AgeCommit message (Collapse)Author
2020-06-09arm: dts: colibri-vf: fix pinmuxing issue with can_int on ptb21Colibri-VF_LXDE-Image_2.8b7.-20200610Marcel Ziswiler
The following pinmuxing error may be seen during boot: [ 20.255028] vf610-pinctrl 40048000.iomuxc: pin VF610_PAD_PTB21 already requested by 40048000.iomuxc; cannot claim for spi1.0 [ 20.281777] vf610-pinctrl 40048000.iomuxc: pin-43 (spi1.0) status -22 [ 20.296277] vf610-pinctrl 40048000.iomuxc: could not request pin 43 (VF610_PAD_PTB21) from group can_int on device 40048000.iomuxc [ 20.324217] mcp251x spi1.0: Error applying setting, reverse things back Luckily, due to the pin already being muxed as a GPIO by means of hogging it still actually functions properly. Related-to: ELB-2785 Signed-off-by: Marcel Ziswiler <>
2020-05-25KEYS: Add a facility to restrict new links into a keyringDavid Howells
commit 5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c upstream Add a facility whereby proposed new links to be added to a keyring can be vetted, permitting them to be rejected if necessary. This can be used to block public keys from which the signature cannot be verified or for which the signature verification fails. It could also be used to provide blacklisting. This affects operations like add_key(), KEYCTL_LINK and KEYCTL_INSTANTIATE. To this end: (1) A function pointer is added to the key struct that, if set, points to the vetting function. This is called as: int (*restrict_link)(struct key *keyring, const struct key_type *key_type, unsigned long key_flags, const union key_payload *key_payload), where 'keyring' will be the keyring being added to, key_type and key_payload will describe the key being added and key_flags[*] can be AND'ed with KEY_FLAG_TRUSTED. [*] This parameter will be removed in a later patch when KEY_FLAG_TRUSTED is removed. The function should return 0 to allow the link to take place or an error (typically -ENOKEY, -ENOPKG or -EKEYREJECTED) to reject the link. The pointer should not be set directly, but rather should be set through keyring_alloc(). Note that if called during add_key(), preparse is called before this method, but a key isn't actually allocated until after this function is called. (2) KEY_ALLOC_BYPASS_RESTRICTION is added. This can be passed to key_create_or_update() or key_instantiate_and_link() to bypass the restriction check. (3) KEY_FLAG_TRUSTED_ONLY is removed. The entire contents of a keyring with this restriction emplaced can be considered 'trustworthy' by virtue of being in the keyring when that keyring is consulted. (4) key_alloc() and keyring_alloc() take an extra argument that will be used to set restrict_link in the new key. This ensures that the pointer is set before the key is published, thus preventing a window of unrestrictedness. Normally this argument will be NULL. (5) As a temporary affair, keyring_restrict_trusted_only() is added. It should be passed to keyring_alloc() as the extra argument instead of setting KEY_FLAG_TRUSTED_ONLY on a keyring. This will be replaced in a later patch with functions that look in the appropriate places for authoritative keys. Tuned for toradex_vf_4.4-next Conflicts: include/linux/key.h security/keys/process_keys.c Signed-off-by: David Howells <> Reviewed-by: Mimi Zohar <> Signed-off-by: Oleksandr Suvorov <>
2020-05-25IMA: prevent keys on the .ima_blacklist from being removedMimi Zohar
commit 501f1bde66525f94403a5b78832a9218ef9b1c14 upstream Set the KEY_FLAGS_KEEP on the .ima_blacklist to prevent userspace from removing keys from the keyring. Signed-off-by: Mimi Zohar <>
2020-05-25KEYS: Generalise system_verify_data() to provide access to internal contentDavid Howells
commit e68503bd6836ba765dc8e0ee77ea675fedc07e41 upstream Generalise system_verify_data() to provide access to internal content through a callback. This allows all the PKCS#7 stuff to be hidden inside this function and removed from the PE file parser and the PKCS#7 test key. If external content is not required, NULL should be passed as data to the function. If the callback is not required, that can be set to NULL. The function is now called verify_pkcs7_signature() to contrast with verify_pefile_signature() and the definitions of both have been moved into linux/verification.h along with the key_being_used_for enum. Signed-off-by: David Howells <>
2020-05-25IMA: allow reading back the current IMA policyPetko Manolov
commit 80eae209d63ac6361c7b445f7e7e41f39c044772 upstream It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski <> Signed-off-by: Petko Manolov <> Signed-off-by: Mimi Zohar <>
2020-05-25IMA: create machine owner and blacklist keyringsPetko Manolov
commit 41c89b64d7184a780f12f2cccdabe65cb2408893 upstream This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that needs to go in .ima keyring must be signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot. IMA blacklist keyring contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and error is returned to the caller. Signed-off-by: Petko Manolov <> Signed-off-by: Mimi Zohar <>
2020-05-25IMA: policy can now be updated multiple timesPetko Manolov
commit 38d859f991f3a05b352a06f82af0baa1acf33e02 upstream The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orders of magnitude more numerous compared to writes, the match code is RCU protected. The updater side also does list splice in RCU manner. Signed-off-by: Petko Manolov <> Signed-off-by: Mimi Zohar <>
2020-05-25integrity: define '.evm' as a builtin 'trusted' keyringDmitry Kasatkin
commit f4dc37785e9b3373d0cb93125d5579fed2af3a43 upstream Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin <> Signed-off-by: Mimi Zohar <>
2020-05-25KEYS: Add an alloc flag to convey the builtinness of a keyDavid Howells
commit 5d2787cf0b210d2925e8d44e2e79241385249d6b upstream Add KEY_ALLOC_BUILT_IN to convey that a key should have KEY_FLAG_BUILTIN set rather than setting it after the fact. Tuned for toradex_vf_4.4-next Signed-off-by: David Howells <> Acked-by: Mimi Zohar <> Signed-off-by: Oleksandr Suvorov <>
2020-05-25certs: Fix misaligned data in extra certificate listDavid Howells
commit 0d1db3e37022770a221b2a7565cfe425792ed22e upstream Fix the following warning found by kbuild: certs/system_certificates.S:24: Error: misaligned data because: KEYS: Reserve an extra certificate symbol for inserting without recompiling doesn't correctly align system_extra_cert_used. Signed-off-by: David Howells <> cc: Mehmet Kayaalp <>
2020-05-25KEYS: Reserve an extra certificate symbol for inserting without recompilingMehmet Kayaalp
commit c4c36105958576fee87d2c75f4b69b6e5bbde772 upstream Place a system_extra_cert buffer of configurable size, right after the system_certificate_list, so that inserted keys can be readily processed by the existing mechanism. Added script takes a key file and a kernel image and inserts its contents to the reserved area. The system_certificate_list_size is also adjusted accordingly. Call the script as: scripts/insert-sys-cert -b <vmlinux> -c <certfile> If vmlinux has no symbol table, supply file with -s flag. Subsequent runs replace the previously inserted key, instead of appending the new one. Signed-off-by: Mehmet Kayaalp <> Signed-off-by: David Howells <> Acked-by: Mimi Zohar <>
2020-05-21colibri_vf_defconfig: add support of backports-5.4Oleksandr Suvorov
Tune Colibri VF SoM defconfig for backports-5.4. Related-to: ELB-2724 Signed-off-by: Oleksandr Suvorov <>
2020-05-21wireless: make wireless_ext and wext_priv storableOleksandr Suvorov
The config option WIRELESS_EXT and WEXT_PRIV use to build external drivers, such as backports. Make these options storable in config file to be able to set them independently. Related-to: ELB-2388 Signed-off-by: Oleksandr Suvorov <>
2020-05-21Merge tag 'v4.4.220' into toradex_vf_4.4-nextMarcel Ziswiler
This is the 4.4.220 stable release
2020-04-24Linux 4.4.220Greg Kroah-Hartman
2020-04-24x86/vdso: Fix lsl operand orderSamuel Neves
commit e78e5a91456fcecaa2efbb3706572fe043766f4d upstream. In the __getcpu function, lsl is using the wrong target and destination registers. Luckily, the compiler tends to choose %eax for both variables, so it has been working so far. Fixes: a582c540ac1b ("x86/vdso: Use RDPID in preference to LSL when available") Signed-off-by: Samuel Neves <> Signed-off-by: Thomas Gleixner <> Acked-by: Andy Lutomirski <> Cc: Link: Signed-off-by: Nobuhiro Iwamatsu (CIP) <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24x86/microcode/intel: replace sync_core() with native_cpuid_reg(eax)Evalds Iodzevics
On Intel it is required to do CPUID(1) before reading the microcode revision MSR. Current code in 4.4 an 4.9 relies on sync_core() to call CPUID, unfortunately on 32 bit machines code inside sync_core() always jumps past CPUID instruction as it depends on data structure boot_cpu_data witch are not populated correctly so early in boot sequence. It depends on: commit 5dedade6dfa2 ("x86/CPU: Add native CPUID variants returning a single datum") This patch is for 4.4 but also should apply to 4.9 Signed-off-by: Evalds Iodzevics <> Cc: Signed-off-by: Greg Kroah-Hartman <>
2020-04-24x86/CPU: Add native CPUID variants returning a single datumBorislav Petkov
commit 5dedade6dfa243c130b85d1e4daba6f027805033 upstream. ... similarly to the cpuid_<reg>() variants. Signed-off-by: Borislav Petkov <> Link: Signed-off-by: Thomas Gleixner <> Cc: Evalds Iodzevics <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24mtd: phram: fix a double free issue in error pathWen Yang
commit 49c64df880570034308e4a9a49c4bc95cf8cdb33 upstream. The variable 'name' is released multiple times in the error path, which may cause double free issues. This problem is avoided by adding a goto label to release the memory uniformly. And this change also makes the code a bit more cleaner. Fixes: 4f678a58d335 ("mtd: fix memory leaks in phram_setup") Signed-off-by: Wen Yang <> Cc: Joern Engel <> Cc: Miquel Raynal <> Cc: Richard Weinberger <> Cc: Vignesh Raghavendra <> Cc: Cc: Signed-off-by: Miquel Raynal <> Link: Signed-off-by: Greg Kroah-Hartman <>
2020-04-24mtd: lpddr: Fix a double free in probe()Dan Carpenter
commit 4da0ea71ea934af18db4c63396ba2af1a679ef02 upstream. This function is only called from lpddr_probe(). We free "lpddr" both here and in the caller, so it's a double free. The best place to free "lpddr" is in lpddr_probe() so let's delete this one. Fixes: 8dc004395d5e ("[MTD] LPDDR qinfo probing.") Signed-off-by: Dan Carpenter <> Signed-off-by: Miquel Raynal <> Link: Signed-off-by: Greg Kroah-Hartman <>
2020-04-24locktorture: Print ratio of acquisitions, not failuresPaul E. McKenney
commit 80c503e0e68fbe271680ab48f0fe29bc034b01b7 upstream. The __torture_print_stats() function in locktorture.c carefully initializes local variable "min" to statp[0].n_lock_acquired, but then compares it to statp[i].n_lock_fail. Given that the .n_lock_fail field should normally be zero, and given the initialization, it seems reasonable to display the maximum and minimum number acquisitions instead of miscomputing the maximum and minimum number of failures. This commit therefore switches from failures to acquisitions. And this turns out to be not only a day-zero bug, but entirely my own fault. I hate it when that happens! Fixes: 0af3fe1efa53 ("locktorture: Add a lock-torture kernel module") Reported-by: Will Deacon <> Signed-off-by: Paul E. McKenney <> Acked-by: Will Deacon <> Cc: Davidlohr Bueso <> Cc: Josh Triplett <> Cc: Peter Zijlstra <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24tty: evh_bytechan: Fix out of bounds accessesStephen Rothwell
commit 3670664b5da555a2a481449b3baafff113b0ac35 upstream. ev_byte_channel_send() assumes that its third argument is a 16 byte array. Some places where it is called it may not be (or we can't easily tell if it is). Newer compilers have started producing warnings about this, so make sure we actually pass a 16 byte array. There may be more elegant solutions to this, but the driver is quite old and hasn't been updated in many years. The warnings (from a powerpc allyesconfig build) are: In file included from include/linux/byteorder/big_endian.h:5, from arch/powerpc/include/uapi/asm/byteorder.h:14, from include/asm-generic/bitops/le.h:6, from arch/powerpc/include/asm/bitops.h:250, from include/linux/bitops.h:29, from include/linux/kernel.h:12, from include/asm-generic/bug.h:19, from arch/powerpc/include/asm/bug.h:109, from include/linux/bug.h:5, from include/linux/mmdebug.h:5, from include/linux/gfp.h:5, from include/linux/slab.h:15, from drivers/tty/ehv_bytechan.c:24: drivers/tty/ehv_bytechan.c: In function ‘ehv_bc_udbg_putc’: arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 is outside array bounds of ‘const char[1]’ [-Warray-bounds] 298 | r6 = be32_to_cpu(p[1]); include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of macro ‘__be32_to_cpu’ 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x)) | ^ arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro ‘be32_to_cpu’ 298 | r6 = be32_to_cpu(p[1]); | ^~~~~~~~~~~ drivers/tty/ehv_bytechan.c:166:13: note: while referencing ‘data’ 166 | static void ehv_bc_udbg_putc(char c) | ^~~~~~~~~~~~~~~~ Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor byte channel driver") Signed-off-by: Stephen Rothwell <> Tested-by: Laurentiu Tudor <> [mpe: Trim warnings from change log] Signed-off-by: Michael Ellerman <> Link: Signed-off-by: Greg Kroah-Hartman <>
2020-04-24fbdev: potential information leak in do_fb_ioctl()Dan Carpenter
commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream. The "fix" struct has a 2 byte hole after ->ywrapstep and the "fix = info->fix;" assignment doesn't necessarily clear it. It depends on the compiler. The solution is just to replace the assignment with an memcpy(). Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held") Signed-off-by: Dan Carpenter <> Cc: Andrew Morton <> Cc: Arnd Bergmann <> Cc: "Eric W. Biederman" <> Cc: Andrea Righi <> Cc: Daniel Vetter <> Cc: Sam Ravnborg <> Cc: Maarten Lankhorst <> Cc: Daniel Thompson <> Cc: Peter Rosin <> Cc: Jani Nikula <> Cc: Gerd Hoffmann <> Signed-off-by: Bartlomiej Zolnierkiewicz <> Link: Signed-off-by: Greg Kroah-Hartman <>
2020-04-24iommu/amd: Fix the configuration of GCR3 table root pointerAdrian Huang
[ Upstream commit c20f36534666e37858a14e591114d93cc1be0d34 ] The SPA of the GCR3 table root pointer[51:31] masks 20 bits. However, this requires 21 bits (Please see the AMD IOMMU specification). This leads to the potential failure when the bit 51 of SPA of the GCR3 table root pointer is 1'. Signed-off-by: Adrian Huang <> Fixes: 52815b75682e2 ("iommu/amd: Add support for IOMMUv2 domain mode") Signed-off-by: Joerg Roedel <> Signed-off-by: Sasha Levin <>
2020-04-24ext2: fix empty body warnings when -Wextra is usedRandy Dunlap
[ Upstream commit 44a52022e7f15cbaab957df1c14f7a4f527ef7cf ] When EXT2_ATTR_DEBUG is not defined, modify the 2 debug macros to use the no_printk() macro instead of <nothing>. This fixes gcc warnings when -Wextra is used: ../fs/ext2/xattr.c:252:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] ../fs/ext2/xattr.c:258:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] ../fs/ext2/xattr.c:330:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] ../fs/ext2/xattr.c:872:45: warning: suggest braces around empty body in an ‘else’ statement [-Wempty-body] I have verified that the only object code change (with gcc 7.5.0) is the reversal of some instructions from 'cmp a,b' to 'cmp b,a'. Link: Signed-off-by: Randy Dunlap <> Cc: Jan Kara <> Cc: Signed-off-by: Jan Kara <> Signed-off-by: Sasha Levin <>
2020-04-24NFS: Fix memory leaks in nfs_pageio_stop_mirroring()Trond Myklebust
[ Upstream commit 862f35c94730c9270833f3ad05bd758a29f204ed ] If we just set the mirror count to 1 without first clearing out the mirrors, we can leak queued up requests. Signed-off-by: Trond Myklebust <> Signed-off-by: Sasha Levin <>
2020-04-24compiler.h: fix error in BUILD_BUG_ON() reportingVegard Nossum
[ Upstream commit af9c5d2e3b355854ff0e4acfbfbfadcd5198a349 ] compiletime_assert() uses __LINE__ to create a unique function name. This means that if you have more than one BUILD_BUG_ON() in the same source line (which can happen if they appear e.g. in a macro), then the error message from the compiler might output the wrong condition. For this source file: #include <linux/build_bug.h> #define macro() \ BUILD_BUG_ON(1); \ BUILD_BUG_ON(0); void foo() { macro(); } gcc would output: ./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_9' declared with attribute error: BUILD_BUG_ON failed: 0 _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) However, it was not the BUILD_BUG_ON(0) that failed, so it should say 1 instead of 0. With this patch, we use __COUNTER__ instead of __LINE__, so each BUILD_BUG_ON() gets a different function name and the correct condition is printed: ./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_0' declared with attribute error: BUILD_BUG_ON failed: 1 _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) Signed-off-by: Vegard Nossum <> Signed-off-by: Andrew Morton <> Reviewed-by: Masahiro Yamada <> Reviewed-by: Daniel Santos <> Cc: Rasmus Villemoes <> Cc: Ian Abbott <> Cc: Joe Perches <> Link: Signed-off-by: Linus Torvalds <> Signed-off-by: Sasha Levin <>
2020-04-24percpu_counter: fix a data race at vm_committed_asQian Cai
[ Upstream commit 7e2345200262e4a6056580f0231cccdaffc825f3 ] "vm_committed_as.count" could be accessed concurrently as reported by KCSAN, BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35: percpu_counter_add_batch+0x83/0xd0 percpu_counter_add_batch at lib/percpu_counter.c:91 __vm_enough_memory+0xb9/0x260 dup_mm+0x3a4/0x8f0 copy_process+0x2458/0x3240 _do_fork+0xaa/0x9f0 __do_sys_clone+0x125/0x160 __x64_sys_clone+0x70/0x90 do_syscall_64+0x91/0xb05 entry_SYSCALL_64_after_hwframe+0x49/0xbe read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19: __vm_enough_memory+0x199/0x260 percpu_counter_read_positive at include/linux/percpu_counter.h:81 (inlined by) __vm_enough_memory at mm/util.c:839 mmap_region+0x1b2/0xa10 do_mmap+0x45c/0x700 vm_mmap_pgoff+0xc0/0x130 ksys_mmap_pgoff+0x6e/0x300 __x64_sys_mmap+0x33/0x40 do_syscall_64+0x91/0xb05 entry_SYSCALL_64_after_hwframe+0x49/0xbe The read is outside percpu_counter::lock critical section which results in a data race. Fix it by adding a READ_ONCE() in percpu_counter_read_positive() which could also service as the existing compiler memory barrier. Signed-off-by: Qian Cai <> Signed-off-by: Andrew Morton <> Acked-by: Marco Elver <> Link: Signed-off-by: Linus Torvalds <> Signed-off-by: Sasha Levin <>
2020-04-24ext4: do not commit super on read-only bdevEric Sandeen
[ Upstream commit c96e2b8564adfb8ac14469ebc51ddc1bfecb3ae2 ] Under some circumstances we may encounter a filesystem error on a read-only block device, and if we try to save the error info to the superblock and commit it, we'll wind up with a noisy error and backtrace, i.e.: [ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode # ------------[ cut here ]------------ generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2) WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0 ... To avoid this, commit the error info in the superblock only if the block device is writable. Reported-by: Ritesh Harjani <> Signed-off-by: Eric Sandeen <> Reviewed-by: Andreas Dilger <> Link: Signed-off-by: Theodore Ts'o <> Signed-off-by: Sasha Levin <>
2020-04-24NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context failsMisono Tomohiro
[ Upstream commit 8605cf0e852af3b2c771c18417499dc4ceed03d5 ] When dreq is allocated by nfs_direct_req_alloc(), dreq->kref is initialized to 2. Therefore we need to call nfs_direct_req_release() twice to release the allocated dreq. Usually it is called in nfs_file_direct_{read, write}() and nfs_direct_complete(). However, current code only calls nfs_direct_req_relese() once if nfs_get_lock_context() fails in nfs_file_direct_{read, write}(). So, that case would result in memory leak. Fix this by adding the missing call. Signed-off-by: Misono Tomohiro <> Signed-off-by: Trond Myklebust <> Signed-off-by: Sasha Levin <>
2020-04-24clk: tegra: Fix Tegra PMC clock out parentsSowjanya Komatineni
[ Upstream commit 6fe38aa8cac3a5db38154331742835a4d9740788 ] Tegra PMC clocks clk_out_1, clk_out_2, and clk_out_3 supported parents are osc, osc_div2, osc_div4 and extern clock. Clock driver is using incorrect parents clk_m, clk_m_div2, clk_m_div4 for PMC clocks. This patch fixes this. Tested-by: Dmitry Osipenko <> Reviewed-by: Dmitry Osipenko <> Signed-off-by: Sowjanya Komatineni <> Signed-off-by: Thierry Reding <> Signed-off-by: Sasha Levin <>
2020-04-24clk: at91: usb: continue if clk_hw_round_rate() return zeroClaudiu Beznea
[ Upstream commit b0ecf1c6c6e82da4847900fad0272abfd014666d ] clk_hw_round_rate() may call round rate function of its parents. In case of SAM9X60 two of USB parrents are PLLA and UPLL. These clocks are controlled by clk-sam9x60-pll.c driver. The round rate function for this driver is sam9x60_pll_round_rate() which call in turn sam9x60_pll_get_best_div_mul(). In case the requested rate is not in the proper range (rate < characteristics->output[0].min && rate > characteristics->output[0].max) the sam9x60_pll_round_rate() will return a negative number to its caller (called by clk_core_round_rate_nolock()). clk_hw_round_rate() will return zero in case a negative number is returned by clk_core_round_rate_nolock(). With this, the USB clock will continue its rate computation even caller of clk_hw_round_rate() returned an error. With this, the USB clock on SAM9X60 may not chose the best parent. I detected this after a suspend/resume cycle on SAM9X60. Signed-off-by: Claudiu Beznea <> Link: Signed-off-by: Stephen Boyd <> Signed-off-by: Sasha Levin <>
2020-04-24of: unittest: kmemleak in of_unittest_platform_populate()Frank Rowand
[ Upstream commit 216830d2413cc61be3f76bc02ffd905e47d2439e ] kmemleak reports several memory leaks from devicetree unittest. This is the fix for problem 2 of 5. of_unittest_platform_populate() left an elevated reference count for grandchild nodes (which are platform devices). Fix the platform device reference counts so that the memory will be freed. Fixes: fb2caa50fbac ("of/selftest: add testcase for nodes with same name and address") Reported-by: Erhard F. <> Signed-off-by: Frank Rowand <> Signed-off-by: Rob Herring <> Signed-off-by: Sasha Levin <>
2020-04-24of: fix missing kobject init for !SYSFS && OF_DYNAMIC configRob Herring
[ Upstream commit bd82bbf38cbe27f2c65660da801900d71bcc5cc8 ] The ref counting is broken for OF_DYNAMIC when sysfs is disabled because the kobject initialization is skipped. Only the properties add/remove/update should be skipped for !SYSFS config. Tested-by: Nicolas Pitre <> Reviewed-by: Frank Rowand <> Acked-by: Grant Likely <> Signed-off-by: Rob Herring <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24soc: qcom: smem: Use le32_to_cpu for comparisonChris Lew
[ Upstream commit a216000f0140f415cec96129f777b5234c9d142f ] Endianness can vary in the system, add le32_to_cpu when comparing partition sizes from smem. Signed-off-by: Chris Lew <> Acked-by: Bjorn Andersson <> Signed-off-by: Andy Gross <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24rtc: pm8xxx: Fix issue in RTC write pathMohit Aggarwal
[ Upstream commit 83220bf38b77a830f8e62ab1a0d0408304f9b966 ] In order to set time in rtc, need to disable rtc hw before writing into rtc registers. Also fixes disabling of alarm while setting rtc time. Signed-off-by: Mohit Aggarwal <> Signed-off-by: Alexandre Belloni <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24wil6210: rate limit wil_rx_refill errorDedy Lansky
[ Upstream commit 3d6b72729cc2933906de8d2c602ae05e920b2122 ] wil_err inside wil_rx_refill can flood the log buffer. Replace it with wil_err_ratelimited. Signed-off-by: Dedy Lansky <> Signed-off-by: Maya Erez <> Signed-off-by: Kalle Valo <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24scsi: ufs: ufs-qcom: remove broken hci version quirkSubhash Jadavani
[ Upstream commit 69a6fff068567469c0ef1156ae5ac8d3d71701f0 ] UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION is only applicable for QCOM UFS host controller version 2.x.y and this has been fixed from version 3.x.y onwards, hence this change removes this quirk for version 3.x.y onwards. [mkp: applied by hand] Signed-off-by: Subhash Jadavani <> Signed-off-by: Asutosh Das <> Signed-off-by: Martin K. Petersen <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24wil6210: fix temperature debugfsDedy Lansky
[ Upstream commit 6d9eb7ebae3d7e951bc0999235ae7028eb4cae4f ] For negative temperatures, "temp" debugfs is showing wrong values. Use signed types so proper calculations is done for sub zero temperatures. Signed-off-by: Dedy Lansky <> Signed-off-by: Maya Erez <> Signed-off-by: Kalle Valo <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24wil6210: increase firmware ready timeoutHamad Kadmany
[ Upstream commit 6ccae584014ef7074359eb4151086beef66ecfa9 ] Firmware ready event may take longer than current timeout in some scenarios, for example with multiple RFs connected where each requires an initial calibration. Increase the timeout to support these scenarios. Signed-off-by: Hamad Kadmany <> Signed-off-by: Maya Erez <> Signed-off-by: Kalle Valo <> Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problemJoe Moriarty
commit 22a07038c0eaf4d1315a493ce66dcd255accba19 upstream. The Parfait (version 2.1.0) static code analysis tool found the following NULL pointer derefernce problem. - drivers/gpu/drm/drm_dp_mst_topology.c The call to drm_dp_calculate_rad() in function drm_dp_port_setup_pdt() could result in a NULL pointer being returned to port->mstb due to a failure to allocate memory for port->mstb. Signed-off-by: Joe Moriarty <> Reviewed-by: Steven Sistare <> Signed-off-by: Daniel Vetter <> Link: Signed-off-by: Lee Jones <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24video: fbdev: sis: Remove unnecessary parentheses and commented codeNathan Chancellor
commit 864eb1afc60cb43e7df879b97f8ca0d719bbb735 upstream. Clang warns when multiple pairs of parentheses are used for a single conditional statement. drivers/video/fbdev/sis/init301.c:851:42: warning: equality comparison with extraneous parentheses [-Wparentheses-equality] } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* || ~~~~~~~~~~~~~~~~~~~~~~~~^~~~ drivers/video/fbdev/sis/init301.c:851:42: note: remove extraneous parentheses around the comparison to silence this warning } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* || ~ ^ ~ drivers/video/fbdev/sis/init301.c:851:42: note: use '=' to turn this equality comparison into an assignment } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* || ^~ = 1 warning generated. Remove the parentheses and while we're at it, clean up the commented code, which has been here since the beginning of git history. Link: Signed-off-by: Nathan Chancellor <> Cc: Thomas Winischhofer <> Signed-off-by: Bartlomiej Zolnierkiewicz <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24ALSA: hda: Don't release card at firmware loading errorTakashi Iwai
commit 25faa4bd37c10f19e4b848b9032a17a3d44c6f09 upstream. At the error path of the firmware loading error, the driver tries to release the card object and set NULL to drvdata. This may be referred badly at the possible PM action, as the driver itself is still bound and the PM callbacks read the card object. Instead, we continue the probing as if it were no option set. This is often a better choice than the forced abort, too. Fixes: 5cb543dba986 ("ALSA: hda - Deferred probing with request_firmware_nowait()") BugLink: Link: Signed-off-by: Takashi Iwai <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24scsi: sg: add sg_remove_request in sg_common_writeLi Bin
commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream. If the dxfer_len is greater than 256M then the request is invalid and we need to call sg_remove_request in sg_common_write. Link: Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M") Acked-by: Douglas Gilbert <> Signed-off-by: Li Bin <> Signed-off-by: Martin K. Petersen <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24tracing: Fix the race between registering 'snapshot' event trigger and ↵Xiao Yang
triggering 'snapshot' operation commit 0bbe7f719985efd9adb3454679ecef0984cb6800 upstream. Traced event can trigger 'snapshot' operation(i.e. calls snapshot_trigger() or snapshot_count_trigger()) when register_snapshot_trigger() has completed registration but doesn't allocate buffer for 'snapshot' event trigger. In the rare case, 'snapshot' operation always detects the lack of allocated buffer so make register_snapshot_trigger() allocate buffer first. in kselftest reproduces the issue on slow vm: ----------------------------------------------------------- cat trace ... ftracetest-3028 [002] .... 236.784290: sched_process_fork: comm=ftracetest pid=3028 child_comm=ftracetest child_pid=3036 <...>-2875 [003] .... 240.460335: tracing_snapshot_instance_cond: *** SNAPSHOT NOT ALLOCATED *** <...>-2875 [003] .... 240.460338: tracing_snapshot_instance_cond: *** stopping trace here! *** ----------------------------------------------------------- Link: Cc: Fixes: 93e31ffbf417a ("tracing: Add 'snapshot' event trigger command") Signed-off-by: Xiao Yang <> Signed-off-by: Steven Rostedt (VMware) <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24x86/mitigations: Clear CPU buffers on the SYSCALL fast pathBorislav Petkov
The fast SYSCALL exit path returns with SYSRET to userspace after verifying that there's no pending work. MDS mitigation mandates that CPU buffers must be cleared on transition from kernel to userspace so do that here too. Signed-off-by: Borislav Petkov <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBDJim Mattson
commit 396d2e878f92ec108e4293f1c77ea3bc90b414ff upstream. The host reports support for the synthetic feature X86_FEATURE_SSBD when any of the three following hardware features are set: CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] CPUID.80000008H:EBX.AMD_SSBD[bit 24] CPUID.80000008H:EBX.VIRT_SSBD[bit 25] Either of the first two hardware features implies the existence of the IA32_SPEC_CTRL MSR, but CPUID.80000008H:EBX.VIRT_SSBD[bit 25] does not. Therefore, CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] should only be set in the guest if CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] or CPUID.80000008H:EBX.AMD_SSBD[bit 24] is set on the host. Fixes: 0c54914d0c52a ("KVM: x86: use Intel speculation bugs and features as derived in generic x86 code") Signed-off-by: Jim Mattson <> Reviewed-by: Jacob Xu <> Reviewed-by: Peter Shier <> Cc: Paolo Bonzini <> Reported-by: Eric Biggers <> Signed-off-by: Paolo Bonzini <> [bwh: Backported to 4.x: adjust indentation] Signed-off-by: Ben Hutchings <> Signed-off-by: Sasha Levin <>
2020-04-24dm flakey: check for null arg_name in parse_features()Goldwyn Rodrigues
[ Upstream commit 7690e25302dc7d0cd42b349e746fe44b44a94f2b ] One can crash dm-flakey by specifying more feature arguments than the number of features supplied. Checking for null in arg_name avoids this. dmsetup create flakey-test --table "0 66076080 flakey /dev/sdb9 0 0 180 2 drop_writes" Signed-off-by: Goldwyn Rodrigues <> Signed-off-by: Mike Snitzer <> Signed-off-by: Sasha Levin <>
2020-04-24ext4: do not zeroout extents beyond i_disksizeJan Kara
commit 801674f34ecfed033b062a0f217506b93c8d5e8a upstream. We do not want to create initialized extents beyond end of file because for e2fsck it is impossible to distinguish them from a case of corrupted file size / extent tree and so it complains like: Inode 12, i_size is 147456, should be 163840. Fix? no Code in ext4_ext_convert_to_initialized() and ext4_split_convert_extents() try to make sure it does not create initialized extents beyond inode size however they check against inode->i_size which is wrong. They should instead check against EXT4_I(inode)->i_disksize which is the current inode size on disk. That's what e2fsck is going to see in case of crash before all dirty data is written. This bug manifests as generic/456 test failure (with recent enough fstests where fsx got fixed to properly pass FALLOC_KEEP_SIZE_FL flags to the kernel) when run with dioread_lock mount option. CC: Fixes: 21ca087a3891 ("ext4: Do not zero out uninitialized extents beyond i_size") Reviewed-by: Lukas Czerner <> Signed-off-by: Jan Kara <> Signed-off-by: Theodore Ts'o <> Link: Signed-off-by: Theodore Ts'o <> Signed-off-by: Greg Kroah-Hartman <>
2020-04-24mac80211_hwsim: Use kstrndup() in place of kasprintf()Tuomas Tynkkynen
commit 7ea862048317aa76d0f22334202779a25530980c upstream. syzbot reports a warning: precision 33020 too large WARNING: CPU: 0 PID: 9618 at lib/vsprintf.c:2471 set_precision+0x150/0x180 lib/vsprintf.c:2471 vsnprintf+0xa7b/0x19a0 lib/vsprintf.c:2547 kvasprintf+0xb2/0x170 lib/kasprintf.c:22 kasprintf+0xbb/0xf0 lib/kasprintf.c:59 hwsim_del_radio_nl+0x63a/0x7e0 drivers/net/wireless/mac80211_hwsim.c:3625 genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline] ... entry_SYSCALL_64_after_hwframe+0x49/0xbe Thus it seems that kasprintf() with "%.*s" format can not be used for duplicating a string with arbitrary length. Replace it with kstrndup(). Note that later this string is limited to NL80211_WIPHY_NAME_MAXLEN == 64, but the code is simpler this way. Reported-by: Reported-by: Cc: Signed-off-by: Tuomas Tynkkynen <> Link: [johannes: add note about length limit] Signed-off-by: Johannes Berg <> Signed-off-by: Greg Kroah-Hartman <>