commit 5752b50477dace442b8ca238a6957918436efeeb Author: Greg Kroah-Hartman Date: Wed Jun 19 08:00:15 2019 +0200 Linux 5.1.12 commit ee6688c1074cc79d710b95faae7b2241f434658d Author: Nicholas Piggin Date: Fri Jun 7 13:56:35 2019 +1000 powerpc/64s: Fix THP PMD collapse serialisation commit 33258a1db165cf43a9e6382587ad06e9b7f8187c upstream. Commit 1b2443a547f9 ("powerpc/book3s64: Avoid multiple endian conversion in pte helpers") changed the actual bitwise tests in pte_access_permitted by using pte_write() and pte_present() helpers rather than raw bitwise testing _PAGE_WRITE and _PAGE_PRESENT bits. The pte_present() change now returns true for PTEs which are !_PAGE_PRESENT and _PAGE_INVALID, which is the combination used by pmdp_invalidate() to synchronize access from lock-free lookups. pte_access_permitted() is used by pmd_access_permitted(), so allowing GUP lock free access to proceed with such PTEs breaks this synchronisation. This bug has been observed on a host using the hash page table MMU, with random crashes and corruption in guests, usually together with bad PMD messages in the host. Fix this by adding an explicit check in pmd_access_permitted(), and documenting the condition explicitly. The pte_write() change should be okay, and would prevent GUP from falling back to the slow path when encountering savedwrite PTEs, which matches what x86 (that does not implement savedwrite) does. Fixes: 1b2443a547f9 ("powerpc/book3s64: Avoid multiple endian conversion in pte helpers") Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Nicholas Piggin Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit c3871b75cc572ada47b71900b7bcd3f984f82d38 Author: Christophe Leroy Date: Mon Jun 3 08:20:28 2019 +0000 powerpc: Fix kexec failure on book3s/32 commit 6c284228eb356a1ec62a704b4d2329711831eaed upstream. In the old days, _PAGE_EXEC didn't exist on 6xx aka book3s/32. Therefore, allthough __mapin_ram_chunk() was already mapping kernel text with PAGE_KERNEL_TEXT and the rest with PAGE_KERNEL, the entire memory was executable. Part of the memory (first 512kbytes) was mapped with BATs instead of page table, but it was also entirely mapped as executable. In commit 385e89d5b20f ("powerpc/mm: add exec protection on powerpc 603"), we started adding exec protection to some 6xx, namely the 603, for pages mapped via pagetables. Then, in commit 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX"), the exec protection was extended to BAT mapped memory, so that really only the kernel text could be executed. The problem here is that kexec is based on copying some code into upper part of memory then executing it from there in order to install a fresh new kernel at its definitive location. However, the code is position independant and first part of it is just there to deactivate the MMU and jump to the second part. So it is possible to run this first part inplace instead of running the copy. Once the MMU is off, there is no protection anymore and the second part of the code will just run as before. Reported-by: Aaro Koskinen Fixes: 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX") Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Christophe Leroy Tested-by: Aaro Koskinen Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit f14229b4d3a133e22364be46223d470575741e94 Author: Jani Nikula Date: Mon Jun 10 12:30:54 2019 +0300 drm: add fallback override/firmware EDID modes workaround commit 48eaeb7664c76139438724d520a1ea4a84a3ed92 upstream. We've moved the override and firmware EDID (simply "override EDID" from now on) handling to the low level drm_do_get_edid() function in order to transparently use the override throughout the stack. The idea is that you get the override EDID via the ->get_modes() hook. Unfortunately, there are scenarios where the DDC probe in drm_get_edid() called via ->get_modes() fails, although the preceding ->detect() succeeds. In the case reported by Paul Wise, the ->detect() hook, intel_crt_detect(), relies on hotplug detect, bypassing the DDC. In the case reported by Ilpo Järvinen, there is no ->detect() hook, which is interpreted as connected. The subsequent DDC probe reached via ->get_modes() fails, and we don't even look at the override EDID, resulting in no modes being added. Because drm_get_edid() is used via ->detect() all over the place, we can't trivially remove the DDC probe, as it leads to override EDID effectively meaning connector forcing. The goal is that connector forcing and override EDID remain orthogonal. Generally, the underlying problem here is the conflation of ->detect() and ->get_modes() via drm_get_edid(). The former should just detect, and the latter should just get the modes, typically via reading the EDID. As long as drm_get_edid() is used in ->detect(), it needs to retain the DDC probe. Or such users need to have a separate DDC probe step first. The EDID caching between ->detect() and ->get_modes() done by some drivers is a further complication that prevents us from making drm_do_get_edid() adapt to the two cases. Work around the regression by falling back to a separate attempt at getting the override EDID at drm_helper_probe_single_connector_modes() level. With a working DDC and override EDID, it'll never be called; the override EDID will come via ->get_modes(). There will still be a failing DDC probe attempt in the cases that require the fallback. v2: - Call drm_connector_update_edid_property (Paul) - Update commit message about EDID caching (Daniel) Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107583 Reported-by: Paul Wise Cc: Paul Wise References: http://mid.mail-archive.com/alpine.DEB.2.20.1905262211270.24390@whs-18.cs.helsinki.fi Reported-by: Ilpo Järvinen Cc: Ilpo Järvinen Suggested-by: Daniel Vetter References: 15f080f08d48 ("drm/edid: respect connector force for drm_get_edid ddc probe") Fixes: 53fd40a90f3c ("drm: handle override and firmware EDID at drm_do_get_edid() level") Cc: # v4.15+ 56a2b7f2a39a drm/edid: abstract override/firmware EDID retrieval Cc: # v4.15+ Cc: Daniel Vetter Cc: Ville Syrjälä Cc: Harish Chegondi Tested-by: Paul Wise Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20190610093054.28445-1-jani.nikula@intel.com Signed-off-by: Greg Kroah-Hartman commit dafaad6728f6f2121533b5ccf6473028cb47d93d Author: Jani Nikula Date: Fri Jun 7 14:05:12 2019 +0300 drm/edid: abstract override/firmware EDID retrieval commit 56a2b7f2a39a8d4b16a628e113decde3d7400879 upstream. Abstract the debugfs override and the firmware EDID retrieval function. We'll be needing it in the follow-up. No functional changes. Cc: Daniel Vetter Cc: Harish Chegondi Reviewed-by: Daniel Vetter Tested-by: Tested-by: Paul Wise Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20190607110513.12072-1-jani.nikula@intel.com Signed-off-by: Greg Kroah-Hartman commit 99287843422850a557d46bfba2b923d0c8185ce1 Author: Prarit Bhargava Date: Mon Jun 10 13:15:44 2019 -0400 x86/resctrl: Prevent NULL pointer dereference when local MBM is disabled commit c7563e62a6d720aa3b068e26ddffab5f0df29263 upstream. Booting with kernel parameter "rdt=cmt,mbmtotal,memlocal,l3cat,mba" and executing "mount -t resctrl resctrl -o mba_MBps /sys/fs/resctrl" results in a NULL pointer dereference on systems which do not have local MBM support enabled.. BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 722 Comm: kworker/0:3 Not tainted 5.2.0-0.rc3.git0.1.el7_UNSUPPORTED.x86_64 #2 Workqueue: events mbm_handle_overflow RIP: 0010:mbm_handle_overflow+0x150/0x2b0 Only enter the bandwith update loop if the system has local MBM enabled. Fixes: de73f38f7680 ("x86/intel_rdt/mba_sc: Feedback loop to dynamically update mem bandwidth") Signed-off-by: Prarit Bhargava Signed-off-by: Thomas Gleixner Cc: Fenghua Yu Cc: Reinette Chatre Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190610171544.13474-1-prarit@redhat.com Signed-off-by: Greg Kroah-Hartman commit cb1d946347a8ce782371f6bbeb9a7d5e5250d7a7 Author: Baoquan He Date: Thu May 23 10:57:44 2019 +0800 x86/mm/KASLR: Compute the size of the vmemmap section properly commit 00e5a2bbcc31d5fea853f8daeba0f06c1c88c3ff upstream. The size of the vmemmap section is hardcoded to 1 TB to support the maximum amount of system RAM in 4-level paging mode - 64 TB. However, 1 TB is not enough for vmemmap in 5-level paging mode. Assuming the size of struct page is 64 Bytes, to support 4 PB system RAM in 5-level, 64 TB of vmemmap area is needed: 4 * 1000^5 PB / 4096 bytes page size * 64 bytes per page struct / 1000^4 TB = 62.5 TB. This hardcoding may cause vmemmap to corrupt the following cpu_entry_area section, if KASLR puts vmemmap very close to it and the actual vmemmap size is bigger than 1 TB. So calculate the actual size of the vmemmap region needed and then align it up to 1 TB boundary. In 4-level paging mode it is always 1 TB. In 5-level it's adjusted on demand. The current code reserves 0.5 PB for vmemmap on 5-level. With this change, the space can be saved and thus used to increase entropy for the randomization. [ bp: Spell out how the 64 TB needed for vmemmap is computed and massage commit message. ] Fixes: eedb92abb9bb ("x86/mm: Make virtual memory layout dynamic for CONFIG_X86_5LEVEL=y") Signed-off-by: Baoquan He Signed-off-by: Borislav Petkov Reviewed-by: Kees Cook Acked-by: Kirill A. Shutemov Cc: Andy Lutomirski Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: kirill.shutemov@linux.intel.com Cc: Peter Zijlstra Cc: stable Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190523025744.3756-1-bhe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 3fd63c38ed2b14a339ee1e509a77cdaa918b49b0 Author: Andrey Ryabinin Date: Fri Jun 14 17:31:49 2019 +0300 x86/kasan: Fix boot with 5-level paging and KASAN commit f3176ec9420de0c385023afa3e4970129444ac2f upstream. Since commit d52888aa2753 ("x86/mm: Move LDT remap out of KASLR region on 5-level paging") kernel doesn't boot with KASAN on 5-level paging machines. The bug is actually in early_p4d_offset() and introduced by commit 12a8cc7fcf54 ("x86/kasan: Use the same shadow offset for 4- and 5-level paging") early_p4d_offset() tries to convert pgd_val(*pgd) value to a physical address. This doesn't make sense because pgd_val() already contains the physical address. It did work prior to commit d52888aa2753 because the result of "__pa_nodebug(pgd_val(*pgd)) & PTE_PFN_MASK" was the same as "pgd_val(*pgd) & PTE_PFN_MASK". __pa_nodebug() just set some high bits which were masked out by applying PTE_PFN_MASK. After the change of the PAGE_OFFSET offset in commit d52888aa2753 __pa_nodebug(pgd_val(*pgd)) started to return a value with more high bits set and PTE_PFN_MASK wasn't enough to mask out all of them. So it returns a wrong not even canonical address and crashes on the attempt to dereference it. Switch back to pgd_val() & PTE_PFN_MASK to cure the issue. Fixes: 12a8cc7fcf54 ("x86/kasan: Use the same shadow offset for 4- and 5-level paging") Reported-by: Kirill A. Shutemov Signed-off-by: Andrey Ryabinin Signed-off-by: Thomas Gleixner Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: kasan-dev@googlegroups.com Cc: stable@vger.kernel.org Cc: Link: https://lkml.kernel.org/r/20190614143149.2227-1-aryabinin@virtuozzo.com Signed-off-by: Greg Kroah-Hartman commit 7ce303bd5678bafca266a8e4db56752a87f8fada Author: Borislav Petkov Date: Thu Jun 13 15:49:02 2019 +0200 x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback commit 78f4e932f7760d965fb1569025d1576ab77557c5 upstream. Adric Blake reported the following warning during suspend-resume: Enabling non-boot CPUs ... x86: Booting SMP configuration: smpboot: Booting Node 0 Processor 1 APIC 0x2 unchecked MSR access error: WRMSR to 0x10f (tried to write 0x0000000000000000) \ at rIP: 0xffffffff8d267924 (native_write_msr+0x4/0x20) Call Trace: intel_set_tfa intel_pmu_cpu_starting ? x86_pmu_dead_cpu x86_pmu_starting_cpu cpuhp_invoke_callback ? _raw_spin_lock_irqsave notify_cpu_starting start_secondary secondary_startup_64 microcode: sig=0x806ea, pf=0x80, revision=0x96 microcode: updated to revision 0xb4, date = 2019-04-01 CPU1 is up The MSR in question is MSR_TFA_RTM_FORCE_ABORT and that MSR is emulated by microcode. The log above shows that the microcode loader callback happens after the PMU restoration, leading to the conjecture that because the microcode hasn't been updated yet, that MSR is not present yet, leading to the #GP. Add a microcode loader-specific hotplug vector which comes before the PERF vectors and thus executes earlier and makes sure the MSR is present. Fixes: 400816f60c54 ("perf/x86/intel: Implement support for TSX Force Abort") Reported-by: Adric Blake Signed-off-by: Borislav Petkov Reviewed-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Cc: x86@kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=203637 Signed-off-by: Greg Kroah-Hartman commit 4a163bcfef2278d20074f7a11f7d5b94b3f81e4f Author: Borislav Petkov Date: Sat Apr 20 13:27:51 2019 +0200 RAS/CEC: Fix binary search function commit f3c74b38a55aefe1004200d15a83f109b510068c upstream. Switch to using Donald Knuth's binary search algorithm (The Art of Computer Programming, vol. 3, section 6.2.1). This should've been done from the very beginning but the author must've been smoking something very potent at the time. The problem with the current one was that it would return the wrong element index in certain situations: https://lkml.kernel.org/r/CAM_iQpVd02zkVJ846cj-Fg1yUNuz6tY5q1Vpj4LrXmE06dPYYg@mail.gmail.com and the noodling code after the loop was fishy at best. So switch to using Knuth's binary search. The final result is much cleaner and straightforward. Fixes: 011d82611172 ("RAS: Add a Corrected Errors Collector") Reported-by: Cong Wang Signed-off-by: Borislav Petkov Cc: Tony Luck Cc: linux-edac Cc: Signed-off-by: Greg Kroah-Hartman commit f01ebc7a44ce53cc03aad6474d0ae8e7e48243f4 Author: Cong Wang Date: Tue Apr 16 14:33:51 2019 -0700 RAS/CEC: Convert the timer callback to a workqueue commit 0ade0b6240c4853cf9725924c46c10f4251639d7 upstream. cec_timer_fn() is a timer callback which reads ce_arr.array[] and updates its decay values. However, it runs in interrupt context and the mutex protection the CEC uses for that array, is inadequate. Convert the used timer to a workqueue to keep the tasks the CEC performs preemptible and thus low-prio. [ bp: Rewrite commit message. s/timer/decay/gi to make it agnostic as to what facility is used. ] Fixes: 011d82611172 ("RAS: Add a Corrected Errors Collector") Signed-off-by: Cong Wang Signed-off-by: Borislav Petkov Cc: Thomas Gleixner Cc: Tony Luck Cc: linux-edac Cc: Link: https://lkml.kernel.org/r/20190416213351.28999-2-xiyou.wangcong@gmail.com Signed-off-by: Greg Kroah-Hartman commit 53903d9eadad80f669a2405dfb18d5afb06679f5 Author: Thomas Gleixner Date: Thu Jun 13 21:40:45 2019 +0200 timekeeping: Repair ktime_get_coarse*() granularity commit e3ff9c3678b4d80e22d2557b68726174578eaf52 upstream. Jason reported that the coarse ktime based time getters advance only once per second and not once per tick as advertised. The code reads only the monotonic base time, which advances once per second. The nanoseconds are accumulated on every tick in xtime_nsec up to a second and the regular time getters take this nanoseconds offset into account, but the ktime_get_coarse*() implementation fails to do so. Add the accumulated xtime_nsec value to the monotonic base time to get the proper per tick advancing coarse tinme. Fixes: b9ff604cff11 ("timekeeping: Add ktime_get_coarse_with_offset") Reported-by: Jason A. Donenfeld Signed-off-by: Thomas Gleixner Tested-by: Jason A. Donenfeld Cc: Arnd Bergmann Cc: Peter Zijlstra Cc: Clemens Ladisch Cc: Sultan Alsawaf Cc: Waiman Long Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1906132136280.1791@nanos.tec.linutronix.de Signed-off-by: Greg Kroah-Hartman commit ab2986e327e959ab6f2c898d7b95fc6b3bb18d3a Author: Eiichi Tsukata Date: Fri Jun 14 16:40:25 2019 +0900 tracing/uprobe: Fix NULL pointer dereference in trace_uprobe_create() commit f01098c74b5219f3969d4750eeed1a36bfc038e3 upstream. Just like the case of commit 8b05a3a7503c ("tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()"), writing an incorrectly formatted string to uprobe_events can trigger NULL pointer dereference. Reporeducer: # echo r > /sys/kernel/debug/tracing/uprobe_events dmesg: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 8000000079d12067 P4D 8000000079d12067 PUD 7b7ab067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1903 Comm: bash Not tainted 5.2.0-rc3+ #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 RIP: 0010:strchr+0x0/0x30 Code: c0 eb 0d 84 c9 74 18 48 83 c0 01 48 39 d0 74 0f 0f b6 0c 07 3a 0c 06 74 ea 19 c0 83 c8 01 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 <0f> b6 07 89 f2 40 38 f0 75 0e eb 13 0f b6 47 01 48 83 c RSP: 0018:ffffb55fc0403d10 EFLAGS: 00010293 RAX: ffff993ffb793400 RBX: 0000000000000000 RCX: ffffffffa4852625 RDX: 0000000000000000 RSI: 000000000000002f RDI: 0000000000000000 RBP: ffffb55fc0403dd0 R08: ffff993ffb793400 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff993ff9cc1668 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f30c5147700(0000) GS:ffff993ffda00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000007b628000 CR4: 00000000000006f0 Call Trace: trace_uprobe_create+0xe6/0xb10 ? __kmalloc_track_caller+0xe6/0x1c0 ? __kmalloc+0xf0/0x1d0 ? trace_uprobe_create+0xb10/0xb10 create_or_delete_trace_uprobe+0x35/0x90 ? trace_uprobe_create+0xb10/0xb10 trace_run_command+0x9c/0xb0 trace_parse_run_command+0xf9/0x1eb ? probes_open+0x80/0x80 __vfs_write+0x43/0x90 vfs_write+0x14a/0x2a0 ksys_write+0xa2/0x170 do_syscall_64+0x7f/0x200 entry_SYSCALL_64_after_hwframe+0x49/0xbe Link: http://lkml.kernel.org/r/20190614074026.8045-1-devel@etsukata.com Cc: stable@vger.kernel.org Fixes: 0597c49c69d5 ("tracing/uprobes: Use dyn_event framework for uprobe events") Reviewed-by: Srikar Dronamraju Signed-off-by: Eiichi Tsukata Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 1f7add6e9ad8a4148aa07efa76f9c9e27364c624 Author: Daniele Palmas Date: Wed May 15 17:27:49 2019 +0200 USB: serial: option: add Telit 0x1260 and 0x1261 compositions commit f3dfd4072c3ee6e287f501a18b5718b185d6a940 upstream. Added support for Telit LE910Cx 0x1260 and 0x1261 compositions. Signed-off-by: Daniele Palmas Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f895b3bf94e0faa7f1588e4e6e4332fb621ac2ce Author: Jörgen Storvist Date: Mon May 13 18:37:52 2019 +0200 USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode commit 5417a7e482962952e622eabd60cd3600dd65dedf upstream. Added IDs for Simcom SIM7500/SIM7600 series cellular module in RNDIS mode. Reserved the interface for ADB. T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1e0e ProdID=9011 Rev=03.18 S: Manufacturer=SimTech, Incorporated S: Product=SimTech, Incorporated S: SerialNumber=0123456789ABCDEF C: #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) Signed-off-by: Jörgen Storvist Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 65cf18ad79465dff46abcdfab169930a03e32562 Author: Chris Packham Date: Tue May 14 17:35:42 2019 +1200 USB: serial: pl2303: add Allied Telesis VT-Kit3 commit c5f81656a18b271976a86724dadd8344e54de74e upstream. This is adds the vendor and device id for the AT-VT-Kit3 which is a pl2303-based device. Signed-off-by: Chris Packham Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b497d236aaac04358d503c5c29ead6272cc5a03f Author: Kai-Heng Feng Date: Tue Jun 4 00:20:49 2019 +0800 USB: usb-storage: Add new ID to ums-realtek commit 1a6dd3fea131276a4fc44ae77b0f471b0b473577 upstream. There is one more Realtek card reader requires ums-realtek to work correctly. Add the device ID to support it. Signed-off-by: Kai-Heng Feng Cc: stable Signed-off-by: Greg Kroah-Hartman commit 311f94021b09231fc6a17a4e73fa08dc6dc029bd Author: Marco Zatta Date: Sat Jun 1 09:52:57 2019 +0200 USB: Fix chipmunk-like voice when using Logitech C270 for recording audio. commit bd21f0222adab64974b7d1b4b8c7ce6b23e9ea4d upstream. This patch fixes the chipmunk-like voice that manifets randomly when using the integrated mic of the Logitech Webcam HD C270. The issue was solved initially for this device by commit 2394d67e446b ("USB: add RESET_RESUME for webcams shown to be quirky") but it was then reintroduced by e387ef5c47dd ("usb: Add USB_QUIRK_RESET_RESUME for all Logitech UVC webcams"). This patch is to have the fix back. Signed-off-by: Marco Zatta Cc: stable Signed-off-by: Greg Kroah-Hartman commit 81680d2ad09c959d6d821d346db5b40abd614030 Author: Douglas Anderson Date: Fri May 31 13:04:12 2019 -0700 usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression) commit babd183915e91a64e976b9e8ab682bb56624df76 upstream. In commit abb621844f6a ("usb: ch9: make usb_endpoint_maxp() return only packet size") the API to usb_endpoint_maxp() changed. It used to just return wMaxPacketSize but after that commit it returned wMaxPacketSize with the high bits (the multiplier) masked off. If you wanted to get the multiplier it was now up to your code to call the new usb_endpoint_maxp_mult() which was introduced in commit 541b6fe63023 ("usb: add helper to extract bits 12:11 of wMaxPacketSize"). Prior to the API change most host drivers were updated, but no update was made to dwc2. Presumably it was assumed that dwc2 was too simplistic to use the multiplier and thus just didn't support a certain class of USB devices. However, it turns out that dwc2 did use the multiplier and many devices using it were working quite nicely. That means that many USB devices have been broken since the API change. One such device is a Logitech HD Pro Webcam C920. Specifically, though dwc2 didn't directly call usb_endpoint_maxp(), it did call usb_maxpacket() which in turn called usb_endpoint_maxp(). Let's update dwc2 to work properly with the new API. Fixes: abb621844f6a ("usb: ch9: make usb_endpoint_maxp() return only packet size") Cc: stable@vger.kernel.org Acked-by: Minas Harutyunyan Reviewed-by: Matthias Kaehlcke Signed-off-by: Douglas Anderson Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 813bd776d11264147b0bbdd41f1bb404e93d81b1 Author: Martin Schiller Date: Mon Feb 18 07:37:30 2019 +0100 usb: dwc2: Fix DMA cache alignment issues commit 4a4863bf2e7932e584a3a462d3c6daf891142ddc upstream. Insert a padding between data and the stored_xfer_buffer pointer to ensure they are not on the same cache line. Otherwise, the stored_xfer_buffer gets corrupted for IN URBs on non-cache-coherent systems. (In my case: Lantiq xRX200 MIPS) Fixes: 3bc04e28a030 ("usb: dwc2: host: Get aligned DMA in a more supported way") Fixes: 56406e017a88 ("usb: dwc2: Fix DMA alignment to start at allocated boundary") Cc: Tested-by: Douglas Anderson Reviewed-by: Douglas Anderson Acked-by: Minas Harutyunyan Signed-off-by: Martin Schiller Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d785b980f1ee369b32a8d1f7baa93f55699a1f62 Author: Murray McAllister Date: Sat May 11 18:01:37 2019 +1200 drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() commit bcd6aa7b6cbfd6f985f606c6f76046d782905820 upstream. If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after vmw_cmd_res_check(), leading to a null pointer dereference in vmw_view_add(). Cc: Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom Signed-off-by: Greg Kroah-Hartman commit f6802ba1ac0f086ba0f0aa242fc10ecb6058a42f Author: Murray McAllister Date: Mon May 20 21:57:34 2019 +1200 drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read commit 5ed7f4b5eca11c3c69e7c8b53e4321812bc1ee1e upstream. If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID of SVGA3D_INVALID_ID, and a shader type of SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc() when the offset is calculated. Cc: Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Signed-off-by: Murray McAllister Reviewed-by: Thomas Hellstrom Signed-off-by: Thomas Hellstrom Signed-off-by: Greg Kroah-Hartman commit 9fd59946fb156c9932680b8f6fd2ada8c7225c6e Author: Stefan Raspl Date: Sun Apr 21 15:26:24 2019 +0200 tools/kvm_stat: fix fields filter for child events [ Upstream commit 883d25e70b2f699fed9017e509d1ef8e36229b89 ] The fields filter would not work with child fields, as the respective parents would not be included. No parents displayed == no childs displayed. To reproduce, run on s390 (would work on other platforms, too, but would require a different filter name): - Run 'kvm_stat -d' - Press 'f' - Enter 'instruct' Notice that events like instruction_diag_44 or instruction_diag_500 are not displayed - the output remains empty. With this patch, we will filter by matching events and their parents. However, consider the following example where we filter by instruction_diag_44: kvm statistics - summary regex filter: instruction_diag_44 Event Total %Total CurAvg/s exit_instruction 276 100.0 12 instruction_diag_44 256 92.8 11 Total 276 12 Note that the parent ('exit_instruction') displays the total events, but the childs listed do not match its total (256 instead of 276). This is intended (since we're filtering all but one child), but might be confusing on first sight. Signed-off-by: Stefan Raspl Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 14be6a9888534e9671ae5a91abfead030bd64a2b Author: Andrew Jones Date: Thu May 23 13:05:46 2019 +0200 kvm: selftests: aarch64: fix default vm mode [ Upstream commit 55eda003f02f075bab0223a188e548dbf3ac8dfe ] VM_MODE_P52V48_4K is not a valid mode for AArch64. Replace its use in vm_create_default() with a mode that works and represents a good AArch64 default. (We didn't ever see a problem with this because we don't have any unit tests using vm_create_default(), but it's good to get it fixed in advance.) Reported-by: Thomas Huth Signed-off-by: Andrew Jones Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 59bfd2405a5b9de5b5187e7e1f86297f82a0f6f3 Author: Andrew Jones Date: Thu May 23 11:34:05 2019 +0200 kvm: selftests: aarch64: dirty_log_test: fix unaligned memslot size [ Upstream commit bffed38d4fb536c5d5d6c37846a7fb8fde1452fa ] The memory slot size must be aligned to the host's page size. When testing a guest with a 4k page size on a host with a 64k page size, then 3 guest pages are not host page size aligned. Since we just need a nearly arbitrary number of extra pages to ensure the memslot is not aligned to a 64 host-page boundary for this test, then we can use 16, as that's 64k aligned, but not 64 * 64k aligned. Fixes: 76d58e0f07ec ("KVM: fix KVM_CLEAR_DIRTY_LOG for memory slots of unaligned size", 2019-04-17) Signed-off-by: Andrew Jones Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 3b3189503a1f6118f06e01cdbac5b8e9b03d05a8 Author: Christian Borntraeger Date: Fri May 24 16:06:23 2019 +0200 KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION [ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ] kselftests exposed a problem in the s390 handling for memory slots. Right now we only do proper memory slot handling for creation of new memory slots. Neither MOVE, nor DELETION are handled properly. Let us implement those. Signed-off-by: Christian Borntraeger Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit e9545c5d3170e52e735fd797cf33889eae19d115 Author: Paolo Bonzini Date: Mon May 20 17:34:30 2019 +0200 KVM: x86/pmu: do not mask the value that is written to fixed PMUs [ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ] According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of each MSR may be written with any value, and the high-order 8 bits are sign-extended according to the value of bit 31", but the fixed counters in real hardware are limited to the width of the fixed counters ("bits beyond the width of the fixed-function counter are reserved and must be written as zeros"). Fix KVM to do the same. Reported-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit a8ecccf28b99bc4872c768085fbaef9b74c896eb Author: Paolo Bonzini Date: Mon May 20 17:20:40 2019 +0200 KVM: x86/pmu: mask the result of rdpmc according to the width of the counters [ Upstream commit 0e6f467ee28ec97f68c7b74e35ec1601bb1368a7 ] This patch will simplify the changes in the next, by enforcing the masking of the counters to RDPMC and RDMSR. Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 87444f7aafe5a39146bc5aa99d0b15ca28debdf8 Author: Paolo Bonzini Date: Mon May 20 15:34:35 2019 +0200 KVM: x86: do not spam dmesg with VMCS/VMCB dumps [ Upstream commit 6f2f84532c153d32a5e53b6083b06a3e24368d30 ] Userspace can easily set up invalid processor state in such a way that dmesg will be filled with VMCS or VMCB dumps. Disable this by default using a module parameter. Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 0bc54198bacadea467aa447673ecde008e1fb5d4 Author: Wanpeng Li Date: Mon May 20 16:18:06 2019 +0800 KVM: LAPIC: Fix lapic_timer_advance_ns parameter overflow [ Upstream commit 0e6edceb8f18a4e31526d83e6099fef1f29c3af5 ] After commit c3941d9e0 (KVM: lapic: Allow user to disable adaptive tuning of timer advancement), '-1' enables adaptive tuning starting from default advancment of 1000ns. However, we should expose an int instead of an overflow uint module parameter. Before patch: /sys/module/kvm/parameters/lapic_timer_advance_ns:4294967295 After patch: /sys/module/kvm/parameters/lapic_timer_advance_ns:-1 Fixes: c3941d9e0 (KVM: lapic: Allow user to disable adaptive tuning of timer advancement) Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Sean Christopherson Cc: Liran Alon Reviewed-by: Sean Christopherson Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 6b94a1788e174e8adfc114eec752d68ba52e2c7d Author: Yi Wang Date: Mon May 20 12:27:47 2019 +0800 kvm: vmx: Fix -Wmissing-prototypes warnings [ Upstream commit 4d259965655c92053f3255aca14d81aab1e21219 ] We get a warning when build kernel W=1: arch/x86/kvm/vmx/vmx.c:6365:6: warning: no previous prototype for ‘vmx_update_host_rsp’ [-Wmissing-prototypes] void vmx_update_host_rsp(struct vcpu_vmx *vmx, unsigned long host_rsp) Add the missing declaration to fix this. Signed-off-by: Yi Wang Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 963ca35a23410068c4235d194963df4f4e9c0e9d Author: Dan Carpenter Date: Tue May 14 13:34:51 2019 +0300 KVM: selftests: Fix a condition in test_hv_cpuid() [ Upstream commit be7fcf1d1701a5266dd36eab4978476f63d1bd57 ] The code is trying to check that all the padding is zeroed out and it does this: entry->padding[0] == entry->padding[1] == entry->padding[2] == 0 Assume everything is zeroed correctly, then the first comparison is true, the next comparison is false and false is equal to zero so the overall condition is true. This bug doesn't affect run time very badly, but the code should instead just check that all three paddings are zero individually. Also the error message was copy and pasted from an earlier error and it wasn't correct. Fixes: 7edcb7343327 ("KVM: selftests: Add hyperv_cpuid test") Signed-off-by: Dan Carpenter Reviewed-by: Vitaly Kuznetsov Reviewed-by: Thomas Huth Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 936a2fe983a18841b586fd43fd88d79c9fcfd394 Author: Paolo Bonzini Date: Mon May 20 11:55:36 2019 +0200 KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE [ Upstream commit db80927ea1977a845230a161df643b48fd1e1ea4 ] The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE, so the correct size must be that plus sizeof(*vmcs12). This could lead to KVM reading garbage data from userspace and not reporting an error, but is otherwise not sensitive. Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit cf2a3bd43c54b94e4bcd38856c38a164fc43e40c Author: James Morse Date: Wed May 22 18:47:05 2019 +0100 KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid instrumentation [ Upstream commit 623e1528d4090bd1abaf93ec46f047dee9a6fb32 ] KVM has helpers to handle the condition codes of trapped aarch32 instructions. These are marked __hyp_text and used from HYP, but they aren't built by the 'hyp' Makefile, which has all the runes to avoid ASAN and KCOV instrumentation. Move this code to a new hyp/aarch32.c to avoid a hyp-panic when starting an aarch32 guest on a host built with the ASAN/KCOV debug options. Fixes: 021234ef3752f ("KVM: arm64: Make kvm_condition_valid32() accessible from EL2") Fixes: 8cebe750c4d9a ("arm64: KVM: Make kvm_skip_instr32 available to HYP") Signed-off-by: James Morse Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 6e84edc64acdac8daae1cf497c2d8ba74193e79f Author: Jens Axboe Date: Wed May 22 08:47:54 2019 -0600 tools/io_uring: fix Makefile for pthread library link [ Upstream commit 486f069253c3c738dec62daeb16f7232b2cca065 ] Currently fails with: io_uring-bench.o: In function `main': /home/axboe/git/linux-block/tools/io_uring/io_uring-bench.c:560: undefined reference to `pthread_create' /home/axboe/git/linux-block/tools/io_uring/io_uring-bench.c:588: undefined reference to `pthread_join' collect2: error: ld returned 1 exit status Makefile:11: recipe for target 'io_uring-bench' failed make: *** [io_uring-bench] Error 1 Move -lpthread to the end. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit c15fed5c4a04744912bc8f10fbddf1b0ec232bf3 Author: Keith Busch Date: Tue May 21 10:56:43 2019 -0600 nvme-pci: use blk-mq mapping for unmanaged irqs [ Upstream commit cb9e0e5006064a807b5d722c7e3c42f307193792 ] If a device is providing a single IRQ vector, the IO queue will share that vector with the admin queue. This is an unmanaged vector, so does not have a valid PCI IRQ affinity. Avoid trying to extract a managed affinity in this case and let blk-mq set up the cpu:queue mapping instead. Otherwise we'd hit the following warning when the device is using MSI: WARNING: CPU: 4 PID: 7 at drivers/pci/msi.c:1272 pci_irq_get_affinity+0x66/0x80 Modules linked in: nvme nvme_core serio_raw CPU: 4 PID: 7 Comm: kworker/u16:0 Tainted: G W 5.2.0-rc1+ #494 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: nvme-reset-wq nvme_reset_work [nvme] RIP: 0010:pci_irq_get_affinity+0x66/0x80 Code: 0b 31 c0 c3 83 e2 10 48 c7 c0 b0 83 35 91 74 2a 48 8b 87 d8 03 00 00 48 85 c0 74 0e 48 8b 50 30 48 85 d2 74 05 39 70 14 77 05 <0f> 0b 31 c0 c3 48 63 f6 48 8d 04 76 48 8d 04 c2 f3 c3 48 8b 40 30 RSP: 0000:ffffb5abc01d3cc8 EFLAGS: 00010246 RAX: ffff9536786a39c0 RBX: 0000000000000000 RCX: 0000000000000080 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9536781ed000 RBP: ffff95367346a008 R08: ffff95367d43f080 R09: ffff953678c07800 R10: ffff953678164800 R11: 0000000000000000 R12: 0000000000000000 R13: ffff9536781ed000 R14: 00000000ffffffff R15: ffff95367346a008 FS: 0000000000000000(0000) GS:ffff95367d400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdf814a3ff0 CR3: 000000001a20f000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: blk_mq_pci_map_queues+0x37/0xd0 nvme_pci_map_queues+0x80/0xb0 [nvme] blk_mq_alloc_tag_set+0x133/0x2f0 nvme_reset_work+0x105d/0x1590 [nvme] process_one_work+0x291/0x530 worker_thread+0x218/0x3d0 ? process_one_work+0x530/0x530 kthread+0x111/0x130 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x30 ---[ end trace 74587339d93c83c0 ]--- Fixes: 22b5560195bd6 ("nvme-pci: Separate IO and admin queue IRQ vectors") Reported-by: Iván Chavero Reviewed-by: Ming Lei Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit cad9277d17653768139365704a2b10ab15d7b239 Author: Bernd Eckstein <3erndeckstein@gmail.com> Date: Mon May 20 17:31:09 2019 +0200 usbnet: ipheth: fix racing condition [ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ] Fix a racing condition in ipheth.c that can lead to slow performance. Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called. When this happens, the queue is stopped longer than it needs to be, thus reducing network performance. Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order is always correct. In case, usb_submit_urb() fails, the queue is woken up again as callback will not fire. Testing: This racing condition is usually not noticeable, as it has to occur very frequently to slowdown the network. The callback from the USB is usually triggered slow enough, so the situation does not appear. However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10, the we loose the race quite often and the following speedup can be noticed: Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s Signed-off-by: Oliver Zweigle Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com> Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2ca801a952688266f8452b7934e9cfb8f8cf5571 Author: Tom Zanussi Date: Thu Apr 18 10:18:50 2019 -0500 tracing: Prevent hist_field_var_ref() from accessing NULL tracing_map_elts [ Upstream commit 55267c88c003a3648567beae7c90512d3e2ab15e ] hist_field_var_ref() is an implementation of hist_field_fn_t(), which can be called with a null tracing_map_elt elt param when assembling a key in event_hist_trigger(). In the case of hist_field_var_ref() this doesn't make sense, because a variable can only be resolved by looking it up using an already assembled key i.e. a variable can't be used to assemble a key since the key is required in order to access the variable. Upper layers should prevent the user from constructing a key using a variable in the first place, but in case one slips through, it shouldn't cause a NULL pointer dereference. Also if one does slip through, we want to know about it, so emit a one-time warning in that case. Link: http://lkml.kernel.org/r/64ec8dc15c14d305295b64cdfcc6b2b9dd14753f.1555597045.git.tom.zanussi@linux.intel.com Reported-by: Vincent Bernat Signed-off-by: Tom Zanussi Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 568b87fde67086600c9d622dbafddebf2c5300b3 Author: Kees Cook Date: Mon May 20 15:37:49 2019 -0700 selftests/timers: Add missing fflush(stdout) calls [ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ] When running under a pipe, some timer tests would not report output in real-time because stdout flushes were missing after printf()s that lacked a newline. This adds them to restore real-time status output that humans can enjoy. Signed-off-by: Kees Cook Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 2c18fc006324fe4ad6777161076711666b1d9659 Author: Hangbin Liu Date: Mon May 20 12:36:54 2019 +0800 selftests: fib_rule_tests: fix local IPv4 address typo [ Upstream commit fc82d93e57e3d41f79eff19031588b262fc3d0b6 ] The IPv4 testing address are all in 192.51.100.0 subnet. It doesn't make sense to set a 198.51.100.1 local address. Should be a typo. Fixes: 65b2b4939a64 ("selftests: net: initial fib rule tests") Signed-off-by: Hangbin Liu Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4c19b322d58f3c3d530b61a46dff8e3e4ef3d4cc Author: Qian Cai Date: Thu May 16 12:04:53 2019 -0400 libnvdimm: Fix compilation warnings with W=1 [ Upstream commit c01dafad77fea8d64c4fdca0a6031c980842ad65 ] Several places (dimm_devs.c, core.c etc) include label.h but only label.c uses NSINDEX_SIGNATURE, so move its definition to label.c instead. In file included from drivers/nvdimm/dimm_devs.c:23: drivers/nvdimm/label.h:41:19: warning: 'NSINDEX_SIGNATURE' defined but not used [-Wunused-const-variable=] Also, some places abuse "/**" which is only reserved for the kernel-doc. drivers/nvdimm/bus.c:648: warning: cannot understand function prototype: 'struct attribute_group nd_device_attribute_group = ' drivers/nvdimm/bus.c:677: warning: cannot understand function prototype: 'struct attribute_group nd_numa_attribute_group = ' Those are just some member assignments for the "struct attribute_group" instances and it can't be expressed in the kernel-doc. Reviewed-by: Vishal Verma Signed-off-by: Qian Cai Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 2e4bd852418908620292f5204a5bc80a8766cdab Author: Flora Cui Date: Fri May 17 11:33:56 2019 +0800 drm/amdgpu: keep stolen memory on picasso [ Upstream commit 379109351f4f6f2405cf54e7a296055f589c3ad1 ] otherwise screen corrupts during modprobe. Signed-off-by: Flora Cui Reviewed-by: Feifei Xu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8193f14fd6b0b14aabb57ab943d6b9b4ca1bda8b Author: Colin Ian King Date: Sat May 4 17:48:29 2019 +0100 scsi: bnx2fc: fix incorrect cast to u64 on shift operation [ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ] Currently an int is being shifted and the result is being cast to a u64 which leads to undefined behaviour if the shift is more than 31 bits. Fix this by casting the integer value 1 to u64 before the shift operation. Addresses-Coverity: ("Bad shift operation") Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware") Signed-off-by: Colin Ian King Acked-by: Saurav Kashyap Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit fe4efeec6d39a62d4f6f5c07e934d485a49a25bd Author: YueHaibing Date: Thu May 9 23:22:47 2019 +0800 scsi: myrs: Fix uninitialized variable [ Upstream commit 41552199b5518fe26bee0829a28dd1880441b430 ] drivers/scsi/myrs.c: In function 'myrs_log_event': drivers/scsi/myrs.c:821:24: warning: 'sshdr.sense_key' may be used uninitialized in this function [-Wmaybe-uninitialized] struct scsi_sense_hdr sshdr; If ev->ev_code is not 0x1C, sshdr.sense_key may be used uninitialized. Fix this by initializing variable 'sshdr' to 0. Fixes: 77266186397c ("scsi: myrs: Add Mylex RAID controller (SCSI interface)") Signed-off-by: YueHaibing Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6c232693ba8330d7e46a9cf2e8f55431b00747ab Author: Steffen Dirkwinkel Date: Thu May 2 15:03:51 2019 +0200 platform/x86: pmc_atom: Add several Beckhoff Automation boards to critclk_systems DMI table [ Upstream commit d6423bd03031c020121da26c41a26bd5cc6d0da3 ] There are several Beckhoff Automation industrial PC boards which use pmc_plt_clk* clocks for ethernet controllers. This adds affected boards to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and not turned off. Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") Signed-off-by: Steffen Dirkwinkel Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit d2e872e282d18ca58fa2eadaaf854e72c6d78c14 Author: Hans de Goede Date: Mon Apr 29 17:01:35 2019 +0200 platform/x86: pmc_atom: Add Lex 3I380D industrial PC to critclk_systems DMI table [ Upstream commit 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 ] The Lex 3I380D industrial PC has 4 ethernet controllers on board which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks as CLK_CRITICAL and they will not get turned off. Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") Reported-and-tested-by: Semyon Verchenko Signed-off-by: Hans de Goede Acked-by: Andy Shevchenko Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit c13f28fd2ac3dc86925080722b0915690f647b05 Author: Yufen Yu Date: Thu May 16 19:30:07 2019 -0700 nvme: fix memory leak for power latency tolerance [ Upstream commit 510a405d945bc985abc513fafe45890cac34fafa ] Unconditionally hide device pm latency tolerance when uninitializing the controller to ensure all qos resources are released so that we're not leaking this memory. This is safe to call if none were allocated in the first place, or were previously freed. Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions") Suggested-by: Keith Busch Tested-by: David Milburn Signed-off-by: Yufen Yu [changelog] Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit e55f7b646073a7b76db1d8453343e462ee1ae890 Author: Christoph Hellwig Date: Fri May 17 11:47:36 2019 +0200 nvme: release namespace SRCU protection before performing controller ioctls [ Upstream commit 5fb4aac756acacf260b9ebd88747251effa3a2f2 ] Holding the SRCU critical section protecting the namespace list can cause deadlocks when using the per-namespace admin passthrough ioctl to delete as namespace. Release it earlier when performing per-controller ioctls to avoid that. Reported-by: Kenneth Heitke Reviewed-by: Chaitanya Kulkarni Reviewed-by: Keith Busch Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 44dbc0607fa3c033ba2b074b1e340149b2c92066 Author: Christoph Hellwig Date: Fri May 17 02:47:35 2019 -0700 nvme: merge nvme_ns_ioctl into nvme_ioctl [ Upstream commit 90ec611adcf20b96d0c2b7166497d53e4301a57f ] Merge the two functions to make future changes a little easier. Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Chaitanya Kulkarni Signed-off-by: Sasha Levin commit 6a798d80322d44816149eb3604ad44412680be22 Author: Christoph Hellwig Date: Fri May 17 02:47:34 2019 -0700 nvme: remove the ifdef around nvme_nvm_ioctl [ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ] We already have a proper stub if lightnvm is not enabled, so don't bother with the ifdef. Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Chaitanya Kulkarni Signed-off-by: Sasha Levin commit 9dae64651075909ccfeb7157e68d18c49d71e951 Author: Christoph Hellwig Date: Fri May 17 02:47:33 2019 -0700 nvme: fix srcu locking on error return in nvme_get_ns_from_disk [ Upstream commit 100c815cbd56480b3e31518475b04719c363614a ] If we can't get a namespace don't leak the SRCU lock. nvme_ioctl was working around this, but nvme_pr_command wasn't handling this properly. Just do what callers would usually expect. Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Chaitanya Kulkarni Signed-off-by: Sasha Levin commit 214c22bcce60d28aba44d9f4452bdbfad8c36426 Author: Keith Busch Date: Tue May 14 14:07:38 2019 -0600 nvme-pci: Fix controller freeze wait disabling [ Upstream commit e43269e6e5c49d7fec599e6bba71963935b0e4ba ] If a controller disabling didn't start a freeze, don't wait for the operation to complete. Reviewed-by: Ming Lei Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 04d71a2f1cc02036b22379d22d9cd9a52f6f76bc Author: Alexei Starovoitov Date: Thu May 16 21:34:11 2019 -0700 selftests/bpf: fix bpf_get_current_task [ Upstream commit 7ed4b4e60bb1dd3df7a45dfbde3a96efce9df7eb ] Fix bpf_get_current_task() declaration. Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 623d4c8a945df0d6cfe850d7a8eb30d8eb80b6af Author: Yonghong Song Date: Thu May 16 10:17:31 2019 -0700 tools/bpftool: move set_max_rlimit() before __bpf_object__open_xattr() [ Upstream commit ac4e0e055fee5751c78bba1fc9ce508a6874d916 ] For a host which has a lower rlimit for max locked memory (e.g., 64KB), the following error occurs in one of our production systems: # /usr/sbin/bpftool prog load /paragon/pods/52877437/home/mark.o \ /sys/fs/bpf/paragon_mark_21 type cgroup/skb \ map idx 0 pinned /sys/fs/bpf/paragon_map_21 libbpf: Error in bpf_object__probe_name():Operation not permitted(1). Couldn't load basic 'r0 = 0' BPF program. Error: failed to open object file The reason is due to low locked memory during bpf_object__probe_name() which probes whether program name is supported in kernel or not during __bpf_object__open_xattr(). bpftool program load already tries to relax mlock rlimit before bpf_object__load(). Let us move set_max_rlimit() before __bpf_object__open_xattr(), which fixed the issue here. Fixes: 47eff61777c7 ("bpf, libbpf: introduce bpf_object__probe_caps to test BPF capabilities") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 20453017b1d34cd2ddf7ce7a323ad62343a85c05 Author: Mark Rutland Date: Tue May 14 14:30:06 2019 +0530 arm64/mm: Inhibit huge-vmap with ptdump [ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ] The arm64 ptdump code can race with concurrent modification of the kernel page tables. At the time this was added, this was sound as: * Modifications to leaf entries could result in stale information being logged, but would not result in a functional problem. * Boot time modifications to non-leaf entries (e.g. freeing of initmem) were performed when the ptdump code cannot be invoked. * At runtime, modifications to non-leaf entries only occurred in the vmalloc region, and these were strictly additive, as intermediate entries were never freed. However, since commit: commit 324420bf91f6 ("arm64: add support for ioremap() block mappings") ... it has been possible to create huge mappings in the vmalloc area at runtime, and as part of this existing intermediate levels of table my be removed and freed. It's possible for the ptdump code to race with this, and continue to walk tables which have been freed (and potentially poisoned or reallocated). As a result of this, the ptdump code may dereference bogus addresses, which could be fatal. Since huge-vmap is a TLB and memory optimization, we can disable it when the runtime ptdump code is in use to avoid this problem. Cc: Catalin Marinas Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings") Acked-by: Ard Biesheuvel Signed-off-by: Mark Rutland Signed-off-by: Anshuman Khandual Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit d63eddddcc4d2e73d8c5035f1bea856eb6149c80 Author: John Fastabend Date: Mon May 13 21:42:03 2019 -0700 bpf, tcp: correctly handle DONT_WAIT flags and timeo == 0 [ Upstream commit 5fa2ca7c4a3fc176f31b495e1a704862d8188b53 ] The tcp_bpf_wait_data() routine needs to check timeo != 0 before calling sk_wait_event() otherwise we may see unexpected stalls on receiver. Arika did all the leg work here I just formatted, posted and ran a few tests. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Reported-by: Arika Chen Suggested-by: Arika Chen Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 802fcdf906c2698609963a31556daa9a88a2b622 Author: Claudiu Manoil Date: Wed May 15 19:08:56 2019 +0300 enetc: Fix NULL dma address unmap for Tx BD extensions [ Upstream commit f4a0be84d73ec648628bf8094600ceb73cb6073f ] For the unlikely case of TxBD extensions (i.e. ptp) the driver tries to unmap the tx_swbd corresponding to the extension, which is bogus as it has no buffer attached. Signed-off-by: Claudiu Manoil Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 78949aa80248b8ada8dac5f2678c56a751639050 Author: Luca Ceresoli Date: Tue May 14 15:23:07 2019 +0200 net: macb: fix error format in dev_err() [ Upstream commit f413cbb332a0b5251a790f396d0eb4ebcade5dec ] Errors are negative numbers. Using %u shows them as very large positive numbers such as 4294967277 that don't make sense. Use the %d format instead, and get a much nicer -19. Signed-off-by: Luca Ceresoli Fixes: b48e0bab142f ("net: macb: Migrate to devm clock interface") Fixes: 93b31f48b3ba ("net/macb: unify clock management") Fixes: 421d9df0628b ("net/macb: merge at91_ether driver into macb driver") Fixes: aead88bd0e99 ("net: ethernet: macb: Add support for rx_clk") Fixes: f5473d1d44e4 ("net: macb: Support clock management for tsu_clk") Acked-by: Nicolas Ferre Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 97698af1fd791229299c9c3767c12d54b29b0a6e Author: Will Deacon Date: Tue May 14 12:25:28 2019 +0100 arm64: Print physical address of page table base in show_pte() [ Upstream commit 48caebf7e1313eb9f0a06fe59a07ac05b38a5806 ] When dumping the page table in response to an unexpected kernel page fault, we print the virtual (hashed) address of the page table base, but display physical addresses for everything else. Make the page table dumping code in show_pte() consistent, by printing the page table base pointer as a physical address. Reported-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit fd02ab801274e61755a905760dcfd56963af9039 Author: James Smart Date: Mon May 6 17:26:49 2019 -0700 scsi: lpfc: add check for loss of ndlp when sending RRQ [ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ] There was a missing qualification of a valid ndlp structure when calling to send an RRQ for an abort. Add the check. Signed-off-by: Dick Kennedy Signed-off-by: James Smart Tested-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 789e39523d1aad5b40bd58de50392f5cb930be19 Author: James Smart Date: Mon May 6 17:26:48 2019 -0700 scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show [ Upstream commit 79080d349f7f58a2e86c56043a3d04184d5f294a ] Many of the exit cases were not releasing the rcu read lock. Corrected the exit paths. Signed-off-by: Dick Kennedy Signed-off-by: James Smart Tested-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e49a4e0fa2c397f1a925065b0530907ddf8fff4d Author: James Smart Date: Mon May 6 17:26:47 2019 -0700 scsi: lpfc: resolve lockdep warnings [ Upstream commit e2a8be5696e706a2fce6edd11e5c74ce14cffec0 ] There were a number of erroneous comments and incorrect older lockdep checks that were causing a number of warnings. Resolve the following: - Inconsistent lock state warnings in lpfc_nvme_info_show(). - Fixed comments and code on sequences where ring lock is now held instead of hbalock. - Reworked calling sequences around lpfc_sli_iocbq_lookup(). Rather than locking prior to the routine and have routine guess on what lock, take the lock within the routine. The lockdep check becomes unnecessary. - Fixed comments and removed erroneous hbalock checks. Signed-off-by: Dick Kennedy Signed-off-by: James Smart CC: Bart Van Assche Tested-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 61d5556a91a979ef710423ced0b51651a4049ff3 Author: YueHaibing Date: Wed Apr 24 16:02:56 2019 +0800 scsi: qedi: remove set but not used variables 'cdev' and 'udev' [ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ] Fixes gcc '-Wunused-but-set-variable' warning: drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect': drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable] drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable] These have never been used since introduction. Signed-off-by: YueHaibing Acked-by: Manish Rangankar Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a5900464c86b9ee80ed418b7562d51d84caf060c Author: YueHaibing Date: Sat Apr 20 12:05:54 2019 +0800 scsi: qedi: remove memset/memcpy to nfunc and use func instead [ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ] KASAN reports this: BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi] Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429 CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xfa/0x1ce lib/dump_stack.c:113 print_address_description+0x1c4/0x270 mm/kasan/report.c:187 kasan_report+0x149/0x18d mm/kasan/report.c:317 memcpy+0x1f/0x50 mm/kasan/common.c:130 qedi_dbg_err+0xda/0x330 [qedi] ? 0xffffffffc12d0000 qedi_init+0x118/0x1000 [qedi] ? 0xffffffffc12d0000 ? 0xffffffffc12d0000 ? 0xffffffffc12d0000 do_one_initcall+0xfa/0x5ca init/main.c:887 do_init_module+0x204/0x5f6 kernel/module.c:3460 load_module+0x66b2/0x8570 kernel/module.c:3808 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x462e99 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99 RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003 RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 The buggy address belongs to the variable: __func__.67584+0x0/0xffffffffffffd520 [qedi] Memory state around the buggy address: ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa > ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa ^ ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa Currently the qedi_dbg_* family of functions can overrun the end of the source string if it is less than the destination buffer length because of the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc and just use func instead as it is always a null terminated string. Reported-by: Hulk Robot Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") Signed-off-by: YueHaibing Reviewed-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 06363a1a0aa57bb2204c378456f7f32cbc31f3b0 Author: Quinn Tran Date: Mon May 6 13:52:19 2019 -0700 scsi: qla2xxx: Add cleanup for PCI EEH recovery [ Upstream commit 5386a4e6c7fecd282d265a24d930a74ba3c5917b ] During EEH error recovery testing it was discovered that driver's reset() callback partially frees resources used by driver, leaving some stale memory. After reset() is done and when resume() callback in driver uses old data which results into error leaving adapter disabled due to PCIe error. This patch does cleanup for EEH recovery code path and prevents adapter from getting disabled. Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Reviewed-by: Ewan D. Milne Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit eecbe41374e360a6ac4a1b70af2a37e6b4d74441 Author: John Fastabend Date: Mon May 13 07:19:55 2019 -0700 bpf: sockmap fix msg->sg.size account on ingress skb [ Upstream commit cabede8b4f2b746232aa25730a0b752de1cb82ca ] When converting a skb to msg->sg we forget to set the size after the latest ktls/tls code conversion. This patch can be reached by doing a redir into ingress path from BPF skb sock recv hook. Then trying to read the size fails. Fix this by setting the size. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 3f53d093e5f9227a58776061803b769a761fd8b8 Author: John Fastabend Date: Mon May 13 07:19:37 2019 -0700 bpf: sockmap remove duplicate queue free [ Upstream commit c42253cc88206fd0e9868c8b2fd7f9e79f9e0e03 ] In tcp bpf remove we free the cork list and purge the ingress msg list. However we do this before the ref count reaches zero so it could be possible some other access is in progress. In this case (tcp close and/or tcp_unhash) we happen to also hold the sock lock so no path exists but lets fix it otherwise it is extremely fragile and breaks the reference counting rules. Also we already check the cork list and ingress msg queue and free them once the ref count reaches zero so its wasteful to check twice. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 298d3dfbc0be2aa4ad901e73a49e60474b4c3d42 Author: John Fastabend Date: Mon May 13 07:19:19 2019 -0700 bpf: sockmap, only stop/flush strp if it was enabled at some point [ Upstream commit 014894360ec95abe868e94416b3dd6569f6e2c0c ] If we try to call strp_done on a parser that has never been initialized, because the sockmap user is only using TX side for example we get the following error. [ 883.422081] WARNING: CPU: 1 PID: 208 at kernel/workqueue.c:3030 __flush_work+0x1ca/0x1e0 ... [ 883.422095] Workqueue: events sk_psock_destroy_deferred [ 883.422097] RIP: 0010:__flush_work+0x1ca/0x1e0 This had been wrapped in a 'if (psock->parser.enabled)' logic which was broken because the strp_done() was never actually being called because we do a strp_stop() earlier in the tear down logic will set parser.enabled to false. This could result in a use after free if work was still in the queue and was resolved by the patch here, 1d79895aef18f ("sk_msg: Always cancel strp work before freeing the psock"). However, calling strp_stop(), done by the patch marked in the fixes tag, only is useful if we never initialized a strp parser program and never initialized the strp to start with. Because if we had initialized a stream parser strp_stop() would have been called by sk_psock_drop() earlier in the tear down process. By forcing the strp to stop we get past the WARNING in strp_done that checks the stopped flag but calling cancel_work_sync on work that has never been initialized is also wrong and generates the warning above. To fix check if the parser program exists. If the program exists then the strp work has been initialized and must be sync'd and cancelled before free'ing any structures. If no program exists we never initialized the stream parser in the first place so skip the sync/cancel logic implemented by strp_done. Finally, remove the strp_done its not needed and in the case where we are using the stream parser has already been called. Fixes: e8e3437762ad9 ("bpf: Stop the psock parser before canceling its work") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 212a1e05849d34df95bf56c6e9fb3da8d2dd5678 Author: Will Deacon Date: Mon May 13 17:53:03 2019 +0100 drivers/perf: arm_spe: Don't error on high-order pages for aux buf [ Upstream commit 14ae42a6f0b13130a97d94d23481128961de5d38 ] Since commit 5768402fd9c6 ("perf/ring_buffer: Use high order allocations for AUX buffers optimistically"), the perf core tends to back aux buffer allocations with high-order pages with the order encoded in the PagePrivate data. The Arm SPE driver explicitly rejects such pages, causing the perf tool to fail with: | failed to mmap with 12 (Cannot allocate memory) In actual fact, we can simply treat these pages just like any other since the perf core takes care to populate the page array appropriately. In theory we could try to map with PMDs where possible, but for now, let's just get things working again. Cc: Alexander Shishkin Fixes: 5768402fd9c6 ("perf/ring_buffer: Use high order allocations for AUX buffers optimistically") Reported-by: Hanjun Guo Tested-by: Hanjun Guo Tested-by: Sudeep Holla Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 980628e34fef39f05eee1c3a1d575bf181abfdf6 Author: Randall Huang Date: Thu Apr 11 16:26:46 2019 +0800 f2fs: fix to avoid accessing xattr across the boundary [ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ] When we traverse xattr entries via __find_xattr(), if the raw filesystem content is faked or any hardware failure occurs, out-of-bound error can be detected by KASAN. Fix the issue by introducing boundary check. [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task [ 38.402935] c7 1827 Call trace: [ 38.402952] c7 1827 [] dump_backtrace+0x0/0x6bc [ 38.402966] c7 1827 [] show_stack+0x20/0x2c [ 38.402981] c7 1827 [] dump_stack+0xfc/0x140 [ 38.402995] c7 1827 [] print_address_description+0x80/0x2d8 [ 38.403009] c7 1827 [] kasan_report_error+0x198/0x1fc [ 38.403022] c7 1827 [] kasan_report_error+0x0/0x1fc [ 38.403037] c7 1827 [] __asan_load4+0x1b0/0x1b8 [ 38.403051] c7 1827 [] f2fs_getxattr+0x518/0x68c [ 38.403066] c7 1827 [] f2fs_xattr_generic_get+0xb0/0xd0 [ 38.403080] c7 1827 [] __vfs_getxattr+0x1f4/0x1fc [ 38.403096] c7 1827 [] inode_doinit_with_dentry+0x360/0x938 [ 38.403109] c7 1827 [] selinux_d_instantiate+0x2c/0x38 [ 38.403123] c7 1827 [] security_d_instantiate+0x68/0x98 [ 38.403136] c7 1827 [] d_splice_alias+0x58/0x348 [ 38.403149] c7 1827 [] f2fs_lookup+0x608/0x774 [ 38.403163] c7 1827 [] lookup_slow+0x1e0/0x2cc [ 38.403177] c7 1827 [] walk_component+0x160/0x520 [ 38.403190] c7 1827 [] path_lookupat+0x110/0x2b4 [ 38.403203] c7 1827 [] filename_lookup+0x1d8/0x3a8 [ 38.403216] c7 1827 [] user_path_at_empty+0x54/0x68 [ 38.403229] c7 1827 [] SyS_getxattr+0xb4/0x18c [ 38.403241] c7 1827 [] el0_svc_naked+0x34/0x38 Signed-off-by: Randall Huang [Jaegeuk Kim: Fix wrong ending boundary] Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit ebe07a9d508fdad252231f34cf6930d5e6cee8a6 Author: Young Xiao Date: Fri Apr 12 15:45:06 2019 +0800 Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var [ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ] There is an out-of-bounds access to "config[len - 1]" array when the variable "len" is zero. See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()") for details. Signed-off-by: Young Xiao Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f64406369750fbc2a072466a459eafa99a70cc7c Author: Takashi Iwai Date: Thu Apr 11 19:58:32 2019 +0200 Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex" [ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ] This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32. The fix attempt was incorrect, leading to the mutex deadlock through the close of OSS sequencer client. The proper fix needs more consideration, so let's revert it now. Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex") Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 4cd664c08f86ce6b38a684331ca6a207484b6479 Author: Takashi Iwai Date: Tue Apr 9 18:04:17 2019 +0200 ALSA: seq: Fix race of get-subscription call vs port-delete ioctls [ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ] The snd_seq_ioctl_get_subscription() retrieves the port subscriber information as a pointer, while the object isn't protected, hence it may be deleted before the actual reference. This race was spotted by syzkaller and may lead to a UAF. The fix is simply copying the data in the lookup function that performs in the rwsem to protect against the deletion. Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d4cd46f2fda10ee16c97c7e1796133077b0c9c3e Author: Takashi Iwai Date: Tue Apr 9 17:35:22 2019 +0200 ALSA: seq: Protect in-kernel ioctl calls with mutex [ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ] ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller. For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit ca97e0496e5298126c3f28e0b00b09b35c2e8f6b Author: Peter Zijlstra Date: Thu Mar 7 19:54:25 2019 +0100 x86/uaccess, kcov: Disable stack protector [ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ] New tooling noticed this mishap: kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled All the other instrumentation (KASAN,UBSAN) also have stack protector disabled. Signed-off-by: Peter Zijlstra (Intel) Cc: Borislav Petkov Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 81f9ba823490d79a6cabf847199bbea74c8ece57 Author: Lucas De Marchi Date: Wed Jun 5 16:55:35 2019 -0700 drm/i915/dmc: protect against reading random memory commit 326fb6dd1483c985a6ef47db3fa8788bb99e8b83 upstream. While loading the DMC firmware we were double checking the headers made sense, but in no place we checked that we were actually reading memory we were supposed to. This could be wrong in case the firmware file is truncated or malformed. Before this patch: # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin # modprobe i915 # dmesg| grep -i dmc [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7) i.e. it loads random data. Now it fails like below: [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting. i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management. i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915 Before reading any part of the firmware file, validate the input first. Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.") Cc: stable@vger.kernel.org Signed-off-by: Lucas De Marchi Reviewed-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com (cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 54908d1dc7db0a382d42d7f764650572ad601236 Author: Ville Syrjälä Date: Mon Jun 3 17:25:00 2019 +0300 drm/i915: Fix per-pixel alpha with CCS commit 77ce94dbe586c1a6a26cf021c08109c9ce71b3e0 upstream. We forgot to set .has_alpha=true for the A+CCS formats when the code started to consult .has_alpha. This manifests as A+CCS being treated as X+CCS which means no per-pixel alpha blending. Fix the format list appropriately. Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Cc: Matt Roper Cc: Heinrich Fink Reported-by: Heinrich Fink Tested-by: Heinrich Fink Fixes: b20815255693 ("drm/i915: Add plane alpha blending support, v2.") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190603142500.25680-1-ville.syrjala@linux.intel.com Reviewed-by: Maarten Lankhorst (cherry picked from commit 38f300410f3e15b6fec76c8d8baed7111b5ea4e4) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit a51a72a47d73cc0aa6067d0024c98b8d4184e751 Author: Hans de Goede Date: Fri May 24 19:40:27 2019 +0200 drm/i915/dsi: Use a fuzzy check for burst mode clock check commit f9a99131ce18d9dddcaa14ec2c436e42f0bbee5e upstream. Prior to this commit we fail to init the DSI panel on the GPD MicroPC: https://www.indiegogo.com/projects/gpd-micropc-6-inch-handheld-industry-laptop#/ The problem is intel_dsi_vbt_init() failing with the following error: *ERROR* Burst mode freq is less than computed The pclk in the VBT panel modeline is 70000, together with 24 bpp and 4 lines this results in a bitrate value of 70000 * 24 / 4 = 420000. But the target_burst_mode_freq in the VBT is 418000. This commit works around this problem by adding an intel_fuzzy_clock_check when target_burst_mode_freq < bitrate and setting target_burst_mode_freq to bitrate when that checks succeeds, fixing the panel not working. Cc: stable@vger.kernel.org Reviewed-by: Ville Syrjälä Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/20190524174028.21659-2-hdegoede@redhat.com (cherry picked from commit 2c1c55252647abd989b94f725b190c700312d053) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 86a0dbe0232894bd4bd4b8435f2430c0bf600b02 Author: Ville Syrjälä Date: Tue Apr 9 17:40:49 2019 +0300 drm/i915/sdvo: Implement proper HDMI audio support for SDVO commit d74408f528261f900dddb9778f61b5c5a7a6249c upstream. Our SDVO audio support is pretty bogus. We can't push audio over the SDVO bus, so trying to enable audio in the SDVO control register doesn't do anything. In fact it looks like the SDVO encoder will always mix in the audio coming over HDA, and there's no (at least documented) way to disable that from our side. So HDMI audio does work currently on gen4 but only by luck really. On gen3 it got broken by the referenced commit. And what has always been missing on every platform is the ELD. To pass the ELD to the audio driver we need to write it to magic buffer in the SDVO encoder hardware which then gets pulled out via HDA in the other end. Ie. pretty much the same thing we had for native HDMI before we started to just pass the ELD between the drivers. This sort of explains why we even have that silly hardware buffer with native HDMI. $ cat /proc/asound/card0/eld#1.0 -monitor_present 0 -eld_valid 0 +monitor_present 1 +eld_valid 1 +monitor_name LG TV +connection_type HDMI +... This also fixes our state readout since we can now query the SDVO encoder about the state of the "ELD valid" and "presence detect" bits. As mentioned those don't actually control whether audio gets sent over the HDMI cable, but it's the best we can do. And with the state checker appeased we can re-enable HDMI audio for gen3. Cc: stable@vger.kernel.org Cc: Daniel Vetter Cc: zardam@gmail.com Tested-by: zardam@gmail.com Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108976 Fixes: de44e256b92c ("drm/i915/sdvo: Shut up state checker with hdmi cards on gen3") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190409144054.24561-3-ville.syrjala@linux.intel.com Reviewed-by: Imre Deak (cherry picked from commit dc49a56bd43bb04982e64b44436831da801d0237) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 4a12cc87a815ea7ba857d0e8b34686ce8477834e Author: Shirish S Date: Tue Jun 4 21:25:03 2019 +0530 drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc commit 517b91f4cde3043d77b2178548473e8545ef07cb upstream. [What] readptr read always returns zero, since most likely these blocks are either power or clock gated. [How] fetch rptr after amdgpu_ring_alloc() which informs the power management code that the block is about to be used and hence the gating is turned off. Signed-off-by: Louis Li Signed-off-by: Shirish S Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 5d303f97212527788caf03df1802da85f6c08ee9 Author: Kuninori Morimoto Date: Mon May 27 16:51:34 2019 +0900 ASoC: soc-core: fixup references at soc_cleanup_card_resources() commit 29040d1ac569606fece70966179de272cfc0d4db upstream. commit 53e947a0e1f7 ("ASoC: soc-core: merge card resources cleanup method") merged cleanup method of snd_soc_instantiate_card() and soc_cleanup_card_resources(). But, after this commit, if user uses unbind/bind to Component factor drivers, Kernel might indicates refcount error at soc_cleanup_card_resources(). The 1st reason is card->snd_card is still exist even though snd_card_free() was called, but it is already cleaned. We need to set NULL to it. 2nd is card->dapm and card create debugfs, but its dentry is still exist even though it was removed. We need to set NULL to it. Fixes: 53e947a0e1f7 ("ASoC: soc-core: merge card resources cleanup method") Cc: stable@vger.kernel.org # for v5.1 Signed-off-by: Kuninori Morimoto Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 5f3b468a5dc69967930a1a7d6c3d7c3349be866a Author: S.j. Wang Date: Wed May 15 06:42:18 2019 +0000 ASoC: fsl_asrc: Fix the issue about unsupported rate commit b06c58c2a1eed571ea2a6640fdb85b7b00196b1e upstream. When the output sample rate is [8kHz, 30kHz], the limitation of the supported ratio range is [1/24, 8]. In the driver we use (8kHz, 30kHz) instead of [8kHz, 30kHz]. So this patch is to fix this issue and the potential rounding issue with divider. Fixes: fff6e03c7b65 ("ASoC: fsl_asrc: add support for 8-30kHz output sample rate") Cc: Signed-off-by: Shengjiu Wang Acked-by: Nicolin Chen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9afd030f66564477deac27f62a3f012c7dba142e Author: S.j. Wang Date: Thu May 16 06:04:29 2019 +0000 ASoC: cs42xx8: Add regcache mask dirty commit ad6eecbfc01c987e0253371f274c3872042e4350 upstream. Add regcache_mark_dirty before regcache_sync for power of codec may be lost at suspend, then all the register need to be reconfigured. Fixes: 0c516b4ff85c ("ASoC: cs42xx8: Add codec driver support for CS42448/CS42888") Cc: Signed-off-by: Shengjiu Wang Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 097b73d405855ec0c2e44b4ba1f54c29dda9b315 Author: Tejun Heo Date: Wed May 29 13:46:25 2019 -0700 cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css() commit 18fa84a2db0e15b02baa5d94bdb5bd509175d2f6 upstream. A PF_EXITING task can stay associated with an offline css. If such task calls task_get_css(), it can get stuck indefinitely. This can be triggered by BSD process accounting which writes to a file with PF_EXITING set when racing against memcg disable as in the backtrace at the end. After this change, task_get_css() may return a css which was already offline when the function was called. None of the existing users are affected by this change. INFO: rcu_sched self-detected stall on CPU INFO: rcu_sched detected stalls on CPUs/tasks: ... NMI backtrace for cpu 0 ... Call Trace: dump_stack+0x46/0x68 nmi_cpu_backtrace.cold.2+0x13/0x57 nmi_trigger_cpumask_backtrace+0xba/0xca rcu_dump_cpu_stacks+0x9e/0xce rcu_check_callbacks.cold.74+0x2af/0x433 update_process_times+0x28/0x60 tick_sched_timer+0x34/0x70 __hrtimer_run_queues+0xee/0x250 hrtimer_interrupt+0xf4/0x210 smp_apic_timer_interrupt+0x56/0x110 apic_timer_interrupt+0xf/0x20 RIP: 0010:balance_dirty_pages_ratelimited+0x28f/0x3d0 ... btrfs_file_write_iter+0x31b/0x563 __vfs_write+0xfa/0x140 __kernel_write+0x4f/0x100 do_acct_process+0x495/0x580 acct_process+0xb9/0xdb do_exit+0x748/0xa00 do_group_exit+0x3a/0xa0 get_signal+0x254/0x560 do_signal+0x23/0x5c0 exit_to_usermode_loop+0x5d/0xa0 prepare_exit_to_usermode+0x53/0x80 retint_user+0x8/0x8 Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org # v4.2+ Fixes: ec438699a9ae ("cgroup, block: implement task_get_css() and use it in bio_associate_current()") Signed-off-by: Greg Kroah-Hartman commit 13101dcfa290eb36af432dc878f655c6ec04b539 Author: Coly Li Date: Mon Jun 10 06:13:35 2019 +0800 bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached commit 1f0ffa67349c56ea54c03ccfd1e073c990e7411e upstream. When people set a writeback percent via sysfs file, /sys/block/bcache/bcache/writeback_percent current code directly sets BCACHE_DEV_WB_RUNNING to dc->disk.flags and schedules kworker dc->writeback_rate_update. If there is no cache set attached to, the writeback kernel thread is not running indeed, running dc->writeback_rate_update does not make sense and may cause NULL pointer deference when reference cache set pointer inside update_writeback_rate(). This patch checks whether the cache set point (dc->disk.c) is NULL in sysfs interface handler, and only set BCACHE_DEV_WB_RUNNING and schedule dc->writeback_rate_update when dc->disk.c is not NULL (it means the cache device is attached to a cache set). This problem might be introduced from initial bcache commit, but commit 3fd47bfe55b0 ("bcache: stop dc->writeback_rate_update properly") changes part of the original code piece, so I add 'Fixes: 3fd47bfe55b0' to indicate from which commit this patch can be applied. Fixes: 3fd47bfe55b0 ("bcache: stop dc->writeback_rate_update properly") Reported-by: Bjørn Forsman Signed-off-by: Coly Li Reviewed-by: Bjørn Forsman Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 2d87e043ccd40ab179740884499a4de2081bf035 Author: Coly Li Date: Mon Jun 10 06:13:34 2019 +0800 bcache: fix stack corruption by PRECEDING_KEY() commit 31b90956b124240aa8c63250243ae1a53585c5e2 upstream. Recently people report bcache code compiled with gcc9 is broken, one of the buggy behavior I observe is that two adjacent 4KB I/Os should merge into one but they don't. Finally it turns out to be a stack corruption caused by macro PRECEDING_KEY(). See how PRECEDING_KEY() is defined in bset.h, 437 #define PRECEDING_KEY(_k) \ 438 ({ \ 439 struct bkey *_ret = NULL; \ 440 \ 441 if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \ 442 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \ 443 \ 444 if (!_ret->low) \ 445 _ret->high--; \ 446 _ret->low--; \ 447 } \ 448 \ 449 _ret; \ 450 }) At line 442, _ret points to address of a on-stack variable combined by KEY(), the life range of this on-stack variable is in line 442-446, once _ret is returned to bch_btree_insert_key(), the returned address points to an invalid stack address and this address is overwritten in the following called bch_btree_iter_init(). Then argument 'search' of bch_btree_iter_init() points to some address inside stackframe of bch_btree_iter_init(), exact address depends on how the compiler allocates stack space. Now the stack is corrupted. Fixes: 0eacac22034c ("bcache: PRECEDING_KEY()") Signed-off-by: Coly Li Reviewed-by: Rolf Fokkens Reviewed-by: Pierre JUHEN Tested-by: Shenghui Wang Tested-by: Pierre JUHEN Cc: Kent Overstreet Cc: Nix Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 57aa1c63e697c6590c57dc3ab330b4d8017f8a6c Author: Russell King Date: Tue Jun 11 17:48:18 2019 +0100 i2c: acorn: fix i2c warning commit ca21f851cc9643af049226d57fabc3c883ea648e upstream. The Acorn i2c driver (for RiscPC) triggers the "i2c adapter has no name" warning in the I2C core driver, resulting in the RTC being inaccessible. Fix this. Fixes: 2236baa75f70 ("i2c: Sanity checks on adapter registration") Signed-off-by: Russell King Signed-off-by: Wolfram Sang Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 67596a397061d38029c4f40fe57c7a97d476d16c Author: Casey Schaufler Date: Fri May 31 11:53:33 2019 +0100 Smack: Restore the smackfsdef mount option and add missing prefixes commit 6e7739fc938c1ec58d321f70ea41d9548a4cca0f upstream. The 5.1 mount system rework changed the smackfsdef mount option to smackfsdefault. This fixes the regression by making smackfsdef treated the same way as smackfsdefault. Also fix the smack_param_specs[] to have "smack" prefixes on all the names. This isn't visible to a user unless they either: (a) Try to mount a filesystem that's converted to the internal mount API and that implements the ->parse_monolithic() context operation - and only then if they call security_fs_context_parse_param() rather than security_sb_eat_lsm_opts(). There are no examples of this upstream yet, but nfs will probably want to do this for nfs2 or nfs3. (b) Use fsconfig() to configure the filesystem - in which case security_fs_context_parse_param() will be called. This issue is that smack_sb_eat_lsm_opts() checks for the "smack" prefix on the options, but smack_fs_context_parse_param() does not. Fixes: c3300aaf95fb ("smack: get rid of match_token()") Fixes: 2febd254adc4 ("smack: Implement filesystem context security hooks") Cc: stable@vger.kernel.org Reported-by: Jose Bollo Signed-off-by: Casey Schaufler Signed-off-by: David Howells Tested-by: Casey Schaufler Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 96613e1962a29d25fa611b3b56e67a31b40dd4a7 Author: Robin Murphy Date: Mon Jun 3 14:15:37 2019 +0200 iommu/arm-smmu: Avoid constant zero in TLBI writes commit 4e4abae311e4b44aaf61f18a826fd7136037f199 upstream. Apparently, some Qualcomm arm64 platforms which appear to expose their SMMU global register space are still, in fact, using a hypervisor to mediate it by trapping and emulating register accesses. Sadly, some deployed versions of said trapping code have bugs wherein they go horribly wrong for stores using r31 (i.e. XZR/WZR) as the source register. While this can be mitigated for GCC today by tweaking the constraints for the implementation of writel_relaxed(), to avoid any potential arms race with future compilers more aggressively optimising register allocation, the simple way is to just remove all the problematic constant zeros. For the write-only TLB operations, the actual value is irrelevant anyway and any old nearby variable will provide a suitable GPR to encode. The one point at which we really do need a zero to clear a context bank happens before any of the TLB maintenance where crashes have been reported, so is apparently not a problem... :/ Reported-by: AngeloGioacchino Del Regno Tested-by: Marc Gonzalez Signed-off-by: Robin Murphy Signed-off-by: Marc Gonzalez Acked-by: Will Deacon Cc: stable@vger.kernel.org Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 33bc7ca8fbba454861230039d65379e25951e808 Author: Sean Young Date: Mon May 20 15:43:49 2019 -0400 media: dvb: warning about dvb frequency limits produces too much noise commit eb96e57b913ff668b8b804178cdc509f9b3d4472 upstream. This can be a debug message. Favour dev_dbg() over dprintk() as this is already used much more than dprintk(). dvb_frontend: dvb_frontend_get_frequency_limits: frequency interval: tuner: 45000000...860000000, frontend: 44250000...867250000 Fixes: 00ecd6bc7128 ("media: dvb_frontend: add debug message for frequency intervals") Cc: # 5.0 Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 58fd0749b44328ce5c1ac69358cfe9afda50f0d3 Author: Jann Horn Date: Wed May 29 13:31:57 2019 +0200 ptrace: restore smp_rmb() in __ptrace_may_access() commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream. Restore the read memory barrier in __ptrace_may_access() that was deleted a couple years ago. Also add comments on this barrier and the one it pairs with to explain why they're there (as far as I understand). Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks") Cc: stable@vger.kernel.org Acked-by: Kees Cook Acked-by: Oleg Nesterov Signed-off-by: Jann Horn Signed-off-by: Eric W. Biederman Signed-off-by: Greg Kroah-Hartman commit fc84361156fe2c84197c2c9df32f982c08d79e52 Author: Eric W. Biederman Date: Tue May 28 18:46:37 2019 -0500 signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 upstream. Recently syzbot in conjunction with KMSAN reported that ptrace_peek_siginfo can copy an uninitialized siginfo to userspace. Inspecting ptrace_peek_siginfo confirms this. The problem is that off when initialized from args.off can be initialized to a negaive value. At which point the "if (off >= 0)" test to see if off became negative fails because off started off negative. Prevent the core problem by adding a variable found that is only true if a siginfo is found and copied to a temporary in preparation for being copied to userspace. Prevent args.off from being truncated when being assigned to off by testing that off is <= the maximum possible value of off. Convert off to an unsigned long so that we should not have to truncate args.off, we have well defined overflow behavior so if we add another check we won't risk fighting undefined compiler behavior, and so that we have a type whose maximum value is easy to test for. Cc: Andrei Vagin Cc: stable@vger.kernel.org Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit e78511b7b2c6d73c19d83f7040786c2cf8221f19 Author: Minchan Kim Date: Thu Jun 13 15:56:15 2019 -0700 mm/vmscan.c: fix trying to reclaim unevictable LRU page commit a58f2cef26e1ca44182c8b22f4f4395e702a5795 upstream. There was the below bug report from Wu Fangsuo. On the CMA allocation path, isolate_migratepages_range() could isolate unevictable LRU pages and reclaim_clean_page_from_list() can try to reclaim them if they are clean file-backed pages. page:ffffffbf02f33b40 count:86 mapcount:84 mapping:ffffffc08fa7a810 index:0x24 flags: 0x19040c(referenced|uptodate|arch_1|mappedtodisk|unevictable|mlocked) raw: 000000000019040c ffffffc08fa7a810 0000000000000024 0000005600000053 raw: ffffffc009b05b20 ffffffc009b05b20 0000000000000000 ffffffc09bf3ee80 page dumped because: VM_BUG_ON_PAGE(PageLRU(page) || PageUnevictable(page)) page->mem_cgroup:ffffffc09bf3ee80 ------------[ cut here ]------------ kernel BUG at /home/build/farmland/adroid9.0/kernel/linux/mm/vmscan.c:1350! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 7125 Comm: syz-executor Tainted: G S 4.14.81 #3 Hardware name: ASR AQUILAC EVB (DT) task: ffffffc00a54cd00 task.stack: ffffffc009b00000 PC is at shrink_page_list+0x1998/0x3240 LR is at shrink_page_list+0x1998/0x3240 pc : [] lr : [] pstate: 60400045 sp : ffffffc009b05940 .. shrink_page_list+0x1998/0x3240 reclaim_clean_pages_from_list+0x3c0/0x4f0 alloc_contig_range+0x3bc/0x650 cma_alloc+0x214/0x668 ion_cma_allocate+0x98/0x1d8 ion_alloc+0x200/0x7e0 ion_ioctl+0x18c/0x378 do_vfs_ioctl+0x17c/0x1780 SyS_ioctl+0xac/0xc0 Wu found it's due to commit ad6b67041a45 ("mm: remove SWAP_MLOCK in ttu"). Before that, unevictable pages go to cull_mlocked so that we can't reach the VM_BUG_ON_PAGE line. To fix the issue, this patch filters out unevictable LRU pages from the reclaim_clean_pages_from_list in CMA. Link: http://lkml.kernel.org/r/20190524071114.74202-1-minchan@kernel.org Fixes: ad6b67041a45 ("mm: remove SWAP_MLOCK in ttu") Signed-off-by: Minchan Kim Reported-by: Wu Fangsuo Debugged-by: Wu Fangsuo Tested-by: Wu Fangsuo Reviewed-by: Andrew Morton Acked-by: Michal Hocko Cc: Pankaj Suryawanshi Cc: [4.12+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0ef80f61670794ca712e7772ddb61df5764dbf7e Author: Wengang Wang Date: Thu Jun 13 15:56:01 2019 -0700 fs/ocfs2: fix race in ocfs2_dentry_attach_lock() commit be99ca2716972a712cde46092c54dee5e6192bf8 upstream. ocfs2_dentry_attach_lock() can be executed in parallel threads against the same dentry. Make that race safe. The race is like this: thread A thread B (A1) enter ocfs2_dentry_attach_lock, seeing dentry->d_fsdata is NULL, and no alias found by ocfs2_find_local_alias, so kmalloc a new ocfs2_dentry_lock structure to local variable "dl", dl1 ..... (B1) enter ocfs2_dentry_attach_lock, seeing dentry->d_fsdata is NULL, and no alias found by ocfs2_find_local_alias so kmalloc a new ocfs2_dentry_lock structure to local variable "dl", dl2. ...... (A2) set dentry->d_fsdata with dl1, call ocfs2_dentry_lock() and increase dl1->dl_lockres.l_ro_holders to 1 on success. ...... (B2) set dentry->d_fsdata with dl2 call ocfs2_dentry_lock() and increase dl2->dl_lockres.l_ro_holders to 1 on success. ...... (A3) call ocfs2_dentry_unlock() and decrease dl2->dl_lockres.l_ro_holders to 0 on success. .... (B3) call ocfs2_dentry_unlock(), decreasing dl2->dl_lockres.l_ro_holders, but see it's zero now, panic Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.com Signed-off-by: Wengang Wang Reported-by: Daniel Sobe Tested-by: Daniel Sobe Reviewed-by: Changwei Ge Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e3047644767788eafb79932c9f11c4234089a007 Author: Shakeel Butt Date: Thu Jun 13 15:55:49 2019 -0700 mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node commit 3510955b327176fd4cbab5baa75b449f077722a2 upstream. Syzbot reported following memory leak: ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79 BUG: memory leak unreferenced object 0xffff888114f26040 (size 32): comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s) hex dump (first 32 bytes): 40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff @`......@`...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: slab_post_alloc_hook mm/slab.h:439 [inline] slab_alloc mm/slab.c:3326 [inline] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 kmalloc include/linux/slab.h:547 [inline] __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352 memcg_init_list_lru_node mm/list_lru.c:375 [inline] memcg_init_list_lru mm/list_lru.c:459 [inline] __list_lru_init+0x193/0x2a0 mm/list_lru.c:626 alloc_super+0x2e0/0x310 fs/super.c:269 sget_userns+0x94/0x2a0 fs/super.c:609 sget+0x8d/0xb0 fs/super.c:660 mount_nodev+0x31/0xb0 fs/super.c:1387 fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236 legacy_get_tree+0x27/0x80 fs/fs_context.c:661 vfs_get_tree+0x2e/0x120 fs/super.c:1476 do_new_mount fs/namespace.c:2790 [inline] do_mount+0x932/0xc50 fs/namespace.c:3110 ksys_mount+0xab/0x120 fs/namespace.c:3319 __do_sys_mount fs/namespace.c:3333 [inline] __se_sys_mount fs/namespace.c:3330 [inline] __x64_sys_mount+0x26/0x30 fs/namespace.c:3330 do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This is a simple off by one bug on the error path. Link: http://lkml.kernel.org/r/20190528043202.99980-1-shakeelb@google.com Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists") Reported-by: syzbot+f90a420dfe2b1b03cb2c@syzkaller.appspotmail.com Signed-off-by: Shakeel Butt Acked-by: Michal Hocko Reviewed-by: Kirill Tkhai Cc: [4.0+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3d61202e8a4c021af12a564d8ed42d08ff03ac14 Author: Eric Biggers Date: Wed Jun 12 14:58:43 2019 -0700 io_uring: fix memory leak of UNIX domain socket inode commit 355e8d26f719c207aa2e00e6f3cfab3acf21769b upstream. Opening and closing an io_uring instance leaks a UNIX domain socket inode. This is because the ->file of the io_uring instance's internal UNIX domain socket is set to point to the io_uring file, but then sock_release() sees the non-NULL ->file and assumes the inode reference is held by the file so doesn't call iput(). That's not the case here, since the reference is still meant to be held by the socket; the actual inode of the io_uring file is different. Fix this leak by NULL-ing out ->file before releasing the socket. Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com Fixes: 2b188cc1bb85 ("Add io_uring IO interface") Cc: # v5.1+ Signed-off-by: Eric Biggers Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b8833542a91e16b3ff1d4853f846080d656db3bd Author: Hans de Goede Date: Tue Jun 11 16:32:59 2019 +0200 libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk commit 31f6264e225fb92cf6f4b63031424f20797c297d upstream. We've received a bugreport that using LPM with ST1000LM024 drives leads to system lockups. So it seems that these models are buggy in more then 1 way. Add NOLPM quirk to the existing quirks entry for BROKEN_FPDMA_AA. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330 Cc: stable@vger.kernel.org Reviewed-by: Martin K. Petersen Signed-off-by: Hans de Goede Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 6c729c9b9d42aaafc083907e280343fdb822bb60 Author: Gen Zhang Date: Wed Jun 12 21:55:38 2019 +0800 selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts() commit fec6375320c6399c708fa9801f8cfbf950fee623 upstream. In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. And 'mnt_opts' should be freed when error. Signed-off-by: Gen Zhang Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") Cc: Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit ea9a004020c96178f1307019c689d5f588414850 Author: Gen Zhang Date: Wed Jun 12 21:28:21 2019 +0800 selinux: fix a missing-check bug in selinux_add_mnt_opt( ) commit e2e0e09758a6f7597de0f9b819647addfb71b6bd upstream. In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns NULL when fails. So 'val' should be checked. And 'mnt_opts' should be freed when error. Signed-off-by: Gen Zhang Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()") Cc: [PM: fixed some indenting problems] Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit bc690120360b8e56a056dc031b2d29f713910686 Author: Ondrej Mosnacek Date: Tue Jun 11 10:07:19 2019 +0200 selinux: log raw contexts as untrusted strings commit aff7ed4851680d0d28ad9f52cd2f99213e1371b2 upstream. These strings may come from untrusted sources (e.g. file xattrs) so they need to be properly escaped. Reproducer: # setenforce 0 # touch /tmp/test # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test # runcon system_u:system_r:sshd_t:s0 cat /tmp/test (look at the generated AVCs) Actual result: type=AVC [...] trawcon=kuřecí řízek Expected result: type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Ondrej Mosnacek Acked-by: Richard Guy Briggs Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit d3a341b4e675ca38d204e2c1b0e53dd46fc10ea3 Author: Takashi Sakamoto Date: Sat Jun 1 12:08:01 2019 +0900 ALSA: firewire-motu: fix destruction of data for isochronous resources commit 0e3fb6995bfabb23c172e8b883bf5ac57102678e upstream. The data for isochronous resources is not destroyed in expected place. This commit fixes the bug. Cc: # v4.12+ Fixes: 9b2bb4f2f4a2 ("ALSA: firewire-motu: add stream management functionality") Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ff9a9f2425d6a8ed1122471863cb3ff3633a9e83 Author: Kailang Yang Date: Fri May 31 17:16:53 2019 +0800 ALSA: hda/realtek - Update headset mode for ALC256 commit 717f43d81afc1250300479075952a0e36d74ded3 upstream. ALC255 and ALC256 were some difference for hidden register. This update was suitable for ALC256. Fixes: e69e7e03ed22 ("ALSA: hda/realtek - ALC256 speaker noise issue") Signed-off-by: Kailang Yang Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f7e3bf3a2c5ddf70bc656451d91e98465430b0a0 Author: Rui Nuno Capela Date: Fri Jun 7 15:13:37 2019 +0100 ALSA: ice1712: Check correct return value to snd_i2c_sendbytes (EWS/DMX 6Fire) commit 352bcae97f9ba87801f497571cdec20af190efe1 upstream. Check for exact and correct return value to snd_i2c_sendbytes call for EWS/DMX 6Fire (snd_ice1712). Fixes a systemic error on every boot starting from kernel 5.1 onwards to snd_ice1712 driver ("cannot send pca") on Terratec EWS/DMX 6Fire PCI soundcards. Check for exact and correct return value to snd_i2c_sendbytes call for EWS/DMX 6Fire (snd_ice1712). Fixes a systemic error on every boot to snd_ice1712 driver ("cannot send pca") on Terratec EWS/DMX 6Fire PCI soundcards. Fixes: c99776cc4018 ("ALSA: ice1712: fix a missing check of snd_i2c_sendbytes") Signed-off-by: Rui Nuno Capela Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3e5c551d76f999e388cfb713e0a597d7d3eab3e4 Author: Takashi Sakamoto Date: Sun Jun 9 19:29:12 2019 +0900 ALSA: oxfw: allow PCM capture for Stanton SCS.1m commit d8fa87c368f5b4096c4746894fdcc195da285df1 upstream. Stanton SCS.1m can transfer isochronous packet with Multi Bit Linear Audio data channels, therefore it allows software to capture PCM substream. However, ALSA oxfw driver doesn't. This commit changes the driver to add one PCM substream for capture direction. Fixes: de5126cc3c0b ("ALSA: oxfw: add stream format quirk for SCS.1 models") Cc: # v4.5+ Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 669825b1ca30e85385ead24a10241bf26bc69412 Author: Hui Wang Date: Fri Jun 14 16:44:12 2019 +0800 Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops" commit 17d304604a88cf20c8dfd2c95d3decb9c4f8bca4 upstream. This reverts commit 9cb40eb184c4220d244a532bd940c6345ad9dbd9. This patch introduces noise and headphone playback issue after rebooting or suspending/resuming. Let us revert it. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203831 Fixes: 9cb40eb184c4 ("ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops") Cc: Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ffca8e0c6a69f7cd869e34f92ee697d21f9da511 Author: Jason Gerecke Date: Tue May 7 11:53:22 2019 -0700 HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary commit 69dbdfffef20c715df9f381b2cee4e9e0a4efd93 upstream. The Bluetooth interface of the 2nd-gen Intuos Pro batches together four independent "frames" of finger data into a single report. Each frame is essentially equivalent to a single USB report, with the up-to-10 fingers worth of information being spread across two frames. At the moment the driver only calls `input_sync` after processing all four frames have been processed, which can result in the driver sending multiple updates for a single slot within the same SYN_REPORT. This can confuse userspace, so modify the driver to sync more often if necessary (i.e., after reporting the state of all fingers). Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") Cc: # 4.11+ Signed-off-by: Jason Gerecke Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit c92181f5f5135a9e9fc8077c9e864261140b461f Author: Jason Gerecke Date: Tue May 7 11:53:21 2019 -0700 HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth commit 6441fc781c344df61402be1fde582c4491fa35fa upstream. The button numbering of the 2nd-gen Intuos Pro is not consistent between the USB and Bluetooth interfaces. Over USB, the HID_GENERIC codepath enumerates the eight ExpressKeys first (BTN_0 - BTN_7) followed by the center modeswitch button (BTN_8). The Bluetooth codepath, however, has the center modeswitch button as BTN_0 and the the eight ExpressKeys as BTN_1 - BTN_8. To ensure userspace button mappings do not change depending on how the tablet is connected, modify the Bluetooth codepath to report buttons in the same order as USB. To ensure the mode switch LED continues to toggle in response to the mode switch button, the `wacom_is_led_toggled` function also requires a small update. Link: https://github.com/linuxwacom/input-wacom/pull/79 Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") Cc: # 4.11+ Signed-off-by: Jason Gerecke Reviewed-by: Aaron Skomra Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 0618e119af258b70bba3349d2a48465eef752b19 Author: Jason Gerecke Date: Tue May 7 11:53:20 2019 -0700 HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact commit fe7f8d73d1af19b678171170e4e5384deb57833d upstream. The Bluetooth reports from the 2nd-gen Intuos Pro have separate bits for indicating if the tip or eraser is in contact with the tablet. At the moment, only the tip contact bit controls the state of the BTN_TOUCH event. This prevents the eraser from working as expected. This commit changes the driver to send BTN_TOUCH whenever either the tip or eraser contact bit is set. Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") Cc: # 4.11+ Signed-off-by: Jason Gerecke Reviewed-by: Aaron Skomra Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 1ee43115baa6136e71f3e4cbe19302a846967774 Author: Jason Gerecke Date: Wed Apr 24 15:12:58 2019 -0700 HID: wacom: Don't report anything prior to the tool entering range commit e92a7be7fe5b2510fa60965eaf25f9e3dc08b8cc upstream. If the tool spends some time in prox before entering range, a series of events (e.g. ABS_DISTANCE, MSC_SERIAL) can be sent before we or userspace have any clue about the pen whose data is being reported. We need to hold off on reporting anything until the pen has entered range. Since we still want to report events that occur "in prox" after the pen has *left* range we use 'wacom-tool[0]' as the indicator that the pen did at one point enter range and provide us/userspace with tool type and serial number information. Fixes: a48324de6d4d ("HID: wacom: Bluetooth IRQ for Intuos Pro should handle prox/range") Cc: # 4.11+ Signed-off-by: Jason Gerecke Reviewed-by: Aaron Armstrong Skomra Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit c6c01a0d04bcbf886024abb7ea39b994ffaa25d2 Author: Jason Gerecke Date: Wed Apr 24 15:12:57 2019 -0700 HID: wacom: Don't set tool type until we're in range commit 2cc08800a6b9fcda7c7afbcf2da1a6e8808da725 upstream. The serial number and tool type information that is reported by the tablet while a pen is merely "in prox" instead of fully "in range" can be stale and cause us to report incorrect tool information. Serial number, tool type, and other information is only valid once the pen comes fully in range so we should be careful to not use this information until that point. In particular, this issue may cause the driver to incorectly report BTN_TOOL_RUBBER after switching from the eraser tool back to the pen. Fixes: a48324de6d4d ("HID: wacom: Bluetooth IRQ for Intuos Pro should handle prox/range") Cc: # 4.11+ Signed-off-by: Jason Gerecke Reviewed-by: Aaron Armstrong Skomra Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit f6fa57cc2ac2140e2e5751985d0d5374abdfccd9 Author: Benjamin Tissoires Date: Tue May 21 15:38:31 2019 +0200 HID: multitouch: handle faulty Elo touch device commit 81bcbad53bab4bf9f200eda303d7a05cdb9bd73b upstream. Since kernel v5.0, one single win8 touchscreen device failed. And it turns out this is because it reports 2 InRange usage per touch. It's a first, and I *really* wonder how this was allowed by Microsoft in the first place. But IIRC, Breno told me this happened *after* a firmware upgrade... Anyway, better be safe for those crappy devices, and make sure we have a full slot before jumping to the next. This won't prevent all crappy devices to fail here, but at least we will have a safeguard as long as the contact ID and the X and Y coordinates are placed in the report after the grabage. Fixes: 01eaac7e5713 ("HID: multitouch: remove one copy of values") CC: stable@vger.kernel.org # v5.0+ Reported-and-tested-by: Breno Leitao Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 1af738ad19a722cceb00051742a49eb59ed2328d Author: Benjamin Tissoires Date: Wed Jun 5 14:44:05 2019 +0200 Revert "HID: Increase maximum report size allowed by hid_field_extract()" commit 15fc1b5c86128f91c8c6699c3b0d9615740b13f1 upstream. This reverts commit 94a9992f7dbdfb28976b565af220e0c4a117144a. The commit allows for more than 32 bits in hid_field_extract(), but the return value is a 32 bits int. So basically what this commit is doing is just silencing those legitimate errors. Revert to a previous situation in the hope that a proper fix will be impletemented. Fixes: 94a9992f7dbd ("HID: Increase maximum report size allowed by hid_field_extract()") Cc: stable@vger.kernel.org # v5.1 Acked-by: Jiri Kosina Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 0e3b0666fbe80dd239ea3d07c71d3d787eaf80b4 Author: Benjamin Tissoires Date: Thu Apr 18 09:47:41 2019 +0200 HID: input: fix assignment of .value commit 39b3c3a5fbc5d744114e497d35bf0c12f798c134 upstream. The value field is actually an array of .maxfield. We should assign the correct number to the correct usage. Not that we never encounter a device that requires this ATM, but better have the proper code path. Fixes: 2dc702c991e377 ("HID: input: use the Resolution Multiplier for high-resolution scrolling") Cc: stable@vger.kernel.org # v5.0+ Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 76f693f078d2e77ab85737d4d5ac07f041578d1f Author: Benjamin Tissoires Date: Wed Apr 3 16:20:20 2019 +0200 HID: input: make sure the wheel high resolution multiplier is set commit d43c17ead879ba7c076dc2f5fd80cd76047c9ff4 upstream. Some old mice have a tendency to not accept the high resolution multiplier. They reply with a -EPIPE which was previously ignored. Force the call to resolution multiplier to be synchronous and actually check for the answer. If this fails, consider the mouse like a normal one. Fixes: 2dc702c991e377 ("HID: input: use the Resolution Multiplier for high-resolution scrolling") Link: https://bugzilla.redhat.com/show_bug.cgi?id=1700071 Reported-and-tested-by: James Feeney Cc: stable@vger.kernel.org # v5.0+ Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 2bf61c27223101802311fb1025d617bc14681093 Author: Thomas Backlund Date: Sat Jun 15 12:22:44 2019 +0300 nouveau: Fix build with CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT disabled Not-entirely-upstream-sha1-but-equivalent: bed2dd8421 ("drm/ttm: Quick-test mmap offset in ttm_bo_mmap()") Setting CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=n (added by commit: b30a43ac7132) causes the build to fail with: ERROR: "drm_legacy_mmap" [drivers/gpu/drm/nouveau/nouveau.ko] undefined! This does not happend upstream as the offending code got removed in: bed2dd8421 ("drm/ttm: Quick-test mmap offset in ttm_bo_mmap()") Fix that by adding check for CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT around the drm_legacy_mmap() call. Also, as Sven Joachim pointed out, we need to make the check in CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=n case return -EINVAL as its done for basically all other gpu drivers, especially in upstream kernels drivers/gpu/drm/ttm/ttm_bo_vm.c as of the upstream commit bed2dd8421. NOTE. This is a minimal stable-only fix for trees where b30a43ac7132 is backported as the build error affects nouveau only. Fixes: b30a43ac7132 ("drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)") Signed-off-by: Thomas Backlund Cc: stable@vger.kernel.org Cc: Daniel Vetter Cc: Sven Joachim Signed-off-by: Greg Kroah-Hartman commit 3b0a591ce2a0f689d76a207c1b7d031edd823847 Author: Dave Airlie Date: Thu Apr 18 16:45:15 2019 +1000 drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3) commit b30a43ac7132cdda833ac4b13dd1ebd35ace14b7 upstream. There was a nouveau DDX that relied on legacy context ioctls to work, but we fixed it years ago, give distros that have a modern DDX the option to break the uAPI and close the mess of holes that legacy context support is. Full context of the story: commit 0e975980d435d58df2d430d688b8c18778b42218 Author: Peter Antoine Date: Tue Jun 23 08:18:49 2015 +0100 drm: Turn off Legacy Context Functions The context functions are not used by the i915 driver and should not be used by modeset drivers. These driver functions contain several bugs and security holes. This change makes these functions optional can be turned on by a setting, they are turned off by default for modeset driver with the exception of the nouvea driver that may require them with an old version of libdrm. The previous attempt was commit 7c510133d93dd6f15ca040733ba7b2891ed61fd1 Author: Daniel Vetter Date: Thu Aug 8 15:41:21 2013 +0200 drm: mark context support as a legacy subsystem but this had to be reverted commit c21eb21cb50d58e7cbdcb8b9e7ff68b85cfa5095 Author: Dave Airlie Date: Fri Sep 20 08:32:59 2013 +1000 Revert "drm: mark context support as a legacy subsystem" v2: remove returns from void function, and formatting (Daniel Vetter) v3: - s/Nova/nouveau/ in the commit message, and add references to the previous attempts - drop the part touching the drm hw lock, that should be a separate patch. Signed-off-by: Peter Antoine (v2) Cc: Peter Antoine (v2) Reviewed-by: Peter Antoine Signed-off-by: Daniel Vetter v2: move DRM_VM dependency into legacy config. v3: fix missing dep (kbuild robot) Cc: stable@vger.kernel.org Reviewed-by: Daniel Vetter Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman