1. 11 Jun, 2019 40 commits
    • Hante Meuleman's avatar
      brcmfmac: Add length checks on firmware events · 6da841e9
      Hante Meuleman authored
      commit 0aedbcaf
      
       upstream.
      
      Add additional length checks on firmware events to create more
      robust code.
      Reviewed-by: default avatarArend Van Spriel <arend@broadcom.com>
      Reviewed-by: default avatarFranky (Zhenhui) Lin <frankyl@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieterpg@broadcom.com>
      Reviewed-by: default avatarLei Zhang <leizh@broadcom.com>
      Signed-off-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 4.4:
       - Drop changes to brcmf_wowl_nd_results()
       - Adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6da841e9
    • Daniel Axtens's avatar
      bnx2x: disable GSO where gso_size is too big for hardware · c55a2cff
      Daniel Axtens authored
      commit 8914a595
      
       upstream.
      
      If a bnx2x card is passed a GSO packet with a gso_size larger than
      ~9700 bytes, it will cause a firmware error that will bring the card
      down:
      
      bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
      bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
      bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
      bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
      ... (dump of values continues) ...
      
      Detect when the mac length of a GSO packet is greater than the maximum
      packet size (9700 bytes) and disable GSO.
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c55a2cff
    • Todd Kjos's avatar
      binder: replace "%p" with "%pK" · c53c1a82
      Todd Kjos authored
      commit 8ca86f16
      
       upstream.
      
      The format specifier "%p" can leak kernel addresses. Use
      "%pK" instead. There were 4 remaining cases in binder.c.
      Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 4.4: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c53c1a82
    • Ben Hutchings's avatar
      binder: Replace "%p" with "%pK" for stable · 5280efe4
      Ben Hutchings authored
      This was done as part of upstream commits fdfb4a99 "8inder:
      separate binder allocator structure from binder proc", 19c98724
      "binder: separate out binder_alloc functions", and 7a4408c6
      
      
      "binder: make sure accesses to proc/thread are safe".  However, those
      commits made lots of other changes that are not suitable for stable.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5280efe4
    • Joe Burmeister's avatar
      tty: max310x: Fix external crystal register setup · 5db0a9c3
      Joe Burmeister authored
      
      
      commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream.
      
      The datasheet states:
      
        Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking
      (crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable
      clocking
        Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal
      oscillator. When using an external clock source at XIN, CrystalEn must
      be set low.
      
      The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not.
      
      This was required to make the MAX3107 with an external crystal on our
      board able to send or receive data.
      Signed-off-by: default avatarJoe Burmeister <joe.burmeister@devtank.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5db0a9c3
    • Jorge Ramirez-Ortiz's avatar
      tty: serial: msm_serial: Fix XON/XOFF · e4987453
      Jorge Ramirez-Ortiz authored
      commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream.
      
      When the tty layer requests the uart to throttle, the current code
      executing in msm_serial will trigger "Bad mode in Error Handler" and
      generate an invalid stack frame in pstore before rebooting (that is if
      pstore is indeed configured: otherwise the user shall just notice a
      reboot with no further information dumped to the console).
      
      This patch replaces the PIO byte accessor with the word accessor
      already used in PIO mode.
      
      Fixes: 68252424
      
       ("tty: serial: msm: Support big-endian CPUs")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Reviewed-by: default avatarStephen Boyd <swboyd@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e4987453
    • Lyude Paul's avatar
      drm/nouveau/i2c: Disable i2c bus access after ->fini() · 986adddb
      Lyude Paul authored
      
      
      commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream.
      
      For a while, we've had the problem of i2c bus access not grabbing
      a runtime PM ref when it's being used in userspace by i2c-dev, resulting
      in nouveau spamming the kernel log with errors if anything attempts to
      access the i2c bus while the GPU is in runtime suspend. An example:
      
      [  130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff
      
      Since the GPU is in runtime suspend, the MMIO region that the i2c bus is
      on isn't accessible. On x86, the standard behavior for accessing an
      unavailable MMIO region is to just return ~0.
      
      Except, that turned out to be a lie. While computers with a clean
      concious will return ~0 in this scenario, some machines will actually
      completely hang a CPU on certian bad MMIO accesses. This was witnessed
      with someone's Lenovo ThinkPad P50, where sensors-detect attempting to
      access the i2c bus while the GPU was suspended would result in a CPU
      hang:
      
        CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1
        Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017
        RIP: 0010:ioread32+0x2b/0x30
        Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3
        48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 <c3> 0f 1f
        40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48
        RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13
        RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186
        RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4
        RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7
        R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000
        R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000
        FS:  00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         g94_i2c_aux_xfer+0x326/0x850 [nouveau]
         nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau]
         __i2c_transfer+0x14b/0x620
         i2c_smbus_xfer_emulated+0x159/0x680
         ? _raw_spin_unlock_irqrestore+0x1/0x60
         ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0
         ? __lock_is_held+0x59/0xa0
         __i2c_smbus_xfer+0x138/0x5a0
         i2c_smbus_xfer+0x4f/0x80
         i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev]
         i2cdev_ioctl+0x1db/0x2c0 [i2c_dev]
         do_vfs_ioctl+0x408/0x750
         ksys_ioctl+0x5e/0x90
         __x64_sys_ioctl+0x16/0x20
         do_syscall_64+0x60/0x1e0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f25317f546b
        Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff
        ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01
        f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48
        RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
        RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b
        RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003
        RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0
        R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80
        R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0
        watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438]
      
      Yikes! While I wanted to try to make it so that accessing an i2c bus on
      nouveau would wake up the GPU as needed, airlied pointed out that pretty
      much any usecase for userspace accessing an i2c bus on a GPU (mainly for
      the DDC brightness control that some displays have) is going to only be
      useful while there's at least one display enabled on the GPU anyway, and
      the GPU never sleeps while there's displays running.
      
      Since teaching the i2c bus to wake up the GPU on userspace accesses is a
      good deal more difficult than it might seem, mostly due to the fact that
      we have to use the i2c bus during runtime resume of the GPU, we instead
      opt for the easiest solution: don't let userspace access i2c busses on
      the GPU at all while it's in runtime suspend.
      
      Changes since v1:
      * Also disable i2c busses that run over DP AUX
      Signed-off-by: default avatarLyude Paul <lyude@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      986adddb
    • Steffen Maier's avatar
      scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) · af34de02
      Steffen Maier authored
      commit ef4021fe5fd77ced0323cede27979d80a56211ca upstream.
      
      When the user tries to remove a zfcp port via sysfs, we only rejected it if
      there are zfcp unit children under the port. With purely automatically
      scanned LUNs there are no zfcp units but only SCSI devices. In such cases,
      the port_remove erroneously continued. We close the port and this
      implicitly closes all LUNs under the port. The SCSI devices survive with
      their private zfcp_scsi_dev still holding a reference to the "removed"
      zfcp_port (still allocated but invisible in sysfs) [zfcp_get_port_by_wwpn
      in zfcp_scsi_slave_alloc]. This is not a problem as long as the fc_rport
      stays blocked. Once (auto) port scan brings back the removed port, we
      unblock its fc_rport again by design.  However, there is no mechanism that
      would recover (open) the LUNs under the port (no "ersfs_3" without
      zfcp_unit [zfcp_erp_strategy_followup_success]).  Any pending or new I/O to
      such LUN leads to repeated:
      
        Done: NEEDS_RETRY Result: hostbyte=DID_IMM_RETRY driverbyte=DRIVER_OK
      
      See also v4.10 commit 6f2ce1c6 ("scsi: zfcp: fix rport unblock race
      with LUN recovery"). Even a manual LUN recovery
      (echo 0 > /sys/bus/scsi/devices/H:C:T:L/zfcp_failed)
      does not help, as the LUN links to the old "removed" port which remains
      to lack ZFCP_STATUS_COMMON_RUNNING [zfcp_erp_required_act].
      The only workaround is to first ensure that the fc_rport is blocked
      (e.g. port_remove again in case it was re-discovered by (auto) port scan),
      then delete the SCSI devices, and finally re-discover by (auto) port scan.
      The port scan includes an fc_rport unblock, which in turn triggers
      a new scan on the scsi target to freshly get new pure auto scan LUNs.
      
      Fix this by rejecting port_remove also if there are SCSI devices
      (even without any zfcp_unit) under this port. Re-use mechanics from v3.7
      commit d99b601b
      
       ("[SCSI] zfcp: restore refcount check on port_remove").
      However, we have to give up zfcp_sysfs_port_units_mutex earlier in unit_add
      to prevent a deadlock with scsi_host scan taking shost->scan_mutex first
      and then zfcp_sysfs_port_units_mutex now in our zfcp_scsi_slave_alloc().
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Fixes: b62a8d9b ("[SCSI] zfcp: Use SCSI device data zfcp scsi dev instead of zfcp unit")
      Fixes: f8210e34
      
       ("[SCSI] zfcp: Allow midlayer to scan for LUNs when running in NPIV mode")
      Cc: <stable@vger.kernel.org> #2.6.37+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af34de02
    • Steffen Maier's avatar
      scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove · e85d0025
      Steffen Maier authored
      
      
      commit d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 upstream.
      
      With this early return due to zfcp_unit child(ren), we don't use the
      zfcp_port reference from the earlier zfcp_get_port_by_wwpn() anymore and
      need to put it.
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Fixes: d99b601b
      
       ("[SCSI] zfcp: restore refcount check on port_remove")
      Cc: <stable@vger.kernel.org> #3.7+
      Reviewed-by: default avatarJens Remus <jremus@linux.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e85d0025
    • Mauro Carvalho Chehab's avatar
      media: smsusb: better handle optional alignment · 8282730a
      Mauro Carvalho Chehab authored
      
      
      commit a47686636d84eaec5c9c6e84bd5f96bed34d526d upstream.
      
      Most Siano devices require an alignment for the response.
      
      Changeset f3be52b0056a ("media: usb: siano: Fix general protection fault in smsusb")
      changed the logic with gets such aligment, but it now produces a
      sparce warning:
      
      drivers/media/usb/siano/smsusb.c: In function 'smsusb_init_device':
      drivers/media/usb/siano/smsusb.c:447:37: warning: 'in_maxp' may be used uninitialized in this function [-Wmaybe-uninitialized]
        447 |   dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
            |                             ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      The sparse message itself is bogus, but a broken (or fake) USB
      eeprom could produce a negative value for response_alignment.
      
      So, change the code in order to check if the result is not
      negative.
      
      Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb")
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8282730a
    • Alan Stern's avatar
      media: usb: siano: Fix false-positive "uninitialized variable" warning · 0bce1ea8
      Alan Stern authored
      
      
      commit 45457c01171fd1488a7000d1751c06ed8560ee38 upstream.
      
      GCC complains about an apparently uninitialized variable recently
      added to smsusb_init_device().  It's a false positive, but to silence
      the warning this patch adds a trivial initialization.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bce1ea8
    • Alan Stern's avatar
      media: usb: siano: Fix general protection fault in smsusb · b1782be7
      Alan Stern authored
      
      
      commit 31e0456de5be379b10fea0fa94a681057114a96e upstream.
      
      The syzkaller USB fuzzer found a general-protection-fault bug in the
      smsusb part of the Siano DVB driver.  The fault occurs during probe
      because the driver assumes without checking that the device has both
      IN and OUT endpoints and the IN endpoint is ep1.
      
      By slightly rearranging the driver's initialization code, we can make
      the appropriate checks early on and thus avoid the problem.  If the
      expected endpoints aren't present, the new code safely returns -ENODEV
      from the probe routine.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1782be7
    • Oliver Neukum's avatar
      USB: rio500: fix memory leak in close after disconnect · d52c0ffb
      Oliver Neukum authored
      
      
      commit e0feb73428b69322dd5caae90b0207de369b5575 upstream.
      
      If a disconnected device is closed, rio_close() must free
      the buffers.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d52c0ffb
    • Oliver Neukum's avatar
      USB: rio500: refuse more than one device at a time · b92be99a
      Oliver Neukum authored
      
      
      commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream.
      
      This driver is using a global variable. It cannot handle more than
      one device at a time. The issue has been existing since the dawn
      of the driver.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b92be99a
    • Maximilian Luz's avatar
      USB: Add LPM quirk for Surface Dock GigE adapter · ee9d750e
      Maximilian Luz authored
      
      
      commit ea261113385ac0a71c2838185f39e8452d54b152 upstream.
      
      Without USB_QUIRK_NO_LPM ethernet will not work and rtl8152 will
      complain with
      
          r8152 <device...>: Stop submitting intr, status -71
      
      Adding the quirk resolves this. As the dock is externally powered, this
      should not have any drawbacks.
      Signed-off-by: default avatarMaximilian Luz <luzmaximilian@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee9d750e
    • Oliver Neukum's avatar
      USB: sisusbvga: fix oops in error path of sisusb_probe · 30e66d7d
      Oliver Neukum authored
      
      
      commit 9a5729f68d3a82786aea110b1bfe610be318f80a upstream.
      
      The pointer used to log a failure of usb_register_dev() must
      be set before the error is logged.
      
      v2: fix that minor is not available before registration
      Signed-off-by: default avataroliver Neukum <oneukum@suse.com>
      Reported-by: syzbot+a0cbdbd6d169020c8959@syzkaller.appspotmail.com
      Fixes: 7b5cd5fe
      
       ("USB: SisUSB2VGA: Convert printk to dev_* macros")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30e66d7d
    • Alan Stern's avatar
      USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor · 018b7ea9
      Alan Stern authored
      
      
      commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream.
      
      The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
      USB core, caused by a failure to check the actual size of a BOS
      descriptor.  This patch adds a check to make sure the descriptor is at
      least as large as it is supposed to be, so that the code doesn't
      inadvertently access memory beyond the end of the allocated region
      when assigning to dev->bos->desc->bNumDeviceCaps later on.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      018b7ea9
    • Carsten Schmid's avatar
      usb: xhci: avoid null pointer deref when bos field is NULL · f5e1ec93
      Carsten Schmid authored
      
      
      commit 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e upstream.
      
      With defective USB sticks we see the following error happen:
      usb 1-3: new high-speed USB device number 6 using xhci_hcd
      usb 1-3: device descriptor read/64, error -71
      usb 1-3: device descriptor read/64, error -71
      usb 1-3: new high-speed USB device number 7 using xhci_hcd
      usb 1-3: device descriptor read/64, error -71
      usb 1-3: unable to get BOS descriptor set
      usb 1-3: New USB device found, idVendor=0781, idProduct=5581
      usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      ...
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      
      This comes from the following place:
      [ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
      [ 1660.222092] PGD 0 P4D 0
      [ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI
      [ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P     U  W  O    4.14.67-apl #1
      [ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore]
      [ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000
      [ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
      [ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046
      [ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002
      [ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2
      [ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001
      [ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000
      [ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000
      [ 1660.499494] FS:  0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000
      [ 1660.508530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0
      [ 1660.522917] Call Trace:
      [ 1660.525657]  usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore]
      [ 1660.531792]  usb_disable_device+0x242/0x260 [usbcore]
      [ 1660.537439]  usb_disconnect+0xc1/0x2b0 [usbcore]
      [ 1660.542600]  hub_event+0x596/0x18f0 [usbcore]
      [ 1660.547467]  ? trace_preempt_on+0xdf/0x100
      [ 1660.552040]  ? process_one_work+0x1c1/0x410
      [ 1660.556708]  process_one_work+0x1d2/0x410
      [ 1660.561184]  ? preempt_count_add.part.3+0x21/0x60
      [ 1660.566436]  worker_thread+0x2d/0x3f0
      [ 1660.570522]  kthread+0x122/0x140
      [ 1660.574123]  ? process_one_work+0x410/0x410
      [ 1660.578792]  ? kthread_create_on_node+0x60/0x60
      [ 1660.583849]  ret_from_fork+0x3a/0x50
      [ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00
      [ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70
      [ 1660.617921] CR2: 0000000000000008
      
      Tracking this down shows that udev->bos is NULL in the following code:
      (xhci.c, in xhci_set_usb2_hardware_lpm)
      	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);  <<<<<<< here
      
      	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
      			enable ? "enable" : "disable", port_num + 1);
      
      	if (enable) {
      		/* Host supports BESL timeout instead of HIRD */
      		if (udev->usb2_hw_lpm_besl_capable) {
      			/* if device doesn't have a preferred BESL value use a
      			 * default one which works with mixed HIRD and BESL
      			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
      			 */
      			if ((field & USB_BESL_SUPPORT) &&
      			    (field & USB_BESL_BASELINE_VALID))
      				hird = USB_GET_BESL_BASELINE(field);
      			else
      				hird = udev->l1_params.besl;
      
      The failing case is when disabling LPM. So it is sufficient to avoid
      access to udev->bos by moving the instruction into the "enable" clause.
      
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarCarsten Schmid <carsten_schmid@mentor.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5e1ec93
    • Andrey Smirnov's avatar
      xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() · 017e6726
      Andrey Smirnov authored
      
      
      commit f7fac17ca925faa03fc5eb854c081a24075f8bad upstream.
      
      Xhci_handshake() implements the algorithm already captured by
      readl_poll_timeout_atomic(). Convert the former to use the latter to
      avoid repetition.
      
      Turned out this patch also fixes a bug on the AMD Stoneyridge platform
      where usleep(1) sometimes takes over 10ms.
      This means a 5 second timeout can easily take over 15 seconds which will
      trigger the watchdog and reboot the system.
      
      [Add info about patch fixing a bug to commit message -Mathias]
      Signed-off-by: default avatarAndrey Smirnov <andrew.smirnov@gmail.com>
      Tested-by: default avatarRaul E Rangel <rrangel@chromium.org>
      Reviewed-by: default avatarRaul E Rangel <rrangel@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      017e6726
    • Konrad Rzeszutek Wilk's avatar
      xen/pciback: Don't disable PCI_COMMAND on PCI device reset. · f1613a9e
      Konrad Rzeszutek Wilk authored
      commit 7681f31ec9cdacab4fd10570be924f2cef6669ba upstream.
      
      There is no need for this at all. Worst it means that if
      the guest tries to write to BARs it could lead (on certain
      platforms) to PCI SERR errors.
      
      Please note that with af6fc858
      
      
      "xen-pciback: limit guest control of command register"
      a guest is still allowed to enable those control bits (safely), but
      is not allowed to disable them and that therefore a well behaved
      frontend which enables things before using them will still
      function correctly.
      
      This is done via an write to the configuration register 0x4 which
      triggers on the backend side:
      command_write
        \- pci_enable_device
           \- pci_enable_device_flags
              \- do_pci_enable_device
                 \- pcibios_enable_device
                    \-pci_enable_resourcess
                      [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO]
      
      However guests (and drivers) which don't do this could cause
      problems, including the security issues which XSA-120 sought
      to address.
      Reported-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1613a9e
    • Daniel Axtens's avatar
      crypto: vmx - ghash: do nosimd fallback manually · 383687e1
      Daniel Axtens authored
      commit 357d065a44cdd77ed5ff35155a989f2a763e96ef upstream.
      
      VMX ghash was using a fallback that did not support interleaving simd
      and nosimd operations, leading to failures in the extended test suite.
      
      If I understood correctly, Eric's suggestion was to use the same
      data format that the generic code uses, allowing us to call into it
      with the same contexts. I wasn't able to get that to work - I think
      there's a very different key structure and data layout being used.
      
      So instead steal the arm64 approach and perform the fallback
      operations directly if required.
      
      Fixes: cc333cd6
      
       ("crypto: vmx - Adding GHASH routines for VMX module")
      Cc: stable@vger.kernel.org # v4.1+
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      383687e1
    • Antoine Tenart's avatar
      net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value · 61ba8e9f
      Antoine Tenart authored
      [ Upstream commit 21808437214637952b61beaba6034d97880fbeb3 ]
      
      MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but
      the current code is passing the global tx queue offset, so it ends
      up writing to unknown registers (between 0x8280 and 0x82fc, which
      seemed to be unused by the hardware). This fixes the issue by using
      the logical queue id instead.
      
      Fixes: 3f518509
      
       ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61ba8e9f
    • Michael Chan's avatar
      bnxt_en: Fix aggregation buffer leak under OOM condition. · 1d33a3eb
      Michael Chan authored
      [ Upstream commit 296d5b54163964b7ae536b8b57dfbd21d4e868e1 ]
      
      For every RX packet, the driver replenishes all buffers used for that
      packet and puts them back into the RX ring and RX aggregation ring.
      In one code path where the RX packet has one RX buffer and one or more
      aggregation buffers, we missed recycling the aggregation buffer(s) if
      we are unable to allocate a new SKB buffer.  This leads to the
      aggregation ring slowly running out of buffers over time.  Fix it
      by properly recycling the aggregation buffers.
      
      Fixes: c0c050c5
      
       ("bnxt_en: New Broadcom ethernet driver.")
      Reported-by: default avatarRakesh Hemnani <rhemnani@fb.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d33a3eb
    • Kloetzke Jan's avatar
      usbnet: fix kernel crash after disconnect · 332bff9d
      Kloetzke Jan authored
      
      
      [ Upstream commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d ]
      
      When disconnecting cdc_ncm the kernel sporadically crashes shortly
      after the disconnect:
      
        [   57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000
        ...
        [   58.006653] PC is at 0x0
        [   58.009202] LR is at call_timer_fn+0xec/0x1b4
        [   58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145
        [   58.020976] sp : ffffff8008003da0
        [   58.024295] x29: ffffff8008003da0 x28: 0000000000000001
        [   58.029618] x27: 000000000000000a x26: 0000000000000100
        [   58.034941] x25: 0000000000000000 x24: ffffff8008003e68
        [   58.040263] x23: 0000000000000000 x22: 0000000000000000
        [   58.045587] x21: 0000000000000000 x20: ffffffc68fac1808
        [   58.050910] x19: 0000000000000100 x18: 0000000000000000
        [   58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10
        [   58.061556] x15: 0000000000000001 x14: 000000000000006e
        [   58.066878] x13: 0000000000000000 x12: 00000000000000ba
        [   58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020
        [   58.077524] x9 : 8000100008001000 x8 : 0000000000000001
        [   58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70
        [   58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b
        [   58.093492] x3 : 0000000000000000 x2 : 0000000000000000
        [   58.098814] x1 : 0000000000000000 x0 : 0000000000000000
        ...
        [   58.205800] [<          (null)>]           (null)
        [   58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c
        [   58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128
        [   58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348
        [   58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc
        [   58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac
        [   58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac
        ...
      
      The crash happens roughly 125..130ms after the disconnect. This
      correlates with the 'delay' timer that is started on certain USB tx/rx
      errors in the URB completion handler.
      
      The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
      usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
      flight. This only makes sense if no new URBs are submitted
      concurrently, though. But the usbnet_start_xmit() can run at the same
      time on another CPU which almost unconditionally submits an URB. The
      error callback of the new URB will then schedule the timer after it was
      already stopped.
      
      The fix adds a check if the tx queue is stopped after the tx list lock
      has been taken. This should reliably prevent the submission of new URBs
      while usbnet_terminate_urbs() does its job. The same thing is done on
      the rx side even though it might be safe due to other flags that are
      checked there.
      Signed-off-by: default avatarJan Klötzke <Jan.Kloetzke@preh.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      332bff9d
    • Jisheng Zhang's avatar
      net: stmmac: fix reset gpio free missing · 16ffb5f7
      Jisheng Zhang authored
      [ Upstream commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 ]
      
      Commit 984203ce ("net: stmmac: mdio: remove reset gpio free")
      removed the reset gpio free, when the driver is unbinded or rmmod,
      we miss the gpio free.
      
      This patch uses managed API to request the reset gpio, so that the
      gpio could be freed properly.
      
      Fixes: 984203ce
      
       ("net: stmmac: mdio: remove reset gpio free")
      Signed-off-by: default avatarJisheng Zhang <Jisheng.Zhang@synaptics.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16ffb5f7
    • Chris Lesiak's avatar
      spi: Fix zero length xfer bug · 0984cb76
      Chris Lesiak authored
      
      
      [ Upstream commit 5442dcaa0d90fc376bdfc179a018931a8f43dea4 ]
      
      This fixes a bug for messages containing both zero length and
      unidirectional xfers.
      
      The function spi_map_msg will allocate dummy tx and/or rx buffers
      for use with unidirectional transfers when the hardware can only do
      a bidirectional transfer.  That dummy buffer will be used in place
      of a NULL buffer even when the xfer length is 0.
      
      Then in the function __spi_map_msg, if he hardware can dma,
      the zero length xfer will have spi_map_buf called on the dummy
      buffer.
      
      Eventually, __sg_alloc_table is called and returns -EINVAL
      because nents == 0.
      
      This fix prevents the error by not using the dummy buffer when
      the xfer length is zero.
      Signed-off-by: default avatarChris Lesiak <chris.lesiak@licor.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0984cb76
    • Geert Uytterhoeven's avatar
      spi: rspi: Fix sequencer reset during initialization · 854415f3
      Geert Uytterhoeven authored
      [ Upstream commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 ]
      
      While the sequencer is reset after each SPI message since commit
      880c6d11 ("spi: rspi: Add support for Quad and Dual SPI
      Transfers on QSPI"), it was never reset for the first message, thus
      relying on reset state or bootloader settings.
      
      Fix this by initializing it explicitly during configuration.
      
      Fixes: 0b2182dd
      
       ("spi: add support for Renesas RSPI")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      854415f3
    • Aditya Pakki's avatar
      spi : spi-topcliff-pch: Fix to handle empty DMA buffers · c9274518
      Aditya Pakki authored
      
      
      [ Upstream commit f37d8e67f39e6d3eaf4cc5471e8a3d21209843c6 ]
      
      pch_alloc_dma_buf allocated tx, rx DMA buffers which can fail. Further,
      these buffers are used without a check. The patch checks for these
      failures and sends the error upstream.
      Signed-off-by: default avatarAditya Pakki <pakki001@umn.edu>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c9274518
    • James Smart's avatar
      scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices · 445c0740
      James Smart authored
      
      
      [ Upstream commit c95a3b4b0fb8d351e2329a96f87c4fc96a149505 ]
      
      During debug, it was seen that the driver is issuing commands specific to
      SLI3 on SLI4 devices. Although the adapter correctly rejected the command,
      this should not be done.
      
      Revise the code to stop sending these commands on a SLI4 adapter.
      Signed-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      445c0740
    • Arnd Bergmann's avatar
      media: saa7146: avoid high stack usage with clang · 3a5d1133
      Arnd Bergmann authored
      [ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ]
      
      Two saa7146/hexium files contain a construct that causes a warning
      when built with clang:
      
      drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
            [-Werror,-Wframe-larger-than=]
      static int hexium_probe(struct saa7146_dev *dev)
                 ^
      drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
            [-Werror,-Wframe-larger-than=]
      static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
                 ^
      
      This one happens regardless of KASAN, and the problem is that a
      constructor to initialize a dynamically allocated structure leads
      to a copy of that structure on the stack, whereas gcc initializes
      it in place.
      
      Link: https://bugs.llvm.org/show_bug.cgi?id=40776
      
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      [hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3a5d1133
    • Arnd Bergmann's avatar
      media: go7007: avoid clang frame overflow warning with KASAN · 5a96cf10
      Arnd Bergmann authored
      [ Upstream commit ed713a4a1367aca5c0f2f329579465db00c17995 ]
      
      clang-8 warns about one function here when KASAN is enabled, even
      without the 'asan-stack' option:
      
      drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function
      
      I have reported this issue in the llvm bugzilla, but to make
      it work with the clang-8 release, a small annotation is still
      needed.
      
      Link: https://bugs.llvm.org/show_bug.cgi?id=38809
      
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      [hverkuil-cisco@xs4all.nl: fix checkpatch warning]
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5a96cf10
    • James Hutchinson's avatar
      media: m88ds3103: serialize reset messages in m88ds3103_set_frontend · 0e9f0805
      James Hutchinson authored
      [ Upstream commit 981fbe3da20a6f35f17977453bce7dfc1664d74f ]
      
      Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323
      
      Users are experiencing problems with the DVBSky S960/S960C USB devices
      since the following commit:
      
      9d659ae1
      
      : ("locking/mutex: Add lock handoff to avoid starvation")
      
      The device malfunctions after running for an indeterminable period of
      time, and the problem can only be cleared by rebooting the machine.
      
      It is possible to encourage the problem to surface by blocking the
      signal to the LNB.
      
      Further debugging revealed the cause of the problem.
      
      In the following capture:
      - thread #1325 is running m88ds3103_set_frontend
      - thread #42 is running ts2020_stat_work
      
      a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
      b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
         [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
      
      Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:
      
        a. 0x07, 0x80
        b. 0x07, 0x00
      
      However, as shown in the capture, the regmap mutex is being handed over
      to another thread (ts2020_stat_work) in between these two messages.
      
      >From here, the device responds to every i2c message with an 07 message,
      and will only return to normal operation following a power cycle.
      
      Use regmap_multi_reg_write to group the two reset messages, ensuring
      both are processed before the regmap mutex is unlocked.
      Signed-off-by: default avatarJames Hutchinson <jahutchinson99@googlemail.com>
      Reviewed-by: default avatarAntti Palosaari <crope@iki.fi>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0e9f0805
    • Arnd Bergmann's avatar
      scsi: qla4xxx: avoid freeing unallocated dma memory · 9effa389
      Arnd Bergmann authored
      [ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ]
      
      Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
      memory in get_fw_boot_info() but attempt to free it anyway:
      
      drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
            [-Werror,-Wsometimes-uninitialized]
                      if (!(val & 0x07)) {
                          ^~~~~~~~~~~~~
      drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
              dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
                                                           ^~~~~~~
      drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
                      if (!(val & 0x07)) {
                      ^~~~~~~~~~~~~~~~~~~
      drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
              dma_addr_t buf_dma;
                                ^
                                 = 0
      
      Skip the call to dma_free_coherent() here.
      
      Fixes: 2a991c21
      
       ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9effa389
    • Tony Lindgren's avatar
      usb: core: Add PM runtime calls to usb_hcd_platform_shutdown · 95f0bb0a
      Tony Lindgren authored
      
      
      [ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ]
      
      If ohci-platform is runtime suspended, we can currently get an "imprecise
      external abort" on reboot with ohci-platform loaded when PM runtime
      is implemented for the SoC.
      
      Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      95f0bb0a
    • Kangjie Lu's avatar
      tty: ipwireless: fix missing checks for ioremap · 1081d04a
      Kangjie Lu authored
      
      
      [ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ]
      
      ipw->attr_memory and ipw->common_memory are assigned with the
      return value of ioremap. ioremap may fail, but no checks
      are enforced. The fix inserts the checks to avoid potential
      NULL pointer dereferences.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1081d04a
    • Pankaj Gupta's avatar
      virtio_console: initialize vtermno value for ports · c05b2ed7
      Pankaj Gupta authored
      
      
      [ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ]
      
      For regular serial ports we do not initialize value of vtermno
      variable. A garbage value is assigned for non console ports.
      The value can be observed as a random integer with [1].
      
      [1] vim /sys/kernel/debug/virtio-ports/vport*p*
      
      This patch initialize the value of vtermno for console serial
      ports to '1' and regular serial ports are initiaized to '0'.
      
      Reported-by: siliu@redhat.com
      Signed-off-by: default avatarPankaj Gupta <pagupta@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c05b2ed7
    • Dan Carpenter's avatar
      media: wl128x: prevent two potential buffer overflows · 348ec7b9
      Dan Carpenter authored
      [ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ]
      
      Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
      can copy up to 255 bytes and we only have room for two bytes.  Even
      if this comes from the firmware and we trust it, the new policy
      generally is just to fix it as kernel hardenning.
      
      I can't test this code so I tried to be very conservative.  I considered
      not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
      whole variable but in the end I decided to allow it and manually
      initialized "asic_id" and "asic_ver" to zero.
      
      Fixes: e8454ff7
      
       ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      348ec7b9
    • Sowjanya Komatineni's avatar
      spi: tegra114: reset controller on probe · 557ae685
      Sowjanya Komatineni authored
      
      
      [ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ]
      
      Fixes: SPI driver can be built as module so perform SPI controller reset
      on probe to make sure it is in valid state before initiating transfer.
      Signed-off-by: default avatarSowjanya Komatineni <skomatineni@nvidia.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      557ae685
    • Gustavo A. R. Silva's avatar
      cxgb3/l2t: Fix undefined behaviour · 5e75d5e2
      Gustavo A. R. Silva authored
      [ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ]
      
      The use of zero-sized array causes undefined behaviour when it is not
      the last member in a structure. As it happens to be in this case.
      
      Also, the current code makes use of a language extension to the C90
      standard, but the preferred mechanism to declare variable-length
      types such as this one is a flexible array member, introduced in
      C99:
      
      struct foo {
              int stuff;
              struct boo array[];
      };
      
      By making use of the mechanism above, we will get a compiler warning
      in case the flexible array does not occur last. Which is beneficial
      to cultivate a high-quality code.
      
      Fixes: e48f129c
      
       ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5e75d5e2
    • Nicolas Saenz Julienne's avatar
      HID: core: move Usage Page concatenation to Main item · 5db3c5ad
      Nicolas Saenz Julienne authored
      
      
      [ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]
      
      As seen on some USB wireless keyboards manufactured by Primax, the HID
      parser was using some assumptions that are not always true. In this case
      it's s the fact that, inside the scope of a main item, an Usage Page
      will always precede an Usage.
      
      The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
      is interpreted as a Usage ID and concatenated with the Usage Page".
      While 6.2.2.8 states "When the parser encounters a main item it
      concatenates the last declared Usage Page with a Usage to form a
      complete usage value." Being somewhat contradictory it was decided to
      match Window's implementation, which follows 6.2.2.8.
      
      In summary, the patch moves the Usage Page concatenation from the local
      item parsing function to the main item parsing function.
      Signed-off-by: default avatarNicolas Saenz Julienne <nsaenzjulienne@suse.de>
      Reviewed-by: default avatarTerry Junge <terry.junge@poly.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5db3c5ad