1. 01 Dec, 2019 40 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix NULL dereference at parsing BADD · 3510fb79
      Takashi Iwai authored
      commit 9435f2bb upstream.
      
      snd_usb_mixer_controls_badd() that parses UAC3 BADD profiles misses a
      NULL check for the given interfaces.  When a malformed USB descriptor
      is passed, this may lead to an Oops, as spotted by syzkaller.
      Skip the iteration if the interface doesn't exist for avoiding the
      crash.
      
      Fixes: 17156f23 ("ALSA: usb: add UAC3 BADD profiles support")
      Reported-by: syzbot+a36ab65c6653d7ccdd62@syzkaller.appspotmail.com
      Suggested-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191122112840.24797-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3510fb79
    • Yang Tao's avatar
      futex: Prevent robust futex exit race · 2819f403
      Yang Tao authored
      commit ca16d5be upstream.
      
      Robust futexes utilize the robust_list mechanism to allow the kernel to
      release futexes which are held when a task exits. The exit can be voluntary
      or caused by a signal or fault. This prevents that waiters block forever.
      
      The futex operations in user space store a pointer to the futex they are
      either locking or unlocking in the op_pending member of the per task robust
      list.
      
      After a lock operation has succeeded the futex is queued in the robust list
      linked list and the op_pending pointer is cleared.
      
      After an unlock operation has succeeded the futex is removed from the
      robust list linked list and the op_pending pointer is cleared.
      
      The robust list exit code checks for the pending operation and any futex
      which is queued in the linked list. It carefully checks whether the futex
      value is the TID of the exiting task. If so, it sets the OWNER_DIED bit and
      tries to wake up a potential waiter.
      
      This is race free for the lock operation but unlock has two race scenarios
      where waiters might not be woken up. These issues can be observed with
      regular robust pthread mutexes. PI aware pthread mutexes are not affected.
      
      (1) Unlocking task is killed after unlocking the futex value in user space
          before being able to wake a waiter.
      
              pthread_mutex_unlock()
                      |
                      V
              atomic_exchange_rel (&mutex->__data.__lock, 0)
                              <------------------------killed
                  lll_futex_wake ()                   |
                                                      |
                                                      |(__lock = 0)
                                                      |(enter kernel)
                                                      |
                                                      V
                                                  do_exit()
                                                  exit_mm()
                                                mm_release()
                                              exit_robust_list()
                                              handle_futex_death()
                                                      |
                                                      |(__lock = 0)
                                                      |(uval = 0)
                                                      |
                                                      V
              if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                      return 0;
      
          The sanity check which ensures that the user space futex is owned by
          the exiting task prevents the wakeup of waiters which in consequence
          block infinitely.
      
      (2) Waiting task is killed after a wakeup and before it can acquire the
          futex in user space.
      
              OWNER                         WAITER
      				futex_wait()
         pthread_mutex_unlock()               |
                      |                       |
                      |(__lock = 0)           |
                      |                       |
                      V                       |
               futex_wake() ------------>  wakeup()
                                              |
                                              |(return to userspace)
                                              |(__lock = 0)
                                              |
                                              V
                              oldval = mutex->__data.__lock
                                                <-----------------killed
          atomic_compare_and_exchange_val_acq (&mutex->__data.__lock,  |
                              id | assume_other_futex_waiters, 0)      |
                                                                       |
                                                                       |
                                                         (enter kernel)|
                                                                       |
                                                                       V
                                                               do_exit()
                                                              |
                                                              |
                                                              V
                                              handle_futex_death()
                                              |
                                              |(__lock = 0)
                                              |(uval = 0)
                                              |
                                              V
              if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                      return 0;
      
          The sanity check which ensures that the user space futex is owned
          by the exiting task prevents the wakeup of waiters, which seems to
          be correct as the exiting task does not own the futex value, but
          the consequence is that other waiters wont be woken up and block
          infinitely.
      
      In both scenarios the following conditions are true:
      
         - task->robust_list->list_op_pending != NULL
         - user space futex value == 0
         - Regular futex (not PI)
      
      If these conditions are met then it is reasonably safe to wake up a
      potential waiter in order to prevent the above problems.
      
      As this might be a false positive it can cause spurious wakeups, but the
      waiter side has to handle other types of unrelated wakeups, e.g. signals
      gracefully anyway. So such a spurious wakeup will not affect the
      correctness of these operations.
      
      This workaround must not touch the user space futex value and cannot set
      the OWNER_DIED bit because the lock value is 0, i.e. uncontended. Setting
      OWNER_DIED in this case would result in inconsistent state and subsequently
      in malfunction of the owner died handling in user space.
      
      The rest of the user space state is still consistent as no other task can
      observe the list_op_pending entry in the exiting tasks robust list.
      
      The eventually woken up waiter will observe the uncontended lock value and
      take it over.
      
      [ tglx: Massaged changelog and comment. Made the return explicit and not
        	depend on the subsequent check and added constants to hand into
        	handle_futex_death() instead of plain numbers. Fixed a few coding
      	style issues. ]
      
      Fixes: 0771dfef ("[PATCH] lightweight robust futexes: core")
      Signed-off-by: default avatarYang Tao <yang.tao172@zte.com.cn>
      Signed-off-by: default avatarYi Wang <wang.yi59@zte.com.cn>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/1573010582-35297-1-git-send-email-wang.yi59@zte.com.cn
      Link: https://lkml.kernel.org/r/20191106224555.943191378@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2819f403
    • Arnd Bergmann's avatar
      y2038: futex: Move compat implementation into futex.c · d3f8c58d
      Arnd Bergmann authored
      commit 04e7712f upstream.
      
      We are going to share the compat_sys_futex() handler between 64-bit
      architectures and 32-bit architectures that need to deal with both 32-bit
      and 64-bit time_t, and this is easier if both entry points are in the
      same file.
      
      In fact, most other system call handlers do the same thing these days, so
      let's follow the trend here and merge all of futex_compat.c into futex.c.
      
      In the process, a few minor changes have to be done to make sure everything
      still makes sense: handle_futex_death() and futex_cmpxchg_enabled() become
      local symbol, and the compat version of the fetch_robust_entry() function
      gets renamed to compat_fetch_robust_entry() to avoid a symbol clash.
      
      This is intended as a purely cosmetic patch, no behavior should
      change.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3f8c58d
    • Navid Emamdoost's avatar
      nbd: prevent memory leak · 344966da
      Navid Emamdoost authored
      commit 03bf73c3 upstream.
      
      In nbd_add_socket when krealloc succeeds, if nsock's allocation fail the
      reallocted memory is leak. The correct behaviour should be assigning the
      reallocted memory to config->socks right after success.
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      344966da
    • Waiman Long's avatar
      x86/speculation: Fix redundant MDS mitigation message · ed7a3dde
      Waiman Long authored
      commit cd5a2aa8 upstream.
      
      Since MDS and TAA mitigations are inter-related for processors that are
      affected by both vulnerabilities, the followiing confusing messages can
      be printed in the kernel log:
      
        MDS: Vulnerable
        MDS: Mitigation: Clear CPU buffers
      
      To avoid the first incorrect message, defer the printing of MDS
      mitigation after the TAA mitigation selection has been done. However,
      that has the side effect of printing TAA mitigation first before MDS
      mitigation.
      
       [ bp: Check box is affected/mitigations are disabled first before
         printing and massage. ]
      Suggested-by: default avatarPawan Gupta <pawan.kumar.gupta@linux.intel.com>
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Mark Gross <mgross@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20191115161445.30809-3-longman@redhat.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed7a3dde
    • Waiman Long's avatar
      x86/speculation: Fix incorrect MDS/TAA mitigation status · 0af5ae26
      Waiman Long authored
      commit 64870ed1 upstream.
      
      For MDS vulnerable processors with TSX support, enabling either MDS or
      TAA mitigations will enable the use of VERW to flush internal processor
      buffers at the right code path. IOW, they are either both mitigated
      or both not. However, if the command line options are inconsistent,
      the vulnerabilites sysfs files may not report the mitigation status
      correctly.
      
      For example, with only the "mds=off" option:
      
        vulnerabilities/mds:Vulnerable; SMT vulnerable
        vulnerabilities/tsx_async_abort:Mitigation: Clear CPU buffers; SMT vulnerable
      
      The mds vulnerabilities file has wrong status in this case. Similarly,
      the taa vulnerability file will be wrong with mds mitigation on, but
      taa off.
      
      Change taa_select_mitigation() to sync up the two mitigation status
      and have them turned off if both "mds=off" and "tsx_async_abort=off"
      are present.
      
      Update documentation to emphasize the fact that both "mds=off" and
      "tsx_async_abort=off" have to be specified together for processors that
      are affected by both TAA and MDS to be effective.
      
       [ bp: Massage and add kernel-parameters.txt change too. ]
      
      Fixes: 1b42f017 ("x86/speculation/taa: Add mitigation for TSX Async Abort")
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: linux-doc@vger.kernel.org
      Cc: Mark Gross <mgross@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20191115161445.30809-2-longman@redhat.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0af5ae26
    • Alexander Kapshuk's avatar
      x86/insn: Fix awk regexp warnings · ed731209
      Alexander Kapshuk authored
      commit 700c1018 upstream.
      
      gawk 5.0.1 generates the following regexp warnings:
      
        GEN      /home/sasha/torvalds/tools/objtool/arch/x86/lib/inat-tables.c
        awk: ../arch/x86/tools/gen-insn-attr-x86.awk:260: warning: regexp escape sequence `\:' is not a known regexp operator
        awk: ../arch/x86/tools/gen-insn-attr-x86.awk:350: (FILENAME=../arch/x86/lib/x86-opcode-map.txt FNR=41) warning: regexp escape sequence `\&' is  not a known regexp operator
      
      Ealier versions of gawk are not known to generate these warnings. The
      gawk manual referenced below does not list characters ':' and '&' as
      needing escaping, so 'unescape' them. See
      
        https://www.gnu.org/software/gawk/manual/html_node/Escape-Sequences.html
      
      for more info.
      
      Running diff on the output generated by the script before and after
      applying the patch reported no differences.
      
       [ bp: Massage commit message. ]
      
      [ Caught the respective tools header discrepancy. ]
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarAlexander Kapshuk <alexander.kapshuk@gmail.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190924044659.3785-1-alexander.kapshuk@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed731209
    • Alexey Brodkin's avatar
      ARC: perf: Accommodate big-endian CPU · 99b933bb
      Alexey Brodkin authored
      commit 5effc09c upstream.
      
      8-letter strings representing ARC perf events are stores in two
      32-bit registers as ASCII characters like that: "IJMP", "IALL", "IJMPTAK" etc.
      
      And the same order of bytes in the word is used regardless CPU endianness.
      
      Which means in case of big-endian CPU core we need to swap bytes to get
      the same order as if it was on little-endian CPU.
      
      Otherwise we're seeing the following error message on boot:
      ------------------------->8----------------------
      ARC perf        : 8 counters (32 bits), 40 conditions, [overflow IRQ support]
      sysfs: cannot create duplicate filename '/devices/arc_pct/events/pmji'
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3
      Stack Trace:
        arc_unwind_core+0xd4/0xfc
        dump_stack+0x64/0x80
        sysfs_warn_dup+0x46/0x58
        sysfs_add_file_mode_ns+0xb2/0x168
        create_files+0x70/0x2a0
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 1 at kernel/events/core.c:12144 perf_event_sysfs_init+0x70/0xa0
      Failed to register pmu: arc_pct, reason -17
      Modules linked in:
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3
      Stack Trace:
        arc_unwind_core+0xd4/0xfc
        dump_stack+0x64/0x80
        __warn+0x9c/0xd4
        warn_slowpath_fmt+0x22/0x2c
        perf_event_sysfs_init+0x70/0xa0
      ---[ end trace a75fb9a9837bd1ec ]---
      ------------------------->8----------------------
      
      What happens here we're trying to register more than one raw perf event
      with the same name "PMJI". Why? Because ARC perf events are 4 to 8 letters
      and encoded into two 32-bit words. In this particular case we deal with 2
      events:
       * "IJMP____" which counts all jump & branch instructions
       * "IJMPC___" which counts only conditional jumps & branches
      
      Those strings are split in two 32-bit words this way "IJMP" + "____" &
      "IJMP" + "C___" correspondingly. Now if we read them swapped due to CPU core
      being big-endian then we read "PMJI" + "____" & "PMJI" + "___C".
      
      And since we interpret read array of ASCII letters as a null-terminated string
      on big-endian CPU we end up with 2 events of the same name "PMJI".
      Signed-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      
      99b933bb
    • Chester Lin's avatar
      ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary · e02f1448
      Chester Lin authored
      commit 1d31999c upstream.
      
      adjust_lowmem_bounds() checks every memblocks in order to find the boundary
      between lowmem and highmem. However some memblocks could be marked as NOMAP
      so they are not used by kernel, which should be skipped while calculating
      the boundary.
      Signed-off-by: default avatarChester Lin <clin@suse.com>
      Reviewed-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e02f1448
    • Gang He's avatar
      ocfs2: remove ocfs2_is_o2cb_active() · 046f0fcf
      Gang He authored
      commit a6346447 upstream.
      
      Remove ocfs2_is_o2cb_active().  We have similar functions to identify
      which cluster stack is being used via osb->osb_cluster_stack.
      
      Secondly, the current implementation of ocfs2_is_o2cb_active() is not
      totally safe.  Based on the design of stackglue, we need to get
      ocfs2_stack_lock before using ocfs2_stack related data structures, and
      that active_stack pointer can be NULL in the case of mount failure.
      
      Link: http://lkml.kernel.org/r/1495441079-11708-1-git-send-email-ghe@suse.comSigned-off-by: default avatarGang He <ghe@suse.com>
      Reviewed-by: default avatarJoseph Qi <jiangqi903@gmail.com>
      Reviewed-by: default avatarEric Ren <zren@suse.com>
      Acked-by: default avatarChangwei Ge <ge.changwei@h3c.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      046f0fcf
    • Max Uvarov's avatar
      net: phy: dp83867: increase SGMII autoneg timer duration · 36bef080
      Max Uvarov authored
      commit 1a97a477 upstream.
      
      After reset SGMII Autoneg timer is set to 2us (bits 6 and 5 are 01).
      That is not enough to finalize autonegatiation on some devices.
      Increase this timer duration to maximum supported 16ms.
      Signed-off-by: default avatarMax Uvarov <muvarov@gmail.com>
      Cc: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ adapted for kernels without phy_modify_mmd ]
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      36bef080
    • Max Uvarov's avatar
      net: phy: dp83867: fix speed 10 in sgmii mode · 87997a78
      Max Uvarov authored
      commit 333061b9 upstream.
      
      For supporting 10Mps speed in SGMII mode DP83867_10M_SGMII_RATE_ADAPT bit
      of DP83867_10M_SGMII_CFG register has to be cleared by software.
      That does not affect speeds 100 and 1000 so can be done on init.
      Signed-off-by: default avatarMax Uvarov <muvarov@gmail.com>
      Cc: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ adapted for kernels without phy_modify_mmd ]
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87997a78
    • David Hildenbrand's avatar
      mm/memory_hotplug: don't access uninitialized memmaps in shrink_zone_span() · 5779cbc9
      David Hildenbrand authored
      commit 7ce700bf upstream.
      
      Let's limit shrinking to !ZONE_DEVICE so we can fix the current code.
      We should never try to touch the memmap of offline sections where we
      could have uninitialized memmaps and could trigger BUGs when calling
      page_to_nid() on poisoned pages.
      
      There is no reliable way to distinguish an uninitialized memmap from an
      initialized memmap that belongs to ZONE_DEVICE, as we don't have
      anything like SECTION_IS_ONLINE we can use similar to
      pfn_to_online_section() for !ZONE_DEVICE memory.
      
      E.g., set_zone_contiguous() similarly relies on pfn_to_online_section()
      and will therefore never set a ZONE_DEVICE zone consecutive.  Stopping
      to shrink the ZONE_DEVICE therefore results in no observable changes,
      besides /proc/zoneinfo indicating different boundaries - something we
      can totally live with.
      
      Before commit d0dc12e8 ("mm/memory_hotplug: optimize memory
      hotplug"), the memmap was initialized with 0 and the node with the right
      value.  So the zone might be wrong but not garbage.  After that commit,
      both the zone and the node will be garbage when touching uninitialized
      memmaps.
      
      Toshiki reported a BUG (race between delayed initialization of
      ZONE_DEVICE memmaps without holding the memory hotplug lock and
      concurrent zone shrinking).
      
        https://lkml.org/lkml/2019/11/14/1040
      
      "Iteration of create and destroy namespace causes the panic as below:
      
            kernel BUG at mm/page_alloc.c:535!
            CPU: 7 PID: 2766 Comm: ndctl Not tainted 5.4.0-rc4 #6
            Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
            RIP: 0010:set_pfnblock_flags_mask+0x95/0xf0
            Call Trace:
             memmap_init_zone_device+0x165/0x17c
             memremap_pages+0x4c1/0x540
             devm_memremap_pages+0x1d/0x60
             pmem_attach_disk+0x16b/0x600 [nd_pmem]
             nvdimm_bus_probe+0x69/0x1c0
             really_probe+0x1c2/0x3e0
             driver_probe_device+0xb4/0x100
             device_driver_attach+0x4f/0x60
             bind_store+0xc9/0x110
             kernfs_fop_write+0x116/0x190
             vfs_write+0xa5/0x1a0
             ksys_write+0x59/0xd0
             do_syscall_64+0x5b/0x180
             entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
        While creating a namespace and initializing memmap, if you destroy the
        namespace and shrink the zone, it will initialize the memmap outside
        the zone and trigger VM_BUG_ON_PAGE(!zone_spans_pfn(page_zone(page),
        pfn), page) in set_pfnblock_flags_mask()."
      
      This BUG is also mitigated by this commit, where we for now stop to
      shrink the ZONE_DEVICE zone until we can do it in a safe and clean way.
      
      Link: http://lkml.kernel.org/r/20191006085646.5768-5-david@redhat.com
      Fixes: f1dd2cd1 ("mm, memory_hotplug: do not associate hotadded memory to zones until online")	[visible after d0dc12e8]
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Reported-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Reported-by: default avatarToshiki Fukasawa <t-fukasawa@vx.jp.nec.com>
      Cc: Oscar Salvador <osalvador@suse.de>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Anshuman Khandual <anshuman.khandual@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: Christophe Leroy <christophe.leroy@c-s.fr>
      Cc: Damian Tometzki <damian.tometzki@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Halil Pasic <pasic@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: Jun Yao <yaojun8558363@gmail.com>
      Cc: Logan Gunthorpe <logang@deltatee.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Pankaj Gupta <pagupta@redhat.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Rich Felker <dalias@libc.org>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Steve Capper <steve.capper@arm.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Wei Yang <richard.weiyang@gmail.com>
      Cc: Wei Yang <richardw.yang@linux.intel.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: Yu Zhao <yuzhao@google.com>
      Cc: <stable@vger.kernel.org>	[4.13+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5779cbc9
    • John Pittman's avatar
      md/raid10: prevent access of uninitialized resync_pages offset · a268d985
      John Pittman authored
      commit 45422b70 upstream.
      
      Due to unneeded multiplication in the out_free_pages portion of
      r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is
      possible to access a resync_pages offset that has not been
      initialized.  This access translates into a crash of the system
      within resync_free_pages() while passing a bad pointer to
      put_page().  Remove the multiplication, preventing access to the
      uninitialized area.
      
      Fixes: f0250618 ("md: raid10: don't use bio's vec table to manage resync pages")
      Cc: stable@vger.kernel.org # 4.12+
      Signed-off-by: default avatarJohn Pittman <jpittman@redhat.com>
      Suggested-by: default avatarDavid Jeffery <djeffery@redhat.com>
      Reviewed-by: default avatarLaurence Oberman <loberman@redhat.com>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a268d985
    • Denis Efremov's avatar
      ath9k_hw: fix uninitialized variable data · f8dc0350
      Denis Efremov authored
      commit 80e84f36 upstream.
      
      Currently, data variable in ar9003_hw_thermo_cal_apply() could be
      uninitialized if ar9300_otp_read_word() will fail to read the value.
      Initialize data variable with 0 to prevent an undefined behavior. This
      will be enough to handle error case when ar9300_otp_read_word() fails.
      
      Fixes: 80fe43f2 ("ath9k_hw: Read and configure thermocal for AR9462")
      Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
      Cc: John W. Linville <linville@tuxdriver.com>
      Cc: Kalle Valo <kvalo@codeaurora.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDenis Efremov <efremov@linux.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8dc0350
    • Hui Peng's avatar
      ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe · f0cfe983
      Hui Peng authored
      commit bfd6e6e6 upstream.
      
      The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
      are initialized to point to the containing `ath10k_usb` object
      according to endpoint descriptors read from the device side, as shown
      below in `ath10k_usb_setup_pipe_resources`:
      
      for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
              endpoint = &iface_desc->endpoint[i].desc;
      
              // get the address from endpoint descriptor
              pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
                                                      endpoint->bEndpointAddress,
                                                      &urbcount);
              ......
              // select the pipe object
              pipe = &ar_usb->pipes[pipe_num];
      
              // initialize the ar_usb field
              pipe->ar_usb = ar_usb;
      }
      
      The driver assumes that the addresses reported in endpoint
      descriptors from device side  to be complete. If a device is
      malicious and does not report complete addresses, it may trigger
      NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and
      `ath10k_usb_free_urb_to_pipe`.
      
      This patch fixes the bug by preventing potential NULL-ptr-deref.
      Signed-off-by: default avatarHui Peng <benquike@gmail.com>
      Reported-by: default avatarHui Peng <benquike@gmail.com>
      Reported-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [groeck: Add driver tag to subject, fix build warning]
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0cfe983
    • Sean Christopherson's avatar
      KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved · 4ae7392a
      Sean Christopherson authored
      commit a78986aa upstream.
      
      Explicitly exempt ZONE_DEVICE pages from kvm_is_reserved_pfn() and
      instead manually handle ZONE_DEVICE on a case-by-case basis.  For things
      like page refcounts, KVM needs to treat ZONE_DEVICE pages like normal
      pages, e.g. put pages grabbed via gup().  But for flows such as setting
      A/D bits or shifting refcounts for transparent huge pages, KVM needs to
      to avoid processing ZONE_DEVICE pages as the flows in question lack the
      underlying machinery for proper handling of ZONE_DEVICE pages.
      
      This fixes a hang reported by Adam Borowski[*] in dev_pagemap_cleanup()
      when running a KVM guest backed with /dev/dax memory, as KVM straight up
      doesn't put any references to ZONE_DEVICE pages acquired by gup().
      
      Note, Dan Williams proposed an alternative solution of doing put_page()
      on ZONE_DEVICE pages immediately after gup() in order to simplify the
      auditing needed to ensure is_zone_device_page() is called if and only if
      the backing device is pinned (via gup()).  But that approach would break
      kvm_vcpu_{un}map() as KVM requires the page to be pinned from map() 'til
      unmap() when accessing guest memory, unlike KVM's secondary MMU, which
      coordinates with mmu_notifier invalidations to avoid creating stale
      page references, i.e. doesn't rely on pages being pinned.
      
      [*] http://lkml.kernel.org/r/20190919115547.GA17963@angband.plReported-by: default avatarAdam Borowski <kilobyte@angband.pl>
      Analyzed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarDan Williams <dan.j.williams@intel.com>
      Cc: stable@vger.kernel.org
      Fixes: 3565fce3 ("mm, x86: get_user_pages() for dax mappings")
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [sean: backport to 4.x; resolve conflict in mmu.c]
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ae7392a
    • Tomas Bortoli's avatar
      Bluetooth: Fix invalid-free in bcsp_close() · 03bf4876
      Tomas Bortoli authored
      commit cf94da6f upstream.
      
      Syzbot reported an invalid-free that I introduced fixing a memleak.
      
      bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
      Nullify bcsp->rx_skb every time it is freed.
      Signed-off-by: default avatarTomas Bortoli <tomasbortoli@gmail.com>
      Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03bf4876
    • Vinayak Menon's avatar
      mm/page_io.c: do not free shared swap slots · 006360ec
      Vinayak Menon authored
      [ Upstream commit 5df373e9 ]
      
      The following race is observed due to which a processes faulting on a
      swap entry, finds the page neither in swapcache nor swap.  This causes
      zram to give a zero filled page that gets mapped to the process,
      resulting in a user space crash later.
      
      Consider parent and child processes Pa and Pb sharing the same swap slot
      with swap_count 2.  Swap is on zram with SWP_SYNCHRONOUS_IO set.
      Virtual address 'VA' of Pa and Pb points to the shared swap entry.
      
      Pa                                       Pb
      
      fault on VA                              fault on VA
      do_swap_page                             do_swap_page
      lookup_swap_cache fails                  lookup_swap_cache fails
                                               Pb scheduled out
      swapin_readahead (deletes zram entry)
      swap_free (makes swap_count 1)
                                               Pb scheduled in
                                               swap_readpage (swap_count == 1)
                                               Takes SWP_SYNCHRONOUS_IO path
                                               zram enrty absent
                                               zram gives a zero filled page
      
      Fix this by making sure that swap slot is freed only when swap count
      drops down to one.
      
      Link: http://lkml.kernel.org/r/1571743294-14285-1-git-send-email-vinmenon@codeaurora.org
      Fixes: aa8d22a1 ("mm: swap: SWP_SYNCHRONOUS_IO: skip swapcache only if swapped page has no other reference")
      Signed-off-by: default avatarVinayak Menon <vinmenon@codeaurora.org>
      Suggested-by: default avatarMinchan Kim <minchan@google.com>
      Acked-by: default avatarMinchan Kim <minchan@kernel.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      006360ec
    • Johannes Berg's avatar
      cfg80211: call disconnect_wk when AP stops · 16a300fb
      Johannes Berg authored
      [ Upstream commit e005bd7d ]
      
      Since we now prevent regulatory restore during STA disconnect
      if concurrent AP interfaces are active, we need to reschedule
      this check when the AP state changes. This fixes never doing
      a restore when an AP is the last interface to stop. Or to put
      it another way: we need to re-check after anything we check
      here changes.
      
      Cc: stable@vger.kernel.org
      Fixes: 113f3aaa ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      16a300fb
    • David Ahern's avatar
      ipv6: Fix handling of LLA with VRF and sockets bound to VRF · 2b3541ff
      David Ahern authored
      [ Upstream commit c2027d1e ]
      
      A recent commit allows sockets bound to a VRF to receive ipv6 link local
      packets. However, it only works for UDP and worse TCP connection attempts
      to the LLA with the only listener bound to the VRF just hang where as
      before the client gets a reset and connection refused. Fix by adjusting
      ir_iif for LL addresses and packets received through a device enslaved
      to a VRF.
      
      Fixes: 6f12fa77 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
      Reported-by: default avatarDonald Sharp <sharpd@cumulusnetworks.com>
      Cc: Mike Manning <mmanning@vyatta.att-mail.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2b3541ff
    • zhong jiang's avatar
      mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock · 091ed093
      zhong jiang authored
      [ Upstream commit d2ab9940 ]
      
      When adding the memory by probing memory block in sysfs interface, there is an
      obvious issue that we will unlock the device_hotplug_lock when fails to takes it.
      
      That issue was introduced in Commit 8df1d0e4
      ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
      
      We should drop out in time when fails to take the device_hotplug_lock.
      
      Fixes: 8df1d0e4 ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
      Reported-by: default avatarYang yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarzhong jiang <zhongjiang@huawei.com>
      Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      091ed093
    • Masahiro Yamada's avatar
      i2c: uniphier-f: fix timeout error after reading 8 bytes · 896f7398
      Masahiro Yamada authored
      [ Upstream commit c2a653de ]
      
      I was totally screwed up in commit eaba6878 ("i2c: uniphier-f:
      fix race condition when IRQ is cleared"). Since that commit, if the
      number of read bytes is multiple of the FIFO size (8, 16, 24... bytes),
      the STOP condition could be issued twice, depending on the timing.
      If this happens, the controller will go wrong, resulting in the timeout
      error.
      
      It was more than 3 years ago when I wrote this driver, so my memory
      about this hardware was vague. Please let me correct the description
      in the commit log of eaba6878.
      
      Clearing the IRQ status on exiting the IRQ handler is absolutely
      fine. This controller makes a pause while any IRQ status is asserted.
      If the IRQ status is cleared first, the hardware may start the next
      transaction before the IRQ handler finishes what it supposed to do.
      
      This partially reverts the bad commit with clear comments so that I
      will never repeat this mistake.
      
      I also investigated what is happening at the last moment of the read
      mode. The UNIPHIER_FI2C_INT_RF interrupt is asserted a bit earlier
      (by half a period of the clock cycle) than UNIPHIER_FI2C_INT_RB.
      
      I consulted a hardware engineer, and I got the following information:
      
      UNIPHIER_FI2C_INT_RF
          asserted at the falling edge of SCL at the 8th bit.
      
      UNIPHIER_FI2C_INT_RB
          asserted at the rising edge of SCL at the 9th (ACK) bit.
      
      In order to avoid calling uniphier_fi2c_stop() twice, check the latter
      interrupt. I also commented this because it is obscure hardware internal.
      
      Fixes: eaba6878 ("i2c: uniphier-f: fix race condition when IRQ is cleared")
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      896f7398
    • Vignesh R's avatar
      spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch · 1efa17ab
      Vignesh R authored
      [ Upstream commit baf8b9f8 ]
      
      Commit b682cffa ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
      broke SPI transfers where bits_per_word != 8. This is because of
      mimsatch between McSPI FIFO level event trigger size (SPI word length) and
      DMA request size(word length * maxburst). This leads to data
      corruption, lockup and errors like:
      
      	spi1.0: EOW timed out
      
      Fix this by setting DMA maxburst size to 1 so that
      McSPI FIFO level event trigger size matches DMA request size.
      
      Fixes: b682cffa ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarDavid Lechner <david@lechnology.com>
      Tested-by: default avatarDavid Lechner <david@lechnology.com>
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1efa17ab
    • Igor Konopko's avatar
      nvme-pci: fix surprise removal · 1b0f1b2d
      Igor Konopko authored
      [ Upstream commit 751a0cc0 ]
      
      When a PCIe NVMe device is not present, nvme_dev_remove_admin() calls
      blk_cleanup_queue() on the admin queue, which frees the hctx for that
      queue.  Moments later, on the same path nvme_kill_queues() calls
      blk_mq_unquiesce_queue() on admin queue and tries to access hctx of it,
      which leads to following OOPS:
      
      Oops: 0000 [#1] SMP PTI
      RIP: 0010:sbitmap_any_bit_set+0xb/0x40
      Call Trace:
       blk_mq_run_hw_queue+0xd5/0x150
       blk_mq_run_hw_queues+0x3a/0x50
       nvme_kill_queues+0x26/0x50
       nvme_remove_namespaces+0xb2/0xc0
       nvme_remove+0x60/0x140
       pci_device_remove+0x3b/0xb0
      
      Fixes: cb4bfda6 ("nvme-pci: fix hot removal during error handling")
      Signed-off-by: default avatarIgor Konopko <igor.j.konopko@intel.com>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1b0f1b2d
    • Kishon Vijay Abraham I's avatar
      PCI: keystone: Use quirk to limit MRRS for K2G · 597a37d0
      Kishon Vijay Abraham I authored
      [ Upstream commit 148e340c ]
      
      PCI controller in K2G also has a limitation that memory read request
      size (MRRS) must not exceed 256 bytes. Use the quirk to limit MRRS
      (added for K2HK, K2L and K2E) for K2G as well.
      Signed-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      597a37d0
    • Nathan Chancellor's avatar
      pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD · c0418c4a
      Nathan Chancellor authored
      [ Upstream commit cd8a145a ]
      
      Clang warns when one enumerated type is implicitly converted to another:
      
      drivers/pinctrl/pinctrl-zynq.c:985:18: warning: implicit conversion from
      enumeration type 'enum zynq_pin_config_param' to different enumeration
      type 'enum pin_config_param' [-Wenum-conversion]
              {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
              ~               ^~~~~~~~~~~~~~~~~~~~~
      drivers/pinctrl/pinctrl-zynq.c:990:16: warning: implicit conversion from
      enumeration type 'enum zynq_pin_config_param' to different enumeration
      type 'enum pin_config_param' [-Wenum-conversion]
              = { PCONFDUMP(PIN_CONFIG_IOSTANDARD, "IO-standard", NULL, true),
                  ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
      macro 'PCONFDUMP'
              .param = a, .display = b, .format = c, .has_arg = d     \
                       ^
      2 warnings generated.
      
      It is expected that pinctrl drivers can extend pin_config_param because
      of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
      isn't an issue. Most drivers that take advantage of this define the
      PIN_CONFIG variables as constants, rather than enumerated values. Do the
      same thing here so that Clang no longer warns.
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Acked-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c0418c4a
    • Nathan Chancellor's avatar
      pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT · 0858006c
      Nathan Chancellor authored
      [ Upstream commit f24bfb39 ]
      
      Clang warns when one enumerated type is implicitly converted to another:
      
      drivers/pinctrl/pinctrl-lpc18xx.c:643:29: warning: implicit conversion
      from enumeration type 'enum lpc18xx_pin_config_param' to different
      enumeration type 'enum pin_config_param' [-Wenum-conversion]
              {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
              ~                          ^~~~~~~~~~~~~~~~~~~~~~~
      drivers/pinctrl/pinctrl-lpc18xx.c:648:12: warning: implicit conversion
      from enumeration type 'enum lpc18xx_pin_config_param' to different
      enumeration type 'enum pin_config_param' [-Wenum-conversion]
              PCONFDUMP(PIN_CONFIG_GPIO_PIN_INT, "gpio pin int", NULL, true),
              ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
      macro 'PCONFDUMP'
              .param = a, .display = b, .format = c, .has_arg = d     \
                       ^
      2 warnings generated.
      
      It is expected that pinctrl drivers can extend pin_config_param because
      of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
      isn't an issue. Most drivers that take advantage of this define the
      PIN_CONFIG variables as constants, rather than enumerated values. Do the
      same thing here so that Clang no longer warns.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/140Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0858006c
    • Nathan Chancellor's avatar
      pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL · 5efa36e7
      Nathan Chancellor authored
      [ Upstream commit b40ac08f ]
      
      Clang warns when one enumerated type is implicitly converted to another:
      
      drivers/pinctrl/bcm/pinctrl-bcm2835.c:707:40: warning: implicit
      conversion from enumeration type 'enum bcm2835_pinconf_param' to
      different enumeration type 'enum pin_config_param' [-Wenum-conversion]
              configs[0] = pinconf_to_config_packed(BCM2835_PINCONF_PARAM_PULL, pull);
                           ~~~~~~~~~~~~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~
      1 warning generated.
      
      It is expected that pinctrl drivers can extend pin_config_param because
      of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
      isn't an issue. Most drivers that take advantage of this define the
      PIN_CONFIG variables as constants, rather than enumerated values. Do the
      same thing here so that Clang no longer warns.
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Acked-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5efa36e7
    • Brian Masney's avatar
      pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues · bad4da12
      Brian Masney authored
      [ Upstream commit 149a9604 ]
      
      When attempting to setup up a gpio hog, device probing would repeatedly
      fail with -EPROBE_DEFERED errors. It was caused by a circular dependency
      between the gpio and pinctrl frameworks. If the gpio-ranges property is
      present in device tree, then the gpio framework will handle the gpio pin
      registration and eliminate the circular dependency.
      
      See Christian Lamparter's commit a86caa9b ("pinctrl: msm: fix
      gpio-hog related boot issues") for a detailed commit message that
      explains the issue in much more detail. The code comment in this commit
      came from Christian's commit.
      Signed-off-by: default avatarBrian Masney <masneyb@onstation.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bad4da12
    • Sriram R's avatar
      cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces · c24fe780
      Sriram R authored
      [ Upstream commit 113f3aaa ]
      
      Currently when an AP and STA interfaces are active in the same or different
      radios, regulatory settings are restored whenever the STA disconnects. This
      restores all channel information including dfs states in all radios.
      For example, if an AP interface is active in one radio and STA in another,
      when radar is detected on the AP interface, the dfs state of the channel
      will be changed to UNAVAILABLE. But when the STA interface disconnects,
      this issues a regulatory disconnect hint which restores all regulatory
      settings in all the radios attached and thereby losing the stored dfs
      state on the other radio where the channel was marked as unavailable
      earlier. Hence prevent such regulatory restore whenever another active
      beaconing interface is present in the same or other radios.
      Signed-off-by: default avatarSriram R <srirrama@codeaurora.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c24fe780
    • Quentin Monnet's avatar
      tools: bpftool: pass an argument to silence open_obj_pinned() · ee7d2473
      Quentin Monnet authored
      [ Upstream commit f120919f ]
      
      Function open_obj_pinned() prints error messages when it fails to open a
      link in the BPF virtual file system. However, in some occasions it is
      not desirable to print an error, for example when we parse all links
      under the bpffs root, and the error is due to some paths actually being
      symbolic links.
      
      Example output:
      
          # ls -l /sys/fs/bpf/
          lrwxrwxrwx 1 root root 0 Oct 18 19:00 ip -> /sys/fs/bpf/tc/
          drwx------ 3 root root 0 Oct 18 19:00 tc
          lrwxrwxrwx 1 root root 0 Oct 18 19:00 xdp -> /sys/fs/bpf/tc/
      
          # bpftool --bpffs prog show
          Error: bpf obj get (/sys/fs/bpf): Permission denied
          Error: bpf obj get (/sys/fs/bpf): Permission denied
      
          # strace -e bpf bpftool --bpffs prog show
          bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/ip", bpf_fd=0}, 72) = -1 EACCES (Permission denied)
          Error: bpf obj get (/sys/fs/bpf): Permission denied
          bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/xdp", bpf_fd=0}, 72) = -1 EACCES (Permission denied)
          Error: bpf obj get (/sys/fs/bpf): Permission denied
          ...
      
      To fix it, pass a bool as a second argument to the function, and prevent
      it from printing an error when the argument is set to true.
      Signed-off-by: default avatarQuentin Monnet <quentin.monnet@netronome.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ee7d2473
    • Frank Rowand's avatar
      of: unittest: initialize args before calling of_*parse_*() · 367e64ce
      Frank Rowand authored
      [ Upstream commit eeb07c57 ]
      
      Callers of of_irq_parse_one() blindly use the pointer args.np
      without checking whether of_irq_parse_one() had an error and
      thus did not set the value of args.np.  Initialize args to
      zero so that using the format "%pOF" to show the value of
      args.np will show "(null)" when of_irq_parse_one() has an
      error.  This prevents the dereference of a random value.
      
      Make the same fix for callers of of_parse_phandle_with_args()
      and of_parse_phandle_with_args_map().
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarAlan Tull <atull@kernel.org>
      Signed-off-by: default avatarFrank Rowand <frank.rowand@sony.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      367e64ce
    • Frank Rowand's avatar
      of: unittest: allow base devicetree to have symbol metadata · e4547e02
      Frank Rowand authored
      [ Upstream commit 5babefb7 ]
      
      The overlay metadata nodes in the FDT created from testcases.dts
      are not handled properly.
      
      The __fixups__ and __local_fixups__ node were added to the live
      devicetree, but should not be.
      
      Only the first property in the /__symbols__ node was added to the
      live devicetree if the live devicetree already contained a
      /__symbols node.  All of the node's properties must be added.
      Tested-by: default avatarAlan Tull <atull@kernel.org>
      Signed-off-by: default avatarFrank Rowand <frank.rowand@sony.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e4547e02
    • YueHaibing's avatar
      net: bcmgenet: return correct value 'ret' from bcmgenet_power_down · 1303c938
      YueHaibing authored
      [ Upstream commit 0db55093 ]
      
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/net/ethernet/broadcom/genet/bcmgenet.c: In function 'bcmgenet_power_down':
      drivers/net/ethernet/broadcom/genet/bcmgenet.c:1136:6: warning:
       variable 'ret' set but not used [-Wunused-but-set-variable]
      
      bcmgenet_power_down should return 'ret' instead of 0.
      
      Fixes: ca8cf341 ("net: bcmgenet: propagate errors from bcmgenet_power_down")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1303c938
    • Colin Ian King's avatar
      ACPICA: Use %d for signed int print formatting instead of %u · 1d6a0dd6
      Colin Ian King authored
      [ Upstream commit f8ddf49b ]
      
      Fix warnings found using static analysis with cppcheck, use %d printf
      format specifier for signed ints rather than %u
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarErik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1d6a0dd6
    • Dmitry Osipenko's avatar
      clk: tegra20: Turn EMC clock gate into divider · d15b8b69
      Dmitry Osipenko authored
      [ Upstream commit 514fddba ]
      
      Kernel should never gate the EMC clock as it causes immediate lockup, so
      removing clk-gate functionality doesn't affect anything. Turning EMC clk
      gate into divider allows to implement glitch-less EMC scaling, avoiding
      reparenting to a backup clock.
      Signed-off-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Acked-by: default avatarPeter De Schrijver <pdeschrijver@nvidia.com>
      Acked-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d15b8b69
    • Mike Manning's avatar
      vrf: mark skb for multicast or link-local as enslaved to VRF · 91c5f99d
      Mike Manning authored
      [ Upstream commit 6f12fa77 ]
      
      The skb for packets that are multicast or to a link-local address are
      not marked as being enslaved to a VRF, if they are received on a socket
      bound to the VRF. This is needed for ND and it is preferable for the
      kernel not to have to deal with the additional use-cases if ll or mcast
      packets are handled as enslaved. However, this does not allow service
      instances listening on unbound and bound to VRF sockets to distinguish
      the VRF used, if packets are sent as multicast or to a link-local
      address. The fix is for the VRF driver to also mark these skb as being
      enslaved to the VRF.
      Signed-off-by: default avatarMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      91c5f99d
    • Tycho Andersen's avatar
      dlm: don't leak kernel pointer to userspace · 5c2a3997
      Tycho Andersen authored
      [ Upstream commit 9de30f3f ]
      
      In copy_result_to_user(), we first create a struct dlm_lock_result, which
      contains a struct dlm_lksb, the last member of which is a pointer to the
      lvb. Unfortunately, we copy the entire struct dlm_lksb to the result
      struct, which is then copied to userspace at the end of the function,
      leaking the contents of sb_lvbptr, which is a valid kernel pointer in some
      cases (indeed, later in the same function the data it points to is copied
      to userspace).
      
      It is an error to leak kernel pointers to userspace, as it undermines KASLR
      protections (see e.g. 65eea8ed ("floppy: Do not copy a kernel pointer to
      user memory in FDGETPRM ioctl") for another example of this).
      Signed-off-by: default avatarTycho Andersen <tycho@tycho.ws>
      Signed-off-by: default avatarDavid Teigland <teigland@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5c2a3997
    • Tycho Andersen's avatar
      dlm: fix invalid free · afb4717a
      Tycho Andersen authored
      [ Upstream commit d968b4e2 ]
      
      dlm_config_nodes() does not allocate nodes on failure, so we should not
      free() nodes when it fails.
      Signed-off-by: default avatarTycho Andersen <tycho@tycho.ws>
      Signed-off-by: default avatarDavid Teigland <teigland@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      afb4717a