- 14 May, 2020 40 commits
-
-
Andy Shevchenko authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit b5f88dd1 upstream. The specific power domain can't be used in a way provided by the commit 01ac170b, i.e. pointer to platform device is a subject to change during unbound / bind cycle. This reverts commit 01ac170b. Fixes: 3df2da96 (Revert "ACPI / LPSS: introduce a 'proxy' device to power on LPSS for DMA") Signed-off-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Ian May <ian.may@canonical.com> Signed-off-by:
Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Maciej S. Szmigiero authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 3f1c241f upstream. SACNT register should be marked volatile since its WR and RD bits are cleared by SSI after completing the relevant operation. This unbreaks AC'97 register access. Fixes: 05cf2379 ("ASoC: fsl_ssi: Add driver suspend and resume to support MEGA Fast") Signed-off-by:
Maciej S. Szmigiero <mail@maciej.szmigiero.name> Reviewed-by:
Fabio Estevam <fabio.estevam@nxp.com> Signed-off-by:
Mark Brown <broonie@kernel.org> Signed-off-by:
-
Sudip Mukherjee authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 319c3259 upstream. We have been returning success even if snd_soc_card_jack_new() fails. Lets check the return value and return error if it fails. Fixes: 12cc6d1d ("ASoC: tegra_alc5632: Register jacks at the card level") Signed-off-by:
Sudip Mukherjee <sudip@vectorindia.org> Signed-off-by:
-
Dan Carpenter authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit d16a2b9f upstream. "data" is always NULL in this function. I think we should be passing "&data" to sst_prepare_and_post_msg() instead of "data". Fixes: 3d9ff346 ('ASoC: Intel: sst: add stream operations') Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Tested-by:
Dinesh Mirche <dinesh.mirche@intel.com> Acked-by:
Vinod Koul <vinod.koul@intel.com> Signed-off-by:
-
Boris Brezillon authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 320092a0 upstream. Unregister the NAND device from the NAND subsystem when removing a denali NAND controller, otherwise the MTD attached to the NAND device is still exposed by the MTD layer, and accesses to this device will likely crash the system. Fixes: 2a0a288e ("mtd: denali: split the generic driver and PCI layer") Signed-off-by:
Boris Brezillon <boris.brezillon@free-electrons.com> Acked-by:
Dinh Nguyen <dinguyen@opensource.altera.com> Signed-off-by:
Brian Norris <computersforpeace@gmail.com> Signed-off-by:
-
Eric Dumazet authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit adb03115 upstream. Jiri Pirko reported an UBSAN warning happening in ip_idents_reserve() [] UBSAN: Undefined behaviour in ./arch/x86/include/asm/atomic.h:156:11 [] signed integer overflow: [] -2117905507 + -695755206 cannot be represented in type 'int' Since we do not have uatomic_add_return() yet, use atomic_cmpxchg() so that the arithmetics can be done using unsigned int. Fixes: 04ca6973 ("ip: make IP identifiers less predictable") Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Jiri Pirko <jiri@resnulli.us> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Chuck Lever authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 11476e9d upstream. At Connectathon 2016, we found that recent upstream Linux clients would occasionally send a LOCK operation with a zero stateid. This appeared to happen in close proximity to another thread returning a delegation before unlinking the same file while it remained open. Earlier, the client received a write delegation on this file and returned the open stateid. Now, as it is getting ready to unlink the file, it returns the write delegation. But there is still an open file descriptor on that file, so the client must OPEN the file again before it returns the delegation. Since commit 24311f88 ('NFSv4: Recovery of recalled read delegations is broken'), nfs_open_delegation_recall() clears the NFS_DELEGATED_STATE flag _before_ it sends the OPEN. This allows a racing LOCK on the same inode to be put on the wire before the OPEN operation has returned a valid open stateid. To eliminate this race, serialize delegation return with the acquisition of a file lock on the same file. Adopt the same approach as is used in the unlock path. This patch also eliminates a similar race seen when sending a LOCK operation at the same time as returning a delegation on the same file. Fixes: 24311f88 ('NFSv4: Recovery of recalled read ... ') Signed-off-by:
Chuck Lever <chuck.lever@oracle.com> [Anna: Add sentence about LOCK / delegation race] Signed-off-by:
Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by:
-
Ilan Peer authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 4b559ec0 upstream. It is possible that the station is connected to an AP with bandwidth of 80+80MHz or 160MHz. In such cases there is no need to perform an upgrade as the maximal supported bandwidth is 80MHz. In addition, when upgrading and setting center_freq1 and bandwidth to 80MHz also set center_freq2 to 0. Fixes: 0fabfaaf ("mac80211: upgrade BW of TDLS peers when possible" Signed-off-by:
Ilan Peer <ilan.peer@intel.com> Signed-off-by:
Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
-
Arik Nemtsov authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 59021c67 upstream. The previous approach simply ignored chandef restrictions when calculating the appropriate peer BW for a WIDER_BW peer. This could result in a regulatory violation if both peers indicated 80MHz support, but the regdomain forbade it. Change the approach to setting a WIDER_BW peer's BW. Don't exempt it from the chandef width at first. If during TDLS negotiation the chandef width is upgraded, update the peer's BW to match. Fixes: 0fabfaaf ("mac80211: upgrade BW of TDLS peers when possible") Signed-off-by:
Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by:
-
Arik Nemtsov authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit db8d9977 upstream. Even if the current chandef width is equal to the station's max-BW, it doesn't mean it's a valid width for TDLS. Make sure to always check regulatory constraints in these cases. Fixes: 0fabfaaf ("mac80211: upgrade BW of TDLS peers when possible") Signed-off-by:
-
Johannes Berg authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit e673a659 upstream. If a mgmt-tx operation is aborted before it runs, the wrong cookie is reported back to userspace, and the ack_skb gets leaked since the frame is freed directly instead of freeing it using ieee80211_free_txskb(). Fix that. Fixes: 3b79af97 ("mac80211: stop using pointers as userspace cookies") Signed-off-by:
-
Ilan Tayari authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit b5884793 upstream. commit 1a6509d9 ("[IPSEC]: Add support for combined mode algorithms") introduced aead. The function attach_aead kmemdup()s the algorithm name during xfrm_state_construct(). However this memory is never freed. Implementation has since been slightly modified in commit ee5c2317 ("xfrm: Clone states properly on migration") without resolving this leak. This patch adds a kfree() call for the aead algorithm name. Fixes: 1a6509d9 ("[IPSEC]: Add support for combined mode algorithms") Signed-off-by:
Ilan Tayari <ilant@mellanox.com> Acked-by:
Rami Rosen <roszenrami@gmail.com> Signed-off-by:
Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by:
-
Mathias Krause authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 2f30ea50 upstream. When we fail to attach the security context in xfrm_state_construct() we'll return 0 as error value which, in turn, will wrongly claim success to userland when, in fact, we won't be adding / updating the XFRM state. This is a regression introduced by commit fd21150a ("[XFRM] netlink: Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()"). Fix it by propagating the error returned by security_xfrm_state_alloc() in this case. Fixes: fd21150a ("[XFRM] netlink: Inline attach_encap_tmpl()...") Signed-off-by:
Mathias Krause <minipli@googlemail.com> Cc: Thomas Graf <tgraf@suug.ch> Signed-off-by:
-
Alexey Kodanev authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 1625f452 upstream. Running LTP 'icmp-uni-basic.sh -6 -p ipcomp -m tunnel' test over openvswitch + veth can trigger kernel panic: BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0 IP: [<ffffffff8169d1d2>] xfrm_input+0x82/0x750 ... [<ffffffff816d472e>] xfrm6_rcv_spi+0x1e/0x20 [<ffffffffa082c3c2>] xfrm6_tunnel_rcv+0x42/0x50 [xfrm6_tunnel] [<ffffffffa082727e>] tunnel6_rcv+0x3e/0x8c [tunnel6] [<ffffffff8169f365>] ip6_input_finish+0xd5/0x430 [<ffffffff8169fc53>] ip6_input+0x33/0x90 [<ffffffff8169f1d5>] ip6_rcv_finish+0xa5/0xb0 ... It seems that tunnel.ip6 can have garbage values and also dereferenced without a proper check, only tunnel.ip4 is being verified. Fix it by adding one more if block for AF_INET6 and initialize tunnel.ip6 with NULL inside xfrm6_rcv_spi() (which is similar to xfrm4_rcv_spi()). Fixes: 049f8e2e ("xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input") Signed-off-by:
Alexey Kodanev <alexey.kodanev@oracle.com> Signed-off-by:
-
Philipp Zabel authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit dc262dfa upstream. A recent patch broke parsing the gain, offset, and threshold parameters from device tree. Instead of setting the cached values and writing them to the correct registers during probe, it would write the values from DT into the register address variables and never write them to the chip during normal operation. Fixes: 2e23b7a9 ("Input: edt-ft5x06 - use generic properties API") Signed-off-by:
Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by:
Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by:
-
Dmitry Torokhov authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 8679ee42 upstream. Commit 4ea14a53 ("Input: gpio-keys - report error when disabling unsupported key") tried let user know that they attempted to disable an unsupported key, unfortunately the check is wrong as it believes that all codes are invalid. Fix it by ensuring that keys that we try to disable are subset of keys (or switches) that device reports. Fixes: 4ea14a53 ("Input: gpio-keys - report error when disabling unsupported key") Reported-by:
Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com> Tested-by:
-
Dan Carpenter authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 0dc924c5 upstream. If we return 1 here, then the caller treats it as an error and returns -EINVAL. It causes a static checker warning to treat positive returns as an error. Fixes: 1aba86d6 ('Btrfs: fix easily get into ENOSPC in mixed case') Signed-off-by:
David Sterba <dsterba@suse.com> Signed-off-by:
-
William Breathitt Gray authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 32a5a0c0 upstream. The isa_bus_init function must be called before drivers which utilize the ISA bus driver are registered. A race condition for initilization exists if device_initcall is used (the isa_bus_init callback is placed in the same initcall level as dependent drivers which use module_init). This patch ensures that isa_bus_init is called first by utilizing postcore_initcall in favor of device_initcall. Fixes: a5117ba7 ("[PATCH] Driver model: add ISA bus") Cc: Rene Herman <rene.herman@keyaccess.nl> Signed-off-by:
William Breathitt Gray <vilhelm.gray@gmail.com> Signed-off-by:
-
Krzysztof Kozlowski authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 926b7b51 upstream. On non-DeviceTree platforms, the index of serial device is a static variable incremented on each probe. It is incremented even if deferred probe happens when getting the clock in s3c24xx_serial_init_port(). This index is used for referencing elements of statically allocated s3c24xx_serial_ports array. In case of re-probe, the index will point outside of this array leading to memory corruption. Increment the index only on successful probe. Reported-by:
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Fixes: b497549a ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers") Signed-off-by:
Krzysztof Kozlowski <k.kozlowski@samsung.com> Signed-off-by:
-
Stephen Boyd authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 98952bf5 upstream. The msm_find_best_baud() function is written with the assumption that the port->uartclk rate is fixed to a particular rate at boot time, but now this driver changes that clk rate at runtime when the baud is changed. The way the hardware works is that an input clk rate comes from the clk controller into the uart hw block. That rate is typically 1843200 or 3686400 Hz. That rate can then be divided by an internal divider in the hw block to achieve a particular baud on the serial wire. msm_find_best_baud() is looking for that divider value. A few things are wrong with the way the code is written. First, it assumes that the maximum baud that the uart can support if the clk rate is fixed at boot is 460800, which would correspond to an input clk rate of 230400 * 16 == 3686400 Hz. Except some devices have a boot rate of 1843200 Hz or max baud of 115200, so achieving 230400 on those devices doesn't work at all because we don't increase the clk rate unless max baud is 460800. Second, we can't achieve bauds higher than 460800 that require anything besides a divisor of 1, because we always call msm_find_best_baud() with a fixed port->uartclk rate that will eventually be changed after we calculate the divisor. So if we need to get a baud of 500000, we'll just multiply that by 16 and hope that the clk can give us 500000 * 16 == 8000000 Hz, which it typically can't do. To really achieve 500000 baud, we need to get an input clk rate of 24000000 Hz and then divide that by 3 inside the uart hardware. Finally, we return success for bauds even when we can't actually achieve them. This means that when the user asks for 500000 baud, we actually get 921600 right now, but the user doesn't know that. Fix all of this by searching through the divisor and clk rate space with a combination of clk_round_rate() and baud calculations, keeping track of the best clk rate and divisor we find if we can't get an exact match. Typically we can get an exact match with a divisor of 1, but sometimes we need to keep track and try more frequencies. On my msm8916 device, this results in all standard bauds in baud_table being supported except for 1800, 576000, 1152000, and 4000000. Fixes: 850b37a7 ("tty: serial: msm: Remove 115.2 Kbps maximum baud rate limitation") Cc: "Ivan T. Ivanov" <iivanov.xz@gmail.com> Cc: Matthew McClintock <mmcclint@codeaurora.org> Signed-off-by:
Stephen Boyd <stephen.boyd@linaro.org> Tested-by:
Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Acked-by:
Andy Gross <andy.gross@linaro.org> Acked-by:
Bjorn Andersson <bjorn.andersson@linaro.org> Tested-by:
Cristian Prundeanu <cprundea@codeaurora.org> Signed-off-by:
-
Simon Wunderlich authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 0b3dd7df upstream. If a VLAN tagged frame is received and the corresponding VLAN is not configured on the soft interface, it will splat a WARN on every packet received. This is a quite annoying behaviour for some scenarios, e.g. if bat0 is bridged with eth0, and there are arbitrary VLAN tagged frames from Ethernet coming in without having any VLAN configuration on bat0. The code should probably create vlan objects on the fly and transparently transport these VLAN-tagged Ethernet frames, but until this is done, at least the WARN splat should be replaced by a rate limited output. Fixes: 354136bc ("batman-adv: fix kernel crash due to missing NULL checks") Signed-off-by:
Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by:
Marek Lindner <mareklindner@neomailbox.ch> Signed-off-by:
Sven Eckelmann <sven@narfation.org> Signed-off-by:
-
Sven Eckelmann authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 008a3744 upstream. The function handles tlv containers and not tlv handlers. Thus the lockdep_assert_held has to check for the container_list lock. Fixes: 2c72d655 ("batman-adv: Annotate deleting functions with external lock via lockdep") Signed-off-by:
Sven Eckelmann <sven@open-mesh.com> Signed-off-by:
Antonio Quartulli <a@unstable.cc> Signed-off-by:
-
David Ahern authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 1d2f7b2d upstream. Responses for packets to unused ports are getting lost with L3 domains. IPv4 has ip_send_unicast_reply for sending TCP responses which accounts for L3 domains; update the IPv6 counterpart tcp_v6_send_response. For icmp the L3 master check needs to be moved up in icmp6_send to properly respond to UDP packets to a port with no listener. Fixes: ca254490 ("net: Add VRF support to IPv6 stack") Signed-off-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
Sowmini Varadhan authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit eb192840 upstream. There is a race condition between rds_send_xmit -> rds_tcp_xmit and the code that deals with resolution of duelling syns added by commit 241b2719 ("RDS-TCP: Reset tcp callbacks if re-using an outgoing socket in rds_tcp_accept_one()"). Specifically, we may end up derefencing a null pointer in rds_send_xmit if we have the interleaving sequence: rds_tcp_accept_one rds_send_xmit conn is RDS_CONN_UP, so invoke rds_tcp_xmit tc = conn->c_transport_data rds_tcp_restore_callbacks /* reset t_sock */ null ptr deref from tc->t_sock The race condition can be avoided without adding the overhead of additional locking in the xmit path: have rds_tcp_accept_one wait for rds_tcp_xmit threads to complete before resetting callbacks. The synchronization can be done in the same manner as rds_conn_shutdown(). First set the rds_conn_state to something other than RDS_CONN_UP (so that new threads cannot get into rds_tcp_xmit()), then wait for RDS_IN_XMIT to be cleared in the conn->c_flags indicating that any threads in rds_tcp_xmit are done. Fixes: 241b2719 ("RDS-TCP: Reset tcp callbacks if re-using an outgoing socket in rds_tcp_accept_one()") Signed-off-by:
Sowmini Varadhan <sowmini.varadhan@oracle.com> Acked-by:
Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by:
-
Eric Dumazet authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 37202283 upstream. There are some cases where rtt_us derives from deltas of jiffies, instead of using usec timestamps. Since we want to track minimal rtt, better to assume a delta of 0 jiffie might be in fact be very close to 1 jiffie. It is kind of sad jiffies_to_usecs(1) calls a function instead of simply using a constant. Fixes: f6722583 ("tcp: track min RTT using windowed min-filter") Signed-off-by:
Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Signed-off-by:
-
Johannes Weiner authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 8c2c2358 upstream. When charging socket memory, the code currently checks only the local page counter for excess to determine whether the memcg is under socket pressure. But even if the local counter is fine, one of the ancestors could have breached its limit, which should also force this child to enter socket pressure. This currently doesn't happen. Fix this by using page_counter_try_charge() first. If that fails, it means that either the local counter or one of the ancestors are in excess of their limit, and the child should enter socket pressure. Fixes: 3e32cb2e ("mm: memcontrol: lockless page counters") Signed-off-by:
Johannes Weiner <hannes@cmpxchg.org> Acked-by:
Vladimir Davydov <vdavydov@virtuozzo.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Yotam Gigi authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit feb7d387 upstream. In order to specify that the mlxsw spectrum driver needs additional headroom for packets, there have been use of the hard_header_len field of the netdevice struct. This commit changes that to use needed_headroom instead, as this is the correct way to do that. Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by:
Yotam Gigi <yotamg@mellanox.com> Acked-by:
Ido Schimmel <idosch@mellanox.com> Signed-off-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
-
Ido Schimmel authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit c3f15768 upstream. The device supports link autonegotiation, so let the user know about it by indicating support via ethtool ops. Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by:
-
Nogah Frankel authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 63dcdd35 upstream. Stop the SW TX counter from counting the TX header bytes since they are not being sent out. Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Reviewed-by:
Nogah Frankel <nogahf@mellanox.com> Signed-off-by:
-
Ido Schimmel authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 45491133 upstream. When port is put into LISTENING state it shouldn't populate the FDB, so set the port's STP state in hardware to DISCARDING instead of LEARNING. It will therefore keep listening to BPDU packets, but discard other non-control packets and won't perform any learning. Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by:
-
Ido Schimmel authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 9cb026eb upstream. When STP state is set to DISABLED the port is assumed to be inactive, but currently we forward packets ingressing through it. Instead, set the port's STP state in hardware to DISCARDING, which means it doesn't forward packets or perform any learning, but it does trap control packets. However, these packets will be dropped by bridge code, which results in the expected behavior. Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by:
-
Honggang Li authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 0de4cbb3 upstream. [ 598.852037] ------------[ cut here ]------------ [ 598.856698] WARNING: at lib/dma-debug.c:887 check_unmap+0xf8/0x920() [ 598.863079] cxgb3 0000:01:00.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000003310000] [map size=17 bytes] [unmap size=16 bytes] [ 598.878265] Modules linked in: xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad kvm_amd kvm ipmi_devintf ipmi_ssif dcdbas pcspkr ipmi_si sg ipmi_msghandler acpi_power_meter amd64_edac_mod shpchp edac_core sp5100_tco k10temp edac_mce_amd i2c_piix4 acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common ata_generic iw_cxgb3 pata_acpi ib_core ib_addr mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm pata_atiixp drm ahci libahci serio_raw i2c_core cxgb3 libata bnx2 mdio dm_mirror dm_region_hash dm_log dm_mod [ 598.946822] CPU: 3 PID: 11820 Comm: cmtime Not tainted 3.10.0-327.el7.x86_64.debug #1 [ 598.954681] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012 [ 598.962193] ffff8808077479a8 000000000381a432 ffff880807747960 ffffffff81700918 [ 598.969663] ffff880807747998 ffffffff8108b6c0 ffff880807747a80 ffff8808063f55c0 [ 598.977132] ffffffff833ca850 0000000000000282 ffff88080b1bb800 ffff880807747a00 [ 598.984602] Call Trace: [ 598.987062] [<ffffffff81700918>] dump_stack+0x19/0x1b [ 598.992224] [<ffffffff8108b6c0>] warn_slowpath_common+0x70/0xb0 [ 598.998254] [<ffffffff8108b75c>] warn_slowpath_fmt+0x5c/0x80 [ 599.004033] [<ffffffff813903b8>] check_unmap+0xf8/0x920 [ 599.009369] [<ffffffff81025959>] ? sched_clock+0x9/0x10 [ 599.014702] [<ffffffff81390cee>] debug_dma_free_coherent+0x7e/0xa0 [ 599.021008] [<ffffffffa01ece2c>] cxio_destroy_cq+0xcc/0x160 [iw_cxgb3] [ 599.027654] [<ffffffffa01e8da0>] iwch_destroy_cq+0xf0/0x140 [iw_cxgb3] [ 599.034307] [<ffffffffa01c4bfe>] ib_destroy_cq+0x1e/0x30 [ib_core] [ 599.040601] [<ffffffffa04ff2d2>] ib_uverbs_close+0x302/0x4d0 [ib_uverbs] [ 599.047417] [<ffffffff812335a2>] __fput+0x102/0x310 [ 599.052401] [<ffffffff8123388e>] ____fput+0xe/0x10 [ 599.057297] [<ffffffff810bbde4>] task_work_run+0xb4/0xe0 [ 599.062719] [<ffffffff81092a84>] do_exit+0x304/0xc60 [ 599.067789] [<ffffffff81025905>] ? native_sched_clock+0x35/0x80 [ 599.073820] [<ffffffff81025959>] ? sched_clock+0x9/0x10 [ 599.079153] [<ffffffff8170a49c>] ? _raw_spin_unlock_irq+0x2c/0x50 [ 599.085358] [<ffffffff8109346c>] do_group_exit+0x4c/0xc0 [ 599.090779] [<ffffffff810a8661>] get_signal_to_deliver+0x2e1/0x960 [ 599.097071] [<ffffffff8101c497>] do_signal+0x57/0x6e0 [ 599.102229] [<ffffffff81714bd1>] ? sysret_signal+0x5/0x4e [ 599.107738] [<ffffffff8101cb7f>] do_notify_resume+0x5f/0xb0 [ 599.113418] [<ffffffff81714e7d>] int_signal+0x12/0x17 [ 599.118576] ---[ end trace 1e4653102e7e7019 ]--- [ 599.123211] Mapped at: [ 599.125577] [<ffffffff8138ed8b>] debug_dma_alloc_coherent+0x2b/0x80 [ 599.131968] [<ffffffffa01ec862>] cxio_create_cq+0xf2/0x1f0 [iw_cxgb3] [ 599.139920] [<ffffffffa01e9c05>] iwch_create_cq+0x105/0x4e0 [iw_cxgb3] [ 599.147895] [<ffffffffa0500584>] create_cq.constprop.14+0x184/0x2e0 [ib_uverbs] [ 599.156649] [<ffffffffa05027fb>] ib_uverbs_create_cq+0x10b/0x140 [ib_uverbs] Fixes: b955150e ('RDMA/cxgb3: When a user QP is marked in error, also mark the CQs in error') Signed-off-by:
Honggang Li <honli@redhat.com> Reviewed-by:
Leon Romanovsky <leonro@mellanox.com> Reviewed-by:
Steve Wise <swise@opengridcomputing.com> Signed-off-by:
Doug Ledford <dledford@redhat.com> Signed-off-by:
-
Chuck Lever authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 9f74660b upstream. Some NFSv4.1 OPEN requests were hanging waiting for the NFS server to finish recalling delegations. Turns out that each NFSv4.1 CB request on RDMA gets a GARBAGE_ARGS reply from the Linux client. Commit 756b9b37 added a line in bc_svc_process that overwrites the incoming rq_rcv_buf's length with the value in rq_private_buf.len. But rpcrdma_bc_receive_call() does not invoke xprt_complete_bc_request(), thus rq_private_buf.len is not initialized. svc_process_common() is invoked with a zero-length RPC message, and fails. Fixes: 756b9b37 ('SUNRPC: Fix callback channel') Signed-off-by:
-
Chuck Lever authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit ffc4d9b1 upstream. Preserve any rpcrdma_req that is attached to rpc_rqst's allocated for the backchannel. Otherwise, after all the pre-allocated backchannel req's are consumed, incoming backward calls start writing on freed memory. Somehow this hunk got lost. Fixes: f531a5db ('xprtrdma: Pre-allocate backward rpc_rqst') Signed-off-by:
Devesh Sharma <devesh.sharma@avagotech.com> Signed-off-by:
-
Chuck Lever authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 9b06688b upstream. Clean up. rb_lock critical sections added in rpcrdma_ep_post_extra_recv() should have first been converted to use normal spin_lock now that the reply handler is a work queue. The backchannel set up code should use the appropriate helper instead of open-coding a rb_recv_bufs list add. Problem introduced by glib patch re-ordering on my part. Fixes: f531a5db ('xprtrdma: Pre-allocate backward rpc_rqst') Signed-off-by:
-
Dan Carpenter authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit abfb6897 upstream. The rpcrdma_create_req() function returns error pointers or success. It never returns NULL. Fixes: f531a5db ('xprtrdma: Pre-allocate backward rpc_rqst and send/receive buffers') Signed-off-by:
-
Raja Mani authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit b9c191be upstream. ath10k_core_probe_fw() simply returns error without freeing cached firmware file content when get board id operation fails. Free cached fw bin data in failure case to avoid memory leak. Fixes: db0984e5 ("ath10k: select board data based on BMI chip id and board id") Signed-off-by:
Raja Mani <rmani@qti.qualcomm.com> Signed-off-by:
Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by:
-
Boris Brezillon authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit de64aa9e upstream. src_ssync_features field is only 1 byte large, and the 4th reserved area is actually 8 bytes large. Fixes: d1e1f4e4 ("mtd: nand: add support for reading ONFI parameters from NAND device") Signed-off-by:
-
Eric Dumazet authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit f87fda00 upstream. ether_addr_equal_64bits() requires some care about its arguments, namely that 8 bytes might be read, even if last 2 byte values are not used. KASan detected a violation with null_mac_addr and lacpdu_mcast_addr in bond_3ad.c Same problem with mac_bcast[] and mac_v6_allmcast[] in bond_alb.c : Although the 8-byte alignment was there, KASan would detect out of bound accesses. Fixes: 815117ad ("bonding: use ether_addr_equal_unaligned for bond addr compare") Fixes: bb54e589 ("bonding: Verify RX LACPDU has proper dest mac-addr") Fixes: 885a136c ("bonding: use compare_ether_addr_64bits() in ALB") Signed-off-by:
Dmitry Vyukov <dvyukov@google.com> Acked-by:
Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Acked-by:
Ding Tianhong <dingtianhong@huawei.com> Signed-off-by:
-
Johan Hovold authored
BugLink: https://bugs.launchpad.net/bugs/1878232 commit 17ae1c65 upstream. Make sure to drop the reference taken by bus_find_device_by_name() before returning from phy_connect() and phy_attach(). Note that both function still take a reference to the phy device through phy_attach_direct(). Fixes: e1393456 ("[PATCH] PHY Layer fixup") Cc: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
Johan Hovold <johan@kernel.org> Signed-off-by:
-
