1. 03 Jul, 2018 40 commits
    • Andy Shevchenko's avatar
      mfd: intel-lpss: Program REMAP register in PIO mode · 473e9c0b
      Andy Shevchenko authored
      commit d28b6252 upstream.
      
      According to documentation REMAP register has to be programmed in
      either DMA or PIO mode of the slice.
      
      Move the DMA capability check below to let REMAP register be programmed
      in PIO mode.
      
      Cc: stable@vger.kernel.org # 4.3+
      Fixes: 4b45efe8 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      473e9c0b
    • Johan Hovold's avatar
      backlight: tps65217_bl: Fix Device Tree node lookup · 4544b184
      Johan Hovold authored
      commit 2b12dfa1 upstream.
      
      Fix child-node lookup during probe, which ended up searching the whole
      device tree depth-first starting at the parent rather than just matching
      on its children.
      
      This would only cause trouble if the child node is missing while there
      is an unrelated node named "backlight" elsewhere in the tree.
      
      Cc: stable <stable@vger.kernel.org>     # 3.7
      Fixes: eebfdc17 ("backlight: Add TPS65217 WLED driver")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4544b184
    • Johan Hovold's avatar
      backlight: max8925_bl: Fix Device Tree node lookup · 1b9ecd3d
      Johan Hovold authored
      commit d1cc0ec3 upstream.
      
      Fix child-node lookup during probe, which ended up searching the whole
      device tree depth-first starting at the parent rather than just matching
      on its children.
      
      To make things worse, the parent mfd node was also prematurely freed,
      while the child backlight node was leaked.
      
      Cc: stable <stable@vger.kernel.org>     # 3.9
      Fixes: 47ec340c ("mfd: max8925: Support dt for backlight")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b9ecd3d
    • Johan Hovold's avatar
      backlight: as3711_bl: Fix Device Tree node lookup · 91a9aaeb
      Johan Hovold authored
      commit 4a9c8bb2 upstream.
      
      Fix child-node lookup during probe, which ended up searching the whole
      device tree depth-first starting at the parent rather than just matching
      on its children.
      
      To make things worse, the parent mfd node was also prematurely freed.
      
      Cc: stable <stable@vger.kernel.org>     # 3.10
      Fixes: 59eb2b5e ("drivers/video/backlight/as3711_bl.c: add OF support")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      91a9aaeb
    • Florian Westphal's avatar
      xfrm: skip policies marked as dead while rehashing · 10f64c9d
      Florian Westphal authored
      commit 862591bf upstream.
      
      syzkaller triggered following KASAN splat:
      
      BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
      read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
      Workqueue: events xfrm_hash_rebuild [..]
       __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
       xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
       process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
       worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]
      
      The reproducer triggers:
      1016                 if (error) {
      1017                         list_move_tail(&walk->walk.all, &x->all);
      1018                         goto out;
      1019                 }
      
      in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
      callback returns -ENOBUFS).
      
      In this case, *walk is located the pfkey socket struct, so this socket
      becomes visible in the global policy list.
      
      It looks like this is intentional -- phony walker has walk.dead set to 1
      and all other places skip such "policies".
      
      Ccing original authors of the two commits that seem to expose this
      issue (first patch missed ->dead check, second patch adds pfkey
      sockets to policies dumper list).
      
      Fixes: 880a6fab ("xfrm: configure policy hash table thresholds by netlink")
      Fixes: 12a169e7 ("ipsec: Put dumpers on the dump list")
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Timo Teras <timo.teras@iki.fi>
      Cc: Christophe Gouault <christophe.gouault@6wind.com>
      Reported-by: default avatarsyzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10f64c9d
    • Tobias Brunner's avatar
      xfrm: Ignore socket policies when rebuilding hash tables · 3a727fca
      Tobias Brunner authored
      commit 6916fb3b upstream.
      
      Whenever thresholds are changed the hash tables are rebuilt.  This is
      done by enumerating all policies and hashing and inserting them into
      the right table according to the thresholds and direction.
      
      Because socket policies are also contained in net->xfrm.policy_all but
      no hash tables are defined for their direction (dir + XFRM_POLICY_MAX)
      this causes a NULL or invalid pointer dereference after returning from
      policy_hash_bysel() if the rebuild is done while any socket policies
      are installed.
      
      Since the rebuild after changing thresholds is scheduled this crash
      could even occur if the userland sets thresholds seemingly before
      installing any socket policies.
      
      Fixes: 53c2e285 ("xfrm: Do not hash socket policies")
      Signed-off-by: default avatarTobias Brunner <tobias@strongswan.org>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a727fca
    • Silvio Cesare's avatar
      UBIFS: Fix potential integer overflow in allocation · 9c3a27c0
      Silvio Cesare authored
      commit 353748a3 upstream.
      
      There is potential for the size and len fields in ubifs_data_node to be
      too large causing either a negative value for the length fields or an
      integer overflow leading to an incorrect memory allocation. Likewise,
      when the len field is small, an integer underflow may occur.
      Signed-off-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9c3a27c0
    • Richard Weinberger's avatar
      ubi: fastmap: Cancel work upon detach · 7cff3147
      Richard Weinberger authored
      commit 6e7d8016 upstream.
      
      Ben Hutchings pointed out that 29b7a6fa ("ubi: fastmap: Don't flush
      fastmap work on detach") does not really fix the problem, it just
      reduces the risk to hit the race window where fastmap work races against
      free()'ing ubi->volumes[].
      
      The correct approach is making sure that no more fastmap work is in
      progress before we free ubi data structures.
      So we cancel fastmap work right after the ubi background thread is
      stopped.
      By setting ubi->thread_enabled to zero we make sure that no further work
      tries to wake the thread.
      
      Fixes: 29b7a6fa ("ubi: fastmap: Don't flush fastmap work on detach")
      Fixes: 74cdaf24 ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
      Cc: stable@vger.kernel.org
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Cc: Martin Townsend <mtownsend1973@gmail.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cff3147
    • NeilBrown's avatar
      md: fix two problems with setting the "re-add" device state. · 4028e395
      NeilBrown authored
      commit 011abdc9 upstream.
      
      If "re-add" is written to the "state" file for a device
      which is faulty, this has an effect similar to removing
      and re-adding the device.  It should take up the
      same slot in the array that it previously had, and
      an accelerated (e.g. bitmap-based) rebuild should happen.
      
      The slot that "it previously had" is determined by
      rdev->saved_raid_disk.
      However this is not set when a device fails (only when a device
      is added), and it is cleared when resync completes.
      This means that "re-add" will normally work once, but may not work a
      second time.
      
      This patch includes two fixes.
      1/ when a device fails, record the ->raid_disk value in
          ->saved_raid_disk before clearing ->raid_disk
      2/ when "re-add" is written to a device for which
          ->saved_raid_disk is not set, fail.
      
      I think this is suitable for stable as it can
      cause re-adding a device to be forced to do a full
      resync which takes a lot longer and so puts data at
      more risk.
      
      Cc: <stable@vger.kernel.org> (v4.1)
      Fixes: 97f6cd39 ("md-cluster: re-add capabilities")
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Reviewed-by: default avatarGoldwyn Rodrigues <rgoldwyn@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4028e395
    • Robert Elliott's avatar
      linvdimm, pmem: Preserve read-only setting for pmem devices · 37e87504
      Robert Elliott authored
      commit 254a4cd5 upstream.
      
      The pmem driver does not honor a forced read-only setting for very long:
      	$ blockdev --setro /dev/pmem0
      	$ blockdev --getro /dev/pmem0
      	1
      
      followed by various commands like these:
      	$ blockdev --rereadpt /dev/pmem0
      	or
      	$ mkfs.ext4 /dev/pmem0
      
      results in this in the kernel serial log:
      	 nd_pmem namespace0.0: region0 read-write, marking pmem0 read-write
      
      with the read-only setting lost:
      	$ blockdev --getro /dev/pmem0
      	0
      
      That's from bus.c nvdimm_revalidate_disk(), which always applies the
      setting from nd_region (which is initially based on the ACPI NFIT
      NVDIMM state flags not_armed bit).
      
      In contrast, commit 20bd1d02 ("scsi: sd: Keep disk read-only when
      re-reading partition") fixed this issue for SCSI devices to preserve
      the previous setting if it was set to read-only.
      
      This patch modifies bus.c to preserve any previous read-only setting.
      It also eliminates the kernel serial log print except for cases where
      read-write is changed to read-only, so it doesn't print read-only to
      read-only non-changes.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 58138820 ("libnvdimm, nfit: handle unarmed dimms, mark namespaces read-only")
      Signed-off-by: default avatarRobert Elliott <elliott@hpe.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37e87504
    • Steffen Maier's avatar
      scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread · f723101e
      Steffen Maier authored
      commit 6a765508 upstream.
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1                      ZFCP_DBF_REC_TRIG
      Tag            : .......
      LUN            : 0x...
      WWPN           : 0x...
      D_ID           : 0x...
      Adapter status : 0x...
      Port status    : 0x...
      LUN status     : 0x...
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
      ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f723101e
    • Steffen Maier's avatar
      scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED · 1d7e2354
      Steffen Maier authored
      commit 8c3d20aa upstream.
      
      That other commit introduced an inconsistency because it would trace on
      ERP_FAILED for all callers of port forced reopen triggers (not just
      terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
      other ERP triggers such as adapter, port regular, LUN.
      
      Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
      had two early outs which re-used the one zfcp_dbf_rec_trig() call.  All ERP
      trigger functions finally run through zfcp_erp_action_enqueue().  So move
      the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
      zfcp_erp_action_enqueue() and add another early out with new trace marker
      for pseudo ERP need in this case. This removes all early returns from all
      ERP trigger functions so we always end up at zfcp_dbf_rec_trig().
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1                      ZFCP_DBF_REC_TRIG
      Tag            : .......
      LUN            : 0x...
      WWPN           : 0x...
      D_ID           : 0x...
      Adapter status : 0x...
      Port status    : 0x...
      LUN status     : 0x...
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
      ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d7e2354
    • Steffen Maier's avatar
      scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED · 24f2f5d7
      Steffen Maier authored
      commit d70aab55 upstream.
      
      For problem determination we always want to see when we were invoked on the
      terminate_rport_io callback whether we perform something or not.
      
      Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:
      
      loose remote port
      
      t   workqueue
      [s] zfcp_q_<dev>       IRQ                 zfcperp<dev>
      
      === ================== =================== ============================
      
        0                    recv RSCN
                             q p.test_link_work
          block rport
           start fast_io_fail_tmo
          send ADISC ELS
        4                    recv ADISC fail
                             block zfcp_port
                                                 port forced reopen
                                                 send open port
       12                    recv open port fail
                                                 q p.gid_pn_work
                                                 zfcp_erp_wakeup
                                                 (zfcp_erp_wait would return)
          GID_PN fail
      
      Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
      e.g. with the typical 5 sec setting.
      
          port.status |= ERP_FAILED
      
      If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.
      
          workqueue
          fc_dl_<host>
          ==================
       27 fc_timeout_fail_rport_io
          fc_terminate_rport_io
          zfcp_scsi_terminate_rport_io
          zfcp_erp_port_forced_reopen
          _zfcp_erp_port_forced_reopen
           if (port.status & ERP_FAILED)
            return;
      
      Therefore, write a trace before above early return.
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1                      ZFCP_DBF_REC_TRIG
      Tag            : sctrpi1                SCSI terminate rport I/O
      LUN            : 0xffffffffffffffff                     none (invalid)
      WWPN           : 0x<wwpn>
      D_ID           : 0x<n_port_id>
      Adapter status : 0x...
      Port status    : 0x...
      LUN status     : 0x00000000                             none (invalid)
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
      ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24f2f5d7
    • Steffen Maier's avatar
      scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return · 24558a87
      Steffen Maier authored
      commit 96d92704 upstream.
      
      get_device() and its internally used kobject_get() only return NULL if they
      get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
      adapter->port_list so the iteration variable port is always non-NULL.
      Struct device is embedded in struct zfcp_port so &port->dev is always
      non-NULL. This is the argument to get_device().  However, if we get an
      fc_rport in terminate_rport_io() for which we cannot find a match within
      zfcp_get_port_by_wwpn(), the latter can return NULL.  v2.6.30 commit
      70932935 ("[SCSI] zfcp: Fix oops when port disappears") introduced an
      early return without adding a trace record for this case.  Even if we don't
      need recovery in this case, for debugging we should still see that our
      callback was invoked originally by scsi_transport_fc.
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : REC
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1
      Tag            : sctrpin        SCSI terminate rport I/O, no zfcp port
      LUN            : 0xffffffffffffffff                     none (invalid)
      WWPN           : 0x<wwpn>               WWPN
      D_ID           : 0x<n_port_id>          N_Port-ID
      Adapter status : 0x...
      Port status    : 0xffffffff             unknown (-1)
      LUN status     : 0x00000000                             none (invalid)
      Ready count    : 0x...
      Running count  : 0x...
      ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
      ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Fixes: 70932935 ("[SCSI] zfcp: Fix oops when port disappears")
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24558a87
    • Steffen Maier's avatar
      scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed · 9ffe2bc9
      Steffen Maier authored
      commit 512857a7 upstream.
      
      If a SCSI device is deleted during scsi_eh host reset, we cannot get a
      reference to the SCSI device anymore since scsi_device_get returns !=0 by
      design. Assuming the recovery of adapter and port(s) was successful,
      zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
      half-gone SCSI device. Unfortunately, it causes the following confusing
      trace record which states that zfcp will do a LUN recovery as "ERP need" is
      ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".
      
      Old example trace record formatted with zfcpdbf from s390-tools:
      
      Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
      LUN            : 0x<FCP_LUN>
      WWPN           : 0x<WWPN>
      D_ID           : 0x<N_Port-ID>
      Adapter status : 0x5400050b
      Port status    : 0x54000001
      LUN status     : 0x40000000     ZFCP_STATUS_COMMON_RUNNING
                                      but not ZFCP_STATUS_COMMON_UNBLOCKED as it
                                      was closed on close part of adapter reopen
      ERP want       : 0x01
      ERP need       : 0x01           misleading
      
      However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
      Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
      actually happens.
      
      We always do want the recovery trigger trace record even if no erp_action
      could be enqueued as in this case. For other cases where we did not enqueue
      an erp_action, 'need' has always been zero to indicate this. In order to
      indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
      need" as 'not needed' but still keep the information which erp_action type,
      that zfcp_erp_required_act() had decided upon, is needed.  0xc_ is chosen to
      be visibly different from 0x0_ in "ERP want".
      
      New example trace record formatted with zfcpdbf from s390-tools:
      
      Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
      LUN            : 0x<FCP_LUN>
      WWPN           : 0x<WWPN>
      D_ID           : 0x<N_Port-ID>
      Adapter status : 0x5400050b
      Port status    : 0x54000001
      LUN status     : 0x40000000
      ERP want       : 0x01
      ERP need       : 0xc1           would need LUN ERP, but no action set up
                         ^
      
      Before v2.6.38 commit ae0904f6 ("[SCSI] zfcp: Redesign of the debug
      tracing for recovery actions.") we could detect this case because the
      "erp_action" field in the trace was NULL. The rework removed erp_action as
      argument and field from the trace.
      
      This patch here is for tracing. A fix to allow LUN recovery in the case at
      hand is a topic for a separate patch.
      
      See also commit fdbd1c5e ("[SCSI] zfcp: Allow running unit/LUN shutdown
      without acquiring reference") for a similar case and background info.
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Fixes: ae0904f6 ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ffe2bc9
    • Steffen Maier's avatar
      scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF · 9d8aee07
      Steffen Maier authored
      commit 81979ae6 upstream.
      
      We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
      zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
      our eh callback and an actual send/recv of an abort / TMF request.  In order
      to see the temporal sequence including any abort / TMF send retries, add a
      trace before the above two blocking functions.  This supports problem
      determination with scsi_eh and parallel zfcp ERP.
      
      No need to explicitly trace the beginning of our eh callback, since we
      typically can send an abort / TMF and see its HBA response (in the worst
      case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
      an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
      now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
      almost the beginning of the callback.
      
      No need to explicitly trace the wakeup after the above two blocking
      functions because the next retry loop causes another trace in any case and
      that is sufficient.
      
      Example trace records formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : SCSI
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1
      Tag            : abrt_wt        abort, before zfcp_erp_wait()
      Request ID     : 0x0000000000000000                     none (invalid)
      SCSI ID        : 0x<scsi_id>
      SCSI LUN       : 0x<scsi_lun>
      SCSI LUN high  : 0x<scsi_lun_high>
      SCSI result    : 0x<scsi_result_of_cmd_to_be_aborted>
      SCSI retries   : 0x<retries_of_cmd_to_be_aborted>
      SCSI allowed   : 0x<allowed_retries_of_cmd_to_be_aborted>
      SCSI scribble  : 0x<req_id_of_cmd_to_be_aborted>
      SCSI opcode    : <CDB_of_cmd_to_be_aborted>
      FCP rsp inf cod: 0x..                                   none (invalid)
      FCP rsp IU     : ...                                    none (invalid)
      
      Timestamp      : ...
      Area           : SCSI
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1
      Tag            : lr_wait        LUN reset, before zfcp_erp_wait()
      Request ID     : 0x0000000000000000                     none (invalid)
      SCSI ID        : 0x<scsi_id>
      SCSI LUN       : 0x<scsi_lun>
      SCSI LUN high  : 0x<scsi_lun_high>
      SCSI result    : 0x...                                  unrelated
      SCSI retries   : 0x..                                   unrelated
      SCSI allowed   : 0x..                                   unrelated
      SCSI scribble  : 0x...                                  unrelated
      SCSI opcode    : ...                                    unrelated
      FCP rsp inf cod: 0x..                                   none (invalid)
      FCP rsp IU     : ...                                    none (invalid)
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Fixes: 63caf367 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
      Fixes: af4de36d ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d8aee07
    • Steffen Maier's avatar
      scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler · faeba52a
      Steffen Maier authored
      commit df307816 upstream.
      
      For problem determination we need to see whether and why we were successful
      or not. This allows deduction of scsi_eh escalation.
      
      Example trace record formatted with zfcpdbf from s390-tools:
      
      Timestamp      : ...
      Area           : SCSI
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU ID         : ..
      Caller         : 0x...
      Record ID      : 1
      Tag            : schrh_r        SCSI host reset handler result
      Request ID     : 0x0000000000000000                     none (invalid)
      SCSI ID        : 0xffffffff                             none (invalid)
      SCSI LUN       : 0xffffffff                             none (invalid)
      SCSI LUN high  : 0xffffffff                             none (invalid)
      SCSI result    : 0x00002002     field re-used for midlayer value: SUCCESS
                                      or in other cases: 0x2009 == FAST_IO_FAIL
      SCSI retries   : 0xff                                   none (invalid)
      SCSI allowed   : 0xff                                   none (invalid)
      SCSI scribble  : 0xffffffffffffffff                     none (invalid)
      SCSI opcode    : ffffffff ffffffff ffffffff ffffffff    none (invalid)
      FCP rsp inf cod: 0xff                                   none (invalid)
      FCP rsp IU     : 00000000 00000000 00000000 00000000    none (invalid)
                       00000000 00000000
      
      v2.6.35 commit a1dbfddd ("[SCSI] zfcp: Pass return code from
      fc_block_scsi_eh to scsi eh") introduced the first return with something
      other than the previously hardcoded single SUCCESS return path.
      Signed-off-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Fixes: a1dbfddd ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: default avatarJens Remus <jremus@linux.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      faeba52a
    • Himanshu Madhani's avatar
      scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails · 0e5e7585
      Himanshu Madhani authored
      commit 413c2f33 upstream.
      
      This patch prevents driver from setting lower default speed of 1 GB/sec,
      if the switch does not support Get Port Speed Capabilities (GPSC)
      command. Setting this default speed results into much lower write
      performance for large sequential WRITE.  This patch modifies driver to
      check for gpsc_supported flags and prevents driver from issuing
      MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
      does not send this mailbox command, firmware assumes maximum supported
      link speed and will operate at the max speed.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Reported-by: default avatarEda Zhou <ezhou@redhat.com>
      Reviewed-by: default avatarEwan D. Milne <emilne@redhat.com>
      Tested-by: default avatarEwan D. Milne <emilne@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e5e7585
    • Martin Kelly's avatar
      iio:buffer: make length types match kfifo types · 5c39f9f3
      Martin Kelly authored
      commit c043ec1c upstream.
      
      Currently, we use int for buffer length and bytes_per_datum. However,
      kfifo uses unsigned int for length and size_t for element size. We need
      to make sure these matches or we will have bugs related to overflow (in
      the range between INT_MAX and UINT_MAX for length, for example).
      
      In addition, set_bytes_per_datum uses size_t while bytes_per_datum is an
      int, which would cause bugs for large values of bytes_per_datum.
      
      Change buffer length to use unsigned int and bytes_per_datum to use
      size_t.
      Signed-off-by: default avatarMartin Kelly <mkelly@xevo.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      [bwh: Backported to 4.4:
       - Drop change to iio_dma_buffer_set_length()
       - Adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c39f9f3
    • Omar Sandoval's avatar
      Btrfs: fix clone vs chattr NODATASUM race · c570525d
      Omar Sandoval authored
      commit b5c40d59 upstream.
      
      In btrfs_clone_files(), we must check the NODATASUM flag while the
      inodes are locked. Otherwise, it's possible that btrfs_ioctl_setflags()
      will change the flags after we check and we can end up with a party
      checksummed file.
      
      The race window is only a few instructions in size, between the if and
      the locks which is:
      
      3834         if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
      3835                 return -EISDIR;
      
      where the setflags must be run and toggle the NODATASUM flag (provided
      the file size is 0).  The clone will block on the inode lock, segflags
      takes the inode lock, changes flags, releases log and clone continues.
      
      Not impossible but still needs a lot of bad luck to hit unintentionally.
      
      Fixes: 0e7b824c ("Btrfs: don't make a file partly checksummed through file clone")
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      [ update changelog ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [ adjusted for 4.4 ]
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      c570525d
    • Geert Uytterhoeven's avatar
      time: Make sure jiffies_to_msecs() preserves non-zero time periods · 64a7976b
      Geert Uytterhoeven authored
      commit abcbcb80 upstream.
      
      For the common cases where 1000 is a multiple of HZ, or HZ is a multiple of
      1000, jiffies_to_msecs() never returns zero when passed a non-zero time
      period.
      
      However, if HZ > 1000 and not an integer multiple of 1000 (e.g. 1024 or
      1200, as used on alpha and DECstation), jiffies_to_msecs() may return zero
      for small non-zero time periods.  This may break code that relies on
      receiving back a non-zero value.
      
      jiffies_to_usecs() does not need such a fix: one jiffy can only be less
      than one µs if HZ > 1000000, and such large values of HZ are already
      rejected at build time, twice:
      
        - include/linux/jiffies.h does #error if HZ >= 12288,
        - kernel/time/time.c has BUILD_BUG_ON(HZ > USEC_PER_SEC).
      
      Broken since forever.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Stephen Boyd <sboyd@kernel.org>
      Cc: linux-alpha@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180622143357.7495-1-geert@linux-m68k.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64a7976b
    • Huacai Chen's avatar
      MIPS: io: Add barrier after register read in inX() · 3f74d64b
      Huacai Chen authored
      commit 18f3e95b upstream.
      
      While a barrier is present in the outX() functions before the register
      write, a similar barrier is missing in the inX() functions after the
      register read. This could allow memory accesses following inX() to
      observe stale data.
      
      This patch is very similar to commit a1cc7034 ("MIPS: io: Add
      barrier after register read in readX()"). Because war_io_reorder_wmb()
      is both used by writeX() and outX(), if readX() need a barrier then so
      does inX().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19516/Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Cc: James Hogan <james.hogan@mips.com>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: Huacai Chen <chenhuacai@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f74d64b
    • Mika Westerberg's avatar
      PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume · 81562a50
      Mika Westerberg authored
      commit 13c65840 upstream.
      
      After a suspend/resume cycle the Presence Detect or Data Link Layer Status
      Changed bits might be set.  If we don't clear them those events will not
      fire anymore and nothing happens for instance when a device is now
      hot-unplugged.
      
      Fix this by clearing those bits in a newly introduced function
      pcie_reenable_notification().  This should be fine because immediately
      after, we check if the adapter is still present by reading directly from
      the status register.
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81562a50
    • Tokunori Ikegami's avatar
      MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum · 256acf2c
      Tokunori Ikegami authored
      commit 2a027b47 upstream.
      
      The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as
      below.
      
        R10: PCIe Transactions Periodically Fail
      
          Description: The BCM5300X PCIe does not maintain transaction ordering.
                       This may cause PCIe transaction failure.
          Fix Comment: Add a dummy PCIe configuration read after a PCIe
                       configuration write to ensure PCIe configuration access
                       ordering. Set ES bit of CP0 configu7 register to enable
                       sync function so that the sync instruction is functional.
          Resolution:  hndpci.c: extpci_write_config()
                       hndmips.c: si_mips_init()
                       mipsinc.h CONF7_ES
      
      This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX.
      Also the dummy PCIe configuration read is already implemented in the
      Linux BCMA driver.
      
      Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y
      too so that the sync instruction is externalised.
      Signed-off-by: default avatarTokunori Ikegami <ikegami@allied-telesis.co.jp>
      Reviewed-by: default avatarPaul Burton <paul.burton@mips.com>
      Acked-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
      Cc: Rafał Miłecki <zajec5@gmail.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/19461/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      256acf2c
    • Joakim Tjernlund's avatar
      mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking. · 976c3f4c
      Joakim Tjernlund authored
      commit f1ce87f6 upstream.
      
      cfi_ppb_unlock() walks all flash chips when unlocking sectors,
      avoid walking chips unaffected by the unlock operation.
      
      Fixes: 1648eaaa ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJoakim Tjernlund <joakim.tjernlund@infinera.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      976c3f4c
    • Joakim Tjernlund's avatar
      mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary · cd309465
      Joakim Tjernlund authored
      commit 0cd8116f upstream.
      
      The "sector is in requested range" test used to determine whether
      sectors should be re-locked or not is done on a variable that is reset
      everytime we cross a chip boundary, which can lead to some blocks being
      re-locked while the caller expect them to be unlocked.
      Fix the check to make sure this cannot happen.
      
      Fixes: 1648eaaa ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJoakim Tjernlund <joakim.tjernlund@infinera.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd309465
    • Joakim Tjernlund's avatar
      mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips · 8a3f0a54
      Joakim Tjernlund authored
      commit 5fdfc3db upstream.
      
      cfi_ppb_unlock() tries to relock all sectors that were locked before
      unlocking the whole chip.
      This locking used the chip start address + the FULL offset from the
      first flash chip, thereby forming an illegal address. Fix that by using
      the chip offset(adr).
      
      Fixes: 1648eaaa ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJoakim Tjernlund <joakim.tjernlund@infinera.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a3f0a54
    • Joakim Tjernlund's avatar
      mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() · c1508429
      Joakim Tjernlund authored
      commit f93aa8c4 upstream.
      
      do_ppb_xxlock() fails to add chip->start when querying for lock status
      (and chip_ready test), which caused false status reports.
      Fix that by adding adr += chip->start and adjust call sites
      accordingly.
      
      Fixes: 1648eaaa ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJoakim Tjernlund <joakim.tjernlund@infinera.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1508429
    • Tokunori Ikegami's avatar
      mtd: cfi_cmdset_0002: Change write buffer to check correct value · 5069cd50
      Tokunori Ikegami authored
      commit dfeae107 upstream.
      
      For the word write it is checked if the chip has the correct value.
      But it is not checked for the write buffer as only checked if ready.
      To make sure for the write buffer change to check the value.
      
      It is enough as this patch is only checking the last written word.
      Since it is described by data sheets to check the operation status.
      Signed-off-by: default avatarTokunori Ikegami <ikegami@allied-telesis.co.jp>
      Reviewed-by: default avatarJoakim Tjernlund <Joakim.Tjernlund@infinera.com>
      Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
      Cc: Brian Norris <computersforpeace@gmail.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
      Cc: Marek Vasut <marek.vasut@gmail.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
      Cc: linux-mtd@lists.infradead.org
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5069cd50
    • Leon Romanovsky's avatar
      RDMA/mlx4: Discard unknown SQP work requests · 2f667ff7
      Leon Romanovsky authored
      commit 6b1ca7ec upstream.
      
      There is no need to crash the machine if unknown work request was
      received in SQP MAD.
      
      Cc: <stable@vger.kernel.org> # 3.6
      Fixes: 37bfc7c1 ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f667ff7
    • Mike Marciniszyn's avatar
      IB/qib: Fix DMA api warning with debug kernel · 586ff170
      Mike Marciniszyn authored
      commit 0252f733 upstream.
      
      The following error occurs in a debug build when running MPI PSM:
      
      [  307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
      check_unmap+0x4ee/0xa20
      [  307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
      error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
      [  307.517494] Modules linked in:
      [  307.531584]  ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
      sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
      scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
      ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
      irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
      ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
      iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
      ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
      crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
      sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
      drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
      [  307.846113]  pps_core dm_mirror dm_region_hash dm_log dm_mod
      [  307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
      tainted 3.10.0-862.el7.x86_64.debug #1
      [  307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
      [  307.944206] Call Trace:
      [  307.956973]  [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
      [  307.982201]  [<ffffffffbd2a2f58>] __warn+0xd8/0x100
      [  308.005999]  [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
      [  308.034260]  [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
      [  308.060801]  [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
      [  308.090689]  [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
      [  308.120155]  [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
      [  308.146656]  [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
      [  308.180739]  [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
      [  308.210733]  [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
      [  308.244837]  [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
      [  308.266025] qib_ib0.8006: multicast join failed for
      ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
      [  308.323421]  [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
      [  308.347077]  [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
      [  308.372533]  [<ffffffffbd47045a>] SyS_write+0x8a/0x100
      [  308.396456]  [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21
      
      The code calls a qib_map_page() which has never correctly tested for a
      mapping error.
      
      Fix by testing for pci_dma_mapping_error() in all cases and properly
      handling the failure in the caller.
      
      Additionally, streamline qib_map_page() arguments to satisfy just
      the single caller.
      
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarAlex Estrin <alex.estrin@intel.com>
      Tested-by: default avatarDon Dutile <ddutile@redhat.com>
      Reviewed-by: default avatarDon Dutile <ddutile@redhat.com>
      Signed-off-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      586ff170
    • Stefan M Schaeckeler's avatar
      of: unittest: for strings, account for trailing \0 in property length field · 548de4fd
      Stefan M Schaeckeler authored
      commit 3b9cf790 upstream.
      
      For strings, account for trailing \0 in property length field:
      
      This is consistent with how dtc builds string properties.
      
      Function __of_prop_dup() would misbehave on such properties as it duplicates
      properties based on the property length field creating new string values
      without trailing \0s.
      Signed-off-by: default avatarStefan M Schaeckeler <sschaeck@cisco.com>
      Reviewed-by: default avatarFrank Rowand <frank.rowand@sony.com>
      Tested-by: default avatarFrank Rowand <frank.rowand@sony.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      548de4fd
    • David Rivshin's avatar
      ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size · 523dc24b
      David Rivshin authored
      commit 76ed0b80 upstream.
      
      NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
      based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
      is the number of total registers, while GDB_MAX_REGS is the number
      of 'unsigned longs' it takes to serialize those registers. Since
      FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
      smaller than GDB_MAX_REGS.
      
      This causes GDB 8.0 give the following error on connect:
      "Truncated register 19 in remote 'g' packet"
      
      This also causes the register serialization/deserialization logic
      to overflow gdb_regs[], overwriting whatever follows.
      
      Fixes: 834b2964 ("kgdb,arm: fix register dump")
      Cc: <stable@vger.kernel.org> # 2.6.37+
      Signed-off-by: default avatarDavid Rivshin <drivshin@allworx.com>
      Acked-by: default avatarRabin Vincent <rabin@rab.in>
      Tested-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      523dc24b
    • Mahesh Salgaonkar's avatar
      powerpc/fadump: Unregister fadump on kexec down path. · 4c0e24ab
      Mahesh Salgaonkar authored
      commit 722cde76 upstream.
      
      Unregister fadump on kexec down path otherwise the fadump registration
      in new kexec-ed kernel complains that fadump is already registered.
      This makes new kernel to continue using fadump registered by previous
      kernel which may lead to invalid vmcore generation. Hence this patch
      fixes this issue by un-registering fadump in fadump_cleanup() which is
      called during kexec path so that new kernel can register fadump with
      new valid values.
      
      Fixes: b500afff ("fadump: Invalidate registration and release reserved memory for general use.")
      Cc: stable@vger.kernel.org # v3.4+
      Signed-off-by: default avatarMahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c0e24ab
    • Gautham R. Shenoy's avatar
      cpuidle: powernv: Fix promotion from snooze if next state disabled · 9397ee14
      Gautham R. Shenoy authored
      commit 0a4ec6aa upstream.
      
      The commit 78eaa10f ("cpuidle: powernv/pseries: Auto-promotion of
      snooze to deeper idle state") introduced a timeout for the snooze idle
      state so that it could be eventually be promoted to a deeper idle
      state. The snooze timeout value is static and set to the target
      residency of the next idle state, which would train the cpuidle
      governor to pick the next idle state eventually.
      
      The unfortunate side-effect of this is that if the next idle state(s)
      is disabled, the CPU will forever remain in snooze, despite the fact
      that the system is completely idle, and other deeper idle states are
      available.
      
      This patch fixes the issue by dynamically setting the snooze timeout
      to the target residency of the next enabled state on the device.
      
      Before Patch:
        POWER8 : Only nap disabled.
        $ cpupower monitor sleep 30
        sleep took 30.01297 seconds and exited with status 0
                      |Idle_Stats
        PKG |CORE|CPU | snoo | Nap  | Fast
           0|   8|   0| 96.41|  0.00|  0.00
           0|   8|   1| 96.43|  0.00|  0.00
           0|   8|   2| 96.47|  0.00|  0.00
           0|   8|   3| 96.35|  0.00|  0.00
           0|   8|   4| 96.37|  0.00|  0.00
           0|   8|   5| 96.37|  0.00|  0.00
           0|   8|   6| 96.47|  0.00|  0.00
           0|   8|   7| 96.47|  0.00|  0.00
      
        POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
        stop2) disabled:
        $ cpupower monitor sleep 30
        sleep took 30.05033 seconds and exited with status 0
                      |Idle_Stats
        PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
           0|  16|   0| 89.79|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
           0|  16|   1| 90.12|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
           0|  16|   2| 90.21|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
           0|  16|   3| 90.29|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
      
      After Patch:
        POWER8 : Only nap disabled.
        $ cpupower monitor sleep 30
        sleep took 30.01200 seconds and exited with status 0
                      |Idle_Stats
        PKG |CORE|CPU | snoo | Nap  | Fast
           0|   8|   0| 16.58|  0.00| 77.21
           0|   8|   1| 18.42|  0.00| 75.38
           0|   8|   2|  4.70|  0.00| 94.09
           0|   8|   3| 17.06|  0.00| 81.73
           0|   8|   4|  3.06|  0.00| 95.73
           0|   8|   5|  7.00|  0.00| 96.80
           0|   8|   6|  1.00|  0.00| 98.79
           0|   8|   7|  5.62|  0.00| 94.17
      
        POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
        stop2) disabled:
      
        $ cpupower monitor sleep 30
        sleep took 30.02110 seconds and exited with status 0
                      |Idle_Stats
        PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
           0|   0|   0|  0.69|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  9.39| 89.70
           0|   0|   1|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.05| 93.21
           0|   0|   2|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 89.93
           0|   0|   3|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 93.26
      
      Fixes: 78eaa10f ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state")
      Cc: stable@vger.kernel.org # v4.2+
      Signed-off-by: default avatarGautham R. Shenoy <ego@linux.vnet.ibm.com>
      Reviewed-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      9397ee14
    • Michael Neuling's avatar
      powerpc/ptrace: Fix enforcement of DAWR constraints · 76dcdfe3
      Michael Neuling authored
      commit cd6ef7ee upstream.
      
      Back when we first introduced the DAWR, in commit 4ae7ebe9
      ("powerpc: Change hardware breakpoint to allow longer ranges"), we
      screwed up the constraint making it a 1024 byte boundary rather than a
      512. This makes the check overly permissive. Fortunately GDB is the
      only real user and it always did they right thing, so we never
      noticed.
      
      This fixes the constraint to 512 bytes.
      
      Fixes: 4ae7ebe9 ("powerpc: Change hardware breakpoint to allow longer ranges")
      Cc: stable@vger.kernel.org # v3.9+
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76dcdfe3
    • Michael Neuling's avatar
      powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG · b3d0e0f0
      Michael Neuling authored
      commit 4f7c06e2 upstream.
      
      In commit e2a800be ("powerpc/hw_brk: Fix off by one error when
      validating DAWR region end") we fixed setting the DAWR end point to
      its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
      PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.
      
      PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
      zero (memset() in hw_breakpoint_init()). This worked with
      arch_validate_hwbkpt_settings() before the above patch was applied but
      is now broken if the breakpoint is 512byte aligned.
      
      This sets the length of the breakpoint to 8 bytes when using
      PTRACE_SET_DEBUGREG.
      
      Fixes: e2a800be ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
      Cc: stable@vger.kernel.org # v3.11+
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3d0e0f0
    • Aneesh Kumar K.V's avatar
      powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch · 1d92a7b3
      Aneesh Kumar K.V authored
      commit 91d06971 upstream.
      
      Currently we do not have an isync, or any other context synchronizing
      instruction prior to the slbie/slbmte in _switch() that updates the
      SLB entry for the kernel stack.
      
      However that is not correct as outlined in the ISA.
      
      From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:
      
        "Changing the contents of ... the contents of SLB entries ... can
         have the side effect of altering the context in which data
         addresses and instruction addresses are interpreted, and in which
         instructions are executed and data accesses are performed.
         ...
         These side effects need not occur in program order, and therefore
         may require explicit synchronization by software.
         ...
         The synchronizing instruction before the context-altering
         instruction ensures that all instructions up to and including that
         synchronizing instruction are fetched and executed in the context
         that existed before the alteration."
      
      And page 1136:
      
        "For data accesses, the context synchronizing instruction before the
         slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
         that all preceding instructions that access data storage have
         completed to a point at which they have reported all exceptions
         they will cause."
      
      We're not aware of any bugs caused by this, but it should be fixed
      regardless.
      
      Add the missing isync when updating kernel stack SLB entry.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      [mpe: Flesh out change log with more ISA text & explanation]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d92a7b3
    • Miklos Szeredi's avatar
      fuse: fix control dir setup and teardown · d6f4d0cf
      Miklos Szeredi authored
      commit 6becdb60 upstream.
      
      syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
      Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
      failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
      clear d_inode(dentry)->i_private field.
      
      Fix by only adding the dentry to the array after being fully set up.
      
      When tearing down the control directory, do d_invalidate() on it to get rid
      of any mounts that might have been added.
      
      [1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6Reported-by: default avatarsyzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
      Fixes: bafa9654 ("[PATCH] fuse: add control filesystem")
      Cc: <stable@vger.kernel.org> # v2.6.18
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6f4d0cf
    • Tetsuo Handa's avatar
      fuse: don't keep dead fuse_conn at fuse_fill_super(). · 8713c85a
      Tetsuo Handa authored
      commit 543b8f86 upstream.
      
      syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
      Since sb->s_fs_info field is not cleared after fc was released by
      fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
      already released fc and tries to hold the lock. Fix this by clearing
      sb->s_fs_info field after calling fuse_conn_put().
      
      [1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658dbSigned-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
      Fixes: 3b463ae0 ("fuse: invalidation reverse calls")
      Cc: John Muir <john@jmuir.com>
      Cc: Csaba Henk <csaba@gluster.com>
      Cc: Anand Avati <avati@redhat.com>
      Cc: <stable@vger.kernel.org> # v2.6.31
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8713c85a