git.osdn.net Git - sagit-ice-cold/kernel_xiaomi

ARM: dts: msm: remove HOME gpio key for qrd devices

For qrd devices, remove HOME gpio key to fix driver probe issue.

Change-Id: I46ba4ef05c795fced67f2db59a3f5ce183bdeba8
Signed-off-by: Fei Mao <feim1@codeaurora.org>

Merge "Merge android-4.4.158 (f9e4134) into msm-4.4"

Merge "ARM: dts: Add new memlat freq map for sdm455"

Merge "clk: qcom: mdss: avoid release of the dynamic fps PLL code memory"

Merge "msm: ipa: Protect ipa default routing table"

Merge "dwc3: Preserve TxFIFO of IN/INT EP for UDC without tx-fifo-resize"

clk: qcom: mdss: avoid release of the dynamic fps PLL code memory

Avoid the release of memory for dynamic fps PLL codes. The memory
is part of the continuous splash memory region and will be freed
eventually as part of the splash screen memory cleanup routine.

Change-Id: I67afb46057770298668ae5790637e8b4b08fd030
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>

ARM: dts: Add new memlat freq map for sdm455

Add new freq map for memlat node for sdm455.

Change-Id: I536b7f3e41610ca78d5cfae08ecbfc1e82b8fe5b
Signed-off-by: Biao long <blong@codeaurora.org>
Signed-off-by: Santosh Mardi <gsantosh@codeaurora.org>

Merge "mdss: mdp: Fix access after null check"

Merge "drm: msm: update cpu1 hotplug by using cpu_device node"

Merge "mdss: mdp: Add error check for split ctl"

Merge "ion: Ensure non-HLOS memory cannot be mapped by CPU"

Merge "fbdev/msm: sanitize debugfs inputs when reading mdp memory"

Merge "drm/msm: add checksum for HDR infoframe"

msm: ipa: Protect ipa default routing table

Protect ipa default routing table from
addition, deletion and modification once after
default rule added by ipa-driver.

Change-Id: I045d9c29fed23edf796d826e440b81124e1f666a
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

Merge "cnss2: Add support for genoa pcie"

Merge "soc: qcom: hab: fix the soft lockup in vchan free schedule"

Merge "soc: hab: change lifecycle of exp_id from vchan to ctx"

Merge "soc: hab: fix mmap failure issue when hab import"

Merge "ARM: dts: msm: Add pin control settings for UFS reset on SDM660"

Merge "pinctrl: qcom: Add UFS_RESET pin data for sdm660"

Merge "dwc3: resize txfifo of IN/INT endpoint before enabling it"

Merge "Merge android-4.4.157 (c139ea66) into msm-4.4"

Merge "Merge android-4.4.156 (7eb7037) into msm-4.4"

Merge "drm/msm: add additional HDR state transition"

Merge "ARM: dts: msm: Enable Native SSR for WLAN on GVMQ"

Merge "clk: qcom: mdss: add support for dynamic refresh on DSI 14nm PLL"

Merge "page-flags: define PG_locked behavior on compound pages"

Merge "drm/msm: clear colorimetry block info for HDMI"

Merge "msm: vidc: copy the crop info during dequeue buf"

Merge "usb: dwc3-msm: Release PM wakelock in host mode only for auto targets"

drm/msm: add checksum for HDR infoframe

Checksum for the HDR infoframe is set to zero by default
as this is not a mandatory field as per the HDMI spec.

However certain HDMI sinks still expect a non-zero
checksum. Otherwise they disregard the infoframe
and the sink does not enter HDR mode despite other fields
of the infoframe being valid.

Add a valid checksum to the HDR infoframe to improve
interoperability of our HDR solution for HDMI.

Change-Id: Ie826e5e637fc1f053203bdcf6a829d0246a9ed67
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>

soc: qcom: hab: fix the soft lockup in vchan free schedule

With a certain probability soft lockup when do hab vchan free schedule.
one vchan do the local hab close while another vchan in the same context
through softirq also try to acquire write lock in the free schedule at the
same time, it will cause watchdog bite. Disable local softirq could avoid
race condition handling between tasklet and process context.

Change-Id: I4ee9b980dab7ecb1986af1d61f70157fc30d1048
Signed-off-by: Yao Jiang <yaojia@codeaurora.org>

cnss2: Add support for genoa pcie

Add genoa pcie specific qmi and power up/down handling.

Change-Id: I08e640f775de5436071b457225a8b61f13574d01
CRs-fixed: 2272303
Signed-off-by: Jayachandran Sreekumaran <jsreekum@codeaurora.org>

drm/msm: add additional HDR state transition

Add an additional HDR state transition to cover the HDR
teardown sequence case.

This will avoid the HDR infoframe to be programmed repeatedly
if there is no change in its contents.

Change-Id: Ic2f077f0c2ff01e19db5a59b218c4d824e039773
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Signed-off-by: Navid Bahrani <nbahrani@codeaurora.org>

ion: Ensure non-HLOS memory cannot be mapped by CPU

Currently it is possible for an ION client to allocate non-HLOS memory
(ie memory which isn't assigned to the HLOS vmid), map this memory, and
then attempt to access this memory from the CPU.
Attempting to access non-HLOS memory from the CPU will cause a
stage-2 fault.

Fix ION so that non-HLOS memory cannot be mapped by the CPU.

Change-Id: Ifb51de2eabc076cddc744c13f01ef97b4a7c6874
Signed-off-by: Liam Mark <lmark@codeaurora.org>

pinctrl: qcom: Add UFS_RESET pin data for sdm660

UFS_RESET is a single purpose output only pin which can be used to
send reset to connected UFS device. This change adds UFS_RESET
pin data.

Change-Id: I539ae2bef003bccf8aa9c23fb5dde0b263844629
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

page-flags: define PG_locked behavior on compound pages

lock_page() must operate on the whole compound page.  It doesn't make
much sense to lock part of compound page.  Change code to use head
page's PG_locked, if tail page is passed.

This patch also gets rid of custom helper functions --
__set_page_locked() and __clear_page_locked().  They are replaced with
helpers generated by __SETPAGEFLAG/__CLEARPAGEFLAG.  Tail pages to these
helper would trigger VM_BUG_ON().

SLUB uses PG_locked as a bit spin locked.  IIUC, tail pages should never
appear there.  VM_BUG_ON() is added to make sure that this assumption is
correct.

[akpm@linux-foundation.org: fix fs/cifs/file.c]
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Steve Capper <steve.capper@linaro.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Jérôme Glisse <jglisse@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Ifeeb98c789880ff34b286383568db60e08672205
Git-Commit: 48c935ad88f5be20eb5445a77c171351b1eb5111
Git-Repo: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>

page-flags: introduce page flags policies wrt compound pages

This patch adds a third argument to macros which create function
definitions for page flags.  This argument defines how page-flags
helpers behave on compound functions.

For now we define four policies:

- PF_ANY: the helper function operates on the page it gets, regardless
   if it's non-compound, head or tail.

- PF_HEAD: the helper function operates on the head page of the
   compound page if it gets tail page.

- PF_NO_TAIL: only head and non-compond pages are acceptable for this
   helper function.

- PF_NO_COMPOUND: only non-compound pages are acceptable for this
   helper function.

For now we use policy PF_ANY for all helpers, which matches current
behaviour.

We do not enforce the policy for TESTPAGEFLAG, because we have flags
checked for random pages all over the kernel.  Noticeable exception to
this is PageTransHuge() which triggers VM_BUG_ON() for tail page.

Change-Id: I7b7847a06d9ddaa91ec8fabbbf36772dd4501fb2
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Steve Capper <steve.capper@linaro.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Jérôme Glisse <jglisse@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Git-Commit: 95ad97554ac81b31139d4fe5ed8757a07087cd90
Git-Repo: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>

page-flags: move code around

The preparation patch: we are going to use compound_head(), PageTail()
and PageCompound() to define page-flags helpers.

Let's define them before macros.

We cannot user PageHead() helper in PageCompound() as it's not yet
defined -- use test_bit(PG_head, &page->flags) instead.

Change-Id: I7b6fb5e29c571f740a6390af87794496c5b4d240
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Steve Capper <steve.capper@linaro.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Jérôme Glisse <jglisse@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Git-Commit: 0e6d31a7336f41ef0375f5398c79e54de8e219b6
Git-Repo: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>

dwc3: Preserve TxFIFO of IN/INT EP for UDC without tx-fifo-resize

We are clearing existing allocated TxFIFO during set_config
even if a controller does not have tx-fifo-resize flag set
in the DT. Also we do not resize the FIFOs for such controller.
As a result, the FIFO depths for the IN/INT EPs (excpet 0 IN)
of the controller are 0 and it cannot work in device mode.

Fix this issue by not clearing the default TxFIFO if
tx-fifo-resize flag is not set.

Change-Id: I5cf7d2eb017b8ed55348e578c10856d62a3e282e
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

USB: dwc3: gadget: Fix TxFIFO resizing logic

The TxFIFO RAM start address for some USB controller
might be non-zero. The current FIFO resizing logic in
place always considers that this start address is 0x0000
and writes the RAM start address for subsequent TxFIFOs
with the last FIFO depth only, leading to the controller
not functioning properly.

To make the controller work, start address of GTXFIFOSIZ(#n)
should be written with the start address of GTXFIFOSIZ(0)
+ last FIFO depth. Fix the resizing logic accordingly.

Change-Id: Ia83edef7165b980828f2a43832493be2349ae0dc
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

dwc3: resize txfifo of IN/INT endpoint before enabling it

USB IN/INT endpoint stalls when performing TX FIFO resize functionality
when IN/INT endpoint is already active i.e. usb endpoint is enabled and
usb request is pending with it. Fix this issue by making sure that TX
FIFO resize is performed before enabling endpoint which shall happen
after set_alt(1) and before any function queues request with its allocated
USB endpoint.

CRs-Fixed: 2039310
Change-Id: I13a590f87ab8492f7c95a15b2da9f00c9c63c4f9
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

msm: vidc: copy the crop info during dequeue buf

User-space expects the crop data to be notified from the
driver as it was done in kernel 3.16 as part-of
reserved field of v4l2planes.
On 4.4 kernel, as the v4l2planes are removed this
change is required for indicating the crop info
to user client.

Change-Id: I065e514cdd45bfe17206e0e18416a2313bc6a344
Signed-off-by: Paras Nagda <pnagda@codeaurora.org>

ARM: dts: msm: Enable Native SSR for WLAN on GVMQ

Since WLAN is passthrough block for LA-GVM, Enable
native SSR instead of virtual SSR.

Change-Id: I1de983dc570101c508557368b2f7215126221ee5
Signed-off-by: Venkata Rao Kakani <vkakani@codeaurora.org>

drm/msm: fix HDR programming sequence for mastering infoframe

Fix the HDR programming sequence in the HDMI driver to make it
compatible as per the latest hardware programming guide.

Change-Id: Ife5d0ce675a9653e0e44a413bda68b98d506a205
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>

Merge changes into msm-4.4

Merge "mdss: mdp: Fix fudge factor overflow check"

Merge "mdss: mdp: Add null check for ctl"

Merge "msm: dba: adv7533: Fix DSI-HDMI display not up issue"

Merge android-4.4.158 (f9e4134) into msm-4.4

* refs/heads/tmp-f9e4134
  Linux 4.4.158
  MIPS: VDSO: Match data page cache colouring when D$ aliases
  drivers: net: cpsw: fix segfault in case of bad phy-handle
  mei: bus: type promotion bug in mei_nfc_if_version()
  USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
  pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
  drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
  selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
  ALSA: pcm: Fix snd_interval_refine first/last with open min/max
  rtc: bq4802: add error handling for devm_ioremap
  drm/amdkfd: Fix error codes in kfd_get_process
  gpiolib: Mark gpio_suffixes array with __maybe_unused
  coresight: tpiu: Fix disabling timeouts
  coresight: Handle errors in finding input/output ports
  parport: sunbpp: fix error return code
  drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
  ARM: hisi: check of_iomap and fix missing of_node_put
  ARM: hisi: fix error handling and missing of_node_put
  ARM: hisi: handle of_iomap and fix missing of_node_put
  MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
  mtdchar: fix overflows in adjustment of `count`
  audit: fix use-after-free in audit_add_watch
  binfmt_elf: Respect error return from `regset->active'
  CIFS: fix wrapping bugs in num_entries()
  cifs: prevent integer overflow in nxt_dir_entry()
  usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
  USB: yurex: Fix buffer over-read in yurex_write()
  usb: misc: uss720: Fix two sleep-in-atomic-context bugs
  USB: serial: io_ti: fix array underflow in completion handler
  USB: net2280: Fix erroneous synchronization change
  USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
  usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
  usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
  USB: Add quirk to support DJI CineSSD
  usb: Don't die twice if PCI xhci host is not responding in resume
  misc: hmc6352: fix potential Spectre v1
  Tools: hv: Fix a bug in the key delete code
  IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
  xen/netfront: fix waiting for xenbus state change
  pstore: Fix incorrect persistent ram buffer mapping
  RDMA/cma: Protect cma dev list with lock
  xen-netfront: fix warn message as irq device name has '/'
  crypto: sharah - Unregister correct algorithms for SAHARA 3
  platform/x86: toshiba_acpi: Fix defined but not used build warnings
  s390/qeth: reset layer2 attribute on layer switch
  s390/qeth: fix race in used-buffer accounting
  arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
  xen-netfront: fix queue name setting
  mac80211: restrict delayed tailroom needed decrement
  MIPS: jz4740: Bump zload address
  powerpc/powernv: opal_put_chars partial write fix
  perf powerpc: Fix callchain ip filtering
  ARM: exynos: Clear global variable on init error path
  fbdev: Distinguish between interlaced and progressive modes
  perf powerpc: Fix callchain ip filtering when return address is in a register
  fbdev/via: fix defined but not used warning
  video: goldfishfb: fix memory leak on driver remove
  fbdev: omapfb: off by one in omapfb_register_client()
  mtd/maps: fix solutionengine.c printk format warnings
  media: videobuf2-core: check for q->error in vb2_core_qbuf()
  MIPS: ath79: fix system restart
  dmaengine: pl330: fix irq race with terminate_all
  kbuild: add .DELETE_ON_ERROR special target
  clk: imx6ul: fix missing of_node_put()
  gfs2: Special-case rindex for gfs2_grow
  xfrm: fix 'passing zero to ERR_PTR()' warning
  ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
  ALSA: msnd: Fix the default sample sizes
  iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
  BACKPORT: arm/syscalls: Optimize address limit check
  UPSTREAM: syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
  BACKPORT: arm64/syscalls: Check address limit on user-mode return
  BACKPORT: x86/syscalls: Check address limit on user-mode return
  BACKPORT: lkdtm: add bad USER_DS test
  UPSTREAM: bug: switch data corruption check to __must_check
  BACKPORT: lkdtm: Add tests for struct list corruption
  UPSTREAM: bug: Provide toggle for BUG on data corruption
  UPSTREAM: list: Split list_del() debug checking into separate function
  UPSTREAM: rculist: Consolidate DEBUG_LIST for list_add_rcu()
  BACKPORT: list: Split list_add() debug checking into separate function
  FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.

Conflicts:
include/linux/bug.h
lib/Kconfig.debug
lib/list_debug.c

Change-Id: I9d87b6b133cac5b642e5e0c928e0bcd0eda6fbdb
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

Merge android-4.4.157 (c139ea66) into msm-4.4

* refs/heads/tmp-c139ea66
  Linux 4.4.157
  mm: get rid of vmacache_flush_all() entirely
  x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
  autofs: fix autofs_sbi() does not check super block type
  mtd: ubi: wl: Fix error return code in ubi_wl_init()
  crypto: vmx - Fix sleep-in-atomic bugs
  ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
  net: ethernet: ti: cpsw: fix mdio device reference leak
  drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
  netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
  vmw_balloon: include asm/io.h
  xhci: Fix use-after-free in xhci_free_virt_device
  RDMA/cma: Do not ignore net namespace for unbound cm_id
  MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
  f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
  mfd: ti_am335x_tscadc: Fix struct clk memory leak
  iommu/ipmmu-vmsa: Fix allocation in atomic context
  partitions/aix: fix usage of uninitialized lv_info and lvname structures
  partitions/aix: append null character to print data from disk
  Input: atmel_mxt_ts - only use first T9 instance
  net: dcb: For wild-card lookups, use priority -1, not 0
  MIPS: Octeon: add missing of_node_put()
  net: mvneta: fix mtu change on port without link
  gpio: ml-ioh: Fix buffer underwrite on probe error path
  x86/mm: Remove in_nmi() warning from vmalloc_fault()
  Bluetooth: hidp: Fix handling of strncpy for hid->name information
  ath10k: disable bundle mgmt tx completion event support
  scsi: 3ware: fix return 0 on the error path of probe
  ata: libahci: Correct setting of DEVSLP register
  MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
  ath10k: prevent active scans on potential unusable channels
  macintosh/via-pmu: Add missing mmio accessors
  NFSv4.0 fix client reference leak in callback
  perf tools: Allow overriding MAX_NR_CPUS at compile time
  f2fs: do not set free of current section
  tty: rocket: Fix possible buffer overwrite on register_PCI
  uio: potential double frees if __uio_register_device() fails
  misc: ti-st: Fix memory leak in the error path of probe()
  md/raid5: fix data corruption of replacements after originals dropped
  scsi: target: fix __transport_register_session locking
  gpio: tegra: Move driver registration to subsys_init level
  Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
  ethtool: Remove trailing semicolon for static inline
  misc: mic: SCIF Fix scif_get_new_port() error handling
  ARC: [plat-axs*]: Enable SWAP
  locking/osq_lock: Fix osq_lock queue corruption
  selinux: use GFP_NOWAIT in the AVC kmem_caches
  locking/rwsem-xadd: Fix missed wakeup due to reordering of load
  block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
  staging/rts5208: Fix read overflow in memcpy
  staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
  kthread: fix boot hang (regression) on MIPS/OpenRISC
  kthread: Fix use-after-free if kthread fork fails
  cfq: Give a chance for arming slice idle timer in case of group_idle
  ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
  i2c: i801: fix DNV's SMBCTRL register offset
  i2c: xiic: Make the start and the byte count write atomic

Conflicts:
block/blk-cgroup.c
drivers/net/wireless/ath/ath10k/wmi-tlv.c
kernel/locking/rwsem-xadd.c

Change-Id: If6c24e0c16e173dc2a22e047200bbd7a4f11f713
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

Merge android-4.4.156 (7eb7037) into msm-4.4

* refs/heads/tmp-7eb7037
  Linux 4.4.156
  btrfs: use correct compare function of dirty_metadata_bytes
  ASoC: wm8994: Fix missing break in switch
  s390/lib: use expoline for all bcr instructions
  mei: me: allow runtime pm for platform with D0i3
  sch_tbf: fix two null pointer dereferences on init failure
  sch_netem: avoid null pointer deref on init failure
  sch_hhf: fix null pointer dereference on init failure
  sch_multiq: fix double free on init failure
  sch_htb: fix crash on init failure
  ovl: proper cleanup of workdir
  ovl: override creds with the ones from the superblock mounter
  ovl: rename is_merge to is_lowest
  irqchip/gic: Make interrupt ID 1020 invalid
  irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
  irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
  irqchip/gicv3-its: Fix memory leak in its_free_tables()
  irqchip/gic-v3-its: Recompute the number of pages on page size change
  genirq: Delay incrementing interrupt count if it's disabled/pending
  Fixes: Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated pages")
  enic: do not call enic_change_mtu in enic_probe
  Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
  irda: Only insert new objects into the global database via setsockopt
  irda: Fix memory leak caused by repeated binds of irda socket
  kbuild: make missing $DEPMOD a Warning instead of an Error
  x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
  debugobjects: Make stack check warning more informative
  btrfs: Don't remove block group that still has pinned down bytes
  btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
  btrfs: replace: Reset on-disk dev stats value after replace
  powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
  SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
  smb3: fix reset of bytes read and written stats
  selftests/powerpc: Kill child processes on SIGINT
  staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
  dm kcopyd: avoid softlockup in run_complete_job
  PCI: mvebu: Fix I/O space end address calculation
  scsi: aic94xx: fix an error code in aic94xx_init()
  s390/dasd: fix hanging offline processing due to canceled worker
  powerpc: Fix size calculation using resource_size()
  net/9p: fix error path of p9_virtio_probe
  irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
  platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
  mfd: sm501: Set coherent_dma_mask when creating subdevices
  ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
  fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
  mm/fadvise.c: fix signed overflow UBSAN complaint
  scripts: modpost: check memory allocation results
  fat: validate ->i_start before using
  hfsplus: fix NULL dereference in hfsplus_lookup()
  reiserfs: change j_timestamp type to time64_t
  fork: don't copy inconsistent signal handler state to child
  hfs: prevent crash on exit from failed search
  hfsplus: don't return 0 when fill_super() failed
  cifs: check if SMB2 PDU size has been padded and suppress the warning
  vti6: remove !skb->ignore_df check from vti6_xmit()
  tcp: do not restart timewait timer on rst reception
  qlge: Fix netdev features configuration.
  net: bcmgenet: use MAC link status for fixed phy
  staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
  x86/speculation/l1tf: Fix up pte->pfn conversion for PAE

Conflicts:
drivers/staging/android/ion/ion.c

Change-Id: I7153f61c3a676a788f64eeb8bab13e840bbbf985
[readded the function ion_handle_get_by_id() which got deleted with
commit 'staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free'
since it is used in msm/msm_ion.c]
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

drm/msm: clear colorimetry block info for HDMI

SDE connector stores the information related to the HDMI
colorimetry data block. This connector information is
retained till the connector is destroyed which does not
happen across hotplug.

Clear the HDMI colorimetry block related data fields when
the bridge is disabled so that across a hotplug stale
information is not retained.

Change-Id: I2333af8835af98f78934df056301648e1cb6f8be
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>

drm: msm: update cpu1 hotplug by using cpu_device node

update cpu1 hotplug by using its device structure
online callback. This is to ensure, sysfs entry for
cpu1 reflects the online status correctly.

Change-Id: Idc77a1074ca030ca826eb1a817b1ab7795e8548c
Signed-off-by: Vivek Kumar <vivekuma@codeaurora.org>

soc: hab: fix mmap failure issue when hab import

If hab client import the same buffer with different
size, only checking pages_list->index is not enough,
so add the buffer size checking.

Change-Id: I92d16d124e69131cee9b81a49dc9fa02075a96b6
Signed-off-by: Yajun Li <yajunl@codeaurora.org>

soc: hab: change lifecycle of exp_id from vchan to ctx

To make sure unexport/unimport the same buffer successfully
in different threads from export/import function, only check
pchan's validation, instead of vchan id.

Change-Id: I3203f198c37e8b169090d8f93d92e87bbd4cdb6e
Signed-off-by: Yajun Li <yajunl@codeaurora.org>

Merge "soc: qcom: fix race condition while freeing private data"

Merge "ARM: dts: msm: change ION layout for msm8996 ivi vplatform"

Merge "defconfig: msm-auto: Disable IOMMU_TESTS from msm8996 auto."

Merge "iommu/debug: Remove dependency on CONFIG_IOMMU_DEBUG_TRACKING"

Merge "ARM: dts: msm: Add support for FHD+ video mode panel"

Merge "msm: camera: Fix arbitrary kernel write"

Merge "ARM: dts: msm: Disable mhi and esoc for msm8996 CV2X"

Merge "wqcrypto: qcedev: Add null pointer check on sg_src"

Merge "soc: soundwire: Fix wsa mute issue for stereo playback"

Merge "soc: swr-wcd-ctrl: Fix wsa mute issue for stereo playback"

usb: dwc3-msm: Release PM wakelock in host mode only for auto targets

Currently the driver releases PM wakelock in host mode. This
causes pm_suspend to get triggered. Although pm_suspend bails out
but xhci_bus_suspend transitions the bus to a bad state leading
to host mode failure.
Fix this by releasing wakelock only for targets on which we allow
PM suspend in host mode irrespective of runtimePM.

Change-Id: I6648991272c0f22b032b526bce3a76864fec63a5
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

clk: qcom: mdss: add support for dynamic refresh on DSI 14nm PLL

Add CLK_SET_RATE_NO_REPARENT flag for the software mux clocks in
DSI 14nm PLL driver which is needed for dynamic refresh feature.
Update the dynamic fps structure to align the PLL codes with
vco frequency instead of fps.

Change-Id: I533f615ce51be7229171b6accac3f14ab2dca949
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>

ARM: dts: msm: Add pin control settings for UFS reset on SDM660

This change adds pin control settings to support UFS device reset
operation on sdm660 target.

Change-Id: I59befba3c019a15e4626f825516787c8c2a1ad7d
Signed-off-by: Sayali Lokhande <sayalil@codeaurora.org>

Merge 4.4.158 into android-4.4

Changes in 4.4.158
iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
ALSA: msnd: Fix the default sample sizes
ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
xfrm: fix 'passing zero to ERR_PTR()' warning
gfs2: Special-case rindex for gfs2_grow
clk: imx6ul: fix missing of_node_put()
kbuild: add .DELETE_ON_ERROR special target
dmaengine: pl330: fix irq race with terminate_all
MIPS: ath79: fix system restart
media: videobuf2-core: check for q->error in vb2_core_qbuf()
mtd/maps: fix solutionengine.c printk format warnings
fbdev: omapfb: off by one in omapfb_register_client()
video: goldfishfb: fix memory leak on driver remove
fbdev/via: fix defined but not used warning
perf powerpc: Fix callchain ip filtering when return address is in a register
fbdev: Distinguish between interlaced and progressive modes
ARM: exynos: Clear global variable on init error path
perf powerpc: Fix callchain ip filtering
powerpc/powernv: opal_put_chars partial write fix
MIPS: jz4740: Bump zload address
mac80211: restrict delayed tailroom needed decrement
xen-netfront: fix queue name setting
arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
s390/qeth: fix race in used-buffer accounting
s390/qeth: reset layer2 attribute on layer switch
platform/x86: toshiba_acpi: Fix defined but not used build warnings
crypto: sharah - Unregister correct algorithms for SAHARA 3
xen-netfront: fix warn message as irq device name has '/'
RDMA/cma: Protect cma dev list with lock
pstore: Fix incorrect persistent ram buffer mapping
xen/netfront: fix waiting for xenbus state change
IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
Tools: hv: Fix a bug in the key delete code
misc: hmc6352: fix potential Spectre v1
usb: Don't die twice if PCI xhci host is not responding in resume
USB: Add quirk to support DJI CineSSD
usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
USB: net2280: Fix erroneous synchronization change
USB: serial: io_ti: fix array underflow in completion handler
usb: misc: uss720: Fix two sleep-in-atomic-context bugs
USB: yurex: Fix buffer over-read in yurex_write()
usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
cifs: prevent integer overflow in nxt_dir_entry()
CIFS: fix wrapping bugs in num_entries()
binfmt_elf: Respect error return from `regset->active'
audit: fix use-after-free in audit_add_watch
mtdchar: fix overflows in adjustment of `count`
MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
ARM: hisi: handle of_iomap and fix missing of_node_put
ARM: hisi: fix error handling and missing of_node_put
ARM: hisi: check of_iomap and fix missing of_node_put
drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
parport: sunbpp: fix error return code
coresight: Handle errors in finding input/output ports
coresight: tpiu: Fix disabling timeouts
gpiolib: Mark gpio_suffixes array with __maybe_unused
drm/amdkfd: Fix error codes in kfd_get_process
rtc: bq4802: add error handling for devm_ioremap
ALSA: pcm: Fix snd_interval_refine first/last with open min/max
selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
mei: bus: type promotion bug in mei_nfc_if_version()
drivers: net: cpsw: fix segfault in case of bad phy-handle
MIPS: VDSO: Match data page cache colouring when D$ aliases
Linux 4.4.158

Change-Id: I1e31454733d69774fbb97398fd7756438fb8fa17
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Linux 4.4.158

MIPS: VDSO: Match data page cache colouring when D$ aliases

commit 0f02cfbc3d9e413d450d8d0fd660077c23f67eff upstream.

When a system suffers from dcache aliasing a user program may observe
stale VDSO data from an aliased cache line. Notably this can break the
expectation that clock_gettime(CLOCK_MONOTONIC, ...) is, as its name
suggests, monotonic.

In order to ensure that users observe updates to the VDSO data page as
intended, align the user mappings of the VDSO data page such that their
cache colouring matches that of the virtual address range which the
kernel will use to update the data page - typically its unmapped address
within kseg0.

This ensures that we don't introduce aliasing cache lines for the VDSO
data page, and therefore that userland will observe updates without
requiring cache invalidation.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
Reported-by: Rene Nielsen <rene.nielsen@microsemi.com>
Reported-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
Patchwork: https://patchwork.linux-mips.org/patch/20344/
Tested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Tested-by: Hauke Mehrtens <hauke@hauke-m.de>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers: net: cpsw: fix segfault in case of bad phy-handle

commit d733f7542ad47cf73e033c90cf55158587e1d060 upstream.

If an emac node has a phy-handle property that points to something
which is not a phy, then a segmentation fault will occur when the
interface is brought up. This is because while phy_connect() will
return ERR_PTR() on failure, of_phy_connect() will return NULL.
The common error check uses IS_ERR(), and so missed when
of_phy_connect() fails. The NULL pointer is then dereferenced.

Also, the common error message referenced slave->data->phy_id,
which would be empty in the case of phy-handle. Instead, use the
name of the device_node as a useful identifier. And in the phy_id
case add the error code for completeness.

Fixes: 9e42f715264f ("drivers: net: cpsw: add phy-handle parsing")
Signed-off-by: David Rivshin <drivshin@allworx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[SZ Lin (林上智): Tweak the patch to use original print function of dev_info()]
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mei: bus: type promotion bug in mei_nfc_if_version()

commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream.

We accidentally removed the check for negative returns
without considering the issue of type promotion.
The "if_version_length" variable is type size_t so if __mei_cl_recv()
returns a negative then "bytes_recv" is type promoted
to a high positive value and treated as success.

Cc: <stable@vger.kernel.org>
Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: ti_usb_3410_5052: fix array underflow in completion handler

commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream.

Similarly to a recently reported bug in io_ti, a malicious USB device
could set port_number to a negative value and we would underflow the
port array in the interrupt completion handler.

As these devices only have one or two ports, fix this by making sure we
only consider the seventh bit when determining the port number (and
ignore bits 0xb0 which are typically set to 0x30).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant

[ Upstream commit 1cf86bc21257a330e3af51f2a4e885f1a705f6a5 ]

If you do this on an sdm845 board:
  grep "" /sys/kernel/debug/pinctrl/*spmi:pmic*/pinconf-groups

...it looks like nonsense.  For every pin you see listed:
  input bias disabled, input bias high impedance, input bias pull down, input bias pull up, ...

That's because pmic_gpio_config_get() isn't complying with the rules
that pinconf_generic_dump_one() expects.  Specifically for boolean
parameters (anything with a "struct pin_config_item" where has_arg is
false) the function expects that the function should return its value
not through the "config" parameter but should return "0" if the value
is set and "-EINVAL" if the value isn't set.

Let's fix this.

>From a quick sample of other pinctrl drivers, it appears to be
tradition to also return 1 through the config parameter for these
boolean parameters when they exist.  I'm not one to knock tradition,
so I'll follow tradition and return 1 in these cases.  While I'm at
it, I'll also continue searching for four leaf clovers, kocking on
wood three times, and trying not to break mirrors.

NOTE: This also fixes an apparent typo for reading
PIN_CONFIG_BIAS_DISABLE where the old driver was accidentally
using "=" instead of "==" and thus was setting some internal
state when you tried to query PIN_CONFIG_BIAS_DISABLE.  Oops.

Fixes: eadff3024472 ("pinctrl: Qualcomm SPMI PMIC GPIO pin controller driver")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/panel: type promotion bug in s6e8aa0_read_mtp_id()

[ Upstream commit cd0e0ca69109d025b1a1b6609f70682db62138b0 ]

The ARRAY_SIZE() macro is type size_t. If s6e8aa0_dcs_read() returns a
negative error code, then "ret < ARRAY_SIZE(id)" is false because the
negative error code is type promoted to a high positive value.

Fixes: 02051ca06371 ("drm/panel: add S6E8AA0 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180704093807.s3lqsb2v6dg2k43d@kili.mountain
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress

[ Upstream commit 1416270f4a1ae83ea84156ceba19a66a8f88be1f ]

In the past we've warned when ADJ_OFFSET was in progress, usually
caused by ntpd or some other time adjusting daemon running in non
steady sate, which can cause the skew calculations to be
incorrect.

Thus, this patch checks to see if the clock was being adjusted
when we fail so that we don't cause false negatives.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Miroslav Lichvar <mlichvar@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Stephen Boyd <sboyd@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: linux-kselftest@vger.kernel.org
Suggested-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: pcm: Fix snd_interval_refine first/last with open min/max

[ Upstream commit ff2d6acdf6f13d9f8fdcd890844c6d7535ac1f10 ]

Without this commit the following intervals [x y), (x y) were be
replaced to (y-1 y) by snd_interval_refine_last(). This was also done
if y-1 is part of the previous interval.
With this changes it will be replaced with [y-1 y) in case of y-1 is
part of the previous interval. A similar behavior will be used for
snd_interval_refine_first().

This commit adapts the changes for alsa-lib of commit
9bb985c ("pcm: snd_interval_refine_first/last: exclude value only if
also excluded before")

Signed-off-by: Timo Wischer <twischer@de.adit-jv.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

rtc: bq4802: add error handling for devm_ioremap

[ Upstream commit 7874b919866ba91bac253fa219d3d4c82bb944df ]

When devm_ioremap fails, the lack of error-handling code may
cause unexpected results.

This patch adds error-handling code after calling devm_ioremap.

Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/amdkfd: Fix error codes in kfd_get_process

[ Upstream commit e47cb828eb3fca3e8999a0b9aa053dda18552071 ]

Return ERR_PTR(-EINVAL) if kfd_get_process fails to find the process.
This fixes kernel oopses when a child process calls KFD ioctls with
a file descriptor inherited from the parent process.

Signed-off-by: Wei Lu <wei.lu2@amd.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

gpiolib: Mark gpio_suffixes array with __maybe_unused

[ Upstream commit b23ec59926faf05b0c43680d05671c484e810ac4 ]

Since we put static variable to a header file it's copied to each module
that includes the header. But not all of them are actually used it.

Mark gpio_suffixes array with __maybe_unused to hide a compiler warning:

In file included from
drivers/gpio/gpiolib-legacy.c:6:0:
drivers/gpio/gpiolib.h:95:27: warning: ‘gpio_suffixes’ defined but not used [-Wunused-const-variable=]
static const char * const gpio_suffixes[] = { "gpios", "gpio" };
^~~~~~~~~~~~~
In file included from drivers/gpio/gpiolib-devprop.c:17:0:
drivers/gpio/gpiolib.h:95:27: warning: ‘gpio_suffixes’ defined but not used [-Wunused-const-variable=]
static const char * const gpio_suffixes[] = { "gpios", "gpio" };
^~~~~~~~~~~~~

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

coresight: tpiu: Fix disabling timeouts

[ Upstream commit ccff2dfaceaca4517432f5c149594215fe9098cc ]

Probing the TPIU driver under UBSan triggers an out-of-bounds shift
warning in coresight_timeout():

...
[ 5.677530] UBSAN: Undefined behaviour in drivers/hwtracing/coresight/coresight.c:929:16
[ 5.685542] shift exponent 64 is too large for 64-bit type 'long unsigned int'
...

On closer inspection things are exponentially out of whack because we're
passing a bitmask where a bit number should be. Amusingly, it seems that
both calls will find their expected values by sheer luck and appear to
succeed: 1 << FFCR_FON_MAN ends up at bit 64 which whilst undefined
evaluates as zero in practice, while 1 << FFSR_FT_STOPPED finds bit 2
(TCPresent) which apparently is usually tied high.

Following the examples of other drivers, define separate FOO and FOO_BIT
macros for masks vs. indices, and put things right.

CC: Robert Walker <robert.walker@arm.com>
CC: Mike Leach <mike.leach@linaro.org>
CC: Mathieu Poirier <mathieu.poirier@linaro.org>
Fixes: 11595db8e17f ("coresight: Fix disabling of CoreSight TPIU")
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

coresight: Handle errors in finding input/output ports

[ Upstream commit fe470f5f7f684ed15bc49b6183a64237547910ff ]

If we fail to find the input / output port for a LINK component
while enabling a path, we should fail gracefully rather than
assuming port "0".

Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parport: sunbpp: fix error return code

[ Upstream commit faa1a47388b33623e4d504c23569188907b039a0 ]

Return an error code on failure. Change leading spaces to tab on the
first if.

Problem found using Coccinelle.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping

[ Upstream commit b59fb482b52269977ee5de205308e5b236a03917 ]

Depending on the kernel configuration, early ARM architecture setup code
may have attached the GPU to a DMA/IOMMU mapping that transparently uses
the IOMMU to back the DMA API. Tegra requires special handling for IOMMU
backed buffers (a special bit in the GPU's MMU page tables indicates the
memory path to take: via the SMMU or directly to the memory controller).
Transparently backing DMA memory with an IOMMU prevents Nouveau from
properly handling such memory accesses and causes memory access faults.

As a side-note: buffers other than those allocated in instance memory
don't need to be physically contiguous from the GPU's perspective since
the GPU can map them into contiguous buffers using its own MMU. Mapping
these buffers through the IOMMU is unnecessary and will even lead to
performance degradation because of the additional translation. One
exception to this are compressible buffers which need large pages. In
order to enable these large pages, multiple small pages will have to be
combined into one large (I/O virtually contiguous) mapping via the
IOMMU. However, that is a topic outside the scope of this fix and isn't
currently supported. An implementation will want to explicitly create
these large pages in the Nouveau driver, so detaching from a DMA/IOMMU
mapping would still be required.

Signed-off-by: Thierry Reding <treding@nvidia.com>
Acked-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Tested-by: Nicolas Chauvet <kwizart@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ARM: hisi: check of_iomap and fix missing of_node_put

[ Upstream commit 81646a3d39ef14749301374a3a0b8311384cd412 ]

of_find_compatible_node() returns a device node with refcount incremented
and thus needs an explicit of_node_put(). Further relying on an unchecked
of_iomap() which can return NULL is problematic here, after all ctrl_base
is critical enough for hix5hd2_set_cpu() to call BUG() if not available
so a check seems mandated here.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
0002 Fixes: commit 06cc5c1d4d73 ("ARM: hisi: enable hix5hd2 SoC")
Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ARM: hisi: fix error handling and missing of_node_put

[ Upstream commit 9f30b5ae0585ca5234fe979294b8f897299dec99 ]

of_iomap() can return NULL which seems critical here and thus should be
explicitly flagged so that the cause of system halting can be understood.
As of_find_compatible_node() is returning a device node with refcount
incremented it must be explicitly decremented here.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: commit 7fda91e73155 ("ARM: hisi: enable smp for HiP01")
Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ARM: hisi: handle of_iomap and fix missing of_node_put

[ Upstream commit d396cb185c0337aae5664b250cdd9a73f6eb1503 ]

Relying on an unchecked of_iomap() which can return NULL is problematic
here, an explicit check seems mandatory. Also the call to
of_find_compatible_node() returns a device node with refcount incremented
therefor an explicit of_node_put() is needed here.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: commit 22bae4290457 ("ARM: hi3xxx: add hotplug support")
Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads

[ Upstream commit cd87668d601f622e0ebcfea4f78d116d5f572f4d ]

The PCI_OHCI_INT_REG case in pci_ohci_read_reg() contains the following
if statement:

if ((lo & 0x00000f00) == CS5536_USB_INTR)

CS5536_USB_INTR expands to the constant 11, which gives us the following
condition which can never evaluate true:

if ((lo & 0xf00) == 11)

At least when using GCC 8.1.0 this falls foul of the tautoligcal-compare
warning, and since the code is built with the -Werror flag the build
fails.

Fix this by shifting lo right by 8 bits in order to match the
corresponding PCI_OHCI_INT_REG case in pci_ohci_write_reg().

Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/19861/
Cc: Huacai Chen <chenhc@lemote.com>
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mtdchar: fix overflows in adjustment of `count`

[ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ]

The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

audit: fix use-after-free in audit_add_watch

[ Upstream commit baa2a4fdd525c8c4b0f704d20457195b29437839 ]

audit_add_watch stores locally krule->watch without taking a reference
on watch. Then, it calls audit_add_to_parent, and uses the watch stored
locally.

Unfortunately, it is possible that audit_add_to_parent updates
krule->watch.
When it happens, it also drops a reference of watch which
could free the watch.

How to reproduce (with KASAN enabled):

auditctl -w /etc/passwd -F success=0 -k test_passwd
auditctl -w /etc/passwd -F success=1 -k test_passwd2

The second call to auditctl triggers the use-after-free, because
audit_to_parent updates krule->watch to use a previous existing watch
and drops the reference to the newly created watch.

To fix the issue, we grab a reference of watch and we release it at the
end of the function.

Signed-off-by: Ronny Chevalier <ronny.chevalier@hp.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

binfmt_elf: Respect error return from `regset->active'

[ Upstream commit 2f819db565e82e5f73cd42b39925098986693378 ]

The regset API documented in <linux/regset.h> defines -ENODEV as the
result of the `->active' handler to be used where the feature requested
is not available on the hardware found. However code handling core file
note generation in `fill_thread_core_info' interpretes any non-zero
result from the `->active' handler as the regset requested being active.
Consequently processing continues (and hopefully gracefully fails later
on) rather than being abandoned right away for the regset requested.

Fix the problem then by making the code proceed only if a positive
result is returned from the `->active' handler.

Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 4206d3aa1978 ("elf core dump: notes user_regset")
Patchwork: https://patchwork.linux-mips.org/patch/19332/
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

CIFS: fix wrapping bugs in num_entries()

commit 56446f218af1133c802dad8e9e116f07f381846c upstream.

The problem is that "entryptr + next_offset" and "entryptr + len + size"
can wrap. I ended up changing the type of "entryptr" because it makes
the math easier when we don't have to do so much casting.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

cifs: prevent integer overflow in nxt_dir_entry()

commit 8ad8aa353524d89fa2e09522f3078166ff78ec42 upstream.

The "old_entry + le32_to_cpu(pDirInfo->NextEntryOffset)" can wrap
around so I have added a check for integer overflow.

Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()

commit 6e22e3af7bb3a7b9dc53cb4687659f6e63fca427 upstream.

wdm_in_callback() is a completion handler function for the USB driver.
So it should not sleep. But it calls service_outstanding_interrupt(),
which calls usb_submit_urb() with GFP_KERNEL.

To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.

This bug is found by my static analysis tool DSAC.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: yurex: Fix buffer over-read in yurex_write()

commit 7e10f14ebface44a48275c8d6dc1caae3668d5a9 upstream.

If the written data starts with a digit, yurex_write() tries to parse
it as an integer using simple_strtoull().  This requires a null-
terminator, and currently there's no guarantee that there is one.

(The sample program at
https://github.com/NeoCat/YUREX-driver-for-Linux/blob/master/sample/yurex_clock.pl
writes an integer without a null terminator.  It seems like it must
have worked by chance!)

Always add a null byte after the written data.  Enlarge the buffer
to allow for this.

Cc: stable@vger.kernel.org
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: misc: uss720: Fix two sleep-in-atomic-context bugs

commit bc8acc214d3f1cafebcbcd101a695bbac716595d upstream.

async_complete() in uss720.c is a completion handler function for the
USB driver. So it should not sleep, but it is can sleep according to the
function call paths (from bottom to top) in Linux-4.16.

[FUNC] set_1284_register(GFP_KERNEL)
drivers/usb/misc/uss720.c, 372:
  set_1284_register in parport_uss720_frob_control
drivers/parport/ieee1284.c, 560:
  [FUNC_PTR]parport_uss720_frob_control in parport_ieee1284_ack_data_avail
drivers/parport/ieee1284.c, 577:
  parport_ieee1284_ack_data_avail in parport_ieee1284_interrupt
./include/linux/parport.h, 474:
  parport_ieee1284_interrupt in parport_generic_irq
drivers/usb/misc/uss720.c, 116:
  parport_generic_irq in async_complete

[FUNC] get_1284_register(GFP_KERNEL)
drivers/usb/misc/uss720.c, 382:
  get_1284_register in parport_uss720_read_status
drivers/parport/ieee1284.c, 555:
  [FUNC_PTR]parport_uss720_read_status in parport_ieee1284_ack_data_avail
drivers/parport/ieee1284.c, 577:
  parport_ieee1284_ack_data_avail in parport_ieee1284_interrupt
./include/linux/parport.h, 474:
  parport_ieee1284_interrupt in parport_generic_irq
drivers/usb/misc/uss720.c, 116:
  parport_generic_irq in async_complete

Note that [FUNC_PTR] means a function pointer call is used.

To fix these bugs, GFP_KERNEL is replaced with GFP_ATOMIC.

These bugs are found by my static analysis tool DSAC.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: io_ti: fix array underflow in completion handler

commit 691a03cfe8ca483f9c48153b869d354e4ae3abef upstream.

As reported by Dan Carpenter, a malicious USB device could set
port_number to a negative value and we would underflow the port array in
the interrupt completion handler.

As these devices only have one or two ports, fix this by making sure we
only consider the seventh bit when determining the port number (and
ignore bits 0xb0 which are typically set to 0x30).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>