1. 17 Dec, 2018 40 commits
    • Josh Elsasser's avatar
      ixgbe: recognize 1000BaseLX SFP modules as 1Gbps · 689dee4b
      Josh Elsasser authored
      [ Upstream commit a8bf879a ]
      
      Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
      allowing the core driver code to establish a link over this SFP type.
      
      This is done by the out-of-tree driver but the fix wasn't in mainline.
      
      Fixes: e23f3336 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
      Fixes: 6a14ee0c ("ixgbe: Add X550 support function pointers")
      Signed-off-by: default avatarJosh Elsasser <jelsasser@appneta.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      689dee4b
    • Yunjian Wang's avatar
      igb: fix uninitialized variables · 9966f78a
      Yunjian Wang authored
      [ Upstream commit e4c39f79 ]
      
      This patch fixes the variable 'phy_word' may be used uninitialized.
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9966f78a
    • Kiran Kumar Modukuri's avatar
      cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active · 7b99a0d7
      Kiran Kumar Modukuri authored
      [ Upstream commit 9a24ce5b ]
      
      [Description]
      
      In a heavily loaded system where the system pagecache is nearing memory
      limits and fscache is enabled, pages can be leaked by fscache while trying
      read pages from cachefiles backend.  This can happen because two
      applications can be reading same page from a single mount, two threads can
      be trying to read the backing page at same time.  This results in one of
      the threads finding that a page for the backing file or netfs file is
      already in the radix tree.  During the error handling cachefiles does not
      clean up the reference on backing page, leading to page leak.
      
      [Fix]
      The fix is straightforward, to decrement the reference when error is
      encountered.
      
        [dhowells: Note that I've removed the clearance and put of newpage as
         they aren't attested in the commit message and don't appear to actually
         achieve anything since a new page is only allocated is newpage!=NULL and
         any residual new page is cleared before returning.]
      
      [Testing]
      I have tested the fix using following method for 12+ hrs.
      
      1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc <server_ip>:/export /mnt/nfs
      2) create 10000 files of 2.8MB in a NFS mount.
      3) start a thread to simulate heavy VM presssure
         (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)&
      4) start multiple parallel reader for data set at same time
         find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
         find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
         find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
         ..
         ..
         find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
         find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
      5) finally check using cat /proc/fs/fscache/stats | grep -i pages ;
         free -h , cat /proc/meminfo and page-types -r -b lru
         to ensure all pages are freed.
      Reviewed-by: default avatarDaniel Axtens <dja@axtens.net>
      Signed-off-by: default avatarShantanu Goel <sgoel01@yahoo.com>
      Signed-off-by: default avatarKiran Kumar Modukuri <kiran.modukuri@gmail.com>
      [dja: forward ported to current upstream]
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7b99a0d7
    • Taehee Yoo's avatar
      netfilter: nf_tables: deactivate expressions in rule replecement routine · 397727e7
      Taehee Yoo authored
      [ Upstream commit ca089878 ]
      
      There is no expression deactivation call from the rule replacement path,
      hence, chain counter is not decremented. A few steps to reproduce the
      problem:
      
         %nft add table ip filter
         %nft add chain ip filter c1
         %nft add chain ip filter c1
         %nft add rule ip filter c1 jump c2
         %nft replace rule ip filter c1 handle 3 accept
         %nft flush ruleset
      
      <jump c2> expression means immediate NFT_JUMP to chain c2.
      Reference count of chain c2 is increased when the rule is added.
      
      When rule is deleted or replaced, the reference counter of c2 should be
      decreased via nft_rule_expr_deactivate() which calls
      nft_immediate_deactivate().
      
      Splat looks like:
      [  214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
      [  214.398983] Modules linked in: nf_tables nfnetlink
      [  214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44
      [  214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
      [  214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
      [  214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8
      [  214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202
      [  214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0
      [  214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78
      [  214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000
      [  214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba
      [  214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6
      [  214.398983] FS:  0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000
      [  214.398983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0
      [  214.398983] Call Trace:
      [  214.398983]  ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables]
      [  214.398983]  ? __kasan_slab_free+0x145/0x180
      [  214.398983]  ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables]
      [  214.398983]  ? kfree+0xdb/0x280
      [  214.398983]  nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables]
      [ ... ]
      
      Fixes: bb7b40ae ("netfilter: nf_tables: bogus EBUSY in chain deletions")
      Reported by: Christoph Anton Mitterer <calestyo@scientia.net>
      Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      397727e7
    • Marek Szyprowski's avatar
      usb: gadget: u_ether: fix unsafe list iteration · b641ee14
      Marek Szyprowski authored
      [ Upstream commit c9287fa6 ]
      
      list_for_each_entry_safe() is not safe for deleting entries from the
      list if the spin lock, which protects it, is released and reacquired during
      the list iteration. Fix this issue by replacing this construction with
      a simple check if list is empty and removing the first entry in each
      iteration. This is almost equivalent to a revert of the commit mentioned in
      the Fixes: tag.
      
      This patch fixes following issue:
      --->8---
      Unable to handle kernel NULL pointer dereference at virtual address 00000104
      pgd = (ptrval)
      [00000104] *pgd=00000000
      Internal error: Oops: 817 [#1] PREEMPT SMP ARM
      Modules linked in:
      CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061
      Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
      Workqueue: events eth_work
      PC is at rx_fill+0x60/0xac
      LR is at _raw_spin_lock_irqsave+0x50/0x5c
      pc : [<c065fee0>]    lr : [<c0a056b8>]    psr: 80000093
      sp : ee7fbee8  ip : 00000100  fp : 00000000
      r10: 006000c0  r9 : c10b0ab0  r8 : ee7eb5c0
      r7 : ee7eb614  r6 : ee7eb5ec  r5 : 000000dc  r4 : ee12ac00
      r3 : ee12ac24  r2 : 00000200  r1 : 60000013  r0 : ee7eb5ec
      Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
      Control: 10c5387d  Table: 6d5dc04a  DAC: 00000051
      Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval))
      Stack: (0xee7fbee8 to 0xee7fc000)
      ...
      [<c065fee0>] (rx_fill) from [<c0143b7c>] (process_one_work+0x200/0x738)
      [<c0143b7c>] (process_one_work) from [<c0144118>] (worker_thread+0x2c/0x4c8)
      [<c0144118>] (worker_thread) from [<c014a8a4>] (kthread+0x128/0x164)
      [<c014a8a4>] (kthread) from [<c01010b4>] (ret_from_fork+0x14/0x20)
      Exception stack(0xee7fbfb0 to 0xee7fbff8)
      ...
      ---[ end trace 64480bc835eba7d6 ]---
      
      Fixes: fea14e68 ("usb: gadget: u_ether: use better list accessors")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b641ee14
    • Lorenzo Bianconi's avatar
      net: thunderx: fix NULL pointer dereference in nic_remove · ff791c9e
      Lorenzo Bianconi authored
      [ Upstream commit 24a6d2dd ]
      
      Fix a possible NULL pointer dereference in nic_remove routine
      removing the nicpf module if nic_probe fails.
      The issue can be triggered with the following reproducer:
      
      $rmmod nicvf
      $rmmod nicpf
      
      [  521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
      [  521.422777] Mem abort info:
      [  521.425561]   ESR = 0x96000004
      [  521.428624]   Exception class = DABT (current EL), IL = 32 bits
      [  521.434535]   SET = 0, FnV = 0
      [  521.437579]   EA = 0, S1PTW = 0
      [  521.440730] Data abort info:
      [  521.443603]   ISV = 0, ISS = 0x00000004
      [  521.447431]   CM = 0, WnR = 0
      [  521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
      [  521.457022] [0000000000000014] pgd=0000000000000000
      [  521.461916] Internal error: Oops: 96000004 [#1] SMP
      [  521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
      [  521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
      [  521.523451] pc : nic_remove+0x24/0x88 [nicpf]
      [  521.527808] lr : pci_device_remove+0x48/0xd8
      [  521.532066] sp : ffff000013433cc0
      [  521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
      [  521.540672] x27: 0000000000000000 x26: 0000000000000000
      [  521.545974] x25: 0000000056000000 x24: 0000000000000015
      [  521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
      [  521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
      [  521.561877] x19: 0000000000000000 x18: 0000000000000025
      [  521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
      [  521.593683] x7 : 0000000000000000 x6 : 0000000000000001
      [  521.598983] x5 : 0000000000000002 x4 : 0000000000000003
      [  521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
      [  521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
      [  521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
      [  521.621490] Call trace:
      [  521.623928]  nic_remove+0x24/0x88 [nicpf]
      [  521.627927]  pci_device_remove+0x48/0xd8
      [  521.631847]  device_release_driver_internal+0x1b0/0x248
      [  521.637062]  driver_detach+0x50/0xc0
      [  521.640628]  bus_remove_driver+0x60/0x100
      [  521.644627]  driver_unregister+0x34/0x60
      [  521.648538]  pci_unregister_driver+0x24/0xd8
      [  521.652798]  nic_cleanup_module+0x14/0x111c [nicpf]
      [  521.657672]  __arm64_sys_delete_module+0x150/0x218
      [  521.662460]  el0_svc_handler+0x94/0x110
      [  521.666287]  el0_svc+0x8/0xc
      [  521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
      
      Fixes: 4863dea3 ("net: Adding support for Cavium ThunderX network controller")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ff791c9e
    • Yi Wang's avatar
      x86/kvm/vmx: fix old-style function declaration · 7fdd58de
      Yi Wang authored
      [ Upstream commit 1e4329ee ]
      
      The inline keyword which is not at the beginning of the function
      declaration may trigger the following build warnings, so let's fix it:
      
      arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
      arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
      arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
      arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
      Signed-off-by: default avatarYi Wang <wang.yi59@zte.com.cn>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7fdd58de
    • Yi Wang's avatar
      KVM: x86: fix empty-body warnings · bb3f8691
      Yi Wang authored
      [ Upstream commit 354cb410 ]
      
      We get the following warnings about empty statements when building
      with 'W=1':
      
      arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
      arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
      arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
      arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
      
      Rework the debug helper macro to get rid of these warnings.
      Signed-off-by: default avatarYi Wang <wang.yi59@zte.com.cn>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bb3f8691
    • Artemy Kovalyov's avatar
      IB/mlx5: Fix page fault handling for MW · 8f859b27
      Artemy Kovalyov authored
      [ Upstream commit 75b7b86b ]
      
      Memory windows are implemented with an indirect MKey, when a page fault
      event comes for a MW Mkey we need to find the MR at the end of the list of
      the indirect MKeys by iterating on all items from the first to the last.
      
      The offset calculated during this process has to be zeroed after the first
      iteration or the next iteration will start from a wrong address, resulting
      incorrect ODP faulting behavior.
      
      Fixes: db570d7d ("IB/mlx5: Add ODP support to MW")
      Signed-off-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8f859b27
    • Alin Nastac's avatar
      netfilter: ipv6: Preserve link scope traffic original oif · 97f04803
      Alin Nastac authored
      [ Upstream commit 508b0904 ]
      
      When ip6_route_me_harder is invoked, it resets outgoing interface of:
        - link-local scoped packets sent by neighbor discovery
        - multicast packets sent by MLD host
        - multicast packets send by MLD proxy daemon that sets outgoing
          interface through IPV6_PKTINFO ipi6_ifindex
      
      Link-local and multicast packets must keep their original oif after
      ip6_route_me_harder is called.
      Signed-off-by: default avatarAlin Nastac <alin.nastac@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      97f04803
    • Christian Hewitt's avatar
      drm/meson: add support for 1080p25 mode · f47b8824
      Christian Hewitt authored
      [ Upstream commit 31e1ab49 ]
      
      This essential mode for PAL users is missing, so add it.
      
      Fixes: 335e3713 ("drm/meson: Add support for HDMI venc modes and settings")
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Acked-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Signed-off-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1542793169-13008-1-git-send-email-christianshewitt@gmail.comSigned-off-by: default avatarSean Paul <seanpaul@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f47b8824
    • Aaro Koskinen's avatar
      USB: omap_udc: fix rejection of out transfers when DMA is used · ca993dea
      Aaro Koskinen authored
      [ Upstream commit 069caf59 ]
      
      Commit 387f869d ("usb: gadget: u_ether: conditionally align
      transfer size") started aligning transfer size only if requested,
      breaking omap_udc DMA mode. Set quirk_ep_out_aligned_size to restore
      the old behaviour.
      
      Fixes: 387f869d ("usb: gadget: u_ether: conditionally align transfer size")
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ca993dea
    • Aaro Koskinen's avatar
      USB: omap_udc: fix USB gadget functionality on Palm Tungsten E · 72c982a3
      Aaro Koskinen authored
      [ Upstream commit 2c2322fb ]
      
      On Palm TE nothing happens when you try to use gadget drivers and plug
      the USB cable. Fix by adding the board to the vbus sense quirk list.
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      72c982a3
    • Aaro Koskinen's avatar
      USB: omap_udc: fix omap_udc_start() on 15xx machines · e68f6cb9
      Aaro Koskinen authored
      [ Upstream commit 6ca6695f ]
      
      On OMAP 15xx machines there are no transceivers, and omap_udc_start()
      always fails as it forgot to adjust the default return value.
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e68f6cb9
    • Aaro Koskinen's avatar
      USB: omap_udc: fix crashes on probe error and module removal · 09eb2b90
      Aaro Koskinen authored
      [ Upstream commit 99f70036 ]
      
      We currently crash if usb_add_gadget_udc_release() fails, since the
      udc->done is not initialized until in the remove function.
      Furthermore, on module removal the udc data is accessed although
      the release function is already triggered by usb_del_gadget_udc()
      early in the function.
      
      Fix by rewriting the release and remove functions, basically moving
      all the cleanup into the release function, and doing the completion
      only in the module removal case.
      
      The patch fixes omap_udc module probe with a failing gadged, and also
      allows the removal of omap_udc. Tested by running "modprobe omap_udc;
      modprobe -r omap_udc" in a loop.
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      09eb2b90
    • Aaro Koskinen's avatar
      USB: omap_udc: use devm_request_irq() · 11f8633c
      Aaro Koskinen authored
      [ Upstream commit 286afdde ]
      
      The current code fails to release the third irq on the error path
      (observed by reading the code), and we get also multiple WARNs with
      failing gadget drivers due to duplicate IRQ releases. Fix by using
      devm_request_irq().
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      11f8633c
    • Xin Long's avatar
      ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf · 57dea380
      Xin Long authored
      [ Upstream commit 2a31e4bd ]
      
      ip_vs_dst_event is supposed to clean up all dst used in ipvs'
      destinations when a net dev is going down. But it works only
      when the dst's dev is the same as the dev from the event.
      
      Now with the same priority but late registration,
      ip_vs_dst_notifier is always called later than ipv6_dev_notf
      where the dst's dev is set to lo for NETDEV_DOWN event.
      
      As the dst's dev lo is not the same as the dev from the event
      in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
      Also as these dst have to wait for dest_trash_timer to clean
      them up. It would cause some non-permanent kernel warnings:
      
        unregister_netdevice: waiting for br0 to become free. Usage count = 3
      
      To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
      by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
      
      Note that for ipv4 route fib_netdev_notifier doesn't set dst's
      dev to lo in NETDEV_DOWN event, so this fix is only needed when
      IP_VS_IPV6 is defined.
      
      Fixes: 7a4f0761 ("IPVS: init and cleanup restructuring")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      57dea380
    • Martynas Pumputis's avatar
      bpf: fix check of allowed specifiers in bpf_trace_printk · 9209043b
      Martynas Pumputis authored
      [ Upstream commit 1efb6ee3 ]
      
      A format string consisting of "%p" or "%s" followed by an invalid
      specifier (e.g. "%p%\n" or "%s%") could pass the check which
      would make format_decode (lib/vsprintf.c) to warn.
      
      Fixes: 9c959c86 ("tracing: Allow BPF programs to call bpf_trace_printk()")
      Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com
      Signed-off-by: default avatarMartynas Pumputis <m@lambda.lt>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9209043b
    • Pan Bian's avatar
      exportfs: do not read dentry after free · 42cb0b9e
      Pan Bian authored
      [ Upstream commit 2084ac6c ]
      
      The function dentry_connected calls dput(dentry) to drop the previously
      acquired reference to dentry. In this case, dentry can be released.
      After that, IS_ROOT(dentry) checks the condition
      (dentry == dentry->d_parent), which may result in a use-after-free bug.
      This patch directly compares dentry with its parent obtained before
      dropping the reference.
      
      Fixes: a056cc89("exportfs: stop retrying once we race with
      rename/remove")
      Signed-off-by: default avatarPan Bian <bianpan2016@163.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      42cb0b9e
    • Peter Ujfalusi's avatar
      ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE · bdafd18e
      Peter Ujfalusi authored
      [ Upstream commit ffdcc363 ]
      
      We need to block sleep states which would require longer time to leave than
      the time the DMA must react to the DMA request in order to keep the FIFO
      serviced without overrun.
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Acked-by: default avatarJarkko Nikula <jarkko.nikula@bitmer.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bdafd18e
    • Peter Ujfalusi's avatar
      ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE · 997a8d6c
      Peter Ujfalusi authored
      [ Upstream commit 373a500e ]
      
      We need to block sleep states which would require longer time to leave than
      the time the DMA must react to the DMA request in order to keep the FIFO
      serviced without under of overrun.
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Acked-by: default avatarJarkko Nikula <jarkko.nikula@bitmer.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      997a8d6c
    • Peter Ujfalusi's avatar
      ASoC: omap-mcbsp: Fix latency value calculation for pm_qos · 4a3fa2a5
      Peter Ujfalusi authored
      [ Upstream commit dd2f52d8 ]
      
      The latency number is in usec for the pm_qos. Correct the calculation to
      give us the time in usec
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Acked-by: default avatarJarkko Nikula <jarkko.nikula@bitmer.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4a3fa2a5
    • Kamal Heib's avatar
      RDMA/rdmavt: Fix rvt_create_ah function signature · a625d3e3
      Kamal Heib authored
      [ Upstream commit 4f32fb92 ]
      
      rdmavt uses a crazy system that looses the type checking when assinging
      functions to struct ib_device function pointers. Because of this the
      signature to this function was not changed when the below commit revised
      things.
      
      Fix the signature so we are not calling a function pointer with a
      mismatched signature.
      
      Fixes: 477864c8 ("IB/core: Let create_ah return extended response to user")
      Signed-off-by: default avatarKamal Heib <kamalheib1@gmail.com>
      Reviewed-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a625d3e3
    • Majd Dibbiny's avatar
      RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR · 9692eefb
      Majd Dibbiny authored
      [ Upstream commit 074fca3a ]
      
      Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the
      current fence will be SMALL instead of Normal Fence.
      
      Without this patch krping doesn't work on CX-5 devices and throws
      following error:
      
      The error messages are from CX5 driver are: (from server side)
      [ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe
      [ 710.434016] 00000000 00000000 00000000 00000000
      [ 710.434016] 00000000 00000000 00000000 00000000
      [ 710.434017] 00000000 00000000 00000000 00000000
      [ 710.434018] 00000000 93003204 100000b8 000524d2
      [ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32
      
      Fixed the logic to set the correct fence type.
      
      Fixes: 6e8484c5 ("RDMA/mlx5: set UMR wqe fence according to HCA cap")
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9692eefb
    • Robbie Ko's avatar
      Btrfs: send, fix infinite loop due to directory rename dependencies · 67080eb2
      Robbie Ko authored
      [ Upstream commit a4390aee ]
      
      When doing an incremental send, due to the need of delaying directory move
      (rename) operations we can end up in infinite loop at
      apply_children_dir_moves().
      
      An example scenario that triggers this problem is described below, where
      directory names correspond to the numbers of their respective inodes.
      
      Parent snapshot:
      
       .
       |--- 261/
             |--- 271/
                   |--- 266/
                         |--- 259/
                         |--- 260/
                         |     |--- 267
                         |
                         |--- 264/
                         |     |--- 258/
                         |           |--- 257/
                         |
                         |--- 265/
                         |--- 268/
                         |--- 269/
                         |     |--- 262/
                         |
                         |--- 270/
                         |--- 272/
                         |     |--- 263/
                         |     |--- 275/
                         |
                         |--- 274/
                               |--- 273/
      
      Send snapshot:
      
       .
       |-- 275/
            |-- 274/
                 |-- 273/
                      |-- 262/
                           |-- 269/
                                |-- 258/
                                     |-- 271/
                                          |-- 268/
                                               |-- 267/
                                                    |-- 270/
                                                         |-- 259/
                                                         |    |-- 265/
                                                         |
                                                         |-- 272/
                                                              |-- 257/
                                                                   |-- 260/
                                                                   |-- 264/
                                                                        |-- 263/
                                                                             |-- 261/
                                                                                  |-- 266/
      
      When processing inode 257 we delay its move (rename) operation because its
      new parent in the send snapshot, inode 272, was not yet processed. Then
      when processing inode 272, we delay the move operation for that inode
      because inode 274 is its ancestor in the send snapshot. Finally we delay
      the move operation for inode 274 when processing it because inode 275 is
      its new parent in the send snapshot and was not yet moved.
      
      When finishing processing inode 275, we start to do the move operations
      that were previously delayed (at apply_children_dir_moves()), resulting in
      the following iterations:
      
      1) We issue the move operation for inode 274;
      
      2) Because inode 262 depended on the move operation of inode 274 (it was
         delayed because 274 is its ancestor in the send snapshot), we issue the
         move operation for inode 262;
      
      3) We issue the move operation for inode 272, because it was delayed by
         inode 274 too (ancestor of 272 in the send snapshot);
      
      4) We issue the move operation for inode 269 (it was delayed by 262);
      
      5) We issue the move operation for inode 257 (it was delayed by 272);
      
      6) We issue the move operation for inode 260 (it was delayed by 272);
      
      7) We issue the move operation for inode 258 (it was delayed by 269);
      
      8) We issue the move operation for inode 264 (it was delayed by 257);
      
      9) We issue the move operation for inode 271 (it was delayed by 258);
      
      10) We issue the move operation for inode 263 (it was delayed by 264);
      
      11) We issue the move operation for inode 268 (it was delayed by 271);
      
      12) We verify if we can issue the move operation for inode 270 (it was
          delayed by 271). We detect a path loop in the current state, because
          inode 267 needs to be moved first before we can issue the move
          operation for inode 270. So we delay again the move operation for
          inode 270, this time we will attempt to do it after inode 267 is
          moved;
      
      13) We issue the move operation for inode 261 (it was delayed by 263);
      
      14) We verify if we can issue the move operation for inode 266 (it was
          delayed by 263). We detect a path loop in the current state, because
          inode 270 needs to be moved first before we can issue the move
          operation for inode 266. So we delay again the move operation for
          inode 266, this time we will attempt to do it after inode 270 is
          moved (its move operation was delayed in step 12);
      
      15) We issue the move operation for inode 267 (it was delayed by 268);
      
      16) We verify if we can issue the move operation for inode 266 (it was
          delayed by 270). We detect a path loop in the current state, because
          inode 270 needs to be moved first before we can issue the move
          operation for inode 266. So we delay again the move operation for
          inode 266, this time we will attempt to do it after inode 270 is
          moved (its move operation was delayed in step 12). So here we added
          again the same delayed move operation that we added in step 14;
      
      17) We attempt again to see if we can issue the move operation for inode
          266, and as in step 16, we realize we can not due to a path loop in
          the current state due to a dependency on inode 270. Again we delay
          inode's 266 rename to happen after inode's 270 move operation, adding
          the same dependency to the empty stack that we did in steps 14 and 16.
          The next iteration will pick the same move dependency on the stack
          (the only entry) and realize again there is still a path loop and then
          again the same dependency to the stack, over and over, resulting in
          an infinite loop.
      
      So fix this by preventing adding the same move dependency entries to the
      stack by removing each pending move record from the red black tree of
      pending moves. This way the next call to get_pending_dir_moves() will
      not return anything for the current parent inode.
      
      A test case for fstests, with this reproducer, follows soon.
      Signed-off-by: default avatarRobbie Ko <robbieko@synology.com>
      Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
      [Wrote changelog with example and more clear explanation]
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      67080eb2
    • Romain Izard's avatar
      ARM: dts: at91: sama5d2: use the divided clock for SMC · b254f11c
      Romain Izard authored
      [ Upstream commit 4ab7ca09 ]
      
      The SAMA5D2 is different from SAMA5D3 and SAMA5D4, as there are two
      different clocks for the peripherals in the SoC. The Static Memory
      controller is connected to the divided master clock.
      
      Unfortunately, the device tree does not correctly show this and uses the
      master clock directly. This clock is then used by the code for the NAND
      controller to calculate the timings for the controller, and we end up with
      slow NAND Flash access.
      
      Fix the device tree, and the performance of Flash access is improved.
      Signed-off-by: default avatarRomain Izard <romain.izard.pro@gmail.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b254f11c
    • Artem Savkov's avatar
      objtool: Fix segfault in .cold detection with -ffunction-sections · 5ce4164f
      Artem Savkov authored
      [ Upstream commit 22566c16 ]
      
      Because find_symbol_by_name() traverses the same lists as
      read_symbols(), changing sym->name in place without copying it affects
      the result of find_symbol_by_name().  In the case where a ".cold"
      function precedes its parent in sec->symbol_list, it can result in a
      function being considered a parent of itself. This leads to function
      length being set to 0 and other consequent side-effects including a
      segfault in add_switch_table().  The effects of this bug are only
      visible when building with -ffunction-sections in KCFLAGS.
      
      Fix by copying the search string instead of modifying it in place.
      Signed-off-by: default avatarArtem Savkov <asavkov@redhat.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 13810435 ("objtool: Support GCC 8's cold subfunctions")
      Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5ce4164f
    • Artem Savkov's avatar
      objtool: Fix double-free in .cold detection error path · de21975e
      Artem Savkov authored
      [ Upstream commit 0b9301fb ]
      
      If read_symbols() fails during second list traversal (the one dealing
      with ".cold" subfunctions) it frees the symbol, but never deletes it
      from the list/hash_table resulting in symbol being freed again in
      elf_close(). Fix it by just returning an error, leaving cleanup to
      elf_close().
      Signed-off-by: default avatarArtem Savkov <asavkov@redhat.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 13810435 ("objtool: Support GCC 8's cold subfunctions")
      Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      de21975e
    • Trent Piepho's avatar
      PCI: imx6: Fix link training status detection in link up check · 7d14117b
      Trent Piepho authored
      [ Upstream commit 68bc10bf ]
      
      This bug was introduced in the interaction for two commits on either
      branch of the merge commit 562df5c8 ("Merge branch
      'pci/host-designware' into next").
      
      Commit 4d107d3b ("PCI: imx6: Move link up check into
      imx6_pcie_wait_for_link()"), changed imx6_pcie_wait_for_link() to poll
      the link status register directly, checking for link up and not
      training, and made imx6_pcie_link_up() only check the link up bit (once,
      not a polling loop).
      
      While commit 886bc5ce ("PCI: designware: Add generic
      dw_pcie_wait_for_link()"), replaced the loop in
      imx6_pcie_wait_for_link() with a call to a new dwc core function, which
      polled imx6_pcie_link_up(), which still checked both link up and not
      training in a loop.
      
      When these two commits were merged, the version of
      imx6_pcie_wait_for_link() from 886bc5ce was kept, which eliminated
      the link training check placed there by 4d107d3b. However, the
      version of imx6_pcie_link_up() from 4d107d3b was kept, which
      eliminated the link training check that had been there and was moved to
      imx6_pcie_wait_for_link().
      
      The result was the link training check got lost for the imx6 driver.
      
      Eliminate imx6_pcie_link_up() so that the default handler,
      dw_pcie_link_up(), is used instead. The default handler has the correct
      code, which checks for link up and also that it still is not training,
      fixing the regression.
      
      Fixes: 562df5c8 ("Merge branch 'pci/host-designware' into next")
      Signed-off-by: default avatarTrent Piepho <tpiepho@impinj.com>
      [lorenzo.pieralisi@arm.com: rewrote the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Reviewed-by: default avatarLucas Stach <l.stach@pengutronix.de>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Joao Pinto <Joao.Pinto@synopsys.com>
      Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: Richard Zhu <hongxing.zhu@nxp.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7d14117b
    • Jiri Olsa's avatar
      perf tools: Restore proper cwd on return from mnt namespace · d36cc607
      Jiri Olsa authored
      [ Upstream commit b01c1f69 ]
      
      When reporting on 'record' server we try to retrieve/use the mnt
      namespace of the profiled tasks. We use following API with cookie to
      hold the return namespace, roughly:
      
        nsinfo__mountns_enter(struct nsinfo *nsi, struct nscookie *nc)
          setns(newns, 0);
        ...
        new ns related open..
        ...
        nsinfo__mountns_exit(struct nscookie *nc)
          setns(nc->oldns)
      
      Once finished we setns to old namespace, which also sets the current
      working directory (cwd) to "/", trashing the cwd we had.
      
      This is mostly fine, because we use absolute paths almost everywhere,
      but it screws up 'perf diff':
      
        # perf diff
        failed to open perf.data: No such file or directory  (try 'perf record' first)
        ...
      
      Adding the current working directory to be part of the cookie and
      restoring it in the nsinfo__mountns_exit call.
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Krister Johansen <kjlx@templeofstupid.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Fixes: 843ff37b ("perf symbols: Find symbols in different mount namespace")
      Link: http://lkml.kernel.org/r/20181101170001.30019-1-jolsa@kernel.org
      [ No need to check for NULL args for free(), use zfree() for struct members ]
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d36cc607
    • Huacai Chen's avatar
      hwmon: (w83795) temp4_type has writable permission · ca0bcef7
      Huacai Chen authored
      [ Upstream commit 09aaf681 ]
      
      Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
      is writable, so fix it.
      Signed-off-by: default avatarYao Wang <wangyao@lemote.com>
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Fixes: 39deb699 (" hwmon: (w83795) Simplify temperature sensor type handling")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ca0bcef7
    • Taehee Yoo's avatar
      netfilter: xt_hashlimit: fix a possible memory leak in htable_create() · f500a4ef
      Taehee Yoo authored
      [ Upstream commit b4e955e9 ]
      
      In the htable_create(), hinfo is allocated by vmalloc()
      So that if error occurred, hinfo should be freed.
      
      Fixes: 11d5f157 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f500a4ef
    • Hans de Goede's avatar
      iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers · aa17c9c0
      Hans de Goede authored
      [ Upstream commit 0145b505 ]
      
      Before this commit sensor_hub_input_attr_get_raw_value() failed to take
      the signedness of 16 and 8 bit values into account, returning e.g.
      65436 instead of -100 for the z-axis reading of an accelerometer.
      
      This commit adds a new is_signed parameter to the function and makes all
      callers pass the appropriate value for this.
      
      While at it, this commit also fixes up some neighboring lines where
      statements were needlessly split over 2 lines to improve readability.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Acked-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aa17c9c0
    • Tzung-Bi Shih's avatar
      ASoC: dapm: Recalculate audio map forcely when card instantiated · 55b648d1
      Tzung-Bi Shih authored
      [ Upstream commit 882eab6c ]
      
      Audio map are possible in wrong state before card->instantiated has
      been set to true.  Imaging the following examples:
      
      time 1: at the beginning
      
        in:-1    in:-1    in:-1    in:-1
       out:-1   out:-1   out:-1   out:-1
       SIGGEN        A        B      Spk
      
      time 2: after someone called snd_soc_dapm_new_widgets()
      (e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c)
      
         in:1     in:0     in:0     in:0
        out:0    out:0    out:0    out:1
       SIGGEN        A        B      Spk
      
      time 3: routes added
      
         in:1     in:0     in:0     in:0
        out:0    out:0    out:0    out:1
       SIGGEN -----> A -----> B ---> Spk
      
      In the end, the path should be powered on but it did not.  At time 3,
      "in" of SIGGEN and "out" of Spk did not propagate to their neighbors
      because snd_soc_dapm_add_path() will not invalidate the paths if
      the card has not instantiated (i.e. card->instantiated is false).
      To correct the state of audio map, recalculate the whole map forcely.
      Signed-off-by: default avatarTzung-Bi Shih <tzungbi@google.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      55b648d1
    • Peter Ujfalusi's avatar
      ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing · b65b4228
      Peter Ujfalusi authored
      [ Upstream commit 76836fd3 ]
      
      The machine driver fails to probe in next-20181113 with:
      
      [    2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered
      [    2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517
      ...
      [    3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040
      [    3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040
      [    3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22
      [    3.715148] omap-abe-twl6040: probe of sound failed with error -22
      
      Bisect pointed to a merge commit:
      first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master'
      
      and a diff between a working kernel does not reveal anything which would
      explain the change in behavior.
      
      Further investigation showed that on the second try of loading fails
      because the dai_link->platform is no longer NULL and it might be pointing
      to uninitialized memory.
      
      The fix is to move the snd_soc_dai_link and snd_soc_card inside of the
      abe_twl6040 struct, which is dynamically allocated every time the driver
      probes.
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b65b4228
    • Nicolin Chen's avatar
      hwmon: (ina2xx) Fix current value calculation · fd2c1ba1
      Nicolin Chen authored
      [ Upstream commit 38cd989e ]
      
      The current register (04h) has a sign bit at MSB. The comments
      for this calculation also mention that it's a signed register.
      
      However, the regval is unsigned type so result of calculation
      turns out to be an incorrect value when current is negative.
      
      This patch simply fixes this by adding a casting to s16.
      
      Fixes: 5d389b12 ("hwmon: (ina2xx) Make calibration register value fixed")
      Signed-off-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fd2c1ba1
    • Thomas Richter's avatar
      s390/cpum_cf: Reject request for sampling in event initialization · 250dea0d
      Thomas Richter authored
      [ Upstream commit 613a41b0 ]
      
      On s390 command perf top fails
      [root@s35lp76 perf] # ./perf top -F100000  --stdio
         Error:
         cycles: PMU Hardware doesn't support sampling/overflow-interrupts.
         	Try 'perf stat'
      [root@s35lp76 perf] #
      
      Using event -e rb0000 works as designed.  Event rb0000 is the event
      number of the sampling facility for basic sampling.
      
      During system start up the following PMUs are installed in the kernel's
      PMU list (from head to tail):
         cpum_cf --> s390 PMU counter facility device driver
         cpum_sf --> s390 PMU sampling facility device driver
         uprobe
         kprobe
         tracepoint
         task_clock
         cpu_clock
      
      Perf top executes following functions and calls perf_event_open(2) system
      call with different parameters many times:
      
      cmd_top
      --> __cmd_top
          --> perf_evlist__add_default
              --> __perf_evlist__add_default
                  --> perf_evlist__new_cycles (creates event type:0 (HW)
      			    		config 0 (CPU_CYCLES)
      	        --> perf_event_attr__set_max_precise_ip
      		    Uses perf_event_open(2) to detect correct
      		    precise_ip level. Fails 3 times on s390 which is ok.
      
      Then functions cmd_top
      --> __cmd_top
          --> perf_top__start_counters
              -->perf_evlist__config
      	   --> perf_can_comm_exec
                     --> perf_probe_api
      	           This functions test support for the following events:
      		   "cycles:u", "instructions:u", "cpu-clock:u" using
      		   --> perf_do_probe_api
      		       --> perf_event_open_cloexec
      		           Test the close on exec flag support with
      			   perf_event_open(2).
      	               perf_do_probe_api returns true if the event is
      		       supported.
      		       The function returns true because event cpu-clock is
      		       supported by the PMU cpu_clock.
      	               This is achieved by many calls to perf_event_open(2).
      
      Function perf_top__start_counters now calls perf_evsel__open() for every
      event, which is the default event cpu_cycles (config:0) and type HARDWARE
      (type:0) which a predfined frequence of 4000.
      
      Given the above order of the PMU list, the PMU cpum_cf gets called first
      and returns 0, which indicates support for this sampling. The event is
      fully allocated in the function perf_event_open (file kernel/event/core.c
      near line 10521 and the following check fails:
      
              event = perf_event_alloc(&attr, cpu, task, group_leader, NULL,
      		                 NULL, NULL, cgroup_fd);
      	if (IS_ERR(event)) {
      		err = PTR_ERR(event);
      		goto err_cred;
      	}
      
              if (is_sampling_event(event)) {
      		if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) {
      			err = -EOPNOTSUPP;
      			goto err_alloc;
      		}
      	}
      
      The check for the interrupt capabilities fails and the system call
      perf_event_open() returns -EOPNOTSUPP (-95).
      
      Add a check to return -ENODEV when sampling is requested in PMU cpum_cf.
      This allows common kernel code in the perf_event_open() system call to
      test the next PMU in above list.
      
      Fixes: 97b1198f (" "s390, perf: Use common PMU interrupt disabled code")
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Reviewed-by: default avatarHendrik Brueckner <brueckner@linux.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      250dea0d
    • Richard Fitzgerald's avatar
      ASoC: wm_adsp: Fix dma-unsafe read of scratch registers · 5391e32b
      Richard Fitzgerald authored
      [ Upstream commit 20e00db2 ]
      
      Stack memory isn't DMA-safe so it isn't safe to use either
      regmap_raw_read or regmap_bulk_read to read into stack memory.
      
      The two functions to read the scratch registers were using
      stack memory and regmap_raw_read. It's not worth allocating
      memory just for this trivial read, and it isn't time-critical.
      A simple regmap_read for each register is sufficient.
      Signed-off-by: default avatarRichard Fitzgerald <rf@opensource.cirrus.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5391e32b
    • Nicolin Chen's avatar
      hwmon (ina2xx) Fix NULL id pointer in probe() · de2324a0
      Nicolin Chen authored
      [ Upstream commit 70df9ebb ]
      
      When using DT configurations, the id pointer might turn out to
      be NULL. Then the driver encounters NULL pointer access:
      
        Unable to handle kernel read from unreadable memory at vaddr 00000018
        [...]
        PC is at ina2xx_probe+0x114/0x200
        LR is at ina2xx_probe+0x10c/0x200
        [...]
        Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      The reason is that i2c core returns the id pointer by matching
      id_table with client->name, while the client->name is actually
      using the name from the first string in the DT compatible list,
      not the best one. So i2c core would fail to match the id_table
      if the best matched compatible string isn't the first one, and
      then would return a NULL id pointer.
      
      This probably should be fixed in i2c core. But it doesn't hurt
      to make the driver robust. So this patch fixes it by using the
      "chip" that's added to unify both DT and non-DT configurations.
      
      Additionally, since id pointer could be null, so as id->name:
        ina2xx 10-0047: power monitor (null) (Rshunt = 1000 uOhm)
        ina2xx 10-0048: power monitor (null) (Rshunt = 10000 uOhm)
      
      So this patch also fixes NULL name pointer, using client->name
      to play safe and to align with hwmon->name.
      
      Fixes: bd0ddd4d ("hwmon: (ina2xx) Add OF device ID table")
      Signed-off-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      de2324a0
    • Florian Westphal's avatar
      netfilter: nf_tables: fix use-after-free when deleting compat expressions · 38e22947
      Florian Westphal authored
      [ Upstream commit 29e38801 ]
      
      nft_compat ops do not have static storage duration, unlike all other
      expressions.
      
      When nf_tables_expr_destroy() returns, expr->ops might have been
      free'd already, so we need to store next address before calling
      expression destructor.
      
      For same reason, we can't deref match pointer after nft_xt_put().
      
      This can be easily reproduced by adding msleep() before
      nft_match_destroy() returns.
      
      Fixes: 0ca743a5 ("netfilter: nf_tables: add compatibility layer for x_tables")
      Reported-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      38e22947