1. 01 Oct, 2020 40 commits
    • Cong Wang's avatar
      atm: fix a memory leak of vcc->user_back · 54d019cd
      Cong Wang authored
      [ Upstream commit 8d9f73c0 ]
      
      In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
      could be installed on entry->recv_vcc too in lec_vcc_added().
      
      This fixes the following memory leak:
      
      unreferenced object 0xffff8880d9266b90 (size 16):
        comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
        hex dump (first 16 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5  ............kkk.
        backtrace:
          [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
          [<(____ptrval____)>] lane_ioctl+0x4b3/0x569
          [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
          [<(____ptrval____)>] svc_ioctl+0x17d/0x198
          [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
          [<(____ptrval____)>] sock_ioctl+0x2f9/0x322
          [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
          [<(____ptrval____)>] ksys_ioctl+0x61/0x80
          [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
          [<(____ptrval____)>] do_syscall_64+0x57/0x65
          [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      54d019cd
    • Krzysztof Kozlowski's avatar
      dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion · 34e255a6
      Krzysztof Kozlowski authored
      [ Upstream commit 8c149b7d ]
      
      The required supplies in bindings were actually not matching
      implementation making the bindings incorrect and misleading.  The Linux
      kernel driver requires all supplies to be present.  Also for wlf,wm8994
      uses just DBVDD-supply instead of DBVDDn-supply (n: <1,3>).
      Reported-by: default avatarJonathan Bakker <xc-racer2@live.ca>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Link: https://lore.kernel.org/r/20200501133534.6706-1-krzk@kernel.orgSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      34e255a6
    • Madhuparna Bhowmik's avatar
      drivers: char: tlclk.c: Avoid data race between init and interrupt handler · 73b0eb1b
      Madhuparna Bhowmik authored
      [ Upstream commit 44b8fb6e ]
      
      After registering character device the file operation callbacks can be
      called. The open callback registers interrupt handler.
      Therefore interrupt handler can execute in parallel with rest of the init
      function. To avoid such data race initialize telclk_interrupt variable
      and struct alarm_events before registering character device.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarMadhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
      Link: https://lore.kernel.org/r/20200417153451.1551-1-madhuparnabhowmik10@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      73b0eb1b
    • Douglas Anderson's avatar
      bdev: Reduce time holding bd_mutex in sync in blkdev_close() · 789789a6
      Douglas Anderson authored
      [ Upstream commit b849dd84 ]
      
      While trying to "dd" to the block device for a USB stick, I
      encountered a hung task warning (blocked for > 120 seconds).  I
      managed to come up with an easy way to reproduce this on my system
      (where /dev/sdb is the block device for my USB stick) with:
      
        while true; do dd if=/dev/zero of=/dev/sdb bs=4M; done
      
      With my reproduction here are the relevant bits from the hung task
      detector:
      
       INFO: task udevd:294 blocked for more than 122 seconds.
       ...
       udevd           D    0   294      1 0x00400008
       Call trace:
        ...
        mutex_lock_nested+0x40/0x50
        __blkdev_get+0x7c/0x3d4
        blkdev_get+0x118/0x138
        blkdev_open+0x94/0xa8
        do_dentry_open+0x268/0x3a0
        vfs_open+0x34/0x40
        path_openat+0x39c/0xdf4
        do_filp_open+0x90/0x10c
        do_sys_open+0x150/0x3c8
        ...
      
       ...
       Showing all locks held in the system:
       ...
       1 lock held by dd/2798:
        #0: ffffff814ac1a3b8 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x50/0x204
       ...
       dd              D    0  2798   2764 0x00400208
       Call trace:
        ...
        schedule+0x8c/0xbc
        io_schedule+0x1c/0x40
        wait_on_page_bit_common+0x238/0x338
        __lock_page+0x5c/0x68
        write_cache_pages+0x194/0x500
        generic_writepages+0x64/0xa4
        blkdev_writepages+0x24/0x30
        do_writepages+0x48/0xa8
        __filemap_fdatawrite_range+0xac/0xd8
        filemap_write_and_wait+0x30/0x84
        __blkdev_put+0x88/0x204
        blkdev_put+0xc4/0xe4
        blkdev_close+0x28/0x38
        __fput+0xe0/0x238
        ____fput+0x1c/0x28
        task_work_run+0xb0/0xe4
        do_notify_resume+0xfc0/0x14bc
        work_pending+0x8/0x14
      
      The problem appears related to the fact that my USB disk is terribly
      slow and that I have a lot of RAM in my system to cache things.
      Specifically my writes seem to be happening at ~15 MB/s and I've got
      ~4 GB of RAM in my system that can be used for buffering.  To write 4
      GB of buffer to disk thus takes ~4000 MB / ~15 MB/s = ~267 seconds.
      
      The 267 second number is a problem because in __blkdev_put() we call
      sync_blockdev() while holding the bd_mutex.  Any other callers who
      want the bd_mutex will be blocked for the whole time.
      
      The problem is made worse because I believe blkdev_put() specifically
      tells other tasks (namely udev) to go try to access the device at right
      around the same time we're going to hold the mutex for a long time.
      
      Putting some traces around this (after disabling the hung task detector),
      I could confirm:
       dd:    437.608600: __blkdev_put() right before sync_blockdev() for sdb
       udevd: 437.623901: blkdev_open() right before blkdev_get() for sdb
       dd:    661.468451: __blkdev_put() right after sync_blockdev() for sdb
       udevd: 663.820426: blkdev_open() right after blkdev_get() for sdb
      
      A simple fix for this is to realize that sync_blockdev() works fine if
      you're not holding the mutex.  Also, it's not the end of the world if
      you sync a little early (though it can have performance impacts).
      Thus we can make a guess that we're going to need to do the sync and
      then do it without holding the mutex.  We still do one last sync with
      the mutex but it should be much, much faster.
      
      With this, my hung task warnings for my test case are gone.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarGuenter Roeck <groeck@chromium.org>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      789789a6
    • Steve Rutherford's avatar
      KVM: Remove CREATE_IRQCHIP/SET_PIT2 race · 54d2893f
      Steve Rutherford authored
      [ Upstream commit 7289fdb5 ]
      
      Fixes a NULL pointer dereference, caused by the PIT firing an interrupt
      before the interrupt table has been initialized.
      
      SET_PIT2 can race with the creation of the IRQchip. In particular,
      if SET_PIT2 is called with a low PIT timer period (after the creation of
      the IOAPIC, but before the instantiation of the irq routes), the PIT can
      fire an interrupt at an uninitialized table.
      Signed-off-by: default avatarSteve Rutherford <srutherford@google.com>
      Signed-off-by: default avatarJon Cargille <jcargill@google.com>
      Reviewed-by: default avatarJim Mattson <jmattson@google.com>
      Message-Id: <20200416191152.259434-1-jcargill@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      54d2893f
    • Jaewon Kim's avatar
      mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area · c21895bb
      Jaewon Kim authored
      [ Upstream commit 09ef5283 ]
      
      On passing requirement to vm_unmapped_area, arch_get_unmapped_area and
      arch_get_unmapped_area_topdown did not set align_offset.  Internally on
      both unmapped_area and unmapped_area_topdown, if info->align_mask is 0,
      then info->align_offset was meaningless.
      
      But commit df529cab ("mm: mmap: add trace point of
      vm_unmapped_area") always prints info->align_offset even though it is
      uninitialized.
      
      Fix this uninitialized value issue by setting it to 0 explicitly.
      
      Before:
        vm_unmapped_area: addr=0x755b155000 err=0 total_vm=0x15aaf0 flags=0x1 len=0x109000 lo=0x8000 hi=0x75eed48000 mask=0x0 ofs=0x4022
      
      After:
        vm_unmapped_area: addr=0x74a4ca1000 err=0 total_vm=0x168ab1 flags=0x1 len=0x9000 lo=0x8000 hi=0x753d94b000 mask=0x0 ofs=0x0
      Signed-off-by: default avatarJaewon Kim <jaewon31.kim@samsung.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Borislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/20200409094035.19457-1-jaewon31.kim@samsung.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c21895bb
    • Xianting Tian's avatar
      mm/filemap.c: clear page error before actual read · ea44cd77
      Xianting Tian authored
      [ Upstream commit faffdfa0 ]
      
      Mount failure issue happens under the scenario: Application forked dozens
      of threads to mount the same number of cramfs images separately in docker,
      but several mounts failed with high probability.  Mount failed due to the
      checking result of the page(read from the superblock of loop dev) is not
      uptodate after wait_on_page_locked(page) returned in function cramfs_read:
      
         wait_on_page_locked(page);
         if (!PageUptodate(page)) {
            ...
         }
      
      The reason of the checking result of the page not uptodate: systemd-udevd
      read the loopX dev before mount, because the status of loopX is Lo_unbound
      at this time, so loop_make_request directly trigger the calling of io_end
      handler end_buffer_async_read, which called SetPageError(page).  So It
      caused the page can't be set to uptodate in function
      end_buffer_async_read:
      
         if(page_uptodate && !PageError(page)) {
            SetPageUptodate(page);
         }
      
      Then mount operation is performed, it used the same page which is just
      accessed by systemd-udevd above, Because this page is not uptodate, it
      will launch a actual read via submit_bh, then wait on this page by calling
      wait_on_page_locked(page).  When the I/O of the page done, io_end handler
      end_buffer_async_read is called, because no one cleared the page
      error(during the whole read path of mount), which is caused by
      systemd-udevd reading, so this page is still in "PageError" status, which
      can't be set to uptodate in function end_buffer_async_read, then caused
      mount failure.
      
      But sometimes mount succeed even through systemd-udeved read loopX dev
      just before, The reason is systemd-udevd launched other loopX read just
      between step 3.1 and 3.2, the steps as below:
      
      1, loopX dev default status is Lo_unbound;
      2, systemd-udved read loopX dev (page is set to PageError);
      3, mount operation
         1) set loopX status to Lo_bound;
         ==>systemd-udevd read loopX dev<==
         2) read loopX dev(page has no error)
         3) mount succeed
      
      As the loopX dev status is set to Lo_bound after step 3.1, so the other
      loopX dev read by systemd-udevd will go through the whole I/O stack, part
      of the call trace as below:
      
         SYS_read
            vfs_read
                do_sync_read
                    blkdev_aio_read
                       generic_file_aio_read
                           do_generic_file_read:
                              ClearPageError(page);
                              mapping->a_ops->readpage(filp, page);
      
      here, mapping->a_ops->readpage() is blkdev_readpage.  In latest kernel,
      some function name changed, the call trace as below:
      
         blkdev_read_iter
            generic_file_read_iter
               generic_file_buffered_read:
                  /*
                   * A previous I/O error may have been due to temporary
                   * failures, eg. mutipath errors.
                   * Pg_error will be set again if readpage fails.
                   */
                  ClearPageError(page);
                  /* Start the actual read. The read will unlock the page*/
                  error=mapping->a_ops->readpage(flip, page);
      
      We can see ClearPageError(page) is called before the actual read,
      then the read in step 3.2 succeed.
      
      This patch is to add the calling of ClearPageError just before the actual
      read of read path of cramfs mount.  Without the patch, the call trace as
      below when performing cramfs mount:
      
         do_mount
            cramfs_read
               cramfs_blkdev_read
                  read_cache_page
                     do_read_cache_page:
                        filler(data, page);
                        or
                        mapping->a_ops->readpage(data, page);
      
      With the patch, the call trace as below when performing mount:
      
         do_mount
            cramfs_read
               cramfs_blkdev_read
                  read_cache_page:
                     do_read_cache_page:
                        ClearPageError(page); <== new add
                        filler(data, page);
                        or
                        mapping->a_ops->readpage(data, page);
      
      With the patch, mount operation trigger the calling of
      ClearPageError(page) before the actual read, the page has no error if no
      additional page error happen when I/O done.
      Signed-off-by: default avatarXianting Tian <xianting_tian@126.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Jan Kara <jack@suse.cz>
      Cc: <yubin@h3c.com>
      Link: http://lkml.kernel.org/r/1583318844-22971-1-git-send-email-xianting_tian@126.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ea44cd77
    • Andreas Steinmetz's avatar
      ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor · 0868bc56
      Andreas Steinmetz authored
      [ Upstream commit 5c6cd702 ]
      
      The Miditech MIDIFACE 16x16 (USB ID 1290:1749) has more than one extra
      endpoint descriptor.
      
      The first extra descriptor is: 0x06 0x30 0x00 0x00 0x00 0x00
      
      As the code in snd_usbmidi_get_ms_info() looks only at the
      first extra descriptor to find USB_DT_CS_ENDPOINT the device
      as such is recognized but there is neither input nor output
      configured.
      
      The patch iterates through the extra descriptors to find the
      proper one. With this patch the device is correctly configured.
      Signed-off-by: default avatarAndreas Steinmetz <ast@domdv.de>
      Link: https://lore.kernel.org/r/1c3b431a86f69e1d60745b6110cdb93c299f120b.camel@domdv.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0868bc56
    • Liu Song's avatar
      ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len · 67ddb32a
      Liu Song authored
      [ Upstream commit acc5af3e ]
      
      In “ubifs_check_node”, when the value of "node_len" is abnormal,
      the code will goto label of "out_len" for execution. Then, in the
      following "ubifs_dump_node", if inode type is "UBIFS_DATA_NODE",
      in "print_hex_dump", an out-of-bounds access may occur due to the
      wrong "ch->len".
      
      Therefore, when the value of "node_len" is abnormal, data length
      should to be adjusted to a reasonable safe range. At this time,
      structured data is not credible, so dump the corrupted data directly
      for analysis.
      Signed-off-by: default avatarLiu Song <liu.song11@zte.com.cn>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      67ddb32a
    • Chuck Lever's avatar
      svcrdma: Fix leak of transport addresses · 503294dc
      Chuck Lever authored
      [ Upstream commit 1a33d8a2 ]
      
      Kernel memory leak detected:
      
      unreferenced object 0xffff888849cdf480 (size 8):
        comm "kworker/u8:3", pid 2086, jiffies 4297898756 (age 4269.856s)
        hex dump (first 8 bytes):
          30 00 cd 49 88 88 ff ff                          0..I....
        backtrace:
          [<00000000acfc370b>] __kmalloc_track_caller+0x137/0x183
          [<00000000a2724354>] kstrdup+0x2b/0x43
          [<0000000082964f84>] xprt_rdma_format_addresses+0x114/0x17d [rpcrdma]
          [<00000000dfa6ed00>] xprt_setup_rdma_bc+0xc0/0x10c [rpcrdma]
          [<0000000073051a83>] xprt_create_transport+0x3f/0x1a0 [sunrpc]
          [<0000000053531a8e>] rpc_create+0x118/0x1cd [sunrpc]
          [<000000003a51b5f8>] setup_callback_client+0x1a5/0x27d [nfsd]
          [<000000001bd410af>] nfsd4_process_cb_update.isra.7+0x16c/0x1ac [nfsd]
          [<000000007f4bbd56>] nfsd4_run_cb_work+0x4c/0xbd [nfsd]
          [<0000000055c5586b>] process_one_work+0x1b2/0x2fe
          [<00000000b1e3e8ef>] worker_thread+0x1a6/0x25a
          [<000000005205fb78>] kthread+0xf6/0xfb
          [<000000006d2dc057>] ret_from_fork+0x3a/0x50
      
      Introduce a call to xprt_rdma_free_addresses() similar to the way
      that the TCP backchannel releases a transport's peer address
      strings.
      
      Fixes: 5d252f90 ("svcrdma: Add class for RDMA backwards direction transport")
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      503294dc
    • Christophe JAILLET's avatar
      SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' · 778f78f9
      Christophe JAILLET authored
      [ Upstream commit b25b60d7 ]
      
      'maxlen' is the total size of the destination buffer. There is only one
      caller and this value is 256.
      
      When we compute the size already used and what we would like to add in
      the buffer, the trailling NULL character is not taken into account.
      However, this trailling character will be added by the 'strcat' once we
      have checked that we have enough place.
      
      So, there is a off-by-one issue and 1 byte of the stack could be
      erroneously overwridden.
      
      Take into account the trailling NULL, when checking if there is enough
      place in the destination buffer.
      
      While at it, also replace a 'sprintf' by a safer 'snprintf', check for
      output truncation and avoid a superfluous 'strlen'.
      
      Fixes: dc9a16e4 ("svc: Add /proc/sys/sunrpc/transport files")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      [ cel: very minor fix to documenting comment
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      778f78f9
    • Gabriel Ravier's avatar
      tools: gpio-hammer: Avoid potential overflow in main · 63ab6bce
      Gabriel Ravier authored
      [ Upstream commit d1ee7e1f ]
      
      If '-o' was used more than 64 times in a single invocation of gpio-hammer,
      this could lead to an overflow of the 'lines' array. This commit fixes
      this by avoiding the overflow and giving a proper diagnostic back to the
      user
      Signed-off-by: default avatarGabriel Ravier <gabravier@gmail.com>
      Signed-off-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      63ab6bce
    • Pratik Rajesh Sampat's avatar
      cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn · 3384083d
      Pratik Rajesh Sampat authored
      [ Upstream commit d95fe371 ]
      
      The patch avoids allocating cpufreq_policy on stack hence fixing frame
      size overflow in 'powernv_cpufreq_work_fn'
      
      Fixes: 22794280 ("cpufreq: powernv: Restore cpu frequency to policy->cur on unthrottling")
      Signed-off-by: default avatarPratik Rajesh Sampat <psampat@linux.ibm.com>
      Reviewed-by: default avatarDaniel Axtens <dja@axtens.net>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20200316135743.57735-1-psampat@linux.ibm.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      3384083d
    • Vignesh Raghavendra's avatar
      serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout · 1ce09dea
      Vignesh Raghavendra authored
      [ Upstream commit 7cf4df30 ]
      
      Terminate and flush DMA internal buffers, before pushing RX data to
      higher layer. Otherwise, this will lead to data corruption, as driver
      would end up pushing stale buffer data to higher layer while actual data
      is still stuck inside DMA hardware and has yet not arrived at the
      memory.
      While at that, replace deprecated dmaengine_terminate_all() with
      dmaengine_terminate_async().
      Signed-off-by: default avatarVignesh Raghavendra <vigneshr@ti.com>
      Link: https://lore.kernel.org/r/20200319110344.21348-2-vigneshr@ti.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1ce09dea
    • Peter Ujfalusi's avatar
      serial: 8250_omap: Fix sleeping function called from invalid context during probe · cd8dda53
      Peter Ujfalusi authored
      [ Upstream commit 4ce35a36 ]
      
      When booting j721e the following bug is printed:
      
      [    1.154821] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99
      [    1.154827] in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 12, name: kworker/0:1
      [    1.154832] 3 locks held by kworker/0:1/12:
      [    1.154836]  #0: ffff000840030728 ((wq_completion)events){+.+.}, at: process_one_work+0x1d4/0x6e8
      [    1.154852]  #1: ffff80001214fdd8 (deferred_probe_work){+.+.}, at: process_one_work+0x1d4/0x6e8
      [    1.154860]  #2: ffff00084060b170 (&dev->mutex){....}, at: __device_attach+0x38/0x138
      [    1.154872] irq event stamp: 63096
      [    1.154881] hardirqs last  enabled at (63095): [<ffff800010b74318>] _raw_spin_unlock_irqrestore+0x70/0x78
      [    1.154887] hardirqs last disabled at (63096): [<ffff800010b740d8>] _raw_spin_lock_irqsave+0x28/0x80
      [    1.154893] softirqs last  enabled at (62254): [<ffff800010080c88>] _stext+0x488/0x564
      [    1.154899] softirqs last disabled at (62247): [<ffff8000100fdb3c>] irq_exit+0x114/0x140
      [    1.154906] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.0-rc6-next-20200318-00094-g45e4089b0bd3 #221
      [    1.154911] Hardware name: Texas Instruments K3 J721E SoC (DT)
      [    1.154917] Workqueue: events deferred_probe_work_func
      [    1.154923] Call trace:
      [    1.154928]  dump_backtrace+0x0/0x190
      [    1.154933]  show_stack+0x14/0x20
      [    1.154940]  dump_stack+0xe0/0x148
      [    1.154946]  ___might_sleep+0x150/0x1f0
      [    1.154952]  __might_sleep+0x4c/0x80
      [    1.154957]  wait_for_completion_timeout+0x40/0x140
      [    1.154964]  ti_sci_set_device_state+0xa0/0x158
      [    1.154969]  ti_sci_cmd_get_device_exclusive+0x14/0x20
      [    1.154977]  ti_sci_dev_start+0x34/0x50
      [    1.154984]  genpd_runtime_resume+0x78/0x1f8
      [    1.154991]  __rpm_callback+0x3c/0x140
      [    1.154996]  rpm_callback+0x20/0x80
      [    1.155001]  rpm_resume+0x568/0x758
      [    1.155007]  __pm_runtime_resume+0x44/0xb0
      [    1.155013]  omap8250_probe+0x2b4/0x508
      [    1.155019]  platform_drv_probe+0x50/0xa0
      [    1.155023]  really_probe+0xd4/0x318
      [    1.155028]  driver_probe_device+0x54/0xe8
      [    1.155033]  __device_attach_driver+0x80/0xb8
      [    1.155039]  bus_for_each_drv+0x74/0xc0
      [    1.155044]  __device_attach+0xdc/0x138
      [    1.155049]  device_initial_probe+0x10/0x18
      [    1.155053]  bus_probe_device+0x98/0xa0
      [    1.155058]  deferred_probe_work_func+0x74/0xb0
      [    1.155063]  process_one_work+0x280/0x6e8
      [    1.155068]  worker_thread+0x48/0x430
      [    1.155073]  kthread+0x108/0x138
      [    1.155079]  ret_from_fork+0x10/0x18
      
      To fix the bug we need to first call pm_runtime_enable() prior to any
      pm_runtime calls.
      Reported-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Link: https://lore.kernel.org/r/20200320125200.6772-1-peter.ujfalusi@ti.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cd8dda53
    • Vignesh Raghavendra's avatar
      serial: 8250_port: Don't service RX FIFO if throttled · 266bda1b
      Vignesh Raghavendra authored
      [ Upstream commit f19c3f6c ]
      
      When port's throttle callback is called, it should stop pushing any more
      data into TTY buffer to avoid buffer overflow. This means driver has to
      stop HW from receiving more data and assert the HW flow control. For
      UARTs with auto HW flow control (such as 8250_omap) manual assertion of
      flow control line is not possible and only way is to allow RX FIFO to
      fill up, thus trigger auto HW flow control logic.
      
      Therefore make sure that 8250 generic IRQ handler does not drain data
      when port is stopped (i.e UART_LSR_DR is unset in read_status_mask). Not
      servicing, RX FIFO would trigger auto HW flow control when FIFO
      occupancy reaches preset threshold, thus halting RX.
      Since, error conditions in UART_LSR register are cleared just by reading
      the register, data has to be drained in case there are FIFO errors, else
      error information will lost.
      Signed-off-by: default avatarVignesh Raghavendra <vigneshr@ti.com>
      Link: https://lore.kernel.org/r/20200319103230.16867-2-vigneshr@ti.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      266bda1b
    • Nathan Chancellor's avatar
      tracing: Use address-of operator on section symbols · efff0333
      Nathan Chancellor authored
      [ Upstream commit bf2cbe04 ]
      
      Clang warns:
      
      ../kernel/trace/trace.c:9335:33: warning: array comparison always
      evaluates to true [-Wtautological-compare]
              if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt)
                                             ^
      1 warning generated.
      
      These are not true arrays, they are linker defined symbols, which are
      just addresses. Using the address of operator silences the warning and
      does not change the runtime result of the check (tested with some print
      statements compiled in with clang + ld.lld and gcc + ld.bfd in QEMU).
      
      Link: http://lkml.kernel.org/r/20200220051011.26113-1-natechancellor@gmail.com
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/893Suggested-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      efff0333
    • Stefan Berger's avatar
      tpm: ibmvtpm: Wait for buffer to be set before proceeding · e554d37c
      Stefan Berger authored
      [ Upstream commit d8d74ea3 ]
      
      Synchronize with the results from the CRQs before continuing with
      the initialization. This avoids trying to send TPM commands while
      the rtce buffer has not been allocated, yet.
      
      This patch fixes an existing race condition that may occurr if the
      hypervisor does not quickly respond to the VTPM_GET_RTCE_BUFFER_SIZE
      request sent during initialization and therefore the ibmvtpm->rtce_buf
      has not been allocated at the time the first TPM command is sent.
      
      Fixes: 132f7629 ("drivers/char/tpm: Add new device driver to support IBM vTPM")
      Signed-off-by: default avatarStefan Berger <stefanb@linux.ibm.com>
      Acked-by: default avatarNayna Jain <nayna@linux.ibm.com>
      Tested-by: default avatarNayna Jain <nayna@linux.ibm.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e554d37c
    • Darrick J. Wong's avatar
      xfs: don't ever return a stale pointer from __xfs_dir3_free_read · c830f942
      Darrick J. Wong authored
      [ Upstream commit 1cb5deb5 ]
      
      If we decide that a directory free block is corrupt, we must take care
      not to leak a buffer pointer to the caller.  After xfs_trans_brelse
      returns, the buffer can be freed or reused, which means that we have to
      set *bpp back to NULL.
      
      Callers are supposed to notice the nonzero return value and not use the
      buffer pointer, but we should code more defensively, even if all current
      callers handle this situation correctly.
      
      Fixes: de14c5f5 ("xfs: verify free block header fields")
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c830f942
    • Colin Ian King's avatar
      media: tda10071: fix unsigned sign extension overflow · cf9c9494
      Colin Ian King authored
      [ Upstream commit a7463e2d ]
      
      The shifting of buf[3] by 24 bits to the left will be promoted to
      a 32 bit signed int and then sign-extended to an unsigned long. In
      the unlikely event that the the top bit of buf[3] is set then all
      then all the upper bits end up as also being set because of
      the sign-extension and this affect the ev->post_bit_error sum.
      Fix this by using the temporary u32 variable bit_error to avoid
      the sign-extension promotion. This also removes the need to do the
      computation twice.
      
      Addresses-Coverity: ("Unintended sign extension")
      
      Fixes: 267897a4 ("[media] tda10071: implement DVBv5 statistics")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cf9c9494
    • Howard Chung's avatar
      Bluetooth: L2CAP: handle l2cap config request during open state · b7d0ca71
      Howard Chung authored
      [ Upstream commit 96298f64 ]
      
      According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5,
      the incoming L2CAP_ConfigReq should be handled during
      OPEN state.
      
      The section below shows the btmon trace when running
      L2CAP/COS/CFD/BV-12-C before and after this change.
      
      === Before ===
      ...
      > ACL Data RX: Handle 256 flags 0x02 dlen 12                #22
            L2CAP: Connection Request (0x02) ident 2 len 4
              PSM: 1 (0x0001)
              Source CID: 65
      < ACL Data TX: Handle 256 flags 0x00 dlen 16                #23
            L2CAP: Connection Response (0x03) ident 2 len 8
              Destination CID: 64
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      < ACL Data TX: Handle 256 flags 0x00 dlen 12                #24
            L2CAP: Configure Request (0x04) ident 2 len 4
              Destination CID: 65
              Flags: 0x0000
      > HCI Event: Number of Completed Packets (0x13) plen 5      #25
              Num handles: 1
              Handle: 256
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5      #26
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 16                #27
            L2CAP: Configure Request (0x04) ident 3 len 8
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00                                            ..
      < ACL Data TX: Handle 256 flags 0x00 dlen 18                #28
            L2CAP: Configure Response (0x05) ident 3 len 10
              Source CID: 65
              Flags: 0x0000
              Result: Success (0x0000)
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 672
      > HCI Event: Number of Completed Packets (0x13) plen 5      #29
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 14                #30
            L2CAP: Configure Response (0x05) ident 2 len 6
              Source CID: 64
              Flags: 0x0000
              Result: Success (0x0000)
      > ACL Data RX: Handle 256 flags 0x02 dlen 20                #31
            L2CAP: Configure Request (0x04) ident 3 len 12
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00 91 02 11 11                                ......
      < ACL Data TX: Handle 256 flags 0x00 dlen 14                #32
            L2CAP: Command Reject (0x01) ident 3 len 6
              Reason: Invalid CID in request (0x0002)
              Destination CID: 64
              Source CID: 65
      > HCI Event: Number of Completed Packets (0x13) plen 5      #33
              Num handles: 1
              Handle: 256
              Count: 1
      ...
      === After ===
      ...
      > ACL Data RX: Handle 256 flags 0x02 dlen 12               #22
            L2CAP: Connection Request (0x02) ident 2 len 4
              PSM: 1 (0x0001)
              Source CID: 65
      < ACL Data TX: Handle 256 flags 0x00 dlen 16               #23
            L2CAP: Connection Response (0x03) ident 2 len 8
              Destination CID: 64
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      < ACL Data TX: Handle 256 flags 0x00 dlen 12               #24
            L2CAP: Configure Request (0x04) ident 2 len 4
              Destination CID: 65
              Flags: 0x0000
      > HCI Event: Number of Completed Packets (0x13) plen 5     #25
              Num handles: 1
              Handle: 256
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5     #26
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 16               #27
            L2CAP: Configure Request (0x04) ident 3 len 8
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00                                            ..
      < ACL Data TX: Handle 256 flags 0x00 dlen 18               #28
            L2CAP: Configure Response (0x05) ident 3 len 10
              Source CID: 65
              Flags: 0x0000
              Result: Success (0x0000)
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 672
      > HCI Event: Number of Completed Packets (0x13) plen 5     #29
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 14               #30
            L2CAP: Configure Response (0x05) ident 2 len 6
              Source CID: 64
              Flags: 0x0000
              Result: Success (0x0000)
      > ACL Data RX: Handle 256 flags 0x02 dlen 20               #31
            L2CAP: Configure Request (0x04) ident 3 len 12
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00 91 02 11 11                                .....
      < ACL Data TX: Handle 256 flags 0x00 dlen 18               #32
            L2CAP: Configure Response (0x05) ident 3 len 10
              Source CID: 65
              Flags: 0x0000
              Result: Success (0x0000)
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 672
      < ACL Data TX: Handle 256 flags 0x00 dlen 12               #33
            L2CAP: Configure Request (0x04) ident 3 len 4
              Destination CID: 65
              Flags: 0x0000
      > HCI Event: Number of Completed Packets (0x13) plen 5     #34
              Num handles: 1
              Handle: 256
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5     #35
              Num handles: 1
              Handle: 256
              Count: 1
      ...
      Signed-off-by: default avatarHoward Chung <howardchung@google.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b7d0ca71
    • John Clements's avatar
      drm/amdgpu: increase atombios cmd timeout · eedba8ca
      John Clements authored
      [ Upstream commit 1b3460a8 ]
      
      mitigates race condition on BACO reset between GPU bootcode and driver reload
      Reviewed-by: default avatarHawking Zhang <Hawking.Zhang@amd.com>
      Signed-off-by: default avatarJohn Clements <john.clements@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eedba8ca
    • Wen Yang's avatar
      timekeeping: Prevent 32bit truncation in scale64_check_overflow() · 61f27ba2
      Wen Yang authored
      [ Upstream commit 4cbbc3a0 ]
      
      While unlikely the divisor in scale64_check_overflow() could be >= 32bit in
      scale64_check_overflow(). do_div() truncates the divisor to 32bit at least
      on 32bit platforms.
      
      Use div64_u64() instead to avoid the truncation to 32-bit.
      
      [ tglx: Massaged changelog ]
      Signed-off-by: default avatarWen Yang <wenyang@linux.alibaba.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20200120100523.45656-1-wenyang@linux.alibaba.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      61f27ba2
    • Alain Michaud's avatar
      Bluetooth: guard against controllers sending zero'd events · e500a986
      Alain Michaud authored
      [ Upstream commit 08bb4da9 ]
      
      Some controllers have been observed to send zero'd events under some
      conditions.  This change guards against this condition as well as adding
      a trace to facilitate diagnosability of this condition.
      Signed-off-by: default avatarAlain Michaud <alainm@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e500a986
    • Takashi Iwai's avatar
      media: go7007: Fix URB type for interrupt handling · 12b28adc
      Takashi Iwai authored
      [ Upstream commit a3ea410c ]
      
      Josef reported that his old-and-good Plextor ConvertX M402U video
      converter spews lots of WARNINGs on the recent kernels, and it turned
      out that the device uses a bulk endpoint for interrupt handling just
      like 2250 board.
      
      For fixing it, generalize the check with the proper verification of
      the endpoint instead of hard-coded board type check.
      
      Fixes: 7e5219d1 ("[media] go7007: Fix 2250 urb type")
      Reported-and-tested-by: default avatarJosef Möllers <josef.moellers@suse.com>
      BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1162583
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206427Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      12b28adc
    • Dmitry Osipenko's avatar
      dmaengine: tegra-apb: Prevent race conditions on channel's freeing · 2bf54618
      Dmitry Osipenko authored
      [ Upstream commit 8e84172e ]
      
      It's incorrect to check the channel's "busy" state without taking a lock.
      That shouldn't cause any real troubles, nevertheless it's always better
      not to have any race conditions in the code.
      Signed-off-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Acked-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Link: https://lore.kernel.org/r/20200209163356.6439-5-digetx@gmail.comSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bf54618
    • Thomas Gleixner's avatar
      bpf: Remove recursion prevention from rcu free callback · d59ef312
      Thomas Gleixner authored
      [ Upstream commit 8a37963c ]
      
      If an element is freed via RCU then recursion into BPF instrumentation
      functions is not a concern. The element is already detached from the map
      and the RCU callback does not hold any locks on which a kprobe, perf event
      or tracepoint attached BPF program could deadlock.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20200224145643.259118710@linutronix.deSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      d59ef312
    • Dave Hansen's avatar
      x86/pkeys: Add check for pkey "overflow" · 33b2fd5f
      Dave Hansen authored
      [ Upstream commit 16171bff ]
      
      Alex Shi reported the pkey macros above arch_set_user_pkey_access()
      to be unused.  They are unused, and even refer to a nonexistent
      CONFIG option.
      
      But, they might have served a good use, which was to ensure that
      the code does not try to set values that would not fit in the
      PKRU register.  As it stands, a too-large 'pkey' value would
      be likely to silently overflow the u32 new_pkru_bits.
      
      Add a check to look for overflows.  Also add a comment to remind
      any future developer to closely examine the types used to store
      pkey values if arch_max_pkey() ever changes.
      
      This boots and passes the x86 pkey selftests.
      Reported-by: default avatarAlex Shi <alex.shi@linux.alibaba.com>
      Signed-off-by: default avatarDave Hansen <dave.hansen@intel.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20200122165346.AD4DA150@viggo.jf.intel.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      33b2fd5f
    • Paolo Bonzini's avatar
      KVM: x86: fix incorrect comparison in trace event · 9ee952c3
      Paolo Bonzini authored
      [ Upstream commit 147f1a1f ]
      
      The "u" field in the event has three states, -1/0/1.  Using u8 however means that
      comparison with -1 will always fail, so change to signed char.
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9ee952c3
    • Bart Van Assche's avatar
      RDMA/rxe: Fix configuration of atomic queue pair attributes · 7d0284ac
      Bart Van Assche authored
      [ Upstream commit fb3063d3 ]
      
      From the comment above the definition of the roundup_pow_of_two() macro:
      
           The result is undefined when n == 0.
      
      Hence only pass positive values to roundup_pow_of_two(). This patch fixes
      the following UBSAN complaint:
      
        UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13
        shift exponent 64 is too large for 64-bit type 'long unsigned int'
        Call Trace:
         dump_stack+0xa5/0xe6
         ubsan_epilogue+0x9/0x26
         __ubsan_handle_shift_out_of_bounds.cold+0x4c/0xf9
         rxe_qp_from_attr.cold+0x37/0x5d [rdma_rxe]
         rxe_modify_qp+0x59/0x70 [rdma_rxe]
         _ib_modify_qp+0x5aa/0x7c0 [ib_core]
         ib_modify_qp+0x3b/0x50 [ib_core]
         cma_modify_qp_rtr+0x234/0x260 [rdma_cm]
         __rdma_accept+0x1a7/0x650 [rdma_cm]
         nvmet_rdma_cm_handler+0x1286/0x14cd [nvmet_rdma]
         cma_cm_event_handler+0x6b/0x330 [rdma_cm]
         cma_ib_req_handler+0xe60/0x22d0 [rdma_cm]
         cm_process_work+0x30/0x140 [ib_cm]
         cm_req_handler+0x11f4/0x1cd0 [ib_cm]
         cm_work_handler+0xb8/0x344e [ib_cm]
         process_one_work+0x569/0xb60
         worker_thread+0x7a/0x5d0
         kthread+0x1e6/0x210
         ret_from_fork+0x24/0x30
      
      Link: https://lore.kernel.org/r/20200217205714.26937-1-bvanassche@acm.org
      Fixes: 8700e3e7 ("Soft RoCE driver")
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7d0284ac
    • Wen Yang's avatar
      drm/omap: fix possible object reference leak · 14674c8e
      Wen Yang authored
      [ Upstream commit 47340e46 ]
      
      The call to of_find_matching_node returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:212:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function.
      drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:237:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Markus Elfring <Markus.Elfring@web.de>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1554692313-28882-2-git-send-email-wen.yang99@zte.com.cnSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      14674c8e
    • James Smart's avatar
      scsi: lpfc: Fix coverity errors in fmdi attribute handling · 67169d61
      James Smart authored
      [ Upstream commit 4cb9e1dd ]
      
      Coverity reported a memory corruption error for the fdmi attributes
      routines:
      
        CID 15768 [Memory Corruption] Out-of-bounds access on FDMI
      
      Sloppy coding of the fmdi structures. In both the lpfc_fdmi_attr_def and
      lpfc_fdmi_reg_port_list structures, a field was placed at the start of
      payload that may have variable content. The field was given an arbitrary
      type (uint32_t). The code then uses the field name to derive an address,
      which it used in things such as memset and memcpy. The memset sizes or
      memcpy lengths were larger than the arbitrary type, thus coverity reported
      an error.
      
      Fix by replacing the arbitrary fields with the real field structures
      describing the payload.
      
      Link: https://lore.kernel.org/r/20200128002312.16346-8-jsmart2021@gmail.comSigned-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      67169d61
    • James Smart's avatar
      scsi: lpfc: Fix RQ buffer leakage when no IOCBs available · 99511932
      James Smart authored
      [ Upstream commit 39c4f1a9 ]
      
      The driver is occasionally seeing the following SLI Port error, requiring
      reset and reinit:
      
       Port Status Event: ... error 1=0x52004a01, error 2=0x218
      
      The failure means an RQ timeout. That is, the adapter had received
      asynchronous receive frames, ran out of buffer slots to place the frames,
      and the driver did not replenish the buffer slots before a timeout
      occurred. The driver should not be so slow in replenishing buffers that a
      timeout can occur.
      
      When the driver received all the frames of a sequence, it allocates an IOCB
      to put the frames in. In a situation where there was no IOCB available for
      the frame of a sequence, the RQ buffer corresponding to the first frame of
      the sequence was not returned to the FW. Eventually, with enough traffic
      encountering the situation, the timeout occurred.
      
      Fix by releasing the buffer back to firmware whenever there is no IOCB for
      the first frame.
      
      [mkp: typo]
      
      Link: https://lore.kernel.org/r/20200128002312.16346-2-jsmart2021@gmail.comSigned-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      99511932
    • Vasily Averin's avatar
      selinux: sel_avc_get_stat_idx should increase position index · 51d729dc
      Vasily Averin authored
      [ Upstream commit 8d269a8e ]
      
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.
      
      $ dd if=/sys/fs/selinux/avc/cache_stats # usual output
      lookups hits misses allocations reclaims frees
      817223 810034 7189 7189 6992 7037
      1934894 1926896 7998 7998 7632 7683
      1322812 1317176 5636 5636 5456 5507
      1560571 1551548 9023 9023 9056 9115
      0+1 records in
      0+1 records out
      189 bytes copied, 5,1564e-05 s, 3,7 MB/s
      
      $# read after lseek to midle of last line
      $ dd if=/sys/fs/selinux/avc/cache_stats bs=180 skip=1
      dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset
      056 9115   <<<< end of last line
      1560571 1551548 9023 9023 9056 9115  <<< whole last line once again
      0+1 records in
      0+1 records out
      45 bytes copied, 8,7221e-05 s, 516 kB/s
      
      $# read after lseek beyond  end of of file
      $ dd if=/sys/fs/selinux/avc/cache_stats bs=1000 skip=1
      dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset
      1560571 1551548 9023 9023 9056 9115  <<<< generates whole last line
      0+1 records in
      0+1 records out
      36 bytes copied, 9,0934e-05 s, 396 kB/s
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      51d729dc
    • Steve Grubb's avatar
      audit: CONFIG_CHANGE don't log internal bookkeeping as an event · db8a0b8b
      Steve Grubb authored
      [ Upstream commit 70b3eeed ]
      
      Common Criteria calls out for any action that modifies the audit trail to
      be recorded. That usually is interpreted to mean insertion or removal of
      rules. It is not required to log modification of the inode information
      since the watch is still in effect. Additionally, if the rule is a never
      rule and the underlying file is one they do not want events for, they
      get an event for this bookkeeping update against their wishes.
      
      Since no device/inode info is logged at insertion and no device/inode
      information is logged on update, there is nothing meaningful being
      communicated to the admin by the CONFIG_CHANGE updated_rules event. One
      can assume that the rule was not "modified" because it is still watching
      the intended target. If the device or inode cannot be resolved, then
      audit_panic is called which is sufficient.
      
      The correct resolution is to drop logging config_update events since
      the watch is still in effect but just on another unknown inode.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      db8a0b8b
    • Qian Cai's avatar
      skbuff: fix a data race in skb_queue_len() · ce5d34a3
      Qian Cai authored
      [ Upstream commit 86b18aaa ]
      
      sk_buff.qlen can be accessed concurrently as noticed by KCSAN,
      
       BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg
      
       read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96:
        unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821
      				 net/unix/af_unix.c:1761
        ____sys_sendmsg+0x33e/0x370
        ___sys_sendmsg+0xa6/0xf0
        __sys_sendmsg+0x69/0xf0
        __x64_sys_sendmsg+0x51/0x70
        do_syscall_64+0x91/0xb47
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
       write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99:
        __skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029
        __skb_try_recv_datagram+0xbe/0x220
        unix_dgram_recvmsg+0xee/0x850
        ____sys_recvmsg+0x1fb/0x210
        ___sys_recvmsg+0xa2/0xf0
        __sys_recvmsg+0x66/0xf0
        __x64_sys_recvmsg+0x51/0x70
        do_syscall_64+0x91/0xb47
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Since only the read is operating as lockless, it could introduce a logic
      bug in unix_recvq_full() due to the load tearing. Fix it by adding
      a lockless variant of skb_queue_len() and unix_recvq_full() where
      READ_ONCE() is on the read while WRITE_ONCE() is on the write similar to
      the commit d7d16a89 ("net: add skb_queue_empty_lockless()").
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ce5d34a3
    • Mohan Kumar's avatar
      ALSA: hda: Clear RIRB status before reading WP · 60bc60dd
      Mohan Kumar authored
      [ Upstream commit 6d011d50 ]
      
      RIRB interrupt status getting cleared after the write pointer is read
      causes a race condition, where last response(s) into RIRB may remain
      unserviced by IRQ, eventually causing azx_rirb_get_response to fall
      back to polling mode. Clearing the RIRB interrupt status ahead of
      write pointer access ensures that this condition is avoided.
      Signed-off-by: default avatarMohan Kumar <mkumard@nvidia.com>
      Signed-off-by: default avatarViswanath L <viswanathl@nvidia.com>
      Link: https://lore.kernel.org/r/1580983853-351-1-git-send-email-viswanathl@nvidia.comSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      60bc60dd
    • Zhuang Yanying's avatar
      KVM: fix overflow of zero page refcount with ksm running · 154e9494
      Zhuang Yanying authored
      [ Upstream commit 7df003c8 ]
      
      We are testing Virtual Machine with KSM on v5.4-rc2 kernel,
      and found the zero_page refcount overflow.
      The cause of refcount overflow is increased in try_async_pf
      (get_user_page) without being decreased in mmu_set_spte()
      while handling ept violation.
      In kvm_release_pfn_clean(), only unreserved page will call
      put_page. However, zero page is reserved.
      So, as well as creating and destroy vm, the refcount of
      zero page will continue to increase until it overflows.
      
      step1:
      echo 10000 > /sys/kernel/pages_to_scan/pages_to_scan
      echo 1 > /sys/kernel/pages_to_scan/run
      echo 1 > /sys/kernel/pages_to_scan/use_zero_pages
      
      step2:
      just create several normal qemu kvm vms.
      And destroy it after 10s.
      Repeat this action all the time.
      
      After a long period of time, all domains hang because
      of the refcount of zero page overflow.
      
      Qemu print error log as follow:
       …
       error: kvm run failed Bad address
       EAX=00006cdc EBX=00000008 ECX=80202001 EDX=078bfbfd
       ESI=ffffffff EDI=00000000 EBP=00000008 ESP=00006cc4
       EIP=000efd75 EFL=00010002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
       ES =0010 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
       CS =0008 00000000 ffffffff 00c09b00 DPL=0 CS32 [-RA]
       SS =0010 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
       DS =0010 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
       FS =0010 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
       GS =0010 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
       LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
       TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
       GDT=     000f7070 00000037
       IDT=     000f70ae 00000000
       CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
       DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
       DR6=00000000ffff0ff0 DR7=0000000000000400
       EFER=0000000000000000
       Code=00 01 00 00 00 e9 e8 00 00 00 c7 05 4c 55 0f 00 01 00 00 00 <8b> 35 00 00 01 00 8b 3d 04 00 01 00 b8 d8 d3 00 00 c1 e0 08 0c ea a3 00 00 01 00 c7 05 04
       …
      
      Meanwhile, a kernel warning is departed.
      
       [40914.836375] WARNING: CPU: 3 PID: 82067 at ./include/linux/mm.h:987 try_get_page+0x1f/0x30
       [40914.836412] CPU: 3 PID: 82067 Comm: CPU 0/KVM Kdump: loaded Tainted: G           OE     5.2.0-rc2 #5
       [40914.836415] RIP: 0010:try_get_page+0x1f/0x30
       [40914.836417] Code: 40 00 c3 0f 1f 84 00 00 00 00 00 48 8b 47 08 a8 01 75 11 8b 47 34 85 c0 7e 10 f0 ff 47 34 b8 01 00 00 00 c3 48 8d 78 ff eb e9 <0f> 0b 31 c0 c3 66 90 66 2e 0f 1f 84 00 0
       0 00 00 00 48 8b 47 08 a8
       [40914.836418] RSP: 0018:ffffb4144e523988 EFLAGS: 00010286
       [40914.836419] RAX: 0000000080000000 RBX: 0000000000000326 RCX: 0000000000000000
       [40914.836420] RDX: 0000000000000000 RSI: 00004ffdeba10000 RDI: ffffdf07093f6440
       [40914.836421] RBP: ffffdf07093f6440 R08: 800000424fd91225 R09: 0000000000000000
       [40914.836421] R10: ffff9eb41bfeebb8 R11: 0000000000000000 R12: ffffdf06bbd1e8a8
       [40914.836422] R13: 0000000000000080 R14: 800000424fd91225 R15: ffffdf07093f6440
       [40914.836423] FS:  00007fb60ffff700(0000) GS:ffff9eb4802c0000(0000) knlGS:0000000000000000
       [40914.836425] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       [40914.836426] CR2: 0000000000000000 CR3: 0000002f220e6002 CR4: 00000000003626e0
       [40914.836427] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       [40914.836427] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       [40914.836428] Call Trace:
       [40914.836433]  follow_page_pte+0x302/0x47b
       [40914.836437]  __get_user_pages+0xf1/0x7d0
       [40914.836441]  ? irq_work_queue+0x9/0x70
       [40914.836443]  get_user_pages_unlocked+0x13f/0x1e0
       [40914.836469]  __gfn_to_pfn_memslot+0x10e/0x400 [kvm]
       [40914.836486]  try_async_pf+0x87/0x240 [kvm]
       [40914.836503]  tdp_page_fault+0x139/0x270 [kvm]
       [40914.836523]  kvm_mmu_page_fault+0x76/0x5e0 [kvm]
       [40914.836588]  vcpu_enter_guest+0xb45/0x1570 [kvm]
       [40914.836632]  kvm_arch_vcpu_ioctl_run+0x35d/0x580 [kvm]
       [40914.836645]  kvm_vcpu_ioctl+0x26e/0x5d0 [kvm]
       [40914.836650]  do_vfs_ioctl+0xa9/0x620
       [40914.836653]  ksys_ioctl+0x60/0x90
       [40914.836654]  __x64_sys_ioctl+0x16/0x20
       [40914.836658]  do_syscall_64+0x5b/0x180
       [40914.836664]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
       [40914.836666] RIP: 0033:0x7fb61cb6bfc7
      Signed-off-by: default avatarLinFeng <linfeng23@huawei.com>
      Signed-off-by: default avatarZhuang Yanying <ann.zhuangyanying@huawei.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      154e9494
    • Hillf Danton's avatar
      Bluetooth: prefetch channel before killing sock · f708f141
      Hillf Danton authored
      [ Upstream commit 2a154903 ]
      
      Prefetch channel before killing sock in order to fix UAF like
      
       BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 net/bluetooth/l2cap_sock.c:1212
       Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751
      
      Reported-by: syzbot+c3c5bdea7863886115dc@syzkaller.appspotmail.com
      Fixes: 6c08fc89 ("Bluetooth: Fix refcount use-after-free issue")
      Cc: Manish Mandlik <mmandlik@google.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f708f141
    • Steven Price's avatar
      mm: pagewalk: fix termination condition in walk_pte_range() · d473d4e2
      Steven Price authored
      [ Upstream commit c02a9875 ]
      
      If walk_pte_range() is called with a 'end' argument that is beyond the
      last page of memory (e.g.  ~0UL) then the comparison between 'addr' and
      'end' will always fail and the loop will be infinite.  Instead change the
      comparison to >= while accounting for overflow.
      
      Link: http://lkml.kernel.org/r/20191218162402.45610-15-steven.price@arm.comSigned-off-by: default avatarSteven Price <steven.price@arm.com>
      Cc: Albert Ou <aou@eecs.berkeley.edu>
      Cc: Alexandre Ghiti <alex@ghiti.fr>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: James Morse <james.morse@arm.com>
      Cc: Jerome Glisse <jglisse@redhat.com>
      Cc: "Liang, Kan" <kan.liang@linux.intel.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Paul Burton <paul.burton@mips.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Paul Walmsley <paul.walmsley@sifive.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Vineet Gupta <vgupta@synopsys.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Zong Li <zong.li@sifive.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d473d4e2