1. 26 Jul, 2019 40 commits
    • Russell King's avatar
      gpio: omap: ensure irq is enabled before wakeup · fd40385f
      Russell King authored
      [ Upstream commit c859e0d4 ]
      
      Documentation states:
      
        NOTE: There must be a correlation between the wake-up enable and
        interrupt-enable registers. If a GPIO pin has a wake-up configured
        on it, it must also have the corresponding interrupt enabled (on
        one of the two interrupt lines).
      
      Ensure that this condition is always satisfied by enabling the detection
      events after enabling the interrupt, and disabling the detection before
      disabling the interrupt.  This ensures interrupt/wakeup events can not
      happen until both the wakeup and interrupt enables correlate.
      
      If we do any clearing, clear between the interrupt enable/disable and
      trigger setting.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Tested-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fd40385f
    • Russell King's avatar
      gpio: omap: fix lack of irqstatus_raw0 for OMAP4 · e1a324cc
      Russell King authored
      [ Upstream commit 64ea3e90 ]
      
      Commit 384ebe1c ("gpio/omap: Add DT support to GPIO driver") added
      the register definition tables to the gpio-omap driver. Subsequently to
      that commit, commit 4e962e89 ("gpio/omap: remove cpu_is_omapxxxx()
      checks from *_runtime_resume()") added definitions for irqstatus_raw*
      registers to the legacy OMAP4 definitions, but missed the DT
      definitions.
      
      This causes an unintentional change of behaviour for the 1.101 errata
      workaround on OMAP4 platforms. Fix this oversight.
      
      Fixes: 4e962e89 ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Tested-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e1a324cc
    • Eric Auger's avatar
      iommu: Fix a leak in iommu_insert_resv_region · 47b6814f
      Eric Auger authored
      [ Upstream commit ad0834de ]
      
      In case we expand an existing region, we unlink
      this latter and insert the larger one. In
      that case we should free the original region after
      the insertion. Also we can immediately return.
      
      Fixes: 6c65fb31 ("iommu: iommu_get_group_resv_regions")
      Signed-off-by: default avatarEric Auger <eric.auger@redhat.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      47b6814f
    • Kieran Bingham's avatar
      media: fdp1: Support M3N and E3 platforms · f7604fc3
      Kieran Bingham authored
      [ Upstream commit 4e8c120d ]
      
      New Gen3 R-Car platforms incorporate the FDP1 with an updated version
      register. No code change is required to support these targets, but they
      will currently report an error stating that the device can not be
      identified.
      
      Update the driver to match against the new device types.
      Signed-off-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f7604fc3
    • Oliver Neukum's avatar
      media: uvcvideo: Fix access to uninitialized fields on probe error · 22b193c0
      Oliver Neukum authored
      [ Upstream commit 11a087f4 ]
      
      We need to check whether this work we are canceling actually is
      initialized.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reported-by: syzbot+2e1ef9188251d9cc7944@syzkaller.appspotmail.com
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      22b193c0
    • Xingyu Chen's avatar
      irqchip/meson-gpio: Add support for Meson-G12A SoC · d47f5d15
      Xingyu Chen authored
      [ Upstream commit c64a9e80 ]
      
      The Meson-G12A SoC uses the same GPIO interrupt controller IP block as the
      other Meson SoCs, A totle of 100 pins can be spied on, which is the sum of:
      
      - 223:100 undefined (no interrupt)
      - 99:97   3 pins on bank GPIOE
      - 96:77   20 pins on bank GPIOX
      - 76:61   16 pins on bank GPIOA
      - 60:53   8 pins on bank GPIOC
      - 52:37   16 pins on bank BOOT
      - 36:28   9 pins on bank GPIOH
      - 27:12   16 pins on bank GPIOZ
      - 11:0    12 pins in the AO domain
      Signed-off-by: default avatarXingyu Chen <xingyu.chen@amlogic.com>
      Signed-off-by: default avatarJianxin Pan <jianxin.pan@amlogic.com>
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d47f5d15
    • Thomas Richter's avatar
      perf report: Fix OOM error in TUI mode on s390 · e8fb963c
      Thomas Richter authored
      [ Upstream commit 8a07aa4e ]
      
      Debugging a OOM error using the TUI interface revealed this issue
      on s390:
      
      [tmricht@m83lp54 perf]$ cat /proc/kallsyms |sort
      ....
      00000001119b7158 B radix_tree_node_cachep
      00000001119b8000 B __bss_stop
      00000001119b8000 B _end
      000003ff80002850 t autofs_mount	[autofs4]
      000003ff80002868 t autofs_show_options	[autofs4]
      000003ff80002a98 t autofs_evict_inode	[autofs4]
      ....
      
      There is a huge gap between the last kernel symbol
      __bss_stop/_end and the first kernel module symbol
      autofs_mount (from autofs4 module).
      
      After reading the kernel symbol table via functions:
      
       dso__load()
       +--> dso__load_kernel_sym()
            +--> dso__load_kallsyms()
      	   +--> __dso_load_kallsyms()
      	        +--> symbols__fixup_end()
      
      the symbol __bss_stop has a start address of 1119b8000 and
      an end address of 3ff80002850, as can be seen by this debug statement:
      
        symbols__fixup_end __bss_stop start:0x1119b8000 end:0x3ff80002850
      
      The size of symbol __bss_stop is 0x3fe6e64a850 bytes!
      It is the last kernel symbol and fills up the space until
      the first kernel module symbol.
      
      This size kills the TUI interface when executing the following
      code:
      
        process_sample_event()
          hist_entry_iter__add()
            hist_iter__report_callback()
              hist_entry__inc_addr_samples()
                symbol__inc_addr_samples(symbol = __bss_stop)
                  symbol__cycles_hist()
                     annotated_source__alloc_histograms(...,
      				                symbol__size(sym),
      		                                ...)
      
      This function allocates memory to save sample histograms.
      The symbol_size() marco is defined as sym->end - sym->start, which
      results in above value of 0x3fe6e64a850 bytes and
      the call to calloc() in annotated_source__alloc_histograms() fails.
      
      The histgram memory allocation might fail, make this failure
      no-fatal and continue processing.
      
      Output before:
      [tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
      					      -i ~/slow.data 2>/tmp/2
      [tmricht@m83lp54 perf]$ tail -5 /tmp/2
        __symbol__inc_addr_samples(875): ENOMEM! sym->name=__bss_stop,
      		start=0x1119b8000, addr=0x2aa0005eb08, end=0x3ff80002850,
      		func: 0
      problem adding hist entry, skipping event
      0x938b8 [0x8]: failed to process type: 68 [Cannot allocate memory]
      [tmricht@m83lp54 perf]$
      
      Output after:
      [tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
      					      -i ~/slow.data 2>/tmp/2
      [tmricht@m83lp54 perf]$ tail -5 /tmp/2
         symbol__inc_addr_samples map:0x1597830 start:0x110730000 end:0x3ff80002850
         symbol__hists notes->src:0x2aa2a70 nr_hists:1
         symbol__inc_addr_samples sym:unlink_anon_vmas src:0x2aa2a70
         __symbol__inc_addr_samples: addr=0x11094c69e
         0x11094c670 unlink_anon_vmas: period++ [addr: 0x11094c69e, 0x2e, evidx=0]
         	=> nr_samples: 1, period: 526008
      [tmricht@m83lp54 perf]$
      
      There is no error about failed memory allocation and the TUI interface
      shows all entries.
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Reviewed-by: default avatarHendrik Brueckner <brueckner@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Link: http://lkml.kernel.org/r/90cb5607-3e12-5167-682d-978eba7dafa8@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e8fb963c
    • Thomas Richter's avatar
      perf test 6: Fix missing kvm module load for s390 · 629bb02f
      Thomas Richter authored
      [ Upstream commit 53fe307d ]
      
      Command
      
         # perf test -Fv 6
      
      fails with error
      
         running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
          event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
          event syntax error: 'kvm-s390:kvm_s390_create_vm'
                               \___ unknown tracepoint
      
      when the kvm module is not loaded or not built in.
      
      Fix this by adding a valid function which tests if the module
      is loaded. Loaded modules (or builtin KVM support) have a
      directory named
        /sys/kernel/debug/tracing/events/kvm-s390
      for this tracepoint.
      
      Check for existence of this directory.
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      629bb02f
    • Mathieu Poirier's avatar
      perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode · f511db18
      Mathieu Poirier authored
      [ Upstream commit e45c48a9 ]
      
      This patch adds the necessary intelligence to properly compute the value
      of 'old' and 'head' when operating in snapshot mode.  That way we can
      get the latest information in the AUX buffer and be compatible with the
      generic AUX ring buffer mechanic.
      
      Tester notes:
      
      > Leo, have you had the chance to test/review this one? Suzuki?
      
      Sure.  I applied this patch on the perf/core branch (with latest
      commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading
      filename to the loop') and passed testing with below steps:
      
        # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort &
        [1] 19097
        Bubble sorting array of 30000 elements
      
        # kill -USR2 19097
        # kill -USR2 19097
        # kill -USR2 19097
        [ perf record: Woken up 4 times to write data ]
        [ perf record: Captured and wrote 0.753 MB perf.data ]
      Signed-off-by: default avatarMathieu Poirier <mathieu.poirier@linaro.org>
      Tested-by: default avatarLeo Yan <leo.yan@linaro.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
      Cc: linux-arm-kernel@lists.infradead.org
      Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f511db18
    • Stefano Brivio's avatar
      ipset: Fix memory accounting for hash types on resize · 3711cf11
      Stefano Brivio authored
      [ Upstream commit 11921796 ]
      
      If a fresh array block is allocated during resize, the current in-memory
      set size should be increased by the size of the block, not replaced by it.
      
      Before the fix, adding entries to a hash set type, leading to a table
      resize, caused an inconsistent memory size to be reported. This becomes
      more obvious when swapping sets with similar sizes:
      
        # cat hash_ip_size.sh
        #!/bin/sh
        FAIL_RETRIES=10
      
        tries=0
        while [ ${tries} -lt ${FAIL_RETRIES} ]; do
        	ipset create t1 hash:ip
        	for i in `seq 1 4345`; do
        		ipset add t1 1.2.$((i / 255)).$((i % 255))
        	done
        	t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
      
        	ipset create t2 hash:ip
        	for i in `seq 1 4360`; do
        		ipset add t2 1.2.$((i / 255)).$((i % 255))
        	done
        	t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
      
        	ipset swap t1 t2
        	t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
        	t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
      
        	ipset destroy t1
        	ipset destroy t2
        	tries=$((tries + 1))
      
        	if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then
        		echo "FAIL after ${tries} tries:"
        		echo "T1 size ${t1_init}, after swap ${t1_swap}"
        		echo "T2 size ${t2_init}, after swap ${t2_swap}"
        		exit 1
        	fi
        done
        echo "PASS"
        # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control
        # ./hash_ip_size.sh
        [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa
        [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163)
        [ 2035.080353] Table destroy by resize 00000000fe6551fa
        FAIL after 4 tries:
        T1 size 9064, after swap 71128
        T2 size 71128, after swap 9064
      Reported-by: default avatarNOYB <JunkYardMail1@Frontier.com>
      Fixes: 9e41f26a ("netfilter: ipset: Count non-static extension memory for userspace")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3711cf11
    • Robert Hancock's avatar
      net: sfp: add mutex to prevent concurrent state checks · b892e3cf
      Robert Hancock authored
      [ Upstream commit 2158e856 ]
      
      sfp_check_state can potentially be called by both a threaded IRQ handler
      and delayed work. If it is concurrently called, it could result in
      incorrect state management. Add a st_mutex to protect the state - this
      lock gets taken outside of code that checks and handle state changes, and
      the existing sm_mutex nests inside of it.
      Suggested-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarRobert Hancock <hancock@sedsystems.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b892e3cf
    • Borislav Petkov's avatar
      RAS/CEC: Fix pfn insertion · 5b27bd98
      Borislav Petkov authored
      [ Upstream commit 6d8e294b ]
      
      When inserting random PFNs for debugging the CEC through
      (debugfs)/ras/cec/pfn, depending on the return value of pfn_set(),
      multiple values get inserted per a single write.
      
      That is because simple_attr_write() interprets a retval of 0 as
      success and claims the whole input. However, pfn_set() returns the
      cec_add_elem() value, which, if > 0 and smaller than the whole input
      length, makes glibc continue issuing the write syscall until there's
      input left:
      
        pfn_set
        simple_attr_write
        debugfs_attr_write
        full_proxy_write
        vfs_write
        ksys_write
        do_syscall_64
        entry_SYSCALL_64_after_hwframe
      
      leading to those repeated calls.
      
      Return 0 to fix that.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b27bd98
    • Julian Wiedmann's avatar
      s390/qdio: handle PENDING state for QEBSM devices · df2c88a7
      Julian Wiedmann authored
      [ Upstream commit 04310324 ]
      
      When a CQ-enabled device uses QEBSM for SBAL state inspection,
      get_buf_states() can return the PENDING state for an Output Queue.
      get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
      buffer will permanently stall all further completion processing on this
      Queue.
      
      This isn't a concern for non-QEBSM devices, as get_buf_states() for such
      devices will manually turn PENDING buffers into EMPTY ones.
      
      Fixes: 104ea556 ("qdio: support asynchronous delivery of storage blocks")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      df2c88a7
    • Robert Hancock's avatar
      net: axienet: Fix race condition causing TX hang · 5b0c0598
      Robert Hancock authored
      [ Upstream commit 7de44285 ]
      
      It is possible that the interrupt handler fires and frees up space in
      the TX ring in between checking for sufficient TX ring space and
      stopping the TX queue in axienet_start_xmit. If this happens, the
      queue wake from the interrupt handler will occur before the queue is
      stopped, causing a lost wakeup and the adapter's transmit hanging.
      
      To avoid this, after stopping the queue, check again whether there is
      sufficient space in the TX ring. If so, wake up the queue again.
      Signed-off-by: default avatarRobert Hancock <hancock@sedsystems.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b0c0598
    • Fabio Estevam's avatar
      net: fec: Do not use netdev messages too early · a32d4cf2
      Fabio Estevam authored
      [ Upstream commit a19a0582 ]
      
      When a valid MAC address is not found the current messages
      are shown:
      
      fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
      fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
      
      Since the network device has not been registered at this point, it is better
      to use dev_err()/dev_info() instead, which will provide cleaner log
      messages like these:
      
      fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
      fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
      
      Tested on a imx6dl-pico-pi board.
      Signed-off-by: default avatarFabio Estevam <festevam@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a32d4cf2
    • Antoine Tenart's avatar
      crypto: inside-secure - do not rely on the hardware last bit for result descriptors · c9fd5afc
      Antoine Tenart authored
      [ Upstream commit 89332590 ]
      
      When performing a transformation the hardware is given result
      descriptors to save the result data. Those result descriptors are
      batched using a 'first' and a 'last' bit. There are cases were more
      descriptors than needed are given to the engine, leading to the engine
      only using some of them, and not setting the last bit on the last
      descriptor we gave. This causes issues were the driver and the hardware
      aren't in sync anymore about the number of result descriptors given (as
      the driver do not give a pool of descriptor to use for any
      transformation, but a pool of descriptors to use *per* transformation).
      
      This patch fixes it by attaching the number of given result descriptors
      to the requests, and by using this number instead of the 'last' bit
      found on the descriptors to process them.
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c9fd5afc
    • Biao Huang's avatar
      net: stmmac: modify default value of tx-frames · bfaada52
      Biao Huang authored
      [ Upstream commit d2facb4b ]
      
      the default value of tx-frames is 25, it's too late when
      passing tstamp to stack, then the ptp4l will fail:
      
      ptp4l -i eth0 -f gPTP.cfg -m
      ptp4l: selected /dev/ptp0 as PTP clock
      ptp4l: port 1: INITIALIZING to LISTENING on INITIALIZE
      ptp4l: port 0: INITIALIZING to LISTENING on INITIALIZE
      ptp4l: port 1: link up
      ptp4l: timed out while polling for tx timestamp
      ptp4l: increasing tx_timestamp_timeout may correct this issue,
             but it is likely caused by a driver bug
      ptp4l: port 1: send peer delay response failed
      ptp4l: port 1: LISTENING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
      
      ptp4l tests pass when changing the tx-frames from 25 to 1 with
      ethtool -C option.
      It should be fine to set tx-frames default value to 1, so ptp4l will pass
      by default.
      Signed-off-by: default avatarBiao Huang <biao.huang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bfaada52
    • Biao Huang's avatar
      net: stmmac: dwmac4: fix flow control issue · ef5f55ea
      Biao Huang authored
      [ Upstream commit ee326fd0 ]
      
      Current dwmac4_flow_ctrl will not clear
      GMAC_RX_FLOW_CTRL_RFE/GMAC_RX_FLOW_CTRL_RFE bits,
      so MAC hw will keep flow control on although expecting
      flow control off by ethtool. Add codes to fix it.
      
      Fixes: 477286b5 ("stmmac: add GMAC4 core support")
      Signed-off-by: default avatarBiao Huang <biao.huang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ef5f55ea
    • Jae Hyun Yoo's avatar
      media: aspeed: change irq to threaded irq · 467d4560
      Jae Hyun Yoo authored
      [ Upstream commit 12ae1c1b ]
      
      Differently from other Aspeed drivers, this driver calls clock
      control APIs in interrupt context. Since ECLK is coupled with a
      reset bit in clk-aspeed module, aspeed_clk_enable will make 10ms of
      busy waiting delay for triggering the reset and it will eventually
      disturb other drivers' interrupt handling. To fix this issue, this
      commit changes this driver's irq to threaded irq so that the delay
      can be happened in a thread context.
      Signed-off-by: default avatarJae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
      Reviewed-by: default avatarEddie James <eajames@linux.ibm.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      467d4560
    • Jiri Olsa's avatar
      perf jvmti: Address gcc string overflow warning for strncpy() · 94140c6f
      Jiri Olsa authored
      [ Upstream commit 279ab04d ]
      
      We are getting false positive gcc warning when we compile with gcc9 (9.1.1):
      
           CC       jvmti/libjvmti.o
         In file included from /usr/include/string.h:494,
                          from jvmti/libjvmti.c:5:
         In function ‘strncpy’,
             inlined from ‘copy_class_filename.constprop’ at jvmti/libjvmti.c:166:3:
         /usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=]
           106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
               |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         jvmti/libjvmti.c: In function ‘copy_class_filename.constprop’:
         jvmti/libjvmti.c:165:26: note: length computed here
           165 |   size_t file_name_len = strlen(file_name);
               |                          ^~~~~~~~~~~~~~~~~
         cc1: all warnings being treated as errors
      
      As per Arnaldo's suggestion use strlcpy(), which does the same thing and keeps
      gcc silent.
      Suggested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Ben Gainey <ben.gainey@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Link: http://lkml.kernel.org/r/20190531131321.GB1281@kravaSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      94140c6f
    • Fabio Estevam's avatar
      media: imx7-mipi-csis: Propagate the error if clock enabling fails · 5b41a2ed
      Fabio Estevam authored
      [ Upstream commit 2b393f91 ]
      
      Currently the return value from clk_bulk_prepare_enable() is checked,
      but it is not propagate it in the case of failure.
      
      Fix it and also move the error message to the caller of
      mipi_csis_clk_enable().
      Signed-off-by: default avatarFabio Estevam <festevam@gmail.com>
      Reviewed-by: default avatarRui Miguel Silva <rmfrfs@gmail.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b41a2ed
    • Miles Chen's avatar
      arm64: mm: make CONFIG_ZONE_DMA32 configurable · 37243454
      Miles Chen authored
      [ Upstream commit 0c1f14ed ]
      
      This change makes CONFIG_ZONE_DMA32 defuly y and allows users
      to overwrite it only when CONFIG_EXPERT=y.
      
      For the SoCs that do not need CONFIG_ZONE_DMA32, this is the
      first step to manage all available memory by a single
      zone(normal zone) to reduce the overhead of multiple zones.
      
      The change also fixes a build error when CONFIG_NUMA=y and
      CONFIG_ZONE_DMA32=n.
      
      arch/arm64/mm/init.c:195:17: error: use of undeclared identifier 'ZONE_DMA32'
                      max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
      
      Change since v1:
      1. only expose CONFIG_ZONE_DMA32 when CONFIG_EXPERT=y
      2. remove redundant IS_ENABLED(CONFIG_ZONE_DMA32)
      
      Cc: Robin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarMiles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      37243454
    • Abhishek Goel's avatar
      cpupower : frequency-set -r option misses the last cpu in related cpu list · 6aed94de
      Abhishek Goel authored
      [ Upstream commit 04507c0a ]
      
      To set frequency on specific cpus using cpupower, following syntax can
      be used :
      cpupower -c #i frequency-set -f #f -r
      
      While setting frequency using cpupower frequency-set command, if we use
      '-r' option, it is expected to set frequency for all cpus related to
      cpu #i. But it is observed to be missing the last cpu in related cpu
      list. This patch fixes the problem.
      Signed-off-by: default avatarAbhishek Goel <huntbag@linux.vnet.ibm.com>
      Reviewed-by: default avatarThomas Renninger <trenn@suse.de>
      Signed-off-by: default avatarShuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6aed94de
    • Weihang Li's avatar
      net: hns3: set ops to null when unregister ad_dev · 28a7d7a6
      Weihang Li authored
      [ Upstream commit 594a81b3 ]
      
      The hclge/hclgevf and hns3 module can be unloaded independently,
      when hclge/hclgevf unloaded firstly, the ops of ae_dev should
      be set to NULL, otherwise it will cause an use-after-free problem.
      
      Fixes: 38caee9d ("net: hns3: Add support of the HNAE3 framework")
      Signed-off-by: default avatarWeihang Li <liweihang@hisilicon.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      28a7d7a6
    • Weihang Li's avatar
      net: hns3: add a check to pointer in error_detected and slot_reset · bd87e2a1
      Weihang Li authored
      [ Upstream commit 661262bc ]
      
      If we add a VF without loading hclgevf.ko and then there is a RAS error
      occurs, PCIe AER will call error_detected and slot_reset of all functions,
      and will get a NULL pointer when we check ad_dev->ops->handle_hw_ras_error.
      This will cause a call trace and failures on handling of follow-up RAS
      errors.
      
      This patch check ae_dev and ad_dev->ops at first to solve above issues.
      Signed-off-by: default avatarWeihang Li <liweihang@hisilicon.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bd87e2a1
    • Kefeng Wang's avatar
      media: wl128x: Fix some error handling in fm_v4l2_init_video_device() · b46ef18c
      Kefeng Wang authored
      [ Upstream commit 69fbb3f4 ]
      
      X-Originating-IP: [10.175.113.25]
      X-CFilter-Loop: Reflected
      The fm_v4l2_init_video_device() forget to unregister v4l2/video device
      in the error path, it could lead to UAF issue, eg,
      
        BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
        BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
        BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
        Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
      
        CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0xa9/0x10e lib/dump_stack.c:113
         print_address_description+0x65/0x270 mm/kasan/report.c:187
         kasan_report+0x149/0x18d mm/kasan/report.c:317
         atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
         atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
         __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
         fm_v4l2_fops_open+0xac/0x120 [fm_drv]
         v4l2_open+0x191/0x390 [videodev]
         chrdev_open+0x20d/0x570 fs/char_dev.c:417
         do_dentry_open+0x700/0xf30 fs/open.c:777
         do_last fs/namei.c:3416 [inline]
         path_openat+0x7c4/0x2a90 fs/namei.c:3532
         do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
         do_sys_open+0x302/0x490 fs/open.c:1069
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f8180c17c8e
        ...
        Allocated by task 3642:
         set_track mm/kasan/common.c:87 [inline]
         __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
         fm_drv_init+0x13/0x1000 [fm_drv]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
        Freed by task 3642:
         set_track mm/kasan/common.c:87 [inline]
         __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
         slab_free_hook mm/slub.c:1429 [inline]
         slab_free_freelist_hook mm/slub.c:1456 [inline]
         slab_free mm/slub.c:3003 [inline]
         kfree+0xe1/0x270 mm/slub.c:3958
         fm_drv_init+0x1e6/0x1000 [fm_drv]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Add relevant unregister functions to fix it.
      
      Cc: Hans Verkuil <hans.verkuil@cisco.com>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b46ef18c
    • Imre Deak's avatar
      locking/lockdep: Fix merging of hlocks with non-zero references · 3e6d03e7
      Imre Deak authored
      [ Upstream commit d9349850 ]
      
      The sequence
      
      	static DEFINE_WW_CLASS(test_ww_class);
      
      	struct ww_acquire_ctx ww_ctx;
      	struct ww_mutex ww_lock_a;
      	struct ww_mutex ww_lock_b;
      	struct ww_mutex ww_lock_c;
      	struct mutex lock_c;
      
      	ww_acquire_init(&ww_ctx, &test_ww_class);
      
      	ww_mutex_init(&ww_lock_a, &test_ww_class);
      	ww_mutex_init(&ww_lock_b, &test_ww_class);
      	ww_mutex_init(&ww_lock_c, &test_ww_class);
      
      	mutex_init(&lock_c);
      
      	ww_mutex_lock(&ww_lock_a, &ww_ctx);
      
      	mutex_lock(&lock_c);
      
      	ww_mutex_lock(&ww_lock_b, &ww_ctx);
      	ww_mutex_lock(&ww_lock_c, &ww_ctx);
      
      	mutex_unlock(&lock_c);	(*)
      
      	ww_mutex_unlock(&ww_lock_c);
      	ww_mutex_unlock(&ww_lock_b);
      	ww_mutex_unlock(&ww_lock_a);
      
      	ww_acquire_fini(&ww_ctx); (**)
      
      will trigger the following error in __lock_release() when calling
      mutex_release() at **:
      
      	DEBUG_LOCKS_WARN_ON(depth <= 0)
      
      The problem is that the hlock merging happening at * updates the
      references for test_ww_class incorrectly to 3 whereas it should've
      updated it to 4 (representing all the instances for ww_ctx and
      ww_lock_[abc]).
      
      Fix this by updating the references during merging correctly taking into
      account that we can have non-zero references (both for the hlock that we
      merge into another hlock or for the hlock we are merging into).
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3e6d03e7
    • Imre Deak's avatar
      locking/lockdep: Fix OOO unlock when hlocks need merging · 90b05e4e
      Imre Deak authored
      [ Upstream commit 8c8889d8 ]
      
      The sequence
      
      	static DEFINE_WW_CLASS(test_ww_class);
      
      	struct ww_acquire_ctx ww_ctx;
      	struct ww_mutex ww_lock_a;
      	struct ww_mutex ww_lock_b;
      	struct mutex lock_c;
      	struct mutex lock_d;
      
      	ww_acquire_init(&ww_ctx, &test_ww_class);
      
      	ww_mutex_init(&ww_lock_a, &test_ww_class);
      	ww_mutex_init(&ww_lock_b, &test_ww_class);
      
      	mutex_init(&lock_c);
      
      	ww_mutex_lock(&ww_lock_a, &ww_ctx);
      
      	mutex_lock(&lock_c);
      
      	ww_mutex_lock(&ww_lock_b, &ww_ctx);
      
      	mutex_unlock(&lock_c);		(*)
      
      	ww_mutex_unlock(&ww_lock_b);
      	ww_mutex_unlock(&ww_lock_a);
      
      	ww_acquire_fini(&ww_ctx);
      
      triggers the following WARN in __lock_release() when doing the unlock at *:
      
      	DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - 1);
      
      The problem is that the WARN check doesn't take into account the merging
      of ww_lock_a and ww_lock_b which results in decreasing curr->lockdep_depth
      by 2 not only 1.
      
      Note that the following sequence doesn't trigger the WARN, since there
      won't be any hlock merging.
      
      	ww_acquire_init(&ww_ctx, &test_ww_class);
      
      	ww_mutex_init(&ww_lock_a, &test_ww_class);
      	ww_mutex_init(&ww_lock_b, &test_ww_class);
      
      	mutex_init(&lock_c);
      	mutex_init(&lock_d);
      
      	ww_mutex_lock(&ww_lock_a, &ww_ctx);
      
      	mutex_lock(&lock_c);
      	mutex_lock(&lock_d);
      
      	ww_mutex_lock(&ww_lock_b, &ww_ctx);
      
      	mutex_unlock(&lock_d);
      
      	ww_mutex_unlock(&ww_lock_b);
      	ww_mutex_unlock(&ww_lock_a);
      
      	mutex_unlock(&lock_c);
      
      	ww_acquire_fini(&ww_ctx);
      
      In general both of the above two sequences are valid and shouldn't
      trigger any lockdep warning.
      
      Fix this by taking the decrement due to the hlock merging into account
      during lock release and hlock class re-setting. Merging can't happen
      during lock downgrading since there won't be a new possibility to merge
      hlocks in that case, so add a WARN if merging still happens then.
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: ville.syrjala@linux.intel.com
      Link: https://lkml.kernel.org/r/20190524201509.9199-1-imre.deak@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      90b05e4e
    • Sven Eckelmann's avatar
      batman-adv: Fix duplicated OGMs on NETDEV_UP · a2b46e78
      Sven Eckelmann authored
      [ Upstream commit 9e6b5648 ]
      
      The state of slave interfaces are handled differently depending on whether
      the interface is up or not. All active interfaces (IFF_UP) will transmit
      OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling
      (low TTL) OGMs on active interfaces. The code which setups and schedules
      the OGMs must therefore already be called when the interfaces gets added as
      slave interface and the transmit function must then check whether it has to
      send out the OGM or not on the specific slave interface.
      
      But the commit f0d97253 ("batman-adv: remove ogm_emit and ogm_schedule
      API calls") moved the setup code from the enable function to the activate
      function. The latter is called either when the added slave was already up
      when batadv_hardif_enable_interface processed the new interface or when a
      NETDEV_UP event was received for this slave interfac. As result, each
      NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs
      would be send a lot more than expected.
      
      Fixes: f0d97253 ("batman-adv: remove ogm_emit and ogm_schedule API calls")
      Reported-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Tested-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a2b46e78
    • David S. Miller's avatar
      tua6100: Avoid build warnings. · 6d4ed791
      David S. Miller authored
      [ Upstream commit 621ccc6c ]
      
      Rename _P to _P_VAL and _R to _R_VAL to avoid global
      namespace conflicts:
      
      drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
      drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
       #define _P 32
      
      In file included from ./include/acpi/platform/aclinux.h:54,
                       from ./include/acpi/platform/acenv.h:152,
                       from ./include/acpi/acpi.h:22,
                       from ./include/linux/acpi.h:34,
                       from ./include/linux/i2c.h:17,
                       from drivers/media/dvb-frontends/tua6100.h:30,
                       from drivers/media/dvb-frontends/tua6100.c:32:
      ./include/linux/ctype.h:14: note: this is the location of the previous definition
       #define _P 0x10 /* punct */
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d4ed791
    • Christophe Leroy's avatar
      crypto: talitos - Align SEC1 accesses to 32 bits boundaries. · e96316e5
      Christophe Leroy authored
      [ Upstream commit c9cca703 ]
      
      The MPC885 reference manual states:
      
      SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but
      reads can occur on any byte boundary. Writing back a header read from a
      non-32-bit-word boundary will yield unpredictable results.
      
      In order to ensure that, cra_alignmask is set to 3 for SEC1.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 9c4a7965 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e96316e5
    • Christophe Leroy's avatar
      crypto: talitos - properly handle split ICV. · 01f8f49d
      Christophe Leroy authored
      [ Upstream commit eae55a58 ]
      
      The driver assumes that the ICV is as a single piece in the last
      element of the scatterlist. This assumption is wrong.
      
      This patch ensures that the ICV is properly handled regardless of
      the scatterlist layout.
      
      Fixes: 9c4a7965 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      01f8f49d
    • Ioana Ciornei's avatar
      net: phy: Check against net_device being NULL · 8db10b19
      Ioana Ciornei authored
      [ Upstream commit 82c76aca ]
      
      In general, we don't want MAC drivers calling phy_attach_direct with the
      net_device being NULL. Add checks against this in all the functions
      calling it: phy_attach() and phy_connect_direct().
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Suggested-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8db10b19
    • Shailendra Verma's avatar
      media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails. · 8e53ed20
      Shailendra Verma authored
      [ Upstream commit 6995a659 ]
      
      Fix to avoid possible memory leak if the decoder initialization
      got failed.Free the allocated memory for file handle object
      before return in case decoder initialization fails.
      Signed-off-by: default avatarShailendra Verma <shailendra.v@samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8e53ed20
    • Kefeng Wang's avatar
      media: saa7164: fix remove_proc_entry warning · 139f99f5
      Kefeng Wang authored
      [ Upstream commit 50710eee ]
      
      if saa7164_proc_create() fails, saa7164_fini() will trigger a warning,
      
      name 'saa7164'
      WARNING: CPU: 1 PID: 6311 at fs/proc/generic.c:672 remove_proc_entry+0x1e8/0x3a0
        ? remove_proc_entry+0x1e8/0x3a0
        ? try_stop_module+0x7b/0x240
        ? proc_readdir+0x70/0x70
        ? rcu_read_lock_sched_held+0xd7/0x100
        saa7164_fini+0x13/0x1f [saa7164]
        __x64_sys_delete_module+0x30c/0x480
        ? __ia32_sys_delete_module+0x480/0x480
        ? __x64_sys_clock_gettime+0x11e/0x1c0
        ? __x64_sys_timer_create+0x1a0/0x1a0
        ? trace_hardirqs_off_caller+0x40/0x180
        ? do_syscall_64+0x18/0x450
        do_syscall_64+0x9f/0x450
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fix it by checking the return of proc_create_single() before
      calling remove_proc_entry().
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      [hverkuil-cisco@xs4all.nl: use 0444 instead of S_IRUGO]
      [hverkuil-cisco@xs4all.nl: use pr_info instead of KERN_INFO]
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      139f99f5
    • Hans Verkuil's avatar
      media: mc-device.c: don't memset __user pointer contents · 7816f742
      Hans Verkuil authored
      [ Upstream commit 518fa4e0 ]
      
      You can't memset the contents of a __user pointer. Instead, call copy_to_user to
      copy links.reserved (which is zeroed) to the user memory.
      
      This fixes this sparse warning:
      
      SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16:  warning: incorrect type in argument 1 (different address spaces)
      
      Fixes: f4930887 ("media: media_device_enum_links32: clean a reserved field")
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reviewed-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7816f742
    • Arnaldo Carvalho de Melo's avatar
      perf annotate TUI browser: Do not use member from variable within its own initialization · 341b1fa4
      Arnaldo Carvalho de Melo authored
      [ Upstream commit da201963 ]
      
      Some compilers will complain when using a member of a struct to
      initialize another member, in the same struct initialization.
      
      For instance:
      
        debian:8      Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
        oraclelinux:7 clang version 3.4.2 (tags/RELEASE_34/dot2-final)
      
      Produce:
      
        ui/browsers/annotate.c:104:12: error: variable 'ops' is uninitialized when used within its own initialization [-Werror,-Wuninitialized]
                                                    (!ops.current_entry ||
                                                      ^~~
        1 error generated.
      
      So use an extra variable, initialized just before that struct, to have
      the value used in the expressions used to init two of the struct
      members.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Fixes: c298304b ("perf annotate: Use a ops table for annotation_line__write()")
      Link: https://lkml.kernel.org/n/tip-f9nexro58q62l3o9hez8hr0i@git.kernel.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      341b1fa4
    • Vandana BN's avatar
      media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap · dbabee0c
      Vandana BN authored
      [ Upstream commit 5d2e73a5 ]
      
      SyzKaller hit the null pointer deref while reading from uninitialized
      udev->product in zr364xx_vidioc_querycap().
      
      ==================================================================
      BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
      include/linux/compiler.h:274
      Read of size 1 at addr 0000000000000000 by task v4l_id/5287
      
      CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xe8/0x16e lib/dump_stack.c:113
        kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
        read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
        strscpy+0x8a/0x280 lib/string.c:207
        zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
        v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
        __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
        video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
        v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
        vfs_ioctl fs/ioctl.c:46 [inline]
        file_ioctl fs/ioctl.c:509 [inline]
        do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
        ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
        __do_sys_ioctl fs/ioctl.c:720 [inline]
        __se_sys_ioctl fs/ioctl.c:718 [inline]
        __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
        do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f3b56d8b347
      Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
      ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
      ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
      RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
      RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
      R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
      ==================================================================
      
      For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
      
      The fix is to check for NULL before strscpy() and copy empty string, if
      product is NULL
      
      Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
      Signed-off-by: default avatarVandana BN <bnvandana@gmail.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dbabee0c
    • Eric Biggers's avatar
      fscrypt: clean up some BUG_ON()s in block encryption/decryption · 2bff4642
      Eric Biggers authored
      [ Upstream commit eeacfdc6 ]
      
      Replace some BUG_ON()s with WARN_ON_ONCE() and returning an error code,
      and move the check for len divisible by FS_CRYPTO_BLOCK_SIZE into
      fscrypt_crypt_block() so that it's done for both encryption and
      decryption, not just encryption.
      Reviewed-by: default avatarChandan Rajendra <chandan@linux.ibm.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bff4642
    • sumitg's avatar
      media: v4l2-core: fix use-after-free error · bcf628be
      sumitg authored
      [ Upstream commit 3e0f7243 ]
      
      Fixing use-after-free within __v4l2_ctrl_handler_setup().
      Memory is being freed with kfree(new_ref) for duplicate
      control reference entry but ctrl->cluster pointer is still
      referring to freed duplicate entry resulting in error on
      access. Change done to update cluster pointer only when new
      control reference is added.
      
       ==================================================================
       BUG: KASAN: use-after-free in __v4l2_ctrl_handler_setup+0x388/0x428
       Read of size 8 at addr ffffffc324e78618 by task systemd-udevd/312
      
       Allocated by task 312:
      
       Freed by task 312:
      
       The buggy address belongs to the object at ffffffc324e78600
        which belongs to the cache kmalloc-64 of size 64
       The buggy address is located 24 bytes inside of
        64-byte region [ffffffc324e78600, ffffffc324e78640)
       The buggy address belongs to the page:
       page:ffffffbf0c939e00 count:1 mapcount:0 mapping:
      					(null) index:0xffffffc324e78f80
       flags: 0x4000000000000100(slab)
       raw: 4000000000000100 0000000000000000 ffffffc324e78f80 000000018020001a
       raw: 0000000000000000 0000000100000001 ffffffc37040fb80 0000000000000000
       page dumped because: kasan: bad access detected
      
       Memory state around the buggy address:
        ffffffc324e78500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
        ffffffc324e78580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
       >ffffffc324e78600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                   ^
        ffffffc324e78680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
        ffffffc324e78700: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
       ==================================================================
      Suggested-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarSumit Gupta <sumitg@nvidia.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bcf628be