commit 5caae9d1419914177994363218616b869659e871 Author: Greg Kroah-Hartman Date: Wed Nov 8 10:08:37 2017 +0100 Linux 4.9.61 commit be3390d86bc24dc1ceb38e677f8ea2a1cf78d309 Author: Yan Markman Date: Sun Oct 16 00:22:32 2016 +0300 ARM: dts: mvebu: pl310-cache disable double-linefill commit cda80a82ac3e89309706c027ada6ab232be1d640 upstream. Under heavy system stress mvebu SoC using Cortex A9 sporadically encountered instability issues. The "double linefill" feature of L2 cache was identified as causing dependency between read and write which lead to the deadlock. Especially, it was the cause of deadlock seen under heavy PCIe traffic, as this dependency violates PCIE overtaking rule. Fixes: c8f5a878e554 ("ARM: mvebu: use DT properties to fine-tune the L2 configuration") Signed-off-by: Yan Markman Signed-off-by: Igal Liberman Signed-off-by: Nadav Haklai [gregory.clement@free-electrons.com: reformulate commit log, add Armada 375 and add Fixes tag] Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 26fc85a0113d5a61c62b6c40a21be2c579c1c526 Author: Larry Finger Date: Fri Feb 10 21:30:27 2017 -0600 staging: r8712u: Fix Sparse warning in rtl871x_xmit.c [ Upstream commit 07222e535831b916221dd2a48a3047ec7e45dc72 ] Sparse reports the following: CHECK drivers/staging/rtl8712/rtl871x_xmit.c drivers/staging/rtl8712/rtl871x_xmit.c:350:44: warning: restricted __le32 degrades to integer drivers/staging/rtl8712/rtl871x_xmit.c:491:23: warning: incorrect type in initializer (different base types) drivers/staging/rtl8712/rtl871x_xmit.c:491:23: expected unsigned short [usertype] *fctrl drivers/staging/rtl8712/rtl871x_xmit.c:491:23: got restricted __le16 * drivers/staging/rtl8712/rtl871x_xmit.c:580:36: warning: incorrect type in assignment (different base types) drivers/staging/rtl8712/rtl871x_xmit.c:580:36: expected unsigned short [unsigned] [short] [usertype] drivers/staging/rtl8712/rtl871x_xmit.c:580:36: got restricted __be16 [usertype] Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 244cff7066f6b517ef30bba757e1837d5b8b3aa7 Author: Juergen Gross Date: Tue May 30 20:52:26 2017 +0200 xen: don't print error message in case of missing Xenstore entry [ Upstream commit 4e93b6481c87ea5afde944a32b4908357ec58992 ] When registering for the Xenstore watch of the node control/sysrq the handler will be called at once. Don't issue an error message if the Xenstore node isn't there, as it will be created only when an event is being triggered. Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c90b65d8b8fb664aa6b50ecbe0fad19ca249b54b Author: Paul Mackerras Date: Mon Jan 30 21:21:34 2017 +1100 powerpc/64: Don't try to use radix MMU under a hypervisor [ Upstream commit 18569c1f134e1c5c88228f043c09678ae6052b7c ] Currently, if the kernel is running on a POWER9 processor under a hypervisor, it will try to use the radix MMU even though it doesn't have the necessary code to use radix under a hypervisor (it doesn't negotiate use of radix, and it doesn't do the H_REGISTER_PROC_TBL hcall). The result is that the guest kernel will crash when it tries to turn on the MMU. This fixes it by looking for the /chosen/ibm,architecture-vec-5 property, and if it exists, clears the radix MMU feature bit, before we decide whether to initialize for radix or HPT. This property is created by the hypervisor as a result of the guest calling the ibm,client-architecture-support method to indicate its capabilities, so it will indicate whether the hypervisor agreed to us using radix. Systems without a hypervisor may have this property also (for example, skiboot creates it), so we check the HV bit in the MSR to see whether we are running as a guest or not. If we are in hypervisor mode, then we can do whatever we like including using the radix MMU. The reason for using this property is that in future, when we have support for using radix under a hypervisor, we will need to check this property to see whether the hypervisor agreed to us using radix. Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines") Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Paul Mackerras Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit df0c2d409e9d3159724b206da7e7e697fb5874eb Author: Bjorn Helgaas Date: Sat Oct 7 22:37:34 2017 +0000 PCI: Avoid possible deadlock on pci_lock and p->pi_lock [ Upstream commit cdcb33f9824429a926b971bf041a6cec238f91ff ] pci_lock is an IRQ-safe spinlock that protects all accesses to PCI configuration space (see PCI_OP_READ() and PCI_OP_WRITE() in pci/access.c). The pci_cfg_access_unlock() path acquires pci_lock, then p->pi_lock (inside wake_up_all()). According to lockdep, there is a possible path involving snbep_uncore_pci_read_counter() that could acquire them in the reverse order: acquiring p->pi_lock, then pci_lock, which could result in a deadlock. Lockdep details are in the bugzilla below. Avoid the possible deadlock by dropping pci_lock before waking up any config access waiters. Link: https://bugzilla.kernel.org/show_bug.cgi?id=192901 Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8e5ca01ac966b91818c9612cc3f988538a261ef2 Author: Joonyoung Shim Date: Sat Oct 7 22:37:34 2017 +0000 drm/exynos: g2d: prevent integer overflow in [ Upstream commit e41456bfc811f12b5dcda6f2d6849bdff68f6c0a ] The size computations done in the ioctl function use an integer. If userspace submits a request with req->cmd_nr or req->cmd_buf_nr set to INT_MAX, the integer computations overflow later, leading to potential (kernel) memory corruption. Prevent this issue by enforcing a limit on the number of submitted commands, so that we have enough headroom later for the size computations. Note that this change has no impact on the currently available users in userspace, like e.g. libdrm/exynos. While at it, also make a comment about the size computation more detailed. Signed-off-by: Joonyoung Shim Signed-off-by: Tobias Jakobi Signed-off-by: Inki Dae Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2a6576f56eabb84a1e0fe1a6d62a46c106688bae Author: Sudip Mukherjee Date: Sat Oct 7 22:36:57 2017 +0000 bt8xx: fix memory leak [ Upstream commit 6792eb0cf9310ec240b7e7c9bfa86dff4c758c68 ] If dvb_attach() fails then we were just printing an error message and exiting but the memory allocated to state was not released. Signed-off-by: Sudip Mukherjee Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c31f5651aed76791782e7a0c74fe301ed8f9391e Author: Harald Freudenberger Date: Sat Oct 7 22:36:57 2017 +0000 s390/crypto: Extend key length check for AES-XTS in fips mode. [ Upstream commit a4f2779ecf2f42b0997fedef6fd20a931c40a3e3 ] In fips mode only xts keys with 128 bit or 125 bit are allowed. This fix extends the xts_aes_set_key function to check for these valid key lengths in fips mode. Signed-off-by: Harald Freudenberger Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit aa7a7e92e08e1f096a0eb63fb535d03c323b32e5 Author: Harald Freudenberger Date: Sat Oct 7 22:36:57 2017 +0000 s390/prng: Adjust generation of entropy to produce real 256 bits. [ Upstream commit d34b1acb78af41b8b8d5c60972b6555ea19f7564 ] The generate_entropy function used a sha256 for compacting together 256 bits of entropy into 32 bytes hash. However, it is questionable if a sha256 can really be used here, as potential collisions may reduce the max entropy fitting into a 32 byte hash value. So this batch introduces the use of sha512 instead and the required buffer adjustments for the calling functions. Further more the working buffer for the generate_entropy function has been widened from one page to two pages. So now 1024 stckf invocations are used to gather 256 bits of entropy. This has been done to be on the save side if the jitters of stckf values isn't as good as supposed. Signed-off-by: Harald Freudenberger Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ba56e6cd9741c8f7454e7712ec5f81c988e5cb9e Author: Stefan Haberland Date: Sat Oct 7 22:36:56 2017 +0000 s390/dasd: check for device error pointer within state change interrupts [ Upstream commit 2202134e48a3b50320aeb9e3dd1186833e9d7e66 ] Check if the device pointer is valid. Just a sanity check since we already are in the int handler of the device. Signed-off-by: Stefan Haberland Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0b5cdee7df7645b842ef10bebe35b16bd69ab953 Author: Alexander Usyskin Date: Sat Oct 7 22:36:56 2017 +0000 mei: return error on notification request to a disconnected client [ Upstream commit 7c47d2ca0feca767479329da23523ed798acb854 ] Request for a notification from a disconnected client will be ignored silently by the FW but the caller should know that the operation hasn't succeeded. Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ad1267a0c9f7ba7f8a134ef0c9e4110b4778c0dc Author: Arvind Yadav Date: Sat Oct 7 22:36:56 2017 +0000 exynos4-is: fimc-is: Unmap region obtained by of_iomap() [ Upstream commit 4742575cde1f3cee0ea6b41af42781672315b04b ] Free memory mapping, if fimc_is_probe is not successful. Signed-off-by: Arvind Yadav Signed-off-by: Sylwester Nawrocki Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bfcbe6cd155114d63364e8d3b5e7d7d46cbb8b05 Author: Pierre-Louis Bossart Date: Sat Oct 7 22:36:56 2017 +0000 ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers [ Upstream commit 3639ac1cd5177685a5c8abb7230096b680e1d497 ] This patch corrects an omission in bytcr_rt5640 and bytcr_rt5651. All existing machine drivers shall not use .pm_ops to avoid a double suspend, as initially implemented by 3f2dcbeaeb2b ("ASoC: Intel: Remove soc pm handling to allow platform driver handle it"). Reported-by: Shrirang Bagul Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2e727b8abeeb0e4144902cbb485311ad54272601 Author: Seth Forshee Date: Sat Oct 7 22:36:55 2017 +0000 vfs: open() with O_CREAT should not create inodes with unknown ids [ Upstream commit 1328c727004d432bbdfba0ffa02a166df04c7305 ] may_create() rejects creation of inodes with ids which lack a mapping into s_user_ns. However for O_CREAT may_o_create() is is used instead. Add a similar check there. Fixes: 036d523641c6 ("vfs: Don't create inodes with a uid or gid unknown to the vfs") Signed-off-by: Seth Forshee Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7ec661f585785ffe20f8dd2849fbde7bf77b24bb Author: Rafał Miłecki Date: Sat Oct 7 22:36:55 2017 +0000 brcmfmac: check brcmf_bus_get_memdump result for error [ Upstream commit f4737a62033d7f3e0db740c449fc62119da7ab8a ] This method may be unsupported (see: USB bus) or may just fail (see: SDIO bus). While at it rework logic in brcmf_sdio_bus_get_memdump function to avoid too many conditional code nesting levels. Signed-off-by: Rafał Miłecki Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a69bec9bd3a4342067d68cb4a63fa64c025c8507 Author: Ulka Vaze Date: Sat Oct 7 22:36:55 2017 +0000 staging: lustre: lmv: Error not handled for lmv_find_target [ Upstream commit 30af99db7ab3483f5ce83ccb890533c9378c2ced ] This issue is found by smatch; has been reported as- Unchecked usage of potential ERR_PTR result in lmv_hsm_req_count and lmv_hsm_req_build. Added ERR_PTR in both functions and also return value check added. Signed-off-by: Ulka Vaze Signed-off-by: Aditya Pandit Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-6523 Reviewed-on: http://review.whamcloud.com/14918 Reviewed-by: Dmitry Eremin Reviewed-by: Andreas Dilger Reviewed-by: Oleg Drokin Signed-off-by: James Simmons Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 758d3ea8247e321a6a125b063dd3a193a21dfd1f Author: Alexander Boyko Date: Sat Oct 7 22:36:54 2017 +0000 staging: lustre: ptlrpc: skip lock if export failed [ Upstream commit 4c43c27ddc461d8473cedd70f2549614641dfbc7 ] This patch resolves IO vs eviction race. After eviction failed export stayed at stale list, a client had IO processing and reconnected during it. A client sent brw rpc with last lock cookie and new connection. The lock with failed export was found and assert was happened. (ost_handler.c:1812:ost_prolong_lock_one()) ASSERTION( lock->l_export == opd->opd_exp ) failed: 1. Skip the lock at ldlm_handle2lock if lock export failed. 2. Validation of lock for IO was added at hpreq_check(). The lock searching is based on granted interval tree. If server doesn`t have a valid lock, it reply to client with ESTALE. Signed-off-by: Alexander Boyko Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-7702 Seagate-bug-id: MRP-2787 Reviewed-on: http://review.whamcloud.com/18120 Reviewed-by: Fan Yong Reviewed-by: Vitaly Fertman Reviewed-by: Oleg Drokin Signed-off-by: James Simmons Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 091f48a6644026950eef116301a5be65e2c060d4 Author: frank zago Date: Sat Oct 7 22:36:54 2017 +0000 staging: lustre: hsm: stack overrun in hai_dump_data_field [ Upstream commit 22aadb91c0a0055935109c175f5446abfb130702 ] The function hai_dump_data_field will do a stack buffer overrun when cat'ing /sys/fs/lustre/.../hsm/actions if an action has some data in it. hai_dump_data_field uses snprintf. But there is no check for truncation, and the value returned by snprintf is used as-is. The coordinator code calls hai_dump_data_field with 12 bytes in the buffer. The 6th byte of data is printed incompletely to make room for the terminating NUL. However snprintf still returns 2, so when hai_dump_data_field writes the final NUL, it does it outside the reserved buffer, in the 13th byte of the buffer. This stack buffer overrun hangs my VM. Fix by checking that there is enough room for the next 2 characters plus the NUL terminator. Don't print half bytes. Change the format to 02X instead of .2X, which makes more sense. Signed-off-by: frank zago Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-8171 Reviewed-on: http://review.whamcloud.com/20338 Reviewed-by: John L. Hammond Reviewed-by: Jean-Baptiste Riaux Reviewed-by: Oleg Drokin Signed-off-by: James Simmons Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a513df5968ad2bb58c783979a541c9159b00e44f Author: Yang Sheng Date: Sat Oct 7 22:36:54 2017 +0000 staging: lustre: llite: don't invoke direct_IO for the EOF case [ Upstream commit 77759771fb95420d23876cb104ab65c022613325 ] The function generic_file_read_iter() does not check EOF before invoke direct_IO callback. So we have to check it ourselves. Signed-off-by: Yang Sheng Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-8969 Reviewed-on: https://review.whamcloud.com/24552 Reviewed-by: Bob Glossman Reviewed-by: Bobi Jam Reviewed-by: Oleg Drokin Signed-off-by: James Simmons Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c3f0c2c140005fc041eb6eb5364af46d5ca47e27 Author: Javier Martinez Canillas Date: Sat Oct 7 22:36:54 2017 +0000 platform/x86: intel_mid_thermal: Fix module autoload [ Upstream commit a93151a72061e944a4915458b1b1d6d505c03bbf ] If the driver is built as a module, autoload won't work because the module alias information is not filled. So user-space can't match the registered device with the corresponding module. Export the module alias information using the MODULE_DEVICE_TABLE() macro. Before this patch: $ modinfo drivers/platform/x86/intel_mid_thermal.ko | grep alias $ After this patch: $ modinfo drivers/platform/x86/intel_mid_thermal.ko | grep alias alias: platform:msic_thermal Signed-off-by: Javier Martinez Canillas Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit db5323e5088c2df03673c528c9243b723186910e Author: Raghava Aditya Renukunta Date: Sat Oct 7 22:36:53 2017 +0000 scsi: aacraid: Process Error for response I/O [ Upstream commit 4ec57fb4edaec523f0f78a0449a3b063749ac58b ] Make sure that the driver processes error conditions even in the fast response path for response from the adapter. Signed-off-by: Raghava Aditya Renukunta Signed-off-by: Dave Carroll Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b469d5c393c24a3b1edb3c88e61d2d8c1bc0a38a Author: Jan Beulich Date: Sat Oct 7 22:36:53 2017 +0000 xen/manage: correct return value check on xenbus_scanf() [ Upstream commit 4fed1b125eb6252bde478665fc05d4819f774fa8 ] A negative return value indicates an error; in fact the function at present won't ever return zero. Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b1a38567a9ed04d0c235023d5b2a70cce1a3bc4c Author: Axel Lin Date: Sat Oct 7 22:36:53 2017 +0000 gpio: mcp23s08: Select REGMAP/REGMAP_I2C to fix build error [ Upstream commit e8e1a5b5679b1ae1ff03a3883b011b84e7226171 ] This driver now using devm_regmap_init/devm_regmap_init_i2c, so it needs to select REGMAP/REGMAP_I2C accordingly. Fixes: ("3d84fdb3f0b5 gpio: mcp23s08: use regmap") Signed-off-by: Axel Lin Acked-By: Sebastian Reichel Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 293c98f15d048148a0130da293cc855721dd4fd8 Author: Boris Brezillon Date: Sat Oct 7 22:36:52 2017 +0000 mtd: nand: sunxi: Fix the non-polling case in sunxi_nfc_wait_events() [ Upstream commit 19649e2c16fbc94b664f7074ec4fa9f15292fdce ] wait_for_completion_timeout() returns 0 if a timeout occurred, 1 otherwise. Fix the sunxi_nfc_wait_events() accordingly. Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ceec8374d790f55315deda0cd076b2a556a808c0 Author: Stephen Boyd Date: Sat Oct 7 22:36:52 2017 +0000 clk: sunxi-ng: Check kzalloc() for errors and cleanup error path [ Upstream commit 5d806f9fc8e63d7a44e0fd1ef26a7c27efae0e51 ] This kzalloc() could fail. Let's bail out with -ENOMEM here instead of NULL dereferencing. That silences static checkers. We should also cleanup on the error path even though this function returning an error probably means the system won't boot. Cc: Chen-Yu Tsai Acked-by: Maxime Ripard Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d3b56161e0a35ac64203b01a77e3afbc6ae732f7 Author: Ashok Raj Nagarajan Date: Sat Oct 7 22:36:52 2017 +0000 ath10k: fix reading sram contents for QCA4019 [ Upstream commit 7f622593cc5add77a99cd39404e8a851be9de792 ] With QCA4019 platform, SRAM address can be accessed directly from host but currently, we are assuming sram addresses cannot be accessed directly and hence we convert the addresses. While there, clean up growing hw checks during conversion of target CPU address to CE address. Now we have function pointer pertaining to different chips. Signed-off-by: Ashok Raj Nagarajan Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 90400ec14408d06d20538782543151dea613ae68 Author: Oleh Kravchenko Date: Sat Oct 7 22:36:52 2017 +0000 cx231xx: Fix I2C on Internal Master 3 Bus [ Upstream commit 6c5da8031a3abfad259190d35f83d89568b72ee2 ] Internal Master 3 Bus can send and receive only 4 bytes per time. Signed-off-by: Oleh Kravchenko Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 64674bc8eeadb532cfc18e19a500294447d4bb2b Author: Lukasz Majewski Date: Sat Oct 7 22:36:51 2017 +0000 net: phy: dp83867: Recover from "port mirroring" N/A MODE4 [ Upstream commit ac6e058b75be71208e98a5808453aae9a17be480 ] The DP83867 when not properly bootstrapped - especially with LED_0 pin - can enter N/A MODE4 for "port mirroring" feature. To provide normal operation of the PHY, one needs not only to explicitly disable the port mirroring feature, but as well stop some IC internal testing (which disables RGMII communication). To do that the STRAP_STS1 (0x006E) register must be read and RESERVED bit 11 examined. When it is set, the another RESERVED bit (11) at PHYCR (0x0010) register must be clear to disable testing mode and enable RGMII communication. Thorough explanation of the problem can be found at following e2e thread: "DP83867IR: Problem with RESERVED bits in PHY Control Register (PHYCR) - Linux driver" https://e2e.ti.com/support/interface/ethernet/f/903/p/571313/2096954#2096954 Signed-off-by: Lukasz Majewski Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 227afd93a6ad921a89171422b60b91b9aa1d9af1 Author: Ding Tianhong Date: Sat Oct 7 22:36:51 2017 +0000 clocksource/drivers/arm_arch_timer: Add dt binding for hisilicon-161010101 erratum [ Upstream commit 729e55225b1f6225ee7a2a358d5141a3264627c4 ] This erratum describes a bug in logic outside the core, so MIDR can't be used to identify its presence, and reading an SoC-specific revision register from common arch timer code would be awkward. So, describe it in the device tree. Signed-off-by: Ding Tianhong Acked-by: Rob Herring Signed-off-by: Mark Rutland Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 35c309e4c44686df7d0e776a8b095efc1d6d5641 Author: Fabio Estevam Date: Sat Oct 7 22:36:51 2017 +0000 drm/fsl-dcu: check for clk_prepare_enable() error [ Upstream commit ef15d36154cc741d7ded4ae4fa0cf7987354e313 ] clk_prepare_enable() may fail, so we should better check its return value. Also place the of_node_put() function right after clk_prepare_enable(), in order to avoid calling of_node_put() twice in case clk_prepare_enable() fails. Signed-off-by: Fabio Estevam Signed-off-by: Stefan Agner Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2b462a38bfeae50ebf1df120e1a7b2300d767188 Author: Emmanuel Grumbach Date: Sat Oct 7 22:36:51 2017 +0000 iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station [ Upstream commit d45cb20e123c5d7d6cd56301bc98f0bfd725cd77 ] When we send a deauth to a station we don't know about, we need to use the PROBE_RESP queue. This can happen when we send a deauth to a station that is not associated to us. Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 195fe2ec8631f426203cfaef5376f5e7e96b731c Author: Taeung Song Date: Sat Oct 7 22:36:50 2017 +0000 perf tools: Only increase index if perf_evsel__new_idx() succeeds [ Upstream commit 75fc5ae5cc53fff71041ecadeb3354a2b4c9fe42 ] Signed-off-by: Taeung Song Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Wang Nan Link: http://lkml.kernel.org/r/1485952447-7013-2-git-send-email-treeze.taeung@gmail.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 24cca20a09885765422142dcbe91ed102a305459 Author: Rex Zhu Date: Sat Oct 7 22:36:50 2017 +0000 drm/amdgpu: when dpm disabled, also need to stop/start vce. [ Upstream commit 28ed5504ab4b211a4e589e648e5ebd1e0caa7a6a ] Signed-off-by: Rex Zhu Reviewed-by: Alex Deucher Acked-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f04d92e10580f9d8240457624e89c97b015ec0d6 Author: Chris Brandt Date: Sat Oct 7 22:36:50 2017 +0000 i2c: riic: correctly finish transfers [ Upstream commit 71ccea095ea1d4efd004dab971be6d599e06fc3f ] This fixes the condition where the controller has not fully completed its final transfer and leaves the bus and controller in a undesirable state. At the end of the last transmitted byte, the existing driver would just signal for a STOP condition to be transmitted then immediately signal completion. However, the full STOP procedure might not have fully taken place by the time the runtime PM shuts off the peripheral clock, leaving the bus in a suspended state. Alternatively, the STOP condition on the bus may have completed, but when the next transaction is requested by the upper layer, not all the necessary register cleanup was finished from the last transfer which made the driver return BUS BUSY when it really wasn't. This patch now makes all transmit and receive transactions wait for the STOP condition to fully complete before signaling a completed transaction. With this new method, runtime PM no longer seems to be an issue. Fixes: 310c18a41450 ("i2c: riic: add driver") Signed-off-by: Chris Brandt Reviewed-by: Wolfram Sang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 46d515488a0766968e9ab25423ac7746dfb568cd Author: Netanel Belgazal Date: Sat Oct 7 22:36:50 2017 +0000 net/ena: change driver's default timeouts [ Upstream commit 7102a18ac3f323805e3cd8f3dc64907644608c1e ] The timeouts were too agressive and sometimes cause false alarms. Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 16d65c0c01815f45e3ff5bd20dcabfc808dee597 Author: Jan Kara Date: Sat Oct 7 22:36:49 2017 +0000 ext4: do not use stripe_width if it is not set [ Upstream commit 5469d7c3087ecaf760f54b447f11af6061b7c897 ] Avoid using stripe_width for sbi->s_stripe value if it is not actually set. It prevents using the stride for sbi->s_stripe. Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0e9deca480c30d78c0b922bff9abe2f81284d8fc Author: Jan Kara Date: Sat Oct 7 22:36:49 2017 +0000 ext4: fix stripe-unaligned allocations [ Upstream commit d9b22cf9f5466a057f2a4f1e642b469fa9d73117 ] When a filesystem is created using: mkfs.ext4 -b 4096 -E stride=512 and we try to allocate 64MB extent, we will end up directly in ext4_mb_complex_scan_group(). This is because the request is detected as power-of-two allocation (so we start in ext4_mb_regular_allocator() with ac_criteria == 0) however the check before ext4_mb_simple_scan_group() refuses the direct buddy scan because the allocation request is too large. Since cr == 0, the check whether we should use ext4_mb_scan_aligned() fails as well and we fall back to ext4_mb_complex_scan_group(). Fix the problem by checking for upper limit on power-of-two requests directly when detecting them. Reported-by: Ross Zwisler Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a418b2fd8e53bc297288f6dcd5e8ea37297f3e70 Author: Russell King Date: Sat Oct 7 22:36:49 2017 +0000 net: mvneta: fix build errors when linux/phy*.h is removed from net/dsa.h [ Upstream commit 9303ab2b3402b60f6c39abfdbfa4ce00fce8bee4 ] drivers/net/ethernet/marvell/mvneta.c:2694:26: error: storage size of 'status' isn't known drivers/net/ethernet/marvell/mvneta.c:2695:26: error: storage size of 'changed' isn't known drivers/net/ethernet/marvell/mvneta.c:2695:9: error: variable 'changed' has initializer but incomplete type drivers/net/ethernet/marvell/mvneta.c:2709:2: error: implicit declaration of function 'fixed_phy_update_state' [-Werror=implicit-function-declaration] Add linux/phy_fixed.h to mvneta.c Signed-off-by: Russell King Acked-by: Thomas Petazzoni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c16283db12e179e34c159941f5bec0aa279529ba Author: Christophe JAILLET Date: Sat Oct 7 22:36:49 2017 +0000 PCI/MSI: Return failure when msix_setup_entries() fails [ Upstream commit 3adfb572f2978a980b250a9e1a56f84f3a031001 ] If alloc_msi_entry() fails, we free resources and set ret = -ENOMEM. However, msix_setup_entries() returns 0 unconditionally. Return the error code instead. Fixes: e75eafb9b039 ("genirq/msi: Switch to new irq spreading infrastructure") Signed-off-by: Christophe JAILLET Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a624515184da142dbd583ec9d1e01019ac317b17 Author: Larry Finger Date: Sat Oct 7 22:36:48 2017 +0000 staging: rtl8712u: Fix endian settings for structs describing network packets [ Upstream commit 221c46d28957bd6e2158abc2179ce4a8c9ce07d3 ] The headers describing a number of network packets do not have the correct endian settings for several types of data. Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 47d7bc22c054ad38c6170ea2f182fe7aef3eb6b9 Author: Deepak Khungar Date: Sat Oct 7 22:36:48 2017 +0000 bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs [ Upstream commit 32b40798c1b40343641f04cdfd09652af70ea0e9 ] Signed-off-by: Deepak Khungar Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e6f3caf3bf81d2ace575109aca7d5d547cd3719b Author: Hans de Goede Date: Sat Oct 7 22:36:48 2017 +0000 mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped [ Upstream commit 1af468ebe45591651ec3bafc2e9ddc6fdef70ae0 ] The R in PEK_DBR stands for rising, so it should be mapped to AXP288_IRQ_POKP where the last P stands for positive edge. Likewise PEK_DBF should be mapped to the falling edge, aka the _N_egative edge, so it should be mapped to AXP288_IRQ_POKN. This fixes the inverted powerbutton status reporting by the axp20x-pek driver. Signed-off-by: Hans de Goede Acked-by: Chen-Yu Tsai Signed-off-by: Lee Jones Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b15965b00686e3fb7c489f5cf10bba11ad74339a Author: Linus Walleij Date: Sat Oct 7 22:36:48 2017 +0000 mfd: ab8500-sysctrl: Handle probe deferral [ Upstream commit 7e9c40c63933a643908d686bd89dfc2315e8c70a ] In the current boot, clients making use of the AB8500 sysctrl may be probed before the ab8500-sysctrl driver. This gives them -EINVAL, but should rather give -EPROBE_DEFER. Before this, the abx500 clock driver didn't probe properly, and as a result the codec driver in turn using the clocks did not probe properly. After this patch, everything probes properly. Also add OF compatible-string probing. This driver is all device tree, so let's just make a drive-by-fix of that as well. Signed-off-by: Linus Walleij Signed-off-by: Lee Jones Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1bd47ceafbd72aa91a3ec00140bb35d495daf837 Author: Arnd Bergmann Date: Sat Oct 7 22:36:47 2017 +0000 mmc: s3cmci: include linux/interrupt.h for tasklet_struct [ Upstream commit e1c6ec26b853e9062f0b3daaf695c546d0702953 ] I got this new build error on today's linux-next drivers/mmc/host/s3cmci.h:69:24: error: field 'pio_tasklet' has incomplete type struct tasklet_struct pio_tasklet; drivers/mmc/host/s3cmci.c: In function 's3cmci_enable_irq': drivers/mmc/host/s3cmci.c:390:4: error: implicit declaration of function 'enable_irq';did you mean 'enable_imask'? [-Werror=implicit-function-declaration] While I haven't found out why this happened now and not earlier, the solution is obvious, we should include the header that defines the structure. Signed-off-by: Arnd Bergmann Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 31a8b19dbe6a449d0a0e8d0cee209911ba0b6389 Author: Shivasharan S Date: Sat Oct 7 22:36:47 2017 +0000 scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW syspdIO, change fp_possible to bool [ Upstream commit 1d6dbd1752fb4347a4a5db06c8f5cd35dd1919f4 ] FIX - firmware wants non-RW SYS PD IOs to avoid FastPath for better tracking and other functionalities if the device is task management capable. Signed-off-by: Kashyap Desai Signed-off-by: Shivasharan S Reviewed-by: Hannes Reinecke Reviewed-by: Tomas Henzl Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7da4cd97f58be693edb2f7b89f3c58ded51f5ad2 Author: Grygorii Strashko Date: Sat Oct 7 22:36:47 2017 +0000 PM / wakeirq: report a wakeup_event on dedicated wekup irq [ Upstream commit 09bb6e93956ae5175b96905b723ec879c3ca0765 ] There are two reasons for reporting wakeup event when dedicated wakeup IRQ is triggered: - wakeup events accounting, so proper statistical data will be displayed in sysfs and debugfs; - there are small window when System is entering suspend during which dedicated wakeup IRQ can be lost: dpm_suspend_noirq() |- device_wakeup_arm_wake_irqs() |- dev_pm_arm_wake_irq(X) |- IRQ is enabled and marked as wakeup source [1]... |- suspend_device_irqs() |- suspend_device_irq(X) |- irqd_set(X, IRQD_WAKEUP_ARMED); |- wakup IRQ armed The wakeup IRQ can be lost if it's triggered at point [1] and not armed yet. Hence, fix above cases by adding simple pm_wakeup_event() call in handle_threaded_wake_irq(). Fixes: 4990d4fe327b (PM / Wakeirq: Add automated device wake IRQ handling) Signed-off-by: Grygorii Strashko Tested-by: Keerthy [ tony@atomide.com: added missing return to avoid warnings ] Tested-by: Tony Lindgren Signed-off-by: Tony Lindgren Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 80eabac6c53aeca0447934bec65fb97449c6b85f Author: Majd Dibbiny Date: Sat Oct 7 22:36:47 2017 +0000 IB/mlx5: Assign DSCP for R-RoCE QPs Address Path [ Upstream commit ed88451e1f2d400fd6a743d0a481631cf9f97550 ] For Routable RoCE QPs, the DSCP should be set in the QP's address path. The DSCP's value is derived from the traffic class. Fixes: 2811ba51b049 ("IB/mlx5: Add RoCE fields to Address Vector") Cc: Achiad Shochat Signed-off-by: Majd Dibbiny Reviewed-by: Moni Shoua Signed-off-by: Leon Romanovsky Reviewed-by: Yuval Shaia Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 733ab05adc1eb37e828bdd51b65704413ca25154 Author: Bogdan Purcareata Date: Sat Oct 7 22:36:46 2017 +0000 staging: fsl-mc: Add missing header [ Upstream commit 07e9ef146071adf316312b3dd4abfe41c9a45a7d ] Compiling the fsl-mc bus driver will yield a couple of static analysis errors: warning: symbol 'fsl_mc_msi_domain_alloc_irqs' was not declared warning: symbol 'fsl_mc_msi_domain_free_irqs' was not declared. warning: symbol 'its_fsl_mc_msi_init' was not declared. warning: symbol 'its_fsl_mc_msi_cleanup' was not declared. Since these are properly declared, but the header is not included, add it in the source files. This way the symbol is properly exported. Signed-off-by: Bogdan Purcareata Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 58b9a54ae03d9fecaaaea83a08098b2aeae41201 Author: Gary R Hook Date: Sat Oct 7 22:36:46 2017 +0000 crypto: ccp - Set the AES size field for all modes [ Upstream commit f7cc02b3c3a33a10dd5bb9e5dfd22e47e09503a2 ] Ensure that the size field is correctly populated for all AES modes. Signed-off-by: Gary R Hook Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5208153038d3a75bf196869498ffd2926b848b8b Author: Rafael J. Wysocki Date: Sat Oct 7 22:36:46 2017 +0000 cpufreq: Do not clear real_cpus mask on policy init [ Upstream commit f451014692ae34e587b00de6745e16661cf734d8 ] If new_policy is set in cpufreq_online(), the policy object has just been created and its real_cpus mask has been zeroed on allocation, and the driver's ->init() callback should not touch it. It doesn't need to be cleared again, so don't do that. Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f1e7f9dc11983c9bbc615ef1002df65fb8d8ccd4 Author: Linus Torvalds Date: Fri Oct 27 20:35:31 2017 -0700 Fix tracing sample code warning. commit a0cb2b5c390151837b08e5f7bca4a6ecddbcd39c upstream. Commit 6575257c60e1 ("tracing/samples: Fix creation and deletion of simple_thread_fn creation") introduced a new warning due to using a boolean as a counter. Just make it "int". Fixes: 6575257c60e1 ("tracing/samples: Fix creation and deletion of simple_thread_fn creation") Cc: Steven Rostedt Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 86b0853f73912805d96b87d016599f59b64965f5 Author: Steven Rostedt (VMware) Date: Tue Oct 17 14:55:24 2017 -0400 tracing/samples: Fix creation and deletion of simple_thread_fn creation commit 6575257c60e1a26a5319ccf2b5ce5b6449001017 upstream. Commit 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and DEFINE_EVENT()") added template examples for all the events. It created a DEFINE_EVENT_FN() example which reused the foo_bar_reg and foo_bar_unreg functions. Enabling both the TRACE_EVENT_FN() and DEFINE_EVENT_FN() example trace events caused the foo_bar_reg to be called twice, creating the test thread twice. The foo_bar_unreg would remove it only once, even if it was called multiple times, leaving a thread existing when the module is unloaded, causing an oops. Add a ref count and allow foo_bar_reg() and foo_bar_unreg() be called by multiple trace events. Fixes: 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and DEFINE_EVENT()") Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 8b2653de6f78741b6e5217fc74b538a7f67f1a82 Author: Dan Carpenter Date: Fri Jun 30 10:59:15 2017 +0300 drm/msm: fix an integer overflow test commit 65e93108891e571f177c202add9288eda9ac4100 upstream. We recently added an integer overflow check but it needs an additional tweak to work properly on 32 bit systems. The problem is that we're doing the right hand side of the assignment as type unsigned long so the max it will have an integer overflow instead of being larger than SIZE_MAX. That means the "sz > SIZE_MAX" condition is never true even on 32 bit systems. We need to first cast it to u64 and then do the math. Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue") Signed-off-by: Dan Carpenter Acked-by: Jordan Crouse Signed-off-by: Rob Clark Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 06bf74cdbdbeb0035c337f5fd090b15d99e690c4 Author: Kasin Li Date: Mon Jun 19 15:36:53 2017 -0600 drm/msm: Fix potential buffer overflow issue commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream. In function submit_create, if nr_cmds or nr_bos is assigned with negative value, the allocated buffer may be small than intended. Using this buffer will lead to buffer overflow issue. Signed-off-by: Kasin Li Signed-off-by: Jordan Crouse Signed-off-by: Rob Clark Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 984dcb32ffd03e852644330edf0220dc16eef1dd Author: Jani Nikula Date: Thu Oct 26 17:29:31 2017 +0300 drm/i915/edp: read edp display control registers unconditionally commit 7c838e2a9be5ab79b11c7f1520813bfdf0f45462 upstream. Per my reading of the eDP spec, DP_DPCD_DISPLAY_CONTROL_CAPABLE bit in DP_EDP_CONFIGURATION_CAP should be set if the eDP display control registers starting at offset DP_EDP_DPCD_REV are "enabled". Currently we check the bit before reading the registers, and DP_EDP_DPCD_REV is the only way to detect eDP revision. Turns out there are (likely buggy) displays that require eDP 1.4+ features, such as supported link rates and link rate select, but do not have the bit set. Read the display control registers unconditionally. They are supposed to read zero anyway if they are not supported, so there should be no harm in this. This fixes the referenced bug by enabling the eDP version check, and thus reading of the supported link rates. The panel in question has 0 in DP_MAX_LINK_RATE which is only supported in eDP 1.4+. Without the supported link rates method we default to RBR which is insufficient for the panel native mode. As a curiosity, the panel also has a bogus value of 0x12 in DP_EDP_DPCD_REV, but that passes our check for >= DP_EDP_14 (which is 0x03). Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103400 Reported-and-tested-by: Nicolas P. Cc: Ville Syrjälä Reviewed-by: Ville Syrjälä Reviewed-by: Manasi Navare Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20171026142932.17737-1-jani.nikula@intel.com (cherry picked from commit 0501a3b0eb01ac2209ef6fce76153e5d6b07034e) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit f2fd2d945446f37402ec727b1f3c1ee610b105fe Author: Ashish Samant Date: Thu Nov 2 15:59:37 2017 -0700 ocfs2: fstrim: Fix start offset of first cluster group during fstrim commit 105ddc93f06ebe3e553f58563d11ed63dbcd59f0 upstream. The first cluster group descriptor is not stored at the start of the group but at an offset from the start. We need to take this into account while doing fstrim on the first cluster group. Otherwise we will wrongly start fstrim a few blocks after the desired start block and the range can cross over into the next cluster group and zero out the group descriptor there. This can cause filesytem corruption that cannot be fixed by fsck. Link: http://lkml.kernel.org/r/1507835579-7308-1-git-send-email-ashish.samant@oracle.com Signed-off-by: Ashish Samant Reviewed-by: Junxiao Bi Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 09907f0cbe61f65d9dba6ad1a3bbb9f5ca31c2c9 Author: Leo Liu Date: Tue Oct 31 21:03:39 2017 -0400 drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting commit cb4b02d7cac56a69d8137d8d843507cca9182aed upstream. Fixes init failures on polaris cards with harvested UVD. Signed-off-by: Leo Liu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit b3937f55c725894d03ca6592a8dd29662e85251d Author: Arnd Bergmann Date: Fri Oct 20 21:17:05 2017 +0100 ARM: 8715/1: add a private asm/unaligned.h commit 1cce91dfc8f7990ca3aea896bfb148f240b12860 upstream. The asm-generic/unaligned.h header provides two different implementations for accessing unaligned variables: the access_ok.h version used when CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS is set pretends that all pointers are in fact aligned, while the le_struct.h version convinces gcc that the alignment of a pointer is '1', to make it issue the correct load/store instructions depending on the architecture flags. On ARMv5 and older, we always use the second version, to let the compiler use byte accesses. On ARMv6 and newer, we currently use the access_ok.h version, so the compiler can use any instruction including stm/ldm and ldrd/strd that will cause an alignment trap. This trap can significantly impact performance when we have to do a lot of fixups and, worse, has led to crashes in the LZ4 decompressor code that does not have a trap handler. This adds an ARM specific version of asm/unaligned.h that uses the le_struct.h/be_struct.h implementation unconditionally. This should lead to essentially the same code on ARMv6+ as before, with the exception of using regular load/store instructions instead of the trapping instructions multi-register variants. The crash in the LZ4 decompressor code was probably introduced by the patch replacing the LZ4 implementation, commit 4e1a33b105dd ("lib: update LZ4 compressor module"), so linux-4.11 and higher would be affected most. However, we probably want to have this backported to all older stable kernels as well, to help with the performance issues. There are two follow-ups that I think we should also work on, but not backport to stable kernels, first to change the asm-generic version of the header to remove the ARM special case, and second to review all other uses of CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS to see if they might be affected by the same problem on ARM. Signed-off-by: Arnd Bergmann Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit e059fc3c36c01cf7c67e3177132e18d16278630a Author: Julien Thierry Date: Fri Oct 20 12:34:17 2017 +0100 arm/arm64: kvm: Disable branch profiling in HYP code commit f9b269f3098121b5d54aaf822e0898c8ed1d3fec upstream. When HYP code runs into branch profiling code, it attempts to jump to unmapped memory, causing a HYP Panic. Disable the branch profiling for code designed to run at HYP mode. Signed-off-by: Julien Thierry Acked-by: Marc Zyngier Cc: Christoffer Dall Cc: Catalin Marinas Cc: Will Deacon Cc: Russell King Signed-off-by: Christoffer Dall Signed-off-by: Greg Kroah-Hartman commit d7d5a30e23a2e10210ec9cd92ea64af6649557be Author: Dongjiu Geng Date: Tue Oct 17 22:23:49 2017 +0800 arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort commit fd6c8c206fc5d0717b0433b191de0715122f33bb upstream. When a exception is trapped to EL2, hardware uses ELR_ELx to hold the current fault instruction address. If KVM wants to inject a abort to 32 bit guest, it needs to set the LR register for the guest to emulate this abort happened in the guest. Because ARM32 architecture is pipelined execution, so the LR value has an offset to the fault instruction address. The offsets applied to Link value for exceptions as shown below, which should be added for the ARM32 link register(LR). Table taken from ARMv8 ARM DDI0487B-B, table G1-10: Exception Offset, for PE state of: A32 T32 Undefined Instruction +4 +2 Prefetch Abort +4 +4 Data Abort +8 +8 IRQ or FIQ +4 +4 [ Removed unused variables in inject_abt to avoid compile warnings. -- Christoffer ] Signed-off-by: Dongjiu Geng Tested-by: Haibin Zhang Reviewed-by: Marc Zyngier Signed-off-by: Christoffer Dall Signed-off-by: Greg Kroah-Hartman commit 011b44af00774e76903e9f6356b206a8f9d9d6ce Author: Mark Rutland Date: Thu Nov 2 16:12:03 2017 +0000 arm64: ensure __dump_instr() checks addr_limit commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream. It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address. Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory. Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases. Fixes: 60ffc30d5652810d ("arm64: Exception handling") Acked-by: Will Deacon Signed-off-by: Mark Rutland Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 43f69519e9f9948b0a5db2840f25ba555586c558 Author: Ricard Wanderlof Date: Thu Sep 7 15:31:38 2017 +0200 ASoC: adau17x1: Workaround for noise bug in ADC commit 1e6f4fc06f6411adf98bbbe7fcd79442cd2b2a75 upstream. The ADC in the ADAU1361 (and possibly other Analog Devices codecs) exhibits a cyclic variation in the noise floor (in our test setup between -87 and -93 dB), a new value being attained within this range whenever a new capture stream is started. The cycle repeats after about 10 or 11 restarts. The workaround recommended by the manufacturer is to toggle the ADOSR bit in the Converter Control 0 register each time a new capture stream is started. I have verified that the patch fixes this problem on the ADAU1361, and according to the manufacturer toggling the bit in question in this manner will at least have no detrimental effect on other chips served by this driver. Signed-off-by: Ricard Wanderlof Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit cb14a0dd1f74fc2eb2125d200ef785685fc1098a Author: Eric Biggers Date: Thu Nov 2 00:47:19 2017 +0000 KEYS: fix out-of-bounds read during ASN.1 parsing commit 2eb9eabf1e868fda15808954fb29b0f105ed65f1 upstream. syzkaller with KASAN reported an out-of-bounds read in asn1_ber_decoder(). It can be reproduced by the following command, assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y: keyctl add asymmetric desc $'\x30\x30' @s The bug is that the length of an ASN.1 data value isn't validated in the case where it is encoded using the short form, causing the decoder to read past the end of the input buffer. Fix it by validating the length. The bug report was: BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233 Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818 CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0xb3/0x10b lib/dump_stack.c:52 print_address_description+0x79/0x2a0 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x236/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233 x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89 x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174 asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388 key_create_or_update+0x347/0xb20 security/keys/key.c:855 SYSC_add_key security/keys/keyctl.c:122 [inline] SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x447c89 RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89 RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5 RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700 Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder") Signed-off-by: Eric Biggers Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 0be72aebbff3d71851dd7ee98ec9f20018456448 Author: Eric Biggers Date: Thu Nov 2 00:47:03 2017 +0000 KEYS: return full count in keyring_read() if buffer is too small commit 3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f upstream. Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()") made keyring_read() stop corrupting userspace memory when the user-supplied buffer is too small. However it also made the return value in that case be the short buffer size rather than the size required, yet keyctl_read() is actually documented to return the size required. Therefore, switch it over to the documented behavior. Note that for now we continue to have it fill the short buffer, since it did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably relies on it. Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()") Reported-by: Ben Hutchings Signed-off-by: Eric Biggers Signed-off-by: David Howells Reviewed-by: James Morris Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 5e8b028abaf85502c53fb3af795f3c61d7cbcdc8 Author: Ronnie Sahlberg Date: Mon Oct 30 13:28:03 2017 +1100 cifs: check MaxPathNameComponentLength != 0 before using it commit f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 upstream. And fix tcon leak in error path. Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: David Disseldorp Signed-off-by: Greg Kroah-Hartman commit ffb76bb8aa9e18e97b40cd60f9cb0670cc1b8096 Author: Takashi Iwai Date: Sun Oct 29 11:10:43 2017 +0100 ALSA: seq: Fix nested rwsem annotation for lockdep splat commit 1f20f9ff57ca23b9f5502fca85ce3977e8496cb1 upstream. syzkaller reported the lockdep splat due to the possible deadlock of grp->list_mutex of each sequencer client object. Actually this is rather a false-positive report due to the missing nested lock annotations. The sequencer client may deliver the event directly to another client which takes another own lock. For addressing this issue, this patch replaces the simple down_read() with down_read_nested(). As a lock subclass, the already existing "hop" can be re-used, which indicates the depth of the call. Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com Reported-by: syzbot Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c778c8187e442f6f5d111ae41c4730e265dcf084 Author: Takashi Iwai Date: Sun Oct 29 11:02:04 2017 +0100 ALSA: timer: Add missing mutex lock for compat ioctls commit 79fb0518fec8c8b4ea7f1729f54f293724b3dbb0 upstream. The races among ioctl and other operations were protected by the commit af368027a49a ("ALSA: timer: Fix race among timer ioctls") and later fixes, but one code path was forgotten in the scenario: the 32bit compat ioctl. As syzkaller recently spotted, a very similar use-after-free may happen with the combination of compat ioctls. The fix is simply to apply the same ioctl_lock to the compat_ioctl callback, too. Fixes: af368027a49a ("ALSA: timer: Fix race among timer ioctls") Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com Reported-by: syzbot Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman