* refs/heads/tmp-3e66813:
Linux 4.19.92
perf probe: Fix to show function entry line as probe-able
nbd: fix shutdown and recv work deadlock v2
mmc: sdhci: Add a quirk for broken command queuing
mmc: sdhci: Workaround broken command queuing on Intel GLK
mmc: sdhci-of-esdhc: fix P2020 errata handling
mmc: sdhci: Update the tuning failed messages to pr_debug level
mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support"
mmc: sdhci-msm: Correct the offset and value for DDR_CONFIG register
powerpc/irq: fix stack overflow verification
powerpc/vcpu: Assume dedicated processors as non-preempt
x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks[]
x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure()
KVM: arm64: Ensure 'params' is initialised when looking up sys register
ext4: unlock on error in ext4_expand_extra_isize()
ext4: check for directory entries too close to block end
ext4: fix ext4_empty_dir() for directories with holes
staging: comedi: gsc_hpdi: check dma_alloc_coherent() return value
platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes
intel_th: pci: Add Elkhart Lake SOC support
intel_th: pci: Add Comet Lake PCH-V support
USB: EHCI: Do not return -EPIPE when hub is disconnected
cpufreq: Avoid leaving stale IRQ work items during CPU offline
usbip: Fix error path of vhci_recv_ret_submit()
usbip: Fix receive error in vhci-hcd when using scatter-gather
btrfs: return error pointer from alloc_test_extent_buffer
s390/ftrace: fix endless recursion in function_graph tracer
drm/amdgpu: fix uninitialized variable pasid_mapping_needed
usb: xhci: Fix build warning seen with CONFIG_PM=n
can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode
Revert "mmc: sdhci: Fix incorrect switch to HS mode"
btrfs: don't prematurely free work in scrub_missing_raid56_worker()
btrfs: don't prematurely free work in reada_start_machine_worker()
net: phy: initialise phydev speed and duplex sanely
drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2
mips: fix build when "48 bits virtual memory" is enabled
libtraceevent: Fix memory leakage in copy_filter_type
crypto: vmx - Avoid weird build failures
mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED
crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c
crypto: sun4i-ss - Fix 64-bit size_t warnings
net: ethernet: ti: ale: clean ale tbl on init and intf restart
fbtft: Make sure string is NULL terminated
iwlwifi: check kasprintf() return value
brcmfmac: remove monitor interface when detaching
x86/insn: Add some Intel instructions to the opcode map
ASoC: Intel: bytcr_rt5640: Update quirk for Acer Switch 10 SW5-012 2-in-1
ASoC: wm5100: add missed pm_runtime_disable
spi: st-ssc4: add missed pm_runtime_disable
ASoC: wm2200: add missed operations in remove and probe failure
btrfs: don't prematurely free work in run_ordered_work()
btrfs: don't prematurely free work in end_workqueue_fn()
mmc: tmio: Add MMC_CAP_ERASE to allow erase/discard/trim requests
crypto: virtio - deal with unsupported input sizes
tun: fix data-race in gro_normal_list()
spi: tegra20-slink: add missed clk_unprepare
ASoC: wm8904: fix regcache handling
iwlwifi: mvm: fix unaligned read of rx_pkt_status
bcache: fix deadlock in bcache_allocator
tracing/kprobe: Check whether the non-suffixed symbol is notrace
tracing: use kvcalloc for tgid_map array allocation
x86/crash: Add a forward declaration of struct kimage
cpufreq: Register drivers only after CPU devices have been registered
bcache: fix static checker warning in bcache_device_free()
parport: load lowlevel driver if ports not found
nvme: Discard workaround for non-conformant devices
s390/disassembler: don't hide instruction addresses
ASoC: Intel: kbl_rt5663_rt5514_max98927: Add dmic format constraint
iio: dac: ad5446: Add support for new AD5600 DAC
ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile
spi: pxa2xx: Add missed security checks
EDAC/ghes: Fix grain calculation
media: si470x-i2c: add missed operations in remove
ice: delay less
crypto: atmel - Fix authenc support when it is set to m
soundwire: intel: fix PDI/stream mapping for Bulk
media: pvrusb2: Fix oops on tear-down when radio support is not present
fsi: core: Fix small accesses and unaligned offsets via sysfs
ath10k: fix get invalid tx rate for Mesh metric
perf probe: Filter out instances except for inlined subroutine and subprogram
perf probe: Skip end-of-sequence and non statement lines
perf probe: Fix to show calling lines of inlined functions
perf probe: Return a better scope DIE if there is no best scope
perf probe: Skip overlapped location on searching variables
perf parse: If pmu configuration fails free terms
xen/gntdev: Use select for DMA_SHARED_BUFFER
drm/amdgpu: fix potential double drop fence reference
drm/amdgpu: disallow direct upload save restore list from gfx driver
perf tools: Splice events onto evlist even on error
perf probe: Fix to probe a function which has no entry pc
libsubcmd: Use -O0 with DEBUG=1
perf probe: Fix to show inlined function callsite without entry_pc
perf probe: Fix to show ranges of variables in functions without entry_pc
perf probe: Fix to probe an inline function which has no entry pc
perf probe: Walk function lines in lexical blocks
perf jevents: Fix resource leak in process_mapfile() and main()
perf probe: Fix to list probe event with correct line number
perf probe: Fix to find range-only function instance
rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt()
ALSA: timer: Limit max amount of slave instances
spi: img-spfi: fix potential double release
bnx2x: Fix PF-VF communication over multi-cos queues.
rfkill: allocate static minor
nvmem: imx-ocotp: reset error status on probe
media: v4l2-core: fix touch support in v4l_g_fmt
media: rcar_drif: fix a memory disclosure
ixgbe: protect TX timestamping from API misuse
pinctrl: amd: fix __iomem annotation in amd_gpio_irq_handler()
Bluetooth: Fix advertising duplicated flags
libbpf: Fix error handling in bpf_map__reuse_fd()
iio: dln2-adc: fix iio_triggered_buffer_postenable() position
pinctrl: sh-pfc: sh7734: Fix duplicate TCLK1_B
loop: fix no-unmap write-zeroes request behavior
libata: Ensure ata_port probe has completed before detach
net: hns3: add struct netdev_queue debug info for TX timeout
s390/mm: add mm_pxd_folded() checks to pxd_free()
s390/time: ensure get_clock_monotonic() returns monotonic values
phy: qcom-usb-hs: Fix extcon double register after power cycle
net: dsa: LAN9303: select REGMAP when LAN9303 enable
gpu: host1x: Allocate gather copy for host1x
RDMA/qedr: Fix memory leak in user qp and mr
ACPI: button: Add DMI quirk for Medion Akoya E2215T
spi: sprd: adi: Add missing lock protection when rebooting
drm/tegra: sor: Use correct SOR index on Tegra210
net: phy: dp83867: enable robust auto-mdix
i40e: initialize ITRN registers with correct values
arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill()
md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit
media: smiapp: Register sensor after enabling runtime PM on the device
x86/ioapic: Prevent inconsistent state when moving an interrupt
ipmi: Don't allow device module unload when in use
rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot
drm/gma500: fix memory disclosures due to uninitialized bytes
perf tests: Disable bp_signal testing for arm64
x86/mce: Lower throttling MCE messages' priority to warning
bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack()
Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
Bluetooth: Workaround directed advertising bug in Broadcom controllers
Bluetooth: missed cpu_to_le16 conversion in hci_init4_req
iio: adc: max1027: Reset the device at probe time
usb: usbfs: Suppress problematic bind and unbind uevents.
perf report: Add warning when libunwind not compiled in
perf test: Report failure for mmap events
drm/bridge: dw-hdmi: Restore audio when setting a mode
ath10k: Correct error handling of dma_map_single()
x86/mm: Use the correct function type for native_set_fixmap()
extcon: sm5502: Reset registers during initialization
drm/amd/display: Fix dongle_caps containing stale information.
syscalls/x86: Use the correct function type in SYSCALL_DEFINE0
media: ti-vpe: vpe: fix a v4l2-compliance failure about invalid sizeimage
media: ti-vpe: vpe: ensure buffers are cleaned up properly in abort cases
media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic
media: ti-vpe: vpe: Make sure YUYV is set as default format
media: ti-vpe: vpe: fix a v4l2-compliance failure about frame sequence number
media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel format
media: ti-vpe: vpe: Fix Motion Vector vpdma stride
media: cx88: Fix some error handling path in 'cx8800_initdev()'
drm/drm_vblank: Change EINVAL by the correct errno
mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring
block: Fix writeback throttling W=1 compiler warnings
samples: pktgen: fix proc_cmd command result check logic
drm/bridge: dw-hdmi: Refuse DDC/CI transfers on the internal I2C controller
media: cec-funcs.h: add status_req checks
media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init()
regulator: max8907: Fix the usage of uninitialized variable in max8907_regulator_probe()
hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled
usb: renesas_usbhs: add suspend event support in gadget mode
media: venus: Fix occasionally failures to suspend
selftests/bpf: Correct path to include msg + path
drm/amdkfd: fix a potential NULL pointer dereference (v2)
pinctrl: devicetree: Avoid taking direct reference to device name string
ath10k: fix offchannel tx failure when no ath10k_mac_tx_frm_has_freq
media: venus: core: Fix msm8996 frequency table
tools/power/cpupower: Fix initializer override in hsw_ext_cstates
media: ov6650: Fix stored crop rectangle not in sync with hardware
media: ov6650: Fix stored frame format not in sync with hardware
media: i2c: ov2659: Fix missing 720p register config
media: ov6650: Fix crop rectangle alignment not passed back
media: i2c: ov2659: fix s_stream return value
media: am437x-vpfe: Setting STD to current value is not an error
IB/iser: bound protection_sg size by data_sg size
ath10k: fix backtrace on coredump
libertas: fix a potential NULL pointer dereference
rtlwifi: prevent memory leak in rtl_usb_probe
staging: rtl8188eu: fix possible null dereference
staging: rtl8192u: fix multiple memory leaks on error path
spi: Add call to spi_slave_abort() function when spidev driver is released
drm/amdgpu: grab the id mgr lock while accessing passid_mapping
iio: light: bh1750: Resolve compiler warning and make code more readable
drm/bridge: analogix-anx78xx: silence -EPROBE_DEFER warnings
drm/panel: Add missing drm_panel_init() in panel drivers
drm: mst: Fix query_payload ack reply struct
ALSA: hda/ca0132 - Fix work handling in delayed HP detection
ALSA: hda/ca0132 - Avoid endless loop
ALSA: hda/ca0132 - Keep power on during processing DSP response
ALSA: pcm: Avoid possible info leaks from PCM stream buffers
Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues
btrfs: handle ENOENT in btrfs_uuid_tree_iterate
btrfs: do not leak reloc root if we fail to read the fs root
btrfs: skip log replay on orphaned roots
btrfs: abort transaction after failed inode updates in create_subvol
btrfs: send: remove WARN_ON for readonly mount
Btrfs: fix missing data checksums after replaying a log tree
btrfs: do not call synchronize_srcu() in inode_tree_del
btrfs: don't double lock the subvol_sem for rename exchange
selftests: forwarding: Delete IPv6 address at the end
sctp: fully initialize v4 addr in some functions
qede: Fix multicast mac configuration
qede: Disable hardware gro when xdp prog is installed
net: usb: lan78xx: Fix suspend/resume PHY register access error
net: qlogic: Fix error paths in ql_alloc_large_buffers()
net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
net: hisilicon: Fix a BUG trigered by wrong bytes_compl
net: gemini: Fix memory leak in gmac_setup_txqs
net: dst: Force 4-byte alignment of dst_metrics
mod_devicetable: fix PHY module format
fjes: fix missed check in fjes_acpi_add
af_packet: set defaule value for tmo
ANDROID: cuttlefish_defconfig: Disable TRANSPARENT_HUGEPAGE

Conflicts:
    drivers/mmc/host/sdhci-msm.c

Change-Id: Ic97e378f655dc8e07f5e5dd5b435ec37f60deac0
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>

* refs/heads/tmp-314ab78:
Linux 4.19.84
kvm: x86: mmu: Recovery of shattered NX large pages
kvm: Add helper function for creating VM worker threads
kvm: mmu: ITLB_MULTIHIT mitigation
KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
KVM: x86: remove now unneeded hugepage gfn adjustment
KVM: x86: make FNAME(fetch) and __direct_map more similar
kvm: mmu: Do not release the page inside mmu_set_spte()
kvm: Convert kvm_lock to a mutex
kvm: x86, powerpc: do not allow clearing largepages debugfs entry
Documentation: Add ITLB_MULTIHIT documentation
cpu/speculation: Uninline and export CPU mitigations helpers
x86/cpu: Add Tremont to the cpu vulnerability whitelist
x86/bugs: Add ITLB_MULTIHIT bug infrastructure
x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
x86/tsx: Add config options to set tsx=on|off|auto
x86/speculation/taa: Add documentation for TSX Async Abort
x86/tsx: Add "auto" option to the tsx= cmdline parameter
kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
x86/speculation/taa: Add sysfs reporting for TSX Async Abort
x86/speculation/taa: Add mitigation for TSX Async Abort
x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
x86/cpu: Add a helper function x86_read_arch_cap_msr()
x86/msr: Add the IA32_TSX_CTRL MSR
KVM: x86: use Intel speculation bugs and features as derived in generic x86 code
drm/i915/cmdparser: Fix jump whitelist clearing
drm/i915/gen8+: Add RC6 CTX corruption WA
drm/i915: Lower RM timeout to avoid DSI hard hangs
drm/i915/cmdparser: Ignore Length operands during command matching
drm/i915/cmdparser: Add support for backward jumps
drm/i915/cmdparser: Use explicit goto for error paths
drm/i915: Add gen9 BCS cmdparsing
drm/i915: Allow parsing of unsized batches
drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
drm/i915: Add support for mandatory cmdparsing
drm/i915: Remove Master tables from cmdparser
drm/i915: Disable Secure Batches for gen6+
drm/i915: Rename gen7 cmdparser tables
vsock/virtio: fix sock refcnt holding during the shutdown
iio: imu: mpu6050: Fix FIFO layout for ICM20602
net: prevent load/store tearing on sk->sk_stamp
netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets
usbip: Fix free of unallocated memory in vhci tx
cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead
mm/filemap.c: don't initiate writeback if mapping has no dirty pages
iio: imu: inv_mpu6050: fix no data on MPU6050
iio: imu: mpu6050: Add support for the ICM 20602 IMU
blkcg: make blkcg_print_stat() print stats only for online blkgs
pinctrl: cherryview: Fix irq_valid_mask calculation
ocfs2: protect extent tree in ocfs2_prepare_inode_for_write()
pinctrl: intel: Avoid potential glitches if pin is in GPIO mode
e1000: fix memory leaks
igb: Fix constant media auto sense switching when no cable is connected
net: ethernet: arc: add the missed clk_disable_unprepare
NFSv4: Don't allow a cached open with a revoked delegation
usb: dwc3: gadget: fix race when disabling ep with cancelled xfers
hv_netvsc: Fix error handling in netvsc_attach()
drm/amd/display: Passive DP->HDMI dongle detection fix
drm/amdgpu: If amdgpu_ib_schedule fails return back the error.
iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41
net: mscc: ocelot: refuse to overwrite the port's native vlan
net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before link is up
net: hisilicon: Fix "Trying to free already-free IRQ"
fjes: Handle workqueue allocation failure
nvme-multipath: fix possible io hang after ctrl reconnect
scsi: qla2xxx: stop timer in shutdown path
RDMA/hns: Prevent memory leaks of eq->buf_list
RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case
usbip: tools: Fix read_usb_vudc_device() error path handling
USB: ldusb: use unsigned size format specifiers
USB: Skip endpoints with 0 maxpacket length
perf/x86/uncore: Fix event group support
perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h)
perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity
usb: dwc3: remove the call trace of USBx_GFLADJ
usb: gadget: configfs: fix concurrent issue between composite APIs
usb: dwc3: pci: prevent memory leak in dwc3_pci_probe
usb: gadget: composite: Fix possible double free memory bug
usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode.
usb: fsl: Check memory resource before releasing it
macsec: fix refcnt leak in module exit routine
bonding: fix unexpected IFF_BONDING bit unset
ipvs: move old_secure_tcp into struct netns_ipvs
ipvs: don't ignore errors in case refcounting ip_vs module fails
netfilter: nf_flow_table: set timeout before insertion into hashes
scsi: qla2xxx: Initialized mailbox to prevent driver load failure
scsi: lpfc: Honor module parameter lpfc_use_adisc
net: openvswitch: free vport unless register_netdevice() succeeds
RDMA/uverbs: Prevent potential underflow
scsi: qla2xxx: fixup incorrect usage of host_byte
net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq
net/mlx5e: TX, Fix consumer index of error cqe dump
RDMA/qedr: Fix reported firmware version
iw_cxgb4: fix ECN check on the passive accept
RDMA/mlx5: Clear old rate limit when closing QP
HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring()
dmaengine: sprd: Fix the possible memory leak issue
dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config
HID: google: add magnemite/masterball USB ids
PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30
usbip: Implement SG support to vhci-hcd and stub driver
usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path
sched/fair: Fix -Wunused-but-set-variable warnings
sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices
ALSA: usb-audio: Fix copy&paste error in the validator
ALSA: usb-audio: remove some dead code
ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk()
ALSA: usb-audio: Clean up check_input_term()
ALSA: usb-audio: Remove superfluous bLength checks
ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects
ALSA: usb-audio: Simplify parse_audio_unit()
ALSA: usb-audio: More validations of descriptor units
configfs: fix a deadlock in configfs_symlink()
configfs: provide exclusion between IO and removals
configfs: new object reprsenting tree fragments
configfs_register_group() shouldn't be (and isn't) called in rmdirable parts
configfs: stash the data we need into configfs_buffer at open time
can: peak_usb: fix slab info leak
can: mcba_usb: fix use-after-free on disconnect
can: dev: add missing of_node_put() after calling of_get_child_by_name()
can: gs_usb: gs_can_open(): prevent memory leak
can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak
can: peak_usb: fix a potential out-of-sync while decoding packets
can: c_can: c_can_poll(): only read status register after status IRQ
can: flexcan: disable completely the ECC mechanism
can: usb_8dev: fix use-after-free on disconnect
SMB3: Fix persistent handles reconnect
x86/apic/32: Avoid bogus LDR warnings
intel_th: pci: Add Jasper Lake PCH support
intel_th: pci: Add Comet Lake PCH support
netfilter: ipset: Fix an error code in ip_set_sockfn_get()
netfilter: nf_tables: Align nft_expr private data to 64-bit
ARM: sunxi: Fix CPU powerdown on A83T
iio: srf04: fix wrong limitation in distance measuring
iio: imu: adis16480: make sure provided frequency is positive
iio: adc: stm32-adc: fix stopping dma
ceph: add missing check in d_revalidate snapdir handling
ceph: fix use-after-free in __ceph_remove_cap()
arm64: Do not mask out PTE_RDONLY in pte_same()
soundwire: bus: set initial value to port_status
soundwire: depend on ACPI
HID: wacom: generic: Treat serial number and related fields as unsigned
drm/radeon: fix si_enable_smc_cac() failed issue
perf tools: Fix time sorting
tools: gpio: Use !building_out_of_srctree to determine srctree
dump_stack: avoid the livelock of the dump_lock
mm, vmstat: hide /proc/pagetypeinfo from normal users
mm: thp: handle page cache THP correctly in PageTransCompoundMap
mm, meminit: recalculate pcpu batch and high limits after init completes
mm: memcontrol: fix network errors from failing __GFP_ATOMIC charges
ALSA: hda/ca0132 - Fix possible workqueue stall
ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series
ALSA: timer: Fix incorrectly assigned timer instance
net: hns: Fix the stray netpoll locks causing deadlock in NAPI path
ipv6: fixes rt6_probe() and fib6_nh->last_probe init
net: mscc: ocelot: fix NULL pointer on LAG slave removal
net: mscc: ocelot: don't handle netdev events for other netdevs
qede: fix NULL pointer deref in __qede_remove()
NFC: st21nfca: fix double free
nfc: netlink: fix double device reference drop
NFC: fdp: fix incorrect free object
net: usb: qmi_wwan: add support for DW5821e with eSIM support
net: qualcomm: rmnet: Fix potential UAF when unregistering
net: fix data-race in neigh_event_send()
net: ethernet: octeon_mgmt: Account for second possible VLAN header
ipv4: Fix table id reference in fib_sync_down_addr
CDC-NCM: handle incomplete transfer of MTU
bonding: fix state transition issue in link monitoring
Linux 4.19.83
usb: gadget: udc: core: Fix segfault if udc_bind_to_driver() for pending driver fails
arm64: dts: ti: k3-am65-main: Fix gic-its node unit-address
ASoC: pcm3168a: The codec does not support S32_LE
selftests/powerpc: Fix compile error on tlbie_test due to newer gcc
selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue
powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9
platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI table
wireless: Skip directory when generating certificates
net/flow_dissector: switch to siphash
r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2
net: dsa: fix switch tree list
net: usb: lan78xx: Connect PHY before registering MAC
net: bcmgenet: reset 40nm EPHY on energy detect
net: phy: bcm7xxx: define soft_reset for 40nm EPHY
net: bcmgenet: don't set phydev->link from MAC
net: dsa: b53: Do not clear existing mirrored port mask
net/mlx5e: Fix ethtool self test: link speed
r8169: fix wrong PHY ID issue with RTL8168dp
net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget
selftests: fib_tests: add more tests for metric update
ipv4: fix route update on metric change.
net: add READ_ONCE() annotation in __skb_wait_for_more_packets()
net: use skb_queue_empty_lockless() in busy poll contexts
net: use skb_queue_empty_lockless() in poll() handlers
udp: use skb_queue_empty_lockless()
net: add skb_queue_empty_lockless()
vxlan: check tun_info options_len properly
udp: fix data-race in udp_set_dev_scratch()
selftests: net: reuseport_dualstack: fix uninitalized parameter
net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()
netns: fix GFP flags in rtnl_net_notifyid()
net/mlx4_core: Dynamically set guaranteed amount of counters per VF
net: hisilicon: Fix ping latency when deal with high throughput
net: fix sk_page_frag() recursion from memory reclaim
net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum
net: dsa: bcm_sf2: Fix IMP setup for port different than 8
net: annotate lockless accesses to sk->sk_napi_id
net: annotate accesses to sk->sk_incoming_cpu
inet: stop leaking jiffies on the wire
erspan: fix the tun_info options_len check for erspan
dccp: do not leak jiffies on the wire
cxgb4: fix panic when attaching to ULD fail
nbd: handle racing with error'ed out commands
nbd: protect cmd->status with cmd->lock
cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
i2c: stm32f7: remove warning when compiling with W=1
i2c: stm32f7: fix a race in slave mode with arbitration loss irq
i2c: stm32f7: fix first byte to send in slave mode
irqchip/gic-v3-its: Use the exact ITSList for VMOVP
MIPS: bmips: mark exception vectors as char arrays
of: unittest: fix memory leak in unittest_data_add
ARM: 8926/1: v7m: remove register save to stack before svc
tracing: Fix "gfp_t" format for synthetic events
scsi: target: core: Do not overwrite CDB byte 1
drm/amdgpu: fix potential VM faults
ARM: davinci: dm365: Fix McBSP dma_slave_map entry
perf kmem: Fix memory leak in compact_gfp_flags()
8250-men-mcb: fix error checking when get_num_ports returns -ENODEV
perf c2c: Fix memory leak in build_cl_output()
ARM: dts: imx7s: Correct GPT's ipg clock source
scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE
scsi: sni_53c710: fix compilation error
scsi: scsi_dh_alua: handle RTPG sense code correctly during state transitions
scsi: qla2xxx: fix a potential NULL pointer dereference
ARM: mm: fix alignment handler faults under memory pressure
pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable()
ARM: dts: logicpd-torpedo-som: Remove twl_keypad
ASoc: rockchip: i2s: Fix RPM imbalance
ASoC: wm_adsp: Don't generate kcontrols without READ flags
regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe() could be uninitialized
ASoC: rt5682: add NULL handler to set_jack function
regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone
arm64: dts: Fix gpio to pinmux mapping
arm64: dts: allwinner: a64: sopine-baseboard: Add PHY regulator delay
arm64: dts: allwinner: a64: pine64-plus: Add PHY regulator delay
ASoC: wm8994: Do not register inapplicable controls for WM1811
regulator: of: fix suspend-min/max-voltage parsing
kbuild: add -fcf-protection=none when using retpoline flags
Linux 4.19.82
Revert "ALSA: hda: Flush interrupts on disabling"
powerpc/powernv: Fix CPU idle to be called with IRQs disabled
ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface
ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
ALSA: usb-audio: DSD auto-detection for Playback Designs
ALSA: timer: Fix mutex deadlock at releasing card
ALSA: timer: Simplify error path in snd_timer_open()
sch_netem: fix rcu splat in netem_enqueue()
net: usb: sr9800: fix uninitialized local variable
bonding: fix potential NULL deref in bond_update_slave_arr
NFC: pn533: fix use-after-free and memleaks
rxrpc: Fix trace-after-put looking at the put peer record
rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
rxrpc: Fix call ref leak
llc: fix sk_buff leak in llc_conn_service()
llc: fix sk_buff leak in llc_sap_state_process()
batman-adv: Avoid free/alloc race when handling OGM buffer
NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
drm/amdgpu/powerplay/vega10: allow undervolting in p7
dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
dmaengine: qcom: bam_dma: Fix resource leak
rtlwifi: Fix potential overflow on P2P code
arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
s390/idle: fix cpu idle time calculation
s390/cmm: fix information leak in cmm_timeout_handler()
nl80211: fix validation of mesh path nexthop
HID: fix error message in hid_open_report()
HID: Fix assumption that devices have inputs
HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
scsi: target: cxgbit: Fix cxgbit_fw4_ack()
USB: serial: whiteheat: fix line-speed endianness
USB: serial: whiteheat: fix potential slab corruption
usb: xhci: fix __le32/__le64 accessors in debugfs code
USB: ldusb: fix control-message timeout
USB: ldusb: fix ring-buffer locking
usb-storage: Revert commit 747668dbc061 ("usb-storage: Set virt_boundary_mask to avoid SG overflows")
USB: gadget: Reject endpoints with 0 maxpacket value
UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments")
ALSA: hda/realtek - Add support for ALC623
ALSA: hda/realtek - Fix 2 front mics of codec 0x623
ALSA: bebob: Fix prototype of helper function to return negative value
fuse: truncate pending writes on O_TRUNC
fuse: flush dirty data/metadata before non-truncate setattr
ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
thunderbolt: Use 32-bit writes when writing ring producer/consumer
USB: legousbtower: fix a signedness bug in tower_probe()
nbd: verify socket is supported during setup
iwlwifi: exclude GEO SAR support for 3168
ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360
ARM: 8914/1: NOMMU: Fix exc_ret for XIP
tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
s390/uaccess: avoid (false positive) compiler warnings
NFSv4: Fix leak of clp->cl_acceptor string
nbd: fix possible sysfs duplicate warning
virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
MIPS: fw: sni: Fix out of bounds init of o32 stack
MIPS: include: Mark __xchg as __always_inline
iio: imu: adis16400: release allocated memory on failure
drm/amdgpu: fix memory leak
perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
sched/vtime: Fix guest/system mis-accounting on task switch
x86/cpu: Add Comet Lake to the Intel CPU models header
arm64: armv8_deprecated: Checking return value for memory allocation
fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc()
fs: ocfs2: fix a possible null-pointer dereference in ocfs2_write_end_nolock()
fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()
ocfs2: clear zero in unaligned direct IO
x86/xen: Return from panic notifier
MIPS: include: Mark __cmpxchg as __always_inline
efi/x86: Do not clean dummy variable in kexec path
efi/cper: Fix endianness of PCIe class code
serial: mctrl_gpio: Check for NULL pointer
fs: cifs: mute -Wunused-const-variable message
gpio: max77620: Use correct unit for debounce times
tty: n_hdlc: fix build on SPARC
tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
HID: hyperv: Use in-place iterator API in the channel callback
RDMA/iwcm: Fix a lock inversion issue
RDMA/hfi1: Prevent memory leak in sdma_init
staging: rtl8188eu: fix null dereference when kzalloc fails
perf annotate: Return appropriate error code for allocation failures
perf annotate: Propagate the symbol__annotate() error return
perf annotate: Fix the signedness of failure returns
perf annotate: Propagate perf_env__arch() error
perf tools: Propagate get_cpuid() error
perf jevents: Fix period for Intel fixed counters
perf script brstackinsn: Fix recovery from LBR/binary mismatch
perf map: Fix overlapped map handling
perf tests: Avoid raising SEGV using an obvious NULL dereference
libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
iio: fix center temperature of bmc150-accel-core
iio: adc: meson_saradc: Fix memory allocation order
power: supply: max14656: fix potential use-after-free
drm/amd/display: fix odm combine pipe reset
PCI/PME: Fix possible use-after-free on remove
net: dsa: mv88e6xxx: Release lock while requesting IRQ
exec: load_script: Do not exec truncated interpreter path
ext4: disallow files with EXT4_JOURNAL_DATA_FL from EXT4_IOC_SWAP_BOOT
media: vimc: Remove unused but set variables
ALSA: hda/realtek - Apply ALC294 hp init also for S4 resume
cifs: add credits from unmatched responses/messages
CIFS: Respect SMB2 hdr preamble size in read responses
scsi: lpfc: Correct localport timeout duration error
mlxsw: spectrum: Set LAG port collector only when active
arm64: kpti: Whitelist HiSilicon Taishan v110 CPUs
arm64: Add MIDR encoding for HiSilicon Taishan CPUs
rtc: pcf8523: set xtal load capacitance from DT
usb: handle warm-reset port requests on hub resume
ALSA: usb-audio: Cleanup DSD whitelist
usb: dwc3: gadget: clear DWC3_EP_TRANSFER_STARTED on cmd complete
usb: dwc3: gadget: early giveback if End Transfer already completed
samples: bpf: fix: seg fault with NULL pointer arg
HID: steam: fix deadlock with input devices.
HID: steam: fix boot loop with bluetooth firmware
NFSv4: Ensure that the state manager exits the loop on SIGKILL
HID: Add ASUS T100CHI keyboard dock battery quirks
staging: mt7621-pinctrl: use pinconf-generic for 'dt_node_to_map' and 'dt_free_map'
scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks
clk: boston: unregister clks on failure in clk_boston_setup()
ath10k: assign 'n_cipher_suites = 11' for WCN3990 to enable WPA3
platform/x86: Fix config space access for intel_atomisp2_pm
platform/x86: Add the VLV ISP PCI ID to atomisp2_pm
HID: i2c-hid: Add Odys Winbook 13 to descriptor override
HID: i2c-hid: Ignore input report if there's no data present on Elan touchpanels
HID: i2c-hid: Disable runtime PM for LG touchscreen
netfilter: ipset: Make invalid MAC address checks consistent
Btrfs: fix deadlock on tree root leaf when finding free extent
PCI: Fix Switchtec DMA aliasing quirk dmesg noise
bcache: fix input overflow to writeback_rate_minimum
drm/msm/dpu: handle failures while initializing displays
x86/cpu: Add Atom Tremont (Jacobsville)
tools/power turbostat: fix goldmont C-state limit decoding
usb: dwc2: fix unbalanced use of external vbus-supply
HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override
f2fs: fix to recover inode->i_flags of inode block during POR
f2fs: fix to recover inode's i_gc_failures during POR
powerpc/powernv: hold device_hotplug_lock when calling memtrace_offline_pages()
sc16is7xx: Fix for "Unexpected interrupt: 8"
scsi: lpfc: Fix a duplicate 0711 log message number.
f2fs: flush quota blocks after turnning it off
wil6210: fix freeing of rx buffers in EDMA mode
btrfs: tracepoints: Fix wrong parameter order for qgroup events
btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents()
Btrfs: fix memory leak due to concurrent append writes with fiemap
Btrfs: fix inode cache block reserve leak on failure to allocate data space
dm snapshot: rework COW throttling to fix deadlock
dm snapshot: introduce account_start_copy() and account_end_copy()
zram: fix race between backing_dev_show and backing_dev_store
Conflicts:
arch/arm64/include/asm/cputype.h
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
drivers/net/wireless/ath/wil6210/txrx_edma.c
drivers/usb/dwc3/gadget.c
include/linux/cpu.h
kernel/cpu.c
Following USB commits were reverted on importing android-4.19.57
into msm-4.19 due to BootTimeRunner failure. android-4.19-q.82
introduced new usb changes [1] that fixed the regression, hence it
is safe to restore the reverts. It is done in this merge.
9c423fd89("usb: dwc3: Reset num_trbs after skipping")
385cacd95("usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup")
6edcdd0e6("usb: dwc3: gadget: remove wait_end_transfer")
d7ff2e3ff("usb: dwc3: gadget: move requests to cancelled_list")
bba5f9878("usb: dwc3: gadget: introduce cancelled_list")
65e1f3403("usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()")
56092bd50("usb: dwc3: gadget: use num_trbs when skipping TRBs on->dequeue()")
2a2b1c4dc("usb: dwc3: gadget: track number of TRBs per request")
420b1237c("usb: dwc3: gadget: combine unaligned and zero flags")
62805d319("Revert "usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup"")
[1]
a0608eec29("usb: dwc3: gadget: clear DWC3_EP_TRANSFER_STARTED on cmd complete")
d0e8b35e91("usb: dwc3: gadget: early giveback if End Transfer already completed")
Change-Id: I77c3490d2c1cf7c8233a7e797c6f217f737621a2
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>
[ Upstream commit fdea53fe5de532969a332d6e5e727f2ad8bf084d ]
The fuzzer tries to open the timer instances as much as possible, and
this may cause a system hiccup easily. We've already introduced the
cap for the max number of available instances for the h/w timers, and
we should put such a limit also to the slave timers, too.
This patch introduces the limit to the multiple opened slave timers.
The upper limit is hard-coded to 1000 for now, which should suffice
for any practical usages up to now.
Link: https://lore.kernel.org/r/20191106154257.5853-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream.
The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in
snd_timer_open()") unified the error handling code paths with the
standard goto, but it introduced a subtle bug: the timer instance is
stored in snd_timer_open() incorrectly even if it returns an error.
This may eventually lead to UAF, as spotted by fuzzer.
The culprit is the snd_timer_open() code checks the
SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri.
This variable is supposed to be the newly created instance, but we
(ab-)used it for a temporary check before the actual creation of a
timer instance. After that point, there is another check for the max
number of instances, and it bails out if over the threshold. Before
the refactoring above, it worked fine because the code returned
directly from that point. After the refactoring, however, it jumps to
the unified error path that stores the timeri variable in return --
even if it returns an error. Unfortunately this stored value is kept
in the caller side (snd_timer_user_tselect()) in tu->timeri. This
causes inconsistency later, as if the timer was successfully
assigned.
In this patch, we fix it by not re-using timeri variable but a
temporary variable for testing the exclusive connection, so timeri
remains NULL at that point.
Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()")
Reported-and-tested-by: Tristan Madani <tristmd@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
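The error-path bug described in the message above, reduced to a user-space model. This is an added example, not the kernel's code: the struct layouts, open_buggy(), open_fixed(), caller_keeps() and IFLG_EXCLUSIVE are hypothetical stand-ins for snd_timer_open(), snd_timer_user_tselect() and SNDRV_TIMER_IFLG_EXCLUSIVE.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define IFLG_EXCLUSIVE 1u      /* stand-in for SNDRV_TIMER_IFLG_EXCLUSIVE */

struct instance { unsigned int flags; };

struct timer {
    struct instance *first_open;   /* first entry of the open list, or NULL */
    int num_instances;
    int max_instances;
};

static struct instance existing;   /* constructed: another opener's instance */
static struct instance new_slot;   /* storage for a newly created instance */

/* Shape after the refactoring: timeri doubles as scratch for the exclusive
 * check, and the unified exit stores it whether or not the open succeeded. */
int open_buggy(struct timer *t, struct instance **ti)
{
    struct instance *timeri = NULL;
    int err = 0;

    if (t->first_open) {
        timeri = t->first_open;            /* temporary use of timeri */
        if (timeri->flags & IFLG_EXCLUSIVE) {
            err = -EBUSY;
            timeri = NULL;
            goto unlock;
        }
    }
    if (t->num_instances >= t->max_instances) {
        err = -EBUSY;                      /* timeri still aliases 'existing' */
        goto unlock;
    }
    timeri = &new_slot;
    timeri->flags = 0;
    t->num_instances++;
unlock:
    *ti = timeri;                          /* stored even when err != 0 */
    return err;
}

/* Shape of the fix: a separate temporary for the check, so timeri stays
 * NULL until an instance has actually been created. */
int open_fixed(struct timer *t, struct instance **ti)
{
    struct instance *timeri = NULL;
    int err = 0;

    if (t->first_open) {
        struct instance *tmp = t->first_open;
        if (tmp->flags & IFLG_EXCLUSIVE) {
            err = -EBUSY;
            goto unlock;
        }
    }
    if (t->num_instances >= t->max_instances) {
        err = -EBUSY;
        goto unlock;
    }
    timeri = &new_slot;
    timeri->flags = 0;
    t->num_instances++;
unlock:
    *ti = timeri;
    return err;
}

typedef int (*open_fn)(struct timer *, struct instance **);

/* Caller model: keeps whatever the open call stored, as tu->timeri does.
 * The timer is already at its instance limit, so the open must fail. */
struct instance *caller_keeps(open_fn do_open, int *err)
{
    struct timer full = { &existing, 1, 1 };
    struct instance *tu_timeri = NULL;

    *err = do_open(&full, &tu_timeri);
    return tu_timeri;
}

struct instance *other_owner(void) { return &existing; }

int main(void)
{
    int err;
    struct instance *p;

    p = caller_keeps(open_buggy, &err);
    printf("buggy: err=%d, caller holds %s\n", err,
           p == other_owner() ? "another opener's instance" : "NULL");
    p = caller_keeps(open_fixed, &err);
    printf("fixed: err=%d, caller holds %s\n", err, p ? "a pointer" : "NULL");
    return 0;
}
```

In the buggy variant the caller is left holding a pointer it does not own after a failed open, which is the inconsistency the message says later turns into a use-after-free.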
[ Upstream commit a39331867335d4a94b6165e306265c9e24aca073 ]
When a card is disconnected while in use, the system waits until all
opened files are closed then releases the card. This is done via
put_device() of the card device in each device release code.
The recently reported mutex deadlock bug happens in this code path;
snd_timer_close() for the timer device deals with the global
register_mutex and it calls put_device() there. When this timer
device is the last one, the card gets freed and it eventually calls
snd_timer_free(), which has again the protection with the global
register_mutex -- boom.
Basically put_device() call itself is race-free, so a relatively simple
workaround is to move this put_device() call out of the mutex. For
achieving that, in this patch, snd_timer_close_locked() got a new
argument to store the card device pointer in return, and each caller
invokes put_device() with the returned object after the mutex unlock.
Reported-and-tested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 41672c0c24a62699d20aab53b98d843b16483053 ]
Just a minor refactoring to use the standard goto for error paths in
snd_timer_open() instead of open code. The first mutex_lock() is
moved to the beginning of the function to make the code clearer.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
NULL check timer->card before use to prevent dereferencing
a NULL pointer.
CRs-Fixed: 1046606
Change-Id: I8e359864508cc2307d9e9619f36c7c08cc3842f9
Signed-off-by: Meng Wang <mwang@codeaurora.org>
A timer object for the classes SNDRV_TIMER_CLASS_CARD and
SNDRV_TIMER_CLASS_PCM has to be associated with a card object, but we
have no check at creation time. Such a timer object with NULL card
causes various unexpected problems, e.g. NULL dereference at reading
the sound timer proc file.
So as a preventive measure, while the sound timer object is
created, the card information availability is checked for the mentioned
entries and an error is returned if it's NULL.
Signed-off-by: Srikanth K H <srikanth.h@samsung.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The kernel may spew a WARNING about UBSAN undefined behavior at
handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:
UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x122/0x1c8 lib/dump_stack.c:113
ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
handle_overflow+0x1c2/0x21f lib/ubsan.c:190
__ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
snd_timer_user_next_device sound/core/timer.c:1524 [inline]
__snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
....
It happens only when a value with INT_MAX is passed, as we're
incrementing it unconditionally. So the fix is trivial, check the
value with INT_MAX. Although the bug itself is fairly harmless, it's
better to fix it so that fuzzers won't hit this again later.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213
Reported-and-tested-by: Team OWL337 <icytxw@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There are still many places calling the timer's hw.c_resolution
callback without lock, and this may lead to some races, as we faced in
the commit a820ccbe21 ("ALSA: pcm: Fix UAF at PCM release via PCM
timer access").
This patch changes snd_timer_resolution() to take the timer->lock for
avoiding the races. A place calling this function already inside the
lock (from the notifier) is replaced with the
snd_timer_hw_resolution() accordingly, as well as wrapping with the
lock around another place calling snd_timer_hw_resolution(), too.
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There are multiple open-codes to get the hardware timer resolution.
Make a local helper function snd_timer_hw_resolution() and call it
from all relevant places.
There is no functional change by this, just a preliminary work for the
following timer resolution hardening patch.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Commit f65e0d2998 ("ALSA: timer: Call notifier in the same spinlock")
combined the start/continue and stop/pause functions, and in doing so
changed the event code for the pause case to SNDRV_TIMER_EVENT_CONTINUE.
Change it back to SNDRV_TIMER_EVENT_PAUSE.
Fixes: f65e0d2998 ("ALSA: timer: Call notifier in the same spinlock")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:
    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done
with de-mangling cleanups yet to come.
NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do. But the keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.
The next patch from Al will sort out the final differences, and we
should be all done.
Scripted-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Currently we allow unlimited number of timer instances, and it may
bring the system hogging way too much CPU when too many timer
instances are opened and processed concurrently. This may end up with
a soft-lockup report as triggered by syzkaller, especially when
hrtimer backend is deployed.
Since such insane number of instances aren't demanded by the normal
use case of ALSA sequencer and it merely opens a risk only for abuse,
this patch introduces the upper limit for the number of instances per
timer backend. As default, it's set to 1000, but for the fine-grained
timer like hrtimer, it's set to 100.
Reported-by: syzbot
Tested-by: Jérôme Glisse <jglisse@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly. This adds a pointer back to struct
snd_timer.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add a jump target so that a bit of exception handling can be better reused
at the end of this function.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The script "checkpatch.pl" pointed information out like the following.
ERROR: do not use assignment in if condition
Thus fix the affected source code place.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Pull sound updates from Takashi Iwai:
"This development cycle resulted in a fair amount of changes in both
core and driver sides. The most significant change in ALSA core is
about PCM. Also the support of of-graph card and the new DAPM widget
for DSP are noteworthy changes in ASoC core. And there're lots of
small changes splat over the tree, as you can see in diffstat.
Below are a few highlights:
ALSA core:
- Removal of set_fs() hackery from PCM core stuff, and the code
reorganization / optimization thereafter
- Improved support of PCM ack ops, and a new ABI for improved
control/status mmap handling
- Lots of constifications in various codes
ASoC core:
- The support of of-graph card, which may work as a better generic
device for a replacement of simple-card
- New widget types intended mainly for use with DSPs
ASoC drivers:
- New drivers for Allwinner V3s SoCs
- Ensonic ES8316 codec support
- More Intel SKL and KBL works
- More device support for Intel SST Atom (mostly for cheap tablets
and 2-in-1 devices)
- Support for Rockchip PDM controllers
- Support for STM32 I2S and S/PDIF controllers
- Support for ZTE AUD96P22 codecs
HD-audio:
- Support of new Realtek codecs (ALC215/ALC285/ALC289), more quirks
for HP and Dell machines
- A few more fixes for i915 component binding"
* tag 'sound-4.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (418 commits)
ALSA: hda - Fix unbalance of i915 module refcount
ASoC: Intel: Skylake: Remove driver debugfs exit
ASoC: Intel: Skylake: explicitly add the headers sst-dsp.h
ALSA: hda/realtek - Remove GPIO_MASK
ALSA: hda/realtek - Fix typo of pincfg for Dell quirk
ALSA: pcm: add a documentation for tracepoints
ALSA: atmel: ac97c: fix error return code in atmel_ac97c_probe()
ALSA: x86: fix error return code in hdmi_lpe_audio_probe()
ASoC: Intel: Skylake: Add support to read firmware registers
ASoC: Intel: Skylake: Add sram address to sst_addr structure
ASoC: Intel: Skylake: Debugfs facility to dump module config
ASoC: Intel: Skylake: Add debugfs support
ASoC: fix semicolon.cocci warnings
ASoC: rt5645: Add quirk override by module option
ASoC: rsnd: make arrays path and cmd_case static const
ASoC: audio-graph-card: add widgets and routing for external amplifier support
ASoC: audio-graph-card: update bindings for amplifier support
ASoC: rt5665: calibration should be done before jack detection
ASoC: rsnd: constify dev_pm_ops structures.
ASoC: nau8825: change crosstalk-bypass property to bool type
...
Rename:
wait_queue_t => wait_queue_entry_t
'wait_queue_t' was always a slight misnomer: its name implies that it's a "queue",
but in reality it's a queue *entry*. The 'real' queue is the wait queue head,
which had to carry the name.
Start sorting this out by renaming it to 'wait_queue_entry_t'.
This also allows the real structure name 'struct __wait_queue' to
lose its double underscore and become 'struct wait_queue_entry',
which is the more canonical nomenclature for such data types.
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Just a tidy up to follow the standard EXPORT_SYMBOL*() declarations
in order to improve grep-ability.
- Move EXPORT_SYMBOL*() to the position right after its definition
Signed-off-by: Takashi Iwai <tiwai@suse.de>
For accessing the snd_timer_user queue indices, we take tu->qlock.
But it's forgotten in a couple of places.
The one in snd_timer_user_params() should be safe without the
spinlock as the timer is already stopped. But it's better for
consistency.
The one in poll is just a read-out, so it's not inevitably needed, but
it'd be good to make the result consistent, too.
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA timer may reallocate the user queue upon request, and it happens
at three places for now: at opening, at SNDRV_TIMER_IOCTL_PARAMS, and
at SNDRV_TIMER_IOCTL_SELECT. However, the last one,
snd_timer_user_tselect(), doesn't need to reallocate the buffer since
it doesn't change the queue size. It does just because tu->tread
might have been changed before starting the timer.
Instead of *_SELECT ioctl, we should reallocate the queue at
SNDRV_TIMER_IOCTL_TREAD; then the timer is guaranteed to be stopped,
thus we can reassign the buffer more safely.
This patch implements that with a slight code refactoring.
Essentially, the patch achieves:
- Introduce realloc_user_queue() for (re-)allocating the ring buffer,
and call it from all places. Also, realloc_user_queue() uses
kcalloc() for avoiding possible leaks.
- Add the buffer reallocation at SNDRV_TIMER_IOCTL_TREAD. When it
fails, tu->tread is restored to the old value, too.
- Drop the buffer reallocation at snd_timer_user_tselect().
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices. Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:
BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
copy_to_user ./arch/x86/include/asm/uaccess.h:725
snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
do_loop_readv_writev fs/read_write.c:716
__do_readv_writev+0x94c/0x1380 fs/read_write.c:864
do_readv_writev fs/read_write.c:894
vfs_readv fs/read_write.c:908
do_readv+0x52a/0x5d0 fs/read_write.c:934
SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
SyS_readv+0x87/0xb0 fs/read_write.c:1018
This patch adds the missing reset of queue indices. Together with the
previous fix for the ioctl/read race, we cover the whole problem.
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The read from ALSA timer device, the function snd_timer_user_tread(),
may access uninitialized struct snd_timer_user fields when the
read is concurrently performed while the ioctl like
snd_timer_user_tselect() is invoked. We have already fixed the races
among ioctls via a mutex, but we seem to have forgotten the race
between read vs ioctl.
This patch simply applies (more exactly extends the already applied
range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
race window.
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The "r1" struct has memory holes. We clear it with memset on one path
where it is used but not the other. Let's just memset it at the start
of the function so it's always safe.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
We just checked "id.card < 0" on the lines before so we know it's not
true here. We can delete that check.
Also checkpatch.pl complains about some extra curly braces so we may as
well fix that while we're at it.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When a user sets a too small ticks with a fine-grained timer like
hrtimer, the kernel tries to fire up the timer irq too frequently.
This may lead to the condensed locks, eventually the kernel spinlock
lockup with warnings.
For avoiding such a situation, we define a lower limit of the
resolution, namely 1ms. When the user passes a too small tick value
that results in less than that, the kernel returns -EINVAL now.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When a user timer instance is continued without the explicit start
beforehand, the system gets eventually zero-division error like:
divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003c9b2280 task.stack: ffff880027280000
RIP: 0010:[<ffffffff858e1a6c>] [< inline >] ktime_divns include/linux/ktime.h:195
RIP: 0010:[<ffffffff858e1a6c>] [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
Call Trace:
<IRQ>
[< inline >] __run_hrtimer kernel/time/hrtimer.c:1238
[<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
[<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
[<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
[<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
[<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
<EOI>
.....
Although a similar issue was spotted and a fix patch was merged in
commit [6b760bb2c6: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems to cover only a part of the
iceberg.
In this patch, we fix the issue a bit more drastically. Basically the
continue of an uninitialized timer is supposed to be a fresh start, so
we do it for user timers. For the direct snd_timer_continue() call,
there is no way to pass the initial tick value, so we kick out for the
uninitialized case.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
I got this with syzkaller:
==================================================================
BUG: KASAN: null-ptr-deref on address 0000000000000020
Read of size 32 by task syz-executor/22519
CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
Call Trace:
[<ffffffff81f9f141>] dump_stack+0x83/0xb2
[<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
[<ffffffff8161ff74>] kasan_report+0x34/0x40
[<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
[<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
[<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
[<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
[<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
[<ffffffff8127c278>] ? do_group_exit+0x108/0x330
[<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
[<ffffffff81674dfe>] __vfs_read+0x10e/0x550
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
[<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
[<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
[<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
[<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
[<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
[<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
[<ffffffff81675355>] vfs_read+0x115/0x330
[<ffffffff81676371>] SyS_read+0xd1/0x1a0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
[<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
[<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
==================================================================
There are a couple of problems that I can see:
- ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
would get a NULL pointer dereference like the above splat
- the same ioctl() can free tu->queue/tu->tqueue which means read()
could potentially see (and dereference) the freed pointer
We can fix both by taking the ioctl_lock mutex when dereferencing
->queue/->tqueue, since that's always held over all the ioctl() code.
Just looking at the code I find it likely that there are more problems
here such as tu->qhead pointing outside the buffer if the size is
changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The user timer tu->qused counter may go to a negative value when
multiple concurrent reads are performed since both the check and the
decrement of tu->qused are done in two individual locked contexts.
This results in bogus read outs, and the endless loop in the
user-space side.
The fix is to move the decrement of the tu->qused counter into the
same spinlock context as the zero-check of the counter.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to the user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to the user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The stack object “tread” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to the user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
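The padding leak described in the three messages above, as a user-space model. This is an added example, not kernel code: struct tread_model is an assumed layout (4-byte event, 16-byte timestamp, 4-byte val, 64-bit ABI) matching the 32-byte size the messages give, and STALE is a constructed marker standing in for leftover stack contents. The clear_first path is the memset() approach the "r1" memory-holes message on this page describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the 32-byte record (64-bit ABI, 8-byte aligned int64_t). */
struct ts_model { int64_t sec; int64_t nsec; };

struct tread_model {
    int32_t event;            /* followed by 4 bytes of padding */
    struct ts_model tstamp;
    uint32_t val;             /* followed by 4 bytes of tail padding */
};

#define STALE 0xA5            /* constructed marker for old stack bytes */

/* Store one member and record which bytes of the object it covers.
 * Writing through memcpy keeps the padding bytes untouched on every compiler. */
static void put(unsigned char *obj, unsigned char *is_member,
                size_t off, const void *src, size_t len)
{
    memcpy(obj + off, src, len);
    memset(is_member + off, 1, len);
}

/* Bytes of the object that belong to no member. */
size_t padding_bytes(void)
{
    return sizeof(struct tread_model)
         - (sizeof(int32_t) + sizeof(struct ts_model) + sizeof(uint32_t));
}

/* Build the record in a "stack slot" that holds stale data, copy all
 * sizeof(struct) bytes out as a copy to user space would, and count how many
 * stale bytes the receiver can see. */
size_t leaked_stale_bytes(int clear_first)
{
    unsigned char slot[sizeof(struct tread_model)];
    unsigned char user[sizeof(struct tread_model)];
    unsigned char is_member[sizeof(struct tread_model)];
    int32_t event = 4;                              /* constructed values */
    struct ts_model ts = { 1700000000, 123456789 };
    uint32_t val = 1000;
    size_t i, leaked = 0;

    memset(is_member, 0, sizeof is_member);
    memset(slot, STALE, sizeof slot);               /* leftovers of an earlier frame */
    if (clear_first)
        memset(slot, 0, sizeof slot);               /* clear the whole object first */

    put(slot, is_member, offsetof(struct tread_model, event), &event, sizeof event);
    put(slot, is_member, offsetof(struct tread_model, tstamp), &ts, sizeof ts);
    put(slot, is_member, offsetof(struct tread_model, val), &val, sizeof val);

    memcpy(user, slot, sizeof user);                /* whole object, padding included */

    for (i = 0; i < sizeof user; i++)
        if (!is_member[i] && user[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("sizeof=%zu padding=%zu\n", sizeof(struct tread_model), padding_bytes());
    printf("members only: %zu stale bytes copied out\n", leaked_stale_bytes(0));
    printf("memset first: %zu stale bytes copied out\n", leaked_stale_bytes(1));
    return 0;
}
```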
There are no users of rtctimer left. Remove its code as this is the
in-kernel user of the legacy PC RTC driver that will hopefully be removed
at some point.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA system timer backend stops the timer via del_timer() without sync
and leaves del_timer_sync() at the close instead. This is because of
the restriction by the design of ALSA timer: namely, the stop callback
may be called from the timer handler, and calling the sync shall lead
to a hangup. However, this also triggers a kernel BUG() when the
timer is rearmed immediately after stopping without sync:
kernel BUG at kernel/time/timer.c:966!
Call Trace:
<IRQ>
[<ffffffff8239c94e>] snd_timer_s_start+0x13e/0x1a0
[<ffffffff8239e1f4>] snd_timer_interrupt+0x504/0xec0
[<ffffffff8122fca0>] ? debug_check_no_locks_freed+0x290/0x290
[<ffffffff8239ec64>] snd_timer_s_function+0xb4/0x120
[<ffffffff81296b72>] call_timer_fn+0x162/0x520
[<ffffffff81296add>] ? call_timer_fn+0xcd/0x520
[<ffffffff8239ebb0>] ? snd_timer_interrupt+0xec0/0xec0
....
It's the place where add_timer() checks the pending timer. It's clear
that this may happen after the immediate restart without sync in our
cases.
So, the workaround here is just to use mod_timer() instead of
add_timer(). This looks like a band-aid fix, but it's a right move,
as snd_timer_interrupt() takes care of the continuous rearm of timer.
Reported-by: Jiri Slaby <jslaby@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
'struct snd_timer_gparams' includes some members with 'unsigned long',
therefore its size differs depending on data models of architecture. As
a result, x86/x32 applications fail to execute ioctl(2) with
SNDRV_TIMER_GPARAMS command on x86_64 machine.
This commit fixes this bug by adding a pair of structure and ioctl
command for the compatibility.
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_timer_notify1() is called outside the spinlock and it retakes the
lock after the unlock. This is rather racy, and it's safer to move
snd_timer_notify() call inside the main spinlock.
The patch also contains a slight refactoring / cleanup of the code.
Now all start/stop/continue/pause look more symmetric and a bit better
readable.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In order to make the open/close more robust, widen the register_mutex
protection over the whole snd_timer_close() function. Also, the close
procedure is slightly shuffled to be in a safer order, along with a
few code refactorings.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_timer_user_read() has a potential race among parallel reads, as
qhead and qused are updated outside the critical section due to
copy_to_user() calls. Move them into the critical section, and also
sanitize the relevant code a bit.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
A slave timer element also unlinks at snd_timer_stop() but it takes
only slave_active_lock. When a slave is assigned to a master,
however, this may become a race against the master's interrupt
handling, eventually resulting in a list corruption. The actual bug
could be seen with a syzkaller fuzzer test case in BugLink below.
As a fix, we need to take timeri->timer->lock when timer isn't NULL,
i.e. assigned to a master, while the assignment to a master itself is
protected by slave_active_lock.
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In ALSA timer core, the active timer instance is managed in
active_list linked list. Each element is added / removed dynamically
at timer start, stop and in timer interrupt. The problem is that
snd_timer_interrupt() has a thinko and leaves the element in
active_list when it's the last opened element. This eventually leads
to list corruption or use-after-free error.
This hasn't been revealed because we used to delete the list forcibly
in snd_timer_stop() in the past. However, the recent fix avoids the
double-stop behavior (in commit [f784beb75c: ALSA: timer: Fix link
corruption due to double start or stop]), and this leak hits reality.
This patch fixes the link management in snd_timer_interrupt(). Now it
simply unlinks no matter which stream it is.
BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA timer core framework has no sync point at stopping because it's
called inside the spinlock. Thus we need a sync point at close for
avoiding the stray timer task. This is simply done by implementing
the close callback just calling del_timer_sync(). (It's harmless to
call it unconditionally, as the core timer itself takes care of the already
deleted timer instance.)
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Although ALSA timer code got hardening for races, it still causes
use-after-free error. This is however rather a corrupted linked list,
not actually the concurrent accesses. Namely, when timer start is
triggered twice, list_add_tail() is called twice, too. This ends
up with the link corruption and triggers KASAN error.
The simplest fix would be replacing list_add_tail() with
list_move_tail(), but fundamentally it's the problem that we don't
check the double start/stop correctly. So, the right fix here is to
add the proper checks to snd_timer_start() and snd_timer_stop() (and
their variants).
BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>