commit 7b13756d2c328e35f0640d16b68541e6f72339b8 Author: Greg Kroah-Hartman Date: Fri May 10 18:36:14 2019 +0200 Linux 5.0.15 commit 41d7bb19aa31f1079155c4e07bcb366cf424e8d8 Author: Will Deacon Date: Mon Apr 8 14:23:17 2019 +0100 arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP commit 03110a5cb2161690ae5ac04994d47ed0cd6cef75 upstream. Our futex implementation makes use of LDXR/STXR loops to perform atomic updates to user memory from atomic context. This can lead to latency problems if we end up spinning around the LL/SC sequence at the expense of doing something useful. Rework our futex atomic operations so that we return -EAGAIN if we fail to update the futex word after 128 attempts. The core futex code will reschedule if necessary and we'll try again later. Cc: Fixes: 6170a97460db ("arm64: Atomic operations") Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 3b928b59fae0e10d856f4a58e67839384239e507 Author: Will Deacon Date: Thu Feb 28 11:58:08 2019 +0000 locking/futex: Allow low-level atomic operations to return -EAGAIN commit 6b4f4bc9cb22875f97023984a625386f0c7cc1c0 upstream. Some futex() operations, including FUTEX_WAKE_OP, require the kernel to perform an atomic read-modify-write of the futex word via the userspace mapping. These operations are implemented by each architecture in arch_futex_atomic_op_inuser() and futex_atomic_cmpxchg_inatomic(), which are called in atomic context with the relevant hash bucket locks held. Although these routines may return -EFAULT in response to a page fault generated when accessing userspace, they are expected to succeed (i.e. return 0) in all other cases. This poses a problem for architectures that do not provide bounded forward progress guarantees or fairness of contended atomic operations and can lead to starvation in some cases. In these problematic scenarios, we must return back to the core futex code so that we can drop the hash bucket locks and reschedule if necessary, much like we do in the case of a page fault. Allow architectures to return -EAGAIN from their implementations of arch_futex_atomic_op_inuser() and futex_atomic_cmpxchg_inatomic(), which will cause the core futex code to reschedule if necessary and return back to the architecture code later on. Cc: Acked-by: Peter Zijlstra (Intel) Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit be4b9a303a25614f92ef1574a1af730ec358fc04 Author: Dan Carpenter Date: Tue Apr 23 13:40:20 2019 +0300 i3c: Fix a shift wrap bug in i3c_bus_set_addr_slot_status() commit 476c7e1d34f2a03b1aa5a924c50703053fe5f77c upstream. The problem here is that addr can be I3C_BROADCAST_ADDR (126). That means we're shifting by (126 * 2) % 64 which is 60. The I3C_ADDR_SLOT_STATUS_MASK is an enum which is an unsigned int in GCC so shifts greater than 31 are undefined. Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") Cc: Signed-off-by: Dan Carpenter Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit 4b1f2ad28fe1a950dd42de155be3019878a0224f Author: Ross Zwisler Date: Mon Apr 29 12:25:17 2019 -0600 ASoC: Intel: avoid Oops if DMA setup fails commit 0efa3334d65b7f421ba12382dfa58f6ff5bf83c4 upstream. Currently in sst_dsp_new() if we get an error return from sst_dma_new() we just print an error message and then still complete the function successfully. This means that we are trying to run without sst->dma properly set up, which will result in NULL pointer dereference when sst->dma is later used. This was happening for me in sst_dsp_dma_get_channel(): struct sst_dma *dma = dsp->dma; ... dma->ch = dma_request_channel(mask, dma_chan_filter, dsp); This resulted in: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 IP: sst_dsp_dma_get_channel+0x4f/0x125 [snd_soc_sst_firmware] Fix this by adding proper error handling for the case where we fail to set up DMA. This change only affects Haswell and Broadwell systems. Baytrail systems explicilty opt-out of DMA via sst->pdata->resindex_dma_base being set to -1. Signed-off-by: Ross Zwisler Cc: stable@vger.kernel.org Acked-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 987722984163181a347569f8c667449d87ac61f5 Author: Oliver Neukum Date: Tue Apr 30 12:21:45 2019 +0200 UAS: fix alignment of scatter/gather segments commit 3ae62a42090f1ed48e2313ed256a1182a85fb575 upstream. This is the UAS version of 747668dbc061b3e62bc1982767a3a1f9815fcf0e usb-storage: Set virt_boundary_mask to avoid SG overflows We are not as likely to be vulnerable as storage, as it is unlikelier that UAS is run over a controller without native support for SG, but the issue exists. The issue has been existing since the inception of the driver. Fixes: 115bb1ffa54c ("USB: Add UAS driver") Signed-off-by: Oliver Neukum Cc: stable Signed-off-by: Greg Kroah-Hartman commit 349bb9138b3a013f5abb5f4ddf61e4da5b266385 Author: Chen-Yu Tsai Date: Mon Apr 1 11:43:12 2019 +0800 Bluetooth: hci_bcm: Fix empty regulator supplies for Intel Macs commit 62611abc8f37d00e3b0cff0eb2d72fa92b05fd27 upstream. The code path for Macs goes through bcm_apple_get_resources(), which skips over the code that sets up the regulator supplies. As a result, the call to regulator_bulk_enable() / regulator_bulk_disable() results in a NULL pointer dereference. This was reported on the kernel.org Bugzilla, bug 202963. Unbreak Broadcom Bluetooth support on Intel Macs by checking if the supplies were set up before enabling or disabling them. The same does not need to be done for the clocks, as the common clock framework API checks for NULL pointers. Fixes: 75d11676dccb ("Bluetooth: hci_bcm: Add support for regulator supplies") Cc: # 5.0.x Signed-off-by: Chen-Yu Tsai Tested-by: Imre Kaloz Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 41d5f23ef17b8bc4ffc107c0c850a095311b88dd Author: Luiz Augusto von Dentz Date: Thu Mar 14 15:43:37 2019 +0200 Bluetooth: Fix not initializing L2CAP tx_credits commit ba8f5289f706aed94cc95b15cc5b89e22062f61f upstream. l2cap_le_flowctl_init was reseting the tx_credits which works only for outgoing connection since that set the tx_credits on the response, for incoming connections that was not the case which leaves the channel without any credits causing it to be suspended. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org # 4.20+ Signed-off-by: Greg Kroah-Hartman commit 2c93762f4b38d894158bdf73a783685d39d6a981 Author: Marcel Holtmann Date: Wed Apr 24 22:19:17 2019 +0200 Bluetooth: Align minimum encryption key size for LE and BR/EDR connections commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream. The minimum encryption key size for LE connections is 56 bits and to align LE with BR/EDR, enforce 56 bits of minimum encryption key size for BR/EDR connections as well. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 1c1727f4b9482b252e2113bd4d9095c086c0d2a0 Author: Young Xiao Date: Fri Apr 12 15:24:30 2019 +0800 Bluetooth: hidp: fix buffer overflow commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream. Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command. This vulnerability is similar to CVE-2011-1079. Signed-off-by: Young Xiao Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 69d6687a5c6638336f99a3ae9cad30bd64aa8710 Author: Quinn Tran Date: Tue Apr 23 14:52:35 2019 -0700 scsi: qla2xxx: Fix device staying in blocked state commit 2137490f2147a8d0799b72b9a1023efb012d40c7 upstream. This patch fixes issue reported by some of the customers, who discovered that after cable pull scenario the devices disappear and path seems to remain in blocked state. Once the device reappears, driver does not seem to update path to online. This issue appears because of the defer flag creating race condition where the same session reappears. This patch fixes this issue by indicating SCSI-ML of device lost when qlt_free_session_done() is called from qlt_unreg_sess(). Fixes: 41dc529a4602a ("qla2xxx: Improve RSCN handling in driver") Signed-off-by: Quinn Tran Cc: stable@vger.kernel.org #4.19 Signed-off-by: Himanshu Madhani Reviewed-by: Ewan D. Milne Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit aee2053554eaa5b887b1a655753f7b8d254fae19 Author: Andrew Vasquez Date: Tue Apr 2 14:24:25 2019 -0700 scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream. Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code") incorrectly set 'optrom_region_size' to 'start+size', which can overflow option-rom boundaries when 'start' is non-zero. Continue setting optrom_region_size to the proper adjusted value of 'size'. Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code") Cc: stable@vger.kernel.org Signed-off-by: Andrew Vasquez Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 45076c8e403a275185a089a20574fb772134f7c1 Author: Silvio Cesare Date: Thu Mar 21 09:44:32 2019 -0700 scsi: lpfc: change snprintf to scnprintf for possible overflow commit e7f7b6f38a44697428f5a2e7c606de028df2b0e3 upstream. Change snprintf to scnprintf. There are generally two cases where using snprintf causes problems. 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) In this case, if snprintf would have written more characters than what the buffer size (SIZE) is, then size will end up larger than SIZE. In later uses of snprintf, SIZE - size will result in a negative number, leading to problems. Note that size might already be too large by using size = snprintf before the code reaches a case of size += snprintf. 2) If size is ultimately used as a length parameter for a copy back to user space, then it will potentially allow for a buffer overflow and information disclosure when size is greater than SIZE. When the size is used to index the buffer directly, we can have memory corruption. This also means when size = snprintf... is used, it may also cause problems since size may become large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel configuration. The solution to these issues is to use scnprintf which returns the number of characters actually written to the buffer, so the size variable will never exceed SIZE. Signed-off-by: Silvio Cesare Signed-off-by: Willy Tarreau Signed-off-by: James Smart Cc: Dick Kennedy Cc: Dan Carpenter Cc: Kees Cook Cc: Will Deacon Cc: Greg KH Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 185e58d16ac81155bb3c3460788f698049d15b8e Author: Samuel Holland Date: Tue Apr 30 09:59:37 2019 -0500 soc: sunxi: Fix missing dependency on REGMAP_MMIO commit a84014e1db35d8e7af09878d0b4bf30804fb17d5 upstream. When enabling ARCH_SUNXI from allnoconfig, SUNXI_SRAM is enabled, but not REGMAP_MMIO, so the kernel fails to link with an undefined reference to __devm_regmap_init_mmio_clk. Select REGMAP_MMIO, as suggested in drivers/base/regmap/Kconfig. This creates the following dependency loop: drivers/of/Kconfig:68: symbol OF_IRQ depends on IRQ_DOMAIN kernel/irq/Kconfig:63: symbol IRQ_DOMAIN is selected by REGMAP drivers/base/regmap/Kconfig:7: symbol REGMAP default is visible depending on REGMAP_MMIO drivers/base/regmap/Kconfig:39: symbol REGMAP_MMIO is selected by SUNXI_SRAM drivers/soc/sunxi/Kconfig:4: symbol SUNXI_SRAM is selected by USB_MUSB_SUNXI drivers/usb/musb/Kconfig:63: symbol USB_MUSB_SUNXI depends on GENERIC_PHY drivers/phy/Kconfig:7: symbol GENERIC_PHY is selected by PHY_BCM_NS_USB3 drivers/phy/broadcom/Kconfig:29: symbol PHY_BCM_NS_USB3 depends on MDIO_BUS drivers/net/phy/Kconfig:12: symbol MDIO_BUS default is visible depending on PHYLIB drivers/net/phy/Kconfig:181: symbol PHYLIB is selected by ARC_EMAC_CORE drivers/net/ethernet/arc/Kconfig:18: symbol ARC_EMAC_CORE is selected by ARC_EMAC drivers/net/ethernet/arc/Kconfig:24: symbol ARC_EMAC depends on OF_IRQ To fix the circular dependency, make USB_MUSB_SUNXI select GENERIC_PHY instead of depending on it. This matches the use of GENERIC_PHY by all but two other drivers. Cc: # 4.19 Fixes: 5828729bebbb ("soc: sunxi: export a regmap for EMAC clock reg on A64") Signed-off-by: Samuel Holland Acked-by: Maxime Ripard Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 34ebc8ad2ea4eb4f8b981fa403391a6030721f54 Author: Hans de Goede Date: Thu Apr 18 13:39:33 2019 +0200 ACPI / LPSS: Use acpi_lpss_* instead of acpi_subsys_* functions for hibernate commit c8afd03486c26accdda4846e5561aa3f8e862a9d upstream. Commit 48402cee6889 ("ACPI / LPSS: Resume BYT/CHT I2C controllers from resume_noirq") makes acpi_lpss_{suspend_late,resume_early}() bail early on BYT/CHT as resume_from_noirq is set. This means that on resume from hibernate dw_i2c_plat_resume() doesn't get called by the restore_early callback, acpi_lpss_resume_early(). Instead it should be called by the restore_noirq callback matching how things are done when resume_from_noirq is set and we are doing a regular resume. Change the restore_noirq callback to acpi_lpss_resume_noirq so that dw_i2c_plat_resume() gets properly called when resume_from_noirq is set and we are resuming from hibernate. Likewise also change the poweroff_noirq callback so that dw_i2c_plat_suspend gets called properly. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202139 Fixes: 48402cee6889 ("ACPI / LPSS: Resume BYT/CHT I2C controllers from resume_noirq") Reported-by: Kai-Heng Feng Signed-off-by: Hans de Goede Cc: 4.20+ # 4.20+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 61ae16c4586b34ba00edd5d4357eb37a9bec08ef Author: Gregory CLEMENT Date: Fri Mar 8 17:47:10 2019 +0100 cpufreq: armada-37xx: fix frequency calculation for opp commit 8db82563451f976597ab7b282ec655e4390a4088 upstream. The frequency calculation was based on the current(max) frequency of the CPU. However for low frequency, the value used was already the parent frequency divided by a factor of 2. Instead of using this frequency, this fix directly get the frequency from the parent clock. Fixes: 92ce45fb875d ("cpufreq: Add DVFS support for Armada 37xx") Cc: Reported-by: Christian Neubert Signed-off-by: Gregory CLEMENT Signed-off-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit 573a935bfb4fdd35fe8ca60170322c19ff0fe305 Author: Bjorn Andersson Date: Tue Apr 16 16:49:27 2019 -0700 iio: adc: qcom-spmi-adc5: Fix of-based module autoloading commit 447ccb4e0834a9f9f0dd5643e421c7f1a1649e6a upstream. The of_device_id table needs to be registered as module alias in order for automatic module loading to pick the kernel module based on the DeviceTree compatible. So add MODULE_DEVICE_TABLE() to make this happen. Fixes: e13d757279bb ("iio: adc: Add QCOM SPMI PMIC5 ADC driver") Cc: stable@vger.kernel.org Signed-off-by: Bjorn Andersson Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 284af27884325c5260dbfd29672a46cc5bf0556c Author: Alexander Shishkin Date: Wed Apr 17 10:35:36 2019 +0300 intel_th: pci: Add Comet Lake support commit e60e9a4b231a20a199d7a61caadc48693c30d695 upstream. This adds support for Intel TH on Comet Lake. Signed-off-by: Alexander Shishkin Cc: stable Signed-off-by: Greg Kroah-Hartman commit 704eaf49399fe5998140c93b9af8acc73b79a813 Author: Alan Stern Date: Mon Apr 15 13:19:25 2019 -0400 usb-storage: Set virt_boundary_mask to avoid SG overflows commit 747668dbc061b3e62bc1982767a3a1f9815fcf0e upstream. The USB subsystem has always had an unusual requirement for its scatter-gather transfers: Each element in the scatterlist (except the last one) must have a length divisible by the bulk maxpacket size. This is a particular issue for USB mass storage, which uses SG lists created by the block layer rather than setting up its own. So far we have scraped by okay because most devices have a logical block size of 512 bytes or larger, and the bulk maxpacket sizes for USB 2 and below are all <= 512. However, USB 3 has a bulk maxpacket size of 1024. Since the xhci-hcd driver includes native SG support, this hasn't mattered much. But now people are trying to use USB-3 mass storage devices with USBIP, and the vhci-hcd driver currently does not have full SG support. The result is an overflow error, when the driver attempts to implement an SG transfer of 63 512-byte blocks as a single 3584-byte (7 blocks) transfer followed by seven 4096-byte (8 blocks) transfers. The device instead sends 31 1024-byte packets followed by a 512-byte packet, and this overruns the first SG buffer. Ideally this would be fixed by adding better SG support to vhci-hcd. But for now it appears we can work around the problem by asking the block layer to respect the maxpacket limitation, through the use of the virt_boundary_mask. Signed-off-by: Alan Stern Reported-by: Seth Bollinger Tested-by: Seth Bollinger CC: Ming Lei Cc: stable Signed-off-by: Greg Kroah-Hartman commit bba2feefcacd3cbdb7b9570debc5cbf80b944944 Author: Johan Hovold Date: Thu Apr 25 18:05:39 2019 +0200 USB: cdc-acm: fix unthrottle races commit 764478f41130f1b8d8057575b89e69980a0f600d upstream. Fix two long-standing bugs which could potentially lead to memory corruption or leave the port throttled until it is reopened (on weakly ordered systems), respectively, when read-URB completion races with unthrottle(). First, the URB must not be marked as free before processing is complete to prevent it from being submitted by unthrottle() on another CPU. CPU 1 CPU 2 ================ ================ complete() unthrottle() process_urb(); smp_mb__before_atomic(); set_bit(i, free); if (test_and_clear_bit(i, free)) submit_urb(); Second, the URB must be marked as free before checking the throttled flag to prevent unthrottle() on another CPU from failing to observe that the URB needs to be submitted if complete() sees that the throttled flag is set. CPU 1 CPU 2 ================ ================ complete() unthrottle() set_bit(i, free); throttled = 0; smp_mb__after_atomic(); smp_mb(); if (throttled) if (test_and_clear_bit(i, free)) return; submit_urb(); Note that test_and_clear_bit() only implies barriers when the test is successful. To handle the case where the URB is still in use an explicit barrier needs to be added to unthrottle() for the second race condition. Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix race between callback and unthrottle") back in 2015, but the bug was reintroduced a year later. Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors") Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") Signed-off-by: Johan Hovold Acked-by: Oliver Neukum Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 5b1c70f36832900f8090d065a5b2046f5eeb1f9f Author: Ji-Ze Hong (Peter Hong) Date: Tue Apr 30 09:22:29 2019 +0800 USB: serial: f81232: fix interrupt worker not stop commit 804dbee1e49774918339c1e5a87400988c0819e8 upstream. The F81232 will use interrupt worker to handle MSR change. This patch will fix the issue that interrupt work should stop in close() and suspend(). This also fixes line-status events being disabled after a suspend cycle until the port is re-opened. Signed-off-by: Ji-Ze Hong (Peter Hong) [ johan: amend commit message ] Fixes: 87fe5adcd8de ("USB: f81232: implement read IIR/MSR with endpoint") Cc: stable # 4.1 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 083a8f69962a27ad381658a16d5f2f279e51e554 Author: Thinh Nguyen Date: Thu Apr 25 13:55:23 2019 -0700 usb: dwc3: Fix default lpm_nyet_threshold value commit 8d791929b2fbdf7734c1596d808e55cb457f4562 upstream. The max possible value for DCTL.LPM_NYET_THRES is 15 and not 255. Change the default value to 15. Cc: stable@vger.kernel.org Fixes: 80caf7d21adc ("usb: dwc3: add lpm erratum support") Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 9092861ce665d19f1f2a9fc435f420bc9cf74b17 Author: Marc Gonzalez Date: Wed Apr 24 17:00:57 2019 +0200 usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON commit 77a4946516fe488b6a33390de6d749f934a243ba upstream. Keep EXTCON support optional, as some platforms do not need it. Do the same for USB_DWC3_OMAP while we're at it. Fixes: 3def4031b3e3f ("usb: dwc3: add EXTCON dependency for qcom") Signed-off-by: Marc Gonzalez Cc: stable Signed-off-by: Greg Kroah-Hartman commit 70a44a01f8a4853100856bdb65a733772a201bd8 Author: Prasad Sodagudi Date: Sun Mar 24 07:57:04 2019 -0700 genirq: Prevent use-after-free and work list corruption [ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ] When irq_set_affinity_notifier() replaces the notifier, then the reference count on the old notifier is dropped which causes it to be freed. But nothing ensures that the old notifier is not longer queued in the work list. If it is queued this results in a use after free and possibly in work list corruption. Ensure that the work is canceled before the reference is dropped. Signed-off-by: Prasad Sodagudi Signed-off-by: Thomas Gleixner Cc: marc.zyngier@arm.com Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org Signed-off-by: Sasha Levin commit b5dbb40581836391155197ae62de2e1ba3abb058 Author: Joerg Roedel Date: Fri Apr 12 12:50:31 2019 +0200 iommu/amd: Set exclusion range correctly [ Upstream commit 3c677d206210f53a4be972211066c0f1cd47fe12 ] The exlcusion range limit register needs to contain the base-address of the last page that is part of the range, as bits 0-11 of this register are treated as 0xfff by the hardware for comparisons. So correctly set the exclusion range in the hardware to the last page which is _in_ the range. Fixes: b2026aa2dce44 ('x86, AMD IOMMU: add functions for programming IOMMU MMIO space') Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 6610c1785f70c385d719d231fc4517db62a8ab65 Author: Peter Zijlstra Date: Thu Apr 4 15:03:00 2019 +0200 perf/core: Fix perf_event_disable_inatomic() race [ Upstream commit 1d54ad944074010609562da5c89e4f5df2f4e5db ] Thomas-Mich Richter reported he triggered a WARN()ing from event_function_local() on his s390. The problem boils down to: CPU-A CPU-B perf_event_overflow() perf_event_disable_inatomic() @pending_disable = 1 irq_work_queue(); sched-out event_sched_out() @pending_disable = 0 sched-in perf_event_overflow() perf_event_disable_inatomic() @pending_disable = 1; irq_work_queue(); // FAILS irq_work_run() perf_pending_event() if (@pending_disable) perf_event_disable_local(); // WHOOPS The problem exists in generic, but s390 is particularly sensitive because it doesn't implement arch_irq_work_raise(), nor does it call irq_work_run() from it's PMU interrupt handler (nor would that be sufficient in this case, because s390 also generates perf_event_overflow() from pmu::stop). Add to that the fact that s390 is a virtual architecture and (virtual) CPU-A can stall long enough for the above race to happen, even if it would self-IPI. Adding a irq_work_sync() to event_sched_in() would work for all hardare PMUs that properly use irq_work_run() but fails for software PMUs. Instead encode the CPU number in @pending_disable, such that we can tell which CPU requested the disable. This then allows us to detect the above scenario and even redirect the IPI to make up for the failed queue. Reported-by: Thomas-Mich Richter Tested-by: Thomas Richter Signed-off-by: Peter Zijlstra (Intel) Acked-by: Mark Rutland Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Heiko Carstens Cc: Hendrik Brueckner Cc: Jiri Olsa Cc: Kees Cook Cc: Linus Torvalds Cc: Martin Schwidefsky Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit a5f62d2c15a2014ffbac47fce46364fd01e4dbf3 Author: Olga Kornievskaia Date: Thu Apr 11 14:34:18 2019 -0400 NFSv4.1 fix incorrect return value in copy_file_range [ Upstream commit 0769663b4f580566ef6cdf366f3073dbe8022c39 ] According to the NFSv4.2 spec if the input and output file is the same file, operation should fail with EINVAL. However, linux copy_file_range() system call has no such restrictions. Therefore, in such case let's return EOPNOTSUPP and allow VFS to fallback to doing do_splice_direct(). Also when copy_file_range is called on an NFSv4.0 or 4.1 mount (ie., a server that doesn't support COPY functionality), we also need to return EOPNOTSUPP and fallback to a regular copy. Fixes xfstest generic/075, generic/091, generic/112, generic/263 for all NFSv4.x versions. Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit a3aa7cab0fc24395c428275c8b994c98502f75fa Author: Stephen Boyd Date: Thu Apr 11 10:22:43 2019 -0700 platform/x86: pmc_atom: Drop __initconst on dmi table [ Upstream commit b995dcca7cf12f208cfd95fd9d5768dca7cccec7 ] It's used by probe and that isn't an init function. Drop this so that we don't get a section mismatch. Reported-by: kbuild test robot Cc: David Müller Cc: Hans de Goede Cc: Andy Shevchenko Fixes: 7c2e07130090 ("clk: x86: Add system specific quirk to mark clocks as critical") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit e6f2733f48cb0f11d30813b48965f21cae7cb8c6 Author: Keith Busch Date: Tue Apr 9 10:03:59 2019 -0600 nvmet: fix discover log page when offsets are used [ Upstream commit d808b7f759b50acf0784ce6230ffa63e12ef465d ] The nvme target hadn't been taking the Get Log Page offset parameter into consideration, and so has been returning corrupted log pages when offsets are used. Since many tools, including nvme-cli, split the log request to 4k, we've been breaking discovery log responses when more than 3 subsystems exist. Fix the returned data by internally generating the entire discovery log page and copying only the requested bytes into the user buffer. The command log page offset type has been modified to a native __le64 to make it easier to extract the value from a command. Signed-off-by: Keith Busch Tested-by: Minwoo Im Reviewed-by: Chaitanya Kulkarni Reviewed-by: Hannes Reinecke Reviewed-by: James Smart Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit ea359038ab73da3007f46c6845272bdb43d21482 Author: James Smart Date: Mon Apr 8 11:15:19 2019 -0700 nvme-fc: correct csn initialization and increments on error [ Upstream commit 67f471b6ed3b09033c4ac77ea03f92afdb1989fe ] This patch fixes a long-standing bug that initialized the FC-NVME cmnd iu CSN value to 1. Early FC-NVME specs had the connection starting with CSN=1. By the time the spec reached approval, the language had changed to state a connection should start with CSN=0. This patch corrects the initialization value for FC-NVME connections. Additionally, in reviewing the transport, the CSN value is assigned to the new IU early in the start routine. It's possible that a later dma map request may fail, causing the command to never be sent to the controller. Change the location of the assignment so that it is immediately prior to calling the lldd. Add a comment block to explain the impacts if the lldd were to additionally fail sending the command. Signed-off-by: Dick Kennedy Signed-off-by: James Smart Reviewed-by: Ewan D. Milne Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 407bb38bf3f7abf8ee78c247d057b2cea6422bc1 Author: Ming Lei Date: Tue Apr 9 06:31:22 2019 +0800 nvme: cancel request synchronously [ Upstream commit eb3afb75b57c28599af0dfa03a99579d410749e9 ] nvme_cancel_request() is used in error handler, and it is always reliable to cancel request synchronously, and avoids possible race in which request may be completed after real hw queue is destroyed. One issue is reported by our customer on NVMe RDMA, in which freed ib queue pair may be used in nvme_rdma_complete_rq(). Cc: Sagi Grimberg Cc: Bart Van Assche Cc: James Smart Cc: linux-nvme@lists.infradead.org Reviewed-by: Keith Busch Reviewed-by: Christoph Hellwig Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e62732d12bd97ec7a122299356c23e4948db11bc Author: Ming Lei Date: Tue Apr 9 06:31:21 2019 +0800 blk-mq: introduce blk_mq_complete_request_sync() [ Upstream commit 1b8f21b74c3c9c82fce5a751d7aefb7cc0b8d33d ] In NVMe's error handler, follows the typical steps of tearing down hardware for recovering controller: 1) stop blk_mq hw queues 2) stop the real hw queues 3) cancel in-flight requests via blk_mq_tagset_busy_iter(tags, cancel_request, ...) cancel_request(): mark the request as abort blk_mq_complete_request(req); 4) destroy real hw queues However, there may be race between #3 and #4, because blk_mq_complete_request() may run q->mq_ops->complete(rq) remotelly and asynchronously, and ->complete(rq) may be run after #4. This patch introduces blk_mq_complete_request_sync() for fixing the above race. Cc: Sagi Grimberg Cc: Bart Van Assche Cc: James Smart Cc: linux-nvme@lists.infradead.org Reviewed-by: Keith Busch Reviewed-by: Christoph Hellwig Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e81f9ca291ace55959c9ea4ece0bbde7ae9500b9 Author: Dongli Zhang Date: Wed Mar 27 18:36:34 2019 +0800 virtio-blk: limit number of hw queues by nr_cpu_ids [ Upstream commit bf348f9b78d413e75bb079462751a1d86b6de36c ] When tag_set->nr_maps is 1, the block layer limits the number of hw queues by nr_cpu_ids. No matter how many hw queues are used by virtio-blk, as it has (tag_set->nr_maps == 1), it can use at most nr_cpu_ids hw queues. In addition, specifically for pci scenario, when the 'num-queues' specified by qemu is more than maxcpus, virtio-blk would not be able to allocate more than maxcpus vectors in order to have a vector for each queue. As a result, it falls back into MSI-X with one vector for config and one shared for queues. Considering above reasons, this patch limits the number of hw queues used by virtio-blk by nr_cpu_ids. Reviewed-by: Stefan Hajnoczi Signed-off-by: Dongli Zhang Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 677713b1254fa4f71eec95725088e4322adfaabf Author: Takashi Iwai Date: Wed Apr 10 12:49:55 2019 +0200 ALSA: hda: Fix racy display power access [ Upstream commit d7a181da2dfa3190487c446042ba01e07d851c74 ] snd_hdac_display_power() doesn't handle the concurrent calls carefully enough, and it may lead to the doubly get_power or put_power calls, when a runtime PM and an async work get called in racy way. This patch addresses it by reusing the bus->lock mutex that has been used for protecting the link state change in ext bus code, so that it can protect against racy display state changes. The initialization of bus->lock was moved from snd_hdac_ext_bus_init() to snd_hdac_bus_init() as well accordingly. Testcase: igt/i915_pm_rpm/module-reload #glk-dsi Reported-by: Chris Wilson Reviewed-by: Chris Wilson Cc: Imre Deak Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 7c7450aa98387a97ccd9ce5a6c02d648382010d9 Author: Olivier Moysan Date: Wed Apr 10 10:08:36 2019 +0200 ASoC: stm32: sai: fix master clock management [ Upstream commit e37c2deafe7058cf7989c4c47bbf1140cc867d89 ] When master clock is used, master clock rate is set exclusively. Parent clocks of master clock cannot be changed after a call to clk_set_rate_exclusive(). So the parent clock of SAI kernel clock must be set before. Ensure also that exclusive rate operations are balanced in STM32 SAI driver. Signed-off-by: Olivier Moysan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 60ec4c3d39be4d21f4df076521a48cfe8cbad674 Author: Tzung-Bi Shih Date: Mon Apr 8 17:08:58 2019 +0800 ASoC: Intel: kbl: fix wrong number of channels [ Upstream commit d6ba3f815bc5f3c4249d15c8bc5fbb012651b4a4 ] Fix wrong setting on number of channels. The context wants to set constraint to 2 channels instead of 4. Signed-off-by: Tzung-Bi Shih Acked-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c79f5a7a3559e444cfca8557b48ea0c19ccc6eb1 Author: Wangyan Wang Date: Tue Apr 9 14:53:07 2019 +0800 drm/mediatek: no change parent rate in round_rate() for MT2701 hdmi phy [ Upstream commit 9ee76098a1b8ae21cccac641b735ee4d3a77bccf ] This is the third step to make MT2701 HDMI stable. We should not change the rate of parent for hdmi phy when doing round_rate for this clock. The parent clock of hdmi phy must be the same as it. We change it when doing set_rate only. Signed-off-by: Wangyan Wang Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit 718254750661b06cff47158e6528e9361b7c874f Author: Wangyan Wang Date: Tue Apr 9 14:53:05 2019 +0800 drm/mediatek: using new factor for tvdpll for MT2701 hdmi phy [ Upstream commit 8eeb3946feeb00486ac0909e2309da87db8988a5 ] This is the second step to make MT2701 HDMI stable. The factor depends on the divider of DPI in MT2701, therefore, we should fix this factor to the right and new one. Test: search ok Signed-off-by: Wangyan Wang Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit 5b82d95ac6fe79da1ec70e68f21973ef8444ef8f Author: Wangyan Wang Date: Tue Apr 9 14:53:03 2019 +0800 drm/mediatek: remove flag CLK_SET_RATE_PARENT for MT2701 hdmi phy [ Upstream commit 827abdd024207146822f66ba3ba74867135866b9 ] This is the first step to make MT2701 hdmi stable. The parent rate of hdmi phy had set by DPI driver. We should not set or change the parent rate of MT2701 hdmi phy, as a result we should remove the flags of "CLK_SET_RATE_PARENT" from the clock of MT2701 hdmi phy. Signed-off-by: Wangyan Wang Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit 273ed6c20cb537697f39995b5105c802d7034ac2 Author: Wangyan Wang Date: Tue Apr 9 14:53:06 2019 +0800 drm/mediatek: make implementation of recalc_rate() for MT2701 hdmi phy [ Upstream commit 321b628e6f5a3af999f75eadd373adbcb8b4cb1f ] Recalculate the rate of this clock, by querying hardware to make implementation of recalc_rate() to match the definition. Signed-off-by: Wangyan Wang Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit 4b112e5e6af9cf6d91e19d7329f74928f03bc0a4 Author: Wangyan Wang Date: Tue Apr 9 14:53:04 2019 +0800 drm/mediatek: fix the rate and divder of hdmi phy for MT2701 [ Upstream commit 0c24613cda163dedfa229afc8eff6072e57fac8d ] Due to a clerical error,there is one zero less for 12800000. Fix it for 128000000 Fixes: 0fc721b2968e ("drm/mediatek: add hdmi driver for MT2701 and MT7623") Signed-off-by: Wangyan Wang Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit a873474c769aab1f8e43544a9a26d434dba7d0d4 Author: Wen Yang Date: Thu Apr 4 00:04:09 2019 +0800 drm/mediatek: fix possible object reference leak [ Upstream commit 2ae2c3316fb77dcf64275d011596b60104c45426 ] The call to of_parse_phandle returns a node pointer with refcount incremented thus it must be explicitly decremented after the last usage. Detected by coccinelle with the following warnings: drivers/gpu/drm/mediatek/mtk_hdmi.c:1521:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1509, but without a corresponding object release within this function. drivers/gpu/drm/mediatek/mtk_hdmi.c:1524:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1509, but without a corresponding object release within this function. Signed-off-by: Wen Yang Cc: CK Hu Cc: Philipp Zabel Cc: David Airlie Cc: Daniel Vetter Cc: Matthias Brugger Cc: dri-devel@lists.freedesktop.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-mediatek@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit 3051b6a1a14aebd6f3172caf1f4286de6ced2ac3 Author: Varun Prakash Date: Fri Apr 5 20:39:13 2019 +0530 scsi: csiostor: fix missing data copy in csio_scsi_err_handler() [ Upstream commit 5c2442fd78998af60e13aba506d103f7f43f8701 ] If scsi cmd sglist is not suitable for DDP then csiostor driver uses preallocated buffers for DDP, because of this data copy is required from DDP buffer to scsi cmd sglist before calling ->scsi_done(). Signed-off-by: Varun Prakash Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 353392e5b9a56f59fd9b12e3d51446b7ef7f5119 Author: ndesaulniers@google.com Date: Mon Oct 22 16:43:57 2018 -0700 KEYS: trusted: fix -Wvarags warning [ Upstream commit be24b37e22c20cbaa891971616784dd0f35211e8 ] Fixes the warning reported by Clang: security/keys/trusted.c:146:17: warning: passing an object that undergoes default argument promotion to 'va_start' has undefined behavior [-Wvarargs] va_start(argp, h3); ^ security/keys/trusted.c:126:37: note: parameter of type 'unsigned char' is declared here unsigned char *h2, unsigned char h3, ...) ^ Specifically, it seems that both the C90 (4.8.1.1) and C11 (7.16.1.4) standards explicitly call this out as undefined behavior: The parameter parmN is the identifier of the rightmost parameter in the variable parameter list in the function definition (the one just before the ...). If the parameter parmN is declared with ... or with a type that is not compatible with the type that results after application of the default argument promotions, the behavior is undefined. Link: https://github.com/ClangBuiltLinux/linux/issues/41 Link: https://www.eskimo.com/~scs/cclass/int/sx11c.html Suggested-by: David Laight Suggested-by: Denis Kenzior Suggested-by: James Bottomley Suggested-by: Nathan Chancellor Signed-off-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: James Morris Signed-off-by: Sasha Levin commit 6fb3aa5d730782a0d8195cb7fb365883c0175e6f Author: Lijun Ou Date: Sun Apr 7 13:23:38 2019 +0800 RDMA/hns: Fix bug that caused srq creation to fail [ Upstream commit 4772e03d239484f3461e33c79d721c8ea03f7416 ] Due to the incorrect use of the seg and obj information, the position of the mtt is calculated incorrectly, and the free space of the page is not enough to store the entire mtt, resulting in access to the next page. This patch fixes this problem. Unable to handle kernel paging request at virtual address ffff00006e3cd000 ... Call trace: hns_roce_write_mtt+0x154/0x2f0 [hns_roce] hns_roce_buf_write_mtt+0xa8/0xd8 [hns_roce] hns_roce_create_srq+0x74c/0x808 [hns_roce] ib_create_srq+0x28/0xc8 Fixes: 0203b14c4f32 ("RDMA/hns: Unify the calculation for hem index in hip08") Signed-off-by: chenglang Signed-off-by: Lijun Ou Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f4d87f9b027a6d962e10b5ff91d8cfd83f834be5 Author: Kamal Heib Date: Wed Apr 3 16:52:54 2019 +0300 RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove [ Upstream commit ea7a5c706fa49273cf6d1d9def053ecb50db2076 ] Make sure to free the DSR on pvrdma_pci_remove() to avoid the memory leak. Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver") Signed-off-by: Kamal Heib Acked-by: Adit Ranadive Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3fa40c30fe4c691915302b28365a54909a67af3b Author: Longpeng Date: Sat Mar 9 15:17:40 2019 +0800 virtio_pci: fix a NULL pointer reference in vp_del_vqs [ Upstream commit 6a8aae68c87349dbbcd46eac380bc43cdb98a13b ] If the msix_affinity_masks is alloced failed, then we'll try to free some resources in vp_free_vectors() that may access it directly. We met the following stack in our production: [ 29.296767] BUG: unable to handle kernel NULL pointer dereference at (null) [ 29.311151] IP: [] vp_free_vectors+0x6a/0x150 [virtio_pci] [ 29.324787] PGD 0 [ 29.333224] Oops: 0000 [#1] SMP [...] [ 29.425175] RIP: 0010:[] [] vp_free_vectors+0x6a/0x150 [virtio_pci] [ 29.441405] RSP: 0018:ffff9a55c2dcfa10 EFLAGS: 00010206 [ 29.453491] RAX: 0000000000000000 RBX: ffff9a55c322c400 RCX: 0000000000000000 [ 29.467488] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9a55c322c400 [ 29.481461] RBP: ffff9a55c2dcfa20 R08: 0000000000000000 R09: ffffc1b6806ff020 [ 29.495427] R10: 0000000000000e95 R11: 0000000000aaaaaa R12: 0000000000000000 [ 29.509414] R13: 0000000000010000 R14: ffff9a55bd2d9e98 R15: ffff9a55c322c400 [ 29.523407] FS: 00007fdcba69f8c0(0000) GS:ffff9a55c2840000(0000) knlGS:0000000000000000 [ 29.538472] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.551621] CR2: 0000000000000000 CR3: 000000003ce52000 CR4: 00000000003607a0 [ 29.565886] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 29.580055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 29.594122] Call Trace: [ 29.603446] [] vp_request_msix_vectors+0xe2/0x260 [virtio_pci] [ 29.618017] [] vp_try_to_find_vqs+0x95/0x3b0 [virtio_pci] [ 29.632152] [] vp_find_vqs+0x37/0xb0 [virtio_pci] [ 29.645582] [] init_vq+0x153/0x260 [virtio_blk] [ 29.658831] [] virtblk_probe+0xe8/0x87f [virtio_blk] [...] Cc: Gonglei Signed-off-by: Longpeng Signed-off-by: Michael S. Tsirkin Reviewed-by: Gonglei Signed-off-by: Sasha Levin commit e0696fe3c10fa1193d03449c4163326df2032d59 Author: Ondrej Jirman Date: Sat Apr 6 01:30:48 2019 +0200 drm/sun4i: tcon top: Fix NULL/invalid pointer dereference in sun8i_tcon_top_un/bind [ Upstream commit 1a07a94b47b1f528f39c3e6187b5eaf02efe44ea ] There are two problems here: 1. Not all clk_data->hws[] need to be initialized, depending on various configured quirks. This leads to NULL ptr deref in clk_hw_unregister_gate() in sun8i_tcon_top_unbind() 2. If there is error when registering the clk_data->hws[], err_unregister_gates error path will try to unregister IS_ERR()=true (invalid) pointer. For problem (1) I have this stack trace: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: clk_hw_unregister+0x8/0x18 clk_hw_unregister_gate+0x14/0x28 sun8i_tcon_top_unbind+0x2c/0x60 component_unbind.isra.4+0x2c/0x50 component_bind_all+0x1d4/0x230 sun4i_drv_bind+0xc4/0x1a0 try_to_bring_up_master+0x164/0x1c0 __component_add+0xa0/0x168 component_add+0x10/0x18 sun8i_dw_hdmi_probe+0x18/0x20 platform_drv_probe+0x3c/0x70 really_probe+0xcc/0x278 driver_probe_device+0x34/0xa8 Problem (2) was identified by head scratching. Signed-off-by: Ondrej Jirman Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20190405233048.3823-1-megous@megous.com Signed-off-by: Sasha Levin commit 09c5ad16c22c55616c3ab960b260603a8f5e2a5e Author: Qian Cai Date: Sat Apr 6 18:59:01 2019 -0400 slab: fix a crash by reading /proc/slab_allocators [ Upstream commit fcf88917dd435c6a4cb2830cb086ee58605a1d85 ] The commit 510ded33e075 ("slab: implement slab_root_caches list") changes the name of the list node within "struct kmem_cache" from "list" to "root_caches_node", but leaks_show() still use the "list" which causes a crash when reading /proc/slab_allocators. You need to have CONFIG_SLAB=y and CONFIG_MEMCG=y to see the problem, because without MEMCG all slab caches are root caches, and the "list" node happens to be the right one. Fixes: 510ded33e075 ("slab: implement slab_root_caches list") Signed-off-by: Qian Cai Reviewed-by: Tobin C. Harding Cc: Tejun Heo Cc: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ad74ab443e3031cd57a3d9771184803d5969f2be Author: Josh Poimboeuf Date: Thu Apr 4 12:17:35 2019 -0500 objtool: Add rewind_stack_do_exit() to the noreturn list [ Upstream commit 4fa5ecda2bf96be7464eb406df8aba9d89260227 ] This fixes the following warning seen on GCC 7.3: arch/x86/kernel/dumpstack.o: warning: objtool: oops_end() falls through to next function show_regs() Reported-by: kbuild test robot Signed-off-by: Josh Poimboeuf Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Link: https://lkml.kernel.org/r/3418ebf5a5a9f6ed7e80954c741c0b904b67b5dc.1554398240.git.jpoimboe@redhat.com Signed-off-by: Sasha Levin commit fa42760cf27664c9949098e6346a80ef4987bc66 Author: Charles Keepax Date: Thu Apr 4 17:27:20 2019 +0100 ASoC: cs35l35: Disable regulators on driver removal [ Upstream commit 47c4cc08cb5b34e93ab337b924c5ede77ca3c936 ] The chips main power supplies VA and VP are enabled during probe but then never disabled, this will cause warnings from the regulator framework on driver removal. Fix this by adding a remove callback and disabling the supplies, whilst doing so follow best practice and put the chip back into reset as well. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c577757d294e4878fa462accdd86e461f72c5190 Author: tiancyin Date: Mon Apr 1 10:15:31 2019 +0800 drm/amd/display: fix cursor black issue [ Upstream commit c1cefe115d1cdc460014483319d440b2f0d07c68 ] [Why] the member sdr_white_level of struct dc_cursor_attributes was not initialized, then the random value result that dcn10_set_cursor_sdr_white_level() set error hw_scale value 0x20D9(normal value is 0x3c00), this cause the black cursor issue. [how] just initilize the obj of struct dc_cursor_attributes to zero to avoid the random value. Reviewed-by: Nicholas Kazlauskas Signed-off-by: Tianci Yin Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4b5f2b0ce17cf960925f94fcfe9cd1cb452ee580 Author: wentalou Date: Tue Apr 2 17:13:05 2019 +0800 drm/amdgpu: amdgpu_device_recover_vram always failed if only one node in shadow_list [ Upstream commit 1712fb1a2f6829150032ac76eb0e39b82a549cfb ] amdgpu_bo_restore_shadow would assign zero to r if succeeded. r would remain zero if there is only one node in shadow_list. current code would always return failure when r <= 0. restart the timeout for each wait was a rather problematic bug as well. The value of tmo SHOULD be changed, otherwise we wait tmo jiffies on each loop. Signed-off-by: Wentao Lou Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f528dbeec01762b0381703be2ce5f31c58be263f Author: shaoyunl Date: Mon Apr 1 16:09:34 2019 -0400 drm/amdgpu: Adjust IB test timeout for XGMI configuration [ Upstream commit d4162c61e253177936fcfe6c29f7b224d9a1efb8 ] On XGMI configuration the ib test may take longer to finish Signed-off-by: shaoyunl Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 255063992678e5249faf2db344aff965ccf8d6b7 Author: Alex Deucher Date: Wed Apr 3 12:30:32 2019 -0500 drm/amdkfd: Add picasso pci id [ Upstream commit e7ad88553aa1d48e950ca9a4934d246c1bee4be4 ] Picasso is a new raven variant. Reviewed-by: Kent Russell Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2f0ec100032e9f23b7561ec6f3b5c8a9806a7100 Author: Sugar Zhang Date: Wed Apr 3 21:40:45 2019 +0800 ASoC: rockchip: pdm: fix regmap_ops hang issue [ Upstream commit c85064435fe7a216ec0f0238ef2b8f7cd850a450 ] This is because set_fmt ops maybe called when PD is off, and in such case, regmap_ops will lead system hang. enale PD before doing regmap_ops. Signed-off-by: Sugar Zhang Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dfa9efe42df2dabeb34e755338f0af9efcc0ed30 Author: Max Filippov Date: Wed Apr 3 20:22:42 2019 -0700 xtensa: fix initialization of pt_regs::syscall in start_thread [ Upstream commit 2663147dc7465cb29040a05cc4286fdd839978b5 ] New pt_regs should indicate that there's no syscall, not that there's syscall #0. While at it wrap macro body in do/while and parenthesize macro arguments. Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit 9680a806201d763b9f662b21f28570df7df56d88 Author: YueHaibing Date: Thu Apr 4 10:31:14 2019 +0800 iov_iter: Fix build error without CONFIG_CRYPTO [ Upstream commit 27fad74a5a77fe2e1f876db7bf27efcf2ec304b2 ] If CONFIG_CRYPTO is not set or set to m, gcc building warn this: lib/iov_iter.o: In function `hash_and_copy_to_iter': iov_iter.c:(.text+0x9129): undefined reference to `crypto_stats_get' iov_iter.c:(.text+0x9152): undefined reference to `crypto_stats_ahash_update' Reported-by: Hulk Robot Fixes: d05f443554b3 ("iov_iter: introduce hash_and_copy_to_iter helper") Suggested-by: Al Viro Signed-off-by: YueHaibing Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 2e94d4e8f2b9ea26e933b8cd1fef5b4b7a3f23db Author: Jann Horn Date: Fri Mar 29 22:46:49 2019 +0100 linux/kernel.h: Use parentheses around argument in u64_to_user_ptr() [ Upstream commit a0fe2c6479aab5723239b315ef1b552673f434a3 ] Use parentheses around uses of the argument in u64_to_user_ptr() to ensure that the cast doesn't apply to part of the argument. There are existing uses of the macro of the form u64_to_user_ptr(A + B) which expands to (void __user *)(uintptr_t)A + B (the cast applies to the first operand of the addition, the addition is a pointer addition). This happens to still work as intended, the semantic difference doesn't cause a difference in behavior. But I want to use u64_to_user_ptr() with a ternary operator in the argument, like so: u64_to_user_ptr(A ? B : C) This currently doesn't work as intended. Signed-off-by: Jann Horn Signed-off-by: Borislav Petkov Reviewed-by: Mukesh Ojha Cc: Andrei Vagin Cc: Andrew Morton Cc: Dan Carpenter Cc: Greg Kroah-Hartman Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jani Nikula Cc: Kees Cook Cc: Masahiro Yamada Cc: NeilBrown Cc: Peter Zijlstra Cc: Qiaowei Ren Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190329214652.258477-1-jannh@google.com Signed-off-by: Sasha Levin commit bae9b6b98342914af31a7b296066eb5ba587abf6 Author: Peter Zijlstra Date: Thu Mar 21 13:38:49 2019 +0100 perf/x86/intel: Initialize TFA MSR [ Upstream commit d7262457e35dbe239659e62654e56f8ddb814bed ] Stephane reported that the TFA MSR is not initialized by the kernel, but the TFA bit could set by firmware or as a leftover from a kexec, which makes the state inconsistent. Reported-by: Stephane Eranian Tested-by: Nelson DSouza Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Cc: tonyj@suse.com Link: https://lkml.kernel.org/r/20190321123849.GN6521@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 9bd3e66587f5de2fa9136430115b8e7c99928002 Author: Stephane Eranian Date: Wed Mar 6 11:50:48 2019 -0800 perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS [ Upstream commit 583feb08e7f7ac9d533b446882eb3a54737a6dbb ] When an event is programmed with attr.wakeup_events=N (N>0), it means the caller is interested in getting a user level notification after N samples have been recorded in the kernel sampling buffer. With precise events on Intel processors, the kernel uses PEBS. The kernel tries minimize sampling overhead by verifying if the event configuration is compatible with multi-entry PEBS mode. If so, the kernel is notified only when the buffer has reached its threshold. Other PEBS operates in single-entry mode, the kenrel is notified for each PEBS sample. The problem is that the current implementation look at frequency mode and event sample_type but ignores the wakeup_events field. Thus, it may not be possible to receive a notification after each precise event. This patch fixes this problem by disabling multi-entry PEBS if wakeup_events is non-zero. Signed-off-by: Stephane Eranian Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Andi Kleen Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Cc: kan.liang@intel.com Link: https://lkml.kernel.org/r/20190306195048.189514-1-eranian@google.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 83f3ed3b4bdebdf9eb83de5e58f6eef49effa4c3 Author: Dan Carpenter Date: Thu Mar 28 17:31:30 2019 +0300 drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata() [ Upstream commit 2d85978341e6a32e7443d9f28639da254d53f400 ] We don't want to overwrite "ret", it already holds the correct error code. The "regmap" variable might be a valid pointer as this point. Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") Signed-off-by: Dan Carpenter Signed-off-by: CK Hu Signed-off-by: Sasha Levin commit 693d72f920e70ca5496b137ef3210f0500a974d2 Author: Annaliese McDermond Date: Sat Mar 30 09:02:02 2019 -0700 ASoC: tlv320aic32x4: Fix Common Pins [ Upstream commit c63adb28f6d913310430f14c69f0a2ea55eed0cc ] The common pins were mistakenly not added to the DAPM graph. Adding these pins will allow valid graphs to be created. Signed-off-by: Annaliese McDermond Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e904a8b148953ea5c8cf6330c6c857fa2eb81ac2 Author: Chong Qiao Date: Thu Mar 28 07:08:01 2019 +0800 MIPS: KGDB: fix kgdb support for SMP platforms. [ Upstream commit ab8a6d821179ab9bea1a9179f535ccba6330c1ed ] KGDB_call_nmi_hook is called by other cpu through smp call. MIPS smp call is processed in ipi irq handler and regs is saved in handle_int. So kgdb_call_nmi_hook get regs by get_irq_regs and regs will be passed to kgdb_cpu_enter. Signed-off-by: Chong Qiao Reviewed-by: Douglas Anderson Acked-by: Daniel Thompson Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: Will Deacon Cc: Christophe Leroy Cc: linux-mips@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: QiaoChong Signed-off-by: Sasha Levin commit 59188acd0c7d0787b6938057f79a49f3ba5aa4ec Author: Kaike Wan Date: Mon Mar 18 09:55:49 2019 -0700 IB/hfi1: Fix the allocation of RSM table [ Upstream commit d0294344470e6b52d097aa7369173f32d11f2f52 ] The receive side mapping (RSM) on hfi1 hardware is a special matching mechanism to direct an incoming packet to a given hardware receive context. It has 4 instances of matching capabilities (RSM0 - RSM3) that share the same RSM table (RMT). The RMT has a total of 256 entries, each of which points to a receive context. Currently, three instances of RSM have been used: 1. RSM0 by QOS; 2. RSM1 by PSM FECN; 3. RSM2 by VNIC. Each RSM instance should reserve enough entries in RMT to function properly. Since both PSM and VNIC could allocate any receive context between dd->first_dyn_alloc_ctxt and dd->num_rcv_contexts, PSM FECN must reserve enough RMT entries to cover the entire receive context index range (dd->num_rcv_contexts - dd->first_dyn_alloc_ctxt) instead of only the user receive contexts allocated for PSM (dd->num_user_contexts). Consequently, the sizing of dd->num_user_contexts in set_up_context_variables is incorrect. Fixes: 2280740f01ae ("IB/hfi1: Virtual Network Interface Controller (VNIC) HW support") Reviewed-by: Mike Marciniszyn Reviewed-by: Michael J. Ruhl Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a3270ed433898fac2410d48f9f5c0690a82d3c15 Author: Kaike Wan Date: Mon Mar 18 09:55:39 2019 -0700 IB/hfi1: Eliminate opcode tests on mr deref [ Upstream commit a8639a79e85c18c16c10089edd589c7948f19bbd ] When an old ack_queue entry is used to store an incoming request, it may need to clean up the old entry if it is still referencing the MR. Originally only RDMA READ request needed to reference MR on the responder side and therefore the opcode was tested when cleaning up the old entry. The introduction of tid rdma specific operations in the ack_queue makes the specific opcode tests wrong. Multiple opcodes (RDMA READ, TID RDMA READ, and TID RDMA WRITE) may need MR ref cleanup. Remove the opcode specific tests associated with the ack_queue. Fixes: f48ad614c100 ("IB/hfi1: Move driver out of staging") Signed-off-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1f9f22f6c7d6c4e81eea78693355e85d373530b8 Author: Kaike Wan Date: Mon Mar 18 09:55:29 2019 -0700 IB/hfi1: Clear the IOWAIT pending bits when QP is put into error state [ Upstream commit 93b289b9aff66eca7575b09f36f5abbeca8e6167 ] When a QP is put into error state, it may be waiting for send engine resources. In this case, the QP will be removed from the send engine's waiting list, but its IOWAIT pending bits are not cleared. This will normally not have any major impact as the QP is being destroyed. However, the QP still needs to wind down its operations, such as draining the send queue by scheduling the send engine. Clearing the pending bits will avoid any potential complications. In addition, if the QP will eventually hang, clearing the pending bits can help debugging by presenting a consistent picture if the user dumps the qp_stats. This patch clears a QP's IOWAIT_PENDING_IB and IO_PENDING_TID bits in priv->s_iowait.flags in this case. Fixes: 5da0fc9dbf89 ("IB/hfi1: Prepare resource waits for dual leg") Reviewed-by: Mike Marciniszyn Reviewed-by: Alex Estrin Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a2fdb5d19477f6ad8f1161e2d0f3ed2e7698f6d1 Author: Tony Lindgren Date: Tue Mar 26 08:14:37 2019 -0700 drm/omap: hdmi4_cec: Fix CEC clock handling for PM [ Upstream commit 36a1da15b5df493241b0011d2185fdd724ac1ed1 ] If CONFIG_OMAP4_DSS_HDMI_CEC is enabled in .config, deeper SoC idle states are blocked because the CEC clock gets always enabled on init. Let's fix the issue by moving the CEC clock handling to happen later in hdmi_cec_adap_enable() as suggested by Hans Verkuil . This way the CEC clock gets only enabled when needed. This can be tested by doing cec-ctl --playback to enable the CEC, and doing cec-ctl --clear to disable it. Let's also fix the typo for "divider" in the comments while at it. Fixes: 8d7f934df8d8 ("omapdrm: hdmi4_cec: add OMAP4 HDMI CEC support") Suggested-by: Hans Verkuil Cc: Hans Verkuil Cc: Jyri Sarha Cc: Laurent Pinchart Signed-off-by: Tony Lindgren Reviewed-by: Hans Verkuil Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20190326151438.32414-1-tony@atomide.com Signed-off-by: Sasha Levin commit 08aa8be65b52923d8b5adf0f89af0d5b4c87665b Author: Pankaj Bharadiya Date: Fri Mar 22 18:00:09 2019 +0530 ASoC: dapm: Fix NULL pointer dereference in snd_soc_dapm_free_kcontrol [ Upstream commit cacea3a90e211f0c111975535508d446a4a928d2 ] w_text_param can be NULL and it is being dereferenced without checking. Add the missing sanity check to prevent NULL pointer dereference. Signed-off-by: Pankaj Bharadiya Acked-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 15d326f9548bfc3c944ad1d7d4e20f6d1c2ea92e Author: Daniel Mack Date: Wed Mar 20 22:41:56 2019 +0100 ASoC: cs4270: Set auto-increment bit for register writes [ Upstream commit f0f2338a9cfaf71db895fa989ea7234e8a9b471d ] The CS4270 does not by default increment the register address on consecutive writes. During normal operation it doesn't matter as all register accesses are done individually. At resume time after suspend, however, the regcache code gathers the biggest possible block of registers to sync and sends them one on one go. To fix this, set the INCR bit in all cases. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1be14f5da0b1df357a0c84c832951b9c16f3b5e4 Author: Olivier Moysan Date: Mon Mar 4 15:52:44 2019 +0100 ASoC: stm32: dfsdm: fix debugfs warnings on entry creation [ Upstream commit c47255b61129857b74b0d86eaf59335348be05e0 ] Register platform component with a prefix, to avoid warnings on debugfs entries creation, due to component name redundancy. Signed-off-by: Olivier Moysan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9baa2f8ab75862dc604459da363624a0cc9c741c Author: Olivier Moysan Date: Mon Mar 4 15:52:43 2019 +0100 ASoC: stm32: dfsdm: manage multiple prepare [ Upstream commit 19441e35a43b616ea6afad91ed0d9e77268d8f6a ] The DFSDM must be stopped when a new setting is applied. restart systematically DFSDM on multiple prepare calls, to apply changes. Signed-off-by: Olivier Moysan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5bff91d2a18faaa1f29d3056cd49bf1988813ac1 Author: Maxime Jourdan Date: Tue Mar 19 11:25:37 2019 +0100 clk: meson-gxbb: round the vdec dividers to closest [ Upstream commit 9b70c697e87286ade406e6a02091757307dd4b7c ] We want the video decoder clocks to always round to closest. While the muxes are already using CLK_MUX_ROUND_CLOSEST, the corresponding CLK_DIVIDER_ROUND_CLOSEST was forgotten for the dividers. Fix this by adding the flag to the two vdec dividers. Fixes: a565242eb9fc ("clk: meson: gxbb: add the video decoder clocks") Signed-off-by: Maxime Jourdan Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://lkml.kernel.org/r/20190319102537.2043-1-mjourdan@baylibre.com Signed-off-by: Sasha Levin commit b2b47cecd2ce58e2acd86ade3e0a7f027b0b097e Author: Charles Keepax Date: Tue Mar 19 11:52:06 2019 +0000 ASoC: wm_adsp: Add locking to wm_adsp2_bus_error [ Upstream commit a2225a6d155fcb247fe4c6d87f7c91807462966d ] Best to lock across handling the bus error to ensure the DSP doesn't change power state as we are reading the status registers. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9fb991d9cf503e5b24de33e1b9fbda8a016e76ae Author: Shuming Fan Date: Mon Mar 18 15:17:42 2019 +0800 ASoC: rt5682: recording has no sound after booting [ Upstream commit 1c5b6a27e432e4fe170a924c8b41012271496a4c ] If ASRC turns on, HW will use clk_dac as the reference clock whether recording or playback. Both of clk_dac and clk_adc should set proper clock while using ASRC. Signed-off-by: Shuming Fan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b2cb6f8f307b6224d1b93d2dac3a1daaf67b3fbb Author: Shuming Fan Date: Mon Mar 18 15:17:13 2019 +0800 ASoC: rt5682: fix jack type detection issue [ Upstream commit 675212bfb23394514b7f68ebf3954ba936281ccc ] The jack type detection needs the main bias power of analog. The modification makes sure the main bias power on/off while jack plug/unplug. Signed-off-by: Shuming Fan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8425db6714401ad79c846199b4d1f4e96a5fd292 Author: Shuming Fan Date: Fri Mar 8 11:36:08 2019 +0800 ASoC: rt5682: Check JD status when system resume [ Upstream commit 4834d7070c85a5fb69637265dbbb05d13043280c ] The IRQ function may not work when system suspend. We remove snd_soc_dapm_force_enable_pin function call to make sure the bias off when idle and run into suspend/resume function. Signed-off-by: Shuming Fan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3f60f8813be9eda7ec480deeb4c7007f0439ee44 Author: Sylwester Nawrocki Date: Tue Mar 12 18:40:06 2019 +0100 ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate [ Upstream commit 2b13bee3884926cba22061efa75bd315e871de24 ] After commit fbeec965b8d1c ("ASoC: samsung: odroid: Fix 32000 sample rate handling") the audio root clock frequency is configured improperly for 44100 sample rate. Due to clock rate rounding it's 20070401 Hz instead of 22579000 Hz. This results in a too low value of the PSR clock divider in the CPU DAI driver and too fast actual sample rate for fs=44100. E.g. 1 kHz tone has actual 1780 Hz frequency (1 kHz * 20070401/22579000 * 2). Fix this by increasing the correction passed to clk_set_rate() to take into account inaccuracy of the EPLL frequency properly. Fixes: fbeec965b8d1c ("ASoC: samsung: odroid: Fix 32000 sample rate handling") Reported-by: JaeChul Lee Signed-off-by: Sylwester Nawrocki Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b44509a152a3237eec2bc68da945f2f4676938b5 Author: John Hsu Date: Wed Mar 13 16:23:44 2019 +0800 ASoC: nau8810: fix the issue of widget with prefixed name [ Upstream commit 54d1cf78b0f4ba348a7c7fb8b7d0708d71b6cc8a ] The driver changes the stream name of DAC and ADC to avoid the issue of widget with prefixed name. When the machine adds prefixed name for codec, the stream name of DAI may not find the widgets. Signed-off-by: John Hsu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6c4a8ae4baa6393b6adba0ac3c514cbaa1479a98 Author: John Hsu Date: Mon Mar 11 09:36:45 2019 +0800 ASoC: nau8824: fix the issue of the widget with prefix name [ Upstream commit 844a4a362dbec166b44d6b9b3dd45b08cb273703 ] The driver has two issues when machine add prefix name for codec. (1)The stream name of DAI can't find the AIF widgets. (2)The drivr can enable/disalbe the MICBIAS and SAR widgets. The patch will fix these issues caused by prefixed name added. Signed-off-by: John Hsu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f4f4303c6d54d7d7238776ff9afba7fbaeddf384 Author: KaiChieh Chuang Date: Fri Mar 8 13:05:53 2019 +0800 ASoC: dpcm: prevent snd_soc_dpcm use after free [ Upstream commit a9764869779081e8bf24da07ac040e8f3efcf13a ] The dpcm get from fe_clients/be_clients may be free before use Add a spin lock at snd_soc_card level, to protect the dpcm instance. The lock may be used in atomic context, so use spin lock. Use irq spin lock version, since the lock may be used in interrupts. possible race condition between void dpcm_be_disconnect( ... list_del(&dpcm->list_be); list_del(&dpcm->list_fe); kfree(dpcm); ... and for_each_dpcm_fe() for_each_dpcm_be*() race condition example Thread 1: snd_soc_dapm_mixer_update_power() -> soc_dpcm_runtime_update() -> dpcm_be_disconnect() -> kfree(dpcm); Thread 2: dpcm_fe_dai_trigger() -> dpcm_be_dai_trigger() -> snd_soc_dpcm_can_be_free_stop() -> if (dpcm->fe == fe) Excpetion Scenario: two FE link to same BE FE1 -> BE FE2 -> Thread 1: switch of mixer between FE2 -> BE Thread 2: pcm_stop FE1 Exception: Unable to handle kernel paging request at virtual address dead0000000000e0 pc=<> [] dpcm_be_dai_trigger+0x29c/0x47c sound/soc/soc-pcm.c:3226 if (dpcm->fe == fe) lr=<> [] dpcm_fe_dai_do_trigger+0x94/0x26c Backtrace: [] notify_die+0x68/0xb8 [] die+0x118/0x2a8 [] __do_kernel_fault+0x13c/0x14c [] do_translation_fault+0x64/0xa0 [] do_mem_abort+0x4c/0xd0 [] el1_da+0x24/0x40 [] dpcm_be_dai_trigger+0x29c/0x47c [] dpcm_fe_dai_do_trigger+0x94/0x26c [] dpcm_fe_dai_trigger+0x3c/0x44 [] snd_pcm_do_stop+0x50/0x5c [] snd_pcm_action+0xb4/0x13c [] snd_pcm_drop+0xa0/0x128 [] snd_pcm_common_ioctl+0x9d8/0x30f0 [] snd_pcm_ioctl_compat+0x29c/0x2f14 [] compat_SyS_ioctl+0x128/0x244 [] el0_svc_naked+0x34/0x38 [] 0xffffffffffffffff Signed-off-by: KaiChieh Chuang Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 71ec072682ff024ef57fa46fc9e8d63bf0b4bc7a Author: Rander Wang Date: Fri Mar 8 16:38:59 2019 +0800 ASoC:intel:skl:fix a simultaneous playback & capture issue on hda platform [ Upstream commit c899df3e9b0bf7b76e642aed1a214582ea7012d5 ] If playback and capture are enabled concurrently, when the capture stops the output becomes inaudile. The playback application will become stuck and underrun after a timeout. This is caused by mistaken use of the stream_id, which should only be set for playback and not for capture Tested on Apollolake and Kabylake with SST driver. Signed-off-by: Rander Wang Acked-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ad8af1f8d26eef102d5c784fe04e56c1662072f1 Author: Rander Wang Date: Fri Mar 8 16:38:58 2019 +0800 ASoC:hdac_hda:use correct format to setup hda codec [ Upstream commit 03d0aa4d4fddce4a5d865d819a4d98bfc3d451e6 ] The current implementation of the hdac_hda codec results in zero-valued samples on capture and noise with headset playback when SOF is used on platforms with an on-board HDaudio codec. This is root-caused to SOF using be_hw_params_fixup, and the prepare() call using invalid runtime fields to determine the format. This patch moves the format handling to the hw_params() callback, as done already for hdac_hdmi, to make sure the fixed-up information is taken into account but keeps the codec initialization in prepare() as the stream_tag is only available at that time. Moving everything in the prepare() callback is possible but the code is less elegant so this two-step solution was chosen. The solution was tested with the SST driver with no regressions, and all the issues with SOF playback and capture are solved. Signed-off-by: Rander Wang Acked-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 30d948ac01d98b65fb0f1bb9774e7f60cdfef107 Author: Rander Wang Date: Fri Mar 8 16:38:57 2019 +0800 ASoC:soc-pcm:fix a codec fixup issue in TDM case [ Upstream commit 570f18b6a8d1f0e60e8caf30e66161b6438dcc91 ] On HDaudio platforms, if playback is started when capture is working, there is no audible output. This can be root-caused to the use of the rx|tx_mask to store an HDaudio stream tag. If capture is stared before playback, rx_mask would be non-zero on HDaudio platform, then the channel number of playback, which is in the same codec dai with the capture, would be changed by soc_pcm_codec_params_fixup based on the tx_mask at first, then overwritten by this function based on rx_mask at last. According to the author of tx|rx_mask, tx_mask is for playback and rx_mask is for capture. And stream direction is checked at all other references of tx|rx_mask in ASoC, so here should be an error. This patch checks stream direction for tx|rx_mask for fixup function. This issue would affect not only HDaudio+ASoC, but also I2S codecs if the channel number based on rx_mask is not equal to the one for tx_mask. It could be rarely reproduecd because most drivers in kernel set the same channel number to tx|rx_mask or rx_mask is zero. Tested on all platforms using stream_tag & HDaudio and intel I2S platforms. Signed-off-by: Rander Wang Acked-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6872cfa57c4289344f8d80a03e33ee56d6c8c8b0 Author: Olivier Moysan Date: Thu Feb 28 14:19:23 2019 +0100 ASoC: stm32: sai: fix race condition in irq handler [ Upstream commit 26f98e82dd49b7c3cc5ef0edd882aa732a62b672 ] When snd_pcm_stop_xrun() is called in interrupt routine, substream context may have already been released. Add protection on substream context. Signed-off-by: Olivier Moysan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b329de3769b0120c3152a57deb3a87a283f160bf Author: Olivier Moysan Date: Thu Feb 28 14:19:22 2019 +0100 ASoC: stm32: sai: fix exposed capabilities in spdif mode [ Upstream commit b8468192971807c43a80d6e2c41f83141cb7b211 ] Change capabilities exposed in SAI S/PDIF mode, to match actually supported formats. In S/PDIF mode only 32 bits stereo is supported. Signed-off-by: Olivier Moysan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 27162c8fdfb9086a59b0c4a10a1f1afd02826826 Author: Olivier Moysan Date: Thu Feb 28 14:19:21 2019 +0100 ASoC: stm32: sai: fix iec958 controls indexation [ Upstream commit 5f8a1000c3e630c3ac06f1d664eeaa755bce8823 ] Allow indexation of sai iec958 controls according to device id. Signed-off-by: Olivier Moysan Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit aba1a357cd907acff358ea3740ab21f287ea3d5a Author: Russell King Date: Thu Feb 28 15:30:34 2019 +0000 ASoC: hdmi-codec: fix S/PDIF DAI [ Upstream commit 2e95f984aae4cf0608d0ba2189c756f2bd50b44a ] When using the S/PDIF DAI, there is no requirement to call snd_soc_dai_set_fmt() as there is no DAI format definition that defines S/PDIF. In any case, S/PDIF does not have separate clocks, this is embedded into the data stream. Consequently, when attempting to use TDA998x in S/PDIF mode, the attempt to configure TDA998x via the hw_params callback fails as the hdmi_codec_daifmt is left initialised to zero. Since the S/PDIF DAI will only be used by S/PDIF, prepare the hdmi_codec_daifmt structure for this format. Signed-off-by: Russell King Reviewed-by: Jyri Sarha Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 045c73ba325da86124b71679d0d684baccee1cf2 Author: Philipp Puschmann Date: Wed Feb 27 16:17:33 2019 +0100 ASoC: tlv320aic3x: fix reset gpio reference counting [ Upstream commit 82ad759143ed77673db0d93d53c1cde7b99917ee ] This patch fixes a bug that prevents freeing the reset gpio on unloading the module. aic3x_i2c_probe is called when loading the module and it calls list_add with a probably uninitialized list entry aic3x->list (next = prev = NULL)). So even if list_del is called it does nothing and in the end the gpio_reset is not freed. Then a repeated module probing fails silently because gpio_request fails. When moving INIT_LIST_HEAD to aic3x_i2c_probe we also have to move list_del to aic3x_i2c_remove because aic3x_remove may be called multiple times without aic3x_i2c_remove being called which leads to a NULL pointer dereference. Signed-off-by: Philipp Puschmann Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ce3a072f275a0b7214dae646d092521fef77d375 Author: Christian Gromm Date: Tue Apr 30 14:07:48 2019 +0200 staging: most: sound: pass correct device when creating a sound card commit 98592c1faca82a9024a64e4ecead68b19f81c299 upstream. This patch fixes the usage of the wrong struct device when calling function snd_card_new. Reported-by: Eugeniu Rosca Signed-off-by: Christian Gromm Fixes: 69c90cf1b2fa ("staging: most: sound: call snd_card_new with struct device") Cc: stable Signed-off-by: Greg Kroah-Hartman commit 2dbcc037de1a25b78dcb1d570ef401c7b8bdd0c1 Author: Suresh Udipi Date: Wed Apr 24 21:23:43 2019 +0200 staging: most: cdev: fix chrdev_region leak in mod_exit commit af708900e9a48c0aa46070c8a8cdf0608a1d2025 upstream. It looks like v4.18-rc1 commit [0] which upstreams mld-1.8.0 commit [1] missed to fix the memory leak in mod_exit function. Do it now. [0] aba258b7310167 ("staging: most: cdev: fix chrdev_region leak") [1] https://github.com/microchip-ais/linux/commit/a2d8f7ae7ea381 ("staging: most: cdev: fix leak for chrdev_region") Signed-off-by: Suresh Udipi Signed-off-by: Eugeniu Rosca Acked-by: Christian Gromm Fixes: aba258b73101 ("staging: most: cdev: fix chrdev_region leak") Cc: stable Signed-off-by: Greg Kroah-Hartman commit 3f57fef02fa7977ac217b72f382ea5d13a0817e0 Author: Tetsuo Handa Date: Sun Apr 7 21:58:43 2019 +0900 staging: wilc1000: Avoid GFP_KERNEL allocation from atomic context. commit ae26aa844679cdf660e12c7055f958cb90889eb6 upstream. Since wilc_set_multicast_list() is called with dev->addr_list_lock spinlock held, we can't use GFP_KERNEL memory allocation. Signed-off-by: Tetsuo Handa Fixes: e624c58cf8eb ("staging: wilc1000: refactor code to avoid use of wilc_set_multicast_list global") Cc: Ajay Singh Reviewed-by: Adham Abozaeid Cc: stable Signed-off-by: Greg Kroah-Hartman commit 9cccac4ee35f398142a277e57f23abeb7a84acb1 Author: Johan Hovold Date: Thu Apr 4 08:53:30 2019 +0200 staging: greybus: power_supply: fix prop-descriptor request size commit 47830c1127ef166af787caf2f871f23089610a7f upstream. Since moving the message buffers off the stack, the dynamically allocated get-prop-descriptor request buffer is incorrectly sized due to using the pointer rather than request-struct size when creating the operation. Fortunately, the pointer size is always larger than this one-byte request, but this could still cause trouble on the remote end due to the unexpected message size. Fixes: 9d15134d067e ("greybus: power_supply: rework get descriptors") Cc: stable # 4.9 Cc: Rui Miguel Silva Signed-off-by: Johan Hovold Reviewed-by: Rui Miguel Silva Signed-off-by: Greg Kroah-Hartman commit 9fe5b8e9d4c25d30c84703c409f2c62b074c9b2e Author: Andrey Ryabinin Date: Mon May 6 13:45:26 2019 +0300 ubsan: Fix nasty -Wbuiltin-declaration-mismatch GCC-9 warnings commit f0996bc2978e02d2ea898101462b960f6119b18f upstream. Building lib/ubsan.c with gcc-9 results in a ton of nasty warnings like this one: lib/ubsan.c warning: conflicting types for built-in function ‘__ubsan_handle_negate_overflow’; expected ‘void(void *, void *)’ [-Wbuiltin-declaration-mismatch] The kernel's declarations of __ubsan_handle_*() often uses 'unsigned long' types in parameters while GCC these parameters as 'void *' types, hence the mismatch. Fix this by using 'void *' to match GCC's declarations. Reported-by: Linus Torvalds Signed-off-by: Andrey Ryabinin Fixes: c6d308534aef ("UBSAN: run-time undefined behavior sanity checker") Cc: Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7c03a3534d24924ae6f87ea90b36fc73c4fd7c9a Author: Dexuan Cui Date: Fri Apr 12 23:34:45 2019 +0000 Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() commit a0033bd1eae4650b69be07c17cb87393da584563 upstream. With CONFIG_DEBUG_PREEMPT=y, the put_cpu_ptr() triggers an underflow warning in preempt_count_sub(). Fixes: 37cdd991fac8 ("vmbus: put related per-cpu variable together") Cc: stable@vger.kernel.org Cc: Stephen Hemminger Signed-off-by: Dexuan Cui Reviewed-by: Michael Kelley Signed-off-by: Sasha Levin (Microsoft) Signed-off-by: Greg Kroah-Hartman commit 634424f6337386fd17c782070d4b8402d264d9c7 Author: YueHaibing Date: Wed Apr 17 09:49:39 2019 +0800 net: stmmac: Use bfsize1 in ndesc_init_rx_desc commit f87db4dbd52f2f8a170a2b51cb0926221ca7c9e2 upstream. gcc warn this: drivers/net/ethernet/stmicro/stmmac/norm_desc.c: In function ndesc_init_rx_desc: drivers/net/ethernet/stmicro/stmmac/norm_desc.c:138:6: warning: variable 'bfsize1' set but not used [-Wunused-but-set-variable] Like enh_desc_init_rx_desc, we should use bfsize1 in ndesc_init_rx_desc to calculate 'p->des1' Fixes: 583e63614149 ("net: stmmac: use correct DMA buffer size in the RX descriptor") Signed-off-by: YueHaibing Reviewed-by: Aaro Koskinen Signed-off-by: David S. Miller Cc: Nobuhiro Iwamatsu Signed-off-by: Greg Kroah-Hartman