commit 6e8e9958691907e8d7eb3b2107619dddbdaeb175 Author: Greg Kroah-Hartman Date: Sun May 14 14:08:51 2017 +0200 Linux 4.10.16 commit 2262a51b515a958068f8f2a289871652fbd82f64 Author: Ilya Dryomov Date: Tue Apr 18 18:43:20 2017 +0200 block: get rid of blk_integrity_revalidate() commit 19b7ccf8651df09d274671b53039c672a52ad84d upstream. Commit 25520d55cdb6 ("block: Inline blk_integrity in struct gendisk") introduced blk_integrity_revalidate(), which seems to assume ownership of the stable pages flag and unilaterally clears it if no blk_integrity profile is registered: if (bi->profile) disk->queue->backing_dev_info->capabilities |= BDI_CAP_STABLE_WRITES; else disk->queue->backing_dev_info->capabilities &= ~BDI_CAP_STABLE_WRITES; It's called from revalidate_disk() and rescan_partitions(), making it impossible to enable stable pages for drivers that support partitions and don't use blk_integrity: while the call in revalidate_disk() can be trivially worked around (see zram, which doesn't support partitions and hence gets away with zram_revalidate_disk()), rescan_partitions() can be triggered from userspace at any time. This breaks rbd, where the ceph messenger is responsible for generating/verifying CRCs. Since blk_integrity_{un,}register() "must" be used for (un)registering the integrity profile with the block layer, move BDI_CAP_STABLE_WRITES setting there. This way drivers that call blk_integrity_register() and use integrity infrastructure won't interfere with drivers that don't but still want stable pages. Fixes: 25520d55cdb6 ("block: Inline blk_integrity in struct gendisk") Cc: "Martin K. Petersen" Cc: Christoph Hellwig Cc: Mike Snitzer Tested-by: Dan Williams Signed-off-by: Ilya Dryomov [idryomov@gmail.com: backport to < 4.11: bdi is embedded in queue] Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f89d35abea21d84ed8e9df999842c223cf57f1ba Author: Nicolai Hähnle Date: Sat Feb 18 22:59:56 2017 +0100 drm/ttm: fix use-after-free races in vm fault handling commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 upstream. The vm fault handler relies on the fact that the VMA owns a reference to the BO. However, once mmap_sem is released, other tasks are free to destroy the VMA, which can lead to the BO being freed. Fix two code paths where that can happen, both related to vm fault retries. Found via a lock debugging warning which flagged &bo->wu_mutex as locked while being destroyed. Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries") Signed-off-by: Nicolai Hähnle Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2f6aeeae43bbb603a47013923402150493e3ac2f Author: Dan Carpenter Date: Tue Dec 13 15:23:32 2016 +0300 drm: mxsfb: drm_dev_alloc() returns error pointers commit e89e50ac35d9126907a436dabe70f9a8311b9981 upstream. We should be checking for IS_ERR() instead of NULL because drm_dev_alloc() returns error pointers. Fixes: 45d59d704080 ("drm: Add new driver for MXSFB controller") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/20161213122332.GA7519@elgon.mountain Signed-off-by: Greg Kroah-Hartman commit 9302f2b14af11af0054029ba0455f6d9c03d044a Author: Wei Yongjun Date: Thu Jan 12 15:19:21 2017 +0000 drm/hisilicon/hibmc: Fix wrong pointer passed to PTR_ERR() commit bdf6f135973acb409b3ec5a6214fb597670a0bc0 upstream. PTR_ERR should access the value just tested by IS_ERR, otherwise the wrong error code will be returned. Fixes: d1667b86795a ("drm/hisilicon/hibmc: Add support for frame buffer") Signed-off-by: Wei Yongjun Reviewed-by: Gustavo Padovan Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/20170112151921.16538-1-weiyj.lk@gmail.com Signed-off-by: Greg Kroah-Hartman commit 4a66b610a8213a9e273914d6feaeda6b1e979c40 Author: Boris Ostrovsky Date: Mon Apr 24 15:04:53 2017 -0400 xen: Revert commits da72ff5bfcb0 and 72a9b186292d commit 84d582d236dc1f9085e741affc72e9ba061a67c2 upstream. Recent discussion (http://marc.info/?l=xen-devel&m=149192184523741) established that commit 72a9b186292d ("xen: Remove event channel notification through Xen PCI platform device") (and thus commit da72ff5bfcb0 ("partially revert "xen: Remove event channel notification through Xen PCI platform device"")) are unnecessary and, in fact, prevent HVM guests from booting on Xen releases prior to 4.0 Therefore we revert both of those commits. The summary of that discussion is below: Here is the brief summary of the current situation: Before the offending commit (72a9b186292): 1) INTx does not work because of the reset_watches path. 2) The reset_watches path is only taken if you have Xen > 4.0 3) The Linux Kernel by default will use vector inject if the hypervisor support. So even INTx does not work no body running the kernel with Xen > 4.0 would notice. Unless he explicitly disabled this feature either in the kernel or in Xen (and this can only be disabled by modifying the code, not user-supported way to do it). After the offending commit (+ partial revert): 1) INTx is no longer support for HVM (only for PV guests). 2) Any HVM guest The kernel will not boot on Xen < 4.0 which does not have vector injection support. Since the only other mode supported is INTx which. So based on this summary, I think before commit (72a9b186292) we were in much better position from a user point of view. Signed-off-by: Boris Ostrovsky Reviewed-by: Juergen Gross Cc: Boris Ostrovsky Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Cc: Konrad Rzeszutek Wilk Cc: Bjorn Helgaas Cc: Stefano Stabellini Cc: Julien Grall Cc: Vitaly Kuznetsov Cc: Paul Gortmaker Cc: Ross Lagerwall Cc: xen-devel@lists.xenproject.org Cc: linux-kernel@vger.kernel.org Cc: linux-pci@vger.kernel.org Cc: Anthony Liguori Cc: KarimAllah Ahmed Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 6442a7f5d793a5d778d1f0cc62840a3f20dc1d72 Author: Jin Qian Date: Tue Apr 25 16:28:48 2017 -0700 f2fs: sanity check segment count commit b9dd46188edc2f0d1f37328637860bb65a771124 upstream. F2FS uses 4 bytes to represent block address. As a result, supported size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments. Signed-off-by: Jin Qian Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 853151191ef2b62fa02c4a9fdeb90a8baeb3d911 Author: Jarno Rajahalme Date: Tue Feb 14 21:16:28 2017 -0800 openvswitch: Set internal device max mtu to ETH_MAX_MTU. [ Upstream commit 425df17ce3a26d98f76e2b6b0af2acf4aeb0b026 ] Commit 91572088e3fd ("net: use core MTU range checking in core net infra") changed the openvswitch internal device to use the core net infra for controlling the MTU range, but failed to actually set the max_mtu as described in the commit message, which now defaults to ETH_DATA_LEN. This patch fixes this by setting max_mtu to ETH_MAX_MTU after ether_setup() call. Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra") Signed-off-by: Jarno Rajahalme Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8656ebcc28bc2a2338c1dc9a7f5de10c80e3cc1e Author: Jon Mason Date: Mon May 8 17:48:35 2017 -0400 net: mdio-mux: bcm-iproc: call mdiobus_free() in error path [ Upstream commit 922c60e89d52730050c6ccca218bff40cc8bcd8e ] If an error is encountered in mdio_mux_init(), the error path will call mdiobus_free(). Since mdiobus_register() has been called prior to mdio_mux_init(), the bus->state will not be MDIOBUS_UNREGISTERED. This causes a BUG_ON() in mdiobus_free(). To correct this issue, add an error path for mdio_mux_init() which calls mdiobus_unregister() prior to mdiobus_free(). Signed-off-by: Jon Mason Fixes: 98bc865a1ec8 ("net: mdio-mux: Add MDIO mux driver for iProc SoCs") Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c35107a3bec206f68402236a16be537b6ffce070 Author: Daniel Borkmann Date: Mon May 8 00:04:09 2017 +0200 bpf: don't let ldimm64 leak map addresses on unprivileged [ Upstream commit 0d0e57697f162da4aa218b5feafe614fb666db07 ] The patch fixes two things at once: 1) It checks the env->allow_ptr_leaks and only prints the map address to the log if we have the privileges to do so, otherwise it just dumps 0 as we would when kptr_restrict is enabled on %pK. Given the latter is off by default and not every distro sets it, I don't want to rely on this, hence the 0 by default for unprivileged. 2) Printing of ldimm64 in the verifier log is currently broken in that we don't print the full immediate, but only the 32 bit part of the first insn part for ldimm64. Thus, fix this up as well; it's okay to access, since we verified all ldimm64 earlier already (including just constants) through replace_map_fd_with_map_ptr(). Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)") Reported-by: Jann Horn Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ddbb020a01ec436d5301fb430bbb20c883c5b9b6 Author: Dan Carpenter Date: Sat May 6 03:49:01 2017 +0300 bnxt_en: allocate enough space for ->ntp_fltr_bmap [ Upstream commit ac45bd93a5035c2f39c9862b8b6ed692db0fdc87 ] We have the number of longs, but we need to calculate the number of bytes required. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Dan Carpenter Acked-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 912bec79fb2ac79e33549cfeea48fb2756756275 Author: WANG Cong Date: Mon May 8 10:12:13 2017 -0700 ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf [ Upstream commit 242d3a49a2a1a71d8eb9f953db1bcaa9d698ce00 ] For each netns (except init_net), we initialize its null entry in 3 places: 1) The template itself, as we use kmemdup() 2) Code around dst_init_metrics() in ip6_route_net_init() 3) ip6_route_dev_notify(), which is supposed to initialize it after loopback registers Unfortunately the last one still happens in a wrong order because we expect to initialize net->ipv6.ip6_null_entry->rt6i_idev to net->loopback_dev's idev, thus we have to do that after we add idev to loopback. However, this notifier has priority == 0 same as ipv6_dev_notf, and ipv6_dev_notf is registered after ip6_route_dev_notifier so it is called actually after ip6_route_dev_notifier. This is similar to commit 2f460933f58e ("ipv6: initialize route null entry in addrconf_init()") which fixes init_net. Fix it by picking a smaller priority for ip6_route_dev_notifier. Also, we have to release the refcnt accordingly when unregistering loopback_dev because device exit functions are called before subsys exit functions. Acked-by: David Ahern Tested-by: David Ahern Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 062e49d89f6859d7a1e41ea39d5012caa9e4d4b2 Author: WANG Cong Date: Wed May 3 22:07:31 2017 -0700 ipv6: initialize route null entry in addrconf_init() [ Upstream commit 2f460933f58eee3393aba64f0f6d14acb08d1724 ] Andrey reported a crash on init_net.ipv6.ip6_null_entry->rt6i_idev since it is always NULL. This is clearly wrong, we have code to initialize it to loopback_dev, unfortunately the order is still not correct. loopback_dev is registered very early during boot, we lose a chance to re-initialize it in notifier. addrconf_init() is called after ip6_route_init(), which means we have no chance to correct it. Fix it by moving this initialization explicitly after ipv6_add_dev(init_net.loopback_dev) in addrconf_init(). Reported-by: Andrey Konovalov Signed-off-by: Cong Wang Tested-by: Andrey Konovalov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d3081680506fe919f1ed51944cafa8c5cb9007ed Author: Michal Schmidt Date: Thu May 4 16:48:58 2017 +0200 rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string [ Upstream commit 77ef033b687c3e030017c94a29bf6ea3aaaef678 ] IFLA_PHYS_PORT_NAME is a string attribute, so terminate it with \0. Otherwise libnl3 fails to validate netlink messages with this attribute. "ip -detail a" assumes too that the attribute is NUL-terminated when printing it. It often was, due to padding. I noticed this as libvirtd failing to start on a system with sfc driver after upgrading it to Linux 4.11, i.e. when sfc added support for phys_port_name. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit df6f3bcd6667a1a99a699ff12912d5f3952271e1 Author: Alexander Potapenko Date: Wed May 3 17:06:58 2017 +0200 ipv4, ipv6: ensure raw socket message is big enough to hold an IP header [ Upstream commit 86f4c90a1c5c1493f07f2d12c1079f5bf01936f2 ] raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied from the userspace contains the IPv4/IPv6 header, so if too few bytes are copied, parts of the header may remain uninitialized. This bug has been detected with KMSAN. For the record, the KMSAN report: ================================================================== BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0 inter: 0 CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x143/0x1b0 lib/dump_stack.c:52 kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078 __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510 nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577 ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 nf_hook_entry_hookfn ./include/linux/netfilter.h:102 nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310 nf_hook ./include/linux/netfilter.h:212 NF_HOOK ./include/linux/netfilter.h:255 rawv6_send_hdrinc net/ipv6/raw.c:673 rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 SyS_sendto+0xbc/0xe0 net/socket.c:1664 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246 RIP: 0033:0x436e03 RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000 origin: 00000000d9400053 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362 kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257 kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270 slab_alloc_node mm/slub.c:2735 __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341 __kmalloc_reserve net/core/skbuff.c:138 __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231 alloc_skb ./include/linux/skbuff.h:933 alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678 sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903 sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920 rawv6_send_hdrinc net/ipv6/raw.c:638 rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 SyS_sendto+0xbc/0xe0 net/socket.c:1664 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246 ================================================================== , triggered by the following syscalls: socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3 sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket instead of a PF_INET6 one. Signed-off-by: Alexander Potapenko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 929575fd0dfdaf7de326991fb56d1d11b95e86e6 Author: Eric Dumazet Date: Wed May 3 06:39:31 2017 -0700 tcp: do not inherit fastopen_req from parent [ Upstream commit 8b485ce69876c65db12ed390e7f9c0d2a64eff2c ] Under fuzzer stress, it is possible that a child gets a non NULL fastopen_req pointer from its parent at accept() time, when/if parent morphs from listener to active session. We need to make sure this can not happen, by clearing the field after socket cloning. BUG: Double free or freeing an invalid pointer Unexpected shadow byte: 0xFB CPU: 3 PID: 20933 Comm: syz-executor3 Not tainted 4.11.0+ #306 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x292/0x395 lib/dump_stack.c:52 kasan_object_err+0x1c/0x70 mm/kasan/report.c:164 kasan_report_double_free+0x5c/0x70 mm/kasan/report.c:185 kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:580 slab_free_hook mm/slub.c:1357 [inline] slab_free_freelist_hook mm/slub.c:1379 [inline] slab_free mm/slub.c:2961 [inline] kfree+0xe8/0x2b0 mm/slub.c:3882 tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline] tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328 inet_child_forget+0xb8/0x600 net/ipv4/inet_connection_sock.c:898 inet_csk_reqsk_queue_add+0x1e7/0x250 net/ipv4/inet_connection_sock.c:928 tcp_get_cookie_sock+0x21a/0x510 net/ipv4/syncookies.c:217 cookie_v4_check+0x1a19/0x28b0 net/ipv4/syncookies.c:384 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1384 [inline] tcp_v4_do_rcv+0x731/0x940 net/ipv4/tcp_ipv4.c:1421 tcp_v4_rcv+0x2dc0/0x31c0 net/ipv4/tcp_ipv4.c:1715 ip_local_deliver_finish+0x4cc/0xc20 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:257 [inline] ip_local_deliver+0x1ce/0x700 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:492 [inline] ip_rcv_finish+0xb1d/0x20b0 net/ipv4/ip_input.c:396 NF_HOOK include/linux/netfilter.h:257 [inline] ip_rcv+0xd8c/0x19c0 net/ipv4/ip_input.c:487 __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4210 __netif_receive_skb+0x2a/0x1a0 net/core/dev.c:4248 process_backlog+0xe5/0x6c0 net/core/dev.c:4868 napi_poll net/core/dev.c:5270 [inline] net_rx_action+0xe70/0x18e0 net/core/dev.c:5335 __do_softirq+0x2fb/0xb99 kernel/softirq.c:284 do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:899 do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328 do_softirq kernel/softirq.c:176 [inline] __local_bh_enable_ip+0x1cf/0x1e0 kernel/softirq.c:181 local_bh_enable include/linux/bottom_half.h:31 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:931 [inline] ip_finish_output2+0x9ab/0x15e0 net/ipv4/ip_output.c:230 ip_finish_output+0xa35/0xdf0 net/ipv4/ip_output.c:316 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1f6/0x7b0 net/ipv4/ip_output.c:404 dst_output include/net/dst.h:486 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_queue_xmit+0x9a8/0x1a10 net/ipv4/ip_output.c:503 tcp_transmit_skb+0x1ade/0x3470 net/ipv4/tcp_output.c:1057 tcp_write_xmit+0x79e/0x55b0 net/ipv4/tcp_output.c:2265 __tcp_push_pending_frames+0xfa/0x3a0 net/ipv4/tcp_output.c:2450 tcp_push+0x4ee/0x780 net/ipv4/tcp.c:683 tcp_sendmsg+0x128d/0x39b0 net/ipv4/tcp.c:1342 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x660/0x810 net/socket.c:1696 SyS_sendto+0x40/0x50 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x446059 RSP: 002b:00007faa6761fb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000000446059 RDX: 0000000000000001 RSI: 0000000020ba3fcd RDI: 0000000000000017 RBP: 00000000006e40a0 R08: 0000000020ba4ff0 R09: 0000000000000010 R10: 0000000020000000 R11: 0000000000000282 R12: 0000000000708150 R13: 0000000000000000 R14: 00007faa676209c0 R15: 00007faa67620700 Object at ffff88003b5bbcb8, in cache kmalloc-64 size: 64 Allocated: PID = 20909 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:513 set_track mm/kasan/kasan.c:525 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616 kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:663 [inline] tcp_sendmsg_fastopen net/ipv4/tcp.c:1094 [inline] tcp_sendmsg+0x221a/0x39b0 net/ipv4/tcp.c:1139 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x660/0x810 net/socket.c:1696 SyS_sendto+0x40/0x50 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed: PID = 20909 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:513 set_track mm/kasan/kasan.c:525 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589 slab_free_hook mm/slub.c:1357 [inline] slab_free_freelist_hook mm/slub.c:1379 [inline] slab_free mm/slub.c:2961 [inline] kfree+0xe8/0x2b0 mm/slub.c:3882 tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline] tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328 __inet_stream_connect+0x20c/0xf90 net/ipv4/af_inet.c:593 tcp_sendmsg_fastopen net/ipv4/tcp.c:1111 [inline] tcp_sendmsg+0x23a8/0x39b0 net/ipv4/tcp.c:1139 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x660/0x810 net/socket.c:1696 SyS_sendto+0x40/0x50 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x1f/0xbe Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") Fixes: 7db92362d2fe ("tcp: fix potential double free issue for fastopen_req") Signed-off-by: Eric Dumazet Reported-by: Andrey Konovalov Acked-by: Wei Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3006794169a10ab56d4556c28f59a9bc1a909838 Author: Daniele Palmas Date: Wed May 3 10:30:11 2017 +0200 net: usb: qmi_wwan: add Telit ME910 support [ Upstream commit 4c54dc0277d0d55a9248c43aebd31858f926a056 ] This patch adds support for Telit ME910 PID 0x1100. Signed-off-by: Daniele Palmas Acked-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0735252265e5a83d401851ae5bdcac2fc8957415 Author: David Ahern Date: Tue May 2 14:43:44 2017 -0700 net: ipv6: Do not duplicate DAD on link up [ Upstream commit 6d717134a1a6e1b34a7d0d70e953037bc2642046 ] Andrey reported a warning triggered by the rcu code: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 5911 at lib/debugobjects.c:289 debug_print_object+0x175/0x210 ODEBUG: activate active (active state 1) object type: rcu_head hint: (null) Modules linked in: CPU: 1 PID: 5911 Comm: a.out Not tainted 4.11.0-rc8+ #271 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x192/0x22d lib/dump_stack.c:52 __warn+0x19f/0x1e0 kernel/panic.c:549 warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564 debug_print_object+0x175/0x210 lib/debugobjects.c:286 debug_object_activate+0x574/0x7e0 lib/debugobjects.c:442 debug_rcu_head_queue kernel/rcu/rcu.h:75 __call_rcu.constprop.76+0xff/0x9c0 kernel/rcu/tree.c:3229 call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288 rt6_rcu_free net/ipv6/ip6_fib.c:158 rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188 fib6_del_route net/ipv6/ip6_fib.c:1461 fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500 __ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174 ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187 __ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520 addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672 ... Andrey's reproducer program runs in a very tight loop, calling 'unshare -n' and then spawning 2 sets of 14 threads running random ioctl calls. The relevant networking sequence: 1. New network namespace created via unshare -n - ip6tnl0 device is created in down state 2. address added to ip6tnl0 - equivalent to ip -6 addr add dev ip6tnl0 fd00::bb/1 - DAD is started on the address and when it completes the host route is inserted into the FIB 3. ip6tnl0 is brought up - the new fixup_permanent_addr function restarts DAD on the address 4. exit namespace - teardown / cleanup sequence starts - once in a blue moon, lo teardown appears to happen BEFORE teardown of ip6tunl0 + down on 'lo' removes the host route from the FIB since the dst->dev for the route is loobback + host route added to rcu callback list * rcu callback has not run yet, so rt is NOT on the gc list so it has NOT been marked obsolete 5. in parallel to 4. worker_thread runs addrconf_dad_completed - DAD on the address on ip6tnl0 completes - calls ipv6_ifa_notify which inserts the host route All of that happens very quickly. The result is that a host route that has been deleted from the IPv6 FIB and added to the RCU list is re-inserted into the FIB. The exit namespace eventually gets to cleaning up ip6tnl0 which removes the host route from the FIB again, calls the rcu function for cleanup -- and triggers the double rcu trace. The root cause is duplicate DAD on the address -- steps 2 and 3. Arguably, DAD should not be started in step 2. The interface is in the down state, so it can not really send out requests for the address which makes starting DAD pointless. Since the second DAD was introduced by a recent change, seems appropriate to use it for the Fixes tag and have the fixup function only start DAD for addresses in the PREDAD state which occurs in addrconf_ifdown if the address is retained. Big thanks to Andrey for isolating a reliable reproducer for this problem. Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional") Reported-by: Andrey Konovalov Signed-off-by: David Ahern Tested-by: Andrey Konovalov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ae2f8e28b40eadbb5fe698efeb8a27956f12d7ff Author: Eric Dumazet Date: Mon May 1 15:29:48 2017 -0700 tcp: fix wraparound issue in tcp_lp [ Upstream commit a9f11f963a546fea9144f6a6d1a307e814a387e7 ] Be careful when comparing tcp_time_stamp to some u32 quantity, otherwise result can be surprising. Fixes: 7c106d7e782b ("[TCP]: TCP Low Priority congestion control") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 38904075d9bc80cdbead535099d88fe4c4caf8fa Author: Daniel Borkmann Date: Tue May 2 20:34:54 2017 +0200 bpf, arm64: fix jit branch offset related to ldimm64 [ Upstream commit ddc665a4bb4b728b4e6ecec8db1b64efa9184b9c ] When the instruction right before the branch destination is a 64 bit load immediate, we currently calculate the wrong jump offset in the ctx->offset[] array as we only account one instruction slot for the 64 bit load immediate although it uses two BPF instructions. Fix it up by setting the offset into the right slot after we incremented the index. Before (ldimm64 test 1): [...] 00000020: 52800007 mov w7, #0x0 // #0 00000024: d2800060 mov x0, #0x3 // #3 00000028: d2800041 mov x1, #0x2 // #2 0000002c: eb01001f cmp x0, x1 00000030: 54ffff82 b.cs 0x00000020 00000034: d29fffe7 mov x7, #0xffff // #65535 00000038: f2bfffe7 movk x7, #0xffff, lsl #16 0000003c: f2dfffe7 movk x7, #0xffff, lsl #32 00000040: f2ffffe7 movk x7, #0xffff, lsl #48 00000044: d29dddc7 mov x7, #0xeeee // #61166 00000048: f2bdddc7 movk x7, #0xeeee, lsl #16 0000004c: f2ddddc7 movk x7, #0xeeee, lsl #32 00000050: f2fdddc7 movk x7, #0xeeee, lsl #48 [...] After (ldimm64 test 1): [...] 00000020: 52800007 mov w7, #0x0 // #0 00000024: d2800060 mov x0, #0x3 // #3 00000028: d2800041 mov x1, #0x2 // #2 0000002c: eb01001f cmp x0, x1 00000030: 540000a2 b.cs 0x00000044 00000034: d29fffe7 mov x7, #0xffff // #65535 00000038: f2bfffe7 movk x7, #0xffff, lsl #16 0000003c: f2dfffe7 movk x7, #0xffff, lsl #32 00000040: f2ffffe7 movk x7, #0xffff, lsl #48 00000044: d29dddc7 mov x7, #0xeeee // #61166 00000048: f2bdddc7 movk x7, #0xeeee, lsl #16 0000004c: f2ddddc7 movk x7, #0xeeee, lsl #32 00000050: f2fdddc7 movk x7, #0xeeee, lsl #48 [...] Also, add a couple of test cases to make sure JITs pass this test. Tested on Cavium ThunderX ARMv8. The added test cases all pass after the fix. Fixes: 8eee539ddea0 ("arm64: bpf: fix out-of-bounds read in bpf2a64_offset()") Reported-by: David S. Miller Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Cc: Xi Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b3468d7ea8c91bfeefa424e90d933869c5924172 Author: Yonghong Song Date: Sat Apr 29 22:52:42 2017 -0700 bpf: enhance verifier to understand stack pointer arithmetic [ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ] llvm 4.0 and above generates the code like below: .... 440: (b7) r1 = 15 441: (05) goto pc+73 515: (79) r6 = *(u64 *)(r10 -152) 516: (bf) r7 = r10 517: (07) r7 += -112 518: (bf) r2 = r7 519: (0f) r2 += r1 520: (71) r1 = *(u8 *)(r8 +0) 521: (73) *(u8 *)(r2 +45) = r1 .... and the verifier complains "R2 invalid mem access 'inv'" for insn #521. This is because verifier marks register r2 as unknown value after #519 where r2 is a stack pointer and r1 holds a constant value. Teach verifier to recognize "stack_ptr + imm" and "stack_ptr + reg with const val" as valid stack_ptr with new offset. Signed-off-by: Yonghong Song Acked-by: Martin KaFai Lau Acked-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ec2f9263d6a50d9ff614681764e0302c4f47c165 Author: Girish Moodalbail Date: Thu Apr 27 14:11:53 2017 -0700 geneve: fix incorrect setting of UDP checksum flag [ Upstream commit 5e0740c445e6ae4026f5e52456ff8d0be9725183 ] Creating a geneve link with 'udpcsum' set results in a creation of link for which UDP checksum will NOT be computed on outbound packets, as can be seen below. 11: gen0: mtu 1500 qdisc noop state DOWN link/ether c2:85:27:b6:b4:15 brd ff:ff:ff:ff:ff:ff promiscuity 0 geneve id 200 remote 192.168.13.1 dstport 6081 noudpcsum Similarly, creating a link with 'noudpcsum' set results in a creation of link for which UDP checksum will be computed on outbound packets. Fixes: 9b4437a5b870 ("geneve: Unify LWT and netdev handling.") Signed-off-by: Girish Moodalbail Acked-by: Pravin B Shelar Acked-by: Lance Richardson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9cd3670409a92fe6cc8b1b2c1e76feeaa5cb2a4c Author: Alexandre Belloni Date: Wed Apr 26 12:06:28 2017 +0200 net: macb: fix phy interrupt parsing [ Upstream commit ae3696c167cc04d32634c4af82f43b446c5176b0 ] Since 83a77e9ec415, the phydev irq is explicitly set to PHY_POLL when there is no pdata. It doesn't work on DT enabled platforms because the phydev irq is already set by libphy before. Fixes: 83a77e9ec415 ("net: macb: Added PCI wrapper for Platform Driver.") Signed-off-by: Alexandre Belloni Acked-by: Nicolas Ferre Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 99975dd434618b24585acc83b87a11b7fc9686c6 Author: Eric Dumazet Date: Wed Apr 26 09:07:46 2017 -0700 net: adjust skb->truesize in ___pskb_trim() [ Upstream commit c21b48cc1bbf2f5af3ef54ada559f7fadf8b508b ] Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in skb_try_coalesce() using syzkaller and a filter attached to a TCP socket. As we did recently in commit 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(), via a call to skb_condense(). If all frags were freed, then skb->truesize can be recomputed. This call can be done if skb is not yet owned, or destructor is sock_edemux(). Signed-off-by: Eric Dumazet Reported-by: Andrey Konovalov Cc: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 748838198f1e4b43a3660c823068d0601c6397d9 Author: Eric Dumazet Date: Wed Apr 26 17:15:40 2017 -0700 tcp: do not underestimate skb->truesize in tcp_trim_head() [ Upstream commit 7162fb242cb8322beb558828fd26b33c3e9fc805 ] Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in skb_try_coalesce() using syzkaller and a filter attached to a TCP socket over loopback interface. I believe one issue with looped skbs is that tcp_trim_head() can end up producing skb with under estimated truesize. It hardly matters for normal conditions, since packets sent over loopback are never truncated. Bytes trimmed from skb->head should not change skb truesize, since skb->head is not reallocated. Signed-off-by: Eric Dumazet Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8743096ed3f0dc277ae9266a0ee1d6e84746fd7b Author: Jason A. Donenfeld Date: Tue Apr 25 19:08:18 2017 +0200 macsec: dynamically allocate space for sglist [ Upstream commit 5294b83086cc1c35b4efeca03644cf9d12282e5b ] We call skb_cow_data, which is good anyway to ensure we can actually modify the skb as such (another error from prior). Now that we have the number of fragments required, we can safely allocate exactly that amount of memory. Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Signed-off-by: Jason A. Donenfeld Acked-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e288821b3842664234e40d74a991aef84b6a3cf7 Author: Dave Aldridge Date: Tue May 9 02:57:35 2017 -0600 sparc64: fix fault handling in NGbzero.S and GENbzero.S commit 3c7f62212018b904ae17f5636ead18a4dca3a88f upstream. When any of the functions contained in NGbzero.S and GENbzero.S vector through *bzero_from_clear_user, we may end up taking a fault when executing one of the store alternate address space instructions. If this happens, the exception handler does not restore the %asi register. This commit fixes the issue by introducing a new exception handler that ensures the %asi register is restored when a fault is handled. Orabug: 25577560 Signed-off-by: Dave Aldridge Reviewed-by: Rob Gardner Reviewed-by: Babu Moger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 01995a54c747939b40bb98f246b89101af06daaa Author: Takashi Iwai Date: Mon Jan 2 11:37:04 2017 +0100 ALSA: hda - Fix deadlock of controller device lock at unbinding commit ab949d519601880fd46e8bc1445d6a453bf2dc09 upstream. Imre Deak reported a deadlock of HD-audio driver at unbinding while it's still in probing. Since we probe the codecs asynchronously in a work, the codec driver probe may still be kicked off while the controller itself is being unbound. And, azx_remove() tries to process all pending tasks via cancel_work_sync() for fixing the other races (see commit [0b8c82190c12: ALSA: hda - Cancel probe work instead of flush at remove]), now we may meet a bizarre deadlock: Unbind snd_hda_intel via sysfs: device_release_driver() -> device_lock(snd_hda_intel) -> azx_remove() -> cancel_work_sync(azx_probe_work) azx_probe_work(): codec driver probe() -> __driver_attach() -> device_lock(snd_hda_intel) This deadlock is caused by the fact that both device_release_driver() and driver_probe_device() take both the device and its parent locks at the same time. The codec device sets the controller device as its parent, and this lock is taken before the probe() callback is called, while the controller remove() callback gets called also with the same lock. In this patch, as an ugly workaround, we unlock the controller device temporarily during cancel_work_sync() call. The race against another bind call should be still suppressed by the parent's device lock. Reported-by: Imre Deak Fixes: 0b8c82190c12 ("ALSA: hda - Cancel probe work instead of flush at remove") Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9576fcd1d93199441dcd1608b1729dabe1b68dab Author: Arnd Bergmann Date: Wed Jan 25 23:36:34 2017 +0100 staging: lustre: ptlrpc: avoid warning on missing return commit 74e3bb75315ce62a4567f2871276bab32802e8b4 upstream. The newly added function triggers a harmless warning: drivers/staging/lustre/lustre/ptlrpc/pack_generic.c: In function 'lustre_shrink_msg': drivers/staging/lustre/lustre/ptlrpc/pack_generic.c:472:1: error: control reaches end of non-void function [-Werror=return-type] This probably happens because LASSERTF() contains an 'unlikely()' that sometimes prevents gcc from analysing the control flow correctly. Adding a return statement here seems harmless and lets us keep that unlikely(). Fixes: 96049bd1ecd0 ("staging: lustre: ptlrpc: embed highest XID in each request") Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit e7d743d68744a8a2132bc94d7060d054f505a10e Author: Arnd Bergmann Date: Fri Dec 16 10:09:39 2016 +0100 staging: emxx_udc: remove incorrect __init annotations commit 4f3445067d5f78fb8d1970b02610f85c2f377ea4 upstream. The probe function is not marked __init, but some other functions are. This leads to a warning on older compilers (e.g. gcc-4.3), and can cause executing freed memory when built with those compilers: WARNING: drivers/staging/emxx_udc/emxx_udc.o(.text+0x2d78): Section mismatch in reference from the function nbu2ss_drv_probe() to the function .init.text:nbu2ss_drv_contest_init() This removes the annotations. Fixes: 33aa8d45a4fe ("staging: emxx_udc: Add Emma Mobile USB Gadget driver") Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit e368150f2942ab21a327a88c97e12d9ac9a45bf0 Author: Igor Pylypiv Date: Mon Jan 30 21:39:54 2017 -0800 staging: wlan-ng: add missing byte order conversion commit 2c474b8579e9b67ff72b2bcefce9f53c7f4469d4 upstream. Conversion macros le16_to_cpu was removed and that caused new sparse warning sparse output: drivers/staging/wlan-ng/p80211netdev.c:241:44: warning: incorrect type in argument 2 (different base types) drivers/staging/wlan-ng/p80211netdev.c:241:44: expected unsigned short [unsigned] [usertype] fc drivers/staging/wlan-ng/p80211netdev.c:241:44: got restricted __le16 [usertype] fc Fixes: 7ad82572348c ("staging:wlan-ng:Fix sparse warning") Signed-off-by: Igor Pylypiv Signed-off-by: Greg Kroah-Hartman commit debb50cbeda59430ec1de1192bbd8a54938f44a6 Author: Oleg Drokin Date: Wed Dec 7 17:41:27 2016 -0500 staging/lustre/llite: move root_squash from sysfs to debugfs commit 4c13990e35b9f053857d4ad83bf0f58e612ec414 upstream. root_squash control got accidentally moved to sysfs instead of debugfs, and the write side of it was also broken expecting a userspace buffer. It contains both uid and gid values in a single file, so debugfs is a clear place for it. Reported-by: Al Viro Fixes: c948390f10ccc "fix inconsistencies of root squash feature" Signed-off-by: Oleg Drokin Reviewed-by: James Simmons Signed-off-by: Greg Kroah-Hartman commit 9663ece4a7349ed176513bc17bcb97e1d5371305 Author: James Hughes Date: Tue Apr 25 10:15:06 2017 +0100 brcmfmac: Make skb header writable before use commit 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 upstream. The driver was making changes to the skb_header without ensuring it was writable (i.e. uncloned). This patch also removes some boiler plate header size checking/adjustment code as that is also handled by the skb_cow_header function used to make header writable. Signed-off-by: James Hughes Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Signed-off-by: Arend van Spriel Signed-off-by: Greg Kroah-Hartman commit d67be3c4b85268acf3873f366ff254562d1e29ba Author: James Hughes Date: Mon Apr 24 12:40:50 2017 +0100 brcmfmac: Ensure pointer correctly set if skb data location changes commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream. The incoming skb header may be resized if header space is insufficient, which might change the data adddress in the skb. Ensure that a cached pointer to that data is correctly set by moving assignment to after any possible changes. Signed-off-by: James Hughes Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Signed-off-by: Arend van Spriel Signed-off-by: Greg Kroah-Hartman commit cbd7c3465eec82914e7163b1a8e7b5d6b49e6b6c Author: Leonid Yegoshin Date: Thu Aug 25 10:37:38 2016 -0700 MIPS: R2-on-R6 MULTU/MADDU/MSUBU emulation bugfix commit d65e5677ad5b3a49c43f60ec07644dc1f87bbd2e upstream. MIPS instructions MULTU, MADDU and MSUBU emulation requires registers HI/LO to be converted to signed 32bits before 64bit sign extension on MIPS64. Bug was found on running MIPS32 R2 test application on MIPS64 R6 kernel. Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6") Signed-off-by: Leonid Yegoshin Reported-by: Nikola.Veljkovic@imgtec.com Cc: paul.burton@imgtec.com Cc: yamada.masahiro@socionext.com Cc: akpm@linux-foundation.org Cc: andrea.gelmini@gelma.net Cc: macro@imgtec.com Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14043/ Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 2523b0855c42245b715d0e913fea8f8e5af3c6d1 Author: Arnd Bergmann Date: Fri Feb 17 16:03:52 2017 +0100 scsi: smartpqi: fix time handling commit ed10858eadd4988260c6bc7d75fc25176342b5a7 upstream. When we have turned off RTC support, the smartpqi driver fails to build: ERROR: "rtc_time64_to_tm" [drivers/scsi/smartpqi/smartpqi.ko] undefined! This is easily avoided by using the generic 'struct tm' based helper rather than the RTC specific one. While fixing this, I noticed that even though the driver uses time64_t for storing seconds, it gets them from the old 32-bit struct timeval. To address this, we can simplify the code by calling ktime_get_real_seconds() directly. Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver") Signed-off-by: Arnd Bergmann Acked-by: Don Brace Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit a538d5f72454fb4c76a5dc74d732268cb4b2cffd Author: Finn Thain Date: Thu Feb 23 09:08:02 2017 +1100 scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m commit 2559a1ef688f933835912c731bed2254146a9b04 upstream. The mac_scsi driver still gets disabled when SCSI=m. This should have been fixed back when I enabled the tristate but I didn't see the bug. Fixes: 6e9ae6d560e1 ("[PATCH] mac_scsi: Add module option to Kconfig") Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7f3f10d2150f0991f459ce3ce12f0d317134affb Author: Bill Kuzeja Date: Tue Mar 14 13:28:44 2017 -0400 scsi: qla2xxx: Fix crash in qla2xxx_eh_abort on bad ptr commit 5f7c2beef819d9ea2d1b814edf6f5981420e9cf8 upstream. After a Qlogic card breaks when initializing (test case), the system can crash in qla2xxx_eh_abort if processing anything but a scsi command type srb. Fixes: 1535aa75a3d8 ("scsi: qla2xxx: fix invalid DMA access after command aborts in PCI device remove") Signed-off-by: Bill Kuzeja Acked-By: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 463232f51f91154b704cbe5667b2122974440fc5 Author: Arnd Bergmann Date: Thu Mar 2 15:58:03 2017 +0100 scsi: qedi: fix build error without DEBUG_FS commit bd571195c9535c0b074fc7cd1b541b93817ed647 upstream. Without CONFIG_DEBUG_FS, we run into a link error: drivers/scsi/qedi/qedi_iscsi.o: In function `qedi_ep_poll': qedi_iscsi.c:(.text.qedi_ep_poll+0x134): undefined reference to `do_not_recover' drivers/scsi/qedi/qedi_iscsi.o: In function `qedi_ep_disconnect': qedi_iscsi.c:(.text.qedi_ep_disconnect+0x36c): undefined reference to `do_not_recover' drivers/scsi/qedi/qedi_iscsi.o: In function `qedi_ep_connect': qedi_iscsi.c:(.text.qedi_ep_connect+0x350): undefined reference to `do_not_recover' drivers/scsi/qedi/qedi_fw.o: In function `qedi_tmf_work': qedi_fw.c:(.text.qedi_tmf_work+0x3b4): undefined reference to `do_not_recover' This defines the symbol as a constant in this case, as there is no way to set it to anything other than zero without DEBUG_FS. In addition, I'm renaming it to qedi_do_not_recover in order to put it into a driver specific namespace, as "do_not_recover" is a really bad name for a kernel-wide global identifier when it is used only in one driver. Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") Reviewed-by: Johannes Thumshirn Signed-off-by: Arnd Bergmann Acked-by: Manish Rangankar Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5102b4022080105d125d8ee5cb9c7751c1b01ea4 Author: Wei Yongjun Date: Tue Feb 7 14:52:58 2017 +0000 scsi: qedi: Fix possible memory leak in qedi_iscsi_update_conn() commit 8b9b22ba75907dcced88c815a5427ec0b4298aec upstream. 'conn_info' is malloced in qedi_iscsi_update_conn() and should be freed before leaving from the error handling cases, otherwise it will cause memory leak. Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") Signed-off-by: Wei Yongjun Acked-by: Manish Rangankar Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit eb1ef03d903301d367b0244411223e6e42b66a7d Author: Tony Lindgren Date: Fri Jan 20 12:22:31 2017 -0800 serial: 8250_omap: Fix probe and remove for PM runtime commit 4e0f5cc65098ea32a1e77baae74215b9bd5276b1 upstream. Otherwise the interconnect related code implementing PM runtime will produce these errors on a failed probe: omap_uart 48066000.serial: omap_device: omap_device_enable() called from invalid state 1 omap_uart 48066000.serial: use pm_runtime_put_sync_suspend() in driver? Note that we now also need to check for priv in omap8250_runtime_suspend() as it has not yet been registered if probe fails. And we need to use pm_runtime_put_sync() to properly idle the device like we already do in omap8250_remove(). Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver") Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 8b62d12c1a53c4cede6cf6491ee922632ea8a525 Author: Stephen Boyd Date: Thu Mar 9 13:45:44 2017 +0530 phy: qcom-usb-hs: Add depends on EXTCON commit 1a09b6a7c10e22c489a8b212dd6862b1fd9674ad upstream. We get the following compile errors if EXTCON is enabled as a module but this driver is builtin: drivers/built-in.o: In function `qcom_usb_hs_phy_power_off': phy-qcom-usb-hs.c:(.text+0x1089): undefined reference to `extcon_unregister_notifier' drivers/built-in.o: In function `qcom_usb_hs_phy_probe': phy-qcom-usb-hs.c:(.text+0x11b5): undefined reference to `extcon_get_edev_by_phandle' drivers/built-in.o: In function `qcom_usb_hs_phy_power_on': phy-qcom-usb-hs.c:(.text+0x128e): undefined reference to `extcon_get_state' phy-qcom-usb-hs.c:(.text+0x12a9): undefined reference to `extcon_register_notifier' so let's mark this as needing to follow the modular status of the extcon framework. Fixes: 9994a33865f4 e2427b09ba929c2b9 (phy: Add support for Qualcomm's USB HS phy") Signed-off-by: Stephen Boyd Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Greg Kroah-Hartman commit c6a6118496c87355aa10408c99a32a275b2b90d6 Author: Heiko Stuebner Date: Wed Mar 1 22:00:41 2017 +0100 clk: rockchip: add "," to mux_pll_src_apll_dpll_gpll_usb480m_p on rk3036 commit 9b1b23f03abdd25ffde8bbfe5824b89bc0448c28 upstream. The mux_pll_src_apll_dpll_gpll_usb480m_p parent list was missing a "," between the 3rd and 4th parent names, making them fall together and thus lookups fail. Fix that. Fixes: 5190c08b2989 ("clk: rockchip: add clock controller for rk3036") Signed-off-by: Heiko Stuebner Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit bc6e823fdcf2e409a6e2ea0847c9d8227fbf5c9d Author: Johan Hovold Date: Thu Jan 12 14:56:14 2017 +0100 USB: serial: io_edgeport: fix descriptor error handling commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream. Make sure to detect short control-message transfers and log an error when reading incomplete manufacturer and boot descriptors. Note that the default all-zero descriptors will now be used after a short transfer is detected instead of partially initialised ones. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1077176a2456691525a02a666e9d1d24447341f7 Author: Johan Hovold Date: Fri Jan 6 19:15:17 2017 +0100 USB: serial: ch341: fix modem-status handling commit a0467a967f347842b30739aae636c44980265265 upstream. The modem-status register was read as part of device configuration at port_probe and then again at open (and reset-resume). During open (and reset-resume) the MSR was read before submitting the interrupt URB, something which could lead to an MSR-change going unnoticed when it races with open (reset-resume). Fix this by dropping the redundant reconfiguration of the port at every open, and only read the MSR after the interrupt URB has been submitted. Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e40bbb3970749d490af2c2d52de496e85f810ea1 Author: Johan Hovold Date: Thu Jan 12 14:56:16 2017 +0100 USB: serial: mct_u232: fix modem-status error handling commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream. Make sure to detect short control-message transfers so that errors are logged when reading the modem status at open. Note that while this also avoids initialising the modem status using uninitialised heap data, these bits could not leak to user space as they are currently not used. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f665109e63c1350be9857459a8c22d145eb20479 Author: Johan Hovold Date: Thu Jan 12 14:56:20 2017 +0100 USB: serial: quatech2: fix control-message error handling commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream. Make sure to detect short control-message transfers when fetching modem and line state in open and when retrieving registers. This specifically makes sure that an errno is returned to user space on errors in TIOCMGET instead of a zero bitmask. Also drop the unused getdevice function which also lacked appropriate error handling. Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit aa0b4b2ff04ec66783a0c2050fc21be1a5c51741 Author: Johan Hovold Date: Thu Jan 12 14:56:12 2017 +0100 USB: serial: ftdi_sio: fix latency-timer error handling commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream. Make sure to detect short responses when reading the latency timer to avoid using stale buffer data. Note that no heap data would currently leak through sysfs as ASYNC_LOW_LATENCY is set by default. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 44d7d23192fef78ae71ba345b68d4d36fa530b21 Author: Johan Hovold Date: Thu Jan 12 14:56:10 2017 +0100 USB: serial: ark3116: fix open error handling commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream. Fix open error handling which failed to detect errors when reading the MSR and LSR registers, something which could lead to the shadow registers being initialised from errnos. Note that calling the generic close implementation is sufficient in the error paths as the interrupt urb has not yet been submitted and the register updates have not been made. Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 39581ca08fb971ce8a2ef474205f100e7642f5e9 Author: Johan Hovold Date: Thu Jan 12 14:56:23 2017 +0100 USB: serial: ti_usb_3410_5052: fix control-message error handling commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream. Make sure to detect and return an error on zero-length control-message transfers when reading from the device. This addresses a potential failure to detect an empty transmit buffer during close. Also remove a redundant check for short transfer when sending a command. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit c5cd729ca1009ed68a2ff21357cf72ff44acc808 Author: Johan Hovold Date: Thu Jan 12 14:56:13 2017 +0100 USB: serial: io_edgeport: fix epic-descriptor handling commit e4457d9798adb96272468e93da663de9bd0a4198 upstream. Use a dedicated buffer for the DMA transfer and make sure to detect short transfers to avoid parsing a corrupt descriptor. Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit d75ac2f21f5375e7d058065373916a23733b795c Author: Johan Hovold Date: Thu Jan 12 14:56:22 2017 +0100 USB: serial: ssu100: fix control-message error handling commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream. Make sure to detect short control-message transfers rather than continue with zero-initialised data when retrieving modem status and during device initialisation. Fixes: 52af95459939 ("USB: add USB serial ssu100 driver") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7db2c56df28a1c59acf4ebe6b689936961790d80 Author: Johan Hovold Date: Tue Jan 31 17:17:28 2017 +0100 USB: serial: digi_acceleport: fix incomplete rx sanity check commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream. Make sure the received data has the required headers before parsing it. Also drop the redundant urb-status check, which has already been handled by the caller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit cfbe048303d2e24dd03698748220988afc68e15d Author: Johan Hovold Date: Tue Jan 31 17:17:29 2017 +0100 USB: serial: keyspan_pda: fix receive sanity checks commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream. Make sure to check for short transfers before parsing the receive buffer to avoid acting on stale data. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7916a663940bf29e8f683c1b1df622bb1e878acb Author: Stephen Boyd Date: Wed Dec 28 14:56:51 2016 -0800 usb: chipidea: Handle extcon events properly commit a89b94b53371bbfa582787c2fa3378000ea4263d upstream. We're currently emulating the vbus and id interrupts in the OTGSC read API, but we also need to make sure that if we're handling the events with extcon that we don't enable the interrupts for those events in the hardware. Therefore, properly emulate this register if we're using extcon, but don't enable the interrupts. This allows me to get my cable connect/disconnect working properly without getting spurious interrupts on my device that uses an extcon for these two events. Acked-by: Peter Chen Cc: Greg Kroah-Hartman Cc: "Ivan T. Ivanov" Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") Signed-off-by: Stephen Boyd Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit 7a93680fe2593aab27cf8a396899da5fed69fd01 Author: Stephen Boyd Date: Wed Dec 28 14:56:50 2016 -0800 usb: chipidea: Only read/write OTGSC from one place commit f60f8ccd54e03c1afafb2b20ceb029a0eaf7a134 upstream. With the id and vbus detection done via extcon we need to make sure we poll the status of OTGSC properly by considering what the extcon is saying, and not just what the register is saying. Let's move this hw_wait_reg() function to the only place it's used and simplify it for polling the OTGSC register. Then we can make certain we only use the hw_read_otgsc() API to read OTGSC, which will make sure we properly handle extcon events. Acked-by: Peter Chen Cc: Greg Kroah-Hartman Cc: "Ivan T. Ivanov" Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") Signed-off-by: Stephen Boyd Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit cc771fa1d711cf58dc6f4630fc8207199a4d9084 Author: Krzysztof Kozlowski Date: Sat Jan 7 10:41:41 2017 +0200 usb: host: ohci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths commit 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 upstream. Returning from for_each_available_child_of_node() loop requires cleaning up node refcount. Error paths lacked it so for example in case of deferred probe, the refcount of phy node was left increased. Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs") Signed-off-by: Krzysztof Kozlowski Acked-by: Alan Stern Reviewed-by: Javier Martinez Canillas Signed-off-by: Greg Kroah-Hartman commit d286acdd40edf66cdb05cce514fe48b3d839ca2c Author: Krzysztof Kozlowski Date: Sat Jan 7 10:41:40 2017 +0200 usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths commit 3f6026b1dcb3c8ee71198c485a72ac674c6890dd upstream. Returning from for_each_available_child_of_node() loop requires cleaning up node refcount. Error paths lacked it so for example in case of deferred probe, the refcount of phy node was left increased. Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs") Signed-off-by: Krzysztof Kozlowski Acked-by: Alan Stern Reviewed-by: Javier Martinez Canillas Signed-off-by: Greg Kroah-Hartman commit 5605e5c50f342addd16c2bb9b3efb7d5ee7c7423 Author: Nicholas Mc Guire Date: Mon Jan 23 15:00:40 2017 -0800 usb: dwc2: host: use msleep() for long delay commit d3fe81d2ccc41b355e494413115c0c7c18426fa1 upstream. ulseep_range() uses hrtimers and provides no advantage over msleep() for larger delays. Fix up the 100ms delays here passing the adjusted "min" value to msleep(). This helps reduce the load on the hrtimer subsystem. Link: http://lkml.org/lkml/2017/1/11/377 Fixes: commit 2938fc63e0c2 ("usb: dwc2: Properly account for the force mode delays") Signed-off-by: Nicholas Mc Guire Signed-off-by: John Youn Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 69a09d73e8bd8434e34c5b83913937cc202d87a7 Author: Ladi Prosek Date: Fri Mar 31 10:19:26 2017 +0200 KVM: nVMX: do not leak PML full vmexit to L1 commit ab007cc94ff9d82f5a8db8363b3becbd946e58cf upstream. The PML feature is not exposed to guests so we should not be forwarding the vmexit either. This commit fixes BSOD 0x20001 (HYPERVISOR_ERROR) when running Hyper-V enabled Windows Server 2016 in L1 on hardware that supports PML. Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX") Signed-off-by: Ladi Prosek Reviewed-by: David Hildenbrand Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit 22e025bc1af900e4ac8b2bea9772cead23d402a1 Author: Ladi Prosek Date: Tue Apr 4 14:18:53 2017 +0200 KVM: nVMX: initialize PML fields in vmcs02 commit 1fb883bb827ee8efc1cc9ea0154f953f8a219d38 upstream. L2 was running with uninitialized PML fields which led to incomplete dirty bitmap logging. This manifested as all kinds of subtle erratic behavior of the nested guest. Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX") Signed-off-by: Ladi Prosek Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit 4897ec5ece6c0ac1138a0546df7705865b44b1fa Author: Jim Mattson Date: Tue Dec 20 16:34:50 2016 -0800 Revert "KVM: nested VMX: disable perf cpuid reporting" commit 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 upstream. This reverts commit bc6134942dbbf31c25e9bd7c876be5da81c9e1ce. A CPUID instruction executed in VMX non-root mode always causes a VM-exit, regardless of the leaf being queried. Fixes: bc6134942dbb ("KVM: nested VMX: disable perf cpuid reporting") Signed-off-by: Jim Mattson [The issue solved by bc6134942dbb has been resolved with ff651cb613b4 ("KVM: nVMX: Add nested msr load/restore algorithm").] Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit 78a43e2c2c9877f55562d3c6e7fb7bb2aba38c33 Author: Paul Mackerras Date: Tue Dec 20 14:02:29 2016 +1100 KVM: PPC: Book3S HV: Don't try to signal cpu -1 commit 3deda5e50c893be38c1b6b3a73f8f8fb5560baa4 upstream. If the target vcpu for kvmppc_fast_vcpu_kick_hv() is not running on any CPU, then we will have vcpu->arch.thread_cpu == -1, and as it happens, kvmppc_fast_vcpu_kick_hv will call kvmppc_ipi_thread with -1 as the cpu argument. Although this is not meaningful, in the past, before commit 1704a81ccebc ("KVM: PPC: Book3S HV: Use msgsnd for IPIs to other cores on POWER9", 2016-11-18), it was harmless because CPU -1 is not in the same core as any real CPU thread. On a POWER9, however, we don't do the "same core" check, so we were trying to do a msgsnd to thread -1, which is invalid. To avoid this, we add a check to see that vcpu->arch.thread_cpu is >= 0 before calling kvmppc_ipi_thread() with it. Since vcpu->arch.thread_vcpu can change asynchronously, we use READ_ONCE to ensure that the value we check is the same value that we use as the argument to kvmppc_ipi_thread(). Fixes: 1704a81ccebc ("KVM: PPC: Book3S HV: Use msgsnd for IPIs to other cores on POWER9") Signed-off-by: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit f82a54b53ca2b7f16c3b20713f9187c32ca5b487 Author: Andy Shevchenko Date: Sun Mar 12 17:07:44 2017 +0200 x86/platform/intel-mid: Correct MSI IRQ line for watchdog device commit 80354c29025833acd72ddac1ffa21c6cb50128cd upstream. The interrupt line used for the watchdog is 12, according to the official Intel Edison BSP code. And indeed after fixing it we start getting an interrupt and thus the watchdog starts working again: [ 191.699951] Kernel panic - not syncing: Kernel Watchdog Signed-off-by: Andy Shevchenko Cc: Borislav Petkov Cc: David Cohen Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 78a3bb9e408b ("x86: intel-mid: add watchdog platform code for Merrifield") Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 743cfeb7bcddd3646988890c7a0f157e0895c8f3 Author: Masami Hiramatsu Date: Wed Mar 1 01:23:24 2017 +0900 kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed commit 75013fb16f8484898eaa8d0b08fed942d790f029 upstream. Fix to the exception table entry check by using probed address instead of the address of copied instruction. This bug may cause unexpected kernel panic if user probe an address where an exception can happen which should be fixup by __ex_table (e.g. copy_from_user.) Unless user puts a kprobe on such address, this doesn't cause any problem. This bug has been introduced years ago, by commit: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently"). Signed-off-by: Masami Hiramatsu Cc: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently") Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devbox Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit d696d9cfea735c2521ecaaac4eafd39d359feb61 Author: Andrey Ryabinin Date: Thu Jan 26 17:27:23 2017 +0300 platform/x86: intel_pmc_core: fix out-of-bounds accesses on stack commit 4f24ecff0153047a4a8b53c31d8001ee79e1cab7 upstream. pmc_core_mtpmc_link_status() an pmc_core_check_read_lock_bit() use test_bit() on local 32-bit variable. This causes out-of-bounds access since test_bit() expects object at least of 'unsigned long' size: BUG: KASAN: stack-out-of-bounds in pmc_core_probe+0x3aa/0x3b0 Call Trace: __asan_report_load_n_noabort+0x5c/0x80 pmc_core_probe+0x3aa/0x3b0 local_pci_probe+0xf9/0x1e0 pci_device_probe+0x27b/0x350 driver_probe_device+0x419/0x830 __driver_attach+0x15f/0x1d0 bus_for_each_dev+0x129/0x1d0 driver_attach+0x42/0x70 bus_add_driver+0x385/0x690 driver_register+0x1a9/0x3d0 __pci_register_driver+0x1a2/0x290 intel_pmc_core_driver_init+0x19/0x1b do_one_initcall+0x12e/0x280 kernel_init_freeable+0x57c/0x623 kernel_init+0x13/0x140 ret_from_fork+0x2e/0x40 Fix this by open coding bit test. While at it, also refactor this code a little bit. Fixes: 173943b3dae5 ("platform/x86: intel_pmc_core: ModPhy core lanes pg status") Signed-off-by: Andrey Ryabinin [andy: reverted not related changes, used BIT() macro] Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 5e10d8dc000351158f06314448013a3b5f951795 Author: Pierre-Louis Bossart Date: Mon Jan 23 12:07:41 2017 -0600 clk: Make x86/ conditional on CONFIG_COMMON_CLK commit f35b6542c3ac3f28056d298348a81f7d56d3a041 upstream. Fix Makefile for x86 support, dependency on CONFIG_COMMON_CLK was not explicit Fixes: 701190fd7419 ('clk: x86: add support for Lynxpoint LPSS clocks') Signed-off-by: Pierre-Louis Bossart Acked-by: Andy Shevchenko Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 4a8fa15cec039d6cb963f5a3f8a8ae8f747df82e Author: Dave Hansen Date: Wed Feb 1 14:56:29 2017 -0800 x86/mpx: Re-add MPX to selftests Makefile commit e64d5fbe56259c94df504af8ce804cfc6a022adb upstream. Ingo pointed out that the MPX tests were no longer in the selftests Makefile. It appears that I shot myself in the foot on this one and accidentally removed them when I added the pkeys tests, probably from bungling a merge conflict. Reported-by: Ingo Molnar Signed-off-by: Dave Hansen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 5f23f6d082a9 ("x86/pkeys: Add self-tests") Link: http://lkml.kernel.org/r/20170201225629.C3070852@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit d4462702edd1a2bd51ce6e0e148ac8ac80df37ea Author: Nikola Pajkovsky Date: Tue Nov 15 09:47:49 2016 +0100 x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream. commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed bad_dma_address variable and used instead of macro DMA_ERROR_CODE which is always zero. Since dma_addr is unsigned, the statement dma_addr >= DMA_ERROR_CODE is always true, and not needed. arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’: arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) { Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable") Signed-off-by: Nikola Pajkovsky Cc: iommu@lists.linux-foundation.org Cc: Jon Mason Cc: Muli Ben-Yehuda Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 679dd20cc34ebfe2c2fb666a2f13f19834978f6d Author: Ruslan Ruslichenko Date: Tue Jan 17 16:13:52 2017 +0200 x86/ioapic: Restore IO-APIC irq_chip retrigger callback commit a9b4f08770b415f30f2fb0f8329a370c8f554aa3 upstream. commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC chip and did not add it to the new IO-APIC-IR irq chip. There is no harm because the interrupts are resent in software when the retrigger callback is NULL, but it's less efficient. So restore them. [ tglx: Massaged changelog ] Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces") Signed-off-by: Ruslan Ruslichenko Cc: xe-linux-external@cisco.com Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 6e4623e517db556f665573a7e3d501f56d4365c1 Author: Sara Sharon Date: Thu Jan 26 14:43:32 2017 +0200 iwlwifi: mvm: fix accessing fw_id_to_mac_id commit a95600294157ca7527ee7c70249fb53e09d8c566 upstream. Access should be by rcu_dereference. Issue was found by sparse. Fixes: 65e254821cee ("iwlwifi: mvm: use firmware station PM notification for AP_LINK_PS") Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit bcb28cb399309a4c1172b748704a1682cad7f4de Author: Dan Carpenter Date: Thu Mar 23 13:40:00 2017 +0300 iwlwifi: mvm: writing zero bytes to debugfs causes a crash commit 251fe09f13bfb54c1ede66ee8bf8ddd0061c4f7c upstream. This is a static analysis fix. The warning is: drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c:912 iwl_mvm_fw_dbg_collect() warn: integer overflows 'sizeof(*desc) + len' I guess this code is supposed to take a NUL character, but if we write zero bytes then it tries to write -1 characters and crashes. Fixes: c91b865cb14d ("iwlwifi: mvm: support description for user triggered fw dbg collection") Signed-off-by: Dan Carpenter Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit bd78746f3225df60d5d6818009b9e4fa9dc44047 Author: Sara Sharon Date: Wed Nov 30 16:49:11 2016 +0200 iwlwifi: mvm: synchronize firmware DMA paging memory commit 4b70f07686d75d1eb5d956812cc810944e0b29b2 upstream. When driver needs to access the contents of a streaming DMA buffer without unmapping it it should call dma_sync_single_for_cpu(). Once the call has been made, the CPU "owns" the DMA buffer and can work with it as needed. Before the device accesses the buffer, however, ownership should be transferred back to it with dma_sync_single_for_device(). Both calls weren't performed by the driver, resulting with odd paging errors on some platforms. Fix it. Fixes: a6c4fb4441f4 ("iwlwifi: mvm: Add FW paging mechanism for the UMAC on PCI") Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 39e4ab1d46faffcecbcb083bc101d81b518e772b Author: Sara Sharon Date: Sun Jan 1 18:42:23 2017 +0200 iwlwifi: mvm: fix references to first_agg_queue in DQA mode commit c56108b58ab870892277940a1def0d6b153f3e26 upstream. In DQA mode, first_agg_queue is initialized to IWL_MVM_DQA_MIN_DATA_QUEUE. This causes two bugs in the tx response flow: 1. When TX fails, we set IEEE80211_TX_STAT_AMPDU_NO_BACK regardless if we actually have aggregation open on the queue. This causes mac80211 to send a BAR frame even though there is no aggregation open. Fix that by simply checking the AMPDU flag that is set on by mac80211 for AMPDU packets. 2. When reclaiming frames in aggregation mode, we reclaim based on scheduler ssn and not the SN. The reason is that scheduler ssn may be ahead of SN due to a hole in the BA window that was filled. However, if we have aggregations open on IWL_MVM_DQA_BSS_CLIENT_QUEUE the reclaim flow will still go to the code of non-aggregation instead of the aggregation code since IWL_MVM_DQA_BSS_CLIENT_QUEUE is smaller than IWL_MVM_DQA_MIN_DATA_QUEUE, although it is a valid aggregation queue. Fix that by always using the aggregation reclaim code by default in DQA mode (currently it is implicitly used by default for all queues except the reserved BSS queue). Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue") Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 82e158e124437829186d05b9446d753ea56d7d12 Author: Sara Sharon Date: Wed Dec 7 15:04:37 2016 +0200 iwlwifi: mvm: fix pending frame counter calculation commit 94c3e614df2117626fccfac8f821c66e30556384 upstream. In DQA mode the check whether to decrement the pending frames counter relies on the tid status and not on the txq id. This may result in an inconsistent state of the pending frames counter in case frame is queued on a non aggregation queue but with this TID, and will be followed by a failure to remove the station and later on SYSASSERT 0x3421 when trying to remove the MAC. Such frames are for example bar and qos NDPs. Fix it by aligning the condition of incrementing the counter with the condition of decrementing it - rely on TID state for DQA mode. Also, avoid internal error like this affecting station removal for DQA mode - since we can know for sure it is an internal error. Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue") Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit fa251bac18691faf12eea9b4e637ec7133429350 Author: Johannes Berg Date: Fri Dec 2 10:04:49 2016 +0100 iwlwifi: mvm/pcie: adjust A-MSDU tx_cmd length in PCIe commit 05e5a7e58d3f8f597ebe6f78aaa13a2656b78239 upstream. Instead of setting the tx_cmd length in the mvm code, which is complicated by the fact that DQA may want to temporarily store the SKB on the side, adjust the length in the PCIe code which also knows about this since it's responsible for duplicating all those headers that are account for in this code. As the PCIe code already relies on the tx_cmd->len field, this doesn't really introduce any new dependencies. To make this possible we need to move the memcpy() of the TX command until after it was updated. This does even simplify the code though, since the PCIe code already does a lot of manipulations to build A-MSDUs correctly and changing the length becomes a simple operation to see how much was added/removed, rather than predicting it. Fixes: 24afba7690e4 ("iwlwifi: mvm: support bss dynamic alloc/dealloc of queues") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 441f52f1943520d9779757994b24bb3187c945c9 Author: Beni Lev Date: Thu Nov 17 14:03:17 2016 +0200 iwlwifi: mvm: Use aux queue for offchannel frames in dqa commit 6574dc943fc32a2fce69fab14891abca7eecb67c upstream. Since offchannel activity doesn't always require a BSS, e.g. ANQP sessions, offchannel frames should not use the BSS queue, because it might not be initialized. Use the auxilary queue instead Fixes: e3118ad74d7e ("iwlwifi: mvm: support tdls in dqa mode") Signed-off-by: Beni Lev Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit ab735bec18d4d60ba8655667fb8bf1965aa5b994 Author: Sara Sharon Date: Tue Jan 3 21:03:35 2017 +0200 iwlwifi: mvm: fix reorder timer re-arming commit 5351f9ab254c30d41659924265f1ecd7b4758d9e upstream. When NSSN is behind the reorder buffer due to timeout the reorder timer isn't getting re-armed until NSSN catches up. Fix it. Fixes: 0690405fef29 ("iwlwifi: mvm: add reorder timeout per frame") Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 7478a09f262cfb50b8ce67c546963a42e8b773c3 Author: Sara Sharon Date: Wed Dec 7 12:22:11 2016 +0200 iwlwifi: pcie: fix the set of DMA memory mask commit 2c6262b754f3c3338cb40b23880a3ac1f4693b25 upstream. Our 9000 device supports 64 bit DMA address for RX only, and not for TX. Setting DMA mask to 64 for the whole device is erroneous - we can do it only for a000 devices where device is capable of both RX & TX DMA with 64 bit address space. Fixes: 96a6497bc3ed ("iwlwifi: pcie: add 9000 series multi queue rx DMA support") Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 0633d3269a69fde55a2437b18cfd8f25dd141310 Author: Kirtika Ruchandani Date: Tue Nov 8 21:50:48 2016 -0800 iwlwifi: pcie: trans: Remove unused 'shift_param' commit 3ce4a03852d6dd3fd28c2fb2ee9f89bb9ccf9a9b upstream. shift_param is defined and set in iwl_pcie_load_cpu_sections but not used. Fix this to avoid -Wunused-but-set-variable warning. The code using it turned into dead code with commit dcab8ecd5617 ("iwlwifi: mvm: support ucode load for family_8000 B0 only") which added a separate function iwl_pcie_load_given_ucode_8000 (then 8000b) for IWL_DEVICE_FAMILY_8000. Commit 76f8c0e17edc ("iwlwifi: pcie: remove dead code") removed the dead code but left shift_param as is. iwlwifi/pcie/trans.c: In function ‘iwl_pcie_load_cpu_sections’: iwlwifi/pcie/trans.c:871:6: warning: variable ‘shift_param’ set but not used [-Wunused-but-set-variable] Fixes: dcab8ecd5617 ("iwlwifi: mvm: support ucode load for family_8000 B0 only") Fixes: 76f8c0e17edc ("iwlwifi: pcie: remove dead code") Signed-off-by: Kirtika Ruchandani Cc: Sara Sharon Cc: Luca Coelho Cc: Liad Kaufman Cc: Emmanuel Grumbach [removed some unnecessary braces] Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit e864e96864428951d632929534794559742516de Author: Emmanuel Grumbach Date: Sat Jan 7 20:11:47 2017 +0200 iwlwifi: pcie: don't increment / decrement a bool commit 04fa3e680b4dd2fdd11d0152fb9b6067e7aac140 upstream. David reported that the code I added uses the decrement and increment operator on a boolean variable. Fix that. Fixes: 0cd58eaab148 ("iwlwifi: pcie: allow the op_mode to block the tx queues") Reported-by: David Binderman Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 7e375d6d605645b31480d70f6c12b2c67d71404c Author: Johannes Berg Date: Fri Dec 2 09:57:40 2016 +0100 iwlwifi: mvm: overwrite skb info later commit bd05a5bd6b11d7fd26a668de83c5cb996de05f8f upstream. We don't really need clear the skb's status area nor store the dev_cmd into it until we really commit to the frame by handing it to the transport - defer those operations until just before we do that. This doesn't entirely fix the bug with frames not getting sent out after having been deferred due to DQA, because it doesn't restore the info->driver_data[0] place that was already set to zero (or another value) by the A-MSDU logic. Fixes: 24afba7690e4 ("iwlwifi: mvm: support bss dynamic alloc/dealloc of queues") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 827181091199a46ed986fea4fbc3021becc214a0 Author: Luca Coelho Date: Fri Oct 7 15:16:26 2016 +0300 iwlwifi: mvm: don't restart HW if suspend fails with unified image commit bac453ab3745eaa64137ea6e77e009b45954f0ae upstream. For unified images, we shouldn't restart the HW if suspend fails. The only reason for restarting the HW with non-unified images is to go back to the D0 image. Fixes: 23ae61282b88 ("iwlwifi: mvm: Do not switch to D3 image on suspend") Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 3aff5ebef0b44c1b6e4b2ce3401e79e9b0d0fcf7 Author: Jürg Billeter Date: Mon Oct 10 18:30:00 2016 +0200 iwlwifi: fix MODULE_FIRMWARE for 6030 commit d8320d75b59ecdc1b8e60ac793d3a54d84333a18 upstream. IWL6000G2B_UCODE_API_MAX is not defined. ucode_api_max of IWL_DEVICE_6030 uses IWL6000G2_UCODE_API_MAX. Use this also for MODULE_FIRMWARE. Fixes: 9d9b21d1b616 ("iwlwifi: remove IWL_*_UCODE_API_OK") Signed-off-by: Jürg Billeter Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit e9a20a1525989a93fb592ee953d7319f27a11d2e Author: Johannes Berg Date: Thu Oct 20 15:25:00 2016 +0200 iwlwifi: mvm: properly check for transport data in dump commit c2e27e16f2411155b906db201b7e478144034ffe upstream. When copying from vmalloc'ed memory to the SG list, don't crash if the transport didn't provide any data. Fixes: 7e62a699aafb ("iwlwifi: mvm: use dev_coredumpsg()") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 47b8d37b4c629a1133ec4f8fdcc077b7113de720 Author: Brian Norris Date: Fri Mar 10 17:39:22 2017 -0800 mwifiex: set adapter->dev before starting to use mwifiex_dbg() commit ba1c7e45ec224cc8d2df33ecaee1946d48e79231 upstream. The mwifiex_dbg() log handler utilizes the struct device in adapter->dev. Without it, it decides not to print anything. As of commit 2e02b5814217 ("mwifiex: Allow mwifiex early access to device structure"), we started assigning that pointer only after we finished mwifiex_register() -- this effectively neuters any mwifiex_dbg() logging done before this point. Let's move the device assignment into mwifiex_register(). Fixes: 2e02b5814217 ("mwifiex: Allow mwifiex early access to device structure") Cc: Rajat Jain Signed-off-by: Brian Norris Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 219083c8972518ca620f3677c75532d899ba9b62 Author: Brian Norris Date: Fri Feb 10 13:55:25 2017 -0800 mwifiex: don't enable/disable IRQ 0 during suspend/resume commit 2447e2cad75239ae407c0f98acf12511354208c5 upstream. If we don't have an out-of-band wakeup IRQ configured through DT (as most platforms don't), then we fall out of this function with 'irq_wakeup == 0'. Other code (e.g., mwifiex_disable_wake() and mwifiex_enable_wake()) treats 'irq_wakeup >= 0' as a valid IRQ, and so we end up calling {enable,disable}_irq() on IRQ 0. That seems bad, so let's not do that. Same problem as fixed in this patch: https://patchwork.kernel.org/patch/9531693/ [PATCH v2 2/3] btmrvl: set irq_bt to -1 when failed to parse it with the difference that: (a) this one is actually a regression and (b) this affects both device tree and non-device-tree systems While fixing the regression, also drop the verbosity on the parse failure, so we don't see this when a DT node is present but doesn't have an interrupt property (this is perfectly legal): [ 21.999000] mwifiex_pcie 0000:01:00.0: fail to parse irq_wakeup from device tree Fixes: 853402a00823 ("mwifiex: Enable WoWLAN for both sdio and pcie") Signed-off-by: Brian Norris Acked-by: Rajat Jain Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 33d8a1d4086e088ff63794794073216a91abb5d5 Author: Ganapathi Bhat Date: Fri Feb 3 18:30:22 2017 +0530 mwifiex: Avoid skipping WEP key deletion for AP commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream. This patch fixes the issue specific to AP. AP is started with WEP security and external station is connected to it. Data path works in this case. Now if AP is restarted with WPA/WPA2 security, station is able to connect but ping fails. Driver skips the deletion of WEP keys if interface type is AP. Removing that redundant check resolves the issue. Fixes: e57f1734d87a ("mwifiex: add key material v2 support") Signed-off-by: Ganapathi Bhat Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 6a9d22e988c3a14e511920f71e96d111ff33d3e1 Author: Xinming Hu Date: Wed Jan 11 21:41:24 2017 +0530 mwifiex: remove redundant dma padding in AMSDU commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream. We already ensure 64 bytes alignment and add padding if required during skb_aggr allocation. Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant. We may end up accessing more data than allocated size with this. This patch fixes following issue by removing redundant padding. [ 370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550 put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev: [ 370.241374] ------------[ cut here ]------------ [ 370.241382] kernel BUG at net/core/skbuff.c:104! 370.244032] Call Trace: [ 370.244041] [] skb_put+0x44/0x45 [ 370.244055] [] mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex] [ 370.244067] [] mwifiex_wmm_process_tx+0x44a/0x6b7 [mwifiex] [ 370.244074] [] ? 0xffffffffc0411eb8 [ 370.244084] [] mwifiex_main_process+0x476/0x5a5 [mwifiex] [ 370.244098] [] mwifiex_main_process+0x5a3/0x5a5 [mwifiex] [ 370.244113] [] process_one_work+0x1a4/0x309 [ 370.244123] [] worker_thread+0x20c/0x2ee [ 370.244130] [] ? rescuer_thread+0x383/0x383 [ 370.244136] [] ? rescuer_thread+0x383/0x383 [ 370.244143] [] kthread+0x11c/0x124 [ 370.244150] [] ? kthread_parkme+0x24/0x24 [ 370.244157] [] ret_from_fork+0x3f/0x70 [ 370.244168] [] ? kthread_parkme+0x24/0x24 Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned") Signed-off-by: Xinming Hu Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 4b8badac65259afb061ec73e96c839be51386da2 Author: Brian Norris Date: Mon Jan 9 15:33:50 2017 -0800 mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream. Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte SSIDs"), we failed to account for the existence of 32-char SSIDs in our debugfs code. Unlike in that case though, we zeroed out the containing struct first, and I'm pretty sure we're guaranteed to have some padding after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes long). So, this is the difference between: # cat /sys/kernel/debug/mwifiex/mlan0/info ... essid="0123456789abcdef0123456789abcdef " ... and the correct output: # cat /sys/kernel/debug/mwifiex/mlan0/info ... essid="0123456789abcdef0123456789abcdef" ... Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Brian Norris Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit ed65aff890b94ff646f0f99041b17e7b90dc5b5a Author: Florian Fainelli Date: Sat Mar 18 21:53:20 2017 -0700 ARM: dts: sun7i: lamobo-r1: Fix CPU port RGMII settings commit 0cdefd5b5485ee6eb3512a75739d09a4090176ed upstream. The CPU port of the BCM53125 is configured with RGMII (no delays) but this should actually be RGMII with transmit delay (rgmii-txid) because STMMAC takes care of inserting the transmitter delay. This fixes occasional packet loss encountered. Fixes: d7b9eaff5f0c ("ARM: dts: sun7i: Add BCM53125 switch nodes to the lamobo-r1 board") Reported-by: Hartmut Knaack Signed-off-by: Florian Fainelli Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit c78c87249cd6489b063616a261138c96fb64d288 Author: Sekhar Nori Date: Wed Feb 15 20:42:52 2017 +0530 ARM: dts: am57xx-idk: tpic2810 is on I2C bus, not SPI commit f5432f01240ef69a391940d623b6a51768aefd65 upstream. commit 50e95b6b854c ("ARM: dts: am57xx-idk: Add Industrial output support") added the TPIC2810 device-tree node under SPI bus instead of I2C1. Fix it. Tested on AM572x IDK by driving on-board LEDs connected to TPIC2810 Fixes: 50e95b6b854c ("ARM: dts: am57xx-idk: Add Industrial output support") Signed-off-by: Sekhar Nori Acked-by: Andrew F. Davis Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 8848163aa114c4d38f353df0e37292f9c28fe4da Author: Tony Lindgren Date: Tue Feb 14 10:26:03 2017 -0800 ARM: OMAP3: Fix smartreflex platform data regression commit 179125085bd4ca70e8e028913193a93653bd12f7 upstream. Commit d9d9cec02835 ("ARM: OMAP2+: Remove legacy data from hwmod for omap3") dropped platform data that should no longer be used as we're booting with device tree. It turns out that smartreflex is still using platform data and produces the following errors during probe: smartreflex smartreflex.0: invalid resource smartreflex smartreflex.0: omap_sr_probe: ioremap fail smartreflex: probe of smartreflex.0 failed with error -22 smartreflex smartreflex.1: invalid resource smartreflex smartreflex.1: omap_sr_probe: ioremap fail smartreflex: probe of smartreflex.1 failed with error -22 Let's fix the regression by adding back the smartreflex hwmod data. The long term is to update the smartreflex driver to use device tree based probing. Fixes: d9d9cec02835 ("ARM: OMAP2+: Remove legacy data from hwmod for omap3") Reported-by: Adam Ford Tested-by: Adam Ford Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 097336fc693d9d49c66d8f53dfe9c5d141b80722 Author: Matthijs van Duin Date: Thu Feb 16 01:05:04 2017 +0100 ARM: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build commit 448c077eeb02240c430db2a2c3bf5285a4c65d66 upstream. 'adr' yields a data-pointer, not a function-pointer. Fixes: 999f934de195 ("ARM: omap5/dra7xx: Enable booting secondary CPU in HYP mode") Signed-off-by: Matthijs van Duin Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 98fa203aa7cda0ccdbdc0319253c15018e34381d Author: Fabio Estevam Date: Tue Feb 7 17:14:14 2017 -0200 ARM: dts: imx6sx-udoo-neo: Fix reboot hang commit 12aff99723901bcc0e2a6a34343a4f62c371fdd9 upstream. After issuing a 'reboot' command the imx6sx-udoo-neo board does not reboot as expected and it just hangs instead. In mainline kernel only LDO enabled mode is supported. Do not provide arm-supply/soc-supply nodes in the device tree, so that the board operates in LDO enabled mode and can then successfully reboot via watchdog. Fixes: 76e691fc7653b85d39 ("ARM: dts: imx6sx: Add UDOO Neo support") Signed-off-by: Fabio Estevam Tested-by: Breno Lima Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 32b0a3d444197121d439cf90f8a4976e18b26753 Author: Jon Mason Date: Wed Mar 1 18:02:28 2017 -0500 ARM: dts: NSP: GPIO reboot open-source commit acfa28b3649ec07775efaac0c00de2db39d71634 upstream. The libgpio code pre-sets the GPIO values for the gpio-reset in the device tree. This results in the device being reset during bringup. To prevent this pre-setting, use the "open-source" flag in the device tree. Signed-off-by: Jon Mason Fixes: b1aaf88 ("ARM: dts: NSP: Add GPIO reboot method to bcm958625hr DTS file") Fixes: 10baed1 ("ARM: dts: NSP: Add GPIO reboot method to bcm958625xmc DTS file") Fixes: 088e3148 ("ARM: dts: NSP: Add new DT file for bcm958522er") Fixes: e3227c1 ("ARM: dts: NSP: Add new DT file for bcm958525er") Fixes: 2f8bc00 ("ARM: dts: NSP: Add new DT file for bcm958622hr") Fixes: d454c37 ("ARM: dts: NSP: Add new DT file for bcm958623hr") Fixes: f27eacf ("ARM: dts: NSP: Add new DT file for bcm988312hr") Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit 96b61a1bad475eb71a219cc48e1f17f281623ac7 Author: Arnd Bergmann Date: Thu Nov 24 17:29:18 2016 +0100 ARM: pxa: ezx: fix a910 camera data commit 67af5ebde1a4cd10e7bb663440de0773b7597c70 upstream. The camera_supply_dummy_device definition is shared between a780 and a910, but only provided when the first is enabled and fails to build for a configuration with only a910: arch/arm/mach-pxa/ezx.c:1097:3: error: 'camera_supply_dummy_device' undeclared here (not in a function) This moves the definition into its own section. Fixes: 6c1b417adc8f ("ARM: pxa: ezx: use the new pxa_camera platform_data") Signed-off-by: Arnd Bergmann Signed-off-by: Robert Jarzmik Signed-off-by: Greg Kroah-Hartman commit baebaada5f010857331fda6fbcc1e7789aa15d62 Author: Arnd Bergmann Date: Wed Jan 25 23:22:36 2017 +0100 leds: ktd2692: avoid harmless maybe-uninitialized warning commit cbe99c538d1776009e8710755bb6e726f7fffa9b upstream. gcc gets confused about the control flow in ktd2692_parse_dt(), causing it to warn about what seems like a potential bug: drivers/leds/leds-ktd2692.c: In function 'ktd2692_probe': drivers/leds/leds-ktd2692.c:244:15: error: '*((void *)&led_cfg+8)' may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/leds/leds-ktd2692.c:225:7: error: 'led_cfg.flash_max_microamp' may be used uninitialized in this function [-Werror=maybe-uninitialized] drivers/leds/leds-ktd2692.c:232:3: error: 'led_cfg.movie_max_microamp' may be used uninitialized in this function [-Werror=maybe-uninitialized] The code is fine, and slightly reworking it in an equivalent way lets gcc figure that out too, which gets rid of the warning. Fixes: 77e7915b15bb ("leds: ktd2692: Add missing of_node_put") Signed-off-by: Arnd Bergmann Acked-by: Pavel Machek Signed-off-by: Jacek Anaszewski Signed-off-by: Greg Kroah-Hartman commit 359ccd6e366711abba021dd7e0f37ea8d20f8b18 Author: Wei Yongjun Date: Sun Feb 5 15:49:40 2017 +0000 spi: armada-3700: Remove spi_master_put in a3700_spi_remove() commit e92f0051c0c65d7bee989884a233cfcd80303bdf upstream. The call to spi_master_put() in a3700_spi_remove() is redundant since the master is registered using devm_spi_register_master() and no reference hold by using spi_master_get() in a3700_spi_remove(). This is detected by Coccinelle semantic patch. Fixes: 5762ab71eb24 ("spi: Add support for Armada 3700 SPI Controller") Signed-off-by: Wei Yongjun Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0136fa36c8afd2f6aa6b6e3950b625c16404b3ef Author: Catalin Marinas Date: Fri Jan 27 10:54:12 2017 +0000 arm64: Improve detection of user/non-user mappings in set_pte(_at) commit ec663d967b2276448a416406ca59ff247c0c80c5 upstream. Commit cab15ce604e5 ("arm64: Introduce execute-only page access permissions") allowed a valid user PTE to have the PTE_USER bit clear. As a consequence, the pte_valid_not_user() macro in set_pte() was replaced with pte_valid_global() under the assumption that only user pages have the nG bit set. EFI mappings, however, also have the nG bit set and set_pte() wrongly ignores issuing the DSB+ISB. This patch reinstates the pte_valid_not_user() macro and adds the PTE_UXN bit check since all kernel mappings have this bit set. For clarity, pte_exec() is renamed to pte_user_exec() as it only checks for the absence of PTE_UXN. Consequently, the user executable check in set_pte_at() drops the pte_ng() test since pte_user_exec() is sufficient. Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions") Signed-off-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit a0435d6cdccc38ddffb008f9a1ea2216c4d98666 Author: Juri Lelli Date: Mon Feb 6 16:00:09 2017 +0000 arm64: remove wrong CONFIG_PROC_SYSCTL ifdef commit fe0a7ef74d1f65b86820a54636323df2b31e0c3f upstream. The sysfs cpu_capacity entry for each CPU has nothing to do with PROC_FS, nor it's in /proc/sys path. Remove such ifdef. Cc: Will Deacon Cc: Catalin Marinas Reported-and-suggested-by: Sudeep Holla Fixes: be8f185d8af4 ('arm64: add sysfs cpu_capacity attribute') Signed-off-by: Juri Lelli Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit e60a59f80b969a04ab1ad553095c4f62827b9dcb Author: Stephen Boyd Date: Wed Nov 9 17:13:57 2016 -0800 arm: dts: qcom: Fix ipq board clock rates commit 06dbf468a2c42bf6c327a8eaf11ecb3ea96196f9 upstream. The ipq board has these rates as 25MHz, and not 19.2 and 27. I copy/pasted from other boards that have those rates but forgot to fix the rates here. Fixes: 30fc4212d541 ("arm: dts: qcom: Add more board clocks") Signed-off-by: Stephen Boyd Signed-off-by: Andy Gross Signed-off-by: Greg Kroah-Hartman commit 3e1418c687ac9a41814aad8ffe53c2cdd59bc1e5 Author: Geert Uytterhoeven Date: Wed Jan 25 14:19:30 2017 +0100 arm64: dts: r8a7795: Mark EthernetAVB device node disabled commit 0d1390ff283f6c38595288e7f74da6829896b8b7 upstream. Device nodes representing I/O devices should be marked disabled in the SoC-specific DTS, and overridden by board-specific DTSes where needed. Fixes: a92843c8a6f8c039 ("arm64: dts: r8a7795: add EthernetAVB device node") Signed-off-by: Geert Uytterhoeven Signed-off-by: Simon Horman Signed-off-by: Greg Kroah-Hartman commit 12f072e19606dc5411648f37bac075ce2a04fabb Author: Liam Breck Date: Wed Jan 18 09:26:54 2017 -0800 power: supply: bq24190_charger: Handle fault before status on interrupt commit ba52e75718784fda1b683ee0bfded72a0b83b047 upstream. Reading both fault and status registers and logging any fault should take priority over handling status register update. Fix by moving the status handling to later in interrupt routine. Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") Signed-off-by: Liam Breck Acked-by: Mark Greer Acked-by: Tony Lindgren Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit c963edc736f7388e7f4c6e1c98e23f2388fcf289 Author: Liam Breck Date: Wed Jan 18 09:26:53 2017 -0800 power: supply: bq24190_charger: Don't read fault register outside irq_handle_thread() commit 68abfb8015832ddf728b911769659468efaf8bd9 upstream. Caching the fault register after a single I2C read may not keep an accurate value. Fix by doing two reads in irq_handle_thread() and using the cached value elsewhere. If a safety timer fault later clears itself, we apparently don't get an interrupt (INT), however other interrupts would refresh the register cache. From the data sheet: "When a fault occurs, the charger device sends out INT and keeps the fault state in REG09 until the host reads the fault register. Before the host reads REG09 and all the faults are cleared, the charger device would not send any INT upon new faults. In order to read the current fault status, the host has to read REG09 two times consecutively. The 1st reads fault register status from the last read [1] and the 2nd reads the current fault register status." [1] presumably a typo; should be "last fault" Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") Signed-off-by: Liam Breck Acked-by: Mark Greer Acked-by: Tony Lindgren Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 9e9cd6500d2c6f707acdafe4bc3aaeb78e287800 Author: Liam Breck Date: Wed Jan 18 09:26:52 2017 -0800 power: supply: bq24190_charger: Call power_supply_changed() for relevant component commit 2d9fee6a42ea170e4378b3363a7ad385d0e67281 upstream. We wrongly get uevents for bq24190-charger and bq24190-battery on every register change. Fix by checking the association with charger and battery before emitting uevent(s). Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") Signed-off-by: Liam Breck Acked-by: Mark Greer Acked-by: Tony Lindgren Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 34ba5925c01e2b08b5a97e89d2604f8526c6b8b1 Author: Liam Breck Date: Wed Jan 18 09:26:50 2017 -0800 power: supply: bq24190_charger: Install irq_handler_thread() at end of probe() commit d62acc5ef0621463446091ebd7a345e06e9ab80c upstream. The device specific data is not fully initialized on request_threaded_irq(). This may cause a crash when the IRQ handler tries to reference them. Fix the issue by installing IRQ handler at the end of the probe. Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") Signed-off-by: Liam Breck Acked-by: Mark Greer Acked-by: Tony Lindgren Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 8c94da036756c32566c2da0c5c33f519b1dbbfeb Author: Liam Breck Date: Wed Jan 18 09:26:49 2017 -0800 power: supply: bq24190_charger: Call set_mode_host() on pm_resume() commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream. pm_resume() does a register_reset() which clears charger host mode. Fix by calling set_mode_host() after the reset. Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") Signed-off-by: Liam Breck Acked-by: Mark Greer Acked-by: Tony Lindgren Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit d6ea2f1dd25903d8cb2fedcf3bd855d8c64a6d08 Author: Liam Breck Date: Wed Jan 18 09:26:48 2017 -0800 power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream. The interrupt signal is TRIGGER_FALLING. This is is specified in the data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us pulse to host to report charger device status and fault." Also the direction can be seen in the data sheet Figure 37 "BQ24190 with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k pull-up resistor installed for the sample configurations. Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") Signed-off-by: Liam Breck Acked-by: Mark Greer Acked-by: Tony Lindgren Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit b7634bdbb695f770c1d0705e9242c39cc9b3ac67 Author: Alexander Shishkin Date: Fri Jan 27 17:16:43 2017 +0200 perf/x86/intel/pt: Add format strings for PTWRITE and power event tracing commit 5443624bedd0d23e112d5f2a919435182875bce9 upstream. Commit: 8ee83b2ab3 ("perf/x86/intel/pt: Add support for PTWRITE and power event tracing") forgot to add format strings to the PT driver. So one could enable these features by setting corresponding bits in the event config, but not by their mnemonic names. This patch adds the format strings. Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Borislav Petkov Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: vince@deater.net Fixes: 8ee83b2ab3 ("perf/x86/intel/pt: Add support for PTWRITE...") Link: http://lkml.kernel.org/r/20170127151644.8585-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ce6f9a237a6cbe94f38691c13d73d71776c2be6e Author: Andrew Donnellan Date: Tue Dec 6 17:27:59 2016 +1100 powerpc: Correctly disable latent entropy GCC plugin on prom_init.o commit eac6f8b0c7adb003776dbad9d037ee2fc64f9d62 upstream. Commit 38addce8b600 ("gcc-plugins: Add latent_entropy plugin") excludes certain powerpc early boot code from the latent entropy plugin by adding appropriate CFLAGS. It looks like this was supposed to cover prom_init.o, but ended up saying init.o (which doesn't exist) instead. Fix the typo. Fixes: 38addce8b600 ("gcc-plugins: Add latent_entropy plugin") Signed-off-by: Andrew Donnellan Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 803969dd92f1c42d474f1a485f00f3c356a47085 Author: Anton Blanchard Date: Fri Feb 10 12:16:59 2017 +1100 powerpc/ftrace: Fix confusing help text for DISABLE_MPROFILE_KERNEL commit 496e9cb5b2aa2ba303d2bbd08518f9be2219ab4b upstream. The final paragraph of the help text is reversed. We want to enable this option by default, and disable it if the toolchain has a working -mprofile-kernel. Fixes: 8c50b72a3b4f ("powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel") Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit d0addb34980a9ba2524a2288c17baa15c4473ffe Author: Michael Ellerman Date: Tue Feb 14 13:44:05 2017 +1100 powerpc/mm: Fix build break when CMA=n && SPAPR_TCE_IOMMU=y commit a05ef161cdd22faccffe06f21fc8f1e249565385 upstream. Currently the build breaks if CMA=n and SPAPR_TCE_IOMMU=y: arch/powerpc/mm/mmu_context_iommu.c: In function ‘mm_iommu_get’: arch/powerpc/mm/mmu_context_iommu.c:193:42: error: ‘MIGRATE_CMA’ undeclared (first use in this function) if (get_pageblock_migratetype(page) == MIGRATE_CMA) { ^~~~~~~~~~~ Fix it by using the existing is_migrate_cma_page(), which evaulates to false when CMA=n. Fixes: 2e5bbb5461f1 ("KVM: PPC: Book3S HV: Migrate pinned pages out of CMA") Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 690bba9d641a965fecdbb7b9392dce01e6f209b6 Author: Michael Ellerman Date: Tue Feb 7 21:01:01 2017 +1100 powerpc/powernv: Fix opal_exit tracepoint opcode commit a7e0fb6c2029a780444d09560f739e020d54fe4d upstream. Currently the opal_exit tracepoint usually shows the opcode as 0: -0 [047] d.h. 635.654292: opal_entry: opcode=63 -0 [047] d.h. 635.654296: opal_exit: opcode=0 retval=0 kopald-1209 [019] d... 636.420943: opal_entry: opcode=10 kopald-1209 [019] d... 636.420959: opal_exit: opcode=0 retval=0 This is because we incorrectly load the opcode into r0 before calling __trace_opal_exit(), whereas it expects the opcode in r3 (first function parameter). In fact we are leaving the retval in r3, so opcode and retval will always show the same value. Instead load the opcode into r3, resulting in: -0 [040] d.h. 636.618625: opal_entry: opcode=63 -0 [040] d.h. 636.618627: opal_exit: opcode=63 retval=0 Fixes: c49f63530bb6 ("powernv: Add OPAL tracepoints") Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 3ead745aef02e0e6c0fd6fd5ec1d9b9c21666298 Author: Aneesh Kumar K.V Date: Thu Dec 8 09:12:13 2016 +0530 powerpc/mm: Fixup wrong LPCR_VRMASD value commit 4ab2537c4204b976e4ca350bbdc193b4649cad28 upstream. In commit a4b349540a26af ("powerpc/mm: Cleanup LPCR defines") we updated LPCR_VRMASD wrongly as below. -#define LPCR_VRMASD (0x1ful << (63-16)) +#define LPCR_VRMASD_SH 47 +#define LPCR_VRMASD (ASM_CONST(1) << LPCR_VRMASD_SH) We initialize the VRMA bits in LPCR to 0x00 in kvm. Hence using a different mask value as above while updating lpcr should not have any impact. This patch updates it to the correct value. Fixes: a4b349540a26 ("powerpc/mm: Cleanup LPCR defines") Reported-by: Ram Pai Signed-off-by: Aneesh Kumar K.V Signed-off-by: Jia He Acked-by: Paul Mackerras Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 72cd64df59f3726fc937e1f69a3d6c9a9bb1d1b6 Author: Madhavan Srinivasan Date: Mon Feb 13 17:02:54 2017 +0530 powerpc/perf: Avoid FAB_*_MATCH checks for power9 commit 78a16d9fc1206e1a484b6ac96348756f3846bfea upstream. Since power9 does not support FAB_*_MATCH bits in MMCR1, avoid these checks for power9. For this, patch factor out code in isa207_get_constraint() to retain these checks only for power8. Patch also updates the comment in power9-pmu raw event encode layout to remove FAB_*_MATCH. Finally for power9, patch adds additional check for threshold events when adding the thresh mask and value in isa207_get_constraint(). fixes: 7ffd948fae4c ('powerpc/perf: factor out power8 pmu functions') fixes: 18201b204286 ('powerpc/perf: power9 raw event format encoding') Signed-off-by: Ravi Bangoria Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 8c34e65205b7a0fdabfc954b1f26890900092e3b Author: Madhavan Srinivasan Date: Mon Feb 20 19:29:03 2017 +0530 powerpc/perf: Handle sdar_mode for marked event in power9 commit 78b4416aa249365dd3c1b64da4d3a232014320b0 upstream. MMCRA[SDAR_MODE] specifices how the SDAR should be updated in continous sampling mode. On P9 it must be set to 0b00 when MMCRA[63] is set. Fixes: c7c3f568beff2 ('powerpc/perf: macros for power9 format encoding') Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit d2264474c9c2582fafcd5836dd80b83c95b04e1d Author: Madhavan Srinivasan Date: Mon Feb 20 19:26:30 2017 +0530 powerpc/perf: Fix perf_get_data_addr() for power9 DD1 commit f04d108029063a8a67528a88449c412aecf4d3d8 upstream. Power9 DD1 do not support PMU_HAS_SIER flag and sdsync in perf_get_data_addr() defaults to MMCRA_SDSYNC which is wrong. Since power9 MMCRA does not support SDSYNC bit, patch includes PPMU_NO_SIAR flag to the check and set the sdsync with MMCRA_SAMPLE_ENABLE; Fixes: 27593d72c4ad ("powerpc/perf: Use MSR to report privilege level on P9 DD1") Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 0587b73378b2f58f4af12a330c8894889ad8b987 Author: Ben Hutchings Date: Tue Apr 11 00:29:44 2017 +0100 cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores commit 4cca0457686e4ee1677d69469e4ddfd94d389a80 upstream. The switch that conditionally sets CPUPOWER_CAP_HAS_TURBO_RATIO and CPUPOWER_CAP_IS_SNB flags is missing a break, so all cores get both flags set and an assumed base clock of 100 MHz for turbo values. Reported-by: GSR Tested-by: GSR References: https://bugs.debian.org/859978 Fixes: 8fb2e440b223 (cpupower: Show Intel turbo ratio support via ...) Signed-off-by: Ben Hutchings Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit bfa87eca09cec1c87e3f5b8f81843e4e650e492c Author: Giedrius Statkevičius Date: Sat Mar 25 18:00:49 2017 +0200 power: supply: lp8788: prevent out of bounds array access commit bdd9968d35f7fcdb76089347d1529bf079534214 upstream. val might become 7 in which case stime[7] (array of length 7) would be accessed during the scnprintf call later and that will cause issues. Obviously, string concatenation is not intended here so just a comma needs to be added to fix the issue. Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver") Signed-off-by: Giedrius Statkevičius Acked-by: Milo Kim Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 8a4963a051180e00906cc6d528929bc283fc58ce Author: Horia Geantă Date: Fri Feb 10 14:07:21 2017 +0200 crypto: caam - don't dma_map key for hash algorithms commit cfb725f6d3d31355fa4510da7d7bdce807045b42 upstream. Shared descriptors for hash algorithms are small enough for (split) keys to be inlined in all cases. Since driver already does this, all what's left is to remove unused ctx->key_dma. Fixes: 045e36780f115 ("crypto: caam - ahash hmac support") Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 3e871381811a3fffd4a9befc6c41a5f7c3ce0525 Author: Horia Geantă Date: Fri Feb 10 14:07:23 2017 +0200 crypto: caam - fix error path for ctx_dma mapping failure commit 87ec02e7409d787348c244039aa3536a812dfa8b upstream. In case ctx_dma dma mapping fails, ahash_unmap_ctx() tries to dma unmap an invalid address: map_seq_out_ptr_ctx() / ctx_map_to_sec4_sg() -> goto unmap_ctx -> -> ahash_unmap_ctx() -> dma unmap ctx_dma There is also possible to reach ahash_unmap_ctx() with ctx_dma uninitialzed or to try to unmap the same address twice. Fix these by setting ctx_dma = 0 where needed: -initialize ctx_dma in ahash_init() -clear ctx_dma in case of mapping error (instead of holding the error code returned by the dma map function) -clear ctx_dma after each unmapping Fixes: 32686d34f8fb6 ("crypto: caam - ensure that we clean up after an error") Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 93bb6661baf0467dc9db2d2a8ef6cf92131977b6 Author: Winkler, Tomas Date: Wed Nov 23 12:04:13 2016 +0200 tmp: use pdev for parent device in tpm_chip_alloc commit 2998b02b2fb58f36ccbc318b00513174e9947d8e upstream. The tpm stack uses pdev name convention for the parent device. Fix that also in tpm_chip_alloc(). Fixes: 3897cd9c8d1d ("tpm: Split out the devm stuff from tpmm_chip_alloc")' Signed-off-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit c6131528430987246a2bc3f4244b2e001493cfd3 Author: Jarkko Sakkinen Date: Wed Jan 25 23:00:22 2017 +0200 tpm: fix RC value check in tpm2_seal_trusted commit 7d761119a914ec0ac05ec2a5378d1f86e680967d upstream. The error code handling is broken as any error code that has the same bits set as TPM_RC_HASH passes. Implemented tpm2_rc_value() helper to parse the error value from FMT0 and FMT1 error codes so that these types of mistakes are prevented in the future. Fixes: 5ca4c20cfd37 ("keys, trusted: select hash algorithm for TPM2 chips") Signed-off-by: Jarkko Sakkinen Reviewed-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit c5f7ba5f591162e9ce585d76c3ad415751989edd Author: Jean Delvare Date: Mon Jan 9 11:58:14 2017 +0100 mtd: nand: Add OX820 NAND hardware dependency commit de0b34455afd1204a3644c9eb25b0b3b0aeb2fe9 upstream. The oxnas NAND driver is only needed for a specific platform, do not propose it on other platforms unless build-testing. Signed-off-by: Jean Delvare Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Cc: Rob Herring Cc: Neil Armstrong Cc: Boris Brezillon Cc: Richard Weinberger Cc: David Woodhouse Cc: Brian Norris Cc: Marek Vasut Cc: Cyrille Pitchen Acked-by: Marek Vasut Acked-by: Neil Armstrong Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit 2586f8f02455a9d8316658fd80cc96ade7048af9 Author: Guenter Roeck Date: Wed Feb 8 14:05:56 2017 -0800 hwmon: (it87) Fix pwm4 detection for IT8620 and IT8628 commit d66777caa57ffade6061782f3a4d4056f0b0c1ac upstream. pwm4 is enabled if bit 2 of GPIO control register 4 is disabled, not when it is enabled. Since the check is for the skip condition, it is reversed. This applies to both IT8620 and IT8628. Fixes: 36c4d98a7883d ("hwmon: (it87) Add support for all pwm channels ...") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 5e7b84228b518ef91a3c58f4a433820c69e6874d Author: Vincent Abriou Date: Thu Mar 23 15:44:52 2017 +0100 drm/sti: fix GDP size to support up to UHD resolution commit 2f410f88c0a1c7e19762918d2614f506a7b63a82 upstream. On stih407-410 chip family the GDP layers are able to support up to UHD resolution (3840 x 2160). Signed-off-by: Vincent Abriou Acked-by: Lee Jones Tested-by: Lee Jones Link: http://patchwork.freedesktop.org/patch/msgid/1490280292-30466-1-git-send-email-vincent.abriou@st.com Signed-off-by: Greg Kroah-Hartman commit 206472df12f1044909c6377831c15adf99e0c989 Author: Cong Wang Date: Wed Feb 22 15:40:53 2017 -0800 9p: fix a potential acl leak commit b5c66bab72a6a65edb15beb60b90d3cb84c5763b upstream. posix_acl_update_mode() could possibly clear 'acl', if so we leak the memory pointed by 'acl'. Save this pointer before calling posix_acl_update_mode() and release the memory if 'acl' really gets cleared. Link: http://lkml.kernel.org/r/1486678332-2430-1-git-send-email-xiyou.wangcong@gmail.com Signed-off-by: Cong Wang Reported-by: Mark Salyzyn Reviewed-by: Jan Kara Reviewed-by: Greg Kurz Cc: Eric Van Hensbergen Cc: Ron Minnich Cc: Latchesar Ionkov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman