commit 96c609c50beac276b773ed3427c3aa8558ba3a35
Author: Ben Hutchings
Date:   Sat Jan 11 02:05:08 2020 +0000

    Linux 3.16.81

commit f4e74a1371c84cca35e53afda50759e2d44e0507
Author: Jason Yan
Date:   Fri Dec 6 09:11:18 2019 +0800

    scsi: libsas: stop discovering if oob mode is disconnected

    commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f upstream.

    The discovering of sas port is driven by workqueue in libsas. When libsas
    is processing port events or phy events in workqueue, new events may rise
    up and change the state of some structures such as asd_sas_phy. This may
    cause some problems such as follows:

    ==>thread 1                       ==>thread 2

    ==>phy up
    ==>phy_up_v3_hw()
      ==>oob_mode = SATA_OOB_MODE;
                                      ==>phy down quickly
                                      ==>hisi_sas_phy_down()
                                        ==>sas_ha->notify_phy_event()
                                        ==>sas_phy_disconnected()
                                          ==>oob_mode = OOB_NOT_CONNECTED
    ==>workqueue wakeup
    ==>sas_form_port()
      ==>sas_discover_domain()
        ==>sas_get_port_device()
          ==>oob_mode is OOB_NOT_CONNECTED and device
             is wrongly taken as expander

    This at last leads to the panic when libsas is trying to issue a command
    to discover the device.

    [183047.614035] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
    [183047.622896] Mem abort info:
    [183047.625762] ESR = 0x96000004
    [183047.628893] Exception class = DABT (current EL), IL = 32 bits
    [183047.634888] SET = 0, FnV = 0
    [183047.638015] EA = 0, S1PTW = 0
    [183047.641232] Data abort info:
    [183047.644189] ISV = 0, ISS = 0x00000004
    [183047.648100] CM = 0, WnR = 0
    [183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000b7df67be
    [183047.657834] [0000000000000058] pgd=0000000000000000
    [183047.662789] Internal error: Oops: 96000004 [#1] SMP
    [183047.667740] Process kworker/u16:2 (pid: 31291, stack limit = 0x00000000417c4974)
    [183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
    [183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10, BIOS 0.15 10/22/2019
    [183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
    [183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
    [183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
    [183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
    [183047.717153] sp : ffff00000f28ba60
    [183047.801307] Call trace:
    [183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
    [183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
    [183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
    [183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
    [183047.826757] smp_execute_task_sg+0xec/0x218
    [183047.831013] smp_execute_task+0x74/0xa0
    [183047.834921] sas_discover_expander.part.7+0x9c/0x5f8
    [183047.839959] sas_discover_root_expander+0x90/0x160
    [183047.844822] sas_discover_domain+0x1b8/0x1e8
    [183047.849164] process_one_work+0x1b4/0x3f8
    [183047.853246] worker_thread+0x54/0x470
    [183047.856981] kthread+0x134/0x138
    [183047.860283] ret_from_fork+0x10/0x18
    [183047.870097] kernel fault(0x1) notification starting on CPU 0
    [183047.875828] kernel fault(0x1) notification finished on CPU 0
    [183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE) hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
    [183047.892418] ---[ end trace 4cc26083fc11b783 ]---
    [183047.897107] Kernel panic - not syncing: Fatal exception
    [183047.902403] kernel fault(0x5) notification starting on CPU 0
    [183047.908134] kernel fault(0x5) notification finished on CPU 0
    [183047.913865] SMP: stopping secondary CPUs
    [183047.917861] Kernel Offset: disabled
    [183047.921422] CPU features: 0x2,a2a00a38
    [183047.925243] Memory Limit: none
    [183047.928372] kernel reboot(0x2) notification starting on CPU 0
    [183047.934190] kernel reboot(0x2) notification finished on CPU 0
    [183047.940008] ---[ end Kernel panic - not syncing: Fatal exception ]---

    Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
    Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
    Reported-by: Gao Chuan
    Reviewed-by: John Garry
    Signed-off-by: Jason Yan
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Ben Hutchings

commit 3b2f9bd867e1a288b470da440992a908c5972644
Author: Ganapathi Bhat
Date:   Thu Nov 21 21:34:38 2019 +0530

    mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

    commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.

    mwifiex_process_country_ie() function parses elements of bss descriptor
    in beacon packet. When processing WLAN_EID_COUNTRY element, there is no
    upper limit check for country_ie_len before calling memcpy. The
    destination buffer domain_info->triplet is an array of length
    MWIFIEX_MAX_TRIPLET_802_11D(83). The remote attacker can build a fake AP
    with the same ssid as real AP, and send malicious beacon packet with long
    WLAN_EID_COUNTRY element (country_ie_len > 83). Attacker can force STA
    connect to fake AP on a different channel. When the victim STA connects
    to fake AP, will trigger the heap buffer overflow. Fix this by checking
    for length and if found invalid, do not connect to the AP.

    This fix addresses CVE-2019-14895.

    Reported-by: huangwen
    Signed-off-by: Ganapathi Bhat
    Signed-off-by: Kalle Valo
    [bwh: Backported to 3.16:
     - Use wiphy_dbg() instead of mwifiex_dbg()
     - Adjust filename]
    Signed-off-by: Ben Hutchings

commit 3b946bf8348fd6d5be6da08938d93e76fb7a0fdf
Author: Amitkumar Karwar
Date:   Fri Dec 4 06:13:05 2015 -0800

    mwifiex: don't follow AP if country code received from EEPROM

    commit 947d315257f9b25b0e24f5706f8184b3b00774d4 upstream.

    If device has already received country information from EEPROM, we won't
    parse AP's country IE and download it to firmware. We will also set
    regulatory flags to disable beacon hints and ignore country IE.

    Signed-off-by: Amitkumar Karwar
    Signed-off-by: Cathy Luo
    Signed-off-by: Kalle Valo
    [bwh: Backported to 3.16: adjust filenames, context]
    Signed-off-by: Ben Hutchings

commit 56c2514ac65214bfcf60b6df324e3a1d2f31e3b2
Author: YueHaibing
Date:   Wed Mar 6 07:45:08 2019 -0500

    media: cpia2: Fix use-after-free in cpia2_exit

    commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.

    Syzkaller reports this:

    BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
    Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363

    CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0xfa/0x1ce lib/dump_stack.c:113
     print_address_description+0x65/0x270 mm/kasan/report.c:187
     kasan_report+0x149/0x18d mm/kasan/report.c:317
     sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
     sysfs_remove_file include/linux/sysfs.h:519 [inline]
     driver_remove_file+0x40/0x50 drivers/base/driver.c:122
     usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
     usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
     cpia2_exit+0xa/0x16 [cpia2]
     __do_sys_delete_module kernel/module.c:1018 [inline]
     __se_sys_delete_module kernel/module.c:961 [inline]
     __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
     do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Allocated by task 8363:
     set_track mm/kasan/common.c:85 [inline]
     __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
     kmalloc include/linux/slab.h:545 [inline]
     kzalloc include/linux/slab.h:740 [inline]
     bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
     driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
     usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
     0xffffffffc1b4817c
     do_one_initcall+0xfa/0x5ca init/main.c:887
     do_init_module+0x204/0x5f6 kernel/module.c:3460
     load_module+0x66b2/0x8570 kernel/module.c:3808
     __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
     do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Freed by task 8363:
     set_track mm/kasan/common.c:85 [inline]
     __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
     slab_free_hook mm/slub.c:1430 [inline]
     slab_free_freelist_hook mm/slub.c:1457 [inline]
     slab_free mm/slub.c:3005 [inline]
     kfree+0xe1/0x270 mm/slub.c:3957
     kobject_cleanup lib/kobject.c:662 [inline]
     kobject_release lib/kobject.c:691 [inline]
     kref_put include/linux/kref.h:67 [inline]
     kobject_put+0x146/0x240 lib/kobject.c:708
     bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
     driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
     usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
     0xffffffffc1b4817c
     do_one_initcall+0xfa/0x5ca init/main.c:887
     do_init_module+0x204/0x5f6 kernel/module.c:3460
     load_module+0x66b2/0x8570 kernel/module.c:3808
     __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
     do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    The buggy address belongs to the object at ffff8881f59a6b40
     which belongs to the cache kmalloc-256 of size 256
    The buggy address is located 48 bytes inside of
     256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)

    cpia2_init does not check return value of cpia2_init, if it failed
    in usb_register_driver, there is already cleanup using driver_unregister.
    No need to call cpia2_usb_cleanup on module exit.

    Reported-by: Hulk Robot
    Signed-off-by: YueHaibing
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Ben Hutchings

commit 57087b5fae7189f036388760dd21e7a99ced313e
Author: Xiaolong Huang
Date:   Sat Dec 7 22:40:24 2019 +0800

    can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices

    commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.

    Uninitialized Kernel memory can leak to USB devices.

    Fix this by using kzalloc() instead of kmalloc().

    Signed-off-by: Xiaolong Huang
    Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
    Signed-off-by: Marc Kleine-Budde
    [bwh: Backported to 3.16: adjust filename, context]
    Signed-off-by: Ben Hutchings

commit 61749beefb4a12af7d91424bcd58ffdc072dad63
Author: Ben Hutchings
Date:   Tue Jan 7 20:33:32 2020 +0000

    Revert "sched/fair: Fix bandwidth timer clock drift condition"

    This reverts commit eb29ee5a3873134917a760bf9c416da0a089a0be, which
    was commit 512ac999d2755d2b7109e996a76b6fb8b888631d upstream. This
    introduced a regression and doesn't seem to have been suitable for
    older stable branches. (It has been fixed differently upstream.)

    Signed-off-by: Ben Hutchings

commit f01bb82f5cde15ba2f6fc17cf706196a32aecd45
Author: Theodore Ts'o
Date:   Thu Nov 7 21:43:41 2019 -0500

    ext4: add more paranoia checking in ext4_expand_extra_isize handling

    commit 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a upstream.

    It's possible to specify a non-zero s_want_extra_isize via debugging
    option, and this can cause bad things(tm) to happen when using a file
    system with an inode size of 128 bytes.

    Add better checking when the file system is mounted, as well as when
    we are actually doing the trying to do the inode expansion.

    Link: https://lore.kernel.org/r/20191110121510.GH23325@mit.edu
    Reported-by: syzbot+f8d6f8386ceacdbfff57@syzkaller.appspotmail.com
    Reported-by: syzbot+33d7ea72e47de3bdf4e1@syzkaller.appspotmail.com
    Reported-by: syzbot+44b6763edfc17144296f@syzkaller.appspotmail.com
    Signed-off-by: Theodore Ts'o
    [bwh: Backported to 3.16:
     - Use EIO instead of EFSCORRUPTED
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit 1bbf3c8644266060b0e56ffb2c40a61029957235
Author: Ben Hutchings
Date:   Tue Jan 7 20:49:33 2020 +0000

    ext4: Introduce ext4_clamp_want_extra_isize()

    Based on commit 7bc04c5c2cc4 "ext4: fix use-after-free race with
    debug_want_extra_isize". We don't have that bug but this will make it
    easier to backport commit 4ea99936a163 "ext4: add more paranoia
    checking in ext4_expand_extra_isize handling".

    Cc: Barret Rhoden
    Cc: Theodore Ts'o
    Signed-off-by: Ben Hutchings

commit 0ad70158f3c02e373e17377237b85e43f06d6752
Author: Linus Torvalds
Date:   Fri Oct 18 18:41:16 2019 -0400

    filldir[64]: remove WARN_ON_ONCE() for bad directory entries

    commit b9959c7a347d6adbb558fba7e36e9fef3cba3b07 upstream.

    This was always meant to be a temporary thing, just for testing and to
    see if it actually ever triggered.

    The only thing that reported it was syzbot doing disk image fuzzing,
    and then that warning is expected. So let's just remove it before
    -rc4, because the extra sanity testing should probably go to -stable,
    but we don't want the warning to do so.

    Reported-by: syzbot+3031f712c7ad5dd4d926@syzkaller.appspotmail.com
    Fixes: 8a23eb804ca4 ("Make filldir[64]() verify the directory entry filename is valid")
    Signed-off-by: Linus Torvalds
    Cc: Siddharth Chandrasekaran
    Signed-off-by: Ben Hutchings

commit 8b85eda7dac918a308e6e1d9137887930e80827a
Author: Linus Torvalds
Date:   Sat Oct 5 11:32:52 2019 -0700

    Make filldir[64]() verify the directory entry filename is valid

    commit 8a23eb804ca4f2be909e372cf5a9e7b30ae476cd upstream.

    This has been discussed several times, and now filesystem people are
    talking about doing it individually at the filesystem layer, so head
    that off at the pass and just do it in getdents{64}().

    This is partially based on a patch by Jann Horn, but checks for NUL
    bytes as well, and somewhat simplified.

    There's also commentary about how it might be better if invalid names
    due to filesystem corruption don't cause an immediate failure, but only
    an error at the end of the readdir(), so that people can still see the
    filenames that are ok.

    There's also been discussion about just how much POSIX strictly
    speaking requires this since it's about filesystem corruption. It's
    really more "protect user space from bad behavior" as pointed out by
    Jann. But since Eric Biederman looked up the POSIX wording, here it is
    for context:

     "From readdir:

       The readdir() function shall return a pointer to a structure
       representing the directory entry at the current position in the
       directory stream specified by the argument dirp, and position the
       directory stream at the next entry. It shall return a null pointer
       upon reaching the end of the directory stream. The structure dirent
       defined in the header describes a directory entry.

      From definitions:

       3.129 Directory Entry (or Link)

       An object that associates a filename with a file. Several directory
       entries can associate names with the same file.

       ...

       3.169 Filename

       A name consisting of 1 to {NAME_MAX} bytes used to name a file.
       The characters composing the name may be selected from the set of
       all character values excluding the slash character and the null
       byte. The filenames dot and dot-dot have special meaning. A filename
       is sometimes referred to as a 'pathname component'."

    Note that I didn't bother adding the checks to any legacy interfaces
    that nobody uses.

    Also note that if this ends up being noticeable as a performance
    regression, we can fix that to do a much more optimized model that
    checks for both NUL and '/' at the same time one word at a time.

    We haven't really tended to optimize 'memchr()', and it only checks for
    one pattern at a time anyway, and we really _should_ check for NUL too
    (but see the comment about "soft errors" in the code about why it
    currently only checks for '/')

    See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name
    lookup code looks for pathname terminating characters in parallel.

    Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/
    Cc: Alexander Viro
    Cc: Jann Horn
    Cc: Eric W. Biederman
    Signed-off-by: Linus Torvalds
    Cc: Siddharth Chandrasekaran
    Signed-off-by: Ben Hutchings

commit bd3752fe1311d37cca1bbc0fe8e5876507bab301
Author: Mathias Nyman
Date:   Wed Dec 11 16:20:03 2019 +0200

    xhci: fix USB3 device initiated resume race with roothub autosuspend

    commit 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 upstream.

    A race in xhci USB3 remote wake handling may force device back to
    suspend after it initiated resume signaling, causing a missed resume
    event or warm reset of device.

    When a USB3 link completes resume signaling and goes to enabled (U0)
    state an interrupt is issued and the interrupt handler will clear the
    bus_state->port_remote_wakeup resume flag, allowing bus suspend.

    If the USB3 roothub thread just finished reading port status before
    the interrupt, finding ports still in suspended (U3) state, but hasn't
    yet started suspending the hub, then the xhci interrupt handler will
    clear the flag that prevented roothub suspend and allow bus to suspend,
    forcing all port links back to suspended (U3) state.

    Example case:
    usb_runtime_suspend() # because all ports still show suspended U3
      usb_suspend_both()
        hub_suspend();   # successful as hub->wakeup_bits not set yet
    ==> INTERRUPT
    xhci_irq()
      handle_port_status()
        clear bus_state->port_remote_wakeup
        usb_wakeup_notification()
          sets hub->wakeup_bits;  kick_hub_wq()
    <== END INTERRUPT
          hcd_bus_suspend()
            xhci_bus_suspend() # success as port_remote_wakeup bits cleared

    Fix this by increasing roothub usage count during port resume to
    prevent roothub autosuspend, and by making sure
    bus_state->port_remote_wakeup flag is only cleared after resume
    completion is visible, i.e. after xhci roothub returned U0 or other
    non-U3 link state link on a get port status request.

    Issue rootcaused by Chiasheng Lee

    Cc: Lee, Hou-hsun
    Reported-by: Lee, Chiasheng
    Signed-off-by: Mathias Nyman
    Link: https://lore.kernel.org/r/20191211142007.8847-3-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman
    [Mathias Nyman: Backport for 4.9 and 4.4 stable kernels]
    [bwh: Backported to 3.16: USB 3.0 SS is the highest speed we handle]
    Signed-off-by: Ben Hutchings

commit 51789ec317a150e8e2d9e901d10c6ad613a0ecf6
Author: Adrian Bunk
Date:   Wed Feb 13 15:59:38 2019 +0200

    mwifiex: Fix NL80211_TX_POWER_LIMITED

    commit 65a576e27309120e0621f54d5c81eb9128bd56be upstream.

    NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC,
    which is the opposite of what should happen and can cause nasty
    regulatory problems.

    if/else converted to a switch without default to make gcc warn
    on unhandled enum values.

    Signed-off-by: Adrian Bunk
    Signed-off-by: Kalle Valo
    [bwh: Backported to 3.16: adjust filenames]
    Signed-off-by: Ben Hutchings

commit 4a60fd942f71fdac487d20880e4ea9d254406b78
Author: Jeffrey Hugo
Date:   Thu Oct 17 08:26:06 2019 -0700

    dmaengine: qcom: bam_dma: Fix resource leak

    commit 7667819385457b4aeb5fac94f67f52ab52cc10d5 upstream.

    bam_dma_terminate_all() will leak resources if any of the transactions
    are committed to the hardware (present in the desc fifo), and not
    complete. Since bam_dma_terminate_all() does not cause the hardware to
    be updated, the hardware will still operate on any previously committed
    transactions. This can cause memory corruption if the memory for the
    transaction has been reassigned, and will cause a sync issue between
    the BAM and its client(s).

    Fix this by properly updating the hardware in bam_dma_terminate_all().

    Fixes: e7c0fe2a5c84 ("dmaengine: add Qualcomm BAM dma driver")
    Signed-off-by: Jeffrey Hugo
    Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.com
    Signed-off-by: Vinod Koul
    [Jeffrey Hugo: Backported to 4.4 which is lacking 6b4faeac05bc
     ("dmaengine: qcom-bam: Process multiple pending descriptors")]
    Signed-off-by: Ben Hutchings

commit b1659d0ba0c589ca164bbaf64c895e60c52aa2ce
Author: Dmitry Vyukov
Date:   Fri May 26 19:29:00 2017 +0200

    locking/x86: Remove the unused atomic_inc_short() methd

    commit 31b35f6b4d5285a311e10753f4eb17304326b211 upstream.

    It is completely unused and implemented only on x86.
    Remove it.

    Suggested-by: Mark Rutland
    Signed-off-by: Dmitry Vyukov
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Andrew Morton
    Cc: Andrey Ryabinin
    Cc: H. Peter Anvin
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Link: http://lkml.kernel.org/r/20170526172900.91058-1-dvyukov@google.com
    Signed-off-by: Ingo Molnar
    [bwh: Backported to 3.16 because this function is broken after
     "x86/atomic: Fix smp_mb__{before,after}_atomic()":
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit 827dbc948ec942b71223b213f5e7f9246fdb1712
Author: Peter Zijlstra
Date:   Wed Apr 23 17:02:18 2014 +0200

    locking,x86: Kill atomic_or_long()

    commit f6b4ecee0eb7bfa66ae8d5652105ed4da53209a3 upstream.

    There are no users, kill it.

    Signed-off-by: Peter Zijlstra
    Cc: Jesse Brandeburg
    Cc: Linus Torvalds
    Cc: Paul E. McKenney
    Link: http://lkml.kernel.org/r/20140508135851.768177189@infradead.org
    Signed-off-by: Ingo Molnar
    [bwh: Backported to 3.16 because this function is broken after
     "x86/atomic: Fix smp_mb__{before,after}_atomic()"]
    Signed-off-by: Ben Hutchings

commit c6ca8aabc36fc9f268781f0de30a1160b8f8390f
Author: Peter Zijlstra
Date:   Wed Apr 24 13:38:23 2019 +0200

    x86/atomic: Fix smp_mb__{before,after}_atomic()

    commit 69d927bba39517d0980462efc051875b7f4db185 upstream.

    Recent probing at the Linux Kernel Memory Model uncovered a
    'surprise'. Strongly ordered architectures where the atomic RmW
    primitive implies full memory ordering and
    smp_mb__{before,after}_atomic() are a simple barrier() (such as x86)
    fail for:

        *x = 1;
        atomic_inc(u);
        smp_mb__after_atomic();
        r0 = *y;

    Because, while the atomic_inc() implies memory order, it
    (surprisingly) does not provide a compiler barrier. This then allows
    the compiler to re-order like so:

        atomic_inc(u);
        *x = 1;
        smp_mb__after_atomic();
        r0 = *y;

    Which the CPU is then allowed to re-order (under TSO rules) like:

        atomic_inc(u);
        r0 = *y;
        *x = 1;

    And this very much was not intended. Therefore strengthen the atomic
    RmW ops to include a compiler barrier.

    NOTE: atomic_{or,and,xor} and the bitops already had the compiler
    barrier.

    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Signed-off-by: Ingo Molnar
    Signed-off-by: Jari Ruusu
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Ben Hutchings

commit 551da7ca4fa4e7356fc921077b0f8419280a34f4
Author: Will Deacon
Date:   Fri Mar 1 13:28:01 2019 +0000

    arm64: debug: Ensure debug handlers check triggering exception level

    commit 6bd288569b50bc89fa5513031086746968f585cb upstream.

    Debug exception handlers may be called for exceptions generated both by
    user and kernel code. In many cases, this is checked explicitly, but
    in other cases things either happen to work by happy accident or they
    go slightly wrong. For example, executing 'brk #4' from userspace will
    enter the kprobes code and be ignored, but the instruction will be
    retried forever in userspace instead of delivering a SIGTRAP.

    Fix this issue in the most stable-friendly fashion by simply adding
    explicit checks of the triggering exception level to all of our debug
    exception handlers.

    Reviewed-by: Mark Rutland
    Signed-off-by: Will Deacon
    Signed-off-by: Catalin Marinas
    Signed-off-by: Ben Hutchings

commit e2c3a06b65720b4f1f5932e9cb649798d5a82e24
Author: Will Deacon
Date:   Fri Mar 1 13:28:00 2019 +0000

    arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals

    commit b9a4b9d084d978f80eb9210727c81804588b42ff upstream.

    FAR_EL1 is UNKNOWN for all debug exceptions other than those caused by
    taking a hardware watchpoint. Unfortunately, if a debug handler returns
    a non-zero value, then we will propagate the UNKNOWN FAR value to
    userspace via the si_addr field of the SIGTRAP siginfo_t.

    Instead, let's set si_addr to take on the PC of the faulting
    instruction, which we have available in the current pt_regs.

    Reviewed-by: Mark Rutland
    Signed-off-by: Will Deacon
    Signed-off-by: Catalin Marinas
    Signed-off-by: Ben Hutchings

commit 9a557b0d39037abc88bf643cfe5a46eb0870cb8a
Author: Bhadram Varka
Date:   Fri Oct 27 08:22:02 2017 +0530

    stmmac: copy unicast mac address to MAC registers

    commit a830405ee452ddc4101c3c9334e6fedd42c6b357 upstream.

    Currently stmmac driver is not copying the valid ethernet
    MAC address to MAC registers. This patch takes care
    of updating the MAC register with MAC address.

    Signed-off-by: Bhadram Varka
    Signed-off-by: David S. Miller
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16:
     - Pass priv->ioaddr as first argument to set_umac_addr operation
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit 546383d4dae597b45f76610be2c54909f38fea9e
Author: Eric Biggers
Date:   Wed Mar 8 16:27:04 2017 -0800

    arm64: support keyctl() system call in 32-bit mode

    commit 5c2a625937ba49bc691089370638223d310cda9a upstream.

    As is the case for a number of other architectures that have a 32-bit
    compat mode, enable KEYS_COMPAT if both COMPAT and KEYS are enabled.
    This allows AArch32 programs to use the keyctl() system call when
    running on an AArch64 kernel.

    Signed-off-by: Eric Biggers
    Signed-off-by: Will Deacon
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 73530724b2c54dc12ea420e51527f50705c4d8e7
Author: Johannes Berg
Date:   Mon Jan 9 11:10:42 2017 +0100

    cfg80211: size various nl80211 messages correctly

    commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 upstream.

    Ilan reported that sometimes nl80211 messages weren't working if
    the frames being transported got very large, which was really a
    problem for userspace-to-kernel messages, but prompted me to look
    at the code.

    Upon review, I found various places where variable-length data is
    transported in an nl80211 message but the message isn't allocated
    taking that into account. This shouldn't cause any problems since
    the frames aren't really that long, apart in one place where two
    (possibly very long frames) might not fit.

    Fix all the places (that I found) that get variable length data
    from the driver and put it into a message to take the length of
    the variable data into account. The 100 there is just a safe
    constant for the remaining message overhead (it's usually around
    50 for most messages.)

    Signed-off-by: Johannes Berg
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit d5252c1387ad16c99905b677b378f4cb71acf1ff
Author: Chaotian Jing
Date:   Thu May 19 16:47:42 2016 +0800

    mmc: mmc: fix switch timeout issue caused by jiffies precision

    commit 987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1 upstream.

    with CONFIG_HZ=100, the precision of jiffies is 10ms, and the
    generic_cmd6_time of some card is also 10ms. then, may be current
    time is only 5ms, but already timed out caused by jiffies precision.

    Signed-off-by: Chaotian Jing
    Signed-off-by: Ulf Hansson
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 0e741f5ce13aef3dfc3e129357cf096da958912c
Author: Ezequiel Garcia
Date:   Wed Apr 27 13:55:28 2016 -0300

    arm64: kconfig: drop CONFIG_RTC_LIB dependency

    commit 99a507771fa57238dc7ffe674ae06090333d02c9 upstream.

    The rtc-lib dependency is not required, and seems it was just
    copy-pasted from ARM's Kconfig. If platform requires rtc-lib,
    they should select it individually.

    Reviewed-by: Arnd Bergmann
    Signed-off-by: Ezequiel Garcia
    Signed-off-by: Will Deacon
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit fefa18a9fe8234938e525ab4ba2c6e197c1d2ed6
Author: Christoffer Dall
Date:   Tue Jul 3 17:43:09 2018 +0200

    video: fbdev: Set pixclock = 0 in goldfishfb

    commit ace6033ec5c356615eaa3582fb1946e9eaff6662 upstream.

    User space Android code identifies pixclock == 0 as a sign for emulation
    and will set the frame rate to 60 fps when reading this value, which is
    the desired outcome.

    Signed-off-by: Christoffer Dall
    Signed-off-by: Peter Maydell
    Signed-off-by: Roman Kiryanov
    Signed-off-by: Bartlomiej Zolnierkiewicz
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 15ed13038a6da5a93d1257afbdf47fba2d47fe1b
Author: Xerox Lin
Date:   Wed Jun 29 14:34:21 2016 +0530

    usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG

    commit 207707d8fd48ebc977fb2b2794004a020e1ee08e upstream.

    When rndis data transfer is in progress, some Windows7 Host PC is not
    sending the GET_ENCAPSULATED_RESPONSE command for receiving the response
    for the previous SEND_ENCAPSULATED_COMMAND processed.

    The rndis function driver appends each response for the
    SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted,
    the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset.
    As the rndis response queue is not freed, the previous response is sent
    as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host
    blocks any more Rndis transfers.

    Hence free the rndis response queue as a part of this soft-reset so that
    the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the
    response command.

    Signed-off-by: Rajkumar Raghupathy
    Signed-off-by: Xerox Lin
    [AmitP: Cherry-picked this patch and folded other relevant
     fixes from Android common kernel android-4.4]
    Signed-off-by: Amit Pundir
    Signed-off-by: Felipe Balbi
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16:
     - Pass configNr instead of params as first argument to
       rndis_{get_next,free}_response()
     - Adjust filename, context]
    Signed-off-by: Ben Hutchings

commit db9dbb418de90785deefa6d16d80f0114939b2ed
Author: Winter Wang
Date:   Wed Jul 27 10:03:19 2016 +0800

    usb: gadget: configfs: add mutex lock before unregister gadget

    commit cee51c33f52ebf673a088a428ac0fecc33ab77fa upstream.

    There may be a race condition if f_fs calls unregister_gadget_item in
    ffs_closed() when unregister_gadget is called by UDC store at the same
    time.
    this leads to a kernel NULL pointer dereference:

    [ 310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004
    [ 310.645053] init: Service 'adbd' is being killed...
    [ 310.658938] pgd = c9528000
    [ 310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000
    [ 310.669702] Internal error: Oops: 817 [#1] PREEMPT SMP ARM
    [ 310.675211] Modules linked in:
    [ 310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2
    [ 310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
    [ 310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000
    [ 310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0
    [ 310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c
    [ 310.708648] pc : [] lr : [] psr: 600f0113
    [ 311.565585] [] (usb_gadget_unregister_driver) from [] (unregister_gadget_item+0x1c/0x34)
    [ 311.575426] [] (unregister_gadget_item) from [] (ffs_closed+0x8c/0x9c)
    [ 311.583702] [] (ffs_closed) from [] (ffs_data_reset+0xc/0xa0)
    [ 311.591194] [] (ffs_data_reset) from [] (ffs_data_closed+0x90/0xd0)
    [ 311.599208] [] (ffs_data_closed) from [] (ffs_ep0_release+0xc/0x14)
    [ 311.607224] [] (ffs_ep0_release) from [] (__fput+0x80/0x1d0)
    [ 311.614635] [] (__fput) from [] (task_work_run+0xb0/0xe8)
    [ 311.621788] [] (task_work_run) from [] (do_work_pending+0x7c/0xa4)
    [ 311.629718] [] (do_work_pending) from [] (work_pending+0xc/0x20)

    for functions using functionFS, i.e. android adbd will close
    /dev/usb-ffs/adb/ep0 when usb IO thread fails, but switch adb from on
    to off also triggers write "none" > UDC. These 2 operations both call
    unregister_gadget, which will lead to the panic above.

    add a mutex before calling unregister_gadget for api used in f_fs.


    Signed-off-by: Winter Wang
    Signed-off-by: Felipe Balbi
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 6a4db07a36cf16d4510658064fee48d8c879ae4c
Author: James Morse
Date:   Wed Apr 27 17:47:11 2016 +0100

    PM / Hibernate: Call flush_icache_range() on pages restored in-place

    commit f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e upstream.

    Some architectures require code written to memory as if it were data to be
    'cleaned' from any data caches before the processor can fetch them as new
    instructions.

    During resume from hibernate, the snapshot code copies some pages directly,
    meaning these architectures do not get a chance to perform their cache
    maintenance. Modify the read and decompress code to call
    flush_icache_range() on all pages that are restored, so that the restored
    in-place pages are guaranteed to be executable on these architectures.

    Signed-off-by: James Morse
    Acked-by: Pavel Machek
    Acked-by: Rafael J. Wysocki
    Acked-by: Catalin Marinas
    [will: make clean_pages_on_* static and remove initialisers]
    Signed-off-by: Will Deacon
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit d54a2e404f95e02fed77bc229c2425f1745be046
Author: Christoph Hellwig
Date:   Tue May 19 09:23:23 2015 +0200

    suspend: simplify block I/O handling

    commit 343df3c79c62b644ce6ff5dff96c9e0be1ecb242 upstream.

    Stop abusing struct page functionality and the swap end_io handler, and
    instead add a modified version of the blk-lib.c bio_batch helpers.

    Also move the block I/O code into swap.c as they are directly tied into
    each other.

    Signed-off-by: Christoph Hellwig
    Tested-by: Pavel Machek
    Tested-by: Ming Lin
    Acked-by: Pavel Machek
    Acked-by: Rafael J. Wysocki
    Signed-off-by: Jens Axboe
    [bwh: Backported to 3.16 as dependency of commit f6cf0545ec69
     "PM / Hibernate: Call flush_icache_range() on pages restored in-place":
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit 4d1a9f511b3ae28bc83af2c05cd0c39656dcd49a
Author: James Morse
Date:   Wed Apr 27 17:47:08 2016 +0100

    arm64: kernel: Include _AC definition in page.h

    commit 812264550dcba6cdbe84bfac2f27e7d23b5b8733 upstream.

    page.h uses '_AC' in the definition of PAGE_SIZE, but doesn't include
    linux/const.h where this is defined. This produces build warnings when only
    asm/page.h is included by asm code.

    Signed-off-by: James Morse
    Acked-by: Mark Rutland
    Acked-by: Catalin Marinas
    Signed-off-by: Will Deacon
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 3865feeeed4502f7281041b9390b6d06750d9605
Author: Ard Biesheuvel
Date:   Fri Mar 18 10:58:09 2016 +0100

    arm64/kernel: fix incorrect EL0 check in inv_entry macro

    commit b660950c60a7278f9d8deb7c32a162031207c758 upstream.

    The implementation of macro inv_entry refers to its 'el' argument without
    the required leading backslash, which results in an undefined symbol
    'el' to be passed into the kernel_entry macro rather than the index of
    the exception level as intended.

    This undefined symbol strangely enough does not result in build failures,
    although it is visible in vmlinux:

    $ nm -n vmlinux |head
    U el
    0000000000000000 A _kernel_flags_le_hi32
    0000000000000000 A _kernel_offset_le_hi32
    0000000000000000 A _kernel_size_le_hi32
    000000000000000a A _kernel_flags_le_lo32
    .....

    However, it does result in incorrect code being generated for invalid
    exceptions taken from EL0, since the argument check in kernel_entry
    assumes EL1 if its argument does not equal '0'.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Catalin Marinas
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit d0dba6ff6e829932ce1a1fcb3c0d459addea4216
Author: Lorenzo Pieralisi
Date:   Mon Feb 1 18:01:29 2016 +0100

    ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies

    commit 1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1 upstream.

    The code enabled by the ARM_CPU_SUSPEND config option is used by
    kernel subsystems for purposes that go beyond system suspend so its
    config entry should be augmented to take more default options into
    account and avoid forcing its selection to prevent dependencies
    override.

    To achieve this goal, this patch reworks the ARM_CPU_SUSPEND config
    entry and updates its default config value (by adding the BL_SWITCHER
    option to it) and its dependencies (ARCH_SUSPEND_POSSIBLE), so that the
    symbol is still selected by default by the subsystems requiring it and
    at the same time enforcing the dependencies correctly.

    Signed-off-by: Lorenzo Pieralisi
    Cc: Nicolas Pitre
    Signed-off-by: Russell King
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 68377a70d468bf463fa3c03e07145bb710fee3e1
Author: Greg Hackmann
Date:   Fri Feb 26 19:00:18 2016 +0000

    staging: goldfish: audio: fix compiliation on arm

    commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab upstream.

    We do actually need slab.h, by luck we get it on other platforms but not
    always on ARM. Include it properly.

    Signed-off-by: Greg Hackmann
    Signed-off-by: Jin Qian
    Signed-off-by: Alan
    Signed-off-by: Greg Kroah-Hartman
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 4996ce256c87c67bdae973a7e8372f3097096feb
Author: Rajmal Menariya
Date:   Fri Jan 29 22:07:35 2016 -0800

    staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT

    commit 1328d8efef17d5e16bd6e9cfe59130a833674534 upstream.

    In carveout heap, change minimum allocation order from 12 to
    PAGE_SHIFT. After this change each bit in bitmap (genalloc -
    General purpose special memory pool) represents one page size
    memory.

    Cc: sprd-ind-kernel-group@googlegroups.com
    Cc: sanjeev.yadav@spreadtrum.com
    Cc: Colin Cross
    Cc: Android Kernel Team
    Cc: Greg KH
    Cc: Sumit Semwal
    Signed-off-by: Rajmal Menariya
    [jstultz: Reworked commit message]
    Signed-off-by: John Stultz
    Acked-by: Laura Abbott
    Signed-off-by: Greg Kroah-Hartman
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 599b21f230f79bb06024dde6bf0d1d7f739f7be7
Author: Rom Lemarchand
Date:   Fri Jan 29 22:07:31 2016 -0800

    staging: ashmem: Add missing include

    commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 upstream.

    Include into ashmem.h to ensure referenced types are defined

    Cc: Android Kernel Team
    Cc: Greg KH
    Signed-off-by: Rom Lemarchand
    [jstultz: Minor commit message tweaks]
    Signed-off-by: John Stultz
    Signed-off-by: Greg Kroah-Hartman
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 4e52d83f13bcbe1180ff5608c0b4db28e79394ff
Author: Laura Abbott
Date:   Fri Jan 29 22:07:30 2016 -0800

    staging: ashmem: Avoid deadlock with mmap/shrink

    commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e upstream.

    Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may
    be possible for ashmem_mmap to invoke ashmem_shrink:

    -000|mutex_lock(lock = 0x0)
    -001|ashmem_shrink(?, sc = 0x0) <--- try to take ashmem_mutex again
    -002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages
    -002|=
    -002|124)
    -003|try_to_free_pages(zonelist = 0x0, ?, ?, ?)
    -004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist =
    -004|0xC11D0940,
    -005|new_slab(s = 0xE4841E80, ?, node = -1)
    -006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags =
    -006|2148925462, ad
    -007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208)
    -008|shmem_alloc_inode(?)
    -009|alloc_inode(sb = 0xE480E800)
    -010|new_inode_pseudo(?)
    -011|new_inode(?)
    -012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags =
    -012|187)
    -013|shmem_file_setup(?, ?, flags = 187)
    -014|ashmem_mmap(?, vma = 0xC5D64210) <---- Acquire ashmem_mutex
    -015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472,
    -015|flags = 57,
    -016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd =
    -016|157, pgoff
    -017|ret_fast_syscall(asm)
     -->|exception
    -018|NUR:0x40097508(asm)
     ---|end of frame

    Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex
    is already held, do not attempt to shrink.

    Cc: Greg KH
    Cc: Android Kernel Team
    Reported-by: Matt Wagantall
    Reported-by: Syed Rameez Mustafa
    Reported-by: Osvaldo Banuelos
    Reported-by: Subbaraman Narayanamurthy
    Signed-off-by: Laura Abbott
    [jstultz: Minor commit message tweaks]
    Signed-off-by: John Stultz
    Signed-off-by: Greg Kroah-Hartman
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit d99743eb7fc4b92af198e170e06dfd1b5b7e7180
Author: Mark Rutland
Date:   Mon Jan 25 11:44:55 2016 +0000

    asm-generic: Fix local variable shadow in __set_fixmap_offset

    commit 3694bd76781b76c4f8d2ecd85018feeb1609f0e5 upstream.

    Currently __set_fixmap_offset is a macro function which has a local
    variable called 'addr'. If a caller passes a 'phys' parameter which is
    derived from a variable also called 'addr', the local variable will
    shadow this, and the compiler will complain about the use of an
    uninitialized variable. To avoid the issue with namespace clashes,
    'addr' is prefixed with a liberal sprinkling of underscores.

    Turning __set_fixmap_offset into a static inline breaks the build for
    several architectures. Fixing this properly requires updates to a number
    of architectures to make them agree on the prototype of __set_fixmap (it
    could be done as a subsequent patch series).

    Signed-off-by: Mark Rutland
    Cc: Arnd Bergmann
    [catalin.marinas@arm.com: squashed the original function patch and macro fixup]
    Signed-off-by: Catalin Marinas
    Signed-off-by: Ben Hutchings

commit bae17161946432a0c23b2ced885b0b9ae42fbce4
Author: Eric Dumazet
Date:   Wed Jan 20 16:25:01 2016 -0800

    net: diag: support v4mapped sockets in inet_diag_find_one_icsk()

    commit 7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf upstream.

    Lorenzo reported that we could not properly find v4mapped sockets
    in inet_diag_find_one_icsk(). This patch fixes the issue.

    Reported-by: Lorenzo Colitti
    Signed-off-by: Eric Dumazet
    Acked-by: Lorenzo Colitti
    Signed-off-by: David S. Miller
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit bff425948dbde0f082a60b7cee1ba64c5863aed4
Author: Arnd Bergmann
Date:   Thu Nov 19 15:49:23 2015 +0100

    ARM: 8458/1: bL_switcher: add GIC dependency

    commit 6c044fecdf78be3fda159a5036bb33700cdd5e59 upstream.

    It is not possible to build the bL_switcher code if the GIC
    driver is disabled, because it relies on calling into some
    gic specific interfaces, and that would result in this build
    error:

    arch/arm/common/built-in.o: In function `bL_switch_to':
    :(.text+0x1230): undefined reference to `gic_get_sgir_physaddr'
    :(.text+0x1244): undefined reference to `gic_send_sgi'
    :(.text+0x1268): undefined reference to `gic_migrate_target'
    arch/arm/common/built-in.o: In function `bL_switcher_enable.part.4':
    :(.text.unlikely+0x2f8): undefined reference to `gic_get_cpu_id'

    This adds a Kconfig dependency to ensure we only build the big-little
    switcher if the GIC driver is present as well.

    Almost all ARMv7 platforms come with a GIC anyway, but it is possible
    to build a kernel that disables all platforms.

    Signed-off-by: Arnd Bergmann
    Acked-by: Nicolas Pitre
    Signed-off-by: Russell King
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit c325515b53a6e378f2e2c78be2dc970ae7ad2302
Author: Yury Norov
Date:   Wed Dec 2 14:00:10 2015 +0000

    arm64: fix COMPAT_SHMLBA definition for large pages

    commit b9b7aebb42d1b1392f3111de61136bb6cf3aae3f upstream.

    ARM glibc uses (4 * __getpagesize()) for SHMLBA, which is correct for
    4KB pages and works fine for 64KB pages, but the kernel uses a hardcoded
    16KB that is too small for 64KB page based kernels. This changes the
    definition to what user space sees when using 64KB pages.

    Acked-by: Arnd Bergmann
    Signed-off-by: Yury Norov
    Signed-off-by: Will Deacon
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 17855e598966731f47851d77ba6486a7941af1b9
Author: Colin Cross
Date:   Thu Oct 22 10:00:41 2015 -0700

    mmc: block: Allow more than 8 partitions per card

    commit 382c55f88ffeb218c446bf0c46d0fc25d2795fe2 upstream.

    It is quite common for Android devices to utilize more
    than 8 partitions on internal eMMC storage.

    The vanilla kernel can support this via
    CONFIG_MMC_BLOCK_MINORS, however that solution caps the
    system to 256 minors total, which limits the number of
    mmc cards the system can support.

    This patch, which has been carried for quite awhile in
    the AOSP common tree, provides an alternative solution
    that doesn't seem to limit the total card count. So I
    wanted to submit it for consideration upstream.

    This patch sets the GENHD_FL_EXT_DEVT flag, which will
    allocate minor number in major 259 for partitions past
    disk->minors.

    It also removes the use of disk_devt to determine devidx
    from md->disk. md->disk->first_minor is always initialized
    from devidx and can always be used to recover it.

    Cc: Ulf Hansson
    Cc: Adrian Hunter
    Cc: Ben Hutchings
    Cc: Chuanxiao Dong
    Cc: Shawn Lin
    Cc: Austin S Hemmelgarn
    Cc: Arnd Bergmann
    Cc: Android Kernel Team
    Cc: linux-mmc@vger.kernel.org
    Signed-off-by: Colin Cross
    [jstultz: Added context to commit message]
    Signed-off-by: John Stultz
    Signed-off-by: Ulf Hansson
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit fcb6c0a93d1b8b0e39cac0084daf83a0c99562a6
Author: Mathias Nyman
Date:   Fri Mar 22 17:50:15 2019 +0200

    xhci: Fix port resume done detection for SS ports with LPM enabled

    commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream.

    A suspended SS port in U3 link state will go to U0 when resumed, but
    can almost immediately after that enter U1 or U2 link power save
    states before host controller driver reads the port status.

    Host controller driver only checks for U0 state, and might miss
    the finished resume, leaving flags unclear and skip notifying usb
    code of the wake.

    Add U1 and U2 to the possible link states when checking for finished
    port resume.

    Signed-off-by: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman
    [Mathias Nyman: backport to 3.18 stable.]
    Signed-off-by: Ben Hutchings

commit ccdc588e0086a7ddb0da021a4442d6dcd73b4947
Author: Yoshihiro Shimoda
Date:   Fri Jul 28 19:28:57 2017 +0900

    usb: renesas_usbhs: gadget: fix unused-but-set-variable warning

    commit b7d44c36a6f6d956e1539e0dd42f98b26e5a4684 upstream.

    The commit b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps
    when the driver stops") causes the unused-but-set-variable warning.
    But, if the usbhsg_ep_disable() will return non-zero value, udc/core.c
    doesn't clear the ep->enabled flag. So, this driver should not return
    non-zero value, if the pipe is zero because this means the pipe is
    already disabled. Otherwise, the ep->enabled flag is never cleared
    when the usbhsg_ep_disable() is called by the renesas_usbhs driver first.

    Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops")
    Fixes: 11432050f070 ("usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()")
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Felipe Balbi
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit ec4efc4c5fbdd9ad303a9b078b4d72f5a4c7844b
Author: Qiao Zhou
Date:   Fri Jul 7 17:29:34 2017 +0800

    arm64: traps: disable irq in die()

    commit 6f44a0bacb79a03972c83759711832b382b1b8ac upstream.

    In current die(), the irq is disabled for __die() handle, not
    including the possible panic() handling. Since the log in __die()
    can take several hundreds ms, new irq might come and interrupt
    current die().

    If the process calling die() holds some critical resource, and some
    other process scheduled later also needs it, then it would deadlock.
    The first panic will not be executed.

    So here disable irq for the whole flow of die().

    Signed-off-by: Qiao Zhou
    Signed-off-by: Will Deacon
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 54d013527df9042787ede28b13f40446c1997102
Author: Eric Dumazet
Date:   Wed Oct 26 09:27:57 2016 -0700

    tcp/dccp: drop SYN packets if accept queue is full

    commit 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071 upstream.

    Per listen(fd, backlog) rules, there is really no point accepting a SYN,
    sending a SYNACK, and dropping the following ACK packet if accept queue
    is full, because application is not draining accept queue fast enough.

    This behavior is fooling TCP clients that believe they established a
    flow, while there is nothing at server side. They might then send about
    10 MSS (if using IW10) that will be dropped anyway while server is under
    stress.

    Signed-off-by: Eric Dumazet
    Acked-by: Neal Cardwell
    Acked-by: Yuchung Cheng
    Signed-off-by: David S. Miller
    Signed-off-by: Arnd Bergmann
    [bwh: Backported to 3.16: Apply TCP changes in both tcp_ipv4.c and tcp_ipv6.c]
    Signed-off-by: Ben Hutchings

commit 82967f98bc8dfff2dfdf4359aabab3e4e92f17e8
Author: Baolin Wang
Date:   Thu Jun 30 17:10:23 2016 +0800

    usb: gadget: Add the gserial port checking in gs_start_tx()

    commit 511a36d2f357724312bb3776d2f6eed3890928b2 upstream.

    When usb gadget is set gadget serial function, it will crash in the
    situation below.

    It will clean the 'port->port_usb' pointer in gserial_disconnect() function
    when usb link is inactive, but it will release lock for disabling the
    endpoints in this function. During the lock release period, it may
    complete one request to issue gs_write_complete()--->gs_start_tx()
    function, but the 'port->port_usb' pointer had been set NULL, thus it will
    crash in gs_start_tx() function.

    This patch adds the 'port->port_usb' pointer checking in gs_start_tx()
    function to avoid this situation.

    Signed-off-by: Baolin Wang
    Signed-off-by: Felipe Balbi
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings

commit 6243715124099a2bac7b57441fded861b242f03b
Author: Philip Oberstaller
Date:   Fri Mar 27 17:42:18 2015 +0100

    usb: gadget: serial: fix re-ordering of tx data

    commit 3e9d3d2efc677b501b12512cab5adb4f32a0673a upstream.

    When a single thread is sending out data over the gadget serial port,
    gs_start_tx() will be called both from the sender context and from the
    write completion. Since the port lock is released before the packet is
    queued, the order in which the URBs are submitted is not guaranteed.
    E.g.

      sending thread                        completion (interrupt)

      gs_write()
        LOCK
                                            gs_write_complete()
                                              LOCK (wait)
        gs_start_tx()
          req1 = list_entry(pool->next)
          UNLOCK
                                              LOCK (acquired)
                                              gs_start_tx()
                                                req2 = list_entry(pool->next)
                                                UNLOCK
                                                usb_ep_queue(req2)
          usb_ep_queue(req1)

    I.e., req2 is submitted before req1 but it contains the data that
    comes after req1.

    To reproduce, use SMP with sending thread and completion pinned to
    different CPUs, or use PREEMPT_RT, and add the following delay just
    before the call to usb_ep_queue():

        if (port->write_started > 0 && !list_empty(pool))
                udelay(1000);

    To work around this problem, make sure that only one thread is running
    through the gs_start_tx() loop with an extra flag write_busy. Since
    gs_start_tx() is always called with the port lock held, no further
    synchronisation is needed. The original caller will continue through
    the loop when the request was successfully submitted.

    Signed-off-by: Philip Oberstaller
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind)
    Signed-off-by: Felipe Balbi
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings

commit 28c391a1bf808ecabb9a60860825fa0467c54d61
Author: Peter Chen
Date:   Fri Jul 1 15:33:28 2016 +0800

    usb: gadget: composite: fix dereference after null check coverify warning

    commit c526c62d565ea5a5bba9433f28756079734f430d upstream.

    cdev->config is checked for null pointer at above code, so
    cdev->config might be null, fix it by adding null pointer check.

    Signed-off-by: Peter Chen
    Signed-off-by: Felipe Balbi
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 6b3ddae9679c4d34d0be823bc1017699f9b7d978
Author: Wolfram Sang
Date:   Mon Jun 6 21:00:38 2016 +0200

    kbuild: setlocalversion: print error to STDERR

    commit 78283edf2c01c38eb840a3de5ffd18fe2992ab64 upstream.

    I tried to use 'make O=...' from an unclean source tree. This triggered
    the error path of setlocalversion. But by printing to STDOUT, it created
    a broken localversion which then caused another (unrelated) error:

    "4.7.0-rc2Error: kernelrelease not valid - run make prepare to update it" exceeds 64 characters

    After printing to STDERR, the true build error gets displayed later:

    /home/wsa/Kernel/linux is not clean, please run 'make mrproper'
    in the '/home/wsa/Kernel/linux' directory.

    Signed-off-by: Wolfram Sang
    Signed-off-by: Michal Marek
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 0fafb1f868013e4cddeff284bfddf549b14641d0
Author: Konstantin Khlebnikov
Date:   Thu May 19 17:11:46 2016 -0700

    mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON

    commit e4c5800a3991f0c6a766983535dfc10d51802cf6 upstream.

    This check effectively catches anon vma hierarchy inconsistence and some
    vma corruptions. It was effective for catching corner cases in anon vma
    reusing logic. For now this code seems stable so check could be hidden
    under CONFIG_DEBUG_VM and replaced with WARN because it's not so fatal.

    Signed-off-by: Konstantin Khlebnikov
    Suggested-by: Vasily Averin
    Acked-by: Vlastimil Babka
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 014ecb13adc7d76e9900641fd9abb8f32edf5ee6
Author: Dong Aisheng
Date:   Thu Apr 21 00:51:30 2016 +0800

    mmc: core: fix using wrong io voltage if mmc_select_hs200 fails

    commit e51534c806609c806d81bfb034f02737461f855c upstream.

    Currently MMC core will keep going if HS200/HS timing switch failed
    with -EBADMSG error by the assumption that the old timing is still valid.

    However, for mmc_select_hs200 case, the signal voltage may have already
    been switched. If the timing switch failed, we should fall back to
    the old voltage in case the card is continue run with legacy timing.

    If fall back signal voltage failed, we explicitly report an EIO error
    to force retry during the next power cycle.

    Signed-off-by: Dong Aisheng
    Signed-off-by: Ulf Hansson
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16:
     - Delete now-unused err label
     - Adjust context]
    Signed-off-by: Ben Hutchings

commit fc77274ef0da62cce42699f523bf92794e43e4dd
Author: James Morse
Date:   Wed Apr 13 13:40:00 2016 +0100

    arm64: mm: Add trace_irqflags annotations to do_debug_exception()

    commit 6afedcd23cfd7ac56c011069e4a8db37b46e4623 upstream.

    With CONFIG_PROVE_LOCKING, CONFIG_DEBUG_LOCKDEP and CONFIG_TRACE_IRQFLAGS
    enabled, lockdep will compare current->hardirqs_enabled with the flags from
    local_irq_save().

    When a debug exception occurs, interrupts are disabled in entry.S, but
    lockdep isn't told, resulting in:

    DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled)
    ------------[ cut here ]------------
    WARNING: at ../kernel/locking/lockdep.c:3523
    Modules linked in:
    CPU: 3 PID: 1752 Comm: perf Not tainted 4.5.0-rc4+ #2204
    Hardware name: ARM Juno development board (r1) (DT)
    task: ffffffc974868000 ti: ffffffc975f40000 task.ti: ffffffc975f40000
    PC is at check_flags.part.35+0x17c/0x184
    LR is at check_flags.part.35+0x17c/0x184
    pc : [] lr : [] pstate: 600003c5
    [...]
    ---[ end trace 74631f9305ef5020 ]---
    Call trace:
    [] check_flags.part.35+0x17c/0x184
    [] lock_acquire+0xa8/0xc4
    [] breakpoint_handler+0x118/0x288
    [] do_debug_exception+0x3c/0xa8
    [] el1_dbg+0x18/0x6c
    [] do_filp_open+0x64/0xdc
    [] do_sys_open+0x140/0x204
    [] SyS_openat+0x10/0x18
    [] el0_svc_naked+0x24/0x28
    possible reason: unannotated irqs-off.
    irq event stamp: 65857
    hardirqs last enabled at (65857): [] lookup_mnt+0xf4/0x1b4
    hardirqs last disabled at (65856): [] lookup_mnt+0xbc/0x1b4
    softirqs last enabled at (65790): [] __do_softirq+0x1f8/0x290
    softirqs last disabled at (65757): [] irq_exit+0x9c/0xd0

    This patch adds the annotations to do_debug_exception(), while trying not
    to call trace_hardirqs_off() if el1_dbg() interrupted a task that already
    had irqs disabled.

    Signed-off-by: James Morse
    Signed-off-by: Will Deacon
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit 8cca5c85393a7a490d4d7942c24d73d29cc77b3e
Author: Roger Quadros
Date:   Tue Apr 12 11:33:29 2016 +0300

    usb: dwc3: gadget: Fix suspend/resume during device mode

    commit 9772b47a4c2916d645c551228b6085ea24acbe5d upstream.

    Gadget controller might not be always active during system
    suspend/resume as gadget driver might not have yet been loaded or
    might have been unloaded prior to system suspend.

    Check if we're active and only then perform
    necessary actions during suspend/resume.

    Signed-off-by: Roger Quadros
    Signed-off-by: Felipe Balbi
    Cc: Arnd Bergmann
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 6b6329ef1b07fd3cd2b17da5bdcd9c1804ba122c
Author: Russell King
Date:   Fri Jan 29 09:43:50 2016 +0000

    mmc: core: shut up "voltage-ranges unspecified" pr_info()

    commit 10a16a01d8f72e80f4780e40cf3122f4caffa411 upstream.

    Each time a driver such as sdhci-esdhc-imx is probed, we get a info
    printk complaining that the DT voltage-ranges property has not been
    specified.

    However, the DT binding specifically says that the voltage-ranges
    property is optional. That means we should not be complaining that
    DT hasn't specified this property: by indicating that it's optional,
    it is valid not to have the property in DT.

    Silence the warning if the property is missing.

    Signed-off-by: Russell King
    Signed-off-by: Ulf Hansson
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit f111fe04cd2a2e1ea4ae0a52827934fba17938f3
Author: Wolfram Sang
Date:   Fri Jan 29 09:27:50 2016 +0100

    mmc: sanitize 'bus width' in debug output

    commit ed9feec72fc1fa194ebfdb79e14561b35decce63 upstream.

    The bus width is sometimes the actual bus width, and sometimes indices
    to different arrays encoding the bus width. In my debugging case "2"
    could mean 8-bit as well as 4-bit, which was extremely confusing. Let's
    use the human-readable actual bus width in all places.

    Signed-off-by: Wolfram Sang
    Signed-off-by: Ulf Hansson
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit ebf3e68bd0f24e2d3380084cba7cf63b44b2e575
Author: Chuanxiao Dong
Date:   Thu Jan 21 13:57:51 2016 +0100

    mmc: debugfs: Add a restriction to mmc debugfs clock setting

    commit e5905ff1281f0a0f5c9863c430ac1ed5faaf5707 upstream.

    Clock frequency values written to an mmc host should not be less than
    the minimum clock frequency which the mmc host supports.

    Signed-off-by: Yuan Juntao
    Signed-off-by: Pawel Wodkowski
    Signed-off-by: Ulf Hansson
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit c32be6fd5c831d8b96fbdb58984b2f7df011a8cc
Author: Ravindra Lokhande
Date:   Mon Dec 7 12:08:31 2015 +0530

    ALSA: compress: add support for 32bit calls in a 64bit kernel

    commit c10368897e104c008c610915a218f0fe5fa4ec96 upstream.

    Compress offload does not support ioctl calls from a 32bit userspace
    in a 64 bit kernel. This patch adds support for ioctls from a 32bit
    userspace in a 64bit kernel

    Signed-off-by: Ravindra Lokhande
    Acked-by: Vinod Koul
    Signed-off-by: Takashi Iwai
    Cc: Arnd Bergmann
    Signed-off-by: Ben Hutchings

commit e2bd9aac1360f6f5d533308480ea6f28ffc6aecb
Author: Ilya Dryomov
Date:   Tue Feb 5 20:30:27 2019 +0100

    libceph: handle an empty authorize reply

    commit 0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068 upstream.

    The authorize reply can be empty, for example when the ticket used to
    build the authorizer is too old and TAG_BADAUTHORIZER is returned from
    the service. Calling ->verify_authorizer_reply() results in an attempt
    to decrypt and validate (somewhat) random data in au->buf (most likely
    the signature block from calc_signature()), which fails and ends up in
    con_fault_finish() with !con->auth_retry. The ticket isn't invalidated
    and the connection is retried again and again until a new ticket is
    obtained from the monitor:

    libceph: osd2 192.168.122.1:6809 bad authorize reply
    libceph: osd2 192.168.122.1:6809 bad authorize reply
    libceph: osd2 192.168.122.1:6809 bad authorize reply
    libceph: osd2 192.168.122.1:6809 bad authorize reply

    Let TAG_BADAUTHORIZER handler kick in and increment con->auth_retry.

    Fixes: 5c056fdc5b47 ("libceph: verify authorize reply on connect")
    Link: https://tracker.ceph.com/issues/20164
    Signed-off-by: Ilya Dryomov
    Reviewed-by: Sage Weil
    [idryomov@gmail.com: backport to 4.4: extra arg, no CEPHX_V2]
    Signed-off-by: Ben Hutchings

commit 626ac2830226d79e8e3629911bdc44d25f484463
Author: Andreas Ziegler
Date:   Wed Jan 16 15:16:29 2019 +0100

    tracing/uprobes: Fix output for multiple string arguments

    commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.

    When printing multiple uprobe arguments as strings the output for the
    earlier arguments would also include all later string arguments.

    This is best explained in an example:

    Consider adding a uprobe to a function receiving two strings as
    parameters which is at offset 0xa0 in strlib.so and we want to print
    both parameters when the uprobe is hit (on x86_64):

    $ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
        /sys/kernel/debug/tracing/uprobe_events

    When the function is called as func("foo", "bar") and we hit the probe,
    the trace file shows a line like the following:

    [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"

    Note the extra "bar" printed as part of arg1. This behaviour stacks up
    for additional string arguments.

    The strings are stored in a dynamically growing part of the uprobe
    buffer by fetch_store_string() after copying them from userspace via
    strncpy_from_user(). The return value of strncpy_from_user() is then
    directly used as the required size for the string. However, this does
    not take the terminating null byte into account as the documentation
    for strncpy_from_user() clearly states that it "[...] returns the
    length of the string (not including the trailing NUL)" even though the
    null byte will be copied to the destination.

    Therefore, subsequent calls to fetch_store_string() will overwrite
    the terminating null byte of the most recently fetched string with
    the first character of the current string, leading to the
    "accumulation" of strings in earlier arguments in the output.

    Fix this by incrementing the return value of strncpy_from_user() by
    one if we did not hit the maximum buffer size.

    Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de
    Cc: Ingo Molnar
    Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
    Acked-by: Masami Hiramatsu
    Signed-off-by: Andreas Ziegler
    Signed-off-by: Steven Rostedt (VMware)
    Signed-off-by: Masami Hiramatsu
    Signed-off-by: Ben Hutchings

commit bef79bb99dd28b4b04c94427746fd0df71577da2
Author: Eric Biggers
Date:   Mon Jan 14 15:21:45 2019 -0800

    crypto: cts - fix crash on short inputs

    In the CTS template, when the input length is <= one block cipher block
    (e.g. <= 16 bytes for AES) pass the correct length to the underlying CBC
    transform rather than one block. This matches the upstream behavior and
    makes the encryption/decryption operation correctly return -EINVAL when
    1 <= nbytes < bsize or succeed when nbytes == 0, rather than crashing.

    This was fixed upstream incidentally by a large refactoring, commit
    0605c41cc53c ("crypto: cts - Convert to skcipher"). But syzkaller
    easily trips over this when running on older kernels, as it's easily
    reachable via AF_ALG. Therefore, this patch makes the minimal fix for
    older kernels.

    Cc: linux-crypto@vger.kernel.org
    Fixes: 76cb9521795a ("[CRYPTO] cts: Add CTS mode required for Kerberos AES support")
    Signed-off-by: Eric Biggers
    Signed-off-by: Ben Hutchings

commit b334b21e3bbf17c00ed226c5521ef7e5fbed27e2
Author: Roderick Colenbrander
Date:   Wed Nov 23 14:07:11 2016 -0800

    HID: sony: Support DS4 dongle

    commit de66a1a04c25f2560a8dca7a95e2a150b0d5e17e upstream.

    Add support for USB based DS4 dongle device, which allows connecting
    a DS4 through Bluetooth, but hides Bluetooth from the host system.

    Signed-off-by: Roderick Colenbrander
    Signed-off-by: Jiri Kosina
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 8010c0f5d45992601e8b19995869d955b6f1411e
Author: Roderick Colenbrander
Date:   Fri Oct 7 12:39:40 2016 -0700

    HID: sony: Update device ids

    commit cf1015d65d7c8a5504a4c03afb60fb86bff0f032 upstream.

    Support additional DS4 model.

    Signed-off-by: Roderick Colenbrander
    Reviewed-by: Benjamin Tissoires
    Signed-off-by: Jiri Kosina
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings

commit 6df73cd8d7ba52108502b32edebf98352675dc67
Author: Ben Hutchings
Date:   Tue Dec 17 01:57:40 2019 +0000

    net: qlogic: Fix error paths in ql_alloc_large_buffers()

    commit cad46039e4c99812db067c8ac22a864960e7acc4 upstream.

    ql_alloc_large_buffers() has the usual RX buffer allocation
    loop where it allocates skbs and maps them for DMA. It also
    treats failure as a fatal error.

    There are (at least) three bugs in the error paths:

    1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
    first buffer that couldn't be allocated will have .skb == NULL.
    But the qla_buf[] array is not zero-initialised.

    2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is
    incorrect for the last allocated skb, if DMA mapping failed.

    3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in
    ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
    after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
    will double-free it.

    The bugs are somewhat inter-twined, so fix them all at once:

    * Clear each entry in qla_buf[] before attempting to allocate
      an skb for it. This goes half-way to fixing bug 1.
    * Set the .skb field only after the skb is DMA-mapped. This
      fixes the rest.

    Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...")
    Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...")
    Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller

commit e1db96134ab329054b73c4075949053e43ac7208
Author: Navid Emamdoost
Date:   Fri Oct 4 15:24:39 2019 -0500

    net: qlogic: Fix memory leak in ql_alloc_large_buffers

    commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 upstream.

    In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb.
    This skb should be released if pci_dma_mapping_error fails.

    Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()")
    Signed-off-by: Navid Emamdoost
    Signed-off-by: David S. Miller
    Signed-off-by: Ben Hutchings
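
The three error-path bugs listed in the two ql_alloc_large_buffers() entries above can be reproduced in a small userspace model. This is an added example, not the qla3xxx driver code: skbs are integer handles, DMA mapping is a flag, and every `model_*` name, `run_model()` and the fault-injection parameters are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NUM_BUFS 8

struct report {
    int ret;         /* 0 on success, -1 when setup failed */
    int bad_frees;   /* frees of garbage or already-freed handles */
    int bad_unmaps;  /* unmaps of entries that were never mapped */
    int leaked;      /* buffers or mappings still live afterwards */
};

static unsigned int lrg_buf[NUM_BUFS];   /* models lrg_buf[i].skb, 0 = none */
static unsigned int live_skb[NUM_BUFS];  /* shadow: handles really allocated */
static bool live_map[NUM_BUFS];          /* shadow: entries really mapped */
static int fail_alloc_at, fail_map_at;   /* fault injection, -1 = never */
static struct report rep;

static unsigned int model_alloc_skb(int i)
{
    return live_skb[i] = (i == fail_alloc_at) ? 0 : (unsigned int)i + 1;
}

static bool model_map(int i)
{
    return live_map[i] = (i != fail_map_at);
}

/* Releases a handle the shadow table knows; anything else is a bad free. */
static void model_free_skb(unsigned int skb)
{
    for (int i = 0; i < NUM_BUFS; i++)
        if (skb != 0 && live_skb[i] == skb) {
            live_skb[i] = 0;
            return;
        }
    rep.bad_frees++;
}

/* Cleanup used by both variants: walks entries until one has no skb. */
static void free_large_buffers(void)
{
    for (int i = 0; i < NUM_BUFS && lrg_buf[i] != 0; i++) {
        model_free_skb(lrg_buf[i]);
        if (!live_map[i])
            rep.bad_unmaps++;     /* unmapping something never mapped */
        live_map[i] = false;
        lrg_buf[i] = 0;
    }
}

static int alloc_large_buffers(bool fixed)
{
    for (int i = 0; i < NUM_BUFS; i++) {
        unsigned int skb;
        if (fixed)
            lrg_buf[i] = 0;       /* fix: clear the entry before allocating */
        skb = model_alloc_skb(i);
        if (skb == 0) {
            free_large_buffers(); /* original: entry i still holds garbage */
            return -1;
        }
        if (!fixed)
            lrg_buf[i] = skb;     /* original: recorded before mapping */
        if (!model_map(i)) {
            model_free_skb(skb);  /* direct free on mapping failure */
            free_large_buffers(); /* original: frees and unmaps entry i again */
            return -1;
        }
        if (fixed)
            lrg_buf[i] = skb;     /* fix: recorded only once mapped */
    }
    return 0;
}

struct report run_model(bool fixed, int alloc_fail, int map_fail)
{
    memset(&rep, 0, sizeof(rep));
    memset(live_skb, 0, sizeof(live_skb));
    memset(live_map, 0, sizeof(live_map));
    memset(lrg_buf, 0xA5, sizeof(lrg_buf)); /* array is not zero-initialised */
    fail_alloc_at = alloc_fail;
    fail_map_at = map_fail;
    rep.ret = alloc_large_buffers(fixed);
    if (rep.ret == 0)
        free_large_buffers();               /* normal teardown */
    for (int i = 0; i < NUM_BUFS; i++)
        rep.leaked += (live_skb[i] != 0) + live_map[i];
    return rep;
}

int main(void)
{
    struct report o = run_model(false, -1, 7), f = run_model(true, -1, 7);
    printf("original: %d bad frees; fixed: %d\n", o.bad_frees, f.bad_frees);
    return 0;
}
```

A mapping failure on the last entry isolates bugs 2 and 3 (one double free, one stray unmap); an allocation failure mid-array shows bug 1, where every uncleared entry after the failure point is treated as a live buffer.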
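
The string "accumulation" described in the "tracing/uprobes: Fix output for multiple string arguments" entry earlier in this log comes down to a length that omits the NUL byte being used as the size consumed. The following added example models that in userspace; it is not the kernel's fetch_store_string(), and `model_strncpy()`, `store_string()`, `struct dyn_area` and `AREA_SIZE` are assumptions that only mirror the return-value contract quoted in the commit message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AREA_SIZE 32

/* Hypothetical stand-in for the dynamic part of the uprobe buffer. */
struct dyn_area {
    char data[AREA_SIZE + 1];  /* one guard byte so reads always terminate */
    size_t used;
};

/*
 * Models the quoted contract of strncpy_from_user(): copies at most maxlen
 * bytes, including the NUL when it fits, and returns the string length
 * without the NUL, or maxlen when the source did not fit.
 */
static long model_strncpy(char *dst, const char *src, long maxlen)
{
    long n;

    for (n = 0; n < maxlen; n++) {
        dst[n] = src[n];
        if (src[n] == '\0')
            return n;
    }
    return maxlen;
}

/* Appends one string argument; returns its offset in the area, or -1. */
static long store_string(struct dyn_area *a, const char *src, int fixed)
{
    long maxlen = (long)(AREA_SIZE - a->used);
    long off = (long)a->used;
    long ret;

    if (maxlen <= 0)
        return -1;
    ret = model_strncpy(a->data + off, src, maxlen);
    if (fixed && ret < maxlen)
        ret++;                 /* the fix: count the NUL that was copied */
    a->used += (size_t)ret;
    return off;
}

static struct dyn_area area;

/* Stores two string arguments and returns what a reader sees as arg1. */
const char *arg1_after_two(const char *s1, const char *s2, int fixed)
{
    long off1;

    memset(&area, 0, sizeof(area));
    off1 = store_string(&area, s1, fixed);
    store_string(&area, s2, fixed);
    return area.data + off1;
}

size_t area_used(void)
{
    return area.used;
}

int main(void)
{
    printf("original: arg1=\"%s\"\n", arg1_after_two("foo", "bar", 0));
    printf("fixed:    arg1=\"%s\"\n", arg1_after_two("foo", "bar", 1));
    return 0;
}
```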