1. 24 Mar, 2018 40 commits
    • Leon Romanovsky's avatar
      RDMA/ucma: Fix access to non-initialized CM_ID object · 0211db68
      Leon Romanovsky authored
      commit 7688f2c3 upstream.
      
      The attempt to join multicast group without ensuring that CMA device
      exists will lead to the following crash reported by syzkaller.
      
      [   64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0
      [   64.076797] Read of size 8 at addr 00000000000000b0 by task join/691
      [   64.076797]
      [   64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23
      [   64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
      [   64.076803] Call Trace:
      [   64.076809]  dump_stack+0x5c/0x77
      [   64.076817]  kasan_report+0x163/0x380
      [   64.085859]  ? rdma_join_multicast+0x26e/0x12c0
      [   64.086634]  rdma_join_multicast+0x26e/0x12c0
      [   64.087370]  ? rdma_disconnect+0xf0/0xf0
      [   64.088579]  ? __radix_tree_replace+0xc3/0x110
      [   64.089132]  ? node_tag_clear+0x81/0xb0
      [   64.089606]  ? idr_alloc_u32+0x12e/0x1a0
      [   64.090517]  ? __fprop_inc_percpu_max+0x150/0x150
      [   64.091768]  ? tracing_record_taskinfo+0x10/0xc0
      [   64.092340]  ? idr_alloc+0x76/0xc0
      [   64.092951]  ? idr_alloc_u32+0x1a0/0x1a0
      [   64.093632]  ? ucma_process_join+0x23d/0x460
      [   64.094510]  ucma_process_join+0x23d/0x460
      [   64.095199]  ? ucma_migrate_id+0x440/0x440
      [   64.095696]  ? futex_wake+0x10b/0x2a0
      [   64.096159]  ucma_join_multicast+0x88/0xe0
      [   64.096660]  ? ucma_process_join+0x460/0x460
      [   64.097540]  ? _copy_from_user+0x5e/0x90
      [   64.098017]  ucma_write+0x174/0x1f0
      [   64.098640]  ? ucma_resolve_route+0xf0/0xf0
      [   64.099343]  ? rb_erase_cached+0x6c7/0x7f0
      [   64.099839]  __vfs_write+0xc4/0x350
      [   64.100622]  ? perf_syscall_enter+0xe4/0x5f0
      [   64.101335]  ? kernel_read+0xa0/0xa0
      [   64.103525]  ? perf_sched_cb_inc+0xc0/0xc0
      [   64.105510]  ? syscall_exit_register+0x2a0/0x2a0
      [   64.107359]  ? __switch_to+0x351/0x640
      [   64.109285]  ? fsnotify+0x899/0x8f0
      [   64.111610]  ? fsnotify_unmount_inodes+0x170/0x170
      [   64.113876]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   64.115813]  ? ring_buffer_record_is_on+0xd/0x20
      [   64.117824]  ? __fget+0xa8/0xf0
      [   64.119869]  vfs_write+0xf7/0x280
      [   64.122001]  SyS_write+0xa1/0x120
      [   64.124213]  ? SyS_read+0x120/0x120
      [   64.126644]  ? SyS_read+0x120/0x120
      [   64.128563]  do_syscall_64+0xeb/0x250
      [   64.130732]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   64.132984] RIP: 0033:0x7f5c994ade99
      [   64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [   64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
      [   64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
      [   64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
      [   64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
      [   64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
      [   64.151060]
      [   64.153703] Disabling lock debugging due to kernel taint
      [   64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
      [   64.159066] IP: rdma_join_multicast+0x26e/0x12c0
      [   64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0
      [   64.164442] Oops: 0000 [#1] SMP KASAN PTI
      [   64.166817] CPU: 1 PID: 691 Comm: join Tainted: G    B 4.16.0-rc1-00219-gb97853b65b93 #23
      [   64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
      [   64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0
      [   64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282
      [   64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522
      [   64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297
      [   64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7
      [   64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000
      [   64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400
      [   64.196105] FS:  00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
      [   64.199211] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0
      [   64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   64.211554] Call Trace:
      [   64.213464]  ? rdma_disconnect+0xf0/0xf0
      [   64.216124]  ? __radix_tree_replace+0xc3/0x110
      [   64.219337]  ? node_tag_clear+0x81/0xb0
      [   64.222140]  ? idr_alloc_u32+0x12e/0x1a0
      [   64.224422]  ? __fprop_inc_percpu_max+0x150/0x150
      [   64.226588]  ? tracing_record_taskinfo+0x10/0xc0
      [   64.229763]  ? idr_alloc+0x76/0xc0
      [   64.232186]  ? idr_alloc_u32+0x1a0/0x1a0
      [   64.234505]  ? ucma_process_join+0x23d/0x460
      [   64.237024]  ucma_process_join+0x23d/0x460
      [   64.240076]  ? ucma_migrate_id+0x440/0x440
      [   64.243284]  ? futex_wake+0x10b/0x2a0
      [   64.245302]  ucma_join_multicast+0x88/0xe0
      [   64.247783]  ? ucma_process_join+0x460/0x460
      [   64.250841]  ? _copy_from_user+0x5e/0x90
      [   64.253878]  ucma_write+0x174/0x1f0
      [   64.257008]  ? ucma_resolve_route+0xf0/0xf0
      [   64.259877]  ? rb_erase_cached+0x6c7/0x7f0
      [   64.262746]  __vfs_write+0xc4/0x350
      [   64.265537]  ? perf_syscall_enter+0xe4/0x5f0
      [   64.267792]  ? kernel_read+0xa0/0xa0
      [   64.270358]  ? perf_sched_cb_inc+0xc0/0xc0
      [   64.272575]  ? syscall_exit_register+0x2a0/0x2a0
      [   64.275367]  ? __switch_to+0x351/0x640
      [   64.277700]  ? fsnotify+0x899/0x8f0
      [   64.280530]  ? fsnotify_unmount_inodes+0x170/0x170
      [   64.283156]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   64.286182]  ? ring_buffer_record_is_on+0xd/0x20
      [   64.288749]  ? __fget+0xa8/0xf0
      [   64.291136]  vfs_write+0xf7/0x280
      [   64.292972]  SyS_write+0xa1/0x120
      [   64.294965]  ? SyS_read+0x120/0x120
      [   64.297474]  ? SyS_read+0x120/0x120
      [   64.299751]  do_syscall_64+0xeb/0x250
      [   64.301826]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   64.304352] RIP: 0033:0x7f5c994ade99
      [   64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [   64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
      [   64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
      [   64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
      [   64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
      [   64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
      [   64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8
      [   64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860
      [   64.332979] CR2: 00000000000000b0
      [   64.335550] ---[ end trace 0c00c17a408849c1 ]---
      
      Reported-by: <syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com>
      Fixes: c8f6a362 ("RDMA/cma: Add multicast communication support")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0211db68
    • Vignesh R's avatar
      dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 · 09b69e6f
      Vignesh R authored
      
      [ Upstream commit d087f157 ]
      
      Register layout of a typical TPCC_EVT_MUX_M_N register is such that the
      lowest numbered event is at the lowest byte address and highest numbered
      event at highest byte address. But TPCC_EVT_MUX_60_63 register layout is
      different,  in that the lowest numbered event is at the highest address
      and highest numbered event is at the lowest address. Therefore, modify
      ti_am335x_xbar_write() to handle TPCC_EVT_MUX_60_63 register
      accordingly.
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09b69e6f
    • Sergej Sawazki's avatar
      clk: si5351: Rename internal plls to avoid name collisions · f6749758
      Sergej Sawazki authored
      
      [ Upstream commit cdba9a4f ]
      
      This drivers probe fails due to a clock name collision if a clock named
      'plla' or 'pllb' is already registered when registering this drivers
      internal plls.
      
      Fix it by renaming internal plls to avoid name collisions.
      
      Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
      Cc: Rabeeh Khoury <rabeeh@solid-run.com>
      Signed-off-by: default avatarSergej Sawazki <sergej@taudac.com>
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6749758
    • Benjamin Coddington's avatar
      nfsd4: permit layoutget of executable-only files · 5c503ff4
      Benjamin Coddington authored
      
      [ Upstream commit 66282ec1 ]
      
      Clients must be able to read a file in order to execute it, and for pNFS
      that means the client needs to be able to perform a LAYOUTGET on the file.
      
      This behavior for executable-only files was added for OPEN in commit
      a043226b "nfsd4: permit read opens of executable-only files".
      
      This fixes up xfstests generic/126 on block/scsi layouts.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c503ff4
    • Anton Vasilyev's avatar
      RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS · 9bf0b8a6
      Anton Vasilyev authored
      
      [ Upstream commit 74482086 ]
      
      Debugfs file reset_stats is created with S_IRUSR permissions,
      but ocrdma_dbgfs_ops_read() doesn't support OCRDMA_RESET_STATS,
      whereas ocrdma_dbgfs_ops_write() supports only OCRDMA_RESET_STATS.
      
      The patch fixes misstype with permissions.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAnton Vasilyev <vasilyev@ispras.ru>
      Acked-by: default avatarSelvin Xavier <selvin.xavier@broadcom.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9bf0b8a6
    • Alexey Kodanev's avatar
      ip6_vti: adjust vti mtu according to mtu of lower device · 2fe832c6
      Alexey Kodanev authored
      
      [ Upstream commit 53c81e95 ]
      
      LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams over
      ip6_vti that require fragmentation and the underlying device has an
      MTU smaller than 1500 plus some extra space for headers. This happens
      because ip6_vti, by default, sets MTU to ETH_DATA_LEN and not updating
      it depending on a destination address or link parameter. Further
      attempts to send UDP packets may succeed because pmtu gets updated on
      ICMPV6_PKT_TOOBIG in vti6_err().
      
      In case the lower device has larger MTU size, e.g. 9000, ip6_vti works
      but not using the possible maximum size, output packets have 1500 limit.
      
      The above cases require manual MTU setup after ip6_vti creation. However
      ip_vti already updates MTU based on lower device with ip_tunnel_bind_dev().
      
      Here is the example when the lower device MTU is set to 9000:
      
        # ip a sh ltp_ns_veth2
            ltp_ns_veth2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 ...
              inet 10.0.0.2/24 scope global ltp_ns_veth2
              inet6 fd00::2/64 scope global
      
        # ip li add vti6 type vti6 local fd00::2 remote fd00::1
        # ip li show vti6
            vti6@NONE: <POINTOPOINT,NOARP> mtu 1500 ...
              link/tunnel6 fd00::2 peer fd00::1
      
      After the patch:
        # ip li add vti6 type vti6 local fd00::2 remote fd00::1
        # ip li show vti6
            vti6@NONE: <POINTOPOINT,NOARP> mtu 8832 ...
              link/tunnel6 fd00::2 peer fd00::1
      Reported-by: default avatarPetr Vorel <pvorel@suse.cz>
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fe832c6
    • Jerry Snitselaar's avatar
      iommu/vt-d: clean up pr_irq if request_threaded_irq fails · fb4ff6c7
      Jerry Snitselaar authored
      
      [ Upstream commit 72d54811 ]
      
      It is unlikely request_threaded_irq will fail, but if it does for some
      reason we should clear iommu->pr_irq in the error path. Also
      intel_svm_finish_prq shouldn't try to clean up the page request
      interrupt if pr_irq is 0. Without these, if request_threaded_irq were
      to fail the following occurs:
      
      fail with no fixes:
      
      [    0.683147] ------------[ cut here ]------------
      [    0.683148] NULL pointer, cannot free irq
      [    0.683158] WARNING: CPU: 1 PID: 1 at kernel/irq/irqdomain.c:1632 irq_domain_free_irqs+0x126/0x140
      [    0.683160] Modules linked in:
      [    0.683163] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #3
      [    0.683165] Hardware name:                  /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017
      [    0.683168] RIP: 0010:irq_domain_free_irqs+0x126/0x140
      [    0.683169] RSP: 0000:ffffc90000037ce8 EFLAGS: 00010292
      [    0.683171] RAX: 000000000000001d RBX: ffff880276283c00 RCX: ffffffff81c5e5e8
      [    0.683172] RDX: 0000000000000001 RSI: 0000000000000096 RDI: 0000000000000246
      [    0.683174] RBP: ffff880276283c00 R08: 0000000000000000 R09: 000000000000023c
      [    0.683175] R10: 0000000000000007 R11: 0000000000000000 R12: 000000000000007a
      [    0.683176] R13: 0000000000000001 R14: 0000000000000000 R15: 0000010010000000
      [    0.683178] FS:  0000000000000000(0000) GS:ffff88027ec80000(0000) knlGS:0000000000000000
      [    0.683180] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    0.683181] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0
      [    0.683182] Call Trace:
      [    0.683189]  intel_svm_finish_prq+0x3c/0x60
      [    0.683191]  free_dmar_iommu+0x1ac/0x1b0
      [    0.683195]  init_dmars+0xaaa/0xaea
      [    0.683200]  ? klist_next+0x19/0xc0
      [    0.683203]  ? pci_do_find_bus+0x50/0x50
      [    0.683205]  ? pci_get_dev_by_id+0x52/0x70
      [    0.683208]  intel_iommu_init+0x498/0x5c7
      [    0.683211]  pci_iommu_init+0x13/0x3c
      [    0.683214]  ? e820__memblock_setup+0x61/0x61
      [    0.683217]  do_one_initcall+0x4d/0x1a0
      [    0.683220]  kernel_init_freeable+0x186/0x20e
      [    0.683222]  ? set_debug_rodata+0x11/0x11
      [    0.683225]  ? rest_init+0xb0/0xb0
      [    0.683226]  kernel_init+0xa/0xff
      [    0.683229]  ret_from_fork+0x1f/0x30
      [    0.683259] Code: 89 ee 44 89 e7 e8 3b e8 ff ff 5b 5d 44 89 e7 44 89 ee 41 5c 41 5d 41 5e e9 a8 84 ff ff 48 c7 c7 a8 71 a7 81 31 c0 e8 6a d3 f9 ff <0f> ff 5b 5d 41 5c 41 5d 41 5
      e c3 0f 1f 44 00 00 66 2e 0f 1f 84
      [    0.683285] ---[ end trace f7650e42792627ca ]---
      
      with iommu->pr_irq = 0, but no check in intel_svm_finish_prq:
      
      [    0.669561] ------------[ cut here ]------------
      [    0.669563] Trying to free already-free IRQ 0
      [    0.669573] WARNING: CPU: 3 PID: 1 at kernel/irq/manage.c:1546 __free_irq+0xa4/0x2c0
      [    0.669574] Modules linked in:
      [    0.669577] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #4
      [    0.669579] Hardware name:                  /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017
      [    0.669581] RIP: 0010:__free_irq+0xa4/0x2c0
      [    0.669582] RSP: 0000:ffffc90000037cc0 EFLAGS: 00010082
      [    0.669584] RAX: 0000000000000021 RBX: 0000000000000000 RCX: ffffffff81c5e5e8
      [    0.669585] RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000046
      [    0.669587] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000023c
      [    0.669588] R10: 0000000000000007 R11: 0000000000000000 R12: ffff880276253960
      [    0.669589] R13: ffff8802762538a4 R14: ffff880276253800 R15: ffff880276283600
      [    0.669593] FS:  0000000000000000(0000) GS:ffff88027ed80000(0000) knlGS:0000000000000000
      [    0.669594] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    0.669596] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0
      [    0.669602] Call Trace:
      [    0.669616]  free_irq+0x30/0x60
      [    0.669620]  intel_svm_finish_prq+0x34/0x60
      [    0.669623]  free_dmar_iommu+0x1ac/0x1b0
      [    0.669627]  init_dmars+0xaaa/0xaea
      [    0.669631]  ? klist_next+0x19/0xc0
      [    0.669634]  ? pci_do_find_bus+0x50/0x50
      [    0.669637]  ? pci_get_dev_by_id+0x52/0x70
      [    0.669639]  intel_iommu_init+0x498/0x5c7
      [    0.669642]  pci_iommu_init+0x13/0x3c
      [    0.669645]  ? e820__memblock_setup+0x61/0x61
      [    0.669648]  do_one_initcall+0x4d/0x1a0
      [    0.669651]  kernel_init_freeable+0x186/0x20e
      [    0.669653]  ? set_debug_rodata+0x11/0x11
      [    0.669656]  ? rest_init+0xb0/0xb0
      [    0.669658]  kernel_init+0xa/0xff
      [    0.669661]  ret_from_fork+0x1f/0x30
      [    0.669662] Code: 7a 08 75 0e e9 c3 01 00 00 4c 39 7b 08 74 57 48 89 da 48 8b 5a 18 48 85 db 75 ee 89 ee 48 c7 c7 78 67 a7 81 31 c0 e8 4c 37 fa ff <0f> ff 48 8b 34 24 4c 89 ef e
      8 0e 4c 68 00 49 8b 46 40 48 8b 80
      [    0.669688] ---[ end trace 58a470248700f2fc ]---
      
      Cc: Alex Williamson <alex.williamson@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Ashok Raj <ashok.raj@intel.com>
      Signed-off-by: default avatarJerry Snitselaar <jsnitsel@redhat.com>
      Reviewed-by: default avatarAshok Raj <ashok.raj@intel.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb4ff6c7
    • Florian Fainelli's avatar
      pinctrl: Really force states during suspend/resume · 3f0ad8ee
      Florian Fainelli authored
      
      [ Upstream commit 981ed1bf ]
      
      In case a platform only defaults a "default" set of pins, but not a
      "sleep" set of pins, and this particular platform suspends and resumes
      in a way that the pin states are not preserved by the hardware, when we
      resume, we would call pinctrl_single_resume() -> pinctrl_force_default()
      -> pinctrl_select_state() and the first thing we do is check that the
      pins state is the same as before, and do nothing.
      
      In order to fix this, decouple the actual state change from
      pinctrl_select_state() and move it pinctrl_commit_state(), while keeping
      the p->state == state check in pinctrl_select_state() not to change the
      caller assumptions. pinctrl_force_sleep() and pinctrl_force_default()
      are updated to bypass the state check by calling pinctrl_commit_state().
      
      [Linus Walleij]
      The forced pin control states are currently only used in some pin
      controller drivers that grab their own reference to their own pins.
      This is equal to the pin control hogs: pins taken by pin control
      devices since there are no corresponding device in the Linux device
      hierarchy, such as memory controller lines or unused GPIO lines,
      or GPIO lines that are used orthogonally from the GPIO subsystem
      but pincontrol-wise managed as hogs (non-strict mode, allowing
      simultaneous use by GPIO and pin control). For this case forcing
      the state from the drivers' suspend()/resume() callbacks makes
      sense and should semantically match the name of the function.
      
      Fixes: 6e5e959d ("pinctrl: API changes to support multiple states per device")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f0ad8ee
    • Robert Walker's avatar
      coresight: Fix disabling of CoreSight TPIU · b153ad5f
      Robert Walker authored
      
      [ Upstream commit 11595db8 ]
      
      The CoreSight TPIU should be disabled when tracing to other sinks to allow
      them to operate at full bandwidth.
      
      This patch fixes tpiu_disable_hw() to correctly disable the TPIU by
      configuring the TPIU to stop on flush, initiating a manual flush, waiting
      for the flush to complete and then waits for the TPIU to indicate it has
      stopped.
      Signed-off-by: default avatarRobert Walker <robert.walker@arm.com>
      Tested-by: default avatarMike Leach <mike.leach@linaro.org>
      Signed-off-by: default avatarMathieu Poirier <mathieu.poirier@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b153ad5f
    • Sahara's avatar
      pty: cancel pty slave port buf's work in tty_release · d06bff35
      Sahara authored
      
      [ Upstream commit 2b022ab7 ]
      
      In case that CONFIG_SLUB_DEBUG is on and pty is used, races between
      release_one_tty and flush_to_ldisc work threads may happen and lead
      to use-after-free condition on tty->link->port. Because SLUB_DEBUG
      is turned on, freed tty->link->port is filled with POISON_FREE value.
      So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc
      could return without a problem by checking if tty is NULL.
      
      CPU 0                                 CPU 1
      -----                                 -----
      release_tty                           pty_write
         cancel_work_sync(tty)                 to = tty->link
         tty_kref_put(tty->link)               tty_schedule_flip(to->port)
            << workqueue >>                 ...
            release_one_tty                 ...
               pty_cleanup                  ...
                  kfree(tty->link->port)       << workqueue >>
                                               flush_to_ldisc
                                                  tty = READ_ONCE(port->itty)
                                                  tty is 0x6b6b6b6b6b6b6b6b
                                                  !!PANIC!! access tty->ldisc
      
       Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93
       pgd = ffffffc0eb1c3000
       [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000
       ------------[ cut here ]------------
       Kernel BUG at ffffff800851154c [verbose debug info unavailable]
       Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
       CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G        W 3.18.31-g0a58eeb #1
       Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT)
       Workqueue: events_unbound flush_to_ldisc
       task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000
       PC is at ldsem_down_read_trylock+0x0/0x4c
       LR is at tty_ldisc_ref+0x24/0x4c
       pc : [<ffffff800851154c>] lr : [<ffffff800850f6c0>] pstate: 80400145
       sp : ffffffc0ed627cd0
       x29: ffffffc0ed627cd0 x28: 0000000000000000
       x27: ffffff8009e05000 x26: ffffffc0d382cfa0
       x25: 0000000000000000 x24: ffffff800a012f08
       x23: 0000000000000000 x22: ffffffc0703fbc88
       x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93
       x19: 0000000000000000 x18: 0000000000000001
       x17: 00e80000f80d6f53 x16: 0000000000000001
       x15: 0000007f7d826fff x14: 00000000000000a0
       x13: 0000000000000000 x12: 0000000000000109
       x11: 0000000000000000 x10: 0000000000000000
       x9 : ffffffc0ed624000 x8 : ffffffc0ed611580
       x7 : 0000000000000000 x6 : ffffff800a42e000
       x5 : 00000000000003fc x4 : 0000000003bd1201
       x3 : 0000000000000001 x2 : 0000000000000001
       x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93
      Signed-off-by: default avatarSahara <keun-o.park@darkmatter.ae>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d06bff35
    • Peter Ujfalusi's avatar
      drm/omap: DMM: Check for DMM readiness after successful transaction commit · 029c2cfd
      Peter Ujfalusi authored
      
      [ Upstream commit b7ea6b28 ]
      
      Check the status of the DMM engine after it is reported that the
      transaction was completed as in rare cases the engine might not reached a
      working state.
      
      The wait_status() will print information in case the DMM is not reached the
      expected state and the dmm_txn_commit() will return with an error code to
      make sure that we are not continuing with a broken setup.
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      029c2cfd
    • Bjorn Helgaas's avatar
      vgacon: Set VGA struct resource types · aeea6c64
      Bjorn Helgaas authored
      
      [ Upstream commit c8208411 ]
      
      Set the resource type when we reserve VGA-related I/O port resources.
      
      The resource code doesn't actually look at the type, so it inserts
      resources without a type in the tree correctly even without this change.
      But if we ever print a resource without a type, it looks like this:
      
        vga+ [??? 0x000003c0-0x000003df flags 0x0]
      
      Setting the type means it will be printed correctly as:
      
        vga+ [io  0x000003c0-0x000003df]
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aeea6c64
    • Artemy Kovalyov's avatar
      IB/umem: Fix use of npages/nmap fields · 5af22f14
      Artemy Kovalyov authored
      
      [ Upstream commit edf1a84f ]
      
      In ib_umem structure npages holds original number of sg entries, while
      nmap is number of DMA blocks returned by dma_map_sg.
      
      Fixes: c5d76f13 ('IB/core: Add umem function to read data from user-space')
      Signed-off-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5af22f14
    • Parav Pandit's avatar
      RDMA/cma: Use correct size when writing netlink stats · 99ee9243
      Parav Pandit authored
      
      [ Upstream commit 7baaa49a ]
      
      The code was using the src size when formatting the dst. They are almost
      certainly the same value but it reads wrong.
      
      Fixes: ce117ffa ("RDMA/cma: Export AF_IB statistics")
      Signed-off-by: default avatarParav Pandit <parav@mellanox.com>
      Reviewed-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99ee9243
    • Erez Shitrit's avatar
      IB/ipoib: Avoid memory leak if the SA returns a different DGID · 64e3d455
      Erez Shitrit authored
      
      [ Upstream commit 43900089 ]
      
      The ipoib path database is organized around DGIDs from the LLADDR, but the
      SA is free to return a different GID when asked for path. This causes a
      bug because the SA's modified DGID is copied into the database key, even
      though it is no longer the correct lookup key, causing a memory leak and
      other malfunctions.
      
      Ensure the database key does not change after the SA query completes.
      
      Demonstration of the bug is as  follows
      ipoib wants to send to GID fe80:0000:0000:0000:0002:c903:00ef:5ee2, it
      creates new record in the DB with that gid as a key, and issues a new
      request to the SM.
      Now, the SM from some reason returns path-record with other SGID (for
      example, 2001:0000:0000:0000:0002:c903:00ef:5ee2 that contains the local
      subnet prefix) now ipoib will overwrite the current entry with the new
      one, and if new request to the original GID arrives ipoib  will not find
      it in the DB (was overwritten) and will create new record that in its
      turn will also be overwritten by the response from the SM, and so on
      till the driver eats all the device memory.
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64e3d455
    • Daniel Drake's avatar
      mmc: avoid removing non-removable hosts during suspend · 3ed000cd
      Daniel Drake authored
      
      [ Upstream commit de8dcc3d ]
      
      The Weibu F3C MiniPC has an onboard AP6255 module, presenting
      two SDIO functions on a single MMC host (Bluetooth/btsdio and
      WiFi/brcmfmac), and the mmc layer correctly detects this as
      non-removable.
      
      After suspend/resume, the wifi and bluetooth interfaces disappear
      and do not get probed again.
      
      The conditions here are:
      
       1. During suspend, we reach mmc_pm_notify()
      
       2. mmc_pm_notify() calls mmc_sdio_pre_suspend() to see if we can
          suspend the SDIO host. However, mmc_sdio_pre_suspend() returns
          -ENOSYS because btsdio_driver does not have a suspend method.
      
       3. mmc_pm_notify() proceeds to remove the card
      
       4. Upon resume, mmc_rescan() does nothing with this host, because of
          the rescan_entered check which aims to only scan a non-removable
          device a single time (i.e. during boot).
      
      Fix the loss of functionality by detecting that we are unable to
      suspend a non-removable host, so avoid the forced removal in that
      case. The comment above this function already indicates that this
      code was only intended for removable devices.
      Signed-off-by: default avatarDaniel Drake <drake@endlessm.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ed000cd
    • Shawn Nematbakhsh's avatar
      platform/chrome: Use proper protocol transfer function · df9d1861
      Shawn Nematbakhsh authored
      
      [ Upstream commit d48b8c58 ]
      
      pkt_xfer should be used for protocol v3, and cmd_xfer otherwise. We had
      one instance of these functions correct, but not the second, fall-back
      case. We use the fall-back only when the first command returns an
      IN_PROGRESS status, which is only used on some EC firmwares where we
      don't want to constantly poll the bus, but instead back off and
      sleep/retry for a little while.
      
      Fixes: 2c7589af ("mfd: cros_ec: add proto v3 skeleton")
      Signed-off-by: default avatarShawn Nematbakhsh <shawnn@chromium.org>
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Reviewed-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Signed-off-by: default avatarBenson Leung <bleung@chromium.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df9d1861
    • Arnd Bergmann's avatar
      cros_ec: fix nul-termination for firmware build info · bcde6355
      Arnd Bergmann authored
      
      [ Upstream commit 50a0d71a ]
      
      As gcc-8 reports, we zero out the wrong byte:
      
      drivers/platform/chrome/cros_ec_sysfs.c: In function 'show_ec_version':
      drivers/platform/chrome/cros_ec_sysfs.c:190:12: error: array subscript 4294967295 is above array bounds of 'uint8_t[]' [-Werror=array-bounds]
      
      This changes the code back to what it did before changing to a
      zero-length array structure.
      
      Fixes: a8411784 ("mfd: cros_ec: Use a zero-length array for command data")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarBenson Leung <bleung@chromium.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcde6355
    • Ron Economos's avatar
      media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart · 17a660a3
      Ron Economos authored
      
      [ Upstream commit 380a6c86 ]
      
      On faster CPUs a delay is required after the resume command and the restart command. Without the delay, the restart command often returns -EREMOTEIO and the Si2168 does not restart.
      
      Note that this patch fixes the same issue as https://patchwork.linuxtv.org/patch/44304/, but I believe my udelay() fix addresses the actual problem.
      Signed-off-by: default avatarRon Economos <w6rz@comcast.net>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17a660a3
    • Christophe JAILLET's avatar
      media: bt8xx: Fix err 'bt878_probe()' · 3e99ac9c
      Christophe JAILLET authored
      
      [ Upstream commit 45392ff6 ]
      
      This is odd to call 'pci_disable_device()' in an error path before a
      coresponding successful 'pci_enable_device()'.
      
      Return directly instead.
      
      Fixes: 77e0be12 ("V4L/DVB (4176): Bug-fix: Fix memory overflow")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e99ac9c
    • Tsang-Shian Lin's avatar
      rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. · f5ef6dc4
      Tsang-Shian Lin authored
      
      [ Upstream commit b7573a0a ]
      
      Reset the driver current tx read/write index to zero when inactiveps
      nic out of sync with HW state. Wrong driver tx read/write index will
      cause Tx fail.
      Signed-off-by: default avatarTsang-Shian Lin <thlin@realtek.com>
      Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Yan-Hsuan Chuang <yhchuang@realtek.com>
      Cc: Birming Chiu <birming@realtek.com>
      Cc: Shaofu <shaofu@realtek.com>
      Cc: Steven Ting <steventing@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5ef6dc4
    • Geert Uytterhoeven's avatar
      RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() · 84df9b2a
      Geert Uytterhoeven authored
      
      [ Upstream commit 302d6424 ]
      
      With gcc-4.1.2:
      
          drivers/infiniband/core/iwpm_util.c: In function ‘iwpm_send_mapinfo’:
          drivers/infiniband/core/iwpm_util.c:647: warning: ‘ret’ may be used uninitialized in this function
      
      Indeed, if nl_client is not found in any of the scanned has buckets, ret
      will be used uninitialized.
      
      Preinitialize ret to -EINVAL to fix this.
      
      Fixes: 30dc5e63 ("RDMA/core: Add support for iWARP Port Mapper user space service")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Reviewed-by: default avatarTatyana Nikolova <tatyana.e.nikolova@intel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84df9b2a
    • Prakash Kamliya's avatar
      drm/msm: fix leak in failed get_pages · c1b1c1af
      Prakash Kamliya authored
      
      [ Upstream commit 62e3a3e3 ]
      
      get_pages doesn't keep a reference of the pages allocated
      when it fails later in the code path. This can lead to
      a memory leak. Keep reference of the allocated pages so
      that it can be freed when msm_gem_free_object gets called
      later during cleanup.
      Signed-off-by: default avatarPrakash Kamliya <pkamliya@codeaurora.org>
      Signed-off-by: default avatarSharat Masetty <smasetty@codeaurora.org>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1b1c1af
    • Gustavo A. R. Silva's avatar
      media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt · 710460e7
      Gustavo A. R. Silva authored
      
      [ Upstream commit baed3c4b ]
      
      _channel_ is being dereferenced before it is null checked, hence there is a
      potential null pointer dereference. Fix this by moving the pointer dereference
      after _channel_ has been null checked.
      
      This issue was detected with the help of Coccinelle.
      
      Fixes: c5f5d0f9 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
      Signed-off-by: default avatarGustavo A. R. Silva <garsilva@embeddedor.com>
      Acked-by: default avatarPatrice Chotard <patrice.chotard@st.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      710460e7
    • Loic Poulain's avatar
      Bluetooth: hci_qca: Avoid setup failure on missing rampatch · 557607d9
      Loic Poulain authored
      
      [ Upstream commit ba8f3597 ]
      
      Assuming that the original code idea was to enable in-band sleeping
      only if the setup_rome method returns succes and run in 'standard'
      mode otherwise, we should not return setup_rome return value which
      makes qca_setup fail if no rampatch/nvm file found.
      
      This fixes BT issue on the dragonboard-820C p4 which includes the
      following QCA controller:
      hci0: Product:0x00000008
      hci0: Patch  :0x00000111
      hci0: ROM    :0x00000302
      hci0: SOC    :0x00000044
      
      Since there is no rampatch for this controller revision, just make
      it work as is.
      Signed-off-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      557607d9
    • Kim Phillips's avatar
      perf tests kmod-path: Don't fail if compressed modules aren't supported · 519d2962
      Kim Phillips authored
      
      [ Upstream commit 805b151a ]
      
      __kmod_path__parse() uses is_supported_compression() to determine and
      parse out compressed module file extensions.  On systems without zlib,
      this test fails and __kmod_path__parse() continues to strcmp "ko" with
      "gz".  Don't do this on those systems.
      Signed-off-by: default avatarKim Phillips <kim.phillips@arm.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Fixes: 3c8a67f5 ("perf tools: Add kmod_path__parse function")
      Link: http://lkml.kernel.org/r/20170503131402.c66e314460026c80cd787b34@arm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      519d2962
    • Moritz Fischer's avatar
      rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL · 2e483c87
      Moritz Fischer authored
      
      [ Upstream commit 538c08f4 ]
      
      The WDIOC_SETOPTIONS case in the watchdog ioctl would alwayss falls
      through to the -EINVAL case. This is wrong since thew watchdog does
      actually get stopped or started correctly.
      
      Fixes: 920f91e5 ("drivers/rtc/rtc-ds1374.c: add watchdog support")
      Signed-off-by: default avatarMoritz Fischer <mdf@kernel.org>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e483c87
    • Moritz Fischer's avatar
      rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks · f20cb85e
      Moritz Fischer authored
      
      [ Upstream commit 453d0744 ]
      
      The issue is that the internal counter that triggers the watchdog reset
      is actually running at 4096 Hz instead of 1Hz, therefore the value
      given by userland (in sec) needs to be multiplied by 4096 to get the
      correct behavior.
      
      Fixes: 920f91e5 ("drivers/rtc/rtc-ds1374.c: add watchdog support")
      Signed-off-by: default avatarMoritz Fischer <mdf@kernel.org>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f20cb85e
    • Dan Carpenter's avatar
      cifs: small underflow in cnvrtDosUnixTm() · 8a584633
      Dan Carpenter authored
      
      [ Upstream commit 564277ec ]
      
      January is month 1.  There is no zero-th month.  If someone passes a
      zero month then it means we read from one space before the start of the
      total_days_of_prev_months[] array.
      
      We may as well also be strict about days as well.
      
      Fixes: 1bd5bbcb ("[CIFS] Legacy time handling for Win9x and OS/2 part 1")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a584633
    • Timmy Li's avatar
      net: hns: fix ethtool_get_strings overflow in hns driver · 7d710009
      Timmy Li authored
      
      [ Upstream commit 412b65d1 ]
      
      hns_get_sset_count() returns HNS_NET_STATS_CNT and the data space allocated
      is not enough for ethtool_get_strings(), which will cause random memory
      corruption.
      
      When SLAB and DEBUG_SLAB are both enabled, memory corruptions like the
      the following can be observed without this patch:
      [   43.115200] Slab corruption (Not tainted): Acpi-ParseExt start=ffff801fb0b69030, len=80
      [   43.115206] Redzone: 0x9f911029d006462/0x5f78745f31657070.
      [   43.115208] Last user: [<5f7272655f746b70>](0x5f7272655f746b70)
      [   43.115214] 010: 70 70 65 31 5f 74 78 5f 70 6b 74 00 6b 6b 6b 6b  ppe1_tx_pkt.kkkk
      [   43.115217] 030: 70 70 65 31 5f 74 78 5f 70 6b 74 5f 6f 6b 00 6b  ppe1_tx_pkt_ok.k
      [   43.115218] Next obj: start=ffff801fb0b69098, len=80
      [   43.115220] Redzone: 0x706d655f6f666966/0x9f911029d74e35b.
      [   43.115229] Last user: [<ffff0000084b11b0>](acpi_os_release_object+0x28/0x38)
      [   43.115231] 000: 74 79 00 6b 6b 6b 6b 6b 70 70 65 31 5f 74 78 5f  ty.kkkkkppe1_tx_
      [   43.115232] 010: 70 6b 74 5f 65 72 72 5f 63 73 75 6d 5f 66 61 69  pkt_err_csum_fai
      Signed-off-by: default avatarTimmy Li <lixiaoping3@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d710009
    • Alexey Khoroshilov's avatar
      sm501fb: don't return zero on failure path in sm501fb_start() · 1aca75fc
      Alexey Khoroshilov authored
      
      [ Upstream commit dc85e9a8 ]
      
      If fbmem iomemory mapping failed, sm501fb_start() breaks off
      initialization, deallocates resources, but returns zero.
      As a result, double deallocation can happen in sm501fb_stop().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1aca75fc
    • Maksim Salau's avatar
      video: fbdev: udlfb: Fix buffer on stack · 86fafbe4
      Maksim Salau authored
      
      [ Upstream commit 45f580c4 ]
      
      Allocate buffers on HEAP instead of STACK for local array
      that is to be sent using usb_control_msg().
      Signed-off-by: default avatarMaksim Salau <maksim.salau@gmail.com>
      Cc: Bernie Thompson <bernie@plugable.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86fafbe4
    • Dmitry Monakhov's avatar
      tcm_fileio: Prevent information leak for short reads · 365b680f
      Dmitry Monakhov authored
      
      [ Upstream commit f11b55d1 ]
      
      If we failed to read data from backing file (probably because some one
      truncate file under us), we must zerofill cmd's data, otherwise it will
      be returned as is. Most likely cmd's data are unitialized pages from
      page cache. This result in information leak.
      
      (Change BUG_ON into -EINVAL se_cmd failure - nab)
      
      testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5Signed-off-by: default avatarDmitry Monakhov <dmonakhov@openvz.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      365b680f
    • Sergei Trofimovich's avatar
      ia64: fix module loading for gcc-5.4 · 1125637b
      Sergei Trofimovich authored
      
      [ Upstream commit a25fb850 ]
      
      Starting from gcc-5.4+ gcc generates MLX instructions in more cases to
      refer local symbols:
      
          https://gcc.gnu.org/PR60465
      
      That caused ia64 module loader to choke on such instructions:
      
          fuse: invalid slot number 1 for IMM64
      
      The Linux kernel used to handle only case where relocation pointed to
      slot=2 instruction in the bundle.  That limitation was fixed in linux by
      commit 9c184a07 ("[IA64] Fix 2.6 kernel for the new ia64 assembler")
      See
      
          http://sources.redhat.com/bugzilla/show_bug.cgi?id=1433
      
      This change lifts the slot=2 restriction from the kernel module loader.
      
      Tested on 'fuse' and 'btrfs' kernel modules.
      
      Cc: Markus Elfring <elfring@users.sourceforge.net>
      Cc: H J Lu <hjl.tools@gmail.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Bug: https://bugs.gentoo.org/601014Tested-by: default avatarÉmeric MASCHINO <emeric.maschino@gmail.com>
      Signed-off-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1125637b
    • Shaohua Li's avatar
      md/raid10: skip spare disk as 'first' disk · 0f4e3e9a
      Shaohua Li authored
      
      [ Upstream commit b506335e ]
      
      Commit 6f287ca6(md/raid10: reset the 'first' at the end of loop) ignores
      a case in reshape, the first rdev could be a spare disk, which shouldn't
      be accounted as the first disk since it doesn't include the offset info.
      
      Fix: 6f287ca6(md/raid10: reset the 'first' at the end of loop)
      Cc: Guoqing Jiang <gqjiang@suse.com>
      Cc: NeilBrown <neilb@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f4e3e9a
    • Sebastian Reichel's avatar
      Input: twl4030-pwrbutton - use correct device for irq request · e0da4431
      Sebastian Reichel authored
      
      [ Upstream commit 3071e9dd ]
      
      The interrupt should be requested for the platform device
      and not for the input device.
      
      Fixes: 7f9ce649 ("Input: twl4030-pwrbutton - simplify driver using devm_*")
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0da4431
    • Michael Trimarchi's avatar
      power: supply: pda_power: move from timer to delayed_work · 448de239
      Michael Trimarchi authored
      
      [ Upstream commit 633e8799 ]
      
      This changed is needed to avoid locking problem during
      boot as shown:
      
      <5>[    8.824096] Registering SWP/SWPB emulation handler
      <6>[    8.977294] clock: disabling unused clocks to save power
      <3>[    9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
      <3>[    9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
      <4>[    9.130249] 3 locks held by swapper/0/1:
      <4>[    9.134613]  #0:  (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
      <4>[    9.144500]  #1:  (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
      <4>[    9.154357]  #2:  (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
      <4>[    9.163726] Backtrace:
      <4>[    9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
      <4>[    9.175811]  r6:00203230 r5:0000010d r4:d782e000 r3:60000113
      <4>[    9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
      <4>[    9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
      <4>[    9.201660]  r5:c02d5350 r4:d79a0c64
      <4>[    9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
      <4>[    9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
      <4>[    9.228027]  r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
      <4>[    9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
      <4>[    9.243804]  r5:d782e000 r4:c1767e94
      <4>[    9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
      <4>[    9.257537]  r4:c1767e94 r3:00000002
      <4>[    9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
      <4>[    9.272033]  r4:c1767eb0 r3:00000000
      <4>[    9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
      <4>[    9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
      <4>[    9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
      <4>[    9.303680]  r4:c1194e98 r3:c00bc778
      <4>[    9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
      <4>[    9.316955]  r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
      <4>[    9.324310] r3:c026ba48
      <4>[    9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
      <4>[    9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
      <4>[    9.342041] fc00:                   d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
      <4>[    9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
      <4>[    9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff
      
      Fixes: b2998049 ("[BATTERY] pda_power platform driver")
      Signed-off-by: default avatarMichael Trimarchi <michael@amarulasolutions.com>
      Signed-off-by: default avatarAnthony Brandon <anthony@amarulasolutions.com>
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      448de239
    • Scott Wood's avatar
      bnx2x: Align RX buffers · e10da27a
      Scott Wood authored
      
      [ Upstream commit 9b70de6d ]
      
      The bnx2x driver is not providing proper alignment on the receive buffers it
      passes to build_skb(), causing skb_shared_info to be misaligned.
      skb_shared_info contains an atomic, and while PPC normally supports
      unaligned accesses, it does not support unaligned atomics.
      
      Aligning the size of rx buffers will ensure that page_frag_alloc() returns
      aligned addresses.
      
      This can be reproduced on PPC by setting the network MTU to 1450 (or other
      non-multiple-of-4) and then generating sufficient inbound network traffic
      (one or two large "wget"s usually does it), producing the following oops:
      
      Unable to handle kernel paging request for unaligned access at address 0xc00000ffc43af656
      Faulting instruction address: 0xc00000000080ef8c
      Oops: Kernel access of bad area, sig: 7 [#1]
      SMP NR_CPUS=2048
      NUMA
      PowerNV
      Modules linked in: vmx_crypto powernv_rng rng_core powernv_op_panel leds_powernv led_class nfsd ip_tables x_tables autofs4 xfs lpfc bnx2x mdio libcrc32c crc_t10dif crct10dif_generic crct10dif_common
      CPU: 104 PID: 0 Comm: swapper/104 Not tainted 4.11.0-rc8-00088-g4c761daf #2
      task: c00000ffd4892400 task.stack: c00000ffd4920000
      NIP: c00000000080ef8c LR: c00000000080eee8 CTR: c0000000001f8320
      REGS: c00000ffffc33710 TRAP: 0600   Not tainted  (4.11.0-rc8-00088-g4c761daf)
      MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
        CR: 24082042  XER: 00000000
      CFAR: c00000000080eea0 DAR: c00000ffc43af656 DSISR: 00000000 SOFTE: 1
      GPR00: c000000000907f64 c00000ffffc33990 c000000000dd3b00 c00000ffcaf22100
      GPR04: c00000ffcaf22e00 0000000000000000 0000000000000000 0000000000000000
      GPR08: 0000000000b80008 c00000ffc43af636 c00000ffc43af656 0000000000000000
      GPR12: c0000000001f6f00 c00000000fe1a000 000000000000049f 000000000000c51f
      GPR16: 00000000ffffef33 0000000000000000 0000000000008a43 0000000000000001
      GPR20: c00000ffc58a90c0 0000000000000000 000000000000dd86 0000000000000000
      GPR24: c000007fd0ed10c0 00000000ffffffff 0000000000000158 000000000000014a
      GPR28: c00000ffc43af010 c00000ffc9144000 c00000ffcaf22e00 c00000ffcaf22100
      NIP [c00000000080ef8c] __skb_clone+0xdc/0x140
      LR [c00000000080eee8] __skb_clone+0x38/0x140
      Call Trace:
      [c00000ffffc33990] [c00000000080fb74] skb_clone+0x74/0x110 (unreliable)
      [c00000ffffc339c0] [c000000000907f64] packet_rcv+0x144/0x510
      [c00000ffffc33a40] [c000000000827b64] __netif_receive_skb_core+0x5b4/0xd80
      [c00000ffffc33b00] [c00000000082b2bc] netif_receive_skb_internal+0x2c/0xc0
      [c00000ffffc33b40] [c00000000082c49c] napi_gro_receive+0x11c/0x260
      [c00000ffffc33b80] [d000000066483d68] bnx2x_poll+0xcf8/0x17b0 [bnx2x]
      [c00000ffffc33d00] [c00000000082babc] net_rx_action+0x31c/0x480
      [c00000ffffc33e10] [c0000000000d5a44] __do_softirq+0x164/0x3d0
      [c00000ffffc33f00] [c0000000000d60a8] irq_exit+0x108/0x120
      [c00000ffffc33f20] [c000000000015b98] __do_irq+0x98/0x200
      [c00000ffffc33f90] [c000000000027f14] call_do_irq+0x14/0x24
      [c00000ffd4923a90] [c000000000015d94] do_IRQ+0x94/0x110
      [c00000ffd4923ae0] [c000000000008d90] hardware_interrupt_common+0x150/0x160
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e10da27a
    • Mario Kleiner's avatar
      drm/nouveau/kms: Increase max retries in scanout position queries. · 8fffdba3
      Mario Kleiner authored
      
      [ Upstream commit 60b95d70 ]
      
      So far we only allowed for 1 retry and just failed the query
      - and thereby high precision vblank timestamping - if we did
      not get a reasonable result, as such a failure wasn't considered
      all too horrible. There are a few NVidia gpu models out there which
      may need a bit more than 1 retry to get a successful query result
      under some conditions.
      
      Since Linux 4.4 the update code for vblank counter and timestamp
      in drm_update_vblank_count() changed so that the implementation
      assumes that high precision vblank timestamping of a kms driver
      either consistently succeeds or consistently fails for a given
      video mode and encoder/connector combo. Iow. switching from success
      to fail or vice versa on a modeset or connector change is ok, but
      spurious temporary failure for a given setup can confuse the core
      code and potentially cause bad miscounting of vblanks and confusion
      or hangs in userspace clients which rely on vblank  stuff, e.g.,
      desktop compositors.
      
      Therefore change the max retry count to a larger number - more than
      any gpu so far is known to need to succeed, but still low enough
      so that these queries which do also happen in vblank interrupt are
      still fast enough to be not disastrously long if something would
      go badly wrong with them.
      
      As such sporadic retries only happen seldom even on affected gpu's,
      this could mean a vblank irq could take a few dozen microseconds
      longer every few hours of uptime -- better than a desktop compositor
      randomly hanging every couple of hours or days of uptime in a hard
      to reproduce manner.
      Signed-off-by: default avatarMario Kleiner <mario.kleiner.de@gmail.com>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8fffdba3
    • Hans de Goede's avatar
      ACPI / PMIC: xpower: Fix power_table addresses · fe10e32a
      Hans de Goede authored
      
      [ Upstream commit 2bde7c32 ]
      
      The power table addresses should be contiguous, but there was a hole
      where 0x34 was missing. On most devices this is not a problem as
      addresses above 0x34 are used for the BUC# convertors which are not
      used in the DSDTs I've access to but after the BUC# convertors
      there is a field named GPI1 in the DSTDs, which does get used in some
      cases and ended up turning BUC6 on and off due to the wrong addresses,
      resulting in turning the entire device off (or causing it to reboot).
      
      Removing the hole in the addresses fixes this, fixing one of my
      Bay Trail tablets turning off while booting the mainline kernel.
      
      While at it add comments with the field names used in the DSDTs to
      make it easier to compare the register and bits used at each address
      with the datasheet.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe10e32a