1. 09 Feb, 2017 40 commits
    • Vincent Pelletier's avatar
      usb: gadget: f_fs: Assorted buffer overflow checks. · 12a9c11c
      Vincent Pelletier authored
      commit 83e526f2 upstream.
      
      OS descriptor head, when flagged as provided, is accessed without
      checking if it fits in provided buffer. Verify length before access.
      Also, there are other places where buffer length it checked
      after accessing offsets which are potentially past the end. Check
      buffer length before as well to fail cleanly.
      Signed-off-by: default avatarVincent Pelletier <plr.vincent@gmail.com>
      Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      12a9c11c
    • Tony Lindgren's avatar
      usb: musb: Fix host mode error -71 regression · e40d15fc
      Tony Lindgren authored
      commit 407788b5 upstream.
      
      Commit 467d5c98 ("usb: musb: Implement session bit based runtime PM for
      musb-core") started implementing musb generic runtime PM support by
      introducing devctl register session bit based state control.
      
      This caused a regression where if a USB mass storage device is connected
      to a USB hub, we can get:
      
      usb 1-1: reset high-speed USB device number 2 using musb-hdrc
      usb 1-1: device descriptor read/64, error -71
      usb 1-1.1: new high-speed USB device number 4 using musb-hdrc
      
      This is because before the USB storage device is connected, musb is
      in OTG_STATE_A_SUSPEND. And we currently only set need_finish_resume
      in musb_stage0_irq() and the related code calling finish_resume_work
      in musb_resume() and musb_runtime_resume() never gets called.
      
      To fix the issue, we can call schedule_delayed_work() directly in
      musb_stage0_irq() to have finish_resume_work run.
      
      And we should no longer never get interrupts when when suspended.
      We have changed musb to no longer need pm_runtime_irqsafe().
      The need_finish_resume flag was added in commit 9298b4aa ("usb:
      musb: fix device hotplug behind hub") and no longer applies as far
      as I can tell. So let's just remove the earlier code that no longer
      is needed.
      
      Fixes: 467d5c98 ("usb: musb: Implement session bit based runtime PM for musb-core")
      Reported-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e40d15fc
    • Lukáš Lalinský's avatar
      USB: Add quirk for WORLDE easykey.25 MIDI keyboard · cbd819e7
      Lukáš Lalinský authored
      commit d9b2997e upstream.
      
      Add a quirk for WORLDE easykey.25 MIDI keyboard (idVendor=0218,
      idProduct=0401). The device reports that it has config string
      descriptor at index 3, but when the system selects the configuration
      and tries to get the description, it returns a -EPROTO error,
      the communication restarts and this keeps repeating over and over again.
      Not requesting the string descriptor makes the device work correctly.
      
      Relevant info from Wireshark:
      
      [...]
      
      CONFIGURATION DESCRIPTOR
          bLength: 9
          bDescriptorType: 0x02 (CONFIGURATION)
          wTotalLength: 101
          bNumInterfaces: 2
          bConfigurationValue: 1
          iConfiguration: 3
          Configuration bmAttributes: 0xc0  SELF-POWERED  NO REMOTE-WAKEUP
              1... .... = Must be 1: Must be 1 for USB 1.1 and higher
              .1.. .... = Self-Powered: This device is SELF-POWERED
              ..0. .... = Remote Wakeup: This device does NOT support remote wakeup
          bMaxPower: 50  (100mA)
      
      [...]
      
           45 0.369104       host                  2.38.0                USB      64     GET DESCRIPTOR Request STRING
      
      [...]
      
      URB setup
          bmRequestType: 0x80
              1... .... = Direction: Device-to-host
              .00. .... = Type: Standard (0x00)
              ...0 0000 = Recipient: Device (0x00)
          bRequest: GET DESCRIPTOR (6)
          Descriptor Index: 0x03
          bDescriptorType: 0x03
          Language Id: English (United States) (0x0409)
          wLength: 255
      
           46 0.369255       2.38.0                host                  USB      64     GET DESCRIPTOR Response STRING[Malformed Packet]
      
      [...]
      
      Frame 46: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
      USB URB
          [Source: 2.38.0]
          [Destination: host]
          URB id: 0xffff88021f62d480
          URB type: URB_COMPLETE ('C')
          URB transfer type: URB_CONTROL (0x02)
          Endpoint: 0x80, Direction: IN
          Device: 38
          URB bus id: 2
          Device setup request: not relevant ('-')
          Data: present (0)
          URB sec: 1484896277
          URB usec: 455031
          URB status: Protocol error (-EPROTO) (-71)
          URB length [bytes]: 0
          Data length [bytes]: 0
          [Request in: 45]
          [Time from request: 0.000151000 seconds]
          Unused Setup Header
          Interval: 0
          Start frame: 0
          Copy of Transfer Flags: 0x00000200
          Number of ISO descriptors: 0
      [Malformed Packet: USB]
          [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
              [Malformed Packet (Exception occurred)]
              [Severity level: Error]
              [Group: Malformed]
      Signed-off-by: default avatarLukáš Lalinský <lukas@oxygene.sk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cbd819e7
    • Marcel J.E. Mol's avatar
      USB: serial: pl2303: add ATEN device ID · 4807725a
      Marcel J.E. Mol authored
      commit d07830db upstream.
      
      Seems that ATEN serial-to-usb devices using pl2303 exist with
      different device ids. This patch adds a missing device ID so it
      is recognised by the driver.
      Signed-off-by: default avatarMarcel J.E. Mol <marcel@mesa.nl>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4807725a
    • Aleksander Morgado's avatar
      USB: serial: qcserial: add Dell DW5570 QDL · 8bc382a9
      Aleksander Morgado authored
      commit 24d615a6 upstream.
      
      The Dell DW5570 is a re-branded Sierra Wireless MC8805 which will by
      default boot with vid 0x413c and pid 0x81a3. When triggered QDL download
      mode, the device switches to pid 0x81a6 and provides the standard TTY
      used for firmware upgrade.
      Signed-off-by: default avatarAleksander Morgado <aleksander@aleksander.es>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bc382a9
    • Radim Krčmář's avatar
      KVM: x86: do not save guest-unsupported XSAVE state · 0dcbd0aa
      Radim Krčmář authored
      commit 00c87e9a upstream.
      
      Saving unsupported state prevents migration when the new host does not
      support a XSAVE feature of the original host, even if the feature is not
      exposed to the guest.
      
      We've masked host features with guest-visible features before, with
      4344ee98 ("KVM: x86: only copy XSAVE state for the supported
      features") and dropped it when implementing XSAVES.  Do it again.
      
      Fixes: df1daba7 ("KVM: x86: support XSAVES usage in the host")
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dcbd0aa
    • Tony Lindgren's avatar
      dmaengine: cppi41: Fix oops in cppi41_runtime_resume · bc05a2e9
      Tony Lindgren authored
      commit 362f4562 upstream.
      
      Commit fdea2d09 ("dmaengine: cppi41: Add basic PM runtime support")
      together with recent MUSB changes allowed USB and DMA on BeagleBone to idle
      when no cable is connected. But looks like few corner case issues still
      remain.
      
      Looks like just by re-plugging USB cable about ten or so times on BeagleBone
      when configured in USB peripheral mode we can get warnings and eventually
      trigger an oops in cppi41 DMA:
      
      WARNING: CPU: 0 PID: 14 at drivers/dma/cppi41.c:1154 cppi41_runtime_suspend+
      x28/0x38 [cppi41]
      ...
      
      WARNING: CPU: 0 PID: 14 at drivers/dma/cppi41.c:452
      push_desc_queue+0x94/0x9c [cppi41]
      ...
      
      Unable to handle kernel NULL pointer dereference at virtual
      address 00000104
      pgd = c0004000
      [00000104] *pgd=00000000
      Internal error: Oops: 805 [#1] SMP ARM
      ...
      [<bf0d92cc>] (cppi41_runtime_resume [cppi41]) from [<c0589838>]
      (__rpm_callback+0xc0/0x214)
      [<c0589838>] (__rpm_callback) from [<c05899ac>] (rpm_callback+0x20/0x80)
      [<c05899ac>] (rpm_callback) from [<c0589460>] (rpm_resume+0x504/0x78c)
      [<c0589460>] (rpm_resume) from [<c058a1a0>] (pm_runtime_work+0x60/0xa8)
      [<c058a1a0>] (pm_runtime_work) from [<c0156120>] (process_one_work+0x2b4/0x808)
      
      This is because of a race with runtime PM and cppi41_dma_issue_pending()
      as reported by Alexandre Bailon <abailon@baylibre.com> in earlier
      set of patches. Based on mailing list discussions we however came to the
      conclusion that a different fix from Alexandre's fix is needed in order
      to guarantee that DMA is really active when we try to use it.
      
      To fix the issue, we need to add a driver specific flag as we otherwise
      can have -EINPROGRESS state set by runtime PM and can't rely on
      pm_runtime_active() to tell us when we can use the DMA.
      
      And we need to make sure the DMA transfers get triggered in the queued
      order. So let's always queue the transfers, then flush the queue
      from both cppi41_dma_issue_pending() and cppi41_runtime_resume()
      as suggested by Grygorii Strashko <grygorii.strashko@ti.com> in an
      earlier example patch.
      
      For reference, this is also documented in Documentation/power/runtime_pm.txt
      in the example at the end of the file as pointed out by Grygorii Strashko
      <grygorii.strashko@ti.com>.
      
      Based on earlier patches from Alexandre Bailon <abailon@baylibre.com>
      and Grygorii Strashko <grygorii.strashko@ti.com> modified based on
      testing and what was discussed on the mailing lists.
      
      Fixes: fdea2d09 ("dmaengine: cppi41: Add basic PM runtime support")
      Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
      Cc: Bin Liu <b-liu@ti.com>
      Cc: Grygorii Strashko <grygorii.strashko@ti.com>
      Cc: Kevin Hilman <khilman@baylibre.com>
      Cc: Patrick Titiano <ptitiano@baylibre.com>
      Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reported-by: default avatarAlexandre Bailon <abailon@baylibre.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Tested-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc05a2e9
    • Tony Lindgren's avatar
      dmaengine: cppi41: Fix runtime PM timeouts with USB mass storage · 2c2e7fe7
      Tony Lindgren authored
      commit ae4a3e02 upstream.
      
      Commit fdea2d09 ("dmaengine: cppi41: Add basic PM runtime support")
      added runtime PM support for cppi41, but had corner case issues. Some of
      the issues were fixed with commit 098de42a ("dmaengine: cppi41: Fix
      unpaired pm runtime when only a USB hub is connected"). That fix however
      caused a new regression where we can get error -115 messages with USB on
      BeagleBone when connecting a USB mass storage device to a hub.
      
      This is because when connecting a USB mass storage device to a hub, the
      initial DMA transfers can take over 200ms to complete and cppi41
      autosuspend delay times out.
      
      To fix the issue, we want to implement refcounting for chan_busy array
      that contains the active dma transfers. Increasing the autosuspend delay
      won't help as that the delay could be potentially seconds, and it's best
      to let the USB subsystem to deal with the timeouts on errors.
      
      The earlier attempt for runtime PM was buggy as the pm_runtime_get/put()
      calls could get unpaired easily as they did not follow the state of
      the chan_busy array as described in commit 098de42a ("dmaengine:
      cppi41: Fix unpaired pm runtime when only a USB hub is connected".
      
      Let's fix the issue by adding pm_runtime_get() to where a new transfer
      is added to the chan_busy array, and calls to pm_runtime_put() where
      chan_busy array entry is cleared. This prevents any autosuspend timeouts
      from happening while dma transfers are active.
      
      Fixes: 098de42a ("dmaengine: cppi41: Fix unpaired pm runtime when
      only a USB hub is connected")
      Fixes: fdea2d09 ("dmaengine: cppi41: Add basic PM runtime support")
      Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
      Cc: Bin Liu <b-liu@ti.com>
      Cc: Grygorii Strashko <grygorii.strashko@ti.com>
      Cc: Kevin Hilman <khilman@baylibre.com>
      Cc: Patrick Titiano <ptitiano@baylibre.com>
      Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Tested-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c2e7fe7
    • Thomas Gleixner's avatar
      perf/x86/intel/uncore: Clean up hotplug conversion fallout · bebb9d75
      Thomas Gleixner authored
      commit 1aa6cfd3 upstream.
      
      The recent conversion to the hotplug state machine kept two mechanisms from
      the original code:
      
       1) The first_init logic which adds the number of online CPUs in a package
          to the refcount. That's wrong because the callbacks are executed for
          all online CPUs.
      
          Remove it so the refcounting is correct.
      
       2) The on_each_cpu() call to undo box->init() in the error handling
          path. That's bogus because when the prepare callback fails no box has
          been initialized yet.
      
          Remove it.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sebastian Siewior <bigeasy@linutronix.de>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: Yasuaki Ishimatsu <yasu.isimatu@gmail.com>
      Fixes: 1a246b9f ("perf/x86/intel/uncore: Convert to hotplug state machine")
      Link: http://lkml.kernel.org/r/20170131230141.298032324@linutronix.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bebb9d75
    • Jason Gerecke's avatar
      HID: wacom: Fix poor prox handling in 'wacom_pl_irq' · e6bd7121
      Jason Gerecke authored
      commit 282e4637 upstream.
      
      Commit 025bcc15 performed cleanup work on the 'wacom_pl_irq' function, making
      it follow the standards used in the rest of the codebase. The change
      unintiontionally allowed the function to send input events from reports
      that are not marked as being in prox. This can cause problems as the
      report values for X, Y, etc. are not guaranteed to be correct. In
      particular, occasionally the tablet will send a report with these values
      set to zero. If such a report is received it can caus an unexpected jump
      in the XY position.
      
      This patch surrounds more of the processing code with a proximity check,
      preventing these zeroed reports from overwriting the current state. To
      be safe, only the tool type and ABS_MISC events should be reported when
      the pen is marked as being out of prox.
      
      Fixes: 025bcc15 ("HID: wacom: Simplify 'wacom_pl_irq'")
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: default avatarPing Cheng <pingc@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e6bd7121
    • Ardinartsev Nikita's avatar
      HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 · f24bc920
      Ardinartsev Nikita authored
      commit 877a021e upstream.
      
      With NOGET quirk Logitech F510 is now fully workable in dinput mode including
      rumble effects (according to fftest).
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117091
      
      [jkosina@suse.cz: fix patch format]
      Signed-off-by: default avatarArdinartsev Nikita <ardinar23@gmail.com>
      Acked-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f24bc920
    • Colin Ian King's avatar
      HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL · 80246551
      Colin Ian King authored
      commit ed9ab428 upstream.
      
      Quirking the following AMI USB device with ALWAYS_POLL fixes an AMI
      virtual keyboard and mouse from not responding and timing out when
      it is attached to a ppc64el Power 8 system and when we have some
      rapid open/closes on the mouse device.
      
       usb 1-3: new high-speed USB device number 2 using xhci_hcd
       usb 1-3: New USB device found, idVendor=046b, idProduct=ff01
       usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
       usb 1-3: Product: Virtual Hub
       usb 1-3: Manufacturer: American Megatrends Inc.
       usb 1-3: SerialNumber: serial
       usb 1-3.3: new high-speed USB device number 3 using xhci_hcd
       usb 1-3.3: New USB device found, idVendor=046b, idProduct=ff31
       usb 1-3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
       usb 1-3.3: Product: Virtual HardDisk Device
       usb 1-3.3: Manufacturer: American Megatrends Inc.
       usb 1-3.4: new low-speed USB device number 4 using xhci_hcd
       usb 1-3.4: New USB device found, idVendor=046b, idProduct=ff10
       usb 1-3.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
       usb 1-3.4: Product: Virtual Keyboard and Mouse
       usb 1-3.4: Manufacturer: American Megatrends Inc.
      
      With the quirk I have not been able to trigger the issue with
      half an hour of saturation soak testing.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80246551
    • Johannes Berg's avatar
      iwlwifi: mvm: avoid crash on restart w/o reserved queues · 40add19d
      Johannes Berg authored
      commit 03c902bf upstream.
      
      When the firmware restarts in a situation in which any station
      has no queue reserved anymore because that queue was used, the
      code will crash trying to access the queue_info array at the
      offset 255, which is far too big. Fix this by checking that a
      queue is actually reserved before writing its status.
      
      Fixes: 8d98ae6e ("iwlwifi: mvm: re-assign old queues after hw restart in dqa mode")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40add19d
    • Jürg Billeter's avatar
      iwlwifi: fix double hyphen in MODULE_FIRMWARE for 8000 · 97663735
      Jürg Billeter authored
      commit 7941c59e upstream.
      
      Mistakenly, the driver is trying to load the 8000C firmware with an
      incorrect name (i.e. with two hyphens where there should be only one)
      and that fails.  Fix that by removing the hyphen from the format
      macro.
      
      Fixes: e1ba684f ("iwlwifi: 8000: fix MODULE_FIRMWARE input")
      Signed-off-by: default avatarJürg Billeter <j@bitron.ch>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97663735
    • Andy Shevchenko's avatar
      pinctrl: intel: merrifield: Add missed check in mrfld_config_set() · 3d8ec7d2
      Andy Shevchenko authored
      commit 19b26d92 upstream.
      
      Not every pin can be configured. Add missed check to prevent access
      violation.
      
      Fixes: 4e80c8f5 ("pinctrl: intel: Add Intel Merrifield pin controller support")
      Acked-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d8ec7d2
    • Andy Shevchenko's avatar
      pinctrl: baytrail: Debounce register is one per community · 2cf6c492
      Andy Shevchenko authored
      commit 1b89970d upstream.
      
      Debounce value is set globally per community. Otherwise user will easily
      get a kernel crash when they start using the feature:
      
      BUG: unable to handle kernel paging request at ffffc900003be000
      IP: byt_gpio_dbg_show+0xa9/0x430
      
      Make it clear in byt_gpio_reg().
      
      Note that this fix just prevents kernel to crash, but doesn't make any
      difference to the existing logic. It means the last caller will win the
      trade and debounce value will be configured accordingly. The actual
      logic fix needs to be thought about and it's not as important as crash
      fix. That's why the latter goes separately and right now.
      
      Fixes: 658b476c ("pinctrl: baytrail: Add debounce configuration")
      Cc: Cristina Ciocan <cristina.ciocan@intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      Acked-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2cf6c492
    • Michael S. Tsirkin's avatar
      Revert "vring: Force use of DMA API for ARM-based systems with legacy devices" · 449d3ecf
      Michael S. Tsirkin authored
      commit 0d5415b4 upstream.
      
      This reverts commit c7070619.
      
      This has been shown to regress on some ARM systems:
      
      by forcing on DMA API usage for ARM systems, we have inadvertently
      kicked open a hornets' nest in terms of cache-coherency. Namely that
      unless the virtio device is explicitly described as capable of coherent
      DMA by firmware, the DMA APIs on ARM and other DT-based platforms will
      assume it is non-coherent. This turns out to cause a big problem for the
      likes of QEMU and kvmtool, which generate virtio-mmio devices in their
      guest DTs but neglect to add the often-overlooked "dma-coherent"
      property; as a result, we end up with the guest making non-cacheable
      accesses to the vring, the host doing so cacheably, both talking past
      each other and things going horribly wrong.
      
      We are working on a safer work-around.
      
      Fixes: c7070619 ("vring: Force use of DMA API for ARM-based systems with legacy devices")
      Reported-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      449d3ecf
    • Rafał Miłecki's avatar
      Revert "bcma: init serial console directly from ChipCommon code" · 16f61dee
      Rafał Miłecki authored
      commit 7195439d upstream.
      
      This reverts commit 4c81acab ("bcma: init serial console directly
      from ChipCommon code") as it broke IRQ assignment. Getting IRQ with
      bcma_core_irq helper on SoC requires MIPS core to be set. It happens
      *after* ChipCommon initialization so we can't do this so early.
      
      This fixes a user reported regression. It wasn't critical as serial was
      still somehow working but lack of IRQs was making in unreliable.
      
      Fixes: 4c81acab ("bcma: init serial console directly from ChipCommon code")
      Reported-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16f61dee
    • Douglas Miller's avatar
      percpu-refcount: fix reference leak during percpu-atomic transition · 12f822d2
      Douglas Miller authored
      commit 966d2b04 upstream.
      
      percpu_ref_tryget() and percpu_ref_tryget_live() should return
      "true" IFF they acquire a reference. But the return value from
      atomic_long_inc_not_zero() is a long and may have high bits set,
      e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines
      is bool so the reference may actually be acquired but the routines
      return "false" which results in a reference leak since the caller
      assumes it does not need to do a corresponding percpu_ref_put().
      
      This was seen when performing CPU hotplug during I/O, as hangs in
      blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start)
      raced with percpu_ref_tryget (blk_mq_timeout_work).
      Sample stack trace:
      
      __switch_to+0x2c0/0x450
      __schedule+0x2f8/0x970
      schedule+0x48/0xc0
      blk_mq_freeze_queue_wait+0x94/0x120
      blk_mq_queue_reinit_work+0xb8/0x180
      blk_mq_queue_reinit_prepare+0x84/0xa0
      cpuhp_invoke_callback+0x17c/0x600
      cpuhp_up_callbacks+0x58/0x150
      _cpu_up+0xf0/0x1c0
      do_cpu_up+0x120/0x150
      cpu_subsys_online+0x64/0xe0
      device_online+0xb4/0x120
      online_store+0xb4/0xc0
      dev_attr_store+0x68/0xa0
      sysfs_kf_write+0x80/0xb0
      kernfs_fop_write+0x17c/0x250
      __vfs_write+0x6c/0x1e0
      vfs_write+0xd0/0x270
      SyS_write+0x6c/0x110
      system_call+0x38/0xe0
      
      Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS,
      and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests.
      However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0
      and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set.
      
      The fix is to make the tryget routines use an actual boolean internally instead
      of the atomic long result truncated to a int.
      
      Fixes: e625305b percpu-refcount: make percpu_ref based on longs instead of ints
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751Signed-off-by: default avatarDouglas Miller <dougmill@linux.vnet.ibm.com>
      Reviewed-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Fixes: e625305b ("percpu-refcount: make percpu_ref based on longs instead of ints")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      12f822d2
    • Rask Ingemann Lambertsen's avatar
      regulator: axp20x: AXP806: Fix dcdcb being set instead of dcdce · 8ee8ff9e
      Rask Ingemann Lambertsen authored
      commit d0e287a4 upstream.
      
      A typo or copy-paste bug means that the register access intended for
      regulator dcdce goes to dcdcb instead. This patch corrects it.
      
      Fixes: 2ca342d3 (regulator: axp20x: Support AXP806 variant)
      Signed-off-by: default avatarRask Ingemann Lambertsen <rask@formelder.dk>
      Acked-by: default avatarChen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ee8ff9e
    • Halil Pasic's avatar
      vhost: fix initialization for vq->is_le · 1594edd9
      Halil Pasic authored
      commit cda8bba0 upstream.
      
      Currently, under certain circumstances vhost_init_is_le does just a part
      of the initialization job, and depends on vhost_reset_is_le being called
      too. For this reason vhost_vq_init_access used to call vhost_reset_is_le
      when vq->private_data is NULL. This is not only counter intuitive, but
      also real a problem because it breaks vhost_net. The bug was introduced to
      vhost_net with commit 2751c988 ("vhost: cross-endian support for
      legacy devices"). The symptom is corruption of the vq's used.idx field
      (virtio) after VHOST_NET_SET_BACKEND was issued as a part of the vhost
      shutdown on a vq with pending descriptors.
      
      Let us make sure the outcome of vhost_init_is_le never depend on the state
      it is actually supposed to initialize, and fix virtio_net by removing the
      reset from vhost_vq_init_access.
      
      With the above, there is no reason for vhost_reset_is_le to do just half
      of the job. Let us make vhost_reset_is_le reinitialize is_le.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.vnet.ibm.com>
      Reported-by: default avatarMichael A. Tebolt <miket@us.ibm.com>
      Reported-by: default avatarDr. David Alan Gilbert <dgilbert@redhat.com>
      Fixes: commit 2751c988 ("vhost: cross-endian support for legacy devices")
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: default avatarGreg Kurz <groug@kaod.org>
      Tested-by: default avatarMichael A. Tebolt <miket@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1594edd9
    • Gabriel Krisman Bertazi's avatar
      mmc: sdhci: Ignore unexpected CARD_INT interrupts · 04eb7db2
      Gabriel Krisman Bertazi authored
      commit 161e6d44 upstream.
      
      One of our kernelCI boxes hanged at boot because a faulty eSDHC device
      was triggering spurious CARD_INT interrupts for SD cards, causing CMD52
      reads, which are not allowed for SD devices.  This adds a sanity check
      to the interruption path, preventing that illegal command from getting
      sent if the CARD_INT interruption should be disabled.
      
      This quirk allows that particular machine to resume boot despite the
      faulty hardware, instead of getting hung dealing with thousands of
      mishandled interrupts.
      Suggested-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarGabriel Krisman Bertazi <krisman@collabora.co.uk>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04eb7db2
    • Tejun Heo's avatar
      cgroup: don't online subsystems before cgroup_name/path() are operational · 1d88791d
      Tejun Heo authored
      commit 07cd1294 upstream.
      
      While refactoring cgroup creation, a5bca215 ("cgroup: factor out
      cgroup_create() out of cgroup_mkdir()") incorrectly onlined subsystems
      before the new cgroup is associated with it kernfs_node.  This is fine
      for cgroup proper but cgroup_name/path() depend on the associated
      kernfs_node and if a subsystem makes the new cgroup_subsys_state
      visible, which they're allowed to after onlining, it can lead to NULL
      dereference.
      
      The current code performs cgroup creation and subsystem onlining in
      cgroup_create() and cgroup_mkdir() makes the cgroup and subsystems
      visible afterwards.  There's no reason to online the subsystems early
      and we can simply drop cgroup_apply_control_enable() call from
      cgroup_create() so that the subsystems are onlined and made visible at
      the same time.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Fixes: a5bca215 ("cgroup: factor out cgroup_create() out of cgroup_mkdir()")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d88791d
    • Oliver Hartkopp's avatar
      can: bcm: fix hrtimer/tasklet termination in bcm op removal · a150e087
      Oliver Hartkopp authored
      commit a06393ed upstream.
      
      When removing a bcm tx operation either a hrtimer or a tasklet might run.
      As the hrtimer triggers its associated tasklet and vice versa we need to
      take care to mutually terminate both handlers.
      Reported-by: default avatarMichael Josenhans <michael.josenhans@web.de>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Tested-by: default avatarMichael Josenhans <michael.josenhans@web.de>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a150e087
    • Steven Rostedt (VMware)'s avatar
      tracing: Fix hwlat kthread migration · a93ae8dc
      Steven Rostedt (VMware) authored
      commit 79c6f448 upstream.
      
      The hwlat tracer creates a kernel thread at start of the tracer. It is
      pinned to a single CPU and will move to the next CPU after each period of
      running. If the user modifies the migration thread's affinity, it will not
      change after that happens.
      
      The original code created the thread at the first instance it was called,
      but later was changed to destroy the thread after the tracer was finished,
      and would not be created until the next instance of the tracer was
      established. The code that initialized the affinity was only called on the
      initial instantiation of the tracer. After that, it was not initialized, and
      the previous affinity did not match the current newly created one, making
      it appear that the user modified the thread's affinity when it did not, and
      the thread failed to migrate again.
      
      Fixes: 0330f7aa ("tracing: Have hwlat trace migrate across tracing_cpumask CPUs")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a93ae8dc
    • Michal Hocko's avatar
      mm, fs: check for fatal signals in do_generic_file_read() · b67c7d39
      Michal Hocko authored
      commit 5abf186a upstream.
      
      do_generic_file_read() can be told to perform a large request from
      userspace.  If the system is under OOM and the reading task is the OOM
      victim then it has an access to memory reserves and finishing the full
      request can lead to the full memory depletion which is dangerous.  Make
      sure we rather go with a short read and allow the killed task to
      terminate.
      
      Link: http://lkml.kernel.org/r/20170201092706.9966-3-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b67c7d39
    • Toshi Kani's avatar
      base/memory, hotplug: fix a kernel oops in show_valid_zones() · 6cb0497a
      Toshi Kani authored
      commit a96dfddb upstream.
      
      Reading a sysfs "memoryN/valid_zones" file leads to the following oops
      when the first page of a range is not backed by struct page.
      show_valid_zones() assumes that 'start_pfn' is always valid for
      page_zone().
      
       BUG: unable to handle kernel paging request at ffffea017a000000
       IP: show_valid_zones+0x6f/0x160
      
      This issue may happen on x86-64 systems with 64GiB or more memory since
      their memory block size is bumped up to 2GiB.  [1] An example of such
      systems is desribed below.  0x3240000000 is only aligned by 1GiB and
      this memory block starts from 0x3200000000, which is not backed by
      struct page.
      
       BIOS-e820: [mem 0x0000003240000000-0x000000603fffffff] usable
      
      Since test_pages_in_a_zone() already checks holes, fix this issue by
      extending this function to return 'valid_start' and 'valid_end' for a
      given range.  show_valid_zones() then proceeds with the valid range.
      
      [1] 'Commit bdee237c ("x86: mm: Use 2GB memory block size on
          large-memory x86-64 systems")'
      
      Link: http://lkml.kernel.org/r/20170127222149.30893-3-toshi.kani@hpe.comSigned-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Zhang Zhen <zhenzhang.zhang@huawei.com>
      Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6cb0497a
    • Toshi Kani's avatar
      mm/memory_hotplug.c: check start_pfn in test_pages_in_a_zone() · 72f74196
      Toshi Kani authored
      commit deb88a2a upstream.
      
      Patch series "fix a kernel oops when reading sysfs valid_zones", v2.
      
      A sysfs memory file is created for each 2GiB memory block on x86-64 when
      the system has 64GiB or more memory.  [1] When the start address of a
      memory block is not backed by struct page, i.e.  a memory range is not
      aligned by 2GiB, reading its 'valid_zones' attribute file leads to a
      kernel oops.  This issue was observed on multiple x86-64 systems with
      more than 64GiB of memory.  This patch-set fixes this issue.
      
      Patch 1 first fixes an issue in test_pages_in_a_zone(), which does not
      test the start section.
      
      Patch 2 then fixes the kernel oops by extending test_pages_in_a_zone()
      to return valid [start, end).
      
      Note for stable kernels: The memory block size change was made by commit
      bdee237c ("x86: mm: Use 2GB memory block size on large-memory x86-64
      systems"), which was accepted to 3.9.  However, this patch-set depends
      on (and fixes) the change to test_pages_in_a_zone() made by commit
      5f0f2887 ("mm/memory_hotplug.c: check for missing sections in
      test_pages_in_a_zone()"), which was accepted to 4.4.
      
      So, I recommend that we backport it up to 4.4.
      
      [1] 'Commit bdee237c ("x86: mm: Use 2GB memory block size on
          large-memory x86-64 systems")'
      
      This patch (of 2):
      
      test_pages_in_a_zone() does not check 'start_pfn' when it is aligned by
      section since 'sec_end_pfn' is set equal to 'pfn'.  Since this function
      is called for testing the range of a sysfs memory file, 'start_pfn' is
      always aligned by section.
      
      Fix it by properly setting 'sec_end_pfn' to the next section pfn.
      
      Also make sure that this function returns 1 only when the range belongs
      to a zone.
      
      Link: http://lkml.kernel.org/r/20170127222149.30893-2-toshi.kani@hpe.comSigned-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Cc: Andrew Banman <abanman@sgi.com>
      Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72f74196
    • Rabin Vincent's avatar
      cifs: initialize file_info_lock · 9e255997
      Rabin Vincent authored
      commit 81ddd8c0 upstream.
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      
      file_info_lock is not initalized in initiate_cifs_search(), leading to the
      following splat after a simple "mount.cifs ... dir && ls dir/":
      
       BUG: spinlock bad magic on CPU#0, ls/486
        lock: 0xffff880009301110, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
       CPU: 0 PID: 486 Comm: ls Not tainted 4.9.0 #27
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
        ffffc900042f3db0 ffffffff81327533 0000000000000000 ffff880009301110
        ffffc900042f3dd0 ffffffff810baf75 ffff880009301110 ffffffff817ae077
        ffffc900042f3df0 ffffffff810baff6 ffff880009301110 ffff880008d69900
       Call Trace:
        [<ffffffff81327533>] dump_stack+0x65/0x92
        [<ffffffff810baf75>] spin_dump+0x85/0xe0
        [<ffffffff810baff6>] spin_bug+0x26/0x30
        [<ffffffff810bb159>] do_raw_spin_lock+0xe9/0x130
        [<ffffffff8159ad2f>] _raw_spin_lock+0x1f/0x30
        [<ffffffff8127e50d>] cifs_closedir+0x4d/0x100
        [<ffffffff81181cfd>] __fput+0x5d/0x160
        [<ffffffff81181e3e>] ____fput+0xe/0x10
        [<ffffffff8109410e>] task_work_run+0x7e/0xa0
        [<ffffffff81002512>] exit_to_usermode_loop+0x92/0xa0
        [<ffffffff810026f9>] syscall_return_slowpath+0x49/0x50
        [<ffffffff8159b484>] entry_SYSCALL_64_fastpath+0xa7/0xa9
      
      Fixes: 3afca265 ("Clarify locking of cifs file and tcon structures and make more granular")
      Signed-off-by: default avatarRabin Vincent <rabinv@axis.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e255997
    • Dan Streetman's avatar
      zswap: disable changing params if init fails · f0c3a0ac
      Dan Streetman authored
      commit d7b028f5 upstream.
      
      Add zswap_init_failed bool that prevents changing any of the module
      params, if init_zswap() fails, and set zswap_enabled to false.  Change
      'enabled' param to a callback, and check zswap_init_failed before
      allowing any change to 'enabled', 'zpool', or 'compressor' params.
      
      Any driver that is built-in to the kernel will not be unloaded if its
      init function returns error, and its module params remain accessible for
      users to change via sysfs.  Since zswap uses param callbacks, which
      assume that zswap has been initialized, changing the zswap params after
      a failed initialization will result in WARNING due to the param
      callbacks expecting a pool to already exist.  This prevents that by
      immediately exiting any of the param callbacks if initialization failed.
      
      This was reported here:
        https://marc.info/?l=linux-mm&m=147004228125528&w=4
      
      And fixes this WARNING:
        [  429.723476] WARNING: CPU: 0 PID: 5140 at mm/zswap.c:503 __zswap_pool_current+0x56/0x60
      
      The warning is just noise, and not serious.  However, when init fails,
      zswap frees all its percpu dstmem pages and its kmem cache.  The kmem
      cache might be serious, if kmem_cache_alloc(NULL, gfp) has problems; but
      the percpu dstmem pages are definitely a problem, as they're used as
      temporary buffer for compressed pages before copying into place in the
      zpool.
      
      If the user does get zswap enabled after an init failure, then zswap
      will likely Oops on the first page it tries to compress (or worse, start
      corrupting memory).
      
      Fixes: 90b0fc26 ("zswap: change zpool/compressor at runtime")
      Link: http://lkml.kernel.org/r/20170124200259.16191-2-ddstreet@ieee.orgSigned-off-by: default avatarDan Streetman <dan.streetman@canonical.com>
      Reported-by: default avatarMarcin Miroslaw <marcin@mejor.pl>
      Cc: Seth Jennings <sjenning@redhat.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
      Cc: Minchan Kim <minchan@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0c3a0ac
    • J. Bruce Fields's avatar
      svcrpc: fix oops in absence of krb5 module · a3d72952
      J. Bruce Fields authored
      commit 034dd34f upstream.
      
      Olga Kornievskaia says: "I ran into this oops in the nfsd (below)
      (4.10-rc3 kernel). To trigger this I had a client (unsuccessfully) try
      to mount the server with krb5 where the server doesn't have the
      rpcsec_gss_krb5 module built."
      
      The problem is that rsci.cred is copied from a svc_cred structure that
      gss_proxy didn't properly initialize.  Fix that.
      
      [120408.542387] general protection fault: 0000 [#1] SMP
      ...
      [120408.565724] CPU: 0 PID: 3601 Comm: nfsd Not tainted 4.10.0-rc3+ #16
      [120408.567037] Hardware name: VMware, Inc. VMware Virtual =
      Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
      [120408.569225] task: ffff8800776f95c0 task.stack: ffffc90003d58000
      [120408.570483] RIP: 0010:gss_mech_put+0xb/0x20 [auth_rpcgss]
      ...
      [120408.584946]  ? rsc_free+0x55/0x90 [auth_rpcgss]
      [120408.585901]  gss_proxy_save_rsc+0xb2/0x2a0 [auth_rpcgss]
      [120408.587017]  svcauth_gss_proxy_init+0x3cc/0x520 [auth_rpcgss]
      [120408.588257]  ? __enqueue_entity+0x6c/0x70
      [120408.589101]  svcauth_gss_accept+0x391/0xb90 [auth_rpcgss]
      [120408.590212]  ? try_to_wake_up+0x4a/0x360
      [120408.591036]  ? wake_up_process+0x15/0x20
      [120408.592093]  ? svc_xprt_do_enqueue+0x12e/0x2d0 [sunrpc]
      [120408.593177]  svc_authenticate+0xe1/0x100 [sunrpc]
      [120408.594168]  svc_process_common+0x203/0x710 [sunrpc]
      [120408.595220]  svc_process+0x105/0x1c0 [sunrpc]
      [120408.596278]  nfsd+0xe9/0x160 [nfsd]
      [120408.597060]  kthread+0x101/0x140
      [120408.597734]  ? nfsd_destroy+0x60/0x60 [nfsd]
      [120408.598626]  ? kthread_park+0x90/0x90
      [120408.599448]  ret_from_fork+0x22/0x30
      
      Fixes: 1d658336 "SUNRPC: Add RPC based upcall mechanism for RPCGSS auth"
      Cc: Simo Sorce <simo@redhat.com>
      Reported-by: default avatarOlga Kornievskaia <kolga@netapp.com>
      Tested-by: default avatarOlga Kornievskaia <kolga@netapp.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3d72952
    • Kinglong Mee's avatar
      NFSD: Fix a null reference case in find_or_create_lock_stateid() · 743146d3
      Kinglong Mee authored
      commit d19fb70d upstream.
      
      nfsd assigns the nfs4_free_lock_stateid to .sc_free in init_lock_stateid().
      
      If nfsd doesn't go through init_lock_stateid() and put stateid at end,
      there is a NULL reference to .sc_free when calling nfs4_put_stid(ns).
      
      This patch let the nfs4_stid.sc_free assignment to nfs4_alloc_stid().
      
      Fixes: 356a95ec "nfsd: clean up races in lock stateid searching..."
      Signed-off-by: default avatarKinglong Mee <kinglongmee@gmail.com>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      743146d3
    • Reza Arbab's avatar
      powerpc/mm: Use the correct pointer when setting a 2MB pte · 4c953848
      Reza Arbab authored
      commit a0615a16 upstream.
      
      When setting a 2MB pte, radix__map_kernel_page() is using the address
      
      	ptep = (pte_t *)pudp;
      
      Fix this conversion to use pmdp instead. Use pmdp_ptep() to do this
      instead of casting the pointer.
      
      Fixes: 2bfd65e4 ("powerpc/mm/radix: Add radix callbacks for early init routines")
      Reviewed-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarReza Arbab <arbab@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c953848
    • Michael Ellerman's avatar
      powerpc: Fix build failure with clang due to BUILD_BUG_ON() · 8f415333
      Michael Ellerman authored
      commit b5fa0f7f upstream.
      
      Anton says: In commit 4db73271 ("powerpc: Add option to use jump
      label for cpu_has_feature()") and commit c12e6f24 ("powerpc: Add
      option to use jump label for mmu_has_feature()") we added:
      
        BUILD_BUG_ON(!__builtin_constant_p(feature))
      
      to cpu_has_feature() and mmu_has_feature() in order to catch usage
      issues (such as cpu_has_feature(cpu_has_feature(X), which has happened
      once in the past). Unfortunately LLVM isn't smart enough to resolve
      this, and it errors out.
      
      I work around it in my clang/LLVM builds of the kernel, but I have just
      discovered that it causes a lot of issues for the bcc (eBPF) trace tool
      (which uses LLVM).
      
      For now just #ifdef it away for clang builds.
      
      Fixes: 4db73271 ("powerpc: Add option to use jump label for cpu_has_feature()")
      Fixes: c12e6f24 ("powerpc: Add option to use jump label for mmu_has_feature()")
      Reported-by: default avatarAnton Blanchard <anton@samba.org>
      Tested-by: default avatarNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f415333
    • Darren Stevens's avatar
      powerpc: Add missing error check to prom_find_boot_cpu() · bbf69e51
      Darren Stevens authored
      commit af2b7fa1 upstream.
      
      prom_init.c calls 'instance-to-package' twice, but the return
      is not checked during prom_find_boot_cpu(). The result is then
      passed to prom_getprop(), which could be PROM_ERROR. Add a return check
      to prevent this.
      
      This was found on a pasemi system, where CFE doesn't have a working
      'instance-to package' prom call.
      
      Before Commit 5c0484e2 ('powerpc: Endian safe trampoline') the area
      around addr 0 was mostly 0's and this doesn't cause a problem. Once the
      macro 'FIXUP_ENDIAN' has been added to head_64.S, the low memory area
      now has non-zero values, which cause the prom_getprop() call
      to hang.
      
      mpe: Also confirmed that under SLOF if 'instance-to-package' did fail
      with PROM_ERROR we would crash in SLOF. So the bug is not specific to
      CFE, it's just that other open firmwares don't trigger it because they
      have a working 'instance-to-package'.
      
      Fixes: 5c0484e2 ("powerpc: Endian safe trampoline")
      Signed-off-by: default avatarDarren Stevens <darren@stevens-zone.net>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbf69e51
    • Gavin Shan's avatar
      powerpc/eeh: Fix wrong flag passed to eeh_unfreeze_pe() · 73d45909
      Gavin Shan authored
      commit f05fea5b upstream.
      
      In __eeh_clear_pe_frozen_state(), we should pass the flag's value
      instead of its address to eeh_unfreeze_pe(). The isolated flag is
      cleared if no error returned from __eeh_clear_pe_frozen_state(). We
      never observed the error from the function. So the isolated flag should
      have been always cleared, no real issue is caused because of the misused
      @flag.
      
      This fixes the code by passing the value of @flag to eeh_unfreeze_pe().
      
      Fixes: 5cfb20b9 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
      Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73d45909
    • Damien Le Moal's avatar
      libata: Fix ATA request sense · 4b70d598
      Damien Le Moal authored
      commit 2dae9955 upstream.
      
      For an ATA device supporting the sense data reporting feature set, a
      failed command will trigger the execution of ata_eh_request_sense if
      the result task file of the failed command has the ATA_SENSE bit set
      (sense data available bit). ata_eh_request_sense executes the REQUEST
      SENSE DATA EXT command to retrieve the sense data of the failed
      command. On success of REQUEST SENSE DATA EXT, the ATA_SENSE bit will
      NOT be set (the command succeeded) but ata_eh_request_sense
      nevertheless tests the availability of sense data by testing that bit
      presence in the result tf of the REQUEST SENSE DATA EXT command.  This
      leads us to falsely assume that request sense data failed and to the
      warning message:
      
      atax.xx: request sense failed stat 50 emask 0
      
      Upon success of REQUEST SENSE DATA EXT, set the ATA_SENSE bit in the
      result task file command so that sense data can be returned by
      ata_eh_request_sense.
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@wdc.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b70d598
    • Tejun Heo's avatar
      libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices · 6d08607e
      Tejun Heo authored
      commit e0edc8c5 upstream.
      
      Marko reports that CX1-JB512-HP shows the same timeout issues as
      CX1-JB256-HP.  Let's apply MAX_SEC_128 to all devices in the series.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarMarko Koski-Vähälä <marko@koski-vahala.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d08607e
    • Arvind Yadav's avatar
      ata: sata_mv:- Handle return value of devm_ioremap. · fc794153
      Arvind Yadav authored
      commit 064c3db9 upstream.
      
      Here, If devm_ioremap will fail. It will return NULL.
      Then hpriv->base = NULL - 0x20000; Kernel can run into
      a NULL-pointer dereference. This error check will avoid
      NULL pointer dereference.
      Signed-off-by: default avatarArvind Yadav <arvind.yadav.cs@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc794153
    • Peter Zijlstra's avatar
      perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory · b41615aa
      Peter Zijlstra authored
      commit 0b3589be upstream.
      
      Andres reported that MMAP2 records for anonymous memory always have
      their protection field 0.
      
      Turns out, someone daft put the prot/flags generation code in the file
      branch, leaving them unset for anonymous memory.
      Reported-by: default avatarAndres Freund <andres@anarazel.de>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Don Zickus <dzickus@redhat.com
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@gmail.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: acme@kernel.org
      Cc: anton@ozlabs.org
      Cc: namhyung@kernel.org
      Fixes: f972eb63 ("perf: Pass protection and flags bits through mmap2 interface")
      Link: http://lkml.kernel.org/r/20170126221508.GF6536@twins.programming.kicks-ass.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b41615aa