:~# ip link set can0 up type can bitrate 10000 A link change request failed with some changes committed already. Interface can0 may have been left with an inconsistent configuration, please check. | RTNETLINK answers: Connection timed out It is caused by calling of flexcan_chip_unfreeze() timeout. Originally the code is using usleep_range(10, 20) for unfreeze operation, but the patch (8badd65 can: flexcan: avoid calling usleep_range from interrupt context) changed it into udelay(10) which is only a half delay of before, there're also some other delay changes. After double to FLEXCAN_TIMEOUT_US to 100 can fix the issue. Meanwhile, Rasmus Villemoes reported that even with a timeout of 100, flexcan_probe() fails on the MPC8309, which requires a value of at least 140 to work reliably. 250 works for everyone. Signed-off-by: Joakim Zhang Reviewed-by: Dong Aisheng Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 2e2e23c33be8015ac2a8bfdece183588e92dcbf2 Author: Anssi Hannula Date: Tue Sep 11 14:47:46 2018 +0300 can: xilinx_can: use correct bittiming_const for CAN FD core commit 904044dd8fff43e289c11a2f90fa532e946a1d8b upstream. Commit 9e5f1b273e6a ("can: xilinx_can: add support for Xilinx CAN FD core") added a new can_bittiming_const structure for CAN FD cores that support larger values for tseg1, tseg2, and sjw than previous Xilinx CAN cores, but the commit did not actually take that into use. Fix that. Tested with CAN FD core on a ZynqMP board. Fixes: 9e5f1b273e6a ("can: xilinx_can: add support for Xilinx CAN FD core") Reported-by: Shubhrajyoti Datta Signed-off-by: Anssi Hannula Cc: Michal Simek Reviewed-by: Shubhrajyoti Datta Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 2e15e6f7922c695fb6e9387a18e5bd8cb7d6c02a Author: Naohiro Aota Date: Thu Jun 6 16:54:44 2019 +0900 btrfs: start readahead also in seed devices commit c4e0540d0ad49c8ceab06cceed1de27c4fe29f6e upstream. Currently, btrfs does not consult seed devices to start readahead. As a result, if readahead zone is added to the seed devices, btrfs_reada_wait() indefinitely wait for the reada_ctl to finish. You can reproduce the hung by modifying btrfs/163 to have larger initial file size (e.g. xfs_io pwrite 4M instead of current 256K). Fixes: 7414a03fbf9e ("btrfs: initial readahead code and prototypes") Cc: stable@vger.kernel.org # 3.2+: ce7791ffee1e: Btrfs: fix race between readahead and device replace/removal Cc: stable@vger.kernel.org # 3.2+ Reviewed-by: Filipe Manana Signed-off-by: Naohiro Aota Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9b8bd98e23a92b4fa6b1f3dd9e381c47ce575642 Author: Arnd Bergmann Date: Mon Jun 17 14:39:29 2019 +0200 ovl: fix bogus -Wmaybe-unitialized warning [ Upstream commit 1dac6f5b0ed2601be21bb4e27a44b0c3e667b7f4 ] gcc gets a bit confused by the logic in ovl_setup_trap() and can't figure out whether the local 'trap' variable in the caller was initialized or not: fs/overlayfs/super.c: In function 'ovl_fill_super': fs/overlayfs/super.c:1333:4: error: 'trap' may be used uninitialized in this function [-Werror=maybe-uninitialized] iput(trap); ^~~~~~~~~~ fs/overlayfs/super.c:1312:17: note: 'trap' was declared here Reword slightly to make it easier for the compiler to understand. Fixes: 146d62e5a586 ("ovl: detect overlapping layers") Signed-off-by: Arnd Bergmann Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 168835bbb0bff4c6294b7040e006251f105f7599 Author: Miklos Szeredi Date: Tue Jun 18 15:06:16 2019 +0200 ovl: don't fail with disconnected lower NFS [ Upstream commit 9179c21dc6ed1c993caa5fe4da876a6765c26af7 ] NFS mounts can be disconnected from fs root. Don't fail the overlapping layer check because of this. The check is not authoritative anyway, since topology can change during or after the check. Reported-by: Antti Antinoja Signed-off-by: Miklos Szeredi Fixes: 146d62e5a586 ("ovl: detect overlapping layers") Signed-off-by: Sasha Levin commit 99eb836cd9a4df455ae90807bc00ee635be342f0 Author: Amir Goldstein Date: Thu Apr 18 17:42:08 2019 +0300 ovl: detect overlapping layers [ Upstream commit 146d62e5a5867fbf84490d82455718bfb10fe824 ] Overlapping overlay layers are not supported and can cause unexpected behavior, but overlayfs does not currently check or warn about these configurations. User is not supposed to specify the same directory for upper and lower dirs or for different lower layers and user is not supposed to specify directories that are descendants of each other for overlay layers, but that is exactly what this zysbot repro did: https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000 Moving layer root directories into other layers while overlayfs is mounted could also result in unexpected behavior. This commit places "traps" in the overlay inode hash table. Those traps are dummy overlay inodes that are hashed by the layers root inodes. On mount, the hash table trap entries are used to verify that overlay layers are not overlapping. While at it, we also verify that overlay layers are not overlapping with directories "in-use" by other overlay instances as upperdir/workdir. On lookup, the trap entries are used to verify that overlay layers root inodes have not been moved into other layers after mount. Some examples: $ ./run --ov --samefs -s ... ( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt mount -o bind base/lower lower mount -o bind base/upper upper mount -t overlay none mnt ... -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w) $ umount mnt $ mount -t overlay none mnt ... -o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w [ 94.434900] overlayfs: overlapping upperdir path mount: mount overlay on mnt failed: Too many levels of symbolic links $ mount -t overlay none mnt ... -o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w [ 151.350132] overlayfs: conflicting lowerdir path mount: none is already mounted or mnt busy $ mount -t overlay none mnt ... -o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w [ 201.205045] overlayfs: overlapping lowerdir path mount: mount overlay on mnt failed: Too many levels of symbolic links $ mount -t overlay none mnt ... -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w $ mv base/upper/0/ base/lower/ $ find mnt/0 mnt/0 mnt/0/w find: 'mnt/0/w/work': Too many levels of symbolic links find: 'mnt/0/u': Too many levels of symbolic links Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit ac4ff52d177195e7e8baff20164e8c3449b11372 Author: Jaesoo Lee Date: Mon Jun 3 16:42:28 2019 -0700 nvme: Fix u32 overflow in the number of namespace list calculation [ Upstream commit c8e8c77b3bdbade6e26e8e76595f141ede12b692 ] The Number of Namespaces (nn) field in the identify controller data structure is defined as u32 and the maximum allowed value in NVMe specification is 0xFFFFFFFEUL. This change fixes the possible overflow of the DIV_ROUND_UP() operation used in nvme_scan_ns_list() by casting the nn to u64. Signed-off-by: Jaesoo Lee Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit ae4e62064756dba432c3691360ba80bba7a1191e Author: Dave Martin Date: Thu Jun 6 11:33:43 2019 +0100 arm64: Silence gcc warnings about arch ABI drift [ Upstream commit ebcc5928c5d925b1c8d968d9c89cdb0d0186db17 ] Since GCC 9, the compiler warns about evolution of the platform-specific ABI, in particular relating for the marshaling of certain structures involving bitfields. The kernel is a standalone binary, and of course nobody would be so stupid as to expose structs containing bitfields as function arguments in ABI. (Passing a pointer to such a struct, however inadvisable, should be unaffected by this change. perf and various drivers rely on that.) So these warnings do more harm than good: turn them off. We may miss warnings about future ABI drift, but that's too bad. Future ABI breaks of this class will have to be debugged and fixed the traditional way unless the compiler evolves finer-grained diagnostics. Signed-off-by: Dave Martin Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 4cfd8b68135572f0ac45e2e12eaea07bbefe6155 Author: Robert Hancock Date: Wed Jun 5 13:49:00 2019 -0600 hwmon: (pmbus/core) Treat parameters as paged if on multiple pages [ Upstream commit 4a60570dce658e3f8885bbcf852430b99f65aca5 ] Some chips have attributes which exist on more than one page but the attribute is not presently marked as paged. This causes the attributes to be generated with the same label, which makes it impossible for userspace to tell them apart. Marking all such attributes as paged would result in the page suffix being added regardless of whether they were present on more than one page or not, which might break existing setups. Therefore, we add a second check which treats the attribute as paged, even if not marked as such, if it is present on multiple pages. Fixes: b4ce237b7f7d ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers") Signed-off-by: Robert Hancock Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit e15a3690c332bc73d60ffedf52811fa5d03c8d13 Author: Eduardo Valentin Date: Wed May 29 19:56:04 2019 -0700 hwmon: (core) add thermal sensors only if dev->of_node is present [ Upstream commit c41dd48e21fae3e55b3670ccf2eb562fc1f6a67d ] Drivers may register to hwmon and request for also registering with the thermal subsystem (HWMON_C_REGISTER_TZ). However, some of these driver, e.g. marvell phy, may be probed from Device Tree or being dynamically allocated, and in the later case, it will not have a dev->of_node entry. Registering with hwmon without the dev->of_node may result in different outcomes depending on the device tree, which may be a bit misleading. If the device tree blob has no 'thermal-zones' node, the *hwmon_device_register*() family functions are going to gracefully succeed, because of-thermal, *thermal_zone_of_sensor_register() return -ENODEV in this case, and the hwmon error path handles this error code as success to cover for the case where CONFIG_THERMAL_OF is not set. However, if the device tree blob has the 'thermal-zones' entry, the *hwmon_device_register*() will always fail on callers with no dev->of_node, propagating -EINVAL. If dev->of_node is not present, calling of-thermal does not make sense. For this reason, this patch checks first if the device has a of_node before going over the process of registering with the thermal subsystem of-thermal interface. And in this case, when a caller of *hwmon_device_register*() with HWMON_C_REGISTER_TZ and no dev->of_node will still register with hwmon, but not with the thermal subsystem. If all the hwmon part bits are in place, the registration will succeed. Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API") Cc: Jean Delvare Cc: Guenter Roeck Cc: linux-hwmon@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Eduardo Valentin Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 62ba45885be16f1e5f3fd909086640a1fb4f7e01 Author: Alexandra Winter Date: Wed Jun 5 13:48:50 2019 +0200 s390/qeth: fix VLAN attribute in bridge_hostnotify udev event [ Upstream commit 335726195e460cb6b3f795b695bfd31f0ea70ef0 ] Enabling sysfs attribute bridge_hostnotify triggers a series of udev events for the MAC addresses of all currently connected peers. In case no VLAN is set for a peer, the device reports the corresponding MAC addresses with VLAN ID 4096. This currently results in attribute VLAN=4096 for all non-VLAN interfaces in the initial series of events after host-notify is enabled. Instead, no VLAN attribute should be reported in the udev event for non-VLAN interfaces. Only the initial events face this issue. For dynamic changes that are reported later, the device uses a validity flag. This also changes the code so that it now sets the VLAN attribute for MAC addresses with VID 0. On Linux, no qeth interface will ever be registered with VID 0: Linux kernel registers VID 0 on all network interfaces initially, but qeth will drop .ndo_vlan_rx_add_vid for VID 0. Peers with other OSs could register MACs with VID 0. Fixes: 9f48b9db9a22 ("qeth: bridgeport support - address notifications") Signed-off-by: Alexandra Winter Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a4c17bff212972577d13a302e713c9cbf9869509 Author: Julian Wiedmann Date: Wed Jun 5 13:48:49 2019 +0200 s390/qeth: check dst entry before use [ Upstream commit 0cd6783d3c7d40be165d1f3c811cedf0e3dfcdf1 ] While qeth_l3 uses netif_keep_dst() to hold onto the dst, a skb's dst may still have been obsoleted (via dst_dev_put()) by the time that we end up using it. The dst then points to the loopback interface, which means the neighbour lookup in qeth_l3_get_cast_type() determines a bogus cast type of RTN_BROADCAST. For IQD interfaces this causes us to place such skbs on the wrong HW queue, resulting in TX errors. Fix-up the various call sites to first validate the dst entry with dst_check(), and fall back accordingly. Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b9dfa6fba5ae1c984c71367d63788606b88c05c7 Author: Julian Wiedmann Date: Wed Jun 5 13:48:48 2019 +0200 s390/qeth: handle limited IPv4 broadcast in L3 TX path [ Upstream commit 72c87976c5abbf8a834ad85f10d03c0cd58b985c ] When selecting the cast type of a neighbourless IPv4 skb (eg. on a raw socket), qeth_l3 falls back to the packet's destination IP address. For this case we should classify traffic sent to 255.255.255.255 as broadcast. This fixes DHCP requests, which were misclassified as unicast (and for IQD interfaces thus ended up on the wrong HW queue). Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d6accdd40a49d3715497336afd8e71ad3b14eee5 Author: Christian Brauner Date: Wed Jun 5 15:06:32 2019 +0200 tests: fix pidfd-test compilation [ Upstream commit 1fcd0eb356ad56c4e405f06e31dd9fde2109d5ab ] Define __NR_pidfd_send_signal if it isn't to prevent a potential compilation error. To make pidfd-test compile on all arches, irrespective of whether or not syscall numbers are assigned, define the syscall number to -1. If it isn't defined this will cause the kernel to return -ENOSYS. Fixes: 575a0ae9744d ("selftests: add tests for pidfd_send_signal()") Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 4fe18137a3575d9e46c7fd6d4f435c5eae5d89d7 Author: Lucas Stach Date: Tue Jun 4 22:23:31 2019 +0200 udmabuf: actually unmap the scatterlist [ Upstream commit 283f1e383e91d96fe652fad549537ae15cf31d60 ] unmap_udmabuf fails to actually unmap the scatterlist, leaving dangling mappings around. Fixes: fbb0de795078 ("Add udmabuf misc device") Signed-off-by: Lucas Stach Link: http://patchwork.freedesktop.org/patch/msgid/20190604202331.17482-1-l.stach@pengutronix.de Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 08f02cc91dfae4670c3163d31f8b24e318f1f72e Author: Miaohe Lin Date: Tue Jun 4 06:07:34 2019 +0000 net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set [ Upstream commit ceae266bf0ae6564ac16d086bf749a096fa90ded ] There's some NICs, such as hinic, with NETIF_F_IP_CSUM and NETIF_F_TSO on but NETIF_F_HW_CSUM off. And ipvlan device features will be NETIF_F_TSO on with NETIF_F_IP_CSUM and NETIF_F_IP_CSUM both off as IPVLAN_FEATURES only care about NETIF_F_HW_CSUM. So TSO will be disabled in netdev_fix_features. For example: Features for enp129s0f0: rx-checksumming: on tx-checksumming: on tx-checksum-ipv4: on tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: on Fixes: a188222b6ed2 ("net: Rename NETIF_F_ALL_CSUM to NETIF_F_CSUM_MASK") Signed-off-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0c36d7ee19a9449c696f7d5c58f0a803b16c84b6 Author: Dan Carpenter Date: Wed May 29 14:07:39 2019 +0300 scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous() [ Upstream commit cc8f52609bb4177febade24d11713e20c0893b0a ] We need to drop the "ctrl_info->sync_request_sem" lock before returning. Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver") Signed-off-by: Dan Carpenter Acked-by: Don Brace Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 284be68326b748ae365aec651da1f8a83f51da45 Author: Avri Altman Date: Tue May 21 11:24:22 2019 +0300 scsi: ufs: Check that space was properly alloced in copy_query_response [ Upstream commit 1c90836f70f9a8ef7b7ad9e1fdd8961903e6ced6 ] struct ufs_dev_cmd is the main container that supports device management commands. In the case of a read descriptor request, we assume that the proper space was allocated in dev_cmd to hold the returning descriptor. This is no longer true, as there are flows that doesn't use dev_cmd for device management requests, and was wrong in the first place. Fixes: d44a5f98bb49 (ufs: query descriptor API) Signed-off-by: Avri Altman Reviewed-by: Alim Akhtar Acked-by: Bean Huo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f193786d78af356cfff0a5dd478c2a0e81ca3a1c Author: Russell King Date: Sun Jun 2 15:12:54 2019 +0100 net: phylink: avoid reducing support mask [ Upstream commit 77316763321ee4050f0576ffd472183aa90dcb30 ] Avoid reducing the support mask as a result of the interface type selected for SFP modules, or when setting the link settings through ethtool - this should only change when the supported link modes of the hardware combination change. Signed-off-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f743ff59ea4586f0603c9db2f39177a18fe45047 Author: George G. Davis Date: Mon Jun 3 10:30:39 2019 -0400 scripts/checkstack.pl: Fix arm64 wrong or unknown architecture [ Upstream commit 4f45d62a52297b10ded963412a158685647ecdec ] The following error occurs for the `make ARCH=arm64 checkstack` case: aarch64-linux-gnu-objdump -d vmlinux $(find . -name '*.ko') | \ perl ./scripts/checkstack.pl arm64 wrong or unknown architecture "arm64" As suggested by Masahiro Yamada, fix the above error using regular expressions in the same way it was fixed for the `ARCH=x86` case via commit fda9f9903be6 ("scripts/checkstack.pl: automatically handle 32-bit and 64-bit mode for ARCH=x86"). Suggested-by: Masahiro Yamada Signed-off-by: George G. Davis Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 89dd8c09ff047139d6d220d4cdcf0aca97d2dadd Author: Trevor Bourget Date: Mon May 27 16:54:23 2019 -0700 kbuild: tar-pkg: enable communication with jobserver [ Upstream commit a6e0487709ded7cd1ba0c390d9771e5cb76a8453 ] The buildtar script might want to invoke a make, so tell the parent make to pass the jobserver token pipe to the subcommand by prefixing the command with a +. This addresses the issue seen here: /bin/sh ../scripts/package/buildtar tar-pkg make[3]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule. See https://www.gnu.org/software/make/manual/html_node/Job-Slots.html for more information. Signed-off-by: Trevor Bourget Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit e3d4c4a7a0900daf246cfb713101f4044e9b97fa Author: Minwoo Im Date: Sun Jun 2 12:43:39 2019 +0900 nvmet: fix data_len to 0 for bdev-backed write_zeroes [ Upstream commit 3562f5d9f21e7779ae442a45197fed6cb247fd22 ] The WRITE ZEROES command has no data transfer so that we need to initialize the struct (nvmet_req *req)->data_len to 0x0. While (nvmet_req *req)->transfer_len is initialized in nvmet_req_init(), data_len will be initialized by nowhere which might cause the failure with status code NVME_SC_SGL_INVALID_DATA | NVME_SC_DNR randomly. It's because nvmet_req_execute() checks like: if (unlikely(req->data_len != req->transfer_len)) { req->error_loc = offsetof(struct nvme_common_command, dptr); nvmet_req_complete(req, NVME_SC_SGL_INVALID_DATA | NVME_SC_DNR); } else req->execute(req); This patch fixes req->data_len not to be a randomly assigned by initializing it to 0x0 when preparing the command in nvmet_bdev_parse_io_cmd(). nvmet_file_parse_io_cmd() which is for file-backed I/O has already initialized the data_len field to 0x0, though. Cc: Christoph Hellwig Cc: Sagi Grimberg Cc: Chaitanya Kulkarni Signed-off-by: Minwoo Im Reviewed-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit 7185d1119d26fce15d044730c8b09363136c06b7 Author: Robin Murphy Date: Fri May 17 17:37:22 2019 +0100 drm/arm/hdlcd: Allow a bit of clock tolerance [ Upstream commit 1c810739097fdeb31b393b67a0a1e3d7ffdd9f63 ] On the Arm Juno platform, the HDLCD pixel clock is constrained to 250KHz resolution in order to avoid the tiny System Control Processor spending aeons trying to calculate exact PLL coefficients. This means that modes like my oddball 1600x1200 with 130.89MHz clock get rejected since the rate cannot be matched exactly. In practice, though, this mode works quite happily with the clock at 131MHz, so let's relax the check to allow a little bit of slop. Signed-off-by: Robin Murphy Signed-off-by: Liviu Dudau Signed-off-by: Sasha Levin commit a3f7b4ee7a947778f1f4dd3e82f5e1c68c2e99be Author: Robin Murphy Date: Fri May 17 17:37:21 2019 +0100 drm/arm/hdlcd: Actually validate CRTC modes [ Upstream commit b96151edced4edb6a18aa89a5fa02c7066efff45 ] Rather than allowing any old mode through, then subsequently refusing unmatchable clock rates in atomic_check when it's too late to back out and pick a different mode, let's do that validation up-front where it will cause unsupported modes to be correctly pruned in the first place. This also eliminates an issue whereby a perceived clock rate of 0 would cause atomic disable to fail and prevent the module from being unloaded. Signed-off-by: Robin Murphy Signed-off-by: Liviu Dudau Signed-off-by: Sasha Levin commit acff41657b2f422aa8079334709b3a1739d78657 Author: Wen He Date: Wed May 8 10:58:18 2019 +0000 drm/arm/mali-dp: Add a loop around the second set CVAL and try 5 times [ Upstream commit 6a88e0c14813d00f8520d0e16cd4136c6cf8b4d4 ] This patch trying to fix monitor freeze issue caused by drm error 'flip_done timed out' on LS1028A platform. this set try is make a loop around the second setting CVAL and try like 5 times before giveing up. Signed-off-by: Wen He Signed-off-by: Liviu Dudau Signed-off-by: Sasha Levin commit 2ee5cb63850542814875e247ee3ad2655f5a006e Author: Xin Long Date: Sun Jun 2 19:09:55 2019 +0800 selftests: set sysctl bc_forwarding properly in router_broadcast.sh [ Upstream commit 67c0aaa1eaec60e9dab301012bdebe6726ae04bd ] sysctl setting bc_forwarding for $rp2 is needed when ping_test_from h2, otherwise the bc packets from $rp2 won't be forwarded. This patch is to add this setting for $rp2. Also, as ping_test_from does grep "$from" only, which could match some unexpected output, some test case doesn't really work, like: # ping_test_from $h2 198.51.200.255 198.51.200.2 PING 198.51.200.255 from 198.51.100.2 veth3: 56(84) bytes of data. 64 bytes from 198.51.100.1: icmp_seq=1 ttl=64 time=0.336 ms When doing grep $form (198.51.200.2), the output could still match. So change to grep "bytes from $from" instead. Fixes: 40f98b9af943 ("selftests: add a selftest for directed broadcast forwarding") Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b9bf84c0f6d542751e6f03142778c1d6c2a039a3 Author: Sean Wang Date: Sat Jun 1 08:16:27 2019 +0800 net: ethernet: mediatek: Use NET_IP_ALIGN to judge if HW RX_2BYTE_OFFSET is enabled [ Upstream commit 880c2d4b2fdfd580ebcd6bb7240a8027a1d34751 ] Should only enable HW RX_2BYTE_OFFSET function in the case NET_IP_ALIGN equals to 2. Signed-off-by: Mark Lee Signed-off-by: Sean Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3e04ea19909b659a287714d81ba019d8c488d767 Author: Sean Wang Date: Sat Jun 1 08:16:26 2019 +0800 net: ethernet: mediatek: Use hw_feature to judge if HWLRO is supported [ Upstream commit 9e4f56f1a7f3287718d0083b5cb85298dc05a5fd ] Should hw_feature as hardware capability flags to check if hardware LRO got support. Signed-off-by: Mark Lee Signed-off-by: Sean Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 65c5080a059c549b0463489c503167d56b717421 Author: Young Xiao <92siuyang@gmail.com> Date: Wed May 29 10:21:48 2019 +0800 sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD [ Upstream commit 56cd0aefa475079e9613085b14a0f05037518fed ] The PERF_EVENT_IOC_PERIOD ioctl command can be used to change the sample period of a running perf_event. Consequently, when calculating the next event period, the new period will only be considered after the previous one has overflowed. This patch changes the calculation of the remaining event ticks so that they are offset if the period has changed. See commit 3581fe0ef37c ("ARM: 7556/1: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD") for details. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 910282a17f7329bf0d6c5027f1951bc19452b164 Author: Gen Zhang Date: Fri May 31 09:24:18 2019 +0800 mdesc: fix a missing-check bug in get_vdev_port_node_info() [ Upstream commit 80caf43549e7e41a695c6d1e11066286538b336f ] In get_vdev_port_node_info(), 'node_info->vdev_port.name' is allcoated by kstrdup_const(), and it returns NULL when fails. So 'node_info->vdev_port.name' should be checked. Signed-off-by: Gen Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d3c0d72279e1576e404a7e7b92b2bdb668bc0c59 Author: Yonglong Liu Date: Fri May 31 16:59:50 2019 +0800 net: hns: Fix loopback test failed at copper ports [ Upstream commit 2e1f164861e500f4e068a9d909bbd3fcc7841483 ] When doing a loopback test at copper ports, the serdes loopback and the phy loopback will fail, because of the adjust link had not finished, and phy not ready. Adds sleep between adjust link and test process to fix it. Signed-off-by: Yonglong Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 03217ebb9114bf8c2db4ba3faa709ef2590c74d2 Author: Nikita Yushchenko Date: Fri May 31 10:35:14 2019 +0300 net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0 [ Upstream commit 62394708f3e01c9f2be6be74eb6305bae1ed924f ] When non-bridged, non-vlan'ed mv88e6xxx port is moving down, error message is logged: failed to kill vid 0081/0 for device eth_cu_1000_4 This is caused by call from __vlan_vid_del() with vin set to zero, over call chain this results into _mv88e6xxx_port_vlan_del() called with vid=0, and mv88e6xxx_vtu_get() called from there returns -EINVAL. On symmetric path moving port up, call goes through mv88e6xxx_port_vlan_prepare() that calls mv88e6xxx_port_check_hw_vlan() that returns -EOPNOTSUPP for zero vid. This patch changes mv88e6xxx_vtu_get() to also return -EOPNOTSUPP for zero vid, then this error code is explicitly cleared in dsa_slave_vlan_rx_kill_vid() and error message is no longer logged. Signed-off-by: Nikita Yushchenko Reviewed-by: Vivien Didelot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3eaf80d71360d095ff07d2cb7032e987a6ec0b3a Author: Naresh Kamboju Date: Tue May 28 13:18:09 2019 +0100 selftests: vm: install test_vmalloc.sh for run_vmtests [ Upstream commit bc2cce3f2ebcae02aa4bb29e3436bf75ee674c32 ] Add test_vmalloc.sh to TEST_FILES to make sure it gets installed for run_vmtests. Fixed below error: ./run_vmtests: line 217: ./test_vmalloc.sh: No such file or directory Tested with: make TARGETS=vm install INSTALL_PATH=$PWD/x Signed-off-by: Naresh Kamboju Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit eec43bb04ade2c817c174a246586f5ca27623ce6 Author: Alakesh Haloi Date: Mon May 27 15:18:59 2019 +0000 userfaultfd: selftest: fix compiler warning [ Upstream commit 98a13a8d253999cf25eb16d901c35fbd2a8455c4 ] Fixes following compiler warning userfaultfd.c: In function ‘usage’: userfaultfd.c:126:2: warning: format not a string literal and no format arguments [-Wformat-security] fprintf(stderr, examples); Signed-off-by: Alakesh Haloi Reviewed-by: Peter Xu Reviewed-by: Mike Rapoport Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 8af55656e2b00fa44789b365e638856127ba2b53 Author: Alex Shi Date: Mon May 27 14:28:07 2019 +0800 kselftest/cgroup: fix incorrect test_core skip [ Upstream commit f97f3f8839eb9de5843066d80819884f7722c8c5 ] The test_core will skip the test_cgcore_no_internal_process_constraint_on_threads test case if the 'cpu' controller missing in root's subtree_control. In fact we need to set the 'cpu' in subtree_control, to make the testing meaningful. ./test_core ... ok 4 # skip test_cgcore_no_internal_process_constraint_on_threads ... Signed-off-by: Alex Shi Cc: Shuah Khan Cc: Tejun Heo Cc: Roman Gushchin Cc: Claudio Zumbo Cc: Claudio Cc: linux-kselftest@vger.kernel.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Roman Gushchin Acked-by: Tejun Heo Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 003724b3eba573502d13499d49617be1e2b53251 Author: Alex Shi Date: Mon May 27 14:28:06 2019 +0800 kselftest/cgroup: fix unexpected testing failure on test_core [ Upstream commit 00e38a5d753d7788852f81703db804a60a84c26e ] The cgroup testing relys on the root cgroup's subtree_control setting, If the 'memory' controller isn't set, some test cases will be failed as following: $sudo ./test_core not ok 1 test_cgcore_internal_process_constraint ok 2 test_cgcore_top_down_constraint_enable not ok 3 test_cgcore_top_down_constraint_disable ... To correct this unexpected failure, this patch write the 'memory' to subtree_control of root to get a right result. Signed-off-by: Alex Shi Cc: Shuah Khan Cc: Tejun Heo Cc: Roman Gushchin Cc: Claudio Zumbo Cc: Claudio Cc: linux-kselftest@vger.kernel.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Roman Gushchin Acked-by: Tejun Heo Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit ed5082e72569c1eae5654688c9d31faab255403a Author: Alex Shi Date: Mon May 27 14:28:05 2019 +0800 kselftest/cgroup: fix unexpected testing failure on test_memcontrol [ Upstream commit f6131f28057d4fd8922599339e701a2504e0f23d ] The cgroup testing relies on the root cgroup's subtree_control setting, If the 'memory' controller isn't set, all test cases will be failed as following: $ sudo ./test_memcontrol not ok 1 test_memcg_subtree_control not ok 2 test_memcg_current ok 3 # skip test_memcg_min not ok 4 test_memcg_low not ok 5 test_memcg_high not ok 6 test_memcg_max not ok 7 test_memcg_oom_events ok 8 # skip test_memcg_swap_max not ok 9 test_memcg_sock not ok 10 test_memcg_oom_group_leaf_events not ok 11 test_memcg_oom_group_parent_events not ok 12 test_memcg_oom_group_score_events To correct this unexpected failure, this patch write the 'memory' to subtree_control of root to get a right result. Signed-off-by: Alex Shi Cc: Shuah Khan Cc: Roman Gushchin Cc: Tejun Heo Cc: Mike Rapoport Cc: Jay Kamat Cc: linux-kselftest@vger.kernel.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Roman Gushchin Acked-by: Tejun Heo Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 5eb93bd2f9de6aada07d12601ef8eb8cccbae050 Author: Guenter Roeck Date: Thu May 30 05:41:38 2019 -0700 xtensa: Fix section mismatch between memblock_reserve and mem_reserve [ Upstream commit adefd051a6707a6ca0ebad278d3c1c05c960fc3b ] Since commit 9012d011660ea5cf2 ("compiler: allow all arches to enable CONFIG_OPTIMIZE_INLINING"), xtensa:tinyconfig fails to build with section mismatch errors. WARNING: vmlinux.o(.text.unlikely+0x68): Section mismatch in reference from the function ___pa() to the function .meminit.text:memblock_reserve() WARNING: vmlinux.o(.text.unlikely+0x74): Section mismatch in reference from the function mem_reserve() to the function .meminit.text:memblock_reserve() FATAL: modpost: Section mismatches detected. This was not seen prior to the above mentioned commit because mem_reserve() was always inlined. Mark mem_reserve(() as __init_memblock to have it reside in the same section as memblock_reserve(). Signed-off-by: Guenter Roeck Message-Id: <1559220098-9955-1-git-send-email-linux@roeck-us.net> Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit 7348616edde5ea7f98c9b58893e953e228c25a4b Author: Eric Biggers Date: Wed May 22 12:42:29 2019 -0700 crypto: hmac - fix memory leak in hmac_init_tfm() [ Upstream commit 7829a0c1cb9c80debfb4fdb49b4d90019f2ea1ac ] When I added the sanity check of 'descsize', I missed that the child hash tfm needs to be freed if the sanity check fails. Of course this should never happen, hence the use of WARN_ON(), but it should be fixed. Fixes: e1354400b25d ("crypto: hash - fix incorrect HASH_MAX_DESCSIZE") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 62e5facae8997c6dba85c3e2f9474017f6a9fe05 Author: YueHaibing Date: Sat May 25 20:20:24 2019 +0800 MIPS: uprobes: remove set but not used variable 'epc' [ Upstream commit f532beeeff0c0a3586cc15538bc52d249eb19e7c ] Fixes gcc '-Wunused-but-set-variable' warning: arch/mips/kernel/uprobes.c: In function 'arch_uprobe_pre_xol': arch/mips/kernel/uprobes.c:115:17: warning: variable 'epc' set but not used [-Wunused-but-set-variable] It's never used since introduction in commit 40e084a506eb ("MIPS: Add uprobes support.") Signed-off-by: YueHaibing Signed-off-by: Paul Burton Cc: Cc: Cc: Cc: Signed-off-by: Sasha Levin commit f17c4c68e9b736f24d225f6c9218abe00a6e5d97 Author: Kamenee Arumugam Date: Fri May 24 11:45:04 2019 -0400 IB/hfi1: Validate page aligned for a given virtual address [ Upstream commit 97736f36dbebf2cda2799db3b54717ba5b388255 ] User applications can register memory regions for TID buffers that are not aligned on page boundaries. Hfi1 is expected to pin those pages in memory and cache the pages with mmu_rb. The rb tree will fail to insert pages that are not aligned correctly. Validate whether a given virtual address is page aligned before pinning. Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body") Reviewed-by: Michael J. Ruhl Signed-off-by: Kamenee Arumugam Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1ac3c4dbb126174a84b10ce95123c1546ad884d8 Author: Mike Marciniszyn Date: Fri May 24 11:44:51 2019 -0400 IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value [ Upstream commit 35164f5259a47ea756fa1deb3e463ac2a4f10dc9 ] The command 'ibv_devinfo -v' reports 0 for max_mr. Fix by assigning the query values after the mr lkey_table has been built rather than early on in the driver. Fixes: 7b1e2099adc8 ("IB/rdmavt: Move memory registration into rdmavt") Reviewed-by: Josh Collier Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 52a1322ae30f47411c938a372a80cd939c13509d Author: Mike Marciniszyn Date: Fri May 24 11:44:45 2019 -0400 IB/hfi1: Insure freeze_work work_struct is canceled on shutdown [ Upstream commit 6d517353c70bb0818b691ca003afdcb5ee5ea44e ] By code inspection, the freeze_work is never canceled. Fix by adding a cancel_work_sync in the shutdown path to insure it is no longer running. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Michael J. Ruhl Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 5a8810db7baa9e25fc852b6ecd03d74dd412fd2a Author: Mike Marciniszyn Date: Fri May 24 11:44:38 2019 -0400 IB/rdmavt: Fix alloc_qpn() WARN_ON() [ Upstream commit 2abae62a26a265129b364d8c1ef3be55e2c01309 ] The qpn allocation logic has a WARN_ON() that intends to detect the use of an index that will introduce bits in the lower order bits of the QOS bits in the QPN. Unfortunately, it has the following bugs: - it misfires when wrapping QPN allocation for non-QOS - it doesn't correctly detect low order QOS bits (despite the comment) The WARN_ON() should not be applied to non-QOS (qos_shift == 1). Additionally, it SHOULD test the qpn bits per the table below: 2 data VLs: [qp7, qp6, qp5, qp4, qp3, qp2, qp1] ^ [ 0, 0, 0, 0, 0, 0, sc0], qp bit 1 always 0* 3-4 data VLs: [qp7, qp6, qp5, qp4, qp3, qp2, qp1] ^ [ 0, 0, 0, 0, 0, sc1, sc0], qp bits [21] always 0 5-8 data VLs: [qp7, qp6, qp5, qp4, qp3, qp2, qp1] ^ [ 0, 0, 0, 0, sc2, sc1, sc0] qp bits [321] always 0 Fix by qualifying the warning for qos_shift > 1 and producing the correct mask to insure the above bits are zero without generating a superfluous warning. Fixes: 501edc42446e ("IB/rdmavt: Correct warning during QPN allocation") Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e787555f1bd0c6248b57957780a5c05e58765c71 Author: Oded Gabbay Date: Tue May 28 23:03:54 2019 +0300 habanalabs: fix bug in checking huge page optimization [ Upstream commit d724170160f800fa8dfd3c0cdebb8b093570b504 ] This patch fix a bug in the mmu code that checks whether we can use huge page mappings for host pages. The code is supposed to enable huge page mappings only if ALL DMA addresses are aligned to 2MB AND the number of pages in each DMA chunk is a modulo of the number of pages in 2MB. However, the code ignored the first requirement for the first DMA chunk. This patch fix that issue by making sure the requirement of address alignment is validated against all DMA chunks. Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 97ff3f30338b29ecebf384facb1a5495b2c052ec Author: Helge Deller Date: Fri May 24 23:16:25 2019 +0200 parisc: Fix compiler warnings in float emulation code [ Upstream commit 6b98d9134e14f5ef4bcf64b27eedf484ed19a1ec ] Avoid such compiler warnings: arch/parisc/math-emu/cnv_float.h:71:27: warning: ‘<<’ in boolean context, did you mean ‘<’ ? [-Wint-in-bool-context] ((Dintp1(dint_valueA) << 33 - SGL_EXP_LENGTH) || Dintp2(dint_valueB)) arch/parisc/math-emu/fcnvxf.c:257:6: note: in expansion of macro ‘Dint_isinexact_to_sgl’ if (Dint_isinexact_to_sgl(srcp1,srcp2)) { Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 9b2c6ad567c7458ee1c296a5a4ec10cae65f0175 Author: YueHaibing Date: Tue May 14 23:24:37 2019 +0800 parport: Fix mem leak in parport_register_dev_model [ Upstream commit 1c7ebeabc9e5ee12e42075a597de40fdb9059530 ] BUG: memory leak unreferenced object 0xffff8881df48cda0 (size 16): comm "syz-executor.0", pid 5077, jiffies 4295994670 (age 22.280s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d2d0d5fe>] parport_register_dev_model+0x141/0x6e0 [parport] [<00000000782f6dab>] 0xffffffffc15d1196 [<00000000d2ca6ae4>] platform_drv_probe+0x7e/0x100 [<00000000628c2a94>] really_probe+0x342/0x4d0 [<000000006874f5da>] driver_probe_device+0x8c/0x170 [<00000000424de37a>] __device_attach_driver+0xda/0x100 [<000000002acab09a>] bus_for_each_drv+0xfe/0x170 [<000000003d9e5f31>] __device_attach+0x190/0x230 [<0000000035d32f80>] bus_probe_device+0x123/0x140 [<00000000a05ba627>] device_add+0x7cc/0xce0 [<000000003f7560bf>] platform_device_add+0x230/0x3c0 [<000000002a0be07d>] 0xffffffffc15d0949 [<000000007361d8d2>] port_check+0x3b/0x50 [parport] [<000000004d67200f>] bus_for_each_dev+0x115/0x180 [<000000003ccfd11c>] __parport_register_driver+0x1f0/0x210 [parport] [<00000000987f06fc>] 0xffffffffc15d803e After commit 4e5a74f1db8d ("parport: Revert "parport: fix memory leak""), free_pardevice do not free par_dev->state, we should free it in error path of parport_register_dev_model before return. Reported-by: Hulk Robot Fixes: 4e5a74f1db8d ("parport: Revert "parport: fix memory leak"") Signed-off-by: YueHaibing Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8b31d306aa9ba9bd90a03e235a5e706ff4f99e13 Author: Scott Wood Date: Thu May 9 16:08:28 2019 -0500 fpga: dfl: Add lockdep classes for pdata->lock [ Upstream commit dfe3de8d397bf878b31864d4e489d41118ec475f ] struct dfl_feature_platform_data (and it's mutex) is used by both fme and port devices, and when lockdep is enabled it complains about nesting between these locks. Tell lockdep about the difference so it can track each class separately. Here's the lockdep complaint: [ 409.680668] WARNING: possible recursive locking detected [ 409.685983] 5.1.0-rc3.fpga+ #1 Tainted: G E [ 409.691469] -------------------------------------------- [ 409.696779] fpgaconf/9348 is trying to acquire lock: [ 409.701746] 00000000a443fe2e (&pdata->lock){+.+.}, at: port_enable_set+0x24/0x60 [dfl_afu] [ 409.710006] [ 409.710006] but task is already holding lock: [ 409.715837] 0000000063b78782 (&pdata->lock){+.+.}, at: fme_pr_ioctl+0x21d/0x330 [dfl_fme] [ 409.724012] [ 409.724012] other info that might help us debug this: [ 409.730535] Possible unsafe locking scenario: [ 409.730535] [ 409.736457] CPU0 [ 409.738910] ---- [ 409.741360] lock(&pdata->lock); [ 409.744679] lock(&pdata->lock); [ 409.747999] [ 409.747999] *** DEADLOCK *** [ 409.747999] [ 409.753920] May be due to missing lock nesting notation [ 409.753920] [ 409.760704] 4 locks held by fpgaconf/9348: [ 409.764805] #0: 0000000063b78782 (&pdata->lock){+.+.}, at: fme_pr_ioctl+0x21d/0x330 [dfl_fme] [ 409.773408] #1: 00000000213c8a66 (®ion->mutex){+.+.}, at: fpga_region_program_fpga+0x24/0x200 [fpga_region] [ 409.783489] #2: 00000000fe63afb9 (&mgr->ref_mutex){+.+.}, at: fpga_mgr_lock+0x15/0x40 [fpga_mgr] [ 409.792354] #3: 000000000b2285c5 (&bridge->mutex){+.+.}, at: __fpga_bridge_get+0x26/0xa0 [fpga_bridge] [ 409.801740] [ 409.801740] stack backtrace: [ 409.806102] CPU: 45 PID: 9348 Comm: fpgaconf Kdump: loaded Tainted: G E 5.1.0-rc3.fpga+ #1 [ 409.815658] Hardware name: Intel Corporation S2600BT/S2600BT, BIOS SE5C620.86B.01.00.0763.022420181017 02/24/2018 [ 409.825911] Call Trace: [ 409.828369] dump_stack+0x5e/0x8b [ 409.831686] __lock_acquire+0xf3d/0x10e0 [ 409.835612] ? find_held_lock+0x3c/0xa0 [ 409.839451] lock_acquire+0xbc/0x1d0 [ 409.843030] ? port_enable_set+0x24/0x60 [dfl_afu] [ 409.847823] ? port_enable_set+0x24/0x60 [dfl_afu] [ 409.852616] __mutex_lock+0x86/0x970 [ 409.856195] ? port_enable_set+0x24/0x60 [dfl_afu] [ 409.860989] ? port_enable_set+0x24/0x60 [dfl_afu] [ 409.865777] ? __mutex_unlock_slowpath+0x4b/0x290 [ 409.870486] port_enable_set+0x24/0x60 [dfl_afu] [ 409.875106] fpga_bridges_disable+0x36/0x50 [fpga_bridge] [ 409.880502] fpga_region_program_fpga+0xea/0x200 [fpga_region] [ 409.886338] fme_pr_ioctl+0x13e/0x330 [dfl_fme] [ 409.890870] fme_ioctl+0x66/0xe0 [dfl_fme] [ 409.894973] do_vfs_ioctl+0xa9/0x720 [ 409.898548] ? lockdep_hardirqs_on+0xf0/0x1a0 [ 409.902907] ksys_ioctl+0x60/0x90 [ 409.906225] __x64_sys_ioctl+0x16/0x20 [ 409.909981] do_syscall_64+0x5a/0x220 [ 409.913644] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 409.918698] RIP: 0033:0x7f9d31b9b8d7 [ 409.922276] Code: 44 00 00 48 8b 05 b9 15 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 15 2d 00 f7 d8 64 89 01 48 [ 409.941020] RSP: 002b:00007ffe4cae0d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 409.948588] RAX: ffffffffffffffda RBX: 00007f9d32ade6a0 RCX: 00007f9d31b9b8d7 [ 409.955719] RDX: 00007ffe4cae0df0 RSI: 000000000000b680 RDI: 0000000000000003 [ 409.962852] RBP: 0000000000000003 R08: 00007f9d2b70a177 R09: 00007ffe4cae0e40 [ 409.969984] R10: 00007ffe4cae0160 R11: 0000000000000202 R12: 00007ffe4cae0df0 [ 409.977115] R13: 000000000000b680 R14: 0000000000000000 R15: 00007ffe4cae0f60 Signed-off-by: Scott Wood Acked-by: Wu Hao Acked-by: Alan Tull Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 940ec88924e597e245cd2a6b1fdfcc806872c883 Author: Scott Wood Date: Thu May 9 16:08:27 2019 -0500 fpga: dfl: afu: Pass the correct device to dma_mapping_error() [ Upstream commit 13069847a475b60069918dc9971f5adb42811ce3 ] dma_mapping_error() was being called on a different device struct than what was passed to map/unmap. Besides rendering the error checking ineffective, it caused a debug splat with CONFIG_DMA_API_DEBUG. Signed-off-by: Scott Wood Acked-by: Wu Hao Acked-by: Moritz Fischer Acked-by: Alan Tull Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f42d43aed4d3853e1a8cd0e0230762ac5e38e5c0 Author: Wen Yang Date: Thu May 9 16:08:26 2019 -0500 fpga: stratix10-soc: fix use-after-free on s10_init() [ Upstream commit f5dd87326fefe42a4b1a4b1a1a695060c33a88d6 ] The refcount of fw_np has already been decreased by of_find_matching_node() so it shouldn't be used anymore. This patch adds an of_node_get() before of_find_matching_node() to avoid the use-after-free problem. Fixes: e7eef1d7633a ("fpga: add intel stratix10 soc fpga manager driver") Signed-off-by: Wen Yang Cc: Alan Tull Cc: Moritz Fischer Cc: Nicolas Saenz Julienne Cc: linux-fpga@vger.kernel.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Moritz Fischer Reviewed-by: Nicolas Saenz Julienne Acked-by: Alan Tull Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6ff0a7300513b526ea3bc95b4c91f8113e1a9a92 Author: Masahiro Yamada Date: Tue May 21 15:20:39 2019 +0900 MIPS: mark ginvt() as __always_inline [ Upstream commit 6074c33c6b2eabc70867ef76d57ca256e9ea9da7 ] To meet the 'i' (immediate) constraint for the asm operands, this function must be always inlined. Signed-off-by: Masahiro Yamada Signed-off-by: Paul Burton Cc: linux-mips@vger.kernel.org Cc: Ralf Baechle Cc: James Hogan Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit b131e9d10384d2230f2d8de8f01612cf76f80e7f Author: Jose Abreu Date: Mon May 20 15:43:13 2019 +0200 ARC: [plat-hsdk]: Add missing FIFO size entry in GMAC node [ Upstream commit 4c70850aeb2e40016722cd1abd43c679666d3ca0 ] Add the binding for RX/TX fifo size of GMAC node. Cc: Joao Pinto Cc: Rob Herring Cc: Mark Rutland Cc: Vineet Gupta Tested-by: Eugeniy Paltsev Acked-by: Alexey Brodkin Signed-off-by: Jose Abreu Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit cb9e8a827e35280710ded59e56b9e6c4e0ad9e9e Author: Jose Abreu Date: Mon May 20 15:43:12 2019 +0200 ARC: [plat-hsdk]: Add missing multicast filter bins number to GMAC node [ Upstream commit ecc906a11c2a0940e1a380debd8bd5bc09faf454 ] GMAC controller on HSDK boards supports 256 Hash Table size so we need to add the multicast filter bins property. This allows for the Hash filter to work properly using stmmac driver. Cc: Joao Pinto Cc: Rob Herring Cc: Mark Rutland Cc: Eugeniy Paltsev Acked-by: Alexey Brodkin Signed-off-by: Jose Abreu Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit ce7d789bb90bd2b53065bf097310d563044cf232 Author: Eric Long Date: Mon May 6 15:28:32 2019 +0800 dmaengine: sprd: Fix the right place to configure 2-stage transfer [ Upstream commit c434e377dad1dec05cad1870ce21bc539e1e024f ] Move the 2-stage configuration before configuring the link-list mode, since we will use some 2-stage configuration to fill the link-list configuration. Signed-off-by: Eric Long Signed-off-by: Baolin Wang Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 544671fac56e69b646664311c9790b89dfb3d328 Author: Eric Long Date: Mon May 6 15:28:31 2019 +0800 dmaengine: sprd: Fix block length overflow [ Upstream commit 89d03b3c126d683f7b2cd5b07178493993d12448 ] The maximum value of block length is 0xffff, so if the configured transfer length is more than 0xffff, that will cause block length overflow to lead a configuration error. Thus we can set block length as the maximum burst length to avoid this issue, since the maximum burst length will not be a big value which is more than 0xffff. Signed-off-by: Eric Long Signed-off-by: Baolin Wang Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 3ef397924060d1431a1a2e4aa09964276da97d92 Author: Eric Long Date: Mon May 6 15:28:30 2019 +0800 dmaengine: sprd: Fix the incorrect start for 2-stage destination channels [ Upstream commit 3d626a97f0303e9c30d063434b749de3f0f91fb5 ] The 2-stage destination channel will be triggered by source channel automatically, which means we should not trigger it by software request. Signed-off-by: Eric Long Signed-off-by: Baolin Wang Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 36090046e762aa70c118b501bdf2b3aa79c112d5 Author: Baolin Wang Date: Mon May 6 15:28:29 2019 +0800 dmaengine: sprd: Add validation of current descriptor in irq handler [ Upstream commit 58152b0e573e5581c4b9ef7cf06d2e9fafae27d4 ] When user terminates one DMA channel to free all its descriptors, but at the same time one transaction interrupt was triggered possibly, now we should not handle this interrupt by validating if the 'schan->cur_desc' was set as NULL to avoid crashing the kernel. Signed-off-by: Baolin Wang Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit af410491e083806859c7d43f5d2ddf6eef947942 Author: Baolin Wang Date: Mon May 6 15:28:28 2019 +0800 dmaengine: sprd: Fix the possible crash when getting descriptor status [ Upstream commit 16d0f85e45b99411ac10cb12cdd9279204a72381 ] We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor has been submitted, that will crash the kernel when getting the descriptor status. In this case, since the descriptor has been submitted to process, but it is not completed now, which means the descriptor is listed into the 'vc->desc_submitted' list now. So we can not get current processing descriptor by vchan_find_desc(), but the pointer 'schan->cur_desc' will point to the current processing descriptor, then we can use 'schan->cur_desc' to get current processing descriptor's status to avoid this issue. Signed-off-by: Baolin Wang Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 644d39260f9af967f92171088380b906ecd69e28 Author: Dan Carpenter Date: Thu May 9 13:09:23 2019 +0300 dmaengine: mediatek-cqdma: sleeping in atomic context [ Upstream commit 069b3c4214f27b130d0642f32438560db30f452e ] The mtk_cqdma_poll_engine_done() function takes a true/false parameter where true means it's called from atomic context. There are a couple places where it was set to false but it's actually in atomic context so it should be true. All the callers for mtk_cqdma_hard_reset() are holding a spin_lock and in mtk_cqdma_free_chan_resources() we take a spin_lock before calling the mtk_cqdma_poll_engine_done() function. Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") Signed-off-by: Dan Carpenter Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 09167890636f32760cc6f90cb8e701cc85b16c3f Author: Colin Ian King Date: Wed May 8 23:33:29 2019 +0100 dmaengine: dw-axi-dmac: fix null dereference when pointer first is null [ Upstream commit 0788611c9a0925c607de536b2449de5ed98ef8df ] In the unlikely event that axi_desc_get returns a null desc in the very first iteration of the while-loop the error exit path ends up calling axi_desc_put on a null pointer 'first' and this causes a null pointer dereference. Fix this by adding a null check on pointer 'first' before calling axi_desc_put. Addresses-Coverity: ("Explicit null dereference") Fixes: 1fe20f1b8454 ("dmaengine: Introduce DW AXI DMAC driver") Signed-off-by: Colin Ian King Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4bd19c830b31676d854b24d967727618d47417e0 Author: Paul Cercueil Date: Sat May 4 23:37:57 2019 +0200 dmaengine: jz4780: Fix transfers being ACKed too soon [ Upstream commit 4e4106f5e942bff65548e82fc330d40385c89220 ] When a multi-descriptor DMA transfer is in progress, the "IRQ pending" flag will apparently be set for that channel as soon as the last descriptor loads, way before the IRQ actually happens. This behaviour has been observed on the JZ4725B, but maybe other SoCs are affected. In the case where another DMA transfer is running into completion on a separate channel, the IRQ handler would then run the completion handler for our previous channel even if the transfer didn't actually finish. Fix this by checking in the completion handler that we're indeed done; if not the interrupted DMA transfer will simply be resumed. Signed-off-by: Paul Cercueil Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f23dc2c3ad8587cb2308c3f9647bd31d50b185d8 Author: Vineet Gupta Date: Tue May 7 10:45:24 2019 -0700 ARC: fix build warnings [ Upstream commit 89c92142f75eb80064f5b9f1111484b1b4d81790 ] | arch/arc/mm/tlb.c:914:2: warning: variable length array 'pd0' is used [-Wvla] | arch/arc/include/asm/cmpxchg.h:95:29: warning: value computed is not used [-Wunused-value] Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit 3656dca39b5367ceb51bfd0fa448d9bfc7012972 Author: Kees Cook Date: Sat Apr 6 08:52:11 2019 -0700 lkdtm/usercopy: Moves the KERNEL_DS test to non-canonical [ Upstream commit 2bf8496f6e9b7e9a557f65eb95eab16fea7958c7 ] The prior implementation of the KERNEL_DS fault checking would work on any unmapped kernel address, but this was narrowed to the non-canonical range instead. This adjusts the LKDTM test to match. Fixes: 00c42373d397 ("x86-64: add warning for non-canonical user access address dereferences") Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit 226fe899656a6dddf35a336ac4df67d2224fdf91 Author: Douglas Anderson Date: Mon Jun 17 10:56:53 2019 -0700 brcmfmac: sdio: Don't tune while the card is off commit 65dade6044079a5c206fd1803642ff420061417a upstream. When Broadcom SDIO cards are idled they go to sleep and a whole separate subsystem takes over their SDIO communication. This is the Always-On-Subsystem (AOS) and it can't handle tuning requests. Specifically, as tested on rk3288-veyron-minnie (which reports having BCM4354/1 in dmesg), if I force a retune in brcmf_sdio_kso_control() when "on = 1" (aka we're transition from sleep to wake) by whacking: bus->sdiodev->func1->card->host->need_retune = 1 ...then I can often see tuning fail. In this case dw_mmc reports "All phases bad!"). Note that I don't get 100% failure, presumably because sometimes the card itself has already transitioned away from the AOS itself by the time we try to wake it up. If I force retuning when "on = 0" (AKA force retuning right before sending the command to go to sleep) then retuning is always OK. NOTE: we need _both_ this patch and the patch to avoid triggering tuning due to CRC errors in the sleep/wake transition, AKA ("brcmfmac: sdio: Disable auto-tuning around commands expected to fail"). Though both patches handle issues with Broadcom's AOS, the problems are distinct: 1. We want to defer (but not ignore) asynchronous (like timer-requested) tuning requests till the card is awake. However, we want to ignore CRC errors during the transition, we don't want to queue deferred tuning request. 2. You could imagine that the AOS could implement retuning but we could still get errors while transitioning in and out of the AOS. Similarly you could imagine a seamless transition into and out of the AOS (with no CRC errors) even if the AOS couldn't handle tuning. ALSO NOTE: presumably there is never a desperate need to retune in order to wake up the card, since doing so is impossible. Luckily the only way the card can get into sleep state is if we had a good enough tuning to send it the command to put it into sleep, so presumably that "good enough" tuning is enough to wake us up, at least with a few retries. Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Reviewed-by: Arend van Spriel Acked-by: Kalle Valo Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 0fb27eff18a612896b83550c6bad2746f0c56223 Author: Douglas Anderson Date: Mon Jun 17 10:56:51 2019 -0700 brcmfmac: sdio: Disable auto-tuning around commands expected to fail commit 2de0b42da263c97d330d276f5ccf7c4470e3324f upstream. There are certain cases, notably when transitioning between sleep and active state, when Broadcom SDIO WiFi cards will produce errors on the SDIO bus. This is evident from the source code where you can see that we try commands in a loop until we either get success or we've tried too many times. The comment in the code reinforces this by saying "just one write attempt may fail" Unfortunately these failures sometimes end up causing an "-EILSEQ" back to the core which triggers a retuning of the SDIO card and that blocks all traffic to the card until it's done. Let's disable retuning around the commands we expect might fail. Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Reviewed-by: Arend van Spriel Acked-by: Kalle Valo Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 56f92e344c81d26d6bb0a11e2394beb15407b22f Author: Douglas Anderson Date: Mon Jun 17 10:56:49 2019 -0700 Revert "brcmfmac: disable command decode in sdio_aos" commit abdd5dcc00207e7c38680f3754d1bfffafff1093 upstream. This reverts commit 29f6589140a10ece8c1d73f58043ea5b3473ab3e. After that patch landed I find that my kernel log on rk3288-veyron-minnie and rk3288-veyron-speedy is filled with: brcmfmac: brcmf_sdio_bus_sleep: error while changing bus sleep state -110 This seems to happen every time the Broadcom WiFi transitions out of sleep mode. Reverting the commit fixes the problem for me, so that's what this patch does. Note that, in general, the justification in the original commit seemed a little weak. It looked like someone was testing on a SD card controller that would sometimes die if there were CRC errors on the bus. This used to happen back in early days of dw_mmc (the controller on my boards), but we fixed it. Disabling a feature on all boards just because one SD card controller is broken seems bad. Fixes: 29f6589140a1 ("brcmfmac: disable command decode in sdio_aos") Cc: Wright Feng Cc: Double Lo Cc: Madhan Mohan R Cc: Chi-Hsien Lin Signed-off-by: Douglas Anderson Cc: stable@vger.kernel.org Acked-by: Kalle Valo Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit db71d6e6f770246f75febc2d2d19cfbf1686012e Author: Mike Salvatore Date: Wed Jun 12 14:55:14 2019 -0700 apparmor: reset pos on failure to unpack for various functions commit 156e42996bd84eccb6acf319f19ce0cb140d00e3 upstream. Each function that manipulates the aa_ext struct should reset it's "pos" member on failure. This ensures that, on failure, no changes are made to the state of the aa_ext struct. There are paths were elements are optional and the error path is used to indicate the optional element is not present. This means instead of just aborting on error the unpack stream can become unsynchronized on optional elements, if using one of the affected functions. Cc: stable@vger.kernel.org Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy") Signed-off-by: Mike Salvatore Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit e3fd819edcca48a4f5d4e1bbcf392450912a0f2f Author: Jann Horn Date: Tue May 28 17:32:26 2019 +0200 apparmor: enforce nullbyte at end of tag string commit 8404d7a674c49278607d19726e0acc0cae299357 upstream. A packed AppArmor policy contains null-terminated tag strings that are read by unpack_nameX(). However, unpack_nameX() uses string functions on them without ensuring that they are actually null-terminated, potentially leading to out-of-bounds accesses. Make sure that the tag string is null-terminated before passing it to strcmp(). Cc: stable@vger.kernel.org Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy") Signed-off-by: Jann Horn Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit 80118c5ab6cfe6e9113a57425dbae095095f66eb Author: John Johansen Date: Sun May 26 06:42:23 2019 -0700 apparmor: fix PROFILE_MEDIATES for untrusted input commit 23375b13f98c5464c2b4d15f983cc062940f1f4e upstream. While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure every profile has a policy.dfa it does not resize the policy.start[] to have entries for every possible start value. Which means PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not take into account the start value usage. The input string in profile_query_cb() is user controlled and is not properly checked to be within the limited start[] entries, even worse it can't be as userspace policy is allowed to make us of entries types the kernel does not know about. This mean usespace can currently cause the kernel to access memory up to 240 entries beyond the start array bounds. Cc: stable@vger.kernel.org Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit 9665c361daa7d75d5b9e2a31fb53a2a18cdad622 Author: Daniel Smith Date: Thu May 23 12:54:18 2019 -0700 Input: silead - add MSSL0017 to acpi_device_id commit 0e658060e5fc50dc282885dc424a94b5d95547e5 upstream. On Chuwi Hi10 Plus, the Silead device id is MSSL0017. Signed-off-by: Daniel Smith Reviewed-by: Hans de Goede Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 251d1bd93738a23e2d257803e469b57eb69e62e8 Author: Andrey Smirnov Date: Thu May 23 12:55:26 2019 -0700 Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream. In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD need to be adjusted before being passed on uinput_ioctl_handler() since code built with -m32 will be passing slightly different values. Extend the code already covering UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well. Reported-by: Pierre-Loup A. Griffais Signed-off-by: Andrey Smirnov Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit d36869b3ede316039438ab37e166885efdb99b55 Author: Alexander Mikhaylenko Date: Wed Jun 12 14:59:46 2019 -0700 Input: synaptics - enable SMBus on ThinkPad E480 and E580 commit 9843f3e08e2144724be7148e08d77a195dea257a upstream. They are capable of using intertouch and it works well with psmouse.synaptics_intertouch=1, so add them to the list. Without it, scrolling and gestures are jumpy, three-finger pinch gesture doesn't work and three- or four-finger swipes sometimes get stuck. Signed-off-by: Alexander Mikhaylenko Reviewed-by: Benjamin Tissoires Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 5229f10241c2562c66aca68b75d39297db5d8222 Author: Crt Mori Date: Thu May 23 14:07:22 2019 +0200 iio: temperature: mlx90632 Relax the compatibility check commit 389fc70b60f534d679aea9a3f05146040ce20d77 upstream. Register EE_VERSION contains mixture of calibration information and DSP version. So far, because calibrations were definite, the driver compatibility depended on whole contents, but in the newer production process the calibration part changes. Because of that, value in EE_VERSION will be changed and to avoid that calibration value is same as DSP version the MSB in calibration part was fixed to 1. That means existing calibrations (medical and consumer) will now have hex values (bits 8 to 15) of 83 and 84 respectively. Driver compatibility should be based only on DSP version part of the EE_VERSION (bits 0 to 7) register. Signed-off-by: Crt Mori Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0a9be6a8e87b2d04516c1548e665ba5925e3c938 Author: Lorenzo Bianconi Date: Sun May 19 10:58:23 2019 +0200 iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller commit bce0d57db388cdb1c1931d0aa7d31c77b590e0f0 upstream. Properly suspend/resume i2c slaves connected to st_lsm6dsx master controller if the CPU goes in suspended state Fixes: c91c1c844ebd ("imu: st_lsm6dsx: add i2c embedded controller support") Signed-off-by: Lorenzo Bianconi Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0875fd7da38f9100ac74b1a2a8d0af79adc72a30 Author: Mike Marciniszyn Date: Fri Jun 14 12:32:32 2019 -0400 IB/hfi1: Silence txreq allocation warnings commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream. The following warning can happen when a memory shortage occurs during txreq allocation: [10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC) [10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016 [10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0 [10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1] [10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0 [10220.939262] Call Trace: [10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0 [10220.939263] dump_stack+0x5a/0x73 [10220.939265] warn_alloc+0x103/0x190 [10220.939267] ? wake_all_kswapds+0x54/0x8b [10220.939268] __alloc_pages_slowpath+0x86c/0xa2e [10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320 [10220.939271] __alloc_pages_nodemask+0x2fe/0x320 [10220.939273] new_slab+0x475/0x550 [10220.939275] ___slab_alloc+0x36c/0x520 [10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939299] ? __get_txreq+0x54/0x160 [hfi1] [10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939312] __slab_alloc+0x40/0x61 [10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939325] kmem_cache_alloc+0x181/0x1b0 [10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1] [10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1] [10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1] [10220.939372] process_one_work+0x171/0x380 [10220.939374] worker_thread+0x49/0x3f0 [10220.939375] kthread+0xf8/0x130 [10220.939377] ? max_active_store+0x80/0x80 [10220.939378] ? kthread_bind+0x10/0x10 [10220.939379] ret_from_fork+0x35/0x40 [10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC) The shortage is handled properly so the message isn't needed. Silence by adding the no warn option to the slab allocation. Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code") Cc: Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 065d452e1ffc27ef797df550c29482e09ce80e99 Author: Mike Marciniszyn Date: Mon Jun 10 12:28:18 2019 -0400 IB/hfi1: Correct tid qp rcd to match verbs context commit cc78076af14e1478c1a8fb18997674b5f8cbe3c8 upstream. The qp priv rcd pointer doesn't match the context being used for verbs causing issues when 9B and kdeth packets are processed by different receive contexts and hence different CPUs. When running on different CPUs the following panic can occur: WARNING: CPU: 3 PID: 2584 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be ffff9a7ac31f7a30, but was ffff9a7c3bc89230 CPU: 3 PID: 2584 Comm: z_wr_iss Kdump: loaded Tainted: P OE ------------ 3.10.0-862.2.3.el7_lustre.x86_64 #1 Call Trace: [] dump_stack+0x19/0x1b [] __warn+0xd8/0x100 [] warn_slowpath_fmt+0x5f/0x80 [] __list_del_entry+0xa1/0xd0 [] process_rcv_qp_work+0xb5/0x160 [hfi1] [] handle_receive_interrupt_nodma_rtail+0x20b/0x2b0 [hfi1] [] receive_context_interrupt+0x23/0x40 [hfi1] [] __handle_irq_event_percpu+0x44/0x1c0 [] handle_irq_event_percpu+0x32/0x80 [] handle_irq_event+0x3c/0x60 [] handle_edge_irq+0x7f/0x150 [] handle_irq+0xe4/0x1a0 [] do_IRQ+0x4d/0xf0 [] common_interrupt+0x162/0x162 [] ? memcpy+0x6/0x110 [] ? abd_copy_from_buf_off_cb+0x1d/0x30 [zfs] [] ? abd_copy_to_buf_off_cb+0x30/0x30 [zfs] [] abd_iterate_func+0x97/0x120 [zfs] [] abd_copy_from_buf_off+0x39/0x60 [zfs] [] arc_write_ready+0x178/0x300 [zfs] [] ? mutex_lock+0x12/0x2f [] ? mutex_lock+0x12/0x2f [] zio_ready+0x65/0x3d0 [zfs] [] ? tsd_get_by_thread+0x2e/0x50 [spl] [] ? taskq_member+0x18/0x30 [spl] [] zio_execute+0xa2/0x100 [zfs] [] taskq_thread+0x2ac/0x4f0 [spl] [] ? wake_up_state+0x20/0x20 [] ? zio_taskq_member.isra.7.constprop.10+0x80/0x80 [zfs] [] ? taskq_thread_spawn+0x60/0x60 [spl] [] kthread+0xd1/0xe0 [] ? insert_kthread_work+0x40/0x40 [] ret_from_fork_nospec_begin+0x21/0x21 [] ? insert_kthread_work+0x40/0x40 Fix by reading the map entry in the same manner as the hardware so that the kdeth and verbs contexts match. Cc: Fixes: 5190f052a365 ("IB/hfi1: Allow the driver to initialize QP priv struct") Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 3db7d8f09caf7c818ffd4de95803f95f7b16d6cc Author: Mike Marciniszyn Date: Fri Jun 14 12:32:26 2019 -0400 IB/hfi1: Avoid hardlockup with flushlist_lock commit cf131a81967583ae737df6383a0893b9fee75b4e upstream. Heavy contention of the sde flushlist_lock can cause hard lockups at extreme scale when the flushing logic is under stress. Mitigate by replacing the item at a time copy to the local list with an O(1) list_splice_init() and using the high priority work queue to do the flushes. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Cc: Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit c2df772b397a120b10deae3d070e209a5581cfbe Author: Mike Marciniszyn Date: Fri Jun 7 08:25:31 2019 -0400 IB/hfi1: Close PSM sdma_progress sleep window commit da9de5f8527f4b9efc82f967d29a583318c034c7 upstream. The call to sdma_progress() is called outside the wait lock. In this case, there is a race condition where sdma_progress() can return false and the sdma_engine can idle. If that happens, there will be no more sdma interrupts to cause the wakeup and the user_sdma xmit will hang. Fix by moving the lock to enclose the sdma_progress() call. Also, delete busycount. The need for this was removed by: commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first") Cc: Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Gary Leshner Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit d7a285f7c2e70e0c9be871a100b1c96af820f295 Author: Kaike Wan Date: Fri Jun 7 08:25:25 2019 -0400 IB/hfi1: Validate fault injection opcode user input commit 5f90677ed31963abb184ee08ebee4a4a68225dd8 upstream. The opcode range for fault injection from user should be validated before it is applied to the fault->opcodes[] bitmap to avoid out-of-bound error. Cc: Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery") Reported-by: Dan Carpenter Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 1e4fd61d08e41df508ce06efb3c4db9de2eddc08 Author: Ronnie Sahlberg Date: Fri Jun 14 13:02:29 2019 +1000 cifs: fix GlobalMid_Lock bug in cifs_reconnect commit 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 upstream. We can not hold the GlobalMid_Lock spinlock during the dfs processing in cifs_reconnect since it invokes things that may sleep and thus trigger : BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:23 Thus we need to drop the spinlock during this code block. RHBZ: 1716743 Cc: stable@vger.kernel.org Signed-off-by: Ronnie Sahlberg Acked-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 4e941b47b47276d95d5670e3f131a798ed9dacad Author: Ronnie Sahlberg Date: Wed Jun 5 10:38:38 2019 +1000 cifs: add spinlock for the openFileList to cifsInodeInfo commit 487317c99477d00f22370625d53be3239febabbe upstream. We can not depend on the tcon->open_file_lock here since in multiuser mode we may have the same file/inode open via multiple different tcons. The current code is race prone and will crash if one user deletes a file at the same time a different user opens/create the file. To avoid this we need to have a spinlock attached to the inode and not the tcon. RHBZ: 1580165 CC: Stable Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: Pavel Shilovsky Signed-off-by: Greg Kroah-Hartman commit 7a79a60f05cffb98111cad4d53a8caa822ef263e Author: Mathias Nyman Date: Tue Jun 18 17:27:47 2019 +0300 usb: xhci: Don't try to recover an endpoint if port is in error state. commit b8c3b718087bf7c3c8e388eb1f72ac1108a4926e upstream. A USB3 device needs to be reset and re-enumarated if the port it connects to goes to a error state, with link state inactive. There is no use in trying to recover failed transactions by resetting endpoints at this stage. Tests show that in rare cases, after multiple endpoint resets of a roothub port the whole host controller might stop completely. Several retries to recover from transaction error can happen as it can take a long time before the hub thread discovers the USB3 port error and inactive link. We can't reliably detect the port error from slot or endpoint context due to a limitation in xhci, see xhci specs section 4.8.3: "There are several cases where the EP State field in the Output Endpoint Context may not reflect the current state of an endpoint" and "Software should maintain an accurate value for EP State, by tracking it with an internal variable that is driven by Events and Doorbell accesses" Same appears to be true for slot state. set a flag to the corresponding slot if a USB3 roothub port link goes inactive to prevent both queueing new URBs and resetting endpoints. Reported-by: Rapolu Chiranjeevi Tested-by: Rapolu Chiranjeevi Cc: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit ee742005831ce1ab34cefe7e9a9183609735cadc Author: Mathias Nyman Date: Tue Jun 18 17:27:48 2019 +0300 xhci: detect USB 3.2 capable host controllers correctly commit ddd57980a0fde30f7b5d14b888a2cc84d01610e8 upstream. USB 3.2 capability in a host can be detected from the xHCI Supported Protocol Capability major and minor revision fields. If major is 0x3 and minor 0x20 then the host is USB 3.2 capable. For USB 3.2 capable hosts set the root hub lane count to 2. The Major Revision and Minor Revision fields contain a BCD version number. The value of the Major Revision field is JJh and the value of the Minor Revision field is MNh for version JJ.M.N, where JJ = major revision number, M - minor version number, N = sub-minor version number, e.g. version 3.1 is represented with a value of 0310h. Also fix the extra whitespace printed out when announcing regular SuperSpeed hosts. Cc: # v4.18+ Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 94207779337a5cf47dbb3218995c33a4041ebd12 Author: Peter Chen Date: Mon Jun 17 09:49:07 2019 +0800 usb: chipidea: udc: workaround for endpoint conflict issue commit c19dffc0a9511a7d7493ec21019aefd97e9a111b upstream. An endpoint conflict occurs when the USB is working in device mode during an isochronous communication. When the endpointA IN direction is an isochronous IN endpoint, and the host sends an IN token to endpointA on another device, then the OUT transaction may be missed regardless the OUT endpoint number. Generally, this occurs when the device is connected to the host through a hub and other devices are connected to the same hub. The affected OUT endpoint can be either control, bulk, isochronous, or an interrupt endpoint. After the OUT endpoint is primed, if an IN token to the same endpoint number on another device is received, then the OUT endpoint may be unprimed (cannot be detected by software), which causes this endpoint to no longer respond to the host OUT token, and thus, no corresponding interrupt occurs. There is no good workaround for this issue, the only thing the software could do is numbering isochronous IN from the highest endpoint since we have observed most of device number endpoint from the lowest. Cc: #v3.14+ Cc: Fabio Estevam Cc: Greg KH Cc: Sergei Shtylyov Cc: Jun Li Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit c0d4c85bc39fb5639cf6377eff98cee03af2d5a5 Author: Stanley Chu Date: Wed Jun 12 23:19:05 2019 +0800 scsi: ufs: Avoid runtime suspend possibly being blocked forever commit 24e2e7a19f7e4b83d0d5189040d997bce3596473 upstream. UFS runtime suspend can be triggered after pm_runtime_enable() is invoked in ufshcd_pltfrm_init(). However if the first runtime suspend is triggered before binding ufs_hba structure to ufs device structure via platform_set_drvdata(), then UFS runtime suspend will be no longer triggered in the future because its dev->power.runtime_error was set in the first triggering and does not have any chance to be cleared. To be more clear, dev->power.runtime_error is set if hba is NULL in ufshcd_runtime_suspend() which returns -EINVAL to rpm_callback() where dev->power.runtime_error is set as -EINVAL. In this case, any future rpm_suspend() for UFS device fails because rpm_check_suspend_allowed() fails due to non-zero dev->power.runtime_error. To resolve this issue, make sure the first UFS runtime suspend get valid "hba" in ufshcd_runtime_suspend(): Enable UFS runtime PM only after hba is successfully bound to UFS device structure. Fixes: 62694735ca95 ([SCSI] ufs: Add runtime PM support for UFS host controller driver) Cc: stable@vger.kernel.org Signed-off-by: Stanley Chu Reviewed-by: Avri Altman Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit ec959de3d3a45a24c9ffb2a4aaa6c3b5df61031f Author: Ulf Hansson Date: Tue Jun 18 14:05:17 2019 +0200 mmc: core: Prevent processing SDIO IRQs when the card is suspended commit 83293386bc95cf5e9f0c0175794455835bd1cb4a upstream. Processing of SDIO IRQs must obviously be prevented while the card is system suspended, otherwise we may end up trying to communicate with an uninitialized SDIO card. Reports throughout the years shows that this is not only a theoretical problem, but a real issue. So, let's finally fix this problem, by keeping track of the state for the card and bail out before processing the SDIO IRQ, in case the card is suspended. Cc: stable@vger.kernel.org Reported-by: Douglas Anderson Tested-by: Douglas Anderson Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 55dc448847c9edaf128234bc6f14ac9d16c11e6c Author: Douglas Anderson Date: Mon Jun 17 10:56:52 2019 -0700 mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() commit b4c9f938d542d5f88c501744d2d12fad4fd2915f upstream. We want SDIO drivers to be able to temporarily stop retuning when the driver knows that the SDIO card is not in a state where retuning will work (maybe because the card is asleep). We'll move the relevant functions to a place where drivers can call them. Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Acked-by: Kalle Valo Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 2ea454840793b8c8022d242cba3ad8f92cae5313 Author: Douglas Anderson Date: Mon Jun 17 10:56:50 2019 -0700 mmc: core: API to temporarily disable retuning for SDIO CRC errors commit 0a55f4ab9678413a01e740c86e9367ba0c612b36 upstream. Normally when the MMC core sees an "-EILSEQ" error returned by a host controller then it will trigger a retuning of the card. This is generally a good idea. However, if a command is expected to sometimes cause transfer errors then these transfer errors shouldn't cause a re-tuning. This re-tuning will be a needless waste of time. One example case where a transfer is expected to cause errors is when transitioning between idle (sometimes referred to as "sleep" in Broadcom code) and active state on certain Broadcom WiFi SDIO cards. Specifically if the card was already transitioning between states when the command was sent it could cause an error on the SDIO bus. Let's add an API that the SDIO function drivers can call that will temporarily disable the auto-tuning functionality. Then we can add a call to this in the Broadcom WiFi driver and any other driver that might have similar needs. NOTE: this makes the assumption that the card is already tuned well enough that it's OK to disable the auto-retuning during one of these error-prone situations. Presumably the driver code performing the error-prone transfer knows how to recover / retry from errors. ...and after we can get back to a state where transfers are no longer error-prone then we can enable the auto-retuning again. If we truly find ourselves in a case where the card needs to be retuned sometimes to handle one of these error-prone transfers then we can always try a few transfers first without auto-retuning and then re-try with auto-retuning if the first few fail. Without this change on rk3288-veyron-minnie I periodically see this in the logs of a machine just sitting there idle: dwmmc_rockchip ff0d0000.dwmmc: Successfully tuned phase to XYZ Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Acked-by: Kalle Valo Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 0e9ff1ef4f32432ba7ee8f6cfc9a4eaee3472698 Author: jjian zhou Date: Mon Jun 17 19:04:08 2019 +0800 mmc: mediatek: fix SDIO IRQ detection issue commit 20314ce30af197963b0c239f0952db6aaef73f99 upstream. If cmd19 timeout or response crcerr occurs during execute_tuning(), it need invoke msdc_reset_hw(). Otherwise SDIO IRQ can't be detected. Signed-off-by: jjian zhou Signed-off-by: Chaotian Jing Signed-off-by: Yong Mao Fixes: 5215b2e952f3 ("mmc: mediatek: Add MMC_CAP_SDIO_IRQ support") Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 121d0ccd34e6f009965b4d4faac73f4ce621d07c Author: jjian zhou Date: Mon Jun 17 19:04:07 2019 +0800 mmc: mediatek: fix SDIO IRQ interrupt handle flow commit 8a5df8ac628f4febea1e6cd3044bff2d536dd096 upstream. SDIO IRQ is triggered by low level. It need disable SDIO IRQ detected function. Otherwise the interrupt register can't be cleared. It will process the interrupt more. Signed-off-by: Jjian Zhou Signed-off-by: Chaotian Jing Signed-off-by: Yong Mao Fixes: 5215b2e952f3 ("mmc: mediatek: Add MMC_CAP_SDIO_IRQ support") Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 952202198396c47bc42144fa6f7bde8510eee9e5 Author: Wolfram Sang Date: Thu Jun 6 13:35:35 2019 +0200 mmc: sdhi: disallow HS400 for M3-W ES1.2, RZ/G2M, and V3H commit 97bf85b6ec9e6597ce81c79b26a28f7918fc4eaf upstream. Our HW engineers informed us that HS400 is not working on these SoC revisions. Fixes: 0f4e2054c971 ("mmc: renesas_sdhi: disable HS400 on H3 ES1.x and M3-W ES1.[012]") Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Reviewed-by: Fabrizio Castro Reviewed-by: Niklas Söderlund Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit a7f0a215d7d351f009d05563a56252d424c99c5e Author: Raul E Rangel Date: Mon Jun 17 14:10:12 2019 -0600 mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when tuning commit 0f7b79a44e7d7dd3ef1f59758c1a341f217ff5e5 upstream. The O2Micro controller only supports tuning at 4-bits. So the host driver needs to change the bus width while tuning and then set it back when done. There was a bug in the original implementation in that mmc->ios.bus_width also wasn't updated. Thus setting the incorrect blocksize in sdhci_send_tuning which results in a tuning failure. Signed-off-by: Raul E Rangel Fixes: 0086fc217d5d7 ("mmc: sdhci: Add support for O2 hardware tuning") Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit c64cefcb9e959efb2c6dd20460fce17e21ea6b4a Author: Miguel Ojeda Date: Thu May 23 14:45:35 2019 +0200 tracing: Silence GCC 9 array bounds warning commit 0c97bf863efce63d6ab7971dad811601e6171d2f upstream. Starting with GCC 9, -Warray-bounds detects cases when memset is called starting on a member of a struct but the size to be cleared ends up writing over further members. Such a call happens in the trace code to clear, at once, all members after and including `seq` on struct trace_iterator: In function 'memset', inlined from 'ftrace_dump' at kernel/trace/trace.c:8914:3: ./include/linux/string.h:344:9: warning: '__builtin_memset' offset [8505, 8560] from the object at 'iter' is out of the bounds of referenced subobject 'seq' with type 'struct trace_seq' at offset 4368 [-Warray-bounds] 344 | return __builtin_memset(p, c, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ In order to avoid GCC complaining about it, we compute the address ourselves by adding the offsetof distance instead of referring directly to the member. Since there are two places doing this clear (trace.c and trace_kdb.c), take the chance to move the workaround into a single place in the internal header. Link: http://lkml.kernel.org/r/20190523124535.GA12931@gmail.com Signed-off-by: Miguel Ojeda [ Removed unnecessary parenthesis around "iter" ] Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman