ti-linux-kernel/ti-linux-kernel-next.git
18 months agoMerged TI feature vigneshr_next into ti-linux-4.19.y-next ti-linux-4.19.y-next-20191025
LCPD Auto Merger [Fri, 25 Oct 2019 07:25:11 +0000 (02:25 -0500)]
Merged TI feature vigneshr_next into ti-linux-4.19.y-next

TI-Feature: vigneshr_next
TI-Tree: git://git.ti.com/~vigneshr/ti-linux-kernel/vigneshr-ti-linux-kernel.git
TI-Branch: ti-linux-4.19.y-for-next

* 'ti-linux-4.19.y-for-next' of git://git.ti.com/~vigneshr/ti-linux-kernel/vigneshr-ti-linux-kernel:
  serial: 8250: 8250_omap: Remove redundant call to omap_8250_rx_dma_flush
  serial: 8250: 8250_omap: Fix DMA teardown sequence during RX timeout

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerged TI feature kishon_next into ti-linux-4.19.y-next
LCPD Auto Merger [Fri, 25 Oct 2019 07:25:09 +0000 (02:25 -0500)]
Merged TI feature kishon_next into ti-linux-4.19.y-next

TI-Feature: kishon_next
TI-Tree: git://git.ti.com/linux-phy/kishons-ti-linux-kernel.git
TI-Branch: ti-linux-4.19.y-for-next

* 'ti-linux-4.19.y-for-next' of git://git.ti.com/linux-phy/kishons-ti-linux-kernel:
  PCI: keystone: Fix outbound ATU configuration
  PCI: keystone: Fix ks_pcie_stop_link() from incorrectly setting LTSSM EN

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerged TI feature rpmsg_next into ti-linux-4.19.y-next
LCPD Auto Merger [Fri, 25 Oct 2019 07:25:06 +0000 (02:25 -0500)]
Merged TI feature rpmsg_next into ti-linux-4.19.y-next

TI-Feature: rpmsg_next
TI-Tree: git://git.ti.com/rpmsg/rpmsg.git
TI-Branch: rpmsg-ti-linux-4.19.y-next

* 'rpmsg-ti-linux-4.19.y-next' of git://git.ti.com/rpmsg/rpmsg:
  soc: ti: pruss: update pruss_get() to retrieve a PRUSS id
  soc: ti: pruss: store the pruss instance id
  ARM: dts: am571x-idk: Provide support for early-booted IPU1 & IPU2
  ARM: dts: am572x-idk-common: Provide support for early-booted IPU1 & IPU2
  ARM: dts: beagle-x15-common: Provide support for early-booted IPU1 & IPU2
  ARM: dts: dra71-evm: Provide support for early-booted IPU1 & IPU2
  ARM: dts: dra72-evms: Provide support for early-booted IPU1 & IPU2
  ARM: dts: dra76-evm: Provide support for early-booted IPU1 & IPU2
  ARM: dts: dra7-evm: Provide support for early-booted IPU1 & IPU2

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerged TI feature connectivity_next into ti-linux-4.19.y-next
LCPD Auto Merger [Fri, 25 Oct 2019 07:25:05 +0000 (02:25 -0500)]
Merged TI feature connectivity_next into ti-linux-4.19.y-next

TI-Feature: connectivity_next
TI-Tree: ssh://git@bitbucket.itg.ti.com/~a0875516/ti-linux-kernel.git
TI-Branch: connectivity-next

* 'connectivity-next' of ssh://bitbucket.itg.ti.com/~a0875516/ti-linux-kernel:
  mmc: cqhci: commit descriptors before setting the doorbell
  ntb: ntb_hw_epf: Error out from probe() for bridge devices
  mmc: sdhci-omap: Fix Tuning procedure for temperatures < 20C
  PCI: endpoint: pci-epf-ntb: Set error status on command failure
  NTB: ntb_hw_epf: Decode error command status
  PCI: dwc: pci-dra7xx: Use devm_ioremap_resource() to get virtual address
  PCI: endpoint: pci-epf-ntb: Fix possible Out of Bound Array Access
  PCI: cadence: Explicitly cast pointer returned by phys_to_virt() to __iomem
  PCI: keystone: Fix outbound ATU configuration
  PCI: keystone: Fix ks_pcie_stop_link() from incorrectly setting LTSSM EN

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerged TI feature platform_next into ti-linux-4.19.y-next
LCPD Auto Merger [Fri, 25 Oct 2019 07:24:54 +0000 (02:24 -0500)]
Merged TI feature platform_next into ti-linux-4.19.y-next

TI-Feature: platform_next
TI-Tree: ssh://git@bitbucket.itg.ti.com/lcpdpublicdom/platform.git
TI-Branch: platform-ti-linux-4.19.y-next

* 'platform-ti-linux-4.19.y-next' of ssh://bitbucket.itg.ti.com/lcpdpublicdom/platform:
  ti_config_fragments: v8_baseport: Enable watchdog
  arm64: dts: ti: k3-j721e-main: Add MAIN domain watchdog entries
  watchdog: Add K3 RTI watchdog support
  dt-bindings: watchdog: Add support for TI K3 RTI watchdog
  watchdog: add support for resetting keepalive timers at start

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerged TI feature linux-stable-4.19-rc into ti-linux-4.19.y-next
LCPD Auto Merger [Fri, 25 Oct 2019 07:24:51 +0000 (02:24 -0500)]
Merged TI feature linux-stable-4.19-rc into ti-linux-4.19.y-next

TI-Feature: linux-stable-4.19-rc
TI-Tree: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
TI-Branch: linux-4.19.y

* 'linux-4.19.y' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc: (82 commits)
  Linux 4.19.80-rc1
  perf/hw_breakpoint: Fix arch_hw_breakpoint use-before-initialization
  PCI: vmd: Fix config addressing when using bus offsets
  x86/asm: Fix MWAITX C-state hint value
  hwmon: Fix HWMON_P_MIN_ALARM mask
  tracing: Get trace_array reference for available_tracers files
  ftrace: Get a reference counter for the trace_array on filter files
  tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency
  tracing/hwlat: Report total time spent in all NMIs during the sample
  arm64/sve: Fix wrong free for task->thread.sve_state
  media: stkwebcam: fix runtime PM after driver unbind
  Fix the locking in dcache_readdir() and friends
  arm64: topology: Use PPTT to determine if PE is a thread
  ACPI/PPTT: Add support for ACPI 6.3 thread flag
  ACPICA: ACPI 6.3: PPTT add additional fields in Processor Structure Flags
  MIPS: elf_hwcap: Export userspace ASEs
  MIPS: Disable Loongson MMI instructions for kernel build
  NFS: Fix O_DIRECT accounting of number of bytes read/written
  btrfs: fix uninitialized ret in ref-verify
  btrfs: fix incorrect updating of log root tree
  ...

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoti_config_fragments: v8_baseport: Enable watchdog
Tero Kristo [Thu, 26 Sep 2019 12:20:25 +0000 (15:20 +0300)]
ti_config_fragments: v8_baseport: Enable watchdog

Enable RTI watchdog support for K3 SoCs.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
18 months agoarm64: dts: ti: k3-j721e-main: Add MAIN domain watchdog entries
Tero Kristo [Thu, 26 Sep 2019 12:20:24 +0000 (15:20 +0300)]
arm64: dts: ti: k3-j721e-main: Add MAIN domain watchdog entries

Add DT entries for main domain watchdog0 and 1 instances.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
18 months agowatchdog: Add K3 RTI watchdog support
Tero Kristo [Thu, 26 Sep 2019 12:20:23 +0000 (15:20 +0300)]
watchdog: Add K3 RTI watchdog support

Texas Instruments K3 SoCs contain an RTI (Real Time Interrupt) module
which can be used as a watchdog. This IP provides a support for
windowed watchdog mode, in which the watchdog must be petted within
a certain time window. If it is petted either too soon, or too late,
a watchdog error will be triggered.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
18 months agodt-bindings: watchdog: Add support for TI K3 RTI watchdog
Tero Kristo [Thu, 26 Sep 2019 12:20:22 +0000 (15:20 +0300)]
dt-bindings: watchdog: Add support for TI K3 RTI watchdog

TI K3 SoCs contain an RTI (Real Time Interrupt) module which can be
used to implement a windowed watchdog functionality.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
18 months agowatchdog: add support for resetting keepalive timers at start
Tero Kristo [Thu, 26 Sep 2019 12:20:21 +0000 (15:20 +0300)]
watchdog: add support for resetting keepalive timers at start

Current watchdog core pets the timer always after the initial keepalive
time has expired from boot-up. This is incorrect for certain timers that
don't like to be petted immediately when they are started, if they have
not been running over the boot.

To allow drivers to reset their keepalive timers during startup, add
a new watchdog flag to the api, WDOG_RESET_KEEPALIVE.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
18 months agoMerged TI feature audio-display into ti-linux-4.19.y
LCPD Auto Merger [Thu, 24 Oct 2019 11:35:48 +0000 (06:35 -0500)]
Merged TI feature audio-display into ti-linux-4.19.y

TI-Feature: audio-display
TI-Branch: audio_display-ti-linux-4.19.y

* 'audio_display-ti-linux-4.19.y' of ssh://bitbucket.itg.ti.com/lcpdpublicdom/audio-display:
  drm/bridge: tc358767: fix max_tu_symbol value
  drm/tidss: fix probe-time memleak
  drm/tidss: remove empty function

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerge branch 'ti/4.19-pull-2' of https://bitbucket.itg.ti.com/scm/~a0400822/linux...
Jyri Sarha [Thu, 24 Oct 2019 06:01:57 +0000 (09:01 +0300)]
Merge branch 'ti/4.19-pull-2' of https://bitbucket.itg.ti.com/scm/~a0400822/linux into audio_display-ti-linux-4.19.y

Display patches for .05, part 2

* 'ti/4.19-pull-2' of https://bitbucket.itg.ti.com/scm/~a0400822/linux:
  drm/bridge: tc358767: fix max_tu_symbol value
  drm/tidss: fix probe-time memleak
  drm/tidss: remove empty function

18 months agoMerged TI feature audio-display into ti-linux-4.19.y
LCPD Auto Merger [Wed, 23 Oct 2019 22:55:12 +0000 (17:55 -0500)]
Merged TI feature audio-display into ti-linux-4.19.y

TI-Feature: audio-display
TI-Branch: audio_display-ti-linux-4.19.y

* 'audio_display-ti-linux-4.19.y' of ssh://bitbucket.itg.ti.com/lcpdpublicdom/audio-display: (29 commits)
  drm/tidss: dispc7: Change all const static to static const to silence W=1
  drm/tidss: dispc7: Fix W=1 warnings from dispc6_vp_mode_valid()
  drm/tidss: dispc6: Remove unsused fir coefs to fix W=1 warnings
  drm/tidss: dispc6: Fix W=1 warnings from dispc6_vp_mode_valid()
  drm/tidss: scale_coefs: Remove unused coefs_null to silence W=1
  drm/tidss: WB: fix error reporting in tidss_wb_init
  drm/tidss: WB: remove unnecessary kernel trace
  media: i2c: ov5640: fix potential null pointer dereference
  drm/tidss: dispc7: Drop redundant and uneeded max_pclk and min_pclk
  drm/tidss: dispc7: Implement VP bus format specific limits
  drm/tidss: dispc7: More explicit enum and struct member name
  drm/tidss: dispc7: Ensure output width is divisible by 2
  drm/bridge: cdns-mhdp: Check link status if HPD interrupt is received
  drm/bridge: cdns-mhdp: Protect firmware mailbox messaging with mutex
  drm/bridge: cdns-mhdp: Add missing resource deallocations
  drm/bridge: cdns-mhdp: Print error if DP link BW isn't enough for mode
  drm/bridge: cdns-mhdp: Add simple mode_valid()
  drm/bridge: sii902x: fix missing static
  drm/omap: hdmi4: fix use of uninitialized var
  drm/tidss: cleanup dma related settings
  ...

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerged TI feature rpmsg into ti-linux-4.19.y
LCPD Auto Merger [Wed, 23 Oct 2019 20:38:53 +0000 (15:38 -0500)]
Merged TI feature rpmsg into ti-linux-4.19.y

TI-Feature: rpmsg
TI-Branch: rpmsg-ti-linux-4.19.y-intg

* 'rpmsg-ti-linux-4.19.y-intg' of git://git.ti.com/rpmsg/rpmsg:
  remoteproc/k3-r5: initialize TCM memories for ECC

Signed-off-by: LCPD Auto Merger <lcpd_integration@list.ti.com>
18 months agoMerge tag 'v4.19.79' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux...
Dan Murphy [Wed, 23 Oct 2019 17:14:19 +0000 (12:14 -0500)]
Merge tag 'v4.19.79' of git./linux/kernel/git/stable/linux-stable into ti-linux-4.19.y

This is the 4.19.79 stable release

* tag 'v4.19.79' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (627 commits)
  Linux 4.19.79
  nl80211: validate beacon head
  cfg80211: Use const more consistently in for_each_element macros
  cfg80211: add and use strongly typed element iteration macros
  staging: erofs: detect potential multiref due to corrupted images
  staging: erofs: add two missing erofs_workgroup_put for corrupted images
  staging: erofs: some compressed cluster should be submitted for corrupted images
  staging: erofs: fix an error handling in erofs_readdir()
  coresight: etm4x: Use explicit barriers on enable/disable
  vfs: Fix EOVERFLOW testing in put_compat_statfs64
  arm64/speculation: Support 'mitigations=' cmdline option
  arm64: Use firmware to detect CPUs that are not affected by Spectre-v2
  arm64: Force SSBS on context switch
  arm64: ssbs: Don't treat CPUs with SSBS as unaffected by SSB
  arm64: add sysfs vulnerability show for speculative store bypass
  arm64: add sysfs vulnerability show for spectre-v2
  arm64: Always enable spectre-v2 vulnerability detection
  arm64: Advertise mitigation of Spectre-v2, or lack thereof
  arm64: Provide a command line to disable spectre_v2 mitigation
  arm64: Always enable ssb vulnerability detection
  ...

Signed-off-by: Dan Murphy <dmurphy@ti.com>
18 months agommc: cqhci: commit descriptors before setting the doorbell
Faiz Abbas [Fri, 18 Oct 2019 07:58:12 +0000 (13:28 +0530)]
mmc: cqhci: commit descriptors before setting the doorbell

Add a write memory barrier to make sure that descriptors are actually
written to memory before ringing the doorbell.

Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agontb: ntb_hw_epf: Error out from probe() for bridge devices
Kishon Vijay Abraham I [Tue, 15 Oct 2019 05:33:06 +0000 (11:03 +0530)]
ntb: ntb_hw_epf: Error out from probe() for bridge devices

ntb_hw_epf should be probed only for endpoints configured with
pci-epf-ntb function driver. Controllers that can be configured
both as RC and EP have the same vendor id/device id for both EP
and RC making ntb_epf_pci_probe() invoked for host bridge. Error
out from probe() for bridge devices so that unnecessary warnings
are not seen.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agommc: sdhci-omap: Fix Tuning procedure for temperatures < 20C
Faiz Abbas [Tue, 15 Oct 2019 13:01:35 +0000 (18:31 +0530)]
mmc: sdhci-omap: Fix Tuning procedure for temperatures < 20C

According to the App note[1] detailing the tuning algorithm, for
temperatures < 20C, the initial tuning value should be as min(largest
value in LPW - 24, ceil(13/16 ratio of LPW)). The largest value in LPW is
max_len - 1 and not max_len itself. Fix this implementation.

[1] http://www.ti.com/lit/an/spraca9b/spraca9b.pdf

Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agoPCI: endpoint: pci-epf-ntb: Set error status on command failure
Kishon Vijay Abraham I [Thu, 10 Oct 2019 11:15:05 +0000 (16:45 +0530)]
PCI: endpoint: pci-epf-ntb: Set error status on command failure

pci-epf-ntb supports 3 commands: command to configure doorbell,
command to configure memory window and command to indicate link up.
These commands are given to the endpoint by the host. All of these
commands can fail in the endpoint. However there is no mechanism for
the endpoint to indicate the failure to the host. Add a new bit in the
STATUS register to indicate any error in command processing to the host.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agoNTB: ntb_hw_epf: Decode error command status
Kishon Vijay Abraham I [Wed, 9 Oct 2019 09:49:47 +0000 (15:19 +0530)]
NTB: ntb_hw_epf: Decode error command status

ntb_epf_send_command() only checks if COMMAND_STATUS_OK is set or
not. However the endpoint can also set an error if the command failed.
Add a new status bit for command error and decode error in commands
status here.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agoPCI: dwc: pci-dra7xx: Use devm_ioremap_resource() to get virtual address
Kishon Vijay Abraham I [Wed, 9 Oct 2019 09:49:46 +0000 (15:19 +0530)]
PCI: dwc: pci-dra7xx: Use devm_ioremap_resource() to get virtual address

devm_ioremap_resource() performs all the basic error checks which
should otherwise be done in the peripheral driver. Use
devm_ioremap_resource() instead of devm_ioremap_nocache() here.

This was reported by Klokworks
Pointer 'res' returned from call to function 'platform_get_resource_byname' at line 731 may be NULL and will be dereferenced at line 732.
  * pci-dra7xx.c:731: 'res' is assigned the return value from function 'platform_get_resource_byname'.
    * platform.c:193: 'platform_get_resource_byname' explicitly returns a NULL value.
  * pci-dra7xx.c:732: 'res' is dereferenced by passing argument 1 to function 'resource_size'.
    * ioport.h:196: 'res' is passed to function 'resource_size'.
    * ioport.h:198: 'res' is explicitly dereferenced.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agoPCI: endpoint: pci-epf-ntb: Fix possible Out of Bound Array Access
Kishon Vijay Abraham I [Wed, 9 Oct 2019 09:49:45 +0000 (15:19 +0530)]
PCI: endpoint: pci-epf-ntb: Fix possible Out of Bound Array Access

struct epf_ntb_ctrl has db_data structure member which is an array of
length 32. epf_ntb_configure_db() can be passed a db_count value which
is more than 32 that can cause an Out of Bound Array Access.

This was reported by Klokworks
Array 'peer_ctrl->db_data' of size 32 may use index value(s) 0..USHRT_MAX-1
  * pci-epf-ntb.c:213: 'db_count' is passed as argument '$3' to function 'epf_ntb_configure_db'.
  * pci-epf-ntb.c:213: Index value(s) 0..USHRT_MAX-1 may be used to access array of size 32 while calling 'epf_ntb_configure_db'.
    * pci-epf-ntb.c:213: Result of expression '$3+(-1)' is [0,65534].
      * pci-epf-ntb.c:213: Function argument '$3' is [1,65535].
    * pci-epf-ntb.c:213: Value(s) [0,65534] is used as violation index in function 'epf_ntb_configure_db'.
      * pci-epf-ntb.c:180: Array 'peer_ctrl->db_data' of size 32 is used.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
18 months agoMerge branch 'audio_display-ti-linux-2019.05' into audio_display-ti-linux-4.19.y
Jyri Sarha [Wed, 23 Oct 2019 11:52:47 +0000 (14:52 +0300)]
Merge branch 'audio_display-ti-linux-2019.05' into audio_display-ti-linux-4.19.y

* audio_display-ti-linux-2019.05: (29 commits)
  drm/tidss: dispc7: Change all const static to static const to silence W=1
  drm/tidss: dispc7: Fix W=1 warnings from dispc6_vp_mode_valid()
  drm/tidss: dispc6: Remove unsused fir coefs to fix W=1 warnings
  drm/tidss: dispc6: Fix W=1 warnings from dispc6_vp_mode_valid()
  drm/tidss: scale_coefs: Remove unused coefs_null to silence W=1
  drm/tidss: WB: fix error reporting in tidss_wb_init
  drm/tidss: WB: remove unnecessary kernel trace
  media: i2c: ov5640: fix potential null pointer dereference
  drm/tidss: dispc7: Drop redundant and uneeded max_pclk and min_pclk
  drm/tidss: dispc7: Implement VP bus format specific limits
  drm/tidss: dispc7: More explicit enum and struct member name
  drm/tidss: dispc7: Ensure output width is divisible by 2
  drm/bridge: cdns-mhdp: Check link status if HPD interrupt is received
  drm/bridge: cdns-mhdp: Protect firmware mailbox messaging with mutex
  drm/bridge: cdns-mhdp: Add missing resource deallocations
  drm/bridge: cdns-mhdp: Print error if DP link BW isn't enough for mode
  drm/bridge: cdns-mhdp: Add simple mode_valid()
  drm/bridge: sii902x: fix missing static
  drm/omap: hdmi4: fix use of uninitialized var
  drm/tidss: cleanup dma related settings
  ...

18 months agodrm/bridge: tc358767: fix max_tu_symbol value
Tomi Valkeinen [Tue, 24 Sep 2019 13:17:02 +0000 (16:17 +0300)]
drm/bridge: tc358767: fix max_tu_symbol value

max_tu_symbol was programmed to TU_SIZE_RECOMMENDED - 1, which is not
what the spec says. The spec says:

roundup ((input active video bandwidth in bytes/output active video
bandwidth in bytes) * tu_size)

It is not quite clear what the above means, but calculating
max_tu_symbol = (input Bps / output Bps) * tu_size seems to work and
fixes the issues seen.

This fixes artifacts in some videomodes (e.g. 1024x768@60 on 2-lanes &
1.62Gbps was pretty bad for me).

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Tested-by: Jyri Sarha <jsarha@ti.com>
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190924131702.9988-1-tomi.valkeinen@ti.com
18 months agodrm/tidss: fix probe-time memleak
Tomi Valkeinen [Mon, 21 Oct 2019 11:59:16 +0000 (14:59 +0300)]
drm/tidss: fix probe-time memleak

If tidss_modeset_init fails, which happens easily due to deferred
probing, drm_mode_config_cleanup() is not called and we leak lots of DRM
objects.

Fix this by adding the proper error handling, and for consistency, add
tidss_modeset_cleanup() which is the mirror for tidss_modeset_init().

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
18 months agodrm/tidss: remove empty function
Tomi Valkeinen [Mon, 21 Oct 2019 11:47:22 +0000 (14:47 +0300)]
drm/tidss: remove empty function

tidss_modeset_init_properties() is empty, and called during modeset
init. Drop the useless function.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
18 months agoMerge branch 'topic/4.19/dra7-late-attach' of git://git.ti.com/rpmsg/remoteproc into...
Dave Gerlach [Fri, 18 Oct 2019 21:35:40 +0000 (16:35 -0500)]
Merge branch 'topic/4.19/dra7-late-attach' of git://git.ti.com/rpmsg/remoteproc into rpmsg-ti-linux-4.19.y-next

Signed-off-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
18 months agosoc: ti: pruss: update pruss_get() to retrieve a PRUSS id
Suman Anna [Mon, 17 Jun 2019 21:15:41 +0000 (16:15 -0500)]
soc: ti: pruss: update pruss_get() to retrieve a PRUSS id

Update the pruss_get() function to take in an additional integer
pointer argument in which the PRUSS instance id is filled in and
provided back to the callers. This allows the drivers to add some
instance-specific logic/customization in their code, as the PRUSS
handle is not useful to build this logic.

The already existing usage within both the regular PRU Ethernet
and the ICSSG PRU Ethernet drivers have also been updated accordingly,
and this will cater to its need for supporting switching between
different Ethernet protocols dynamically per instance. The invocation
within the PRU Soft UART driver and PRU PWM drivers have also been
updated, with these drivers not needing the PRUSS instance id at present.

Signed-off-by: Suman Anna <s-anna@ti.com>
18 months agosoc: ti: pruss: store the pruss instance id
Suman Anna [Thu, 2 May 2019 22:18:05 +0000 (17:18 -0500)]
soc: ti: pruss: store the pruss instance id

Add logic to the PRUSS platform driver to store the instance id
of a PRUSS instance. This is being added to enable support for
the PRU Ethernet driver to be able to switch between different
Ethernet protocols dynamically per instance.

The values for instance ids are not always zero-indexed on all
SoCs, they were chosen to match the numbering used in the TRMs.
The instance ids are computed assigned using the PRUSS memory
region base address lookup table. The base address matching
logic is not robust for long-term for newer SoCs, but is okay
for currently supported SoCs as all the addresses are unique.
This is done this way to retain the current usage of minimal
static data and to avoid having to introduce the instance
specific static data just for the instance id data.

Signed-off-by: Suman Anna <s-anna@ti.com>
18 months agoMerge branch 'topic/4.19/am65x' into ti-linux-4.19.y
Suman Anna [Tue, 8 Oct 2019 23:38:16 +0000 (18:38 -0500)]
Merge branch 'topic/4.19/am65x' into ti-linux-4.19.y

* topic/4.19/am65x:
  remoteproc/k3-r5: initialize TCM memories for ECC

Signed-off-by: Suman Anna <s-anna@ti.com>
18 months agoMerge branch 'rpmsg-ti-linux-4.19.y' of git://git.ti.com/rpmsg/rpmsg into rpmsg-ti...
Dave Gerlach [Fri, 18 Oct 2019 21:30:37 +0000 (16:30 -0500)]
Merge branch 'rpmsg-ti-linux-4.19.y' of git://git.ti.com/rpmsg/rpmsg into rpmsg-ti-linux-4.19.y-intg

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
18 months agoMerge branch 'topic/4.19/am65x' of git://git.ti.com/rpmsg/remoteproc into rpmsg-ti...
Dave Gerlach [Fri, 18 Oct 2019 21:18:19 +0000 (16:18 -0500)]
Merge branch 'topic/4.19/am65x' of git://git.ti.com/rpmsg/remoteproc into rpmsg-ti-linux-4.19.y

Pull in the am65x topic branch that includes a fix for initializing TCM
memories for ECC.

* 'topic/4.19/am65x' of git://git.ti.com/rpmsg/remoteproc:
  remoteproc/k3-r5: initialize TCM memories for ECC

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
18 months agoLinux 4.19.80-rc1
Greg Kroah-Hartman [Wed, 16 Oct 2019 21:48:01 +0000 (14:48 -0700)]
Linux 4.19.80-rc1

18 months agoperf/hw_breakpoint: Fix arch_hw_breakpoint use-before-initialization
Mark-PK Tsai [Fri, 6 Sep 2019 06:01:16 +0000 (14:01 +0800)]
perf/hw_breakpoint: Fix arch_hw_breakpoint use-before-initialization

commit 310aa0a25b338b3100c94880c9a69bec8ce8c3ae upstream.

If we disable the compiler's auto-initialization feature, if
-fplugin-arg-structleak_plugin-byref or -ftrivial-auto-var-init=pattern
are disabled, arch_hw_breakpoint may be used before initialization after:

  9a4903dde2c86 ("perf/hw_breakpoint: Split attribute parse and commit")

On our ARM platform, the struct step_ctrl in arch_hw_breakpoint, which
used to be zero-initialized by kzalloc(), may be used in
arch_install_hw_breakpoint() without initialization.

Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alix Wu <alix.wu@mediatek.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: YJ Chiang <yj.chiang@mediatek.com>
Link: https://lkml.kernel.org/r/20190906060115.9460-1-mark-pk.tsai@mediatek.com
[ Minor edits. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Doug Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoPCI: vmd: Fix config addressing when using bus offsets
Jon Derrick [Mon, 16 Sep 2019 13:54:34 +0000 (07:54 -0600)]
PCI: vmd: Fix config addressing when using bus offsets

commit e3dffa4f6c3612dea337c9c59191bd418afc941b upstream.

VMD maps child device config spaces to the VMD Config BAR linearly
regardless of the starting bus offset. Because of this, the config
address decode must ignore starting bus offsets when mapping the BDF to
the config space address.

Fixes: 2a5a9c9a20f9 ("PCI: vmd: Add offset to bus numbers if necessary")
Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Sushma Kalakota <sushmax.kalakota@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agox86/asm: Fix MWAITX C-state hint value
Janakarajan Natarajan [Mon, 7 Oct 2019 19:00:22 +0000 (19:00 +0000)]
x86/asm: Fix MWAITX C-state hint value

commit 454de1e7d970d6bc567686052329e4814842867c upstream.

As per "AMD64 Architecture Programmer's Manual Volume 3: General-Purpose
and System Instructions", MWAITX EAX[7:4]+1 specifies the optional hint
of the optimized C-state. For C0 state, EAX[7:4] should be set to 0xf.

Currently, a value of 0xf is set for EAX[3:0] instead of EAX[7:4]. Fix
this by changing MWAITX_DISABLE_CSTATES from 0xf to 0xf0.

This hasn't had any implications so far because setting reserved bits in
EAX is simply ignored by the CPU.

 [ bp: Fixup comment in delay_mwaitx() and massage. ]

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "x86@kernel.org" <x86@kernel.org>
Cc: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20191007190011.4859-1-Janakarajan.Natarajan@amd.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agohwmon: Fix HWMON_P_MIN_ALARM mask
Nuno Sá [Tue, 24 Sep 2019 12:49:43 +0000 (14:49 +0200)]
hwmon: Fix HWMON_P_MIN_ALARM mask

commit 30945d31e5761436d9eba6b8cff468a5f7c9c266 upstream.

Both HWMON_P_MIN_ALARM and HWMON_P_MAX_ALARM were using
BIT(hwmon_power_max_alarm).

Fixes: aa7f29b07c870 ("hwmon: Add support for power min, lcrit, min_alarm and lcrit_alarm")
CC: <stable@vger.kernel.org>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20190924124945.491326-2-nuno.sa@analog.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agotracing: Get trace_array reference for available_tracers files
Steven Rostedt (VMware) [Fri, 11 Oct 2019 22:19:17 +0000 (18:19 -0400)]
tracing: Get trace_array reference for available_tracers files

commit 194c2c74f5532e62c218adeb8e2b683119503907 upstream.

As instances may have different tracers available, we need to look at the
trace_array descriptor that shows the list of the available tracers for the
instance. But there's a race between opening the file and an admin
deleting the instance. The trace_array_get() needs to be called before
accessing the trace_array.

Cc: stable@vger.kernel.org
Fixes: 607e2ea167e56 ("tracing: Set up infrastructure to allow tracers for instances")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoftrace: Get a reference counter for the trace_array on filter files
Steven Rostedt (VMware) [Fri, 11 Oct 2019 21:56:57 +0000 (17:56 -0400)]
ftrace: Get a reference counter for the trace_array on filter files

commit 9ef16693aff8137faa21d16ffe65bb9832d24d71 upstream.

The ftrace set_ftrace_filter and set_ftrace_notrace files are specific for
an instance now. They need to take a reference to the instance otherwise
there could be a race between accessing the files and deleting the instance.

It wasn't until the :mod: caching where these file operations started
referencing the trace_array directly.

Cc: stable@vger.kernel.org
Fixes: 673feb9d76ab3 ("ftrace: Add :mod: caching infrastructure to trace_array")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agotracing/hwlat: Don't ignore outer-loop duration when calculating max_latency
Srivatsa S. Bhat (VMware) [Thu, 10 Oct 2019 18:51:01 +0000 (11:51 -0700)]
tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency

commit fc64e4ad80d4b72efce116f87b3174f0b7196f8e upstream.

max_latency is intended to record the maximum ever observed hardware
latency, which may occur in either part of the loop (inner/outer). So
we need to also consider the outer-loop sample when updating
max_latency.

Link: http://lkml.kernel.org/r/157073345463.17189.18124025522664682811.stgit@srivatsa-ubuntu
Fixes: e7c15cd8a113 ("tracing: Added hardware latency tracer")
Cc: stable@vger.kernel.org
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agotracing/hwlat: Report total time spent in all NMIs during the sample
Srivatsa S. Bhat (VMware) [Thu, 10 Oct 2019 18:50:46 +0000 (11:50 -0700)]
tracing/hwlat: Report total time spent in all NMIs during the sample

commit 98dc19c11470ee6048aba723d77079ad2cda8a52 upstream.

nmi_total_ts is supposed to record the total time spent in *all* NMIs
that occur on the given CPU during the (active portion of the)
sampling window. However, the code seems to be overwriting this
variable for each NMI, thereby only recording the time spent in the
most recent NMI. Fix it by accumulating the duration instead.

Link: http://lkml.kernel.org/r/157073343544.17189.13911783866738671133.stgit@srivatsa-ubuntu
Fixes: 7b2c86250122 ("tracing: Add NMI tracing in hwlat detector")
Cc: stable@vger.kernel.org
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoarm64/sve: Fix wrong free for task->thread.sve_state
Masayoshi Mizuma [Mon, 30 Sep 2019 20:56:00 +0000 (16:56 -0400)]
arm64/sve: Fix wrong free for task->thread.sve_state

commit 4585fc59c0e813188d6a4c5de1f6976fce461fc2 upstream.

The system which has SVE feature crashed because of
the memory pointed by task->thread.sve_state was destroyed
by someone.

That is because sve_state is freed while the forking the
child process. The child process has the pointer of sve_state
which is same as the parent's because the child's task_struct
is copied from the parent's one. If the copy_process()
fails as an error on somewhere, for example, copy_creds(),
then the sve_state is freed even if the parent is alive.
The flow is as follows.

copy_process
        p = dup_task_struct
            => arch_dup_task_struct
                *dst = *src;  // copy the entire region.
:
        retval = copy_creds
        if (retval < 0)
                goto bad_fork_free;
:
bad_fork_free:
...
        delayed_free_task(p);
          => free_task
             => arch_release_task_struct
                => fpsimd_release_task
                   => __sve_free
                      => kfree(task->thread.sve_state);
                         // free the parent's sve_state

Move child's sve_state = NULL and clearing TIF_SVE flag
to arch_dup_task_struct() so that the child doesn't free the
parent's one.
There is no need to wait until copy_process() to clear TIF_SVE for
dst, because the thread flags for dst are initialized already by
copying the src task_struct.
This change simplifies the code, so get rid of comments that are no
longer needed.

As a note, arm64 used to have thread_info on the stack. So it
would not be possible to clear TIF_SVE until the stack is initialized.
From commit c02433dd6de3 ("arm64: split thread_info from task stack"),
the thread_info is part of the task, so it should be valid to modify
the flag from arch_dup_task_struct().

Cc: stable@vger.kernel.org # 4.15.x-
Fixes: bc0ee4760364 ("arm64/sve: Core task context handling")
Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Reported-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Suggested-by: Dave Martin <Dave.Martin@arm.com>
Reviewed-by: Dave Martin <Dave.Martin@arm.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agomedia: stkwebcam: fix runtime PM after driver unbind
Johan Hovold [Tue, 1 Oct 2019 08:49:08 +0000 (10:49 +0200)]
media: stkwebcam: fix runtime PM after driver unbind

commit 30045f2174aab7fb4db7a9cf902d0aa6c75856a7 upstream.

Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate
interface PM usage counter") USB drivers must always balance their
runtime PM gets and puts, including when the driver has already been
unbound from the interface.

Leaving the interface with a positive PM usage counter would prevent a
later bound driver from suspending the device.

Note that runtime PM has never actually been enabled for this driver
since the support_autosuspend flag in its usb_driver struct is not set.

Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter")
Cc: stable <stable@vger.kernel.org>
Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191001084908.2003-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoFix the locking in dcache_readdir() and friends
Al Viro [Sun, 15 Sep 2019 16:12:39 +0000 (12:12 -0400)]
Fix the locking in dcache_readdir() and friends

commit d4f4de5e5ef8efde85febb6876cd3c8ab1631999 upstream.

There are two problems in dcache_readdir() - one is that lockless traversal
of the list needs non-trivial cooperation of d_alloc() (at least a switch
to list_add_rcu(), and probably more than just that) and another is that
it assumes that no removal will happen without the directory locked exclusive.
Said assumption had always been there, never had been stated explicitly and
is violated by several places in the kernel (devpts and selinuxfs).

        * replacement of next_positive() with different calling conventions:
it returns struct list_head * instead of struct dentry *; the latter is
passed in and out by reference, grabbing the result and dropping the original
value.
        * scan is under ->d_lock.  If we run out of timeslice, cursor is moved
after the last position we'd reached and we reschedule; then the scan continues
from that place.  To avoid livelocks between multiple lseek() (with cursors
getting moved past each other, never reaching the real entries) we always
skip the cursors, need_resched() or not.
        * returned list_head * is either ->d_child of dentry we'd found or
->d_subdirs of parent (if we got to the end of the list).
        * dcache_readdir() and dcache_dir_lseek() switched to new helper.
dcache_readdir() always holds a reference to dentry passed to dir_emit() now.
Cursor is moved to just before the entry where dir_emit() has failed or into
the very end of the list, if we'd run out.
        * move_cursor() eliminated - it had sucky calling conventions and
after fixing that it became simply list_move() (in lseek and scan_positives)
or list_move_tail() (in readdir).

        All operations with the list are under ->d_lock now, and we do not
depend upon having all file removals done with parent locked exclusive
anymore.

Cc: stable@vger.kernel.org
Reported-by: "zhengbin (A)" <zhengbin13@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoarm64: topology: Use PPTT to determine if PE is a thread
Jeremy Linton [Mon, 14 Oct 2019 09:56:26 +0000 (17:56 +0800)]
arm64: topology: Use PPTT to determine if PE is a thread

Commit 98dc19902a0b2e5348e43d6a2c39a0a7d0fc639e upstream.

ACPI 6.3 adds a thread flag to represent if a CPU/PE is
actually a thread. Given that the MPIDR_MT bit may not
represent this information consistently on homogeneous machines
we should prefer the PPTT flag if its available.

Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Reviewed-by: Robert Richter <rrichter@marvell.com>
[will: made acpi_cpu_is_threaded() return 'bool']
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agoACPI/PPTT: Add support for ACPI 6.3 thread flag
Jeremy Linton [Mon, 14 Oct 2019 09:56:25 +0000 (17:56 +0800)]
ACPI/PPTT: Add support for ACPI 6.3 thread flag

Commit bbd1b70639f785a970d998f35155c713f975e3ac upstream.

ACPI 6.3 adds a flag to the CPU node to indicate whether
the given PE is a thread. Add a function to return that
information for a given linux logical CPU.

Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Reviewed-by: Robert Richter <rrichter@marvell.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Will Deacon <will@kernel.org>
[jpg: backport for 4.19, replace acpi_pptt_warn_missing()]
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agoACPICA: ACPI 6.3: PPTT add additional fields in Processor Structure Flags
Erik Schmauss [Mon, 14 Oct 2019 09:56:24 +0000 (17:56 +0800)]
ACPICA: ACPI 6.3: PPTT add additional fields in Processor Structure Flags

Commit b5eab512e7cffb2bb37c4b342b5594e9e75fd486 upstream.

ACPICA commit c736ea34add19a3a07e0e398711847cd6b95affd

Link: https://github.com/acpica/acpica/commit/c736ea34
Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agoMIPS: elf_hwcap: Export userspace ASEs
Jiaxun Yang [Thu, 10 Oct 2019 15:01:57 +0000 (23:01 +0800)]
MIPS: elf_hwcap: Export userspace ASEs

commit 38dffe1e4dde1d3174fdce09d67370412843ebb5 upstream.

A Golang developer reported MIPS hwcap isn't reflecting instructions
that the processor actually supported so programs can't apply optimized
code at runtime.

Thus we export the ASEs that can be used in userspace programs.

Reported-by: Meng Zhuo <mengzhuo1203@gmail.com>
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Cc: linux-mips@vger.kernel.org
Cc: Paul Burton <paul.burton@mips.com>
Cc: <stable@vger.kernel.org> # 4.14+
Signed-off-by: Paul Burton <paul.burton@mips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoMIPS: Disable Loongson MMI instructions for kernel build
Paul Burton [Thu, 10 Oct 2019 18:54:03 +0000 (18:54 +0000)]
MIPS: Disable Loongson MMI instructions for kernel build

commit 2f2b4fd674cadd8c6b40eb629e140a14db4068fd upstream.

GCC 9.x automatically enables support for Loongson MMI instructions when
using some -march= flags, and then errors out when -msoft-float is
specified with:

  cc1: error: ‘-mloongson-mmi’ must be used with ‘-mhard-float’

The kernel shouldn't be using these MMI instructions anyway, just as it
doesn't use floating point instructions. Explicitly disable them in
order to fix the build with GCC 9.x.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 3702bba5eb4f ("MIPS: Loongson: Add GCC 4.4 support for Loongson2E")
Fixes: 6f7a251a259e ("MIPS: Loongson: Add basic Loongson 2F support")
Fixes: 5188129b8c9f ("MIPS: Loongson-3: Improve -march option and move it to Platform")
Cc: Huacai Chen <chenhc@lemote.com>
Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
Cc: stable@vger.kernel.org # v2.6.32+
Cc: linux-mips@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoNFS: Fix O_DIRECT accounting of number of bytes read/written
Trond Myklebust [Mon, 30 Sep 2019 18:02:56 +0000 (14:02 -0400)]
NFS: Fix O_DIRECT accounting of number of bytes read/written

commit 031d73ed768a40684f3ca21992265ffdb6a270bf upstream.

When a series of O_DIRECT reads or writes are truncated, either due to
eof or due to an error, then we should return the number of contiguous
bytes that were received/sent starting at the offset specified by the
application.

Currently, we are failing to correctly check contiguity, and so we're
failing the generic/465 in xfstests when the race between the read
and write RPCs causes the file to get extended while the 2 reads are
outstanding. If the first read RPC call wins the race and returns with
eof set, we should treat the second read RPC as being truncated.

Reported-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
Fixes: 1ccbad9f9f9bd ("nfs: fix DIO good bytes calculation")
Cc: stable@vger.kernel.org # 4.1+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agobtrfs: fix uninitialized ret in ref-verify
Josef Bacik [Wed, 2 Oct 2019 14:03:36 +0000 (10:03 -0400)]
btrfs: fix uninitialized ret in ref-verify

commit c5f4987e86f6692fdb12533ea1fc7a7bb98e555a upstream.

Coverity caught a case where we could return with a uninitialized value
in ret in process_leaf.  This is actually pretty likely because we could
very easily run into a block group item key and have a garbage value in
ret and think there was an errror.  Fix this by initializing ret to 0.

Reported-by: Colin Ian King <colin.king@canonical.com>
Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool")
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agobtrfs: fix incorrect updating of log root tree
Josef Bacik [Mon, 30 Sep 2019 20:27:25 +0000 (16:27 -0400)]
btrfs: fix incorrect updating of log root tree

commit 4203e968947071586a98b5314fd7ffdea3b4f971 upstream.

We've historically had reports of being unable to mount file systems
because the tree log root couldn't be read.  Usually this is the "parent
transid failure", but could be any of the related errors, including
"fsid mismatch" or "bad tree block", depending on which block got
allocated.

The modification of the individual log root items are serialized on the
per-log root root_mutex.  This means that any modification to the
per-subvol log root_item is completely protected.

However we update the root item in the log root tree outside of the log
root tree log_mutex.  We do this in order to allow multiple subvolumes
to be updated in each log transaction.

This is problematic however because when we are writing the log root
tree out we update the super block with the _current_ log root node
information.  Since these two operations happen independently of each
other, you can end up updating the log root tree in between writing out
the dirty blocks and setting the super block to point at the current
root.

This means we'll point at the new root node that hasn't been written
out, instead of the one we should be pointing at.  Thus whatever garbage
or old block we end up pointing at complains when we mount the file
system later and try to replay the log.

Fix this by copying the log's root item into a local root item copy.
Then once we're safely under the log_root_tree->log_mutex we update the
root item in the log_root_tree.  This way we do not modify the
log_root_tree while we're committing it, fixing the problem.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Chris Mason <clm@fb.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agocifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
Dave Wysochanski [Thu, 3 Oct 2019 05:16:27 +0000 (15:16 +1000)]
cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic

Commit 487317c99477 ("cifs: add spinlock for the openFileList to
cifsInodeInfo") added cifsInodeInfo->open_file_lock spin_lock to protect
the openFileList, but missed a few places where cifs_inode->openFileList
was enumerated.  Change these remaining tcon->open_file_lock to
cifsInodeInfo->open_file_lock to avoid panic in is_size_safe_to_change.

[17313.245641] RIP: 0010:is_size_safe_to_change+0x57/0xb0 [cifs]
[17313.245645] Code: 68 40 48 89 ef e8 19 67 b7 f1 48 8b 43 40 48 8d 4b 40 48 8d 50 f0 48 39 c1 75 0f eb 47 48 8b 42 10 48 8d 50 f0 48 39 c1 74 3a <8b> 80 88 00 00 00 83 c0 01 a8 02 74 e6 48 89 ef c6 07 00 0f 1f 40
[17313.245649] RSP: 0018:ffff94ae1baefa30 EFLAGS: 00010202
[17313.245654] RAX: dead000000000100 RBX: ffff88dc72243300 RCX: ffff88dc72243340
[17313.245657] RDX: dead0000000000f0 RSI: 00000000098f7940 RDI: ffff88dd3102f040
[17313.245659] RBP: ffff88dd3102f040 R08: 0000000000000000 R09: ffff94ae1baefc40
[17313.245661] R10: ffffcdc8bb1c4e80 R11: ffffcdc8b50adb08 R12: 00000000098f7940
[17313.245663] R13: ffff88dc72243300 R14: ffff88dbc8f19600 R15: ffff88dc72243428
[17313.245667] FS:  00007fb145485700(0000) GS:ffff88dd3e000000(0000) knlGS:0000000000000000
[17313.245670] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17313.245672] CR2: 0000026bb46c6000 CR3: 0000004edb110003 CR4: 00000000007606e0
[17313.245753] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17313.245756] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[17313.245759] PKRU: 55555554
[17313.245761] Call Trace:
[17313.245803]  cifs_fattr_to_inode+0x16b/0x580 [cifs]
[17313.245838]  cifs_get_inode_info+0x35c/0xa60 [cifs]
[17313.245852]  ? kmem_cache_alloc_trace+0x151/0x1d0
[17313.245885]  cifs_open+0x38f/0x990 [cifs]
[17313.245921]  ? cifs_revalidate_dentry_attr+0x3e/0x350 [cifs]
[17313.245953]  ? cifsFileInfo_get+0x30/0x30 [cifs]
[17313.245960]  ? do_dentry_open+0x132/0x330
[17313.245963]  do_dentry_open+0x132/0x330
[17313.245969]  path_openat+0x573/0x14d0
[17313.245974]  do_filp_open+0x93/0x100
[17313.245979]  ? __check_object_size+0xa3/0x181
[17313.245986]  ? audit_alloc_name+0x7e/0xd0
[17313.245992]  do_sys_open+0x184/0x220
[17313.245999]  do_syscall_64+0x5b/0x1b0

Fixes: 487317c99477 ("cifs: add spinlock for the openFileList to cifsInodeInfo")

CC: Stable <stable@vger.kernel.org>
Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
18 months agoiio: adc: stm32-adc: fix a race when using several adcs with dma and irq
Fabrice Gasnier [Tue, 17 Sep 2019 12:38:16 +0000 (14:38 +0200)]
iio: adc: stm32-adc: fix a race when using several adcs with dma and irq

[ Upstream commit dcb10920179ab74caf88a6f2afadecfc2743b910 ]

End of conversion may be handled by using IRQ or DMA. There may be a
race when two conversions complete at the same time on several ADCs.
EOC can be read as 'set' for several ADCs, with:
- an ADC configured to use IRQs. EOCIE bit is set. The handler is normally
  called in this case.
- an ADC configured to use DMA. EOCIE bit isn't set. EOC triggers the DMA
  request instead. It's then automatically cleared by DMA read. But the
  handler gets called due to status bit is temporarily set (IRQ triggered
  by the other ADC).
So both EOC status bit in CSR and EOCIE control bit must be checked
before invoking the interrupt handler (e.g. call ISR only for
IRQ-enabled ADCs).

Fixes: 2763ea0585c9 ("iio: adc: stm32: add optional dma support")

Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agoiio: adc: stm32-adc: move registers definitions
Fabrice Gasnier [Tue, 17 Sep 2019 12:38:15 +0000 (14:38 +0200)]
iio: adc: stm32-adc: move registers definitions

[ Upstream commit 31922f62bb527d749b99dbc776e514bcba29b7fe ]

Move STM32 ADC registers definitions to common header.
This is precursor patch to:
- iio: adc: stm32-adc: fix a race when using several adcs with dma and irq

It keeps registers definitions as a whole block, to ease readability and
allow simple access path to EOC bits (readl) in stm32-adc-core driver.

Fixes: 2763ea0585c9 ("iio: adc: stm32: add optional dma support")

Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agogpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source
Bartosz Golaszewski [Mon, 14 Oct 2019 15:54:35 +0000 (17:54 +0200)]
gpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source

[ Upstream commit e735244e2cf068f98b6384681a38993e0517a838 ]

When emulating open-drain/open-source by not actively driving the output
lines - we're simply changing their mode to input. This is wrong as it
will then make it impossible to change the value of such line - it's now
considered to actually be in input mode. If we want to still use the
direction_input() callback for simplicity then we need to set FLAG_IS_OUT
manually in gpiod_direction_output() and not clear it in
gpio_set_open_drain_value_commit() and
gpio_set_open_source_value_commit().

Fixes: c663e5f56737 ("gpio: support native single-ended hardware drivers")
Cc: stable@vger.kernel.org
Reported-by: Kent Gibson <warthog618@gmail.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
[Bartosz: backported to v5.3, v4.19]
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agofirmware: google: increment VPD key_len properly
Brian Norris [Mon, 30 Sep 2019 21:45:22 +0000 (14:45 -0700)]
firmware: google: increment VPD key_len properly

[ Upstream commit 442f1e746e8187b9deb1590176f6b0ff19686b11 ]

Commit 4b708b7b1a2c ("firmware: google: check if size is valid when
decoding VPD data") adds length checks, but the new vpd_decode_entry()
function botched the logic -- it adds the key length twice, instead of
adding the key and value lengths separately.

On my local system, this means vpd.c's vpd_section_create_attribs() hits
an error case after the first attribute it parses, since it's no longer
looking at the correct offset. With this patch, I'm back to seeing all
the correct attributes in /sys/firmware/vpd/...

Fixes: 4b708b7b1a2c ("firmware: google: check if size is valid when decoding VPD data")
Cc: <stable@vger.kernel.org>
Cc: Hung-Te Lin <hungte@chromium.org>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Link: https://lore.kernel.org/r/20190930214522.240680-1-briannorris@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
18 months agomm/vmpressure.c: fix a signedness bug in vmpressure_register_event()
Dan Carpenter [Mon, 7 Oct 2019 00:58:28 +0000 (17:58 -0700)]
mm/vmpressure.c: fix a signedness bug in vmpressure_register_event()

commit 518a86713078168acd67cf50bc0b45d54b4cce6c upstream.

The "mode" and "level" variables are enums and in this context GCC will
treat them as unsigned ints so the error handling is never triggered.

I also removed the bogus initializer because it isn't required any more
and it's sort of confusing.

[akpm@linux-foundation.org: reduce implicit and explicit typecasting]
[akpm@linux-foundation.org: fix return value, add comment, per Matthew]
Link: http://lkml.kernel.org/r/20190925110449.GO3264@mwanda
Fixes: 3cadfa2b9497 ("mm/vmpressure.c: convert to use match_string() helper")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: David Rientjes <rientjes@google.com>
Reviewed-by: Matthew Wilcox <willy@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Enrico Weigelt <info@metux.net>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agokernel/sysctl.c: do not override max_threads provided by userspace
Michal Hocko [Mon, 7 Oct 2019 00:58:19 +0000 (17:58 -0700)]
kernel/sysctl.c: do not override max_threads provided by userspace

commit b0f53dbc4bc4c371f38b14c391095a3bb8a0bb40 upstream.

Partially revert 16db3d3f1170 ("kernel/sysctl.c: threads-max observe
limits") because the patch is causing a regression to any workload which
needs to override the auto-tuning of the limit provided by kernel.

set_max_threads is implementing a boot time guesstimate to provide a
sensible limit of the concurrently running threads so that runaways will
not deplete all the memory.  This is a good thing in general but there
are workloads which might need to increase this limit for an application
to run (reportedly WebSpher MQ is affected) and that is simply not
possible after the mentioned change.  It is also very dubious to
override an admin decision by an estimation that doesn't have any direct
relation to correctness of the kernel operation.

Fix this by dropping set_max_threads from sysctl_max_threads so any
value is accepted as long as it fits into MAX_THREADS which is important
to check because allowing more threads could break internal robust futex
restriction.  While at it, do not use MIN_THREADS as the lower boundary
because it is also only a heuristic for automatic estimation and admin
might have a good reason to stop new threads to be created even when
below this limit.

This became more severe when we switched x86 from 4k to 8k kernel
stacks.  Starting since 6538b8ea886e ("x86_64: expand kernel stack to
16K") (3.16) we use THREAD_SIZE_ORDER = 2 and that halved the auto-tuned
value.

In the particular case

  3.12
  kernel.threads-max = 515561

  4.4
  kernel.threads-max = 200000

Neither of the two values is really insane on 32GB machine.

I am not sure we want/need to tune the max_thread value further.  If
anything the tuning should be removed altogether if proven not useful in
general.  But we definitely need a way to override this auto-tuning.

Link: http://lkml.kernel.org/r/20190922065801.GB18814@dhcp22.suse.cz
Fixes: 16db3d3f1170 ("kernel/sysctl.c: threads-max observe limits")
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoCIFS: Force reval dentry if LOOKUP_REVAL flag is set
Pavel Shilovsky [Mon, 30 Sep 2019 17:06:20 +0000 (10:06 -0700)]
CIFS: Force reval dentry if LOOKUP_REVAL flag is set

commit 0b3d0ef9840f7be202393ca9116b857f6f793715 upstream.

Mark inode for force revalidation if LOOKUP_REVAL flag is set.
This tells the client to actually send a QueryInfo request to
the server to obtain the latest metadata in case a directory
or a file were changed remotely. Only do that if the client
doesn't have a lease for the file to avoid unneeded round
trips to the server.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoCIFS: Force revalidate inode when dentry is stale
Pavel Shilovsky [Mon, 30 Sep 2019 17:06:19 +0000 (10:06 -0700)]
CIFS: Force revalidate inode when dentry is stale

commit c82e5ac7fe3570a269c0929bf7899f62048e7dbc upstream.

Currently the client indicates that a dentry is stale when inode
numbers or type types between a local inode and a remote file
don't match. If this is the case attributes is not being copied
from remote to local, so, it is already known that the local copy
has stale metadata. That's why the inode needs to be marked for
revalidation in order to tell the VFS to lookup the dentry again
before openning a file. This prevents unexpected stale errors
to be returned to the user space when openning a file.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoCIFS: Gracefully handle QueryInfo errors during open
Pavel Shilovsky [Mon, 30 Sep 2019 17:06:18 +0000 (10:06 -0700)]
CIFS: Gracefully handle QueryInfo errors during open

commit 30573a82fb179420b8aac30a3a3595aa96a93156 upstream.

Currently if the client identifies problems when processing
metadata returned in CREATE response, the open handle is being
leaked. This causes multiple problems like a file missing a lease
break by that client which causes high latencies to other clients
accessing the file. Another side-effect of this is that the file
can't be deleted.

Fix this by closing the file after the client hits an error after
the file was opened and the open descriptor wasn't returned to
the user space. Also convert -ESTALE to -EOPENSTALE to allow
the VFS to revalidate a dentry and retry the open.

Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoblk-wbt: fix performance regression in wbt scale_up/scale_down
Harshad Shirwadkar [Sat, 5 Oct 2019 18:59:27 +0000 (11:59 -0700)]
blk-wbt: fix performance regression in wbt scale_up/scale_down

commit b84477d3ebb96294f87dc3161e53fa8fe22d9bfd upstream.

scale_up wakes up waiters after scaling up. But after scaling max, it
should not wake up more waiters as waiters will not have anything to
do. This patch fixes this by making scale_up (and also scale_down)
return when threshold is reached.

This bug causes increased fdatasync latency when fdatasync and dd
conv=sync are performed in parallel on 4.19 compared to 4.14. This
bug was introduced during refactoring of blk-wbt code.

Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt")
Cc: stable@vger.kernel.org
Cc: Josef Bacik <jbacik@fb.com>
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoperf inject jit: Fix JIT_CODE_MOVE filename
Steve MacLean [Sat, 28 Sep 2019 01:41:18 +0000 (01:41 +0000)]
perf inject jit: Fix JIT_CODE_MOVE filename

commit b59711e9b0d22fd47abfa00602fd8c365cdd3ab7 upstream.

During perf inject --jit, JIT_CODE_MOVE records were injecting MMAP records
with an incorrect filename. Specifically it was missing the ".so" suffix.

Further the JIT_CODE_LOAD record were silently truncating the
jr->load.code_index field to 32 bits before generating the filename.

Make both records emit the same filename based on the full 64 bit
code_index field.

Fixes: 9b07e27f88b9 ("perf inject: Add jitdump mmap injection support")
Cc: stable@vger.kernel.org # v4.6+
Signed-off-by: Steve MacLean <Steve.MacLean@Microsoft.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Brian Robbins <brianrob@microsoft.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Eric Saint-Etienne <eric.saint.etienne@oracle.com>
Cc: John Keeping <john@metanate.com>
Cc: John Salem <josalem@microsoft.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Tom McDonald <thomas.mcdonald@microsoft.com>
Link: http://lore.kernel.org/lkml/BN8PR21MB1362FF8F127B31DBF4121528F7800@BN8PR21MB1362.namprd21.prod.outlook.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoperf llvm: Don't access out-of-scope array
Ian Rogers [Thu, 26 Sep 2019 22:00:18 +0000 (15:00 -0700)]
perf llvm: Don't access out-of-scope array

commit 7d4c85b7035eb2f9ab217ce649dcd1bfaf0cacd3 upstream.

The 'test_dir' variable is assigned to the 'release' array which is
out-of-scope 3 lines later.

Extend the scope of the 'release' array so that an out-of-scope array
isn't accessed.

Bug detected by clang's address sanitizer.

Fixes: 07bc5c699a3d ("perf tools: Make fetch_kernel_version() publicly available")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lore.kernel.org/lkml/20190926220018.25402-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoefivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified
Ard Biesheuvel [Wed, 2 Oct 2019 16:58:59 +0000 (18:58 +0200)]
efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified

commit c05f8f92b701576b615f30aac31fabdc0648649b upstream.

The kernel command line option efivar_ssdt= allows the name to be
specified of an EFI variable containing an ACPI SSDT table that should
be loaded into memory by the OS, and treated as if it was provided by
the firmware.

Currently, that code will always iterate over the EFI variables and
compare each name with the provided name, even if the command line
option wasn't set to begin with.

So bail early when no variable name was provided. This works around a
boot regression on the 2012 Mac Pro, as reported by Scott.

Tested-by: Scott Talbert <swt@techie.net>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # v4.9+
Cc: Ben Dooks <ben.dooks@codethink.co.uk>
Cc: Dave Young <dyoung@redhat.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Matthew Garrett <mjg59@google.com>
Cc: Octavian Purdila <octavian.purdila@intel.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Cc: linux-integrity@vger.kernel.org
Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables")
Link: https://lkml.kernel.org/r/20191002165904.8819-3-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoiio: light: opt3001: fix mutex unlock race
David Frey [Thu, 19 Sep 2019 22:54:18 +0000 (15:54 -0700)]
iio: light: opt3001: fix mutex unlock race

commit 82f3015635249a8c8c45bac303fd84905066f04f upstream.

When an end-of-conversion interrupt is received after performing a
single-shot reading of the light sensor, the driver was waking up the
result ready queue before checking opt->ok_to_ignore_lock to determine
if it should unlock the mutex. The problem occurred in the case where
the other thread woke up and changed the value of opt->ok_to_ignore_lock
to false prior to the interrupt thread performing its read of the
variable. In this case, the mutex would be unlocked twice.

Signed-off-by: David Frey <dpfrey@gmail.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoiio: adc: axp288: Override TS pin bias current for some models
Hans de Goede [Sun, 15 Sep 2019 18:53:42 +0000 (20:53 +0200)]
iio: adc: axp288: Override TS pin bias current for some models

commit 972917419a0ba25afbf69d5d8c9fa644d676f887 upstream.

Since commit 9bcf15f75cac ("iio: adc: axp288: Fix TS-pin handling") we
preserve the bias current set by the firmware at boot.  This fixes issues
we were seeing on various models, but it seems our old hardcoded 80ųA bias
current was working around a firmware bug on at least one model laptop.

In order to both have our cake and eat it, this commit adds a dmi based
list of models where we need to override the firmware set bias current and
adds the one model we now know needs this to it: The Lenovo Ideapad 100S
(11 inch version).

Fixes: 9bcf15f75cac ("iio: adc: axp288: Fix TS-pin handling")
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203829
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoiio: adc: ad799x: fix probe error handling
Marco Felsch [Tue, 17 Sep 2019 16:09:23 +0000 (18:09 +0200)]
iio: adc: ad799x: fix probe error handling

commit c62dd44901cfff12acc5792bf3d2dec20bcaf392 upstream.

Since commit 0f7ddcc1bff1 ("iio:adc:ad799x: Write default config on probe
and reset alert status on probe") the error path is wrong since it
leaves the vref regulator on. Fix this by disabling both regulators.

Fixes: 0f7ddcc1bff1 ("iio:adc:ad799x: Write default config on probe and reset alert status on probe")
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoiio: adc: hx711: fix bug in sampling of data
Andreas Klinger [Mon, 9 Sep 2019 12:37:21 +0000 (14:37 +0200)]
iio: adc: hx711: fix bug in sampling of data

commit 4043ecfb5fc4355a090111e14faf7945ff0fdbd5 upstream.

Fix bug in sampling function hx711_cycle() when interrupt occures while
PD_SCK is high. If PD_SCK is high for at least 60 us power down mode of
the sensor is entered which in turn leads to a wrong measurement.

Switch off interrupts during a PD_SCK high period and move query of DOUT
to the latest point of time which is at the end of PD_SCK low period.

This bug exists in the driver since it's initial addition. The more
interrupts on the system the higher is the probability that it happens.

Fixes: c3b2fdd0ea7e ("iio: adc: hx711: Add IIO driver for AVIA HX711")
Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agostaging: vt6655: Fix memory leak in vt6655_probe
Navid Emamdoost [Fri, 4 Oct 2019 20:03:15 +0000 (15:03 -0500)]
staging: vt6655: Fix memory leak in vt6655_probe

commit 80b15db5e1e9c3300de299b2d43d1aafb593e6ac upstream.

In vt6655_probe, if vnt_init() fails the cleanup code needs to be called
like other error handling cases. The call to device_free_info() is
added.

Fixes: 67013f2c0e58 ("staging: vt6655: mac80211 conversion add main mac80211 functions")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191004200319.22394-1-navid.emamdoost@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoStaging: fbtft: fix memory leak in fbtft_framebuffer_alloc
Navid Emamdoost [Mon, 30 Sep 2019 03:09:45 +0000 (22:09 -0500)]
Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc

commit 5bdea6060618cfcf1459dca137e89aee038ac8b9 upstream.

In fbtft_framebuffer_alloc the error handling path should take care of
releasing frame buffer after it is allocated via framebuffer_alloc, too.
Therefore, in two failure cases the goto destination is changed to
address this issue.

Fixes: c296d5f9957c ("staging: fbtft: core support")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190930030949.28615-1-navid.emamdoost@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agogpio: eic: sprd: Fix the incorrect EIC offset when toggling
Bruce Chen [Mon, 16 Sep 2019 09:56:56 +0000 (17:56 +0800)]
gpio: eic: sprd: Fix the incorrect EIC offset when toggling

commit e91aafcb51f3c5001ae76c3ee027beb0b8506447 upstream.

When toggling the level trigger to emulate the edge trigger, the
EIC offset is incorrect without adding the corresponding bank index,
thus fix it.

Fixes: 7bf0d7f62282 ("gpio: eic: Add edge trigger emulation for EIC")
Cc: stable@vger.kernel.org
Signed-off-by: Bruce Chen <bruce.chen@unisoc.com>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agomei: avoid FW version request on Ibex Peak and earlier
Alexander Usyskin [Fri, 4 Oct 2019 18:17:22 +0000 (21:17 +0300)]
mei: avoid FW version request on Ibex Peak and earlier

commit f8204f0ddd62966a0e79c2804963a21e3540dd82 upstream.

The fixed MKHI client on PCH 6 gen platforms
does not support fw version retrieval.
The error is not fatal, but it fills up the kernel logs and
slows down the driver start.
This patch disables requesting FW version on GEN6 and earlier platforms.

Fixes warning:
[   15.964298] mei mei::55213584-9a29-4916-badf-0fb7ed682aeb:01: Could not read FW version
[   15.964301] mei mei::55213584-9a29-4916-badf-0fb7ed682aeb:01: version command failed -5

Cc: <stable@vger.kernel.org> +v4.18
Cc: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20191004181722.31374-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agomei: me: add comet point (lake) LP device ids
Tomas Winkler [Tue, 1 Oct 2019 23:59:57 +0000 (02:59 +0300)]
mei: me: add comet point (lake) LP device ids

commit 4d86dfd38285c83a6df01093b8547f742e3b2470 upstream.

Add Comet Point devices IDs for Comet Lake U platforms.

Cc: <stable@vger.kernel.org>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20191001235958.19979-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: legousbtower: fix use-after-free on release
Johan Hovold [Wed, 9 Oct 2019 15:38:47 +0000 (17:38 +0200)]
USB: legousbtower: fix use-after-free on release

commit 726b55d0e22ca72c69c947af87785c830289ddbc upstream.

The driver was accessing its struct usb_device in its release()
callback without holding a reference. This would lead to a
use-after-free whenever the device was disconnected while the character
device was still open.

Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro")
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009153848.8664-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: legousbtower: fix open after failed reset request
Johan Hovold [Thu, 19 Sep 2019 08:30:39 +0000 (10:30 +0200)]
USB: legousbtower: fix open after failed reset request

commit 0b074f6986751361ff442bc1127c1648567aa8d6 upstream.

The driver would return with a nonzero open count in case the reset
control request failed. This would prevent any further attempts to open
the char dev until the device was disconnected.

Fix this by incrementing the open count only on successful open.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190919083039.30898-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: legousbtower: fix potential NULL-deref on disconnect
Johan Hovold [Thu, 19 Sep 2019 08:30:38 +0000 (10:30 +0200)]
USB: legousbtower: fix potential NULL-deref on disconnect

commit cd81e6fa8e033e7bcd59415b4a65672b4780030b upstream.

The driver is using its struct usb_device pointer as an inverted
disconnected flag, but was setting it to NULL before making sure all
completion handlers had run. This could lead to a NULL-pointer
dereference in a number of dev_dbg and dev_err statements in the
completion handlers which relies on said pointer.

Fix this by unconditionally stopping all I/O and preventing
resubmissions by poisoning the interrupt URBs at disconnect and using a
dedicated disconnected flag.

This also makes sure that all I/O has completed by the time the
disconnect callback returns.

Fixes: 9d974b2a06e3 ("USB: legousbtower.c: remove err() usage")
Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro")
Fixes: 4dae99638097 ("USB: legotower: remove custom debug macro and module parameter")
Cc: stable <stable@vger.kernel.org> # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190919083039.30898-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: legousbtower: fix deadlock on disconnect
Johan Hovold [Thu, 19 Sep 2019 08:30:37 +0000 (10:30 +0200)]
USB: legousbtower: fix deadlock on disconnect

commit 33a7813219f208f4952ece60ee255fd983272dec upstream.

Fix a potential deadlock if disconnect races with open.

Since commit d4ead16f50f9 ("USB: prevent char device open/deregister
race") core holds an rw-semaphore while open is called and when
releasing the minor number during deregistration. This can lead to an
ABBA deadlock if a driver takes a lock in open which it also holds
during deregistration.

This effectively reverts commit 78663ecc344b ("USB: disconnect open race
in legousbtower") which needlessly introduced this issue after a generic
fix for this race had been added to core by commit d4ead16f50f9 ("USB:
prevent char device open/deregister race").

Fixes: 78663ecc344b ("USB: disconnect open race in legousbtower")
Cc: stable <stable@vger.kernel.org> # 2.6.24
Reported-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com
Tested-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190919083039.30898-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: legousbtower: fix slab info leak at probe
Johan Hovold [Thu, 19 Sep 2019 08:30:36 +0000 (10:30 +0200)]
USB: legousbtower: fix slab info leak at probe

commit 1d427be4a39defadda6dd8f4659bc17f7591740f upstream.

Make sure to check for short transfers when retrieving the version
information at probe to avoid leaking uninitialised slab data when
logging it.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190919083039.30898-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agousb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
Yoshihiro Shimoda [Tue, 1 Oct 2019 10:10:33 +0000 (19:10 +0900)]
usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior

commit 4d599cd3a097a85a5c68a2c82b9a48cddf9953ec upstream.

According to usb_ep_set_halt()'s description,
__usbhsg_ep_set_halt_wedge() should return -EAGAIN if the IN endpoint
has any queue or data. Otherwise, this driver is possible to cause
just STALL without sending a short packet data on g_mass_storage driver,
and then a few resetting a device happens on a host side during
a usb enumaration.

Fixes: 2f98382dcdfe ("usb: renesas_usbhs: Add Renesas USBHS Gadget")
Cc: <stable@vger.kernel.org> # v3.0+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/1569924633-322-3-git-send-email-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agousb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()
Yoshihiro Shimoda [Tue, 1 Oct 2019 10:10:32 +0000 (19:10 +0900)]
usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()

commit 1aae1394294cb71c6aa0bc904a94a7f2f1e75936 upstream.

The commit 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
had added a usbhsg_pipe_disable() calling into
__usbhsg_ep_set_halt_wedge() accidentally. But, this driver should
not call the usbhsg_pipe_disable() because the function discards
all queues. So, this patch removes it.

Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
Cc: <stable@vger.kernel.org> # v3.1+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/1569924633-322-2-git-send-email-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: dummy-hcd: fix power budget for SuperSpeed mode
Jacky.Cao@sony.com [Thu, 5 Sep 2019 04:11:57 +0000 (04:11 +0000)]
USB: dummy-hcd: fix power budget for SuperSpeed mode

commit 2636d49b64671d3d90ecc4daf971b58df3956519 upstream.

The power budget for SuperSpeed mode should be 900 mA
according to USB specification, so set the power budget
to 900mA for dummy_start_ss which is only used for
SuperSpeed mode.

If the max power consumption of SuperSpeed device is
larger than 500 mA, insufficient available bus power
error happens in usb_choose_configuration function
when the device connects to dummy hcd.

Signed-off-by: Jacky Cao <Jacky.Cao@sony.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/16EA1F625E922C43B00B9D82250220500871CDE5@APYOKXMS108.ap.sony.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: microtek: fix info-leak at probe
Johan Hovold [Thu, 3 Oct 2019 07:09:31 +0000 (09:09 +0200)]
USB: microtek: fix info-leak at probe

commit 177238c3d47d54b2ed8f0da7a4290db492f4a057 upstream.

Add missing bulk-in endpoint sanity check to prevent uninitialised stack
data from being reported to the system log and used as endpoint
addresses.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reported-by: syzbot+5630ca7c3b2be5c9da5e@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20191003070931.17009-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: usblcd: fix I/O after disconnect
Johan Hovold [Thu, 26 Sep 2019 09:12:25 +0000 (11:12 +0200)]
USB: usblcd: fix I/O after disconnect

commit eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 upstream.

Make sure to stop all I/O on disconnect by adding a disconnected flag
which is used to prevent new I/O from being started and by stopping all
ongoing I/O before returning.

This also fixes a potential use-after-free on driver unbind in case the
driver data is freed before the completion handler has run.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org> # 7bbe990c989e
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190926091228.24634-7-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: serial: fix runtime PM after driver unbind
Johan Hovold [Tue, 1 Oct 2019 08:49:07 +0000 (10:49 +0200)]
USB: serial: fix runtime PM after driver unbind

commit d51bdb93ca7e71d7fb30a572c7b47ed0194bf3fe upstream.

Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate
interface PM usage counter") USB drivers must always balance their
runtime PM gets and puts, including when the driver has already been
unbound from the interface.

Leaving the interface with a positive PM usage counter would prevent a
later bound driver from suspending the device.

Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191001084908.2003-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: serial: option: add support for Cinterion CLS8 devices
Reinhard Speyerer [Thu, 3 Oct 2019 16:53:21 +0000 (18:53 +0200)]
USB: serial: option: add support for Cinterion CLS8 devices

commit dfbac2f4da6a0c4a8f6b4d715a4077a7b8df53ad upstream.

Add support for the serial ports of Cinterion CLS8 devices.

T:  Bus=01 Lev=03 Prnt=05 Port=01 Cnt=02 Dev#= 25 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1e2d ProdID=00b0 Rev= 3.18
S:  Manufacturer=GEMALTO
S:  Product=USB Modem
C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: serial: option: add Telit FN980 compositions
Daniele Palmas [Mon, 23 Sep 2019 10:23:28 +0000 (12:23 +0200)]
USB: serial: option: add Telit FN980 compositions

commit 5eb3f4b87a0e7e949c976f32f296176a06d1a93b upstream.

This patch adds the following Telit FN980 compositions:

0x1050: tty, adb, rmnet, tty, tty, tty, tty
0x1051: tty, adb, mbim, tty, tty, tty, tty
0x1052: rndis, tty, adb, tty, tty, tty, tty
0x1053: tty, adb, ecm, tty, tty, tty, tty

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
Beni Mahler [Wed, 4 Sep 2019 22:26:20 +0000 (00:26 +0200)]
USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20

commit 357f16d9e0194cdbc36531ff88b453481560b76a upstream.

Both devices added here have a FTDI chip inside. The device from Echelon
is called 'Network Interface' it is actually a LON network gateway.

 ID 0403:8348 Future Technology Devices International, Ltd
 https://www.eltako.com/fileadmin/downloads/de/datenblatt/Datenblatt_PL-SW-PROF.pdf

 ID 0920:7500 Network Interface
 https://www.echelon.com/products/u20-usb-network-interface

Signed-off-by: Beni Mahler <beni.mahler@gmx.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: serial: keyspan: fix NULL-derefs on open() and write()
Johan Hovold [Thu, 3 Oct 2019 13:49:58 +0000 (15:49 +0200)]
USB: serial: keyspan: fix NULL-derefs on open() and write()

commit 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 upstream.

Fix NULL-pointer dereferences on open() and write() which can be
triggered by a malicious USB device.

The current URB allocation helper would fail to initialise the newly
allocated URB if the device has unexpected endpoint descriptors,
something which could lead NULL-pointer dereferences in a number of
open() and write() paths when accessing the URB. For example:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:usb_clear_halt+0x11/0xc0
...
Call Trace:
 ? tty_port_open+0x4d/0xd0
 keyspan_open+0x70/0x160 [keyspan]
 serial_port_activate+0x5b/0x80 [usbserial]
 tty_port_open+0x7b/0xd0
 ? check_tty_count+0x43/0xa0
 tty_open+0xf1/0x490

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan]
...
Call Trace:
 serial_write+0x43/0xa0 [usbserial]
 n_tty_write+0x1af/0x4f0
 ? do_wait_intr_irq+0x80/0x80
 ? process_echoes+0x60/0x60
 tty_write+0x13f/0x2f0

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan]
...
Call Trace:
 keyspan_open+0x10f/0x160 [keyspan]
 serial_port_activate+0x5b/0x80 [usbserial]
 tty_port_open+0x7b/0xd0
 ? check_tty_count+0x43/0xa0
 tty_open+0xf1/0x490

Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)")
Cc: stable <stable@vger.kernel.org> # 2.6.21
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoserial: uartlite: fix exit path null pointer
Randy Dunlap [Mon, 16 Sep 2019 23:12:23 +0000 (16:12 -0700)]
serial: uartlite: fix exit path null pointer

commit a553add0846f355a28ed4e81134012e4a1e280c2 upstream.

Call uart_unregister_driver() conditionally instead of
unconditionally, only if it has been previously registered.

This uses driver.state, just as the sh-sci.c driver does.

Fixes this null pointer dereference in tty_unregister_driver(),
since the 'driver' argument is null:

  general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
  RIP: 0010:tty_unregister_driver+0x25/0x1d0

Fixes: 238b8721a554 ("[PATCH] serial uartlite driver")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: stable <stable@vger.kernel.org>
Cc: Peter Korsgaard <jacmet@sunsite.dk>
Link: https://lore.kernel.org/r/9c8e6581-6fcc-a595-0897-4d90f5d710df@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: ldusb: fix NULL-derefs on driver unbind
Johan Hovold [Wed, 9 Oct 2019 15:38:46 +0000 (17:38 +0200)]
USB: ldusb: fix NULL-derefs on driver unbind

commit 58ecf131e74620305175a7aa103f81350bb37570 upstream.

The driver was using its struct usb_interface pointer as an inverted
disconnected flag, but was setting it to NULL before making sure all
completion handlers had run. This could lead to a NULL-pointer
dereference in a number of dev_dbg, dev_warn and dev_err statements in
the completion handlers which relies on said pointer.

Fix this by unconditionally stopping all I/O and preventing
resubmissions by poisoning the interrupt URBs at disconnect and using a
dedicated disconnected flag.

This also makes sure that all I/O has completed by the time the
disconnect callback returns.

Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver")
Cc: stable <stable@vger.kernel.org> # 2.6.13
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009153848.8664-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: chaoskey: fix use-after-free on release
Johan Hovold [Wed, 9 Oct 2019 15:38:45 +0000 (17:38 +0200)]
USB: chaoskey: fix use-after-free on release

commit 93ddb1f56ae102f14f9e46a9a9c8017faa970003 upstream.

The driver was accessing its struct usb_interface in its release()
callback without holding a reference. This would lead to a
use-after-free whenever the device was disconnected while the character
device was still open.

Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
Cc: stable <stable@vger.kernel.org> # 4.1
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009153848.8664-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: usblp: fix runtime PM after driver unbind
Johan Hovold [Tue, 1 Oct 2019 08:49:06 +0000 (10:49 +0200)]
USB: usblp: fix runtime PM after driver unbind

commit 9a31535859bfd8d1c3ed391f5e9247cd87bb7909 upstream.

Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate
interface PM usage counter") USB drivers must always balance their
runtime PM gets and puts, including when the driver has already been
unbound from the interface.

Leaving the interface with a positive PM usage counter would prevent a
later bound driver from suspending the device.

Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191001084908.2003-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: iowarrior: fix use-after-free after driver unbind
Johan Hovold [Wed, 9 Oct 2019 10:48:43 +0000 (12:48 +0200)]
USB: iowarrior: fix use-after-free after driver unbind

commit b5f8d46867ca233d773408ffbe691a8062ed718f upstream.

Make sure to stop also the asynchronous write URBs on disconnect() to
avoid use-after-free in the completion handler after driver unbind.

Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Cc: stable <stable@vger.kernel.org> # 2.6.21: 51a2f077c44e ("USB: introduce usb_anchor")
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009104846.5925-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: iowarrior: fix use-after-free on release
Johan Hovold [Wed, 9 Oct 2019 10:48:42 +0000 (12:48 +0200)]
USB: iowarrior: fix use-after-free on release

commit 80cd5479b525093a56ef768553045741af61b250 upstream.

The driver was accessing its struct usb_interface from its release()
callback without holding a reference. This would lead to a
use-after-free whenever debugging was enabled and the device was
disconnected while its character device was open.

Fixes: 549e83500b80 ("USB: iowarrior: Convert local dbg macro to dev_dbg")
Cc: stable <stable@vger.kernel.org> # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009104846.5925-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: iowarrior: fix use-after-free on disconnect
Johan Hovold [Wed, 9 Oct 2019 10:48:41 +0000 (12:48 +0200)]
USB: iowarrior: fix use-after-free on disconnect

commit edc4746f253d907d048de680a621e121517f484b upstream.

A recent fix addressing a deadlock on disconnect introduced a new bug
by moving the present flag out of the critical section protected by the
driver-data mutex. This could lead to a racing release() freeing the
driver data before disconnect() is done with it.

Due to insufficient locking a related use-after-free could be triggered
also before the above mentioned commit. Specifically, the driver needs
to hold the driver-data mutex also while checking the opened flag at
disconnect().

Fixes: c468a8aa790e ("usb: iowarrior: fix deadlock on disconnect")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Cc: stable <stable@vger.kernel.org> # 2.6.21
Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009104846.5925-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: adutux: fix use-after-free on release
Johan Hovold [Wed, 9 Oct 2019 15:38:44 +0000 (17:38 +0200)]
USB: adutux: fix use-after-free on release

commit 123a0f125fa3d2104043697baa62899d9e549272 upstream.

The driver was accessing its struct usb_device in its release()
callback without holding a reference. This would lead to a
use-after-free whenever the device was disconnected while the character
device was still open.

Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro")
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009153848.8664-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 months agoUSB: adutux: fix NULL-derefs on disconnect
Johan Hovold [Wed, 25 Sep 2019 09:29:13 +0000 (11:29 +0200)]
USB: adutux: fix NULL-derefs on disconnect

commit b2fa7baee744fde746c17bc1860b9c6f5c2eebb7 upstream.

The driver was using its struct usb_device pointer as an inverted
disconnected flag, but was setting it to NULL before making sure all
completion handlers had run. This could lead to a NULL-pointer
dereference in a number of dev_dbg statements in the completion handlers
which relies on said pointer.

The pointer was also dereferenced unconditionally in a dev_dbg statement
release() something which would lead to a NULL-deref whenever a device
was disconnected before the final character-device close if debugging
was enabled.

Fix this by unconditionally stopping all I/O and preventing
resubmissions by poisoning the interrupt URBs at disconnect and using a
dedicated disconnected flag.

This also makes sure that all I/O has completed by the time the
disconnect callback returns.

Fixes: 1ef37c6047fe ("USB: adutux: remove custom debug macro and module parameter")
Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro")
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190925092913.8608-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>