1. 05 Apr, 2019 40 commits
    • Sara Sharon's avatar
      iwlwifi: pcie: fix emergency path · 0fbfca57
      Sara Sharon authored
      [ Upstream commit c6ac9f9f ]
      
      Allocator swaps the pending requests with 0 when it starts
      working. This means that relying on it n RX path to decide if
      to move to emergency is not always a good idea, since it may
      be zero, but there are still a lot of unallocated RBs in the
      system. Change allocator to decrement the pending requests on
      real time. It is more expensive since it accesses the atomic
      variable more times, but it gives the RX path a better idea
      of the system's status.
      Reported-by: default avatarIlan Peer <ilan.peer@intel.com>
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Fixes: 868a1e86 ("iwlwifi: pcie: avoid empty free RB queue")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0fbfca57
    • Michal Kazior's avatar
      leds: lp55xx: fix null deref on firmware load failure · 0affcd54
      Michal Kazior authored
      [ Upstream commit 5ddb0869 ]
      
      I've stumbled upon a kernel crash and the logs
      pointed me towards the lp5562 driver:
      
      > <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2
      > <4>[306013.894990] lp5562 0-0030: Falling back to user helper
      > ...
      > <3>[306073.924886] lp5562 0-0030: firmware request failed
      > <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      > <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58
      > <4>[306074.255539] LR is at release_firmware+0x6c/0x138
      > ...
      
      After taking a look I noticed firmware_release()
      could be called with either NULL or a dangling
      pointer.
      
      Fixes: 10c06d17 ("leds-lp55xx: support firmware interface")
      Signed-off-by: default avatarMichal Kazior <michal@plume.com>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0affcd54
    • Theodore Ts'o's avatar
      jbd2: fix race when writing superblock · 9edb5193
      Theodore Ts'o authored
      [ Upstream commit 538bcaa6 ]
      
      The jbd2 superblock is lockless now, so there is probably a race
      condition between writing it so disk and modifing contents of it, which
      may lead to checksum error. The following race is the one case that we
      have captured.
      
      jbd2                                fsstress
      jbd2_journal_commit_transaction
       jbd2_journal_update_sb_log_tail
        jbd2_write_superblock
         jbd2_superblock_csum_set         jbd2_journal_revoke
                                           jbd2_journal_set_features(revork)
                                           modify superblock
         submit_bh(checksum incorrect)
      
      Fix this by locking the buffer head before modifing it.  We always
      write the jbd2 superblock after we modify it, so this just means
      calling the lock_buffer() a little earlier.
      
      This checksum corruption problem can be reproduced by xfstests
      generic/475.
      Reported-by: default avatarzhangyi (F) <yi.zhang@huawei.com>
      Suggested-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9edb5193
    • Hong Liu's avatar
      HID: intel-ish-hid: avoid binding wrong ishtp_cl_device · edace601
      Hong Liu authored
      [ Upstream commit 0d28f494 ]
      
      When performing a warm reset in ishtp bus driver, the ishtp_cl_device
      will not be removed, its fw_client still points to the already freed
      ishtp_device.fw_clients array.
      
      Later after driver finishing ishtp client enumeration, this dangling
      pointer may cause driver to bind the wrong ishtp_cl_device to the new
      client, causing wrong callback to be called for messages intended for
      the new client.
      
      This helps in development of firmware where frequent switching of
      firmwares is required without Linux reboot.
      Signed-off-by: default avatarHong Liu <hong.liu@intel.com>
      Tested-by: default avatarHongyan Song <hongyan.song@intel.com>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      edace601
    • Aurelien Jarno's avatar
      vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 · 58c90c4c
      Aurelien Jarno authored
      [ Upstream commit cc4b1242 ]
      
      The preadv2 and pwritev2 syscalls are supposed to emulate the readv and
      writev syscalls when offset == -1. Therefore the compat code should
      check for offset before calling do_compat_preadv64 and
      do_compat_pwritev64. This is the case for the preadv2 and pwritev2
      syscalls, but handling of offset == -1 is missing in their 64-bit
      equivalent.
      
      This patch fixes that, calling do_compat_readv and do_compat_writev when
      offset == -1. This fixes the following glibc tests on x32:
       - misc/tst-preadvwritev2
       - misc/tst-preadvwritev64v2
      
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: H.J. Lu <hjl.tools@gmail.com>
      Signed-off-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      58c90c4c
    • Ezequiel Garcia's avatar
      media: mtk-jpeg: Correct return type for mem2mem buffer helpers · 3dbaa9f3
      Ezequiel Garcia authored
      [ Upstream commit 1b275e4e ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3dbaa9f3
    • Ezequiel Garcia's avatar
      media: mx2_emmaprp: Correct return type for mem2mem buffer helpers · 8234875e
      Ezequiel Garcia authored
      [ Upstream commit 8d20dcef ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8234875e
    • Ezequiel Garcia's avatar
      media: s5p-g2d: Correct return type for mem2mem buffer helpers · 62b2d03e
      Ezequiel Garcia authored
      [ Upstream commit 30fa627b ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      62b2d03e
    • Ezequiel Garcia's avatar
      media: s5p-jpeg: Correct return type for mem2mem buffer helpers · e04c19af
      Ezequiel Garcia authored
      [ Upstream commit 4a88f898 ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e04c19af
    • Ezequiel Garcia's avatar
      media: sh_veu: Correct return type for mem2mem buffer helpers · a016d9a3
      Ezequiel Garcia authored
      [ Upstream commit 43c14519 ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a016d9a3
    • Wen Yang's avatar
      SoC: imx-sgtl5000: add missing put_device() · 31b73180
      Wen Yang authored
      [ Upstream commit 8fa857da ]
      
      The of_find_device_by_node() takes a reference to the underlying device
      structure, we should release that reference.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/fsl/imx-sgtl5000.c:169:1-7: ERROR: missing put_device;
      call of_find_device_by_node on line 105, but without a corresponding
      object release within this function.
      ./sound/soc/fsl/imx-sgtl5000.c:177:1-7: ERROR: missing put_device;
      call of_find_device_by_node on line 105, but without a corresponding
      object release within this function.
      Signed-off-by: default avatarWen Yang <yellowriver2010@hotmail.com>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <festevam@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: Shawn Guo <shawnguo@kernel.org>
      Cc: Sascha Hauer <s.hauer@pengutronix.de>
      Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
      Cc: NXP Linux Team <linux-imx@nxp.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      31b73180
    • Thomas Richter's avatar
      perf test: Fix failure of 'evsel-tp-sched' test on s390 · f548bbe4
      Thomas Richter authored
      [ Upstream commit 03d30971 ]
      
      Commit 489338a7 ("perf tests evsel-tp-sched: Fix bitwise operator")
      causes test case 14 "Parse sched tracepoints fields" to fail on s390.
      
      This test succeeds on x86.
      
      In fact this test now fails on all architectures with type char treated
      as type unsigned char.
      
      The root cause is the signed-ness of character arrays in the tracepoints
      sched_switch for structure members prev_comm and next_comm.
      
      On s390 the output of:
      
       [root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
       name: sched_switch
       ID: 287
       format:
         field:unsigned short common_type; offset:0; size:2;	signed:0;
         ...
         field:char prev_comm[16]; offset:8; size:16;	signed:0;
         ...
         field:char next_comm[16]; offset:40; size:16; signed:0;
      
      reveals the character arrays prev_comm and next_comm are per
      default unsigned char and have values in the range of 0..255.
      
      On x86 both fields are signed as this output shows:
       [root@f29]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
       name: sched_switch
       ID: 287
       format:
         field:unsigned short common_type; offset:0; size:2;	signed:0;
         ...
         field:char prev_comm[16]; offset:8; size:16;	signed:1;
         ...
         field:char next_comm[16]; offset:40; size:16; signed:1;
      
      and the character arrays prev_comm and next_comm are per default signed
      char and have values in the range of -1..127.  The implementation of
      type char is architecture specific.
      
      Since the character arrays in both tracepoints sched_switch and
      sched_wakeup should contain ascii characters, simply omit the check for
      signedness in the test case.
      
      Output before:
      
        [root@m35lp76 perf]# ./perf test -F 14
        14: Parse sched tracepoints fields                        :
        --- start ---
        sched:sched_switch: "prev_comm" signedness(0) is wrong, should be 1
        sched:sched_switch: "next_comm" signedness(0) is wrong, should be 1
        sched:sched_wakeup: "comm" signedness(0) is wrong, should be 1
        ---- end ----
        14: Parse sched tracepoints fields                        : FAILED!
        [root@m35lp76 perf]#
      
      Output after:
      
        [root@m35lp76 perf]# ./perf test -Fv 14
        14: Parse sched tracepoints fields                        :
        --- start ---
        ---- end ----
        Parse sched tracepoints fields: Ok
        [root@m35lp76 perf]#
      
      Fixes: 489338a7 ("perf tests evsel-tp-sched: Fix bitwise operator")
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Link: http://lkml.kernel.org/r/20190219153639.31267-1-tmricht@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f548bbe4
    • Sedat Dilek's avatar
      scsi: fcoe: make use of fip_mode enum complete · c3ec6241
      Sedat Dilek authored
      [ Upstream commit 8beb90aa ]
      
      commit 1917d42d ("fcoe: use enum for fip_mode") introduces a separate
      enum for the fip_mode that shall be used during initialisation handling
      until it is passed to fcoe_ctrl_link_up to set the initial fip_state.  That
      change was incomplete and gcc quietly converted in various places between
      the fip_mode and the fip_state enum values with implicit enum conversions,
      which fortunately cannot cause any issues in the actual code's execution.
      
      clang however warns about these implicit enum conversions in the scsi
      drivers. This commit consolidates the use of the two enums, guided by
      clang's enum-conversion warnings.
      
      This commit now completes the use of the fip_mode: It expects and uses
      fip_mode in {bnx2fc,fcoe}_interface_create and fcoe_ctlr_init, and it calls
      fcoe_ctrl_set_set() with the correct values in fcoe_ctlr_link_up().  It
      also breaks the association between FIP_MODE_AUTO and FIP_ST_AUTO to
      indicate these two enums are distinct.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/151
      Fixes: 1917d42d ("fcoe: use enum for fip_mode")
      Reported-by: default avatarDmitry Golovin <dima@golovin.in>
      Original-by: default avatarLukas Bulwahn <lukas.bulwahn@gmail.com>
      CC: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      CC: Nick Desaulniers <ndesaulniers@google.com>
      CC: Nathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Suggested-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c3ec6241
    • Jason Yan's avatar
      scsi: megaraid_sas: return error when create DMA pool failed · 90fca247
      Jason Yan authored
      [ Upstream commit bcf3b67d ]
      
      when create DMA pool for cmd frames failed, we should return -ENOMEM,
      instead of 0.
      In some case in:
      
          megasas_init_adapter_fusion()
      
          -->megasas_alloc_cmds()
             -->megasas_create_frame_pool
                create DMA pool failed,
              --> megasas_free_cmds() [1]
      
          -->megasas_alloc_cmds_fusion()
             failed, then goto fail_alloc_cmds.
          -->megasas_free_cmds() [2]
      
      we will call megasas_free_cmds twice, [1] will kfree cmd_list,
      [2] will use cmd_list.it will cause a problem:
      
      Unable to handle kernel NULL pointer dereference at virtual address
      00000000
      pgd = ffffffc000f70000
      [00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003,
      *pmd=0000001fbf894003, *pte=006000006d000707
      Internal error: Oops: 96000005 [#1] SMP
       Modules linked in:
       CPU: 18 PID: 1 Comm: swapper/0 Not tainted
       task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000
       PC is at megasas_free_cmds+0x30/0x70
       LR is at megasas_free_cmds+0x24/0x70
       ...
       Call trace:
       [<ffffffc0005b779c>] megasas_free_cmds+0x30/0x70
       [<ffffffc0005bca74>] megasas_init_adapter_fusion+0x2f4/0x4d8
       [<ffffffc0005b926c>] megasas_init_fw+0x2dc/0x760
       [<ffffffc0005b9ab0>] megasas_probe_one+0x3c0/0xcd8
       [<ffffffc0004a5abc>] local_pci_probe+0x4c/0xb4
       [<ffffffc0004a5c40>] pci_device_probe+0x11c/0x14c
       [<ffffffc00053a5e4>] driver_probe_device+0x1ec/0x430
       [<ffffffc00053a92c>] __driver_attach+0xa8/0xb0
       [<ffffffc000538178>] bus_for_each_dev+0x74/0xc8
        [<ffffffc000539e88>] driver_attach+0x28/0x34
       [<ffffffc000539a18>] bus_add_driver+0x16c/0x248
       [<ffffffc00053b234>] driver_register+0x6c/0x138
       [<ffffffc0004a5350>] __pci_register_driver+0x5c/0x6c
       [<ffffffc000ce3868>] megasas_init+0xc0/0x1a8
       [<ffffffc000082a58>] do_one_initcall+0xe8/0x1ec
       [<ffffffc000ca7be8>] kernel_init_freeable+0x1c8/0x284
       [<ffffffc0008d90b8>] kernel_init+0x1c/0xe4
      Signed-off-by: default avatarJason Yan <yanaijie@huawei.com>
      Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      90fca247
    • Ross Lagerwall's avatar
      efi: cper: Fix possible out-of-bounds access · 7022c495
      Ross Lagerwall authored
      [ Upstream commit 45b14a4f ]
      
      When checking a generic status block, we iterate over all the generic
      data blocks. The loop condition only checks that the start of the
      generic data block is valid (within estatus->data_length) but not the
      whole block. Because the size of data blocks (excluding error data) may
      vary depending on the revision and the revision is contained within the
      data block, ensure that enough of the current data block is valid before
      dereferencing any members otherwise an out-of-bounds access may occur if
      estatus->data_length is invalid.
      
      This relies on the fact that struct acpi_hest_generic_data_v300 is a
      superset of the earlier version.  Also rework the other checks to avoid
      potential underflow.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Tested-by: default avatarTyler Baicar <baicar.tyler@gmail.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7022c495
    • Erwan Velu's avatar
      cpufreq: acpi-cpufreq: Report if CPU doesn't support boost technologies · 33640a0c
      Erwan Velu authored
      [ Upstream commit 1222d527 ]
      
      There is some rare cases where CPB (and possibly IDA) are missing on
      processors.
      
      This is the case fixed by commit f7f3dc00 ("x86/cpu/AMD: Fix
      erratum 1076 (CPB bit)") and following.
      
      In such context, the boost status isn't reported by
      /sys/devices/system/cpu/cpufreq/boost.
      
      This commit is about printing a message to report that the CPU
      doesn't expose the boost capabilities.
      
      This message could help debugging platforms hit by this phenomena.
      Signed-off-by: default avatarErwan Velu <e.velu@criteo.com>
      [ rjw: Change the message text somewhat ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      33640a0c
    • Katsuhiro Suzuki's avatar
      clk: fractional-divider: check parent rate only if flag is set · 2c8340ca
      Katsuhiro Suzuki authored
      [ Upstream commit d13501a2 ]
      
      Custom approximation of fractional-divider may not need parent clock
      rate checking. For example Rockchip SoCs work fine using grand parent
      clock rate even if target rate is greater than parent.
      
      This patch checks parent clock rate only if CLK_SET_RATE_PARENT flag
      is set.
      
      For detailed example, clock tree of Rockchip I2S audio hardware.
        - Clock rate of CPLL is 1.2GHz, GPLL is 491.52MHz.
        - i2s1_div is integer divider can divide N (N is 1~128).
          Input clock is CPLL or GPLL. Initial divider value is N = 1.
          Ex) PLL = CPLL, N = 10, i2s1_div output rate is
            CPLL / 10 = 1.2GHz / 10 = 120MHz
        - i2s1_frac is fractional divider can divide input to x/y, x and
          y are 16bit integer.
      
      CPLL --> | selector | ---> i2s1_div -+--> | selector | --> I2S1 MCLK
      GPLL --> |          | ,--------------'    |          |
                            `--> i2s1_frac ---> |          |
      
      Clock mux system try to choose suitable one from i2s1_div and
      i2s1_frac for master clock (MCLK) of I2S1.
      
      Bad scenario as follows:
        - Try to set MCLK to 8.192MHz (32kHz audio replay)
          Candidate setting is
          - i2s1_div: GPLL / 60 = 8.192MHz
          i2s1_div candidate is exactly same as target clock rate, so mux
          choose this clock source. i2s1_div output rate is changed
          491.52MHz -> 8.192MHz
      
        - After that try to set to 11.2896MHz (44.1kHz audio replay)
          Candidate settings are
          - i2s1_div : CPLL / 107 = 11.214945MHz
          - i2s1_frac: i2s1_div   = 8.192MHz
            This is because clk_fd_round_rate() thinks target rate
            (11.2896MHz) is higher than parent rate (i2s1_div = 8.192MHz)
            and returns parent clock rate.
      
      Above is current upstreamed behavior. Clock mux system choose
      i2s1_div, but this clock rate is not acceptable for I2S driver, so
      users cannot replay audio.
      
      Expected behavior is:
        - Try to set master clock to 11.2896MHz (44.1kHz audio replay)
          Candidate settings are
          - i2s1_div : CPLL / 107          = 11.214945MHz
          - i2s1_frac: i2s1_div * 147/6400 = 11.2896MHz
                       Change i2s1_div to GPLL / 1 = 491.52MHz at same
                       time.
      
      If apply this commit, clk_fd_round_rate() calls custom approximate
      function of Rockchip even if target rate is higher than parent.
      Custom function changes both grand parent (i2s1_div) and parent
      (i2s_frac) settings at same time. Clock mux system can choose
      i2s1_frac and audio works fine.
      Signed-off-by: default avatarKatsuhiro Suzuki <katsuhiro@katsuster.net>
      Reviewed-by: default avatarHeiko Stuebner <heiko@sntech.de>
      [sboyd@kernel.org: Make function into a macro instead]
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2c8340ca
    • Håkon Bugge's avatar
      IB/mlx4: Increase the timeout for CM cache · 63d748f3
      Håkon Bugge authored
      [ Upstream commit 2612d723 ]
      
      Using CX-3 virtual functions, either from a bare-metal machine or
      pass-through from a VM, MAD packets are proxied through the PF driver.
      
      Since the VF drivers have separate name spaces for MAD Transaction Ids
      (TIDs), the PF driver has to re-map the TIDs and keep the book keeping
      in a cache.
      
      Following the RDMA Connection Manager (CM) protocol, it is clear when
      an entry has to evicted form the cache. But life is not perfect,
      remote peers may die or be rebooted. Hence, it's a timeout to wipe out
      a cache entry, when the PF driver assumes the remote peer has gone.
      
      During workloads where a high number of QPs are destroyed concurrently,
      excessive amount of CM DREQ retries has been observed
      
      The problem can be demonstrated in a bare-metal environment, where two
      nodes have instantiated 8 VFs each. This using dual ported HCAs, so we
      have 16 vPorts per physical server.
      
      64 processes are associated with each vPort and creates and destroys
      one QP for each of the remote 64 processes. That is, 1024 QPs per
      vPort, all in all 16K QPs. The QPs are created/destroyed using the
      CM.
      
      When tearing down these 16K QPs, excessive CM DREQ retries (and
      duplicates) are observed. With some cat/paste/awk wizardry on the
      infiniband_cm sysfs, we observe as sum of the 16 vPorts on one of the
      nodes:
      
      cm_rx_duplicates:
            dreq  2102
      cm_rx_msgs:
            drep  1989
            dreq  6195
             rep  3968
             req  4224
             rtu  4224
      cm_tx_msgs:
            drep  4093
            dreq 27568
             rep  4224
             req  3968
             rtu  3968
      cm_tx_retries:
            dreq 23469
      
      Note that the active/passive side is equally distributed between the
      two nodes.
      
      Enabling pr_debug in cm.c gives tons of:
      
      [171778.814239] <mlx4_ib> mlx4_ib_multiplex_cm_handler: id{slave:
      1,sl_cm_id: 0xd393089f} is NULL!
      
      By increasing the CM_CLEANUP_CACHE_TIMEOUT from 5 to 30 seconds, the
      tear-down phase of the application is reduced from approximately 90 to
      50 seconds. Retries/duplicates are also significantly reduced:
      
      cm_rx_duplicates:
            dreq  2460
      []
      cm_tx_retries:
            dreq  3010
             req    47
      
      Increasing the timeout further didn't help, as these duplicates and
      retries stems from a too short CMA timeout, which was 20 (~4 seconds)
      on the systems. By increasing the CMA timeout to 22 (~17 seconds), the
      numbers fell down to about 10 for both of them.
      
      Adjustment of the CMA timeout is not part of this commit.
      Signed-off-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Acked-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      63d748f3
    • Florian Fainelli's avatar
      mlxsw: spectrum: Avoid -Wformat-truncation warnings · 4e07a33d
      Florian Fainelli authored
      [ Upstream commit ab2c4e25 ]
      
      Give precision identifiers to the two snprintf() formatting the priority
      and TC strings to avoid producing these two warnings:
      
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function
      'mlxsw_sp_port_get_prio_strings':
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:37: warning: '%d'
      directive output may be truncated writing between 1 and 3 bytes into a
      region of size between 0 and 31 [-Wformat-truncation=]
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
                                           ^~
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:3: note: 'snprintf'
      output between 3 and 36 bytes into a destination of size 32
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           mlxsw_sp_port_hw_prio_stats[i].str, prio);
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function
      'mlxsw_sp_port_get_tc_strings':
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:37: warning: '%d'
      directive output may be truncated writing between 1 and 11 bytes into a
      region of size between 0 and 31 [-Wformat-truncation=]
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
                                           ^~
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:3: note: 'snprintf'
      output between 3 and 44 bytes into a destination of size 32
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           mlxsw_sp_port_hw_tc_stats[i].str, tc);
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4e07a33d
    • Florian Fainelli's avatar
      e1000e: Fix -Wformat-truncation warnings · 8c21b452
      Florian Fainelli authored
      [ Upstream commit 135e7245 ]
      
      Provide precision hints to snprintf() since we know the destination
      buffer size of the RX/TX ring names are IFNAMSIZ + 5 - 1. This fixes the
      following warnings:
      
      drivers/net/ethernet/intel/e1000e/netdev.c: In function
      'e1000_request_msix':
      drivers/net/ethernet/intel/e1000e/netdev.c:2109:13: warning: 'snprintf'
      output may be truncated before the last format character
      [-Wformat-truncation=]
           "%s-rx-0", netdev->name);
                   ^
      drivers/net/ethernet/intel/e1000e/netdev.c:2107:3: note: 'snprintf'
      output between 6 and 21 bytes into a destination of size 20
         snprintf(adapter->rx_ring->name,
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           sizeof(adapter->rx_ring->name) - 1,
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           "%s-rx-0", netdev->name);
           ~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/intel/e1000e/netdev.c:2125:13: warning: 'snprintf'
      output may be truncated before the last format character
      [-Wformat-truncation=]
           "%s-tx-0", netdev->name);
                   ^
      drivers/net/ethernet/intel/e1000e/netdev.c:2123:3: note: 'snprintf'
      output between 6 and 21 bytes into a destination of size 20
         snprintf(adapter->tx_ring->name,
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           sizeof(adapter->tx_ring->name) - 1,
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           "%s-tx-0", netdev->name);
           ~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8c21b452
    • Aaro Koskinen's avatar
      mmc: omap: fix the maximum timeout setting · 17211582
      Aaro Koskinen authored
      [ Upstream commit a6327b5e ]
      
      When running OMAP1 kernel on QEMU, MMC access is annoyingly noisy:
      
      	MMC: CTO of 0xff and 0xfe cannot be used!
      	MMC: CTO of 0xff and 0xfe cannot be used!
      	MMC: CTO of 0xff and 0xfe cannot be used!
      	[ad inf.]
      
      Emulator warnings appear to be valid. The TI document SPRU680 [1]
      ("OMAP5910 Dual-Core Processor MultiMedia Card/Secure Data Memory Card
      (MMC/SD) Reference Guide") page 36 states that the maximum timeout is 253
      cycles and "0xff and 0xfe cannot be used".
      
      Fix by using 0xfd as the maximum timeout.
      
      Tested using QEMU 2.5 (Siemens SX1 machine, OMAP310), and also checked on
      real hardware using Palm TE (OMAP310), Nokia 770 (OMAP1710) and Nokia N810
      (OMAP2420) that MMC works as before.
      
      [1] http://www.ti.com/lit/ug/spru680/spru680.pdf
      
      Fixes: 730c9b7e ("[MMC] Add OMAP MMC host driver")
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      17211582
    • Aneesh Kumar K.V's avatar
      powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area callback · 085aefc2
      Aneesh Kumar K.V authored
      [ Upstream commit 5330367f ]
      
      After we ALIGN up the address we need to make sure we didn't overflow
      and resulted in zero address. In that case, we need to make sure that
      the returned address is greater than mmap_min_addr.
      
      This fixes selftest va_128TBswitch --run-hugetlb reporting failures when
      run as non root user for
      
      mmap(-1, MAP_HUGETLB)
      
      The bug is that a non-root user requesting address -1 will be given address 0
      which will then fail, whereas they should have been given something else that
      would have succeeded.
      
      We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address
      with this change. So we think this is not a security issue, because it only affects
      whether we choose an address below mmap_min_addr, not whether we
      actually allow that address to be mapped. ie. there are existing capability
      checks to prevent a user mapping below mmap_min_addr and those will still be
      honoured even without this fix.
      
      Fixes: 48483760 ("powerpc/mm: Add radix support for hugetlb")
      Reviewed-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      085aefc2
    • Nicolas Boichat's avatar
      iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables · e42d534d
      Nicolas Boichat authored
      [ Upstream commit 032ebd85 ]
      
      L1 tables are allocated with __get_dma_pages, and therefore already
      ignored by kmemleak.
      
      Without this, the kernel would print this error message on boot,
      when the first L1 table is allocated:
      
      [    2.810533] kmemleak: Trying to color unknown object at 0xffffffd652388000 as Black
      [    2.818190] CPU: 5 PID: 39 Comm: kworker/5:0 Tainted: G S                4.19.16 #8
      [    2.831227] Workqueue: events deferred_probe_work_func
      [    2.836353] Call trace:
      ...
      [    2.852532]  paint_ptr+0xa0/0xa8
      [    2.855750]  kmemleak_ignore+0x38/0x6c
      [    2.859490]  __arm_v7s_alloc_table+0x168/0x1f4
      [    2.863922]  arm_v7s_alloc_pgtable+0x114/0x17c
      [    2.868354]  alloc_io_pgtable_ops+0x3c/0x78
      ...
      
      Fixes: e5fc9753 ("iommu/io-pgtable: Add ARMv7 short descriptor support")
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e42d534d
    • Sebastian Andrzej Siewior's avatar
      ARM: 8840/1: use a raw_spinlock_t in unwind · 8b847ace
      Sebastian Andrzej Siewior authored
      [ Upstream commit 74ffe79a ]
      
      Mostly unwind is done with irqs enabled however SLUB may call it with
      irqs disabled while creating a new SLUB cache.
      
      I had system freeze while loading a module which called
      kmem_cache_create() on init. That means SLUB's __slab_alloc() disabled
      interrupts and then
      
      ->new_slab_objects()
       ->new_slab()
        ->setup_object()
         ->setup_object_debug()
          ->init_tracking()
           ->set_track()
            ->save_stack_trace()
             ->save_stack_trace_tsk()
              ->walk_stackframe()
               ->unwind_frame()
                ->unwind_find_idx()
                 =>spin_lock_irqsave(&unwind_lock);
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8b847ace
    • Lubomir Rintel's avatar
      serial: 8250_pxa: honor the port number from devicetree · d208133d
      Lubomir Rintel authored
      [ Upstream commit fe9ed6d2 ]
      
      Like the other OF-enabled drivers, use the port number from the firmware if
      the devicetree specifies an alias:
      
        aliases {
            ...
            serial2 = &uart2; /* Should be ttyS2 */
        }
      
      This is how the deprecated pxa.c driver behaved, switching to 8250_pxa
      messes up the numbering.
      Signed-off-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d208133d
    • Sai Prakash Ranjan's avatar
      coresight: etm4x: Add support to enable ETMv4.2 · c49d8ee4
      Sai Prakash Ranjan authored
      [ Upstream commit 5666dfd1 ]
      
      SDM845 has ETMv4.2 and can use the existing etm4x driver.
      But the current etm driver checks only for ETMv4.0 and
      errors out for other etm4x versions. This patch adds this
      missing support to enable SoC's with ETMv4x to use same
      driver by checking only the ETM architecture major version
      number.
      
      Without this change, we get below error during etm probe:
      
      / # dmesg | grep etm
      [    6.660093] coresight-etm4x: probe of 7040000.etm failed with error -22
      [    6.666902] coresight-etm4x: probe of 7140000.etm failed with error -22
      [    6.673708] coresight-etm4x: probe of 7240000.etm failed with error -22
      [    6.680511] coresight-etm4x: probe of 7340000.etm failed with error -22
      [    6.687313] coresight-etm4x: probe of 7440000.etm failed with error -22
      [    6.694113] coresight-etm4x: probe of 7540000.etm failed with error -22
      [    6.700914] coresight-etm4x: probe of 7640000.etm failed with error -22
      [    6.707717] coresight-etm4x: probe of 7740000.etm failed with error -22
      
      With this change, etm probe is successful:
      
      / # dmesg | grep etm
      [    6.659198] coresight-etm4x 7040000.etm: CPU0: ETM v4.2 initialized
      [    6.665848] coresight-etm4x 7140000.etm: CPU1: ETM v4.2 initialized
      [    6.672493] coresight-etm4x 7240000.etm: CPU2: ETM v4.2 initialized
      [    6.679129] coresight-etm4x 7340000.etm: CPU3: ETM v4.2 initialized
      [    6.685770] coresight-etm4x 7440000.etm: CPU4: ETM v4.2 initialized
      [    6.692403] coresight-etm4x 7540000.etm: CPU5: ETM v4.2 initialized
      [    6.699024] coresight-etm4x 7640000.etm: CPU6: ETM v4.2 initialized
      [    6.705646] coresight-etm4x 7740000.etm: CPU7: ETM v4.2 initialized
      Signed-off-by: default avatarSai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
      Reviewed-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarMathieu Poirier <mathieu.poirier@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c49d8ee4
    • Nathan Chancellor's avatar
      powerpc/xmon: Fix opcode being uninitialized in print_insn_powerpc · 13cebeec
      Nathan Chancellor authored
      [ Upstream commit e7140639 ]
      
      When building with -Wsometimes-uninitialized, Clang warns:
      
        arch/powerpc/xmon/ppc-dis.c:157:7: warning: variable 'opcode' is used
        uninitialized whenever 'if' condition is false
        [-Wsometimes-uninitialized]
          if (cpu_has_feature(CPU_FTRS_POWER9))
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        arch/powerpc/xmon/ppc-dis.c:167:7: note: uninitialized use occurs here
          if (opcode == NULL)
              ^~~~~~
        arch/powerpc/xmon/ppc-dis.c:157:3: note: remove the 'if' if its
        condition is always true
          if (cpu_has_feature(CPU_FTRS_POWER9))
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        arch/powerpc/xmon/ppc-dis.c:132:38: note: initialize the variable
        'opcode' to silence this warning
          const struct powerpc_opcode *opcode;
                                             ^
                                              = NULL
        1 warning generated.
      
      This warning seems to make no sense on the surface because opcode is set
      to NULL right below this statement. However, there is a comma instead of
      semicolon to end the dialect assignment, meaning that the opcode
      assignment only happens in the if statement. Properly terminate that
      line so that Clang no longer warns.
      
      Fixes: 5b102782 ("powerpc/xmon: Enable disassembly files (compilation changes)")
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      13cebeec
    • Benjamin Block's avatar
      scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c · 39bb97e0
      Benjamin Block authored
      [ Upstream commit 1749ef00 ]
      
      We had a test-report where, under memory pressure, adding LUNs to the
      systems would fail (the tests add LUNs strictly in sequence):
      
      [ 5525.853432] scsi 0:0:1:1088045124: Direct-Access     IBM      2107900          .148 PQ: 0 ANSI: 5
      [ 5525.853826] scsi 0:0:1:1088045124: alua: supports implicit TPGS
      [ 5525.853830] scsi 0:0:1:1088045124: alua: device naa.6005076303ffd32700000000000044da port group 0 rel port 43
      [ 5525.853931] sd 0:0:1:1088045124: Attached scsi generic sg10 type 0
      [ 5525.854075] sd 0:0:1:1088045124: [sdk] Disabling DIF Type 1 protection
      [ 5525.855495] sd 0:0:1:1088045124: [sdk] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
      [ 5525.855606] sd 0:0:1:1088045124: [sdk] Write Protect is off
      [ 5525.855609] sd 0:0:1:1088045124: [sdk] Mode Sense: ed 00 00 08
      [ 5525.855795] sd 0:0:1:1088045124: [sdk] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
      [ 5525.857838]  sdk: sdk1
      [ 5525.859468] sd 0:0:1:1088045124: [sdk] Attached SCSI disk
      [ 5525.865073] sd 0:0:1:1088045124: alua: transition timeout set to 60 seconds
      [ 5525.865078] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA
      [ 5526.015070] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA
      [ 5526.015213] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA
      [ 5526.587439] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
      [ 5526.588562] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
      
      Looking at the code of scsi_alloc_sdev(), and all the calling contexts,
      there seems to be no reason to use GFP_ATMOIC here. All the different
      call-contexts use a mutex at some point, and nothing in between that
      requires no sleeping, as far as I could see. Additionally, the code that
      later allocates the block queue for the device (scsi_mq_alloc_queue())
      already uses GFP_KERNEL.
      
      There are similar allocations in two other functions:
      scsi_probe_and_add_lun(), and scsi_add_lun(),; that can also be done with
      GFP_KERNEL.
      
      Here is the contexts for the three functions so far:
      
          scsi_alloc_sdev()
              scsi_probe_and_add_lun()
                  scsi_sequential_lun_scan()
                      __scsi_scan_target()
                          scsi_scan_target()
                              mutex_lock()
                          scsi_scan_channel()
                              scsi_scan_host_selected()
                                  mutex_lock()
                  scsi_report_lun_scan()
                      __scsi_scan_target()
          	            ...
                  __scsi_add_device()
                      mutex_lock()
                  __scsi_scan_target()
                      ...
              scsi_report_lun_scan()
                  ...
              scsi_get_host_dev()
                  mutex_lock()
      
          scsi_probe_and_add_lun()
              ...
      
          scsi_add_lun()
              scsi_probe_and_add_lun()
                  ...
      
      So replace all these, and give them a bit of a better chance to succeed,
      with more chances of reclaim.
      Signed-off-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      39bb97e0
    • Paul Kocialkowski's avatar
      usb: chipidea: Grab the (legacy) USB PHY by phandle first · 52eec5bf
      Paul Kocialkowski authored
      [ Upstream commit 68ef2362 ]
      
      According to the chipidea driver bindings, the USB PHY is specified via
      the "phys" phandle node. However, this only takes effect for USB PHYs
      that use the common PHY framework. For legacy USB PHYs, a simple lookup
      based on the USB PHY type is done instead.
      
      This does not play out well when more than one USB PHY is registered,
      since the first registered PHY matching the type will always be
      returned regardless of what the driver was bound to.
      
      Fix this by looking up the PHY based on the "phys" phandle node.
      Although generic PHYs are rather matched by their "phys-name" and not
      the "phys" phandle directly, there is no helper for similar lookup on
      legacy PHYs and it's probably not worth the effort to add it.
      
      When no legacy USB PHY is found by phandle, fallback to grabbing any
      registered USB2 PHY. This ensures backward compatibility if some users
      were actually relying on this mechanism.
      Signed-off-by: default avatarPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      52eec5bf
    • Eric Biggers's avatar
      crypto: cavium/zip - fix collision with generic cra_driver_name · a8946469
      Eric Biggers authored
      [ Upstream commit 41798036 ]
      
      The cavium/zip implementation of the deflate compression algorithm is
      incorrectly being registered under the generic driver name, which
      prevents the generic implementation from being registered with the
      crypto API when CONFIG_CRYPTO_DEV_CAVIUM_ZIP=y.  Similarly the lzs
      algorithm (which does not currently have a generic implementation...)
      is incorrectly being registered as lzs-generic.
      
      Fix the naming collision by adding a suffix "-cavium" to the
      cra_driver_name of the cavium/zip algorithms.
      
      Fixes: 640035a2 ("crypto: zip - Add ThunderX ZIP driver core")
      Cc: Mahipal Challa <mahipalreddy2006@gmail.com>
      Cc: Jan Glauber <jglauber@cavium.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a8946469
    • Julia Lawall's avatar
      crypto: crypto4xx - add missing of_node_put after of_device_is_available · cfac24f7
      Julia Lawall authored
      [ Upstream commit 8c2b43d2 ]
      
      Add an of_node_put when a tested device node is not available.
      
      The semantic patch that fixes this problem is as follows
      (http://coccinelle.lip6.fr):
      
      // <smpl>
      @@
      identifier f;
      local idexpression e;
      expression x;
      @@
      
      e = f(...);
      ... when != of_node_put(e)
          when != x = e
          when != e = x
          when any
      if (<+...of_device_is_available(e)...+>) {
        ... when != of_node_put(e)
      (
        return e;
      |
      + of_node_put(e);
        return ...;
      )
      }
      // </smpl>
      
      Fixes: 5343e674 ("crypto4xx: integrate ppc4xx-rng into crypto4xx")
      Signed-off-by: default avatarJulia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cfac24f7
    • Alexei Avshalom Lazar's avatar
      wil6210: check null pointer in _wil_cfg80211_merge_extra_ies · 97835921
      Alexei Avshalom Lazar authored
      [ Upstream commit de77a53c ]
      
      ies1 or ies2 might be null when code inside
      _wil_cfg80211_merge_extra_ies access them.
      Add explicit check for null and make sure ies1/ies2 are not
      accessed in such a case.
      
      spos might be null and be accessed inside
      _wil_cfg80211_merge_extra_ies.
      Add explicit check for null in the while condition statement
      and make sure spos is not accessed in such a case.
      Signed-off-by: default avatarAlexei Avshalom Lazar <ailizaro@codeaurora.org>
      Signed-off-by: default avatarMaya Erez <merez@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      97835921
    • Rafael J. Wysocki's avatar
      PCI/PME: Fix hotplug/sysfs remove deadlock in pcie_pme_remove() · 005ef9bf
      Rafael J. Wysocki authored
      [ Upstream commit 95c80bc6 ]
      
      Dongdong reported a deadlock triggered by a hotplug event during a sysfs
      "remove" operation:
      
        pciehp 0000:00:0c.0:pcie004: Slot(0-1): Link Up
        # echo 1 > 0000:00:0c.0/remove
      
        PME and hotplug share an MSI/MSI-X vector.  The sysfs "remove" side is:
      
          remove_store
             pci_stop_and_remove_bus_device_locked
      	 pci_lock_rescan_remove
      	 pci_stop_and_remove_bus_device
      	   ...
      	   pcie_pme_remove
      	     pcie_pme_suspend
      	       synchronize_irq        # wait for hotplug IRQ handler
      	 pci_unlock_rescan_remove
      
        The hotplug side is:
      
          pciehp_ist
             pciehp_handle_presence_or_link_change
      	 pciehp_configure_device
      	   pci_lock_rescan_remove     # wait for pci_unlock_rescan_remove()
      
        INFO: task bash:10913 blocked for more than 120 seconds.
      
        # ps -ax |grep D
         PID TTY      STAT   TIME COMMAND
        10913 ttyAMA0  Ds+    0:00 -bash
        14022 ?        D      0:00 [irq/745-pciehp]
      
        # cat /proc/14022/stack
        __switch_to+0x94/0xd8
        pci_lock_rescan_remove+0x20/0x28
        pciehp_configure_device+0x30/0x140
        pciehp_handle_presence_or_link_change+0x324/0x458
        pciehp_ist+0x1dc/0x1e0
      
        # cat /proc/10913/stack
        __switch_to+0x94/0xd8
        synchronize_irq+0x8c/0xc0
        pcie_pme_suspend+0xa4/0x118
        pcie_pme_remove+0x20/0x40
        pcie_port_remove_service+0x3c/0x58
        ...
        pcie_port_device_remove+0x2c/0x48
        pcie_portdrv_remove+0x68/0x78
        pci_device_remove+0x48/0x120
        ...
        pci_stop_bus_device+0x84/0xc0
        pci_stop_and_remove_bus_device_locked+0x24/0x40
        remove_store+0xa4/0xb8
        dev_attr_store+0x44/0x60
        sysfs_kf_write+0x58/0x80
      
      It is incorrect to call pcie_pme_suspend() from pcie_pme_remove() for two
      reasons.
      
      First, pcie_pme_suspend() calls synchronize_irq(), which will wait for the
      native hotplug interrupt handler as well as for the PME one, because they
      share one IRQ (as per the spec).  That may deadlock if hotplug is signaled
      while pcie_pme_remove() is running and the latter calls
      pci_lock_rescan_remove() before the former.
      
      Second, if pcie_pme_suspend() figures out that wakeup needs to be enabled
      for the port, it will return without disabling the interrupt as expected by
      pcie_pme_remove() which was overlooked by commit c7b5a4e6 ("PCI / PM:
      Fix native PME handling during system suspend/resume").
      
      To fix that, rework pcie_pme_remove() to disable the PME interrupt, clear
      its status and prevent the PME worker function from re-enabling it before
      calling free_irq() on it, which should be sufficient.
      
      Fixes: c7b5a4e6 ("PCI / PM: Fix native PME handling during system suspend/resume")
      Link: https://lore.kernel.org/linux-pci/c7697e7c-e1af-13e4-8491-0a3996e6ab5d@huawei.comReported-by: default avatarDongdong Liu <liudongdong3@huawei.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      [bhelgaas: add URL and deadlock details from Dongdong]
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      005ef9bf
    • Tony Jones's avatar
      tools lib traceevent: Fix buffer overflow in arg_eval · d63dc6f9
      Tony Jones authored
      [ Upstream commit 7c5b019e ]
      
      Fix buffer overflow observed when running perf test.
      
      The overflow is when trying to evaluate "1ULL << (64 - 1)" which is
      resulting in -9223372036854775808 which overflows the 20 character
      buffer.
      
      If is possible this bug has been reported before but I still don't see
      any fix checked in:
      
      See: https://www.spinics.net/lists/linux-perf-users/msg07714.htmlReported-by: default avatarMichael Sartain <mikesart@fastmail.com>
      Reported-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarTony Jones <tonyj@suse.de>
      Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Fixes: f7d82350 ("tools/events: Add files to create libtraceevent.a")
      Link: http://lkml.kernel.org/r/20190228015532.8941-1-tonyj@suse.deSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d63dc6f9
    • Carlos Maiolino's avatar
      fs: fix guard_bio_eod to check for real EOD errors · c263daec
      Carlos Maiolino authored
      [ Upstream commit dce30ca9 ]
      
      guard_bio_eod() can truncate a segment in bio to allow it to do IO on
      odd last sectors of a device.
      
      It already checks if the IO starts past EOD, but it does not consider
      the possibility of an IO request starting within device boundaries can
      contain more than one segment past EOD.
      
      In such cases, truncated_bytes can be bigger than PAGE_SIZE, and will
      underflow bvec->bv_len.
      
      Fix this by checking if truncated_bytes is lower than PAGE_SIZE.
      
      This situation has been found on filesystems such as isofs and vfat,
      which doesn't check the device size before mount, if the device is
      smaller than the filesystem itself, a readahead on such filesystem,
      which spans EOD, can trigger this situation, leading a call to
      zero_user() with a wrong size possibly corrupting memory.
      
      I didn't see any crash, or didn't let the system run long enough to
      check if memory corruption will be hit somewhere, but adding
      instrumentation to guard_bio_end() to check truncated_bytes size, was
      enough to see the error.
      
      The following script can trigger the error.
      
      MNT=/mnt
      IMG=./DISK.img
      DEV=/dev/loop0
      
      mkfs.vfat $IMG
      mount $IMG $MNT
      cp -R /etc $MNT &> /dev/null
      umount $MNT
      
      losetup -D
      
      losetup --find --show --sizelimit 16247280 $IMG
      mount $DEV $MNT
      
      find $MNT -type f -exec cat {} + >/dev/null
      
      Kudos to Eric Sandeen for coming up with the reproducer above
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarCarlos Maiolino <cmaiolino@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c263daec
    • luojiajun's avatar
      jbd2: fix invalid descriptor block checksum · 472a0b62
      luojiajun authored
      [ Upstream commit 6e876c3d ]
      
      In jbd2_journal_commit_transaction(), if we are in abort mode,
      we may flush the buffer without setting descriptor block checksum
      by goto start_journal_io. Then fs is mounted,
      jbd2_descriptor_block_csum_verify() failed.
      
      [  271.379811] EXT4-fs (vdd): shut down requested (2)
      [  271.381827] Aborting journal on device vdd-8.
      [  271.597136] JBD2: Invalid checksum recovering block 22199 in log
      [  271.598023] JBD2: recovery failed
      [  271.598484] EXT4-fs (vdd): error loading journal
      
      Fix this problem by keep setting descriptor block checksum if the
      descriptor buffer is not NULL.
      
      This checksum problem can be reproduced by xfstests generic/388.
      Signed-off-by: default avatarluojiajun <luojiajun3@huawei.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      472a0b62
    • Yao Liu's avatar
      cifs: Fix NULL pointer dereference of devname · 5abc421f
      Yao Liu authored
      [ Upstream commit 68e2672f ]
      
      There is a NULL pointer dereference of devname in strspn()
      
      The oops looks something like:
      
        CIFS: Attempting to mount (null)
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
        ...
        RIP: 0010:strspn+0x0/0x50
        ...
        Call Trace:
         ? cifs_parse_mount_options+0x222/0x1710 [cifs]
         ? cifs_get_volume_info+0x2f/0x80 [cifs]
         cifs_setup_volume_info+0x20/0x190 [cifs]
         cifs_get_volume_info+0x50/0x80 [cifs]
         cifs_smb3_do_mount+0x59/0x630 [cifs]
         ? ida_alloc_range+0x34b/0x3d0
         cifs_do_mount+0x11/0x20 [cifs]
         mount_fs+0x52/0x170
         vfs_kern_mount+0x6b/0x170
         do_mount+0x216/0xdc0
         ksys_mount+0x83/0xd0
         __x64_sys_mount+0x25/0x30
         do_syscall_64+0x65/0x220
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fix this by adding a NULL check on devname in cifs_parse_devname()
      Signed-off-by: default avatarYao Liu <yotta.liu@ucloud.cn>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5abc421f
    • Jason Cai (Xiang Feng)'s avatar
      dm thin: add sanity checks to thin-pool and external snapshot creation · af4a3faf
      Jason Cai (Xiang Feng) authored
      [ Upstream commit 70de2cbd ]
      
      Invoking dm_get_device() twice on the same device path with different
      modes is dangerous.  Because in that case, upgrade_mode() will alloc a
      new 'dm_dev' and free the old one, which may be referenced by a previous
      caller.  Dereferencing the dangling pointer will trigger kernel NULL
      pointer dereference.
      
      The following two cases can reproduce this issue.  Actually, they are
      invalid setups that must be disallowed, e.g.:
      
      1. Creating a thin-pool with read_only mode, and the same device as
      both metadata and data.
      
      dmsetup create thinp --table \
          "0 41943040 thin-pool /dev/vdb /dev/vdb 128 0 1 read_only"
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
      ...
      Call Trace:
       new_read+0xfb/0x110 [dm_bufio]
       dm_bm_read_lock+0x43/0x190 [dm_persistent_data]
       ? kmem_cache_alloc_trace+0x15c/0x1e0
       __create_persistent_data_objects+0x65/0x3e0 [dm_thin_pool]
       dm_pool_metadata_open+0x8c/0xf0 [dm_thin_pool]
       pool_ctr.cold.79+0x213/0x913 [dm_thin_pool]
       ? realloc_argv+0x50/0x70 [dm_mod]
       dm_table_add_target+0x14e/0x330 [dm_mod]
       table_load+0x122/0x2e0 [dm_mod]
       ? dev_status+0x40/0x40 [dm_mod]
       ctl_ioctl+0x1aa/0x3e0 [dm_mod]
       dm_ctl_ioctl+0xa/0x10 [dm_mod]
       do_vfs_ioctl+0xa2/0x600
       ? handle_mm_fault+0xda/0x200
       ? __do_page_fault+0x26c/0x4f0
       ksys_ioctl+0x60/0x90
       __x64_sys_ioctl+0x16/0x20
       do_syscall_64+0x55/0x150
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      2. Creating a external snapshot using the same thin-pool device.
      
      dmsetup create thinp --table \
          "0 41943040 thin-pool /dev/vdc /dev/vdb 128 0 2 ignore_discard"
      dmsetup message /dev/mapper/thinp 0 "create_thin 0"
      dmsetup create snap --table \
                  "0 204800 thin /dev/mapper/thinp 0 /dev/mapper/thinp"
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
      ...
      Call Trace:
      ? __alloc_pages_nodemask+0x13c/0x2e0
      retrieve_status+0xa5/0x1f0 [dm_mod]
      ? dm_get_live_or_inactive_table.isra.7+0x20/0x20 [dm_mod]
       table_status+0x61/0xa0 [dm_mod]
       ctl_ioctl+0x1aa/0x3e0 [dm_mod]
       dm_ctl_ioctl+0xa/0x10 [dm_mod]
       do_vfs_ioctl+0xa2/0x600
       ksys_ioctl+0x60/0x90
       ? ksys_write+0x4f/0xb0
       __x64_sys_ioctl+0x16/0x20
       do_syscall_64+0x55/0x150
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: default avatarJason Cai (Xiang Feng) <jason.cai@linux.alibaba.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      af4a3faf
    • Louis Taylor's avatar
      cifs: use correct format characters · b923486a
      Louis Taylor authored
      [ Upstream commit 259594be ]
      
      When compiling with -Wformat, clang emits the following warnings:
      
      fs/cifs/smb1ops.c:312:20: warning: format specifies type 'unsigned
      short' but the argument has type 'unsigned int' [-Wformat]
                               tgt_total_cnt, total_in_tgt);
                                              ^~~~~~~~~~~~
      
      fs/cifs/cifs_dfs_ref.c:289:4: warning: format specifies type 'short'
      but the argument has type 'int' [-Wformat]
                       ref->flags, ref->server_type);
                       ^~~~~~~~~~
      
      fs/cifs/cifs_dfs_ref.c:289:16: warning: format specifies type 'short'
      but the argument has type 'int' [-Wformat]
                       ref->flags, ref->server_type);
                                   ^~~~~~~~~~~~~~~~
      
      fs/cifs/cifs_dfs_ref.c:291:4: warning: format specifies type 'short'
      but the argument has type 'int' [-Wformat]
                       ref->ref_flag, ref->path_consumed);
                       ^~~~~~~~~~~~~
      
      fs/cifs/cifs_dfs_ref.c:291:19: warning: format specifies type 'short'
      but the argument has type 'int' [-Wformat]
                       ref->ref_flag, ref->path_consumed);
                                      ^~~~~~~~~~~~~~~~~~
      The types of these arguments are unconditionally defined, so this patch
      updates the format character to the correct ones for ints and unsigned
      ints.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/378Signed-off-by: default avatarLouis Taylor <louis@kragniz.eu>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b923486a
    • Qian Cai's avatar
      page_poison: play nicely with KASAN · d49efeb1
      Qian Cai authored
      [ Upstream commit 4117992d ]
      
      KASAN does not play well with the page poisoning (CONFIG_PAGE_POISONING).
      It triggers false positives in the allocation path:
      
        BUG: KASAN: use-after-free in memchr_inv+0x2ea/0x330
        Read of size 8 at addr ffff88881f800000 by task swapper/0
        CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc1+ #54
        Call Trace:
         dump_stack+0xe0/0x19a
         print_address_description.cold.2+0x9/0x28b
         kasan_report.cold.3+0x7a/0xb5
         __asan_report_load8_noabort+0x19/0x20
         memchr_inv+0x2ea/0x330
         kernel_poison_pages+0x103/0x3d5
         get_page_from_freelist+0x15e7/0x4d90
      
      because KASAN has not yet unpoisoned the shadow page for allocation
      before it checks memchr_inv() but only found a stale poison pattern.
      
      Also, false positives in free path,
      
        BUG: KASAN: slab-out-of-bounds in kernel_poison_pages+0x29e/0x3d5
        Write of size 4096 at addr ffff8888112cc000 by task swapper/0/1
        CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1+ #55
        Call Trace:
         dump_stack+0xe0/0x19a
         print_address_description.cold.2+0x9/0x28b
         kasan_report.cold.3+0x7a/0xb5
         check_memory_region+0x22d/0x250
         memset+0x28/0x40
         kernel_poison_pages+0x29e/0x3d5
         __free_pages_ok+0x75f/0x13e0
      
      due to KASAN adds poisoned redzones around slab objects, but the page
      poisoning needs to poison the whole page.
      
      Link: http://lkml.kernel.org/r/20190114233405.67843-1-cai@lca.pwSigned-off-by: default avatarQian Cai <cai@lca.pw>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d49efeb1