1. 08 Jun, 2018 40 commits
    • Ranjani Sridharan's avatar
      ASoC: topology: create TLV data for dapm widgets · 15eb27da
      Ranjani Sridharan authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit bde8b388 ]
      
      This patch adds the change required to create the TLV data
      for dapm widget kcontrols from topology. This also fixes the following
      TLV read error shown in amixer while showing the card control contents.
      "amixer: Control hw:1 element TLV read error: No such device or address"
      Signed-off-by: default avatarRanjani Sridharan <ranjani.sridharan@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      15eb27da
    • Mathieu Malaterre's avatar
      powerpc: Add missing prototype for arch_irq_work_raise() · 0536757c
      Mathieu Malaterre authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit f5246862 ]
      
      In commit 4f8b50bb ("irq_work, ppc: Fix up arch hooks") a new
      function arch_irq_work_raise() was added without a prototype in header
      irq_work.h.
      
      Fix the following warning (treated as error in W=1):
        arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’
      Signed-off-by: default avatarMathieu Malaterre <malat@debian.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      0536757c
    • Lars-Peter Clausen's avatar
      usb: gadget: ffs: Execute copy_to_user() with USER_DS set · 8cd0751f
      Lars-Peter Clausen authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 4058ebf3 ]
      
      When using a AIO read() operation on the function FS gadget driver a URB is
      submitted asynchronously and on URB completion the received data is copied
      to the userspace buffer associated with the read operation.
      
      This is done from a kernel worker thread invoking copy_to_user() (through
      copy_to_iter()). And while the user space process memory is made available
      to the kernel thread using use_mm(), some architecture require in addition
      to this that the operation runs with USER_DS set. Otherwise the userspace
      memory access will fail.
      
      For example on ARM64 with Privileged Access Never (PAN) and User Access
      Override (UAO) enabled the following crash occurs.
      
      	Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP
      	Modules linked in:
      	CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487
      	Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
      	Workqueue: events ffs_user_copy_worker
      	task: ffffffc87afc8080 task.stack: ffffffc87a00c000
      	PC is at __arch_copy_to_user+0x190/0x220
      	LR is at copy_to_iter+0x78/0x3c8
      	[...]
      	[<ffffff800847b790>] __arch_copy_to_user+0x190/0x220
      	[<ffffff80086f25d8>] ffs_user_copy_worker+0x70/0x130
      	[<ffffff80080b8c64>] process_one_work+0x1dc/0x460
      	[<ffffff80080b8f38>] worker_thread+0x50/0x4b0
      	[<ffffff80080bf5a0>] kthread+0xd8/0xf0
      	[<ffffff8008083680>] ret_from_fork+0x10/0x50
      
      Address this by placing a set_fs(USER_DS) before of the copy operation
      and revert it again once the copy operation has finished.
      
      This patch is analogous to commit d7ffde35 ("vhost: use USER_DS in
      vhost_worker thread") which addresses the same underlying issue.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8cd0751f
    • Lars-Peter Clausen's avatar
      usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS · f375190d
      Lars-Peter Clausen authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 946ef68a ]
      
      Some UDC drivers (like the DWC3) expect that the response to a setup()
      request is queued from within the setup function itself so that it is
      available as soon as setup() has completed.
      
      Upon receiving a setup request the function fs driver creates an event that
      is made available to userspace. And only once userspace has acknowledged
      that event the response to the setup request is queued.
      
      So it violates the requirement of those UDC drivers and random failures can
      be observed. This is basically a race condition and if userspace is able to
      read the event and queue the response fast enough all is good. But if it is
      not, for example because other processes are currently scheduled to run,
      the USB host that sent the setup request will observe an error.
      
      To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
      return code. If a setup() callback returns this value the UDC driver is
      aware that response is not yet available and can uses the appropriate
      methods to handle this case.
      
      Since in the case of function fs the response will never be available when
      the setup() function returns make sure that this status code is used.
      
      This fixed random occasional failures that were previously observed on a
      DWC3 based system under high system load.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      f375190d
    • Grigor Tovmasyan's avatar
      usb: dwc2: Fix interval type issue · 9cfbf2ce
      Grigor Tovmasyan authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 12814a3f ]
      
      The maximum value that unsigned char can hold is 255, meanwhile
      the maximum value of interval is  2^(bIntervalMax-1)=2^15.
      Signed-off-by: default avatarGrigor Tovmasyan <tovmasya@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      9cfbf2ce
    • Kamlakant Patel's avatar
      ipmi_ssif: Fix kernel panic at msg_done_handler · ad8ea377
      Kamlakant Patel authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit f002612b ]
      
      This happens when BMC doesn't return any data and the code is trying
      to print the value of data[2].
      
      Getting following crash:
      [  484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002
      [  484.736496] pgd = ffff0000094a2000
      [  484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000
      [  484.748158] Internal error: Oops: 96000005 [#1] SMP
      [...]
      [  485.101451] Call trace:
      [...]
      [  485.188473] [<ffff000000a46e68>] msg_done_handler+0x668/0x700 [ipmi_ssif]
      [  485.195249] [<ffff000000a456b8>] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif]
      [  485.202038] [<ffff0000080f1430>] kthread+0x108/0x138
      [  485.206994] [<ffff0000080838e0>] ret_from_fork+0x10/0x30
      [  485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3)
      
      Adding a check to validate the data len before printing data[2] to fix this issue.
      Signed-off-by: default avatarKamlakant Patel <kamlakant.patel@cavium.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      ad8ea377
    • Rafael J. Wysocki's avatar
      PCI: Restore config space on runtime resume despite being unbound · d4cba602
      Rafael J. Wysocki authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 5775b843 ]
      
      We leave PCI devices not bound to a driver in D0 during runtime suspend.
      But they may have a parent which is bound and can be transitioned to
      D3cold at runtime.  Once the parent goes to D3cold, the unbound child
      may go to D3cold as well.  When the child goes to D3cold, its internal
      state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost.
      
      One example are recent hybrid graphics laptops which cut power to the
      discrete GPU when the root port above it goes to ACPI power state D3.
      Users may provoke this by unbinding the GPU driver and allowing runtime
      PM on the GPU via sysfs:  The PM core will then treat the GPU as
      "suspended", which in turn allows the root port to runtime suspend,
      causing the power resources listed in its _PR3 object to be powered off.
      The GPU's BARs will be uninitialized when a driver later probes it.
      
      Another example are hybrid graphics laptops where the GPU itself (rather
      than the root port) is capable of runtime suspending to D3cold.  If the
      GPU's integrated HDA controller is not bound and the GPU's driver
      decides to runtime suspend to D3cold, the HDA controller's BARs will be
      uninitialized when a driver later probes it.
      
      Fix by saving and restoring config space over a runtime suspend cycle
      even if the device is not bound.
      Acked-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Tested-by: Peter Wu <peter@lekensteyn.nl>              # Nvidia Optimus
      Tested-by: Lukas Wunner <lukas@wunner.de>              # MacBook Pro
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      [lukas: add commit message, bikeshed code comments for clarity]
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.deSigned-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      d4cba602
    • Mathias Kresin's avatar
      MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset · 9547a2b4
      Mathias Kresin authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 05454c1b ]
      
      According to the QCA u-boot source the "PCIE Phase Lock Loop
      Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
      QCA955X and QCA956X at offset 0x10.
      
      Since the PCIE PLL config register is only defined for the AR724x fix
      only this value. The value is wrong since the day it was added and isn't
      used by any driver yet.
      Signed-off-by: default avatarMathias Kresin <dev@kresin.me>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16048/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      9547a2b4
    • Mathias Nyman's avatar
      xhci: zero usb device slot_id member when disabling and freeing a xhci slot · a848d1cf
      Mathias Nyman authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit a400efe4 ]
      
      set udev->slot_id to zero when disabling and freeing the xhci slot.
      Prevents usb core from calling xhci with a stale slot id.
      
      xHC controller may be reset during resume to recover from some error.
      All slots are unusable as they are disabled and freed.
      xhci driver starts slot enumeration again from 1 in the order they are
      enabled. In the worst case a stale udev->slot_id for one device matches
      a newly enabled slot_id for a different device, causing us to
      perform a action on the wrong device.
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      a848d1cf
    • Vitaly Kuznetsov's avatar
      KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use · 28ba4838
      Vitaly Kuznetsov authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 0bcc3fb9 ]
      
      Devices which use level-triggered interrupts under Windows 2016 with
      Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
      unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
      version which has no EOI register so EOI never happens.
      
      The issue was discovered and discussed a while ago:
      https://www.spinics.net/lists/kvm/msg148098.html
      
      While this is a guest OS bug (it should check that IOAPIC has the required
      capabilities before disabling EOI broadcast) we can workaround it in KVM:
      advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      28ba4838
    • Gregory CLEMENT's avatar
      i2c: mv64xxx: Apply errata delay only in standard mode · 99a80d58
      Gregory CLEMENT authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 31184d8c ]
      
      The errata FE-8471889 description has been updated. There is still a
      timing violation for repeated start. But the errata now states that it
      was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
      there is no issue.
      
      This patch limit the errata fix to the Standard mode.
      
      It has been tesed successfully on the clearfog (Aramda 388 based board).
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      99a80d58
    • Seunghun Han's avatar
      ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c · 13bcaf55
      Seunghun Han authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 97f3c0a4 ]
      
      I found an ACPI cache leak in ACPI early termination and boot continuing case.
      
      When early termination occurs due to malicious ACPI table, Linux kernel
      terminates ACPI function and continues to boot process. While kernel terminates
      ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
      
      Boot log of ACPI operand cache leak is as follows:
      >[    0.464168] ACPI: Added _OSI(Module Device)
      >[    0.467022] ACPI: Added _OSI(Processor Device)
      >[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
      >[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
      >[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
      >[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
      >[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.497683] ACPI: Interpreter enabled
      >[    0.499385] ACPI: (supports S0)
      >[    0.501151] ACPI: Using IOAPIC for interrupt routing
      >[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
      >[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
      >[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
      >[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
      >[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
      >[    0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
      >[    0.529668] Call Trace:
      >[    0.530811]  ? dump_stack+0x5c/0x81
      >[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
      >[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
      >[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
      >[    0.537237]  ? acpi_terminate+0xa/0x14
      >[    0.538701]  ? acpi_init+0x2af/0x34f
      >[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
      >[    0.541593]  ? do_one_initcall+0x4e/0x1a0
      >[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
      >[    0.546202]  ? rest_init+0x80/0x80
      >[    0.547513]  ? kernel_init+0xa/0x100
      >[    0.548817]  ? ret_from_fork+0x25/0x30
      >[    0.550587] vgaarb: loaded
      >[    0.551716] EDAC MC: Ver: 3.0.0
      >[    0.553744] PCI: Probing PCI hardware
      >[    0.555038] PCI host bridge to bus 0000:00
      > ... Continue to boot and log is omitted ...
      
      I analyzed this memory leak in detail and found acpi_ns_evaluate() function
      only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
      occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
      also not null. Therefore, this causes acpi operand memory leak.
      
      This cache leak causes a security threat because an old kernel (<= 4.9) shows
      memory locations of kernel functions in stack dump. Some malicious users
      could use this information to neutralize kernel ASLR.
      
      I made a patch to fix ACPI operand cache leak.
      Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarErik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      13bcaf55
    • Erik Schmauss's avatar
      ACPICA: Events: add a return on failure from acpi_hw_register_read · bd701b37
      Erik Schmauss authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit b4c0de31 ]
      
      This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
      and and fixed_enable as uninitialized variables.
      Signed-off-by: default avatarErik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      bd701b37
    • Coly Li's avatar
      bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set · 1f1caa12
      Coly Li authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit fadd94e0 ]
      
      In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()",
      cached_dev_get() is called when creating dc->writeback_thread, and
      cached_dev_put() is called when exiting dc->writeback_thread. This
      modification works well unless people detach the bcache device manually by
          'echo 1 > /sys/block/bcache<N>/bcache/detach'
      Because this sysfs interface only calls bch_cached_dev_detach() which wakes
      up dc->writeback_thread but does not stop it. The reason is, before patch
      "bcache: fix cached_dev->count usage for bch_cache_set_error()", inside
      bch_writeback_thread(), if cache is not dirty after writeback,
      cached_dev_put() will be called here. And in cached_dev_make_request() when
      a new write request makes cache from clean to dirty, cached_dev_get() will
      be called there. Since we don't operate dc->count in these locations,
      refcount d->count cannot be dropped after cache becomes clean, and
      cached_dev_detach_finish() won't be called to detach bcache device.
      
      This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is
      set inside bch_writeback_thread(). If this bit is set and cache is clean
      (no existing writeback_keys), break the while-loop, call cached_dev_put()
      and quit the writeback thread.
      
      Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the
      writeback thread should continue to perform writeback, this is the original
      design of manually detach.
      
      It is safe to do the following check without locking, let me explain why,
      +	if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
      +	    (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
      
      If the kenrel thread does not sleep and continue to run due to conditions
      are not updated in time on the running CPU core, it just consumes more CPU
      cycles and has no hurt. This should-sleep-but-run is safe here. We just
      focus on the should-run-but-sleep condition, which means the writeback
      thread goes to sleep in mistake while it should continue to run.
      1, First of all, no matter the writeback thread is hung or not,
         kthread_stop() from cached_dev_detach_finish() will wake up it and
         terminate by making kthread_should_stop() return true. And in normal
         run time, bit on index BCACHE_DEV_DETACHING is always cleared, the
         condition
      	!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)
         is always true and can be ignored as constant value.
      2, If one of the following conditions is true, the writeback thread should
         go to sleep,
         "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)"
         each of them independently controls the writeback thread should sleep or
         not, let's analyse them one by one.
      2.1 condition "!atomic_read(&dc->has_dirty)"
         If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will
         call bch_writeback_queue() immediately or call bch_writeback_add() which
         indirectly calls bch_writeback_queue() too. In bch_writeback_queue(),
         wake_up_process(dc->writeback_thread) is called. It sets writeback
         thread's task state to TASK_RUNNING and following an implicit memory
         barrier, then tries to wake up the writeback thread.
         In writeback thread, its task state is set to TASK_INTERRUPTIBLE before
         doing the condition check. If other CPU core sets the TASK_RUNNING state
         after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread
         will be scheduled to run very soon because its state is not
         TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before
         writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier
         of wake_up_process() will make sure modification of dc->has_dirty on
         other CPU core is updated and observed on the CPU core of writeback
         thread. Therefore the condition check will correctly be false, and
         continue writeback code without sleeping.
      2.2 condition "!dc->writeback_running)"
         dc->writeback_running can be changed via sysfs file, every time it is
         modified, a following bch_writeback_queue() is alwasy called. So the
         change is always observed on the CPU core of writeback thread. If
         dc->writeback_running is changed from 0 to 1 on other CPU core, this
         condition check will observe the modification and allow writeback
         thread to continue to run without sleeping.
      Now we can see, even without a locking protection, multiple conditions
      check is safe here, no deadlock or process hang up will happen.
      
      I compose a separte patch because that patch "bcache: fix cached_dev->count
      usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes
      Reinecke. Also this fix is not trivial and good for a separate patch.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Reviewed-by: default avatarMichael Lyle <mlyle@lyle.org>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Huijun Tang <tang.junhui@zte.com.cn>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      1f1caa12
    • Michael Schmitz's avatar
      zorro: Set up z->dev.dma_mask for the DMA API · 39b91698
      Michael Schmitz authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 55496d3f ]
      
      The generic DMA API uses dev->dma_mask to check the DMA addressable
      memory bitmask, and warns if no mask is set or even allocated.
      
      Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
      to point to z->dev.dma_coherent_mask so device drivers that need DMA have
      everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
      still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
      Signed-off-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      [geert: Handle Zorro II with 24-bit address space]
      Acked-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      39b91698
    • Shawn Lin's avatar
      clk: Don't show the incorrect clock phase · d46b9d45
      Shawn Lin authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 1f9c63e8 ]
      
      It's found that the clock phase output from clk_summary is
      wrong compared to the actual phase reading from the register.
      
      cat /sys/kernel/debug/clk/clk_summary | grep sdio_sample
      sdio_sample     0        1        0 50000000          0 -22
      
      It exposes an issue that clk core, clk_core_get_phase, always
      returns the cached core->phase which should be either updated
      by calling clk_set_phase or directly from the first place the
      clk was registered.
      
      When registering the clk, the core->phase geting from ->get_phase()
      may return negative value indicating error. This is quite common
      since the clk's phase may be highly related to its parent chain,
      but it was temporarily orphan when registered, since its parent
      chains hadn't be ready at that time, so the clk drivers decide to
      return error in this case. However, if no clk_set_phase is called or
      maybe the ->set_phase() isn't even implemented, the core->phase would
      never be updated. This is wrong, and we should try to update it when
      all its parent chains are settled down, like the way of updating clock
      rate for that. But it's not deserved to complicate the code now and
      just update it anyway when calling clk_core_get_phase, which would be
      much simple and enough.
      Signed-off-by: default avatarShawn Lin <shawn.lin@rock-chips.com>
      Acked-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      d46b9d45
    • Chunyu Hu's avatar
      cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path · 2235911f
      Chunyu Hu authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 55b55abc ]
      
      Kmemleak reported the below leak. When cppc_cpufreq_init went into
      failure path, the cpu mask is not freed. After fix, this report is
      gone. And to avaoid potential NULL pointer reference, check the cpu
      value first.
      
      unreferenced object 0xffff800fd5ea4880 (size 128):
        comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s)
        hex dump (first 32 bytes):
          00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00  .... ...........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffff0000082c4ae4>] __kmalloc_node+0x278/0x634
          [<ffff0000088f4a74>] alloc_cpumask_var_node+0x28/0x60
          [<ffff0000088f4af0>] zalloc_cpumask_var+0x14/0x1c
          [<ffff000008d20254>] cppc_cpufreq_init+0xd0/0x19c
          [<ffff000008083828>] do_one_initcall+0xec/0x15c
          [<ffff000008cd1018>] kernel_init_freeable+0x1f4/0x2a4
          [<ffff0000089099b0>] kernel_init+0x18/0x10c
          [<ffff000008084d50>] ret_from_fork+0x10/0x18
          [<ffffffffffffffff>] 0xffffffffffffffff
      Signed-off-by: default avatarChunyu Hu <chuhu@redhat.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      2235911f
    • Thinh Nguyen's avatar
      usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields · 5687d832
      Thinh Nguyen authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 0cab8d26 ]
      
      Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP
      is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM.
      
      The GTXFIFOSIZ register for DWC_usb31 is as follows:
       +-------+-----------+----------------------------------+
       | BITS  | Name      | Description                      |
       +=======+===========+==================================+
       | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address |
       | 15    | TXFRAMNUM | Asynchronous/Periodic TXFIFO     |
       | 14:0  | TXFDEP    | TXFIFO Depth                     |
       +-------+-----------+----------------------------------+
      Signed-off-by: default avatarThinh Nguyen <thinhn@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      5687d832
    • Philipp Puschmann's avatar
      arm: dts: socfpga: fix GIC PPI warning · 5fca8b17
      Philipp Puschmann authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 6d97d5ab ]
      
      Fixes the warning "GIC: PPI13 is secure or misconfigured" by
      changing the interrupt type from level_low to edge_raising
      Signed-off-by: default avatarPhilipp Puschmann <pp@emlix.com>
      Signed-off-by: default avatarDinh Nguyen <dinguyen@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      5fca8b17
    • Petr Vorel's avatar
      ima: Fallback to the builtin hash algorithm · 1e8ce4b5
      Petr Vorel authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit ab60368a ]
      
      IMA requires having it's hash algorithm be compiled-in due to it's
      early use.  The default IMA algorithm is protected by Kconfig to be
      compiled-in.
      
      The ima_hash kernel parameter allows to choose the hash algorithm. When
      the specified algorithm is not available or available as a module, IMA
      initialization fails, which leads to a kernel panic (mknodat syscall calls
      ima_post_path_mknod()).  Therefore as fallback we force IMA to use
      the default builtin Kconfig hash algorithm.
      
      Fixed crash:
      
      $ grep CONFIG_CRYPTO_MD4 .config
      CONFIG_CRYPTO_MD4=m
      
      [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4
      ...
      [    1.545190] ima: Can not allocate md4 (reason: -2)
      ...
      [    2.610120] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [    2.611903] IP: ima_match_policy+0x23/0x390
      [    2.612967] PGD 0 P4D 0
      [    2.613080] Oops: 0000 [#1] SMP
      [    2.613080] Modules linked in: autofs4
      [    2.613080] Supported: Yes
      [    2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1
      [    2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      [    2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000
      [    2.613080] RIP: 0010:ima_match_policy+0x23/0x390
      [    2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296
      [    2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004
      [    2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728
      [    2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000
      [    2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f
      [    2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000
      [    2.613080] FS:  00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
      [    2.613080] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0
      [    2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [    2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [    2.613080] Call Trace:
      [    2.613080]  ? shmem_mknod+0xbf/0xd0
      [    2.613080]  ima_post_path_mknod+0x1c/0x40
      [    2.613080]  SyS_mknod+0x210/0x220
      [    2.613080]  entry_SYSCALL_64_fastpath+0x1a/0xa5
      [    2.613080] RIP: 0033:0x7f5c1bfde570
      [    2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
      [    2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570
      [    2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f
      [    2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000
      [    2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660
      [    2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
      [    2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20
      [    2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88
      [    2.613080] CR2: 0000000000000000
      [    2.613080] ---[ end trace 9a9f0a8a73079f6a ]---
      [    2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
      [    2.673052]
      [    2.675337] Kernel Offset: disabled
      [    2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
      Signed-off-by: default avatarPetr Vorel <pvorel@suse.cz>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      1e8ce4b5
    • Juerg Haefliger's avatar
      UBUNTU: [Config] CONFIG_TCG_CRB=y · b217f79f
      Juerg Haefliger authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      Commit "ima: Fix Kconfig to select TPM 2.0 CRB interface" selects TCG_CRB
      to build the driver into the kernel. Update the config files accordingly
      and also remove the module from the ABI.
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      b217f79f
    • Jiandi An's avatar
      ima: Fix Kconfig to select TPM 2.0 CRB interface · 8b60ff21
      Jiandi An authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit fac37c62 ]
      
      TPM_CRB driver provides TPM CRB 2.0 support.  If it is built as a
      module, the TPM chip is registered after IMA init.  tpm_pcr_read() in
      IMA fails and displays the following message even though eventually
      there is a TPM chip on the system.
      
      ima: No TPM chip found, activating TPM-bypass! (rc=-19)
      
      Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel
      and initializes before IMA.
      Signed-off-by: default avatarJiandi An <anjiandi@codeaurora.org>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8b60ff21
    • Karthikeyan Periyasamy's avatar
      ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) · e7dbdee1
      Karthikeyan Periyasamy authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 8b2d93dd ]
      
      When attempt to run worker (ath10k_sta_rc_update_wk) after the station object
      (ieee80211_sta) delete will trigger the kernel panic.
      
      This problem arise in AP + Mesh configuration, Where the current node AP VAP
      and neighbor node mesh VAP MAC address are same. When the current mesh node
      try to establish the mesh link with neighbor node, driver peer creation for
      the neighbor mesh node fails due to duplication MAC address. Already the AP
      VAP created with same MAC address.
      
      It is caused by the following scenario steps.
      
      Steps:
      1. In above condition, ath10k driver sta_state callback (ath10k_sta_state)
         fails to do the state change for a station from IEEE80211_STA_NOTEXIST
         to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is
         called from ieee80211_add_station() to handle the new station
         (neighbor mesh node) request from the wpa_supplicant.
      2. Concurrently ath10k receive the sta_rc_update callback notification from
         the mesh_neighbour_update() to handle the beacon frames of the above
         neighbor mesh node. since its atomic callback, ath10k driver queue the
         work (ath10k_sta_rc_update_wk) to handle rc update.
      3. Due to driver sta_state callback fails (step 1), mac80211 free the station
         object.
      4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access
         the station object which is already deleted. so it will trigger kernel
         panic.
      
      Added the peer exist check in sta_rc_update callback before queue the work.
      
      Kernel Panic log:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = c0204000
      [00000000] *pgd=00000000
      Internal error: Oops: 17 [#1] PREEMPT SMP ARM
      CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
      task: dcef0000 ti: d72b6000 task.ti: d72b6000
      PC is at pwq_activate_delayed_work+0x10/0x40
      LR is at pwq_activate_delayed_work+0xc/0x40
      pc : [<c023f988>]    lr : [<c023f984>]    psr: 40000193
      sp : d72b7f18  ip : 0000007a  fp : d72b6000
      r10: 00000000  r9 : dd404414  r8 : d8c31998
      r7 : d72b6038  r6 : 00000004  r5 : d4907ec8  r4 : dcee1300
      r3 : ffffffe0  r2 : 00000000  r1 : 00000001  r0 : 00000000
      Flags: nZcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      Control: 10c5787d  Table: 595bc06a  DAC: 00000015
      ...
      Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
      Stack: (0xd72b7f18 to 0xd72b8000)
      7f00:                                                       00000001 dcee1300
      7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089
      7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000
      7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000
      7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340
      7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000
      7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
      [<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
      [<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
      [<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
      [<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
      Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
      Rebooting in 3 seconds..
      Signed-off-by: default avatarKarthikeyan Periyasamy <periyasa@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      e7dbdee1
    • Leon Romanovsky's avatar
      net/mlx5: Protect from command bit overflow · 2c6841a0
      Leon Romanovsky authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 957f6ba8 ]
      
      The system with CONFIG_UBSAN enabled on produces the following error
      during driver initialization. The reason to it that max_reg_cmds can be
      larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long.
      
      ================================================================================
      UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42
      signed integer overflow:
      -2147483648 - 1 cannot be represented in type 'int'
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xe9/0x18f
       ? dma_virt_alloc+0x81/0x81
       ubsan_epilogue+0xe/0x4e
       handle_overflow+0x187/0x20c
       mlx5_cmd_init+0x73a/0x12b0
       mlx5_load_one+0x1c3d/0x1d30
       init_one+0xd02/0xf10
       pci_device_probe+0x26c/0x3b0
       driver_probe_device+0x622/0xb40
       __driver_attach+0x175/0x1b0
       bus_for_each_dev+0xef/0x190
       bus_add_driver+0x2db/0x490
       driver_register+0x16b/0x1e0
       __pci_register_driver+0x177/0x1b0
       init+0x6d/0x92
       do_one_initcall+0x15b/0x270
       kernel_init_freeable+0x2d8/0x3d0
       kernel_init+0x14/0x190
       ret_from_fork+0x24/0x30
      ================================================================================
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      2c6841a0
    • Michael Ellerman's avatar
      selftests: Print the test we're running to /dev/kmsg · 350ce0c5
      Michael Ellerman authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 88893cf7 ]
      
      Some tests cause the kernel to print things to the kernel log
      buffer (ie. printk), in particular oops and warnings etc. However when
      running all the tests in succession it's not always obvious which
      test(s) caused the kernel to print something.
      
      We can narrow it down by printing which test directory we're running
      in to /dev/kmsg, if it's writable.
      
      Example output:
      
        [  170.149149] kselftest: Running tests in powerpc
        [  305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes
                       left
        [  808.915456] kselftest: Running tests in pstore
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      350ce0c5
    • Frank Asseg's avatar
      tools/thermal: tmon: fix for segfault · 2f7fa871
      Frank Asseg authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 6c59f64b ]
      
      Fixes a segfault occurring when e.g. <TAB> is pressed multiple times in the
      ncurses tmon application. The segfault is caused by incrementing
      cur_thermal_record in the main function without checking if it's value reached
      NR_THERMAL_RECORD immediately. Since the boundary check only occurred in
      update_thermal_data a race condition existed, which lead to an attempted read
      beyond the last element of the trec array.
      
      The fix was implemented by moving the cur_thermal_record incrementation to the
      update_thermal_data function using a temporary variable on which the boundary
      condition is checked before updating cur_thread_record, so that the variable is
      never incremented beyond the trec array's boundary.
      
      It seems the segfault does not occur on every machine: On a HP EliteBook G4 the
      segfault happens, while it does not happen on a Thinkpad T540p.
      Signed-off-by: default avatarFrank Asseg <frank.asseg@objecthunter.net>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      2f7fa871
    • Michael Ellerman's avatar
      powerpc/perf: Fix kernel address leak via sampling registers · 270b04f4
      Michael Ellerman authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit e1ebd0e5 ]
      
      Current code in power_pmu_disable() does not clear the sampling
      registers like Sampling Instruction Address Register (SIAR) and
      Sampling Data Address Register (SDAR) after disabling the PMU. Since
      these are userspace readable and could contain kernel addresses, add
      code to explicitly clear the content of these registers.
      
      Also add a "context synchronizing instruction" to enforce no further
      updates to these registers as suggested by Power ISA v3.0B. From
      section 9.4, on page 1108:
      
        "If an mtspr instruction is executed that changes the value of a
        Performance Monitor register other than SIAR, SDAR, and SIER, the
        change is not guaranteed to have taken effect until after a
        subsequent context synchronizing instruction has been executed (see
        Chapter 11. "Synchronization Requirements for Context Alterations"
        on page 1133)."
      Signed-off-by: default avatarMadhavan Srinivasan <maddy@linux.vnet.ibm.com>
      [mpe: Massage change log and add ISA reference]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      270b04f4
    • Madhavan Srinivasan's avatar
      powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer · 80761cf9
      Madhavan Srinivasan authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit bb19af81 ]
      
      The current Branch History Rolling Buffer (BHRB) code does not check
      for any privilege levels before updating the data from BHRB. This
      could leak kernel addresses to userspace even when profiling only with
      userspace privileges. Add proper checks to prevent it.
      Acked-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarMadhavan Srinivasan <maddy@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      80761cf9
    • Alexandre Belloni's avatar
      rtc: hctosys: Ensure system time doesn't overflow time_t · 4077b7e3
      Alexandre Belloni authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit b3a5ac42 ]
      
      On 32bit platforms, time_t is still a signed 32bit long. If it is
      overflowed, userspace and the kernel cant agree on the current system time.
      This causes multiple issues, in particular with systemd:
      https://github.com/systemd/systemd/issues/1143
      
      A good workaround is to simply avoid using hctosys which is something I
      greatly encourage as the time is better set by userspace.
      
      However, many distribution enable it and use systemd which is rendering the
      system unusable in case the RTC holds a date after 2038 (and more so after
      2106). Many drivers have workaround for this case and they should be
      eliminated so there is only one place left to fix when userspace is able to
      cope with dates after the 31bit overflow.
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      4077b7e3
    • Guenter Roeck's avatar
      hwmon: (nct6775) Fix writing pwmX_mode · 778ffd75
      Guenter Roeck authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 415eb2a1 ]
      
      pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip
      register bit is set to 1 for DC mode. This got mixed up, and writing
      1 into pwmX_mode resulted in DC mode enabled. Fix it up by using
      the ABI definition throughout the driver for consistency.
      
      Fixes: 77eb5b37 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      778ffd75
    • Helge Deller's avatar
      parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode · 531733a4
      Helge Deller authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit b845f66f ]
      
      Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy
      I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card.
      
      To avoid such instability, this patch switches the LBA PCI bus from Hard Fail
      mode into Soft Fail mode. In this mode the bus will return -1UL for timed out
      MMIO transactions, which is exactly how the x86 (and most other architectures)
      PCI busses behave.
      
      This patch is based on a proposal by Grant Grundler and Kyle McMartin 10
      years ago:
      https://www.spinics.net/lists/linux-parisc/msg01027.html
      
      Cc: Carlo Pisani <carlojpisani@gmail.com>
      Cc: Kyle McMartin <kyle@mcmartin.ca>
      Reviewed-by: default avatarGrant Grundler <grantgrundler@gmail.com>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      531733a4
    • Greg Ungerer's avatar
      m68k: set dma and coherent masks for platform FEC ethernets · 8adcbe5d
      Greg Ungerer authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit f61e6431 ]
      
      As of commit 205e1b7f ("dma-mapping: warn when there is no
      coherent_dma_mask") the Freescale FEC driver is issuing the following
      warning on driver initialization on ColdFire systems:
      
      WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20
      Modules linked in:
      CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4
      Stack from 41833dd8:
              41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000
              400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d
              40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000
              00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8
              7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c
              40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000
      Call Trace:
              [<40025534>] 0x40025534
       [<4004e514>] 0x4004e514
       [<400255de>] 0x400255de
       [<40159e20>] 0x40159e20
       [<40159e20>] 0x40159e20
      
      It is not fatal, the driver and the system continue to function normally.
      
      As per the warning the coherent_dma_mask is not set on this device.
      There is nothing special about the DMA memory coherency on this hardware
      so we can just set the mask to 32bits in the platform data for the FEC
      ethernet devices.
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8adcbe5d
    • Michael Ellerman's avatar
      powerpc/mpic: Check if cpu_possible() in mpic_physmask() · 60704f87
      Michael Ellerman authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 0834d627 ]
      
      In mpic_physmask() we loop over all CPUs up to 32, then get the hard
      SMP processor id of that CPU.
      
      Currently that's possibly walking off the end of the paca array, but
      in a future patch we will change the paca array to be an array of
      pointers, and in that case we will get a NULL for missing CPUs and
      oops. eg:
      
        Unable to handle kernel paging request for data at address 0x88888888888888b8
        Faulting instruction address: 0xc00000000004e380
        Oops: Kernel access of bad area, sig: 11 [#1]
        ...
        NIP .mpic_set_affinity+0x60/0x1a0
        LR  .irq_do_set_affinity+0x48/0x100
      
      Fix it by checking the CPU is possible, this also fixes the code if
      there are gaps in the CPU numbering which probably never happens on
      mpic systems but who knows.
      Debugged-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      60704f87
    • Lenny Szubowicz's avatar
      ACPI: acpi_pad: Fix memory leak in power saving threads · 9926c6a4
      Lenny Szubowicz authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 8b29d29a ]
      
      Fix once per second (round_robin_time) memory leak of about 1 KB in
      each acpi_pad kernel idling thread that is activated.
      
      Found by testing with kmemleak.
      Signed-off-by: default avatarLenny Szubowicz <lszubowi@redhat.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      9926c6a4
    • Dan Carpenter's avatar
      xen/acpi: off by one in read_acpi_id() · 09946bc8
      Dan Carpenter authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit c37a3c94 ]
      
      If acpi_id is == nr_acpi_bits, then we access one element beyond the end
      of the acpi_psd[] array or we set one bit beyond the end of the bit map
      when we do __set_bit(acpi_id, acpi_id_present);
      
      Fixes: 59a56802 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarJoao Martins <joao.m.martins@oracle.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      09946bc8
    • Jeff Mahoney's avatar
      btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers · b11f4eff
      Jeff Mahoney authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 8a5a916d ]
      
      While running btrfs/011, I hit the following lockdep splat.
      
      This is the important bit:
         pcpu_alloc+0x1ac/0x5e0
         __percpu_counter_init+0x4e/0xb0
         btrfs_init_fs_root+0x99/0x1c0 [btrfs]
         btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
         resolve_indirect_refs+0x130/0x830 [btrfs]
         find_parent_nodes+0x69e/0xff0 [btrfs]
         btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
         btrfs_find_all_roots+0x50/0x70 [btrfs]
         btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
         btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
      
      The percpu_counter_init call in btrfs_alloc_subvolume_writers
      uses GFP_KERNEL, which we can't do during transaction commit.
      
      This switches it to GFP_NOFS.
      
      ========================================================
      WARNING: possible irq lock inversion dependency detected
      4.12.14-kvmsmall #8 Tainted: G        W
      --------------------------------------------------------
      kswapd0/50 just changed the state of lock:
       (&delayed_node->mutex){+.+.-.}, at: [<ffffffffc06994fa>] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
      but this lock took another, RECLAIM_FS-unsafe lock in the past:
       (pcpu_alloc_mutex){+.+.+.}
      
      and interrupts could create inverse lock ordering between them.
      
      other info that might help us debug this:
      Chain exists of:
        &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex
      
       Possible interrupt unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(pcpu_alloc_mutex);
                                     local_irq_disable();
                                     lock(&delayed_node->mutex);
                                     lock(&found->groups_sem);
        <Interrupt>
          lock(&delayed_node->mutex);
      
       *** DEADLOCK ***
      
      2 locks held by kswapd0/50:
       #0:  (shrinker_rwsem){++++..}, at: [<ffffffff811dc11f>] shrink_slab+0x7f/0x5b0
       #1:  (&type->s_umount_key#30){+++++.}, at: [<ffffffff8126dec6>] trylock_super+0x16/0x50
      
      the shortest dependencies between 2nd lock and 1st lock:
         -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 {
            HARDIRQ-ON-W at:
                                __mutex_lock+0x4e/0x8c0
                                pcpu_alloc+0x1ac/0x5e0
                                alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                                __do_tune_cpucache+0x2c/0x220
                                do_tune_cpucache+0x26/0xc0
                                enable_cpucache+0x6d/0xf0
                                kmem_cache_init_late+0x42/0x75
                                start_kernel+0x343/0x4cb
                                x86_64_start_kernel+0x127/0x134
                                secondary_startup_64+0xa5/0xb0
            SOFTIRQ-ON-W at:
                                __mutex_lock+0x4e/0x8c0
                                pcpu_alloc+0x1ac/0x5e0
                                alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                                __do_tune_cpucache+0x2c/0x220
                                do_tune_cpucache+0x26/0xc0
                                enable_cpucache+0x6d/0xf0
                                kmem_cache_init_late+0x42/0x75
                                start_kernel+0x343/0x4cb
                                x86_64_start_kernel+0x127/0x134
                                secondary_startup_64+0xa5/0xb0
            RECLAIM_FS-ON-W at:
                                   __kmalloc+0x47/0x310
                                   pcpu_extend_area_map+0x2b/0xc0
                                   pcpu_alloc+0x3ec/0x5e0
                                   alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                                   __do_tune_cpucache+0x2c/0x220
                                   do_tune_cpucache+0x26/0xc0
                                   enable_cpucache+0x6d/0xf0
                                   __kmem_cache_create+0x1bf/0x390
                                   create_cache+0xba/0x1b0
                                   kmem_cache_create+0x1f8/0x2b0
                                   ksm_init+0x6f/0x19d
                                   do_one_initcall+0x50/0x1b0
                                   kernel_init_freeable+0x201/0x289
                                   kernel_init+0xa/0x100
                                   ret_from_fork+0x3a/0x50
            INITIAL USE at:
                               __mutex_lock+0x4e/0x8c0
                               pcpu_alloc+0x1ac/0x5e0
                               alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                               setup_cpu_cache+0x2f/0x1f0
                               __kmem_cache_create+0x1bf/0x390
                               create_boot_cache+0x8b/0xb1
                               kmem_cache_init+0xa1/0x19e
                               start_kernel+0x270/0x4cb
                               x86_64_start_kernel+0x127/0x134
                               secondary_startup_64+0xa5/0xb0
          }
          ... key      at: [<ffffffff821d8e70>] pcpu_alloc_mutex+0x70/0xa0
          ... acquired at:
         pcpu_alloc+0x1ac/0x5e0
         __percpu_counter_init+0x4e/0xb0
         btrfs_init_fs_root+0x99/0x1c0 [btrfs]
         btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
         resolve_indirect_refs+0x130/0x830 [btrfs]
         find_parent_nodes+0x69e/0xff0 [btrfs]
         btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
         btrfs_find_all_roots+0x50/0x70 [btrfs]
         btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
         btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
         transaction_kthread+0x176/0x1b0 [btrfs]
         kthread+0x102/0x140
         ret_from_fork+0x3a/0x50
      
        -> (&fs_info->commit_root_sem){++++..} ops: 1566382 {
           HARDIRQ-ON-W at:
                              down_write+0x3e/0xa0
                              cache_block_group+0x287/0x420 [btrfs]
                              find_free_extent+0x106c/0x12d0 [btrfs]
                              btrfs_reserve_extent+0xd8/0x170 [btrfs]
                              cow_file_range.isra.66+0x133/0x470 [btrfs]
                              run_delalloc_range+0x121/0x410 [btrfs]
                              writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
                              __extent_writepage+0x19a/0x360 [btrfs]
                              extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
                              extent_writepages+0x4d/0x60 [btrfs]
                              do_writepages+0x1a/0x70
                              __filemap_fdatawrite_range+0xa7/0xe0
                              btrfs_rename+0x5ee/0xdb0 [btrfs]
                              vfs_rename+0x52a/0x7e0
                              SyS_rename+0x351/0x3b0
                              do_syscall_64+0x79/0x1e0
                              entry_SYSCALL_64_after_hwframe+0x42/0xb7
           HARDIRQ-ON-R at:
                              down_read+0x35/0x90
                              caching_thread+0x57/0x560 [btrfs]
                              normal_work_helper+0x1c0/0x5e0 [btrfs]
                              process_one_work+0x1e0/0x5c0
                              worker_thread+0x44/0x390
                              kthread+0x102/0x140
                              ret_from_fork+0x3a/0x50
           SOFTIRQ-ON-W at:
                              down_write+0x3e/0xa0
                              cache_block_group+0x287/0x420 [btrfs]
                              find_free_extent+0x106c/0x12d0 [btrfs]
                              btrfs_reserve_extent+0xd8/0x170 [btrfs]
                              cow_file_range.isra.66+0x133/0x470 [btrfs]
                              run_delalloc_range+0x121/0x410 [btrfs]
                              writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
                              __extent_writepage+0x19a/0x360 [btrfs]
                              extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
                              extent_writepages+0x4d/0x60 [btrfs]
                              do_writepages+0x1a/0x70
                              __filemap_fdatawrite_range+0xa7/0xe0
                              btrfs_rename+0x5ee/0xdb0 [btrfs]
                              vfs_rename+0x52a/0x7e0
                              SyS_rename+0x351/0x3b0
                              do_syscall_64+0x79/0x1e0
                              entry_SYSCALL_64_after_hwframe+0x42/0xb7
           SOFTIRQ-ON-R at:
                              down_read+0x35/0x90
                              caching_thread+0x57/0x560 [btrfs]
                              normal_work_helper+0x1c0/0x5e0 [btrfs]
                              process_one_work+0x1e0/0x5c0
                              worker_thread+0x44/0x390
                              kthread+0x102/0x140
                              ret_from_fork+0x3a/0x50
           INITIAL USE at:
                             down_write+0x3e/0xa0
                             cache_block_group+0x287/0x420 [btrfs]
                             find_free_extent+0x106c/0x12d0 [btrfs]
                             btrfs_reserve_extent+0xd8/0x170 [btrfs]
                             cow_file_range.isra.66+0x133/0x470 [btrfs]
                             run_delalloc_range+0x121/0x410 [btrfs]
                             writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
                             __extent_writepage+0x19a/0x360 [btrfs]
                             extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
                             extent_writepages+0x4d/0x60 [btrfs]
                             do_writepages+0x1a/0x70
                             __filemap_fdatawrite_range+0xa7/0xe0
                             btrfs_rename+0x5ee/0xdb0 [btrfs]
                             vfs_rename+0x52a/0x7e0
                             SyS_rename+0x351/0x3b0
                             do_syscall_64+0x79/0x1e0
                             entry_SYSCALL_64_after_hwframe+0x42/0xb7
         }
         ... key      at: [<ffffffffc0729578>] __key.61970+0x0/0xfffffffffff9aa88 [btrfs]
         ... acquired at:
         cache_block_group+0x287/0x420 [btrfs]
         find_free_extent+0x106c/0x12d0 [btrfs]
         btrfs_reserve_extent+0xd8/0x170 [btrfs]
         btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
         btrfs_create_tree+0xbb/0x2a0 [btrfs]
         btrfs_create_uuid_tree+0x37/0x140 [btrfs]
         open_ctree+0x23c0/0x2660 [btrfs]
         btrfs_mount+0xd36/0xf90 [btrfs]
         mount_fs+0x3a/0x160
         vfs_kern_mount+0x66/0x150
         btrfs_mount+0x18c/0xf90 [btrfs]
         mount_fs+0x3a/0x160
         vfs_kern_mount+0x66/0x150
         do_mount+0x1c1/0xcc0
         SyS_mount+0x7e/0xd0
         do_syscall_64+0x79/0x1e0
         entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
       -> (&found->groups_sem){++++..} ops: 2134587 {
          HARDIRQ-ON-W at:
                            down_write+0x3e/0xa0
                            __link_block_group+0x34/0x130 [btrfs]
                            btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
                            open_ctree+0x2054/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          HARDIRQ-ON-R at:
                            down_read+0x35/0x90
                            btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
                            open_ctree+0x207b/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          SOFTIRQ-ON-W at:
                            down_write+0x3e/0xa0
                            __link_block_group+0x34/0x130 [btrfs]
                            btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
                            open_ctree+0x2054/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          SOFTIRQ-ON-R at:
                            down_read+0x35/0x90
                            btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
                            open_ctree+0x207b/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          INITIAL USE at:
                           down_write+0x3e/0xa0
                           __link_block_group+0x34/0x130 [btrfs]
                           btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
                           open_ctree+0x2054/0x2660 [btrfs]
                           btrfs_mount+0xd36/0xf90 [btrfs]
                           mount_fs+0x3a/0x160
                           vfs_kern_mount+0x66/0x150
                           btrfs_mount+0x18c/0xf90 [btrfs]
                           mount_fs+0x3a/0x160
                           vfs_kern_mount+0x66/0x150
                           do_mount+0x1c1/0xcc0
                           SyS_mount+0x7e/0xd0
                           do_syscall_64+0x79/0x1e0
                           entry_SYSCALL_64_after_hwframe+0x42/0xb7
        }
        ... key      at: [<ffffffffc0729488>] __key.59101+0x0/0xfffffffffff9ab78 [btrfs]
        ... acquired at:
         find_free_extent+0xcb4/0x12d0 [btrfs]
         btrfs_reserve_extent+0xd8/0x170 [btrfs]
         btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
         __btrfs_cow_block+0x110/0x5b0 [btrfs]
         btrfs_cow_block+0xd7/0x290 [btrfs]
         btrfs_search_slot+0x1f6/0x960 [btrfs]
         btrfs_lookup_inode+0x2a/0x90 [btrfs]
         __btrfs_update_delayed_inode+0x65/0x210 [btrfs]
         btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs]
         btrfs_evict_inode+0x3fe/0x6a0 [btrfs]
         evict+0xc4/0x190
         __dentry_kill+0xbf/0x170
         dput+0x2ae/0x2f0
         SyS_rename+0x2a6/0x3b0
         do_syscall_64+0x79/0x1e0
         entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      -> (&delayed_node->mutex){+.+.-.} ops: 5580204 {
         HARDIRQ-ON-W at:
                          __mutex_lock+0x4e/0x8c0
                          btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
                          btrfs_update_inode+0x83/0x110 [btrfs]
                          btrfs_dirty_inode+0x62/0xe0 [btrfs]
                          touch_atime+0x8c/0xb0
                          do_generic_file_read+0x818/0xb10
                          __vfs_read+0xdc/0x150
                          vfs_read+0x8a/0x130
                          SyS_read+0x45/0xa0
                          do_syscall_64+0x79/0x1e0
                          entry_SYSCALL_64_after_hwframe+0x42/0xb7
         SOFTIRQ-ON-W at:
                          __mutex_lock+0x4e/0x8c0
                          btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
                          btrfs_update_inode+0x83/0x110 [btrfs]
                          btrfs_dirty_inode+0x62/0xe0 [btrfs]
                          touch_atime+0x8c/0xb0
                          do_generic_file_read+0x818/0xb10
                          __vfs_read+0xdc/0x150
                          vfs_read+0x8a/0x130
                          SyS_read+0x45/0xa0
                          do_syscall_64+0x79/0x1e0
                          entry_SYSCALL_64_after_hwframe+0x42/0xb7
         IN-RECLAIM_FS-W at:
                             __mutex_lock+0x4e/0x8c0
                             __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
                             btrfs_evict_inode+0x22c/0x6a0 [btrfs]
                             evict+0xc4/0x190
                             dispose_list+0x35/0x50
                             prune_icache_sb+0x42/0x50
                             super_cache_scan+0x139/0x190
                             shrink_slab+0x262/0x5b0
                             shrink_node+0x2eb/0x2f0
                             kswapd+0x2eb/0x890
                             kthread+0x102/0x140
                             ret_from_fork+0x3a/0x50
         INITIAL USE at:
                         __mutex_lock+0x4e/0x8c0
                         btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
                         btrfs_update_inode+0x83/0x110 [btrfs]
                         btrfs_dirty_inode+0x62/0xe0 [btrfs]
                         touch_atime+0x8c/0xb0
                         do_generic_file_read+0x818/0xb10
                         __vfs_read+0xdc/0x150
                         vfs_read+0x8a/0x130
                         SyS_read+0x45/0xa0
                         do_syscall_64+0x79/0x1e0
                         entry_SYSCALL_64_after_hwframe+0x42/0xb7
       }
       ... key      at: [<ffffffffc072d488>] __key.56935+0x0/0xfffffffffff96b78 [btrfs]
       ... acquired at:
         __lock_acquire+0x264/0x11c0
         lock_acquire+0xbd/0x1e0
         __mutex_lock+0x4e/0x8c0
         __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
         btrfs_evict_inode+0x22c/0x6a0 [btrfs]
         evict+0xc4/0x190
         dispose_list+0x35/0x50
         prune_icache_sb+0x42/0x50
         super_cache_scan+0x139/0x190
         shrink_slab+0x262/0x5b0
         shrink_node+0x2eb/0x2f0
         kswapd+0x2eb/0x890
         kthread+0x102/0x140
         ret_from_fork+0x3a/0x50
      
      stack backtrace:
      CPU: 1 PID: 50 Comm: kswapd0 Tainted: G        W        4.12.14-kvmsmall #8 SLE15 (unreleased)
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0x78/0xb7
       print_irq_inversion_bug.part.38+0x19f/0x1aa
       check_usage_forwards+0x102/0x120
       ? ret_from_fork+0x3a/0x50
       ? check_usage_backwards+0x110/0x110
       mark_lock+0x16c/0x270
       __lock_acquire+0x264/0x11c0
       ? pagevec_lookup_entries+0x1a/0x30
       ? truncate_inode_pages_range+0x2b3/0x7f0
       lock_acquire+0xbd/0x1e0
       ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       __mutex_lock+0x4e/0x8c0
       ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs]
       __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       btrfs_evict_inode+0x22c/0x6a0 [btrfs]
       evict+0xc4/0x190
       dispose_list+0x35/0x50
       prune_icache_sb+0x42/0x50
       super_cache_scan+0x139/0x190
       shrink_slab+0x262/0x5b0
       shrink_node+0x2eb/0x2f0
       kswapd+0x2eb/0x890
       kthread+0x102/0x140
       ? mem_cgroup_shrink_node+0x2c0/0x2c0
       ? kthread_create_on_node+0x40/0x40
       ret_from_fork+0x3a/0x50
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Reviewed-by: default avatarLiu Bo <bo.liu@linux.alibaba.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      b11f4eff
    • Filipe Manana's avatar
      Btrfs: fix copy_items() return value when logging an inode · 4345f7b6
      Filipe Manana authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 8434ec46 ]
      
      When logging an inode, at tree-log.c:copy_items(), if we call
      btrfs_next_leaf() at the loop which checks for the need to log holes, we
      need to make sure copy_items() returns the value 1 to its caller and
      not 0 (on success). This is because the path the caller passed was
      released and is now different from what is was before, and the caller
      expects a return value of 0 to mean both success and that the path
      has not changed, while a return value of 1 means both success and
      signals the caller that it can not reuse the path, it has to perform
      another tree search.
      
      Even though this is a case that should not be triggered on normal
      circumstances or very rare at least, its consequences can be very
      unpredictable (especially when replaying a log tree).
      
      Fixes: 16e7549f ("Btrfs: incompatible format change to remove hole extents")
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      4345f7b6
    • Qu Wenruo's avatar
      btrfs: tests/qgroup: Fix wrong tree backref level · cf115188
      Qu Wenruo authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 3c0efdf0 ]
      
      The extent tree of the test fs is like the following:
      
       BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919
        item 0 key (4096 168 4096) itemoff 3944 itemsize 51
                extent refs 1 gen 1 flags 2
                tree block key (68719476736 0 0) level 1
                                                 ^^^^^^^
                ref#0: tree block backref root 5
      
      And it's using an empty tree for fs tree, so there is no way that its
      level can be 1.
      
      For REAL (created by mkfs) fs tree backref with no skinny metadata, the
      result should look like:
      
       item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51
               refs 1 gen 4 flags TREE_BLOCK
               tree block key (256 INODE_ITEM 0) level 0
                                                 ^^^^^^^
               tree block backref root 5
      
      Fix the level to 0, so it won't break later tree level checker.
      
      Fixes: faa2dbf0 ("Btrfs: add sanity tests for new qgroup accounting code")
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      cf115188
    • Vicente Bergas's avatar
      Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB · 47e28cb3
      Vicente Bergas authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit a41e0796 ]
      
      This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it.
      
      Product information:
      https://wikidevi.com/wiki/Edimax_EW-7611ULB
      
      >From /sys/kernel/debug/usb/devices
      T:  Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=7392 ProdID=a611 Rev= 2.00
      S:  Manufacturer=Realtek
      S:  Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
      A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=500us
      E:  Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      Tested-by: default avatarVicente Bergas <vicencb@gmail.com>
      Signed-off-by: default avatarVicente Bergas <vicencb@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      47e28cb3
    • Florian Fainelli's avatar
      net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() · 10ea8dab
      Florian Fainelli authored
      BugLink: https://bugs.launchpad.net/bugs/1775771
      
      [ Upstream commit 60d6e6f0 ]
      
      bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian
      32-bit word without using proper accessors, fix this, and because a
      length cannot be negative, use unsigned int while at it.
      
      Fixes: 9cde9450 ("bgmac: implement scatter/gather support")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      10ea8dab