1. 13 Sep, 2017 3 commits
  2. 10 Sep, 2017 1 commit
  3. 09 Sep, 2017 36 commits
    • Sven Joachim's avatar
      rtlwifi: Fix fallback firmware loading · ce4ef934
      Sven Joachim authored
      commit 1d9b168d upstream.
      
      Commit f70e4df2 ("rtlwifi: Add code to read new versions of
      firmware") added code to load an old firmware file if the new one is
      not available.  Unfortunately that code is never reached because
      request_firmware_nowait() does not wait for the firmware to show up
      and returns 0 even if the file is not there.
      
      Use the existing fallback mechanism introduced by commit 62009b7f
      ("rtlwifi: rtl8192cu: Add new firmware") instead.
      
      Fixes: f70e4df2 ("rtlwifi: Add code to read new versions of firmware")
      Signed-off-by: default avatarSven Joachim <svenjoac@gmx.de>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce4ef934
    • Souptick Joarder's avatar
      rtlwifi: Fix memory leak when firmware request fails · 21da5e36
      Souptick Joarder authored
      commit f2764f61 upstream.
      
      This patch will fix memory leak when firmware request fails
      Signed-off-by: default avatarSouptick Joarder <jrdr.linux@gmail.com>
      Acked-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Cc: Sven Joachim <svenjoac@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21da5e36
    • Bjorn Andersson's avatar
      of/device: Prevent buffer overflow in of_device_modalias() · 3ef5220b
      Bjorn Andersson authored
      commit 08ab58d9 upstream.
      
      As of_device_get_modalias() returns the number of bytes that would have
      been written to the target string, regardless of how much did fit in the
      buffer, it's possible that the returned index points beyond the buffer
      passed to of_device_modalias() - causing memory beyond the buffer to be
      null terminated.
      
      Fixes: 0634c295 ("of: Add function for generating a DT modalias with a newline")
      Cc: Rob Herring <robh@kernel.org>
      Signed-off-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ef5220b
    • Todd Poynor's avatar
      scsi: sg: recheck MMAP_IO request length with lock held · aee0b37b
      Todd Poynor authored
      commit 8d26f491 upstream.
      
      Commit 1bc0eb04 ("scsi: sg: protect accesses to 'reserved' page
      array") adds needed concurrency protection for the "reserve" buffer.
      Some checks that are initially made outside the lock are replicated once
      the lock is taken to ensure the checks and resulting decisions are made
      using consistent state.
      
      The check that a request with flag SG_FLAG_MMAP_IO set fits in the
      reserve buffer also needs to be performed again under the lock to ensure
      the reserve buffer length compared against matches the value in effect
      when the request is linked to the reserve buffer.  An -ENOMEM should be
      returned in this case, instead of switching over to an indirect buffer
      as for non-MMAP_IO requests.
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aee0b37b
    • Todd Poynor's avatar
      scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE · b0f24dc0
      Todd Poynor authored
      commit 6a8dadcc upstream.
      
      Take f_mutex around mmap() processing to protect against races with the
      SG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains
      consistent during the mapping operation, and set the "mmap called" flag
      to prevent further changes to the reserved buffer size as an atomic
      operation with the mapping.
      
      [mkp: fixed whitespace]
      Signed-off-by: default avatarTodd Poynor <toddpoynor@google.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0f24dc0
    • Andrey Korolyov's avatar
      cs5536: add support for IDE controller variant · 1054309a
      Andrey Korolyov authored
      commit 591b6bb6 upstream.
      
      Several legacy devices such as Geode-based Cisco ASA appliances
      and DB800 development board do possess CS5536 IDE controller
      with different PCI id than existing one. Using pata_generic is
      not always feasible as at least DB800 requires MSR quirk from
      pata_cs5536 to be used with vendor firmware.
      Signed-off-by: default avatarAndrey Korolyov <andrey@xdel.ru>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1054309a
    • Christoph Hellwig's avatar
      ahci: don't use MSI for devices with the silly Intel NVMe remapping scheme · e5298cd8
      Christoph Hellwig authored
      commit f723fa4e upstream.
      
      Intel AHCI controllers that also hide NVMe devices in their bar
      can't use MSI interrupts, so disable them.
      Reported-by: default avatarJohn Loy <john.robert.loy@gmail.com>
      Tested-by: default avatarJohn Loy <john.robert.loy@gmail.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Fixes: d684a90d ("ahci: per-port msix support")
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5298cd8
    • Ben Hutchings's avatar
      workqueue: Fix flag collision · f21c4eea
      Ben Hutchings authored
      commit fbf1c41f upstream.
      
      Commit 0a94efb5 ("workqueue: implicit ordered attribute should be
      overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
      same value as __WQ_LEGACY.  I don't believe these were intended to
      mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
      
      Fixes: 0a94efb5 ("workqueue: implicit ordered attribute should be ...")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f21c4eea
    • Maarten Lankhorst's avatar
      drm/nouveau: Fix error handling in nv50_disp_atomic_commit · daf316ac
      Maarten Lankhorst authored
      commit 813a7e16 upstream.
      
      Make it more clear that post commit return ret is really return 0,
      
      and add a missing drm_atomic_helper_cleanup_planes when
      drm_atomic_helper_wait_for_fences fails.
      
      Fixes: 839ca903 ("drm/nouveau/kms/nv50: transition to atomic interfaces internally")
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: dri-devel@lists.freedesktop.org
      Cc: nouveau@lists.freedesktop.org
      Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170711143314.2148-2-maarten.lankhorst@linux.intel.comReviewed-by: default avatarSean Paul <seanpaul@chromium.org>
      [mlankhorst: Use if (ret) to remove the goto in success case.]
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      daf316ac
    • Ilia Mirkin's avatar
      drm/nouveau/pci/msi: disable MSI on big-endian platforms by default · 75bc569a
      Ilia Mirkin authored
      commit bc60c90f upstream.
      
      It appears that MSI does not work on either G5 PPC nor on a E5500-based
      platform, where other hardware is reported to work fine with MSI.
      
      Both tests were conducted with NV4x hardware, so perhaps other (or even
      this) hardware can be made to work. It's still possible to force-enable
      with config=NvMSI=1 on load.
      Signed-off-by: default avatarIlia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      75bc569a
    • Martin Schwidefsky's avatar
      s390/mm: fix BUG_ON in crst_table_upgrade · e3b9fb20
      Martin Schwidefsky authored
      commit 8ab867cb upstream.
      
      A 31-bit compat process can force a BUG_ON in crst_table_upgrade
      with specific, invalid mmap calls, e.g.
      
         mmap((void*) 0x7fff8000, 0x10000, 3, 32, -1, 0)
      
      The arch_get_unmapped_area[_topdown] functions miss an if condition
      in the decision to do a page table upgrade.
      
      [ms: Backport to 4.12, minor context change]
      
      Fixes: 9b11c791 ("s390/mm: simplify arch_get_unmapped_area[_topdown]")
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3b9fb20
    • Christian Borntraeger's avatar
      s390/mm: avoid empty zero pages for KVM guests to avoid postcopy hangs · 2ce0e049
      Christian Borntraeger authored
      commit fa41ba0d upstream.
      
      Right now there is a potential hang situation for postcopy migrations,
      if the guest is enabling storage keys on the target system during the
      postcopy process.
      
      For storage key virtualization, we have to forbid the empty zero page as
      the storage key is a property of the physical page frame.  As we enable
      storage key handling lazily we then drop all mappings for empty zero
      pages for lazy refaulting later on.
      
      This does not work with the postcopy migration, which relies on the
      empty zero page never triggering a fault again in the future. The reason
      is that postcopy migration will simply read a page on the target system
      if that page is a known zero page to fault in an empty zero page.  At
      the same time postcopy remembers that this page was already transferred
      - so any future userfault on that page will NOT be retransmitted again
      to avoid races.
      
      If now the guest enters the storage key mode while in postcopy, we will
      break this assumption of postcopy.
      
      The solution is to disable the empty zero page for KVM guests early on
      and not during storage key enablement. With this change, the postcopy
      migration process is guaranteed to start after no zero pages are left.
      
      As guest pages are very likely not empty zero pages anyway the memory
      overhead is also pretty small.
      
      While at it this also adds proper page table locking to the zero page
      removal.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Acked-by: default avatarJanosch Frank <frankja@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ce0e049
    • Michael Moese's avatar
      MCB: add support for SC31 to mcb-lpc · d859d5a4
      Michael Moese authored
      commit acf5e051 upstream.
      
      This patch adds the resources and DMI ID's for the MEN SC31,
      which uses a different address region to map the LPC bus than
      the one used for the existing SC24.
      Signed-off-by: default avatarMichael Moese <michael.moese@men.de>
      [jth add stable tag]
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d859d5a4
    • Brian Norris's avatar
      mwifiex: correct channel stat buffer overflows · f7fb7898
      Brian Norris authored
      commit 4b5dde2d upstream.
      
      mwifiex records information about various channels as it receives scan
      information. It does this by appending to a buffer that was sized
      to the max number of supported channels on any band, but there are
      numerous problems:
      
      (a) scans can return info from more than one band (e.g., both 2.4 and 5
          GHz), so the determined "max" is not large enough
      (b) some firmware appears to return multiple results for a given
          channel, so the max *really* isn't large enough
      (c) there is no bounds checking when stashing these stats, so problems
          (a) and (b) can easily lead to buffer overflows
      
      Let's patch this by setting a slightly-more-correct max (that accounts
      for a combination of both 2.4G and 5G bands) and adding a bounds check
      when writing to our statistics buffer.
      
      Due to problem (b), we still might not properly report all known survey
      information (e.g., with "iw <dev> survey dump"), since duplicate results
      (or otherwise "larger than expected" results) will cause some
      truncation. But that's a problem for a future bugfix.
      
      (And because of this known deficiency, only log the excess at the WARN
      level, since that isn't visible by default in this driver and would
      otherwise be a bit too noisy.)
      
      Fixes: bf354433 ("mwifiex: channel statistics support for mwifiex")
      Cc: Avinash Patil <patila@marvell.com>
      Cc: Xinming Hu <huxm@marvell.com>
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Reviewed-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7fb7898
    • Edwin Török's avatar
      dlm: avoid double-free on error path in dlm_device_{register,unregister} · 0bfb0782
      Edwin Török authored
      commit 55acdd92 upstream.
      
      Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4):
       # seq 1 100 | xargs -P0 -n1 dlm_tool join
       # seq 1 100 | xargs -P0 -n1 dlm_tool leave
      
      misc_register fails due to duplicate sysfs entry, which causes
      dlm_device_register to free ls->ls_device.name.
      In dlm_device_deregister the name was freed again, causing memory
      corruption.
      
      According to the comment in dlm_device_deregister the name should've been
      set to NULL when registration fails,
      so this patch does that.
      
      sysfs: cannot create duplicate filename '/dev/char/10:1'
      ------------[ cut here ]------------
      warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70
      modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo
      videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev
      btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl
      x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
      snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi
      snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic
      snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec
      cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep
      iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw
      cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore
      sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse
       e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci
      pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video
      cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic
      hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012
      task: ffff96b0cbabe140 task.stack: ffffb199027d0000
      rip: 0010:sysfs_warn_dup+0x56/0x70
      rsp: 0018:ffffb199027d3c58 eflags: 00010282
      rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006
      rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0
      rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721
      r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1
      r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef
      fs:  00007f78069c0700(0000) gs:ffff96b15e240000(0000)
      knlgs:0000000000000000
      cs:  0010 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0
      call trace:
       sysfs_do_create_link_sd.isra.2+0x9e/0xb0
       sysfs_create_link+0x25/0x40
       device_add+0x5a9/0x640
       device_create_groups_vargs+0xe0/0xf0
       device_create_with_groups+0x3f/0x60
       ? snprintf+0x45/0x70
       misc_register+0x140/0x180
       device_write+0x6a8/0x790 [dlm]
       __vfs_write+0x37/0x160
       ? apparmor_file_permission+0x1a/0x20
       ? security_file_permission+0x3b/0xc0
       vfs_write+0xb5/0x1a0
       sys_write+0x55/0xc0
       ? sys_fcntl+0x5d/0xb0
       entry_syscall_64_fastpath+0x1e/0xa9
      rip: 0033:0x7f78083454bd
      rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001
      rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd
      rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005
      rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032
      r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00
      r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70
      code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8
      ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89
      df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
      ---[ end trace 40412246357cc9e0 ]---
      
      dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group...
      bug: unable to handle kernel null pointer dereference at 0000000000000001
      ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      pgd 0
      oops: 0000 [#1] smp
      modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6
      nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod
      aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul
      glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss
      oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4
      hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too
      serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata
      scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6
      cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1
      hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017
      task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000
      rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>]
      kmem_cache_alloc+0x7a/0x140
      rsp: e02b:ffff88000243fd90 eflags: 00010202
      rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c
      rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00
      rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054
      r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0
      r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2
      fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000
      cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033
      cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660
      stack:
      ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0
      ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2
      ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90
      call trace:
      [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140
      [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140
      [<ffffffff8107033e>] copy_process+0xcae/0x1a80
      [<ffffffff8107128b>] _do_fork+0x8b/0x2d0
      [<ffffffff81071579>] sys_clone+0x19/0x20
      [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71
      ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80
      00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c
      06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63
      rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140
      rsp <ffff88000243fd90>
      cr2: 0000000000000001
      --[ end trace 70cb9fd1b164a0e8 ]--
      Signed-off-by: default avatarEdwin Török <edvin.torok@citrix.com>
      Signed-off-by: default avatarDavid Teigland <teigland@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bfb0782
    • Luca Coelho's avatar
      iwlwifi: pci: add new PCI ID for 7265D · 98569691
      Luca Coelho authored
      commit 3f7a5e13 upstream.
      
      We have a new PCI subsystem ID for 7265D.  Add it to the list.
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98569691
    • Dmitry Tunin's avatar
      Bluetooth: Add support of 13d3:3494 RTL8723BE device · cbe865a2
      Dmitry Tunin authored
      commit a81d72d2 upstream.
      
      T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
      D: Ver= 2.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=13d3 ProdID=3494 Rev= 2.00
      S: Manufacturer=Realtek
      S: Product=Bluetooth Radio
      S: SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
      E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cbe865a2
    • Malcolm Priestley's avatar
      rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter · 7d20c553
      Malcolm Priestley authored
      commit fc81bab5 upstream.
      
      _rtl_pci_find_adapter fail path will jump to label fail3 for
      unsupported adapter types.
      
      However, on course for fail3 there will be call rtl_deinit_core
      before rtl_init_core.
      
      For the inclusion of checking pci_iounmap this fail can be moved to
      fail2.
      
      Fixes
      [    4.492963] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [    4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi]
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d20c553
    • Oscar Campos's avatar
      Input: trackpoint - assume 3 buttons when buttons detection fails · a47814b2
      Oscar Campos authored
      commit 293b915f upstream.
      
      Trackpoint buttons detection fails on ThinkPad 570 and 470 series,
      this makes the middle button of the trackpoint to not being recogized.
      As I don't believe there is any trackpoint with less than 3 buttons this
      patch just assumes three buttons when the extended button information
      read fails.
      Signed-off-by: default avatarOscar Campos <oscar.campos@member.fsf.org>
      Acked-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a47814b2
    • Rakesh Pillai's avatar
      ath10k: fix memory leak in rx ring buffer allocation · d49ea1b6
      Rakesh Pillai authored
      commit f35a7f91 upstream.
      
      The rx ring buffers are added to a hash table if
      firmware support full rx reorder. If the full rx
      reorder support flag is not set before allocating
      the rx ring buffers, none of the buffers are added
      to the hash table.
      
      There is a race condition between rx ring refill and
      rx buffer replenish from napi poll. The interrupts are
      enabled in hif start, before the rx ring is refilled during init.
      We replenish buffers from napi poll due to the interrupts which
      get enabled after hif start. Hence before the entire rx ring is
      refilled during the init, the napi poll replenishes a few buffers
      in steps of 100 buffers per attempt. During this rx ring replenish
      from napi poll, the rx reorder flag has not been set due to which
      the replenished buffers are not added to the hash table
      
      Set the rx full reorder support flag before we allocate
      the rx ring buffer to avoid the memory leak.
      Signed-off-by: default avatarRakesh Pillai <pillair@qti.qualcomm.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Cc: Christian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d49ea1b6
    • Alexander Shishkin's avatar
      intel_th: pci: Add Cannon Lake PCH-LP support · 270f0aad
      Alexander Shishkin authored
      commit efb3669e upstream.
      
      This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-LP.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      270f0aad
    • Alexander Shishkin's avatar
      intel_th: pci: Add Cannon Lake PCH-H support · d2192374
      Alexander Shishkin authored
      commit 84331e13 upstream.
      
      This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-H.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d2192374
    • Ian Abbott's avatar
      fpga: altera-hps2fpga: fix multiple init of l3_remap_lock · 055be595
      Ian Abbott authored
      commit 4ae2bd4b upstream.
      
      The global spinlock `l3_remap_lock` is reinitialized every time the
      "probe" function `alt_fpga_bridge_probe()` is called.  It should only be
      initialized once.  Use `DEFINE_SPINLOCK()` to initialize it statically.
      
      Fixes: e5f8efa5 ("ARM: socfpga: fpga bridge driver support")
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reviewed-By: default avatarMoritz Fischer <mdf@kernel.org>
      Signed-off-by: default avatarAlan Tull <atull@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      055be595
    • Horia Geantă's avatar
      crypto: caam/qi - fix compilation with DEBUG enabled · ba89dc8d
      Horia Geantă authored
      commit 972b812b upstream.
      
      caam/qi driver does not compile when DEBUG is enabled
      (CRYPTO_DEV_FSL_CAAM_DEBUG=y):
      
      drivers/crypto/caam/caamalg_qi.c: In function 'ablkcipher_done':
      drivers/crypto/caam/caamalg_qi.c:794:2: error: implicit declaration of function 'dbg_dump_sg' [-Werror=implicit-function-declaration]
        dbg_dump_sg(KERN_ERR, "dst    @" __stringify(__LINE__)": ",
      
      Since dbg_dump_sg() is shared between caam/jr and caam/qi, move it
      in a shared location and export it.
      
      At the same time:
      -reduce ifdeferry by providing a no-op implementation for !DEBUG case
      -rename it to caam_dump_sg() to be consistent in terms of
      exported symbols namespace (caam_*)
      
      Fixes: b189817c ("crypto: caam/qi - add ablkcipher and authenc algorithms")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba89dc8d
    • Horia Geantă's avatar
      crypto: caam/qi - fix compilation with CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y · aa57cf57
      Horia Geantă authored
      commit 1ed289f7 upstream.
      
      caam/qi driver fails to compile when CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y.
      Fix it by making the offending local per_cpu variable global.
      
      Fixes: 67c2315d ("crypto: caam - add Queue Interface (QI) backend support")
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa57cf57
    • Christian Brauner's avatar
      binder: free memory on error · 693ef09d
      Christian Brauner authored
      commit 22eb9476 upstream.
      
      On binder_init() the devices string is duplicated and smashed into individual
      device names which are passed along. However, the original duplicated string
      wasn't freed in case binder_init() failed. Let's free it on error.
      Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      693ef09d
    • Jason Gerecke's avatar
      HID: wacom: Do not completely map WACOM_HID_WD_TOUCHRINGSTATUS usage · bbe1a3b3
      Jason Gerecke authored
      commit 8d411cbf upstream.
      
      The WACOM_HID_WD_TOUCHRINGSTATUS usage is a single bit which tells us
      whether the touchring is currently in use or not. Because we need to
      reset the axis value to 0 when the finger is removed, we call
      'wacom_map_usage' to ensure that the required type/code values are
      associated with the usage. The 'wacom_map_usage' also sets up the axis
      range and resolution, however, which is not desired in this particular
      case.
      
      Although xf86-input-wacom doesn't do really do anything with the ring's
      range or resolution, the libinput driver (for Wayland environments)
      uses these values to provide proper angle indications to userspace.
      
      Fixes: 60a22186 ("HID: wacom: generic: add support for touchring")
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbe1a3b3
    • Christophe JAILLET's avatar
      driver core: bus: Fix a potential double free · af617519
      Christophe JAILLET authored
      commit 0f9b011d upstream.
      
      The .release function of driver_ktype is 'driver_release()'.
      This function frees the container_of this kobject.
      
      So, this memory must not be freed explicitly in the error handling path of
      'bus_add_driver()'. Otherwise a double free will occur.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af617519
    • Akinobu Mita's avatar
      iio: adc: ti-ads1015: add adequate wait time to get correct conversion · 6c6c3c6b
      Akinobu Mita authored
      commit 4744d4e2 upstream.
      
      This driver assumes that the device is operating in the continuous
      conversion mode which performs the conversion continuously.  So this driver
      inserts a wait time before reading the conversion register if the
      configuration is changed from a previous request.
      
      Currently, the wait time is only the period required for a single
      conversion that is calculated as the reciprocal of the sampling frequency.
      However we also need to wait for the the previous conversion to complete.
      Otherwise we probably get the conversion result for the previous
      configuration when the sampling frequency is lower.
      
      Cc: Daniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c6c3c6b
    • Akinobu Mita's avatar
      iio: adc: ti-ads1015: don't return invalid value from buffer setup callbacks · 00202ded
      Akinobu Mita authored
      commit a6fe5e52 upstream.
      
      pm_runtime_get_sync() and pm_runtime_put_autosuspend() return 0 on
      success, 1 if the device's runtime PM status was already requested status
      or error code on failure.  So a positive return value doesn't indicate an
      error condition.
      
      However, any non-zero return values from buffer preenable and postdisable
      callbacks are recognized as an error and this driver reuses the return
      value from pm_runtime_get_sync() and pm_runtime_put_autosuspend() in
      these callbacks.  This change fixes the false error detections.
      
      Cc: Daniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00202ded
    • Akinobu Mita's avatar
      iio: adc: ti-ads1015: avoid getting stale result after runtime resume · 303d31eb
      Akinobu Mita authored
      commit 73e3e3fc upstream.
      
      This driver assumes that the device is operating in the continuous
      conversion mode which performs the conversion continuously.  So this driver
      doesn't insert a wait time before reading the conversion register if the
      configuration is not changed from a previous request.
      
      This assumption is broken if the device is runtime suspended and entered
      a power-down state.  The forthcoming request causes reading a stale result
      from the conversion register as the device is runtime resumed just before.
      
      Fix it by adding a flag to detect that condition and insert a necessary
      wait time.
      
      Cc: Daniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      303d31eb
    • Akinobu Mita's avatar
      iio: adc: ti-ads1015: enable conversion when CONFIG_PM is not set · 6c164a8a
      Akinobu Mita authored
      commit e8245c68 upstream.
      
      The ADS1015 device have two operating modes, continuous conversion mode
      and single-shot mode.  This driver assumes that the continuous conversion
      mode is selected by runtime resume callback when the ADC result is
      requested.
      
      If CONFIG_PM is disabled, the device is always in the default single-shot
      mode and no one begins a single conversion.  So the conversion register
      doesn't contain valid ADC result.  Fix it by changing the continuous mode
      in probe function.
      
      Cc: Daniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c164a8a
    • Akinobu Mita's avatar
      iio: adc: ti-ads1015: fix scale information for ADS1115 · 6c5595e0
      Akinobu Mita authored
      commit 8d0e8e79 upstream.
      
      The ti-ads1015 driver supports ADS1015 and ADS1115 devices.  The same
      scale information is used for both devices in this driver, however they
      have actually different values and the ADS1115's one is not correct.
      
      These devices have the same full-scale input voltage range for each PGA
      selection.  So instead of adding another hardcoded scale information,
      compute a correct scale on demand from each device's resolution.
      
      Cc: Daniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c5595e0
    • Akinobu Mita's avatar
      iio: adc: ti-ads1015: fix incorrect data rate setting update · 1d7fadc5
      Akinobu Mita authored
      commit 0d106b74 upstream.
      
      The ti-ads1015 driver has eight iio voltage channels and each iio channel
      can hold own sampling frequency information.
      
      The ADS1015 device only have a single config register which contains an
      input multiplexer selection, PGA and data rate settings.  So the driver
      should load the correct settings when the input multiplexer selection is
      changed.
      
      However, regardless of which channlel is currently selected, changing any
      iio channel's sampling frequency information immediately overwrites the
      current data rate setting in the config register.
      
      It breaks the current data rate setting if the different channel's sampling
      frequency information is changed because the data rate setting is not
      reloaded when the input multiplexer is switched.
      
      This removes the unexpected config register update and correctly load the
      data rate setting before getting adc result.
      
      Cc: Daniel Baluta <daniel.baluta@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d7fadc5
    • Colin Ian King's avatar
      staging/rts5208: fix incorrect shift to extract upper nybble · 70bfcf9e
      Colin Ian King authored
      commit 34ff1bf4 upstream.
      
      The mask of sns_key_info1 suggests the upper nybble is being extracted
      however the following shift of 8 bits is too large and always results in
      0.  Fix this by shifting only by 4 bits to correctly get the upper nybble.
      
      Detected by CoverityScan, CID#142891 ("Operands don't affect result")
      
      Fixes: fa590c22 ("staging: rts5208: add support for rts5208 and rts5288")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      70bfcf9e
    • Douglas Anderson's avatar
      USB: core: Avoid race of async_completed() w/ usbdev_release() · ed68c935
      Douglas Anderson authored
      commit ed62ca2f upstream.
      
      While running reboot tests w/ a specific set of USB devices (and
      slub_debug enabled), I found that once every few hours my device would
      be crashed with a stack that looked like this:
      
      [   14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091
      [   14.012460]  lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu
      [   14.012460] /1025536097, .owner_cpu: 0
      [   14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352
      [   14.012468] Hardware name: Google Kevin (DT)
      [   14.012471] Call trace:
      [   14.012483] [<....>] dump_backtrace+0x0/0x160
      [   14.012487] [<....>] show_stack+0x20/0x28
      [   14.012494] [<....>] dump_stack+0xb4/0xf0
      [   14.012500] [<....>] spin_dump+0x8c/0x98
      [   14.012504] [<....>] spin_bug+0x30/0x3c
      [   14.012508] [<....>] do_raw_spin_lock+0x40/0x164
      [   14.012515] [<....>] _raw_spin_lock_irqsave+0x64/0x74
      [   14.012521] [<....>] __wake_up+0x2c/0x60
      [   14.012528] [<....>] async_completed+0x2d0/0x300
      [   14.012534] [<....>] __usb_hcd_giveback_urb+0xc4/0x138
      [   14.012538] [<....>] usb_hcd_giveback_urb+0x54/0xf0
      [   14.012544] [<....>] xhci_irq+0x1314/0x1348
      [   14.012548] [<....>] usb_hcd_irq+0x40/0x50
      [   14.012553] [<....>] handle_irq_event_percpu+0x1b4/0x3f0
      [   14.012556] [<....>] handle_irq_event+0x4c/0x7c
      [   14.012561] [<....>] handle_fasteoi_irq+0x158/0x1c8
      [   14.012564] [<....>] generic_handle_irq+0x30/0x44
      [   14.012568] [<....>] __handle_domain_irq+0x90/0xbc
      [   14.012572] [<....>] gic_handle_irq+0xcc/0x18c
      
      Investigation using kgdb() found that the wait queue that was passed
      into wake_up() had been freed (it was filled with slub_debug poison).
      
      I analyzed and instrumented the code and reproduced.  My current
      belief is that this is happening:
      
      1. async_completed() is called (from IRQ).  Moves "as" onto the
         completed list.
      2. On another CPU, proc_reapurbnonblock_compat() calls
         async_getcompleted().  Blocks on spinlock.
      3. async_completed() releases the lock; keeps running; gets blocked
         midway through wake_up().
      4. proc_reapurbnonblock_compat() => async_getcompleted() gets the
         lock; removes "as" from completed list and frees it.
      5. usbdev_release() is called.  Frees "ps".
      6. async_completed() finally continues running wake_up().  ...but
         wake_up() has a pointer to the freed "ps".
      
      The instrumentation that led me to believe this was based on adding
      some trace_printk() calls in a select few functions and then using
      kdb's "ftdump" at crash time.  The trace follows (NOTE: in the trace
      below I cheated a little bit and added a udelay(1000) in
      async_completed() after releasing the spinlock because I wanted it to
      trigger quicker):
      
      <...>-2104   0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200
      mtpd-2055    3.... 13759356us : async_getcompleted before spin_lock_irqsave
      mtpd-2055    3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200
      mtpd-2055    3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200)
      mtpd-2055    3.... 13759422us+: async_getcompleted before spin_lock_irqsave
      mtpd-2055    3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080
      mtpd-2055    3.... 13759487us : async_getcompleted before spin_lock_irqsave
      mtpd-2055    3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080
      <...>-2104   0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200
      
      To fix this problem we can just move the wake_up() under the ps->lock.
      There should be no issues there that I'm aware of.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed68c935