1. 09 Jan, 2019 40 commits
    • Nava kishore Manne's avatar
      serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly · 5110d0b4
      Nava kishore Manne authored
      commit 26068313 upstream.
      
      This patch Correct the RX interrupt mask value to handle the
      RX interrupts properly.
      
      Fixes: c8dbdc84 ("serial: xuartps: Rewrite the interrupt handling logic")
      Signed-off-by: default avatarNava kishore Manne <nava.manne@xilinx.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5110d0b4
    • Martin Blumenstingl's avatar
      f2fs: fix validation of the block count in sanity_check_raw_super · c5e4022f
      Martin Blumenstingl authored
      commit 88960068 upstream.
      
      Treat "block_count" from struct f2fs_super_block as 64-bit little endian
      value in sanity_check_raw_super() because struct f2fs_super_block
      declares "block_count" as "__le64".
      
      This fixes a bug where the superblock validation fails on big endian
      devices with the following error:
        F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
        F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
        F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
        F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
      As result of this the partition cannot be mounted.
      
      With this patch applied the superblock validation works fine and the
      partition can be mounted again:
        F2FS-fs (sda1): Mounted with checkpoint version = 7c84
      
      My little endian x86-64 hardware was able to mount the partition without
      this fix.
      To confirm that mounting f2fs filesystems works on big endian machines
      again I tested this on a 32-bit MIPS big endian (lantiq) device.
      
      Fixes: 0cfe75c5 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5e4022f
    • Florian Westphal's avatar
      netfilter: nf_conncount: don't skip eviction when age is negative · 052ccb86
      Florian Westphal authored
      commit 4cd273bb upstream.
      
      (not in Linus's tree now, but in nf.git + linux-next.git already.)
      
      age is signed integer, so result can be negative when the timestamps
      have a large delta.  In this case we want to discard the entry.
      
      Instead of using age >= 2 || age < 0, just make it unsigned.
      
      Fixes: b36e4523 ("netfilter: nf_conncount: fix garbage collection confirm race")
      Reviewed-by: default avatarShawn Bohrer <sbohrer@cloudflare.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      
      [mfo: backport: use older file name, nf_conncount.c -> xt_connlimit.c]
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      052ccb86
    • Florian Westphal's avatar
      netfilter: nf_conncount: fix garbage collection confirm race · 75af3d78
      Florian Westphal authored
      commit b36e4523 upstream.
      
      Yi-Hung Wei and Justin Pettit found a race in the garbage collection scheme
      used by nf_conncount.
      
      When doing list walk, we lookup the tuple in the conntrack table.
      If the lookup fails we remove this tuple from our list because
      the conntrack entry is gone.
      
      This is the common cause, but turns out its not the only one.
      The list entry could have been created just before by another cpu, i.e. the
      conntrack entry might not yet have been inserted into the global hash.
      
      The avoid this, we introduce a timestamp and the owning cpu.
      If the entry appears to be stale, evict only if:
       1. The current cpu is the one that added the entry, or,
       2. The timestamp is older than two jiffies
      
      The second constraint allows GC to be taken over by other
      cpu too (e.g. because a cpu was offlined or napi got moved to another
      cpu).
      
      We can't pretend the 'doubtful' entry wasn't in our list.
      Instead, when we don't find an entry indicate via IS_ERR
      that entry was removed ('did not exist' or withheld
      ('might-be-unconfirmed').
      
      This most likely also fixes a xt_connlimit imbalance earlier reported by
      Dmitry Andrianov.
      
      Cc: Dmitry Andrianov <dmitry.andrianov@alertme.com>
      Reported-by: default avatarJustin Pettit <jpettit@vmware.com>
      Reported-by: default avatarYi-Hung Wei <yihung.wei@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarYi-Hung Wei <yihung.wei@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      
      [mfo: backport: refresh context lines and use older symbol/file names:
       - nf_conncount.c -> xt_connlimit.c.
         - nf_conncount_rb -> xt_connlimit_rb
         - nf_conncount_tuple -> xt_connlimit_conn
         - conncount_conn_cachep -> connlimit_conn_cachep]
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      75af3d78
    • Yi-Hung Wei's avatar
      netfilter: nf_conncount: Fix garbage collection with zones · 525e1dff
      Yi-Hung Wei authored
      commit 21ba8847 upstream.
      
      Currently, we use check_hlist() for garbage colleciton. However, we
      use the ‘zone’ from the counted entry to query the existence of
      existing entries in the hlist. This could be wrong when they are in
      different zones, and this patch fixes this issue.
      
      Fixes: e59ea3df ("netfilter: xt_connlimit: honor conntrack zone if available")
      Signed-off-by: default avatarYi-Hung Wei <yihung.wei@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      
      [mfo: backport: refresh context lines and use older symbol/file names, note hunk 5:
       - nf_conncount.c -> xt_connlimit.c
         - nf_conncount_rb -> xt_connlimit_rb
         - nf_conncount_tuple -> xt_connlimit_conn
         - hunk 5: remove check for non-NULL 'tuple', that isn't required as it's introduced
           by upstream commit 35d8deb8 ("netfilter: conncount: Support count only use case")
           which addresses nf_conncount_count() that does not exist yet -- it's introduced by
           upstream commit 625c5561 ("netfilter: connlimit: split xt_connlimit into front
           and backend"), a refactor change.
       - nft_connlimit.c -> removed, not used/doesn't exist yet.]
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      525e1dff
    • Pablo Neira Ayuso's avatar
      netfilter: nf_conncount: expose connection list interface · 15ee3595
      Pablo Neira Ayuso authored
      commit 5e5cbc7b upstream.
      
      This patch provides an interface to maintain the list of connections and
      the lookup function to obtain the number of connections in the list.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      
      [mfo: backport: refresh context lines and use older symbol/file names:
       - nf_conntrack_count.h: new file, add include guards.
       - nf_conncount.c -> xt_connlimit.c.
         - nf_conncount_rb -> xt_connlimit_rb
         - nf_conncount_tuple -> xt_connlimit_conn
         - conncount_rb_cachep -> connlimit_rb_cachep
         - conncount_conn_cachep -> connlimit_conn_cachep]
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      15ee3595
    • Florian Westphal's avatar
      netfilter: xt_connlimit: don't store address in the conn nodes · 5e614e21
      Florian Westphal authored
      commit ce49480d upstream.
      
      Only stored, never read.  This is a leftover from commit 7d084877
      ("netfilter: connlimit: use rbtree for per-host conntrack obj storage"),
      which added the rbtree node struct that stores the address instead.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      
      [mfo: backport: refresh context lines and use older symbol/file names:
       - nf_conncount.c -> xt_connlimit.c.
         - nf_conncount_rb -> xt_connlimit_rb
         - nf_conncount_tuple -> xt_connlimit_conn
        - additionally, remove the add_hlist() 'addr' parameter that isn't used and removed
          later upstream with commit 625c5561 ("netfilter: connlimit: split xt_connlimit
          into front and backend") in the rename from 'xt_connlimit.c' to 'nf_conncount.c',
          a big refactor, so do it here, while still here in this related patch.]
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5e614e21
    • Filipe Manana's avatar
      Btrfs: fix fsync of files with multiple hard links in new directories · 20373d98
      Filipe Manana authored
      commit 41bd6067 upstream.
      
      The log tree has a long standing problem that when a file is fsync'ed we
      only check for new ancestors, created in the current transaction, by
      following only the hard link for which the fsync was issued. We follow the
      ancestors using the VFS' dget_parent() API. This means that if we create a
      new link for a file in a directory that is new (or in an any other new
      ancestor directory) and then fsync the file using an old hard link, we end
      up not logging the new ancestor, and on log replay that new hard link and
      ancestor do not exist. In some cases, involving renames, the file will not
      exist at all.
      
      Example:
      
        mkfs.btrfs -f /dev/sdb
        mount /dev/sdb /mnt
      
        mkdir /mnt/A
        touch /mnt/foo
        ln /mnt/foo /mnt/A/bar
        xfs_io -c fsync /mnt/foo
      
        <power failure>
      
      In this example after log replay only the hard link named 'foo' exists
      and directory A does not exist, which is unexpected. In other major linux
      filesystems, such as ext4, xfs and f2fs for example, both hard links exist
      and so does directory A after mounting again the filesystem.
      
      Checking if any new ancestors are new and need to be logged was added in
      2009 by commit 12fcfd22 ("Btrfs: tree logging unlink/rename fixes"),
      however only for the ancestors of the hard link (dentry) for which the
      fsync was issued, instead of checking for all ancestors for all of the
      inode's hard links.
      
      So fix this by tracking the id of the last transaction where a hard link
      was created for an inode and then on fsync fallback to a full transaction
      commit when an inode has more than one hard link and at least one new hard
      link was created in the current transaction. This is the simplest solution
      since this is not a common use case (adding frequently hard links for
      which there's an ancestor created in the current transaction and then
      fsync the file). In case it ever becomes a common use case, a solution
      that consists of iterating the fs/subvol btree for each hard link and
      check if any ancestor is new, could be implemented.
      
      This solves many unexpected scenarios reported by Jayashree Mohan and
      Vijay Chidambaram, and for which there is a new test case for fstests
      under review.
      
      Fixes: 12fcfd22 ("Btrfs: tree logging unlink/rename fixes")
      CC: stable@vger.kernel.org # 4.4+
      Reported-by: default avatarVijay Chidambaram <vvijay03@gmail.com>
      Reported-by: default avatarJayashree Mohan <jayashree2912@gmail.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20373d98
    • Macpaul Lin's avatar
      cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. · 4aac41de
      Macpaul Lin authored
      commit eafb27fa upstream.
      
      Mediatek Preloader is a proprietary embedded boot loader for loading
      Little Kernel and Linux into device DRAM.
      
      This boot loader also handle firmware update. Mediatek Preloader will be
      enumerated as a virtual COM port when the device is connected to Windows
      or Linux OS via CDC-ACM class driver. When the USB enumeration has been
      done, Mediatek Preloader will send out handshake command "READY" to PC
      actively instead of waiting command from the download tool.
      
      Since Linux 4.12, the commit "tty: reset termios state on device
      registration" (93857edd) causes Mediatek
      Preloader receiving some abnoraml command like "READYXX" as it sent.
      This will be recognized as an incorrect response. The behavior change
      also causes the download handshake fail. This change only affects
      subsequent connects if the reconnected device happens to get the same minor
      number.
      
      By disabling the ECHO termios flag could avoid this problem. However, it
      cannot be done by user space configuration when download tool open
      /dev/ttyACM0. This is because the device running Mediatek Preloader will
      send handshake command "READY" immediately once the CDC-ACM driver is
      ready.
      
      This patch wants to fix above problem by introducing "DISABLE_ECHO"
      property in driver_info. When Mediatek Preloader is connected, the
      CDC-ACM driver could disable ECHO flag in termios to avoid the problem.
      Signed-off-by: default avatarMacpaul Lin <macpaul.lin@mediatek.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Acked-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4aac41de
    • Tejun Heo's avatar
      cgroup: fix CSS_TASK_ITER_PROCS · 8769b27e
      Tejun Heo authored
      commit e9d81a1b upstream.
      
      CSS_TASK_ITER_PROCS implements process-only iteration by making
      css_task_iter_advance() skip tasks which aren't threadgroup leaders;
      however, when an iteration is started css_task_iter_start() calls the
      inner helper function css_task_iter_advance_css_set() instead of
      css_task_iter_advance().  As the helper doesn't have the skip logic,
      when the first task to visit is a non-leader thread, it doesn't get
      skipped correctly as shown in the following example.
      
        # ps -L 2030
          PID   LWP TTY      STAT   TIME COMMAND
         2030  2030 pts/0    Sl+    0:00 ./test-thread
         2030  2031 pts/0    Sl+    0:00 ./test-thread
        # mkdir -p /sys/fs/cgroup/x/a/b
        # echo threaded > /sys/fs/cgroup/x/a/cgroup.type
        # echo threaded > /sys/fs/cgroup/x/a/b/cgroup.type
        # echo 2030 > /sys/fs/cgroup/x/a/cgroup.procs
        # cat /sys/fs/cgroup/x/a/cgroup.threads
        2030
        2031
        # cat /sys/fs/cgroup/x/cgroup.procs
        2030
        # echo 2030 > /sys/fs/cgroup/x/a/b/cgroup.threads
        # cat /sys/fs/cgroup/x/cgroup.procs
        2031
        2030
      
      The last read of cgroup.procs is incorrectly showing non-leader 2031
      in cgroup.procs output.
      
      This can be fixed by updating css_task_iter_advance() to handle the
      first advance and css_task_iters_tart() to call
      css_task_iter_advance() instead of the inner helper.  After the fix,
      the same commands result in the following (correct) result:
      
        # ps -L 2062
          PID   LWP TTY      STAT   TIME COMMAND
         2062  2062 pts/0    Sl+    0:00 ./test-thread
         2062  2063 pts/0    Sl+    0:00 ./test-thread
        # mkdir -p /sys/fs/cgroup/x/a/b
        # echo threaded > /sys/fs/cgroup/x/a/cgroup.type
        # echo threaded > /sys/fs/cgroup/x/a/b/cgroup.type
        # echo 2062 > /sys/fs/cgroup/x/a/cgroup.procs
        # cat /sys/fs/cgroup/x/a/cgroup.threads
        2062
        2063
        # cat /sys/fs/cgroup/x/cgroup.procs
        2062
        # echo 2062 > /sys/fs/cgroup/x/a/b/cgroup.threads
        # cat /sys/fs/cgroup/x/cgroup.procs
        2062
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatar"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
      Fixes: 8cfd8147 ("cgroup: implement cgroup v2 thread support")
      Cc: stable@vger.kernel.org # v4.14+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8769b27e
    • Wenwen Wang's avatar
      crypto: cavium/nitrox - fix a DMA pool free failure · cf3168c5
      Wenwen Wang authored
      commit 7172122b upstream.
      
      In crypto_alloc_context(), a DMA pool is allocated through dma_pool_alloc()
      to hold the crypto context. The meta data of the DMA pool, including the
      pool used for the allocation 'ndev->ctx_pool' and the base address of the
      DMA pool used by the device 'dma', are then stored to the beginning of the
      pool. These meta data are eventually used in crypto_free_context() to free
      the DMA pool through dma_pool_free(). However, given that the DMA pool can
      also be accessed by the device, a malicious device can modify these meta
      data, especially when the device is controlled to deploy an attack. This
      can cause an unexpected DMA pool free failure.
      
      To avoid the above issue, this patch introduces a new structure
      crypto_ctx_hdr and a new field chdr in the structure nitrox_crypto_ctx hold
      the meta data information of the DMA pool after the allocation. Note that
      the original structure ctx_hdr is not changed to ensure the compatibility.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf3168c5
    • Johan Jonker's avatar
      clk: rockchip: fix typo in rk3188 spdif_frac parent · 3f844ac9
      Johan Jonker authored
      commit 8b19faf6 upstream.
      
      Fix typo in common_clk_branches.
      Make spdif_pre parent of spdif_frac.
      
      Fixes: 66746420 ("clk: rockchip: include downstream muxes into fractional dividers")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohan Jonker <jbx9999@hotmail.com>
      Acked-by: default avatarElaine Zhang <zhangqing@rock-chips.com>
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f844ac9
    • Lukas Wunner's avatar
      spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode · 7c6ac785
      Lukas Wunner authored
      commit 56c17234 upstream.
      
      The IRQ handler bcm2835_spi_interrupt() first reads as much as possible
      from the RX FIFO, then writes as much as possible to the TX FIFO.
      Afterwards it decides whether the transfer is finished by checking if
      the TX FIFO is empty.
      
      If very few bytes were written to the TX FIFO, they may already have
      been transmitted by the time the FIFO's emptiness is checked.  As a
      result, the transfer will be declared finished and the chip will be
      reset without reading the corresponding received bytes from the RX FIFO.
      
      The odds of this happening increase with a high clock frequency (such
      that the TX FIFO drains quickly) and either passing "threadirqs" on the
      command line or enabling CONFIG_PREEMPT_RT_BASE (such that the IRQ
      handler may be preempted between filling the TX FIFO and checking its
      emptiness).
      
      Fix by instead checking whether rx_len has reached zero, which means
      that the transfer has been received in full.  This is also more
      efficient as it avoids one bus read access per interrupt.  Note that
      bcm2835_spi_transfer_one_poll() likewise uses rx_len to determine
      whether the transfer has finished.
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Fixes: e34ff011 ("spi: bcm2835: move to the transfer_one driver model")
      Cc: stable@vger.kernel.org # v4.1+
      Cc: Mathias Duckeck <m.duckeck@kunbus.de>
      Cc: Frank Pavlic <f.pavlic@kunbus.de>
      Cc: Martin Sperl <kernel@martin.sperl.org>
      Cc: Noralf Trønnes <noralf@tronnes.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c6ac785
    • Lukas Wunner's avatar
      spi: bcm2835: Fix book-keeping of DMA termination · fef1fb1f
      Lukas Wunner authored
      commit dbc94411 upstream.
      
      If submission of a DMA TX transfer succeeds but submission of the
      corresponding RX transfer does not, the BCM2835 SPI driver terminates
      the TX transfer but neglects to reset the dma_pending flag to false.
      
      Thus, if the next transfer uses interrupt mode (because it is shorter
      than BCM2835_SPI_DMA_MIN_LENGTH) and runs into a timeout,
      dmaengine_terminate_all() will be called both for TX (once more) and
      for RX (which was never started in the first place).  Fix it.
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Fixes: 3ecd37ed ("spi: bcm2835: enable dma modes for transfers meeting certain conditions")
      Cc: stable@vger.kernel.org # v4.2+
      Cc: Mathias Duckeck <m.duckeck@kunbus.de>
      Cc: Frank Pavlic <f.pavlic@kunbus.de>
      Cc: Martin Sperl <kernel@martin.sperl.org>
      Cc: Noralf Trønnes <noralf@tronnes.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fef1fb1f
    • Lukas Wunner's avatar
      spi: bcm2835: Fix race on DMA termination · 24fc3cc2
      Lukas Wunner authored
      commit e82b0b38 upstream.
      
      If a DMA transfer finishes orderly right when spi_transfer_one_message()
      determines that it has timed out, the callbacks bcm2835_spi_dma_done()
      and bcm2835_spi_handle_err() race to call dmaengine_terminate_all(),
      potentially leading to double termination.
      
      Prevent by atomically changing the dma_pending flag before calling
      dmaengine_terminate_all().
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Fixes: 3ecd37ed ("spi: bcm2835: enable dma modes for transfers meeting certain conditions")
      Cc: stable@vger.kernel.org # v4.2+
      Cc: Mathias Duckeck <m.duckeck@kunbus.de>
      Cc: Frank Pavlic <f.pavlic@kunbus.de>
      Cc: Martin Sperl <kernel@martin.sperl.org>
      Cc: Noralf Trønnes <noralf@tronnes.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24fc3cc2
    • Theodore Ts'o's avatar
      ext4: check for shutdown and r/o file system in ext4_write_inode() · 7f3901d8
      Theodore Ts'o authored
      commit 18f2c4fc upstream.
      
      If the file system has been shut down or is read-only, then
      ext4_write_inode() needs to bail out early.
      
      Also use jbd2_complete_transaction() instead of ext4_force_commit() so
      we only force a commit if it is needed.
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f3901d8
    • Theodore Ts'o's avatar
      ext4: force inode writes when nfsd calls commit_metadata() · dbffc914
      Theodore Ts'o authored
      commit fde87268 upstream.
      
      Some time back, nfsd switched from calling vfs_fsync() to using a new
      commit_metadata() hook in export_operations().  If the file system did
      not provide a commit_metadata() hook, it fell back to using
      sync_inode_metadata().  Unfortunately doesn't work on all file
      systems.  In particular, it doesn't work on ext4 due to how the inode
      gets journalled --- the VFS writeback code will not always call
      ext4_write_inode().
      
      So we need to provide our own ext4_nfs_commit_metdata() method which
      calls ext4_write_inode() directly.
      
      Google-Bug-Id: 121195940
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dbffc914
    • Theodore Ts'o's avatar
      ext4: include terminating u32 in size of xattr entries when expanding inodes · 6ef63893
      Theodore Ts'o authored
      commit a805622a upstream.
      
      In ext4_expand_extra_isize_ea(), we calculate the total size of the
      xattr header, plus the xattr entries so we know how much of the
      beginning part of the xattrs to move when expanding the inode extra
      size.  We need to include the terminating u32 at the end of the xattr
      entries, or else if there is uninitialized, non-zero bytes after the
      xattr entries and before the xattr values, the list of xattr entries
      won't be properly terminated.
      Reported-by: default avatarSteve Graham <stgraham2000@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ef63893
    • ruippan (潘睿)'s avatar
      ext4: fix EXT4_IOC_GROUP_ADD ioctl · 0bf8b3fd
      ruippan (潘睿) authored
      commit e647e291 upstream.
      
      Commit e2b911c5 ("ext4: clean up feature test macros with
      predicate functions") broke the EXT4_IOC_GROUP_ADD ioctl.  This was
      not noticed since only very old versions of resize2fs (before
      e2fsprogs 1.42) use this ioctl.  However, using a new kernel with an
      enterprise Linux userspace will cause attempts to use online resize to
      fail with "No reserved GDT blocks".
      
      Fixes: e2b911c5 ("ext4: clean up feature test macros with predicate...")
      Cc: stable@kernel.org # v4.4
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarruippan (潘睿) <ruippan@tencent.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bf8b3fd
    • Maurizio Lombardi's avatar
      ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() · 92bb9b06
      Maurizio Lombardi authored
      commit 132d00be upstream.
      
      In case of error, ext4_try_to_write_inline_data() should unlock
      and release the page it holds.
      
      Fixes: f19d5870 ("ext4: add normal write support for inline data")
      Cc: stable@kernel.org # 3.8
      Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      92bb9b06
    • Pan Bian's avatar
      ext4: fix possible use after free in ext4_quota_enable · 34bba27d
      Pan Bian authored
      commit 61157b24 upstream.
      
      The function frees qf_inode via iput but then pass qf_inode to
      lockdep_set_quota_inode on the failure path. This may result in a
      use-after-free bug. The patch frees df_inode only when it is never used.
      
      Fixes: daf647d2 ("ext4: add lockdep annotations for i_data_sem")
      Cc: stable@kernel.org # 4.6
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarPan Bian <bianpan2016@163.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34bba27d
    • Theodore Ts'o's avatar
      ext4: add ext4_sb_bread() to disambiguate ENOMEM cases · 9da1f6d0
      Theodore Ts'o authored
      commit fb265c9c upstream.
      
      Today, when sb_bread() returns NULL, this can either be because of an
      I/O error or because the system failed to allocate the buffer.  Since
      it's an old interface, changing would require changing many call
      sites.
      
      So instead we create our own ext4_sb_bread(), which also allows us to
      set the REQ_META flag.
      
      Also fixed a problem in the xattr code where a NULL return in a
      function could also mean that the xattr was not found, which could
      lead to the wrong error getting returned to userspace.
      
      Fixes: ac27a0ec ("ext4: initial copy of files from ext3")
      Cc: stable@kernel.org # 2.6.19
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9da1f6d0
    • Ben Hutchings's avatar
      perf pmu: Suppress potential format-truncation warning · 9f0fc584
      Ben Hutchings authored
      commit 11a64a05 upstream.
      
      Depending on which functions are inlined in util/pmu.c, the snprintf()
      calls in perf_pmu__parse_{scale,unit,per_pkg,snapshot}() might trigger a
      warning:
      
        util/pmu.c: In function 'pmu_aliases':
        util/pmu.c:178:31: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
          snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
                                     ^~
      
      I found this when trying to build perf from Linux 3.16 with gcc 8.
      However I can reproduce the problem in mainline if I force
      __perf_pmu__new_alias() to be inlined.
      
      Suppress this by using scnprintf() as has been done elsewhere in perf.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/20181111184524.fux4taownc6ndbx6@decadent.org.ukSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f0fc584
    • Miquel Raynal's avatar
      platform-msi: Free descriptors in platform_msi_domain_free() · 69beeb1c
      Miquel Raynal authored
      commit 81b1e6e6 upstream.
      
      Since the addition of platform MSI support, there were two helpers
      supposed to allocate/free IRQs for a device:
      
          platform_msi_domain_alloc_irqs()
          platform_msi_domain_free_irqs()
      
      In these helpers, IRQ descriptors are allocated in the "alloc" routine
      while they are freed in the "free" one.
      
      Later, two other helpers have been added to handle IRQ domains on top
      of MSI domains:
      
          platform_msi_domain_alloc()
          platform_msi_domain_free()
      
      Seen from the outside, the logic is pretty close with the former
      helpers and people used it with the same logic as before: a
      platform_msi_domain_alloc() call should be balanced with a
      platform_msi_domain_free() call. While this is probably what was
      intended to do, the platform_msi_domain_free() does not remove/free
      the IRQ descriptor(s) created/inserted in
      platform_msi_domain_alloc().
      
      One effect of such situation is that removing a module that requested
      an IRQ will let one orphaned IRQ descriptor (with an allocated MSI
      entry) in the device descriptors list. Next time the module will be
      inserted back, one will observe that the allocation will happen twice
      in the MSI domain, one time for the remaining descriptor, one time for
      the new one. It also has the side effect to quickly overshoot the
      maximum number of allocated MSI and then prevent any module requesting
      an interrupt in the same domain to be inserted anymore.
      
      This situation has been met with loops of insertion/removal of the
      mvpp2.ko module (requesting 15 MSIs each time).
      
      Fixes: 552c494a ("platform-msi: Allow creation of a MSI-based stacked irq domain")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69beeb1c
    • Sean Christopherson's avatar
      KVM: nVMX: Free the VMREAD/VMWRITE bitmaps if alloc_kvm_area() fails · f7ed75e1
      Sean Christopherson authored
      commit 1b3ab5ad upstream.
      
      Fixes: 34a1cd60 ("kvm: x86: vmx: move some vmx setting from vmx_init() to hardware_setup()")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7ed75e1
    • Sean Christopherson's avatar
      KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup · a90e0979
      Sean Christopherson authored
      commit e8143499 upstream.
      
      ____kvm_handle_fault_on_reboot() provides a generic exception fixup
      handler that is used to cleanly handle faults on VMX/SVM instructions
      during reboot (or at least try to).  If there isn't a reboot in
      progress, ____kvm_handle_fault_on_reboot() treats any exception as
      fatal to KVM and invokes kvm_spurious_fault(), which in turn generates
      a BUG() to get a stack trace and die.
      
      When it was originally added by commit 4ecac3fd ("KVM: Handle
      virtualization instruction #UD faults during reboot"), the "call" to
      kvm_spurious_fault() was handcoded as PUSH+JMP, where the PUSH'd value
      is the RIP of the faulting instructing.
      
      The PUSH+JMP trickery is necessary because the exception fixup handler
      code lies outside of its associated function, e.g. right after the
      function.  An actual CALL from the .fixup code would show a slightly
      bogus stack trace, e.g. an extra "random" function would be inserted
      into the trace, as the return RIP on the stack would point to no known
      function (and the unwinder will likely try to guess who owns the RIP).
      
      Unfortunately, the JMP was replaced with a CALL when the macro was
      reworked to not spin indefinitely during reboot (commit b7c4145b
      "KVM: Don't spin on virt instruction faults during reboot").  This
      causes the aforementioned behavior where a bogus function is inserted
      into the stack trace, e.g. my builds like to blame free_kvm_area().
      
      Revert the CALL back to a JMP.  The changelog for commit b7c4145b
      ("KVM: Don't spin on virt instruction faults during reboot") contains
      nothing that indicates the switch to CALL was deliberate.  This is
      backed up by the fact that the PUSH <insn RIP> was left intact.
      
      Note that an alternative to the PUSH+JMP magic would be to JMP back
      to the "real" code and CALL from there, but that would require adding
      a JMP in the non-faulting path to avoid calling kvm_spurious_fault()
      and would add no value, i.e. the stack trace would be the same.
      
      Using CALL:
      
      ------------[ cut here ]------------
      kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356!
      invalid opcode: 0000 [#1] SMP
      CPU: 4 PID: 1057 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
      RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm]
      Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
      RSP: 0018:ffffc900004bbcc8 EFLAGS: 00010046
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffff888273fd8000 R08: 00000000000003e8 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000371fb0
      R13: 0000000000000000 R14: 000000026d763cf4 R15: ffff888273fd8000
      FS:  00007f3d69691700(0000) GS:ffff888277800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000055f89bc56fe0 CR3: 0000000271a5a001 CR4: 0000000000362ee0
      Call Trace:
       free_kvm_area+0x1044/0x43ea [kvm_intel]
       ? vmx_vcpu_run+0x156/0x630 [kvm_intel]
       ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm]
       ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
       ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
       ? __set_task_blocked+0x38/0x90
       ? __set_current_blocked+0x50/0x60
       ? __fpu__restore_sig+0x97/0x490
       ? do_vfs_ioctl+0xa1/0x620
       ? __x64_sys_futex+0x89/0x180
       ? ksys_ioctl+0x66/0x70
       ? __x64_sys_ioctl+0x16/0x20
       ? do_syscall_64+0x4f/0x100
       ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc
      ---[ end trace 9775b14b123b1713 ]---
      
      Using JMP:
      
      ------------[ cut here ]------------
      kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356!
      invalid opcode: 0000 [#1] SMP
      CPU: 6 PID: 1067 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
      RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm]
      Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
      RSP: 0018:ffffc90000497cd0 EFLAGS: 00010046
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffff88827058bd40 R08: 00000000000003e8 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000369fb0
      R13: 0000000000000000 R14: 00000003c8fc6642 R15: ffff88827058bd40
      FS:  00007f3d7219e700(0000) GS:ffff888277900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f3d64001000 CR3: 0000000271c6b004 CR4: 0000000000362ee0
      Call Trace:
       vmx_vcpu_run+0x156/0x630 [kvm_intel]
       ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm]
       ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
       ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
       ? __set_task_blocked+0x38/0x90
       ? __set_current_blocked+0x50/0x60
       ? __fpu__restore_sig+0x97/0x490
       ? do_vfs_ioctl+0xa1/0x620
       ? __x64_sys_futex+0x89/0x180
       ? ksys_ioctl+0x66/0x70
       ? __x64_sys_ioctl+0x16/0x20
       ? do_syscall_64+0x4f/0x100
       ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc
      ---[ end trace f9daedb85ab3ddba ]---
      
      Fixes: b7c4145b ("KVM: Don't spin on virt instruction faults during reboot")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a90e0979
    • Dan Williams's avatar
      x86/mm: Drop usage of __flush_tlb_all() in kernel_physical_mapping_init() · 9d956533
      Dan Williams authored
      commit ba6f508d upstream.
      
      Commit:
      
        f77084d9 "x86/mm/pat: Disable preemption around __flush_tlb_all()"
      
      addressed a case where __flush_tlb_all() is called without preemption
      being disabled. It also left a warning to catch other cases where
      preemption is not disabled.
      
      That warning triggers for the memory hotplug path which is also used for
      persistent memory enabling:
      
       WARNING: CPU: 35 PID: 911 at ./arch/x86/include/asm/tlbflush.h:460
       RIP: 0010:__flush_tlb_all+0x1b/0x3a
       [..]
       Call Trace:
        phys_pud_init+0x29c/0x2bb
        kernel_physical_mapping_init+0xfc/0x219
        init_memory_mapping+0x1a5/0x3b0
        arch_add_memory+0x2c/0x50
        devm_memremap_pages+0x3aa/0x610
        pmem_attach_disk+0x585/0x700 [nd_pmem]
      
      Andy wondered why a path that can sleep was using __flush_tlb_all() [1]
      and Dave confirmed the expectation for TLB flush is for modifying /
      invalidating existing PTE entries, but not initial population [2]. Drop
      the usage of __flush_tlb_all() in phys_{p4d,pud,pmd}_init() on the
      expectation that this path is only ever populating empty entries for the
      linear map. Note, at linear map teardown time there is a call to the
      all-cpu flush_tlb_all() to invalidate the removed mappings.
      
      [1]: https://lkml.kernel.org/r/9DFD717D-857D-493D-A606-B635D72BAC21@amacapital.net
      [2]: https://lkml.kernel.org/r/749919a4-cdb1-48a3-adb4-adb81a5fa0b5@intel.com
      
      [ mingo: Minor readability edits. ]
      Suggested-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Reported-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: dave.hansen@intel.com
      Fixes: f77084d9 ("x86/mm/pat: Disable preemption around __flush_tlb_all()")
      Link: http://lkml.kernel.org/r/154395944713.32119.15611079023837132638.stgit@dwillia2-desk3.amr.corp.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d956533
    • Michal Hocko's avatar
      x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off · 8c34b071
      Michal Hocko authored
      commit 5b5e4d62 upstream.
      
      Swap storage is restricted to max_swapfile_size (~16TB on x86_64) whenever
      the system is deemed affected by L1TF vulnerability. Even though the limit
      is quite high for most deployments it seems to be too restrictive for
      deployments which are willing to live with the mitigation disabled.
      
      We have a customer to deploy 8x 6,4TB PCIe/NVMe SSD swap devices which is
      clearly out of the limit.
      
      Drop the swap restriction when l1tf=off is specified. It also doesn't make
      much sense to warn about too much memory for the l1tf mitigation when it is
      forcefully disabled by the administrator.
      
      [ tglx: Folded the documentation delta change ]
      
      Fixes: 377eeaa8 ("x86/speculation/l1tf: Limit swap file size to MAX_PA/2")
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarPavel Tatashin <pasha.tatashin@soleen.com>
      Reviewed-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Kosina <jkosina@suse.cz>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: <linux-mm@kvack.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181113184910.26697-1-mhocko@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c34b071
    • Patrick Dreyer's avatar
      Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G · 9023f52f
      Patrick Dreyer authored
      commit 7db54c89 upstream.
      
      This adds ELAN0501 to the ACPI table to support Elan touchpad found in ASUS
      Aspire F5-573G.
      Signed-off-by: default avatarPatrick Dreyer <Patrick.Dreyer@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9023f52f
    • Sebastian Ott's avatar
      s390/pci: fix sleeping in atomic during hotplug · e1f2a8b3
      Sebastian Ott authored
      commit 98dfd326 upstream.
      
      When triggered by pci hotplug (PEC 0x306) clp_get_state is called
      with spinlocks held resulting in the following warning:
      
      zpci: n/a: Event 0x306 reconfigured PCI function 0x0
      BUG: sleeping function called from invalid context at mm/page_alloc.c:4324
      in_atomic(): 1, irqs_disabled(): 0, pid: 98, name: kmcheck
      2 locks held by kmcheck/98:
      
      Change the allocation to use GFP_ATOMIC.
      
      Cc: stable@vger.kernel.org # 4.13+
      Signed-off-by: default avatarSebastian Ott <sebott@linux.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1f2a8b3
    • Bjørn Mork's avatar
      qmi_wwan: apply SET_DTR quirk to the SIMCOM shared device ID · df088bbe
      Bjørn Mork authored
      commit 102cd909 upstream.
      
      SIMCOM are reusing a single device ID for many (all of their?)
      different modems, based on different chipsets and firmwares. Newer
      Qualcomm chipset generations require setting DTR to wake the QMI
      function.  The SIM7600E modem is using such a chipset, making it
      fail to work with this driver despite the device ID match.
      
      Fix by unconditionally enabling the SET_DTR quirk for all SIMCOM
      modems using this specific device ID.  This is similar to what
      we already have done for another case of device IDs recycled over
      multiple chipset generations: 14cf4a77 ("drivers: net: usb:
      qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201")
      
      Initial testing on an older SIM7100 modem shows no immediate side
      effects.
      Reported-by: default avatarSebastian Sjoholm <sebastian.sjoholm@gmail.com>
      Cc: Reinhard Speyerer <rspmn@arcor.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df088bbe
    • Colin Ian King's avatar
      staging: wilc1000: fix missing read_write setting when reading data · 5b48bec5
      Colin Ian King authored
      commit c58eef06 upstream.
      
      Currently the cmd.read_write setting is not initialized so it contains
      garbage from the stack.  Fix this by setting it to 0 to indicate a
      read is required.
      
      Detected by CoverityScan, CID#1357925 ("Uninitialized scalar variable")
      
      Fixes: c5c77ba1 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarAjay Singh <ajay.kathat@microchip.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b48bec5
    • Jia-Ju Bai's avatar
      usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() · 55b3d640
      Jia-Ju Bai authored
      commit c85400f8 upstream.
      
      The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
      be concurrently executed.
      The two functions both access a possible shared variable "hep->hcpriv".
      
      This shared variable is freed by r8a66597_endpoint_disable() via the
      call path:
      r8a66597_endpoint_disable
        kfree(hep->hcpriv) (line 1995 in Linux-4.19)
      
      This variable is read by r8a66597_urb_enqueue() via the call path:
      r8a66597_urb_enqueue
        spin_lock_irqsave(&r8a66597->lock)
        init_pipe_info
          enable_r8a66597_pipe
            pipe = hep->hcpriv (line 802 in Linux-4.19)
      
      The read operation is protected by a spinlock, but the free operation
      is not protected by this spinlock, thus a concurrency use-after-free bug
      may occur.
      
      To fix this bug, the spin-lock and spin-unlock function calls in
      r8a66597_endpoint_disable() are moved to protect the free operation.
      Signed-off-by: default avatarJia-Ju Bai <baijiaju1990@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      55b3d640
    • Jörgen Storvist's avatar
      USB: serial: option: add Fibocom NL678 series · f99dfabb
      Jörgen Storvist authored
      commit 4b2c01ad upstream.
      
      Added USB serial option driver support for Fibocom NL678 series cellular
      module: VID 2cb7 and PIDs 0x0104 and 0x0105.
      Reserved network and ADB interfaces.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2cb7 ProdID=0104 Rev=03.10
      S:  Manufacturer=Fibocom
      S:  Product=Fibocom NL678-E Modem
      S:  SerialNumber=12345678
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2cb7 ProdID=0105 Rev=03.10
      S:  Manufacturer=Fibocom
      S:  Product=Fibocom NL678-E Modem
      S:  SerialNumber=12345678
      C:  #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
      I:  If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
      I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      Signed-off-by: default avatarJörgen Storvist <jorgen.storvist@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f99dfabb
    • Scott Chen's avatar
      USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays · e7d9ee97
      Scott Chen authored
      commit 8d503f20 upstream.
      
      Add device ids to pl2303 for the HP POS pole displays:
      LM920:   03f0:026b
      TD620:   03f0:0956
      LD960TA: 03f0:4439
      LD220TA: 03f0:4349
      LM940:   03f0:5039
      Signed-off-by: default avatarScott Chen <scott@labau.com.tw>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7d9ee97
    • Sameer Pujar's avatar
      ALSA: hda/tegra: clear pending irq handlers · 30930698
      Sameer Pujar authored
      commit 63d2a9ec upstream.
      
      Even after disabling interrupts on the module, it could be possible
      that irq handlers are still running. System hang is seen during
      suspend path. It was found that, there were pending writes on the
      HDA bus and clock was disabled by that time.
      
      Above mentioned issue is fixed by clearing any pending irq handlers
      before disabling clocks and returning from hda suspend.
      Suggested-by: default avatarMohan Kumar <mkumard@nvidia.com>
      Suggested-by: default avatarDara Ramesh <dramesh@nvidia.com>
      Signed-off-by: default avatarSameer Pujar <spujar@nvidia.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30930698
    • Takashi Sakamoto's avatar
      ALSA: firewire-lib: use the same print format for 'without_header' tracepoints · 1b7682a0
      Takashi Sakamoto authored
      commit 5ef108c5 upstream.
      
      An initial commit to add tracepoints for packets without CIP headers
      uses different print formats for added tracepoints. However this is not
      convenient for users/developers to prepare debug tools.
      
      This commit uses the same format for the two tracepoints.
      
      Cc: <stable@vger.kernel.org> # v4.12+
      Fixes: b164d2fd ('ALSA: firewire_lib: add tracepoints for packets without CIP headers')
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b7682a0
    • Takashi Sakamoto's avatar
      ALSA: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint · cb3343d8
      Takashi Sakamoto authored
      commit aa9a9e39 upstream.
      
      An initial commit to add tracepoints for packets without CIP headers
      introduces a wrong assignment to 'data_blocks' value of
      'out_packet_without_header' tracepoint.
      
      This commit fixes the bug.
      
      Cc: <stable@vger.kernel.org> # v4.12+
      Fixes: b164d2fd ('ALSA: firewire_lib: add tracepoints for packets without CIP headers')
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb3343d8
    • Takashi Sakamoto's avatar
      ALSA: firewire-lib: fix wrong handling payload_length as payload_quadlet · deec542b
      Takashi Sakamoto authored
      commit ada79fa5 upstream.
      
      In IEC 61883-1/6 engine of ALSA firewire stack, a packet handler has a
      second argument for 'the number of bytes in payload of isochronous
      packet'. However, an incoming packet handler without CIP header uses the
      value as 'the number of quadlets in the payload'. This brings userspace
      applications to receive the number of PCM frames as four times against
      real time.
      
      This commit fixes the bug.
      
      Cc: <stable@vger.kernel.org> # v4.12+
      Fixes: 3b196c39 ('ALSA: firewire-lib: add no-header packet processing')
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      deec542b
    • Takashi Sakamoto's avatar
      ALSA: fireface: fix for state to fetch PCM frames · 47cafb13
      Takashi Sakamoto authored
      commit 3d16200a upstream.
      
      According to my memo at hand and saved records, writing 0x00000001 to
      SND_FF_REG_FETCH_PCM_FRAMES disables fetching PCM frames in corresponding
      channel, however current implement uses reversed logic. This results in
      muted volume in device side during playback.
      
      This commit corrects the bug.
      
      Cc: <stable@vger.kernel.org> # v4.12+
      Fixes: 76fdb3a9 ('ALSA: fireface: add support for Fireface 400')
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47cafb13