1. 05 Apr, 2019 40 commits
    • Ard Biesheuvel's avatar
      efi/memattr: Don't bail on zero VA if it equals the region's PA · 7d84e045
      Ard Biesheuvel authored
      [ Upstream commit 5de0fef0 ]
      
      The EFI memory attributes code cross-references the EFI memory map with
      the more granular EFI memory attributes table to ensure that they are in
      sync before applying the strict permissions to the regions it describes.
      
      Since we always install virtual mappings for the EFI runtime regions to
      which these strict permissions apply, we currently perform a sanity check
      on the EFI memory descriptor, and ensure that the EFI_MEMORY_RUNTIME bit
      is set, and that the virtual address has been assigned.
      
      However, in cases where a runtime region exists at physical address 0x0,
      and the virtual mapping equals the physical mapping, e.g., when running
      in mixed mode on x86, we encounter a memory descriptor with the runtime
      attribute and virtual address 0x0, and incorrectly draw the conclusion
      that a runtime region exists for which no virtual mapping was installed,
      and give up altogether. The consequence of this is that firmware mappings
      retain their read-write-execute permissions, making the system more
      vulnerable to attacks.
      
      So let's only bail if the virtual address of 0x0 has been assigned to a
      physical region that does not reside at address 0x0.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: default avatarSai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
      Cc: Alexander Graf <agraf@suse.de>
      Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
      Cc: Jeffrey Hugo <jhugo@codeaurora.org>
      Cc: Lee Jones <lee.jones@linaro.org>
      Cc: Leif Lindholm <leif.lindholm@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Jones <pjones@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Fixes: 10f0d2f5 ("efi: Implement generic support for the Memory ...")
      Link: http://lkml.kernel.org/r/20190202094119.13230-4-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7d84e045
    • Hidetoshi Seto's avatar
      sched/debug: Initialize sd_sysctl_cpus if !CONFIG_CPUMASK_OFFSTACK · 351ea69c
      Hidetoshi Seto authored
      [ Upstream commit 1ca4fa3a ]
      
      register_sched_domain_sysctl() copies the cpu_possible_mask into
      sd_sysctl_cpus, but only if sd_sysctl_cpus hasn't already been
      allocated (ie, CONFIG_CPUMASK_OFFSTACK is set).  However, when
      CONFIG_CPUMASK_OFFSTACK is not set, sd_sysctl_cpus is left
      uninitialized (all zeroes) and the kernel may fail to initialize
      sched_domain sysctl entries for all possible CPUs.
      
      This is visible to the user if the kernel is booted with maxcpus=n, or
      if ACPI tables have been modified to leave CPUs offline, and then
      checking for missing /proc/sys/kernel/sched_domain/cpu* entries.
      
      Fix this by separating the allocation and initialization, and adding a
      flag to initialize the possible CPU entries while system booting only.
      Tested-by: default avatarSyuuichirou Ishii <ishii.shuuichir@jp.fujitsu.com>
      Tested-by: default avatarTarumizu, Kohei <tarumizu.kohei@jp.fujitsu.com>
      Signed-off-by: default avatarHidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarMasayoshi Mizuma <m.mizuma@jp.fujitsu.com>
      Acked-by: default avatarJoe Lawrence <joe.lawrence@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190129151245.5073-1-msys.mizuma@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      351ea69c
    • wen yang's avatar
      ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe · bdd46d58
      wen yang authored
      [ Upstream commit 11907e9d ]
      
      The of_find_device_by_node() takes a reference to the underlying device
      structure, we should release that reference.
      Signed-off-by: default avatarWen Yang <yellowriver2010@hotmil.com>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <festevam@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bdd46d58
    • Rajneesh Bhardwaj's avatar
      platform/x86: intel_pmc_core: Fix PCH IP sts reading · d9e09a1d
      Rajneesh Bhardwaj authored
      [ Upstream commit 0e68eeea ]
      
      A previous commit "platform/x86: intel_pmc_core: Make the driver PCH
      family agnostic <c977b98b>" provided
      better abstraction to this driver but has some fundamental issues.
      
      e.g. the following condition
      
      for (index = 0; index < pmcdev->map->ppfear_buckets &&
      	index < PPFEAR_MAX_NUM_ENTRIES; index++, iter++)
      
      is wrong because for CNL, PPFEAR_MAX_NUM_ENTRIES is hardcoded as 5 which
      is _wrong_ and even though ppfear_buckets is 8, the loop fails to read
      all eight registers needed for CNL PCH i.e. PPFEAR0 and PPFEAR1. This
      patch refactors the pfear show logic to correctly read PCH IP power
      gating status for Cannonlake and beyond.
      
      Cc: "David E. Box" <david.e.box@intel.com>
      Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Fixes: c977b98b ("platform/x86: intel_pmc_core: Make the driver PCH family agnostic")
      Signed-off-by: default avatarRajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d9e09a1d
    • Konstantin Khlebnikov's avatar
      e1000e: fix cyclic resets at link up with active tx · 9ae89542
      Konstantin Khlebnikov authored
      [ Upstream commit 0f9e980b ]
      
      I'm seeing series of e1000e resets (sometimes endless) at system boot
      if something generates tx traffic at this time. In my case this is
      netconsole who sends message "e1000e 0000:02:00.0: Some CPU C-states
      have been disabled in order to enable jumbo frames" from e1000e itself.
      As result e1000_watchdog_task sees used tx buffer while carrier is off
      and start this reset cycle again.
      
      [   17.794359] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
      [   17.794714] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
      [   22.936455] e1000e 0000:02:00.0 eth1: changing MTU from 1500 to 9000
      [   23.033336] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   26.102364] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
      [   27.174495] 8021q: 802.1Q VLAN Support v1.8
      [   27.174513] 8021q: adding VLAN 0 to HW filter on device eth1
      [   30.671724] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
      [   30.898564] netpoll: netconsole: local port 6666
      [   30.898566] netpoll: netconsole: local IPv6 address 2a02:6b8:0:80b:beae:c5ff:fe28:23f8
      [   30.898567] netpoll: netconsole: interface 'eth1'
      [   30.898568] netpoll: netconsole: remote port 6666
      [   30.898568] netpoll: netconsole: remote IPv6 address 2a02:6b8:b000:605c:e61d:2dff:fe03:3790
      [   30.898569] netpoll: netconsole: remote ethernet address b0:a8:6e:f4:ff:c0
      [   30.917747] console [netcon0] enabled
      [   30.917749] netconsole: network logging started
      [   31.453353] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   34.185730] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   34.321840] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   34.465822] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   34.597423] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   34.745417] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   34.877356] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   35.005441] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   35.157376] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   35.289362] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   35.417441] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames
      [   37.790342] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
      
      This patch flushes tx buffers only once when carrier is off
      rather than at each watchdog iteration.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9ae89542
    • Guenter Roeck's avatar
      cdrom: Fix race condition in cdrom_sysctl_register · 7b3a8430
      Guenter Roeck authored
      [ Upstream commit f25191bb ]
      
      The following traceback is sometimes seen when booting an image in qemu:
      
      [   54.608293] cdrom: Uniform CD-ROM driver Revision: 3.20
      [   54.611085] Fusion MPT base driver 3.04.20
      [   54.611877] Copyright (c) 1999-2008 LSI Corporation
      [   54.616234] Fusion MPT SAS Host driver 3.04.20
      [   54.635139] sysctl duplicate entry: /dev/cdrom//info
      [   54.639578] CPU: 0 PID: 266 Comm: kworker/u4:5 Not tainted 5.0.0-rc5 #1
      [   54.639578] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
      [   54.641273] Workqueue: events_unbound async_run_entry_fn
      [   54.641273] Call Trace:
      [   54.641273]  dump_stack+0x67/0x90
      [   54.641273]  __register_sysctl_table+0x50b/0x570
      [   54.641273]  ? rcu_read_lock_sched_held+0x6f/0x80
      [   54.641273]  ? kmem_cache_alloc_trace+0x1c7/0x1f0
      [   54.646814]  __register_sysctl_paths+0x1c8/0x1f0
      [   54.646814]  cdrom_sysctl_register.part.7+0xc/0x5f
      [   54.646814]  register_cdrom.cold.24+0x2a/0x33
      [   54.646814]  sr_probe+0x4bd/0x580
      [   54.646814]  ? __driver_attach+0xd0/0xd0
      [   54.646814]  really_probe+0xd6/0x260
      [   54.646814]  ? __driver_attach+0xd0/0xd0
      [   54.646814]  driver_probe_device+0x4a/0xb0
      [   54.646814]  ? __driver_attach+0xd0/0xd0
      [   54.646814]  bus_for_each_drv+0x73/0xc0
      [   54.646814]  __device_attach+0xd6/0x130
      [   54.646814]  bus_probe_device+0x9a/0xb0
      [   54.646814]  device_add+0x40c/0x670
      [   54.646814]  ? __pm_runtime_resume+0x4f/0x80
      [   54.646814]  scsi_sysfs_add_sdev+0x81/0x290
      [   54.646814]  scsi_probe_and_add_lun+0x888/0xc00
      [   54.646814]  ? scsi_autopm_get_host+0x21/0x40
      [   54.646814]  __scsi_add_device+0x116/0x130
      [   54.646814]  ata_scsi_scan_host+0x93/0x1c0
      [   54.646814]  async_run_entry_fn+0x34/0x100
      [   54.646814]  process_one_work+0x237/0x5e0
      [   54.646814]  worker_thread+0x37/0x380
      [   54.646814]  ? rescuer_thread+0x360/0x360
      [   54.646814]  kthread+0x118/0x130
      [   54.646814]  ? kthread_create_on_node+0x60/0x60
      [   54.646814]  ret_from_fork+0x3a/0x50
      
      The only sensible explanation is that cdrom_sysctl_register() is called
      twice, once from the module init function and once from register_cdrom().
      cdrom_sysctl_register() is not mutex protected and may happily execute
      twice if the second call is made before the first call is complete.
      
      Use a static atomic to ensure that the function is executed exactly once.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7b3a8430
    • Manfred Schlaegl's avatar
      fbdev: fbmem: fix memory access if logo is bigger than the screen · 11538754
      Manfred Schlaegl authored
      [ Upstream commit a5399db1 ]
      
      There is no clipping on the x or y axis for logos larger that the framebuffer
      size. Therefore: a logo bigger than screen size leads to invalid memory access:
      
      [    1.254664] Backtrace:
      [    1.254728] [<c02714e0>] (cfb_imageblit) from [<c026184c>] (fb_show_logo+0x620/0x684)
      [    1.254763]  r10:00000003 r9:00027fd8 r8:c6a40000 r7:c6a36e50 r6:00000000 r5:c06b81e4
      [    1.254774]  r4:c6a3e800
      [    1.254810] [<c026122c>] (fb_show_logo) from [<c026c1e4>] (fbcon_switch+0x3fc/0x46c)
      [    1.254842]  r10:c6a3e824 r9:c6a3e800 r8:00000000 r7:c6a0c000 r6:c070b014 r5:c6a3e800
      [    1.254852]  r4:c6808c00
      [    1.254889] [<c026bde8>] (fbcon_switch) from [<c029c8f8>] (redraw_screen+0xf0/0x1e8)
      [    1.254918]  r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:c070d5a0 r5:00000080
      [    1.254928]  r4:c6808c00
      [    1.254961] [<c029c808>] (redraw_screen) from [<c029d264>] (do_bind_con_driver+0x194/0x2e4)
      [    1.254991]  r9:00000000 r8:00000000 r7:00000014 r6:c070d5a0 r5:c070d5a0 r4:c070d5a0
      
      So prevent displaying a logo bigger than screen size and avoid invalid
      memory access.
      Signed-off-by: default avatarManfred Schlaegl <manfred.schlaegl@ginzinger.com>
      Signed-off-by: default avatarMartin Kepplinger <martin.kepplinger@ginzinger.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      11538754
    • Raju Rangoju's avatar
      iw_cxgb4: fix srqidx leak during connection abort · c0c9311f
      Raju Rangoju authored
      [ Upstream commit f368ff18 ]
      
      When an application aborts the connection by moving QP from RTS to ERROR,
      then iw_cxgb4's modify_rc_qp() RTS->ERROR logic sets the
      *srqidxp to 0 via t4_set_wq_in_error(&qhp->wq, 0), and aborts the
      connection by calling c4iw_ep_disconnect().
      
      c4iw_ep_disconnect() does the following:
       1. sends up a close_complete_upcall(ep, -ECONNRESET) to libcxgb4.
       2. sends abort request CPL to hw.
      
      But, since the close_complete_upcall() is sent before sending the
      ABORT_REQ to hw, libcxgb4 would fail to release the srqidx if the
      connection holds one. Because, the srqidx is passed up to libcxgb4 only
      after corresponding ABORT_RPL is processed by kernel in abort_rpl().
      
      This patch handle the corner-case by moving the call to
      close_complete_upcall() from c4iw_ep_disconnect() to abort_rpl().  So that
      libcxgb4 is notified about the -ECONNRESET only after abort_rpl(), and
      libcxgb4 can relinquish the srqidx properly.
      Signed-off-by: default avatarRaju Rangoju <rajur@chelsio.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c0c9311f
    • Thomas Gleixner's avatar
      genirq: Avoid summation loops for /proc/stat · e4688147
      Thomas Gleixner authored
      [ Upstream commit 1136b072 ]
      
      Waiman reported that on large systems with a large amount of interrupts the
      readout of /proc/stat takes a long time to sum up the interrupt
      statistics. In principle this is not a problem. but for unknown reasons
      some enterprise quality software reads /proc/stat with a high frequency.
      
      The reason for this is that interrupt statistics are accounted per cpu. So
      the /proc/stat logic has to sum up the interrupt stats for each interrupt.
      
      This can be largely avoided for interrupts which are not marked as
      'PER_CPU' interrupts by simply adding a per interrupt summation counter
      which is incremented along with the per interrupt per cpu counter.
      
      The PER_CPU interrupts need to avoid that and use only per cpu accounting
      because they share the interrupt number and the interrupt descriptor and
      concurrent updates would conflict or require unwanted synchronization.
      Reported-by: default avatarWaiman Long <longman@redhat.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarWaiman Long <longman@redhat.com>
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: linux-fsdevel@vger.kernel.org
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Miklos Szeredi <miklos@szeredi.hu>
      Cc: Daniel Colascione <dancol@google.com>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Link: https://lkml.kernel.org/r/20190208135020.925487496@linutronix.de
      
      8<-------------
      
      v2: Undo the unintentional layout change of struct irq_desc.
      
       include/linux/irqdesc.h |    1 +
       kernel/irq/chip.c       |   12 ++++++++++--
       kernel/irq/internals.h  |    8 +++++++-
       kernel/irq/irqdesc.c    |    7 ++++++-
       4 files changed, 24 insertions(+), 4 deletions(-)
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e4688147
    • Coly Li's avatar
      bcache: improve sysfs_strtoul_clamp() · 7680e67c
      Coly Li authored
      [ Upstream commit 596b5a5d ]
      
      Currently sysfs_strtoul_clamp() is defined as,
       82 #define sysfs_strtoul_clamp(file, var, min, max)                   \
       83 do {                                                               \
       84         if (attr == &sysfs_ ## file)                               \
       85                 return strtoul_safe_clamp(buf, var, min, max)      \
       86                         ?: (ssize_t) size;                         \
       87 } while (0)
      
      The problem is, if bit width of var is less then unsigned long, min and
      max may not protect var from integer overflow, because overflow happens
      in strtoul_safe_clamp() before checking min and max.
      
      To fix such overflow in sysfs_strtoul_clamp(), to make min and max take
      effect, this patch adds an unsigned long variable, and uses it to macro
      strtoul_safe_clamp() to convert an unsigned long value in range defined
      by [min, max]. Then assign this value to var. By this method, if bit
      width of var is less than unsigned long, integer overflow won't happen
      before min and max are checking.
      
      Now sysfs_strtoul_clamp() can properly handle smaller data type like
      unsigned int, of cause min and max should be defined in range of
      unsigned int too.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7680e67c
    • Coly Li's avatar
      bcache: fix input overflow to sequential_cutoff · 70e8b1e0
      Coly Li authored
      [ Upstream commit 8c27a395 ]
      
      People may set sequential_cutoff of a cached device via sysfs file,
      but current code does not check input value overflow. E.g. if value
      4294967295 (UINT_MAX) is written to file sequential_cutoff, its value
      is 4GB, but if 4294967296 (UINT_MAX + 1) is written into, its value
      will be 0. This is an unexpected behavior.
      
      This patch replaces d_strtoi_h() by sysfs_strtoul_clamp() to convert
      input string to unsigned integer value, and limit its range in
      [0, UINT_MAX]. Then the input overflow can be fixed.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      70e8b1e0
    • Coly Li's avatar
      bcache: fix input overflow to cache set sysfs file io_error_halflife · 77f895ed
      Coly Li authored
      [ Upstream commit a91fbda4 ]
      
      Cache set sysfs entry io_error_halflife is used to set c->error_decay.
      c->error_decay is in type unsigned int, and it is converted by
      strtoul_or_return(), therefore overflow to c->error_decay is possible
      for a large input value.
      
      This patch fixes the overflow by using strtoul_safe_clamp() to convert
      input string to an unsigned long value in range [0, UINT_MAX], then
      divides by 88 and set it to c->error_decay.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      77f895ed
    • Luc Van Oostenryck's avatar
      sched/topology: Fix percpu data types in struct sd_data & struct s_data · 43a81992
      Luc Van Oostenryck authored
      [ Upstream commit 99687cdb ]
      
      The percpu members of struct sd_data and s_data are declared as:
      
      	struct ... ** __percpu member;
      
      So their type is:
      
      	__percpu pointer to pointer to struct ...
      
      But looking at how they're used, their type should be:
      
      	pointer to __percpu pointer to struct ...
      
      and they should thus be declared as:
      
      	struct ... * __percpu *member;
      
      So fix the placement of '__percpu' in the definition of these
      structures.
      
      This addresses a bunch of Sparse's warnings like:
      
      	warning: incorrect type in initializer (different address spaces)
      	  expected void const [noderef] <asn:3> *__vpp_verify
      	  got struct sched_domain **
      Signed-off-by: default avatarLuc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190118144936.79158-1-luc.vanoostenryck@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      43a81992
    • John Stultz's avatar
      usb: f_fs: Avoid crash due to out-of-scope stack ptr access · 74c74604
      John Stultz authored
      [ Upstream commit 54f64d5c ]
      
      Since the 5.0 merge window opened, I've been seeing frequent
      crashes on suspend and reboot with the trace:
      
      [   36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660
      [   36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564
      ...
      [   36.950666] Call trace:
      [   36.950670]  queued_spin_lock_slowpath+0x1cc/0x2c8
      [   36.950681]  _raw_spin_lock_irqsave+0x64/0x78
      [   36.950692]  complete+0x28/0x70
      [   36.950703]  ffs_epfile_io_complete+0x3c/0x50
      [   36.950713]  usb_gadget_giveback_request+0x34/0x108
      [   36.950721]  dwc3_gadget_giveback+0x50/0x68
      [   36.950723]  dwc3_thread_interrupt+0x358/0x1488
      [   36.950731]  irq_thread_fn+0x30/0x88
      [   36.950734]  irq_thread+0x114/0x1b0
      [   36.950739]  kthread+0x104/0x130
      [   36.950747]  ret_from_fork+0x10/0x1c
      
      I isolated this down to in ffs_epfile_io():
      https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065
      
      Where the completion done is setup on the stack:
        DECLARE_COMPLETION_ONSTACK(done);
      
      Then later we setup a request and queue it, and wait for it:
        if (unlikely(wait_for_completion_interruptible(&done))) {
          /*
          * To avoid race condition with ffs_epfile_io_complete,
          * dequeue the request first then check
          * status. usb_ep_dequeue API should guarantee no race
          * condition with req->complete callback.
          */
          usb_ep_dequeue(ep->ep, req);
          interrupted = ep->status < 0;
        }
      
      The problem is, that we end up being interrupted, dequeue the
      request, and exit.
      
      But then the irq triggers and we try calling complete() on the
      context pointer which points to now random stack space, which
      results in the panic.
      
      Alan Stern pointed out there is a bug here, in that the snippet
      above "assumes that usb_ep_dequeue() waits until the request has
      been completed." And that:
      
          wait_for_completion(&done);
      
      Is needed right after the usb_ep_dequeue().
      
      Thus this patch implements that change. With it I no longer see
      the crashes on suspend or reboot.
      
      This issue seems to have been uncovered by behavioral changes in
      the dwc3 driver in commit fec9095b ("usb: dwc3: gadget:
      remove wait_end_transfer").
      
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Zeng Tao <prime.zeng@hisilicon.com>
      Cc: Jack Pham <jackp@codeaurora.org>
      Cc: Thinh Nguyen <thinh.nguyen@synopsys.com>
      Cc: Chen Yu <chenyu56@huawei.com>
      Cc: Jerry Zhang <zhangjerry@google.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Vincent Pelletier <plr.vincent@gmail.com>
      Cc: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Linux USB List <linux-usb@vger.kernel.org>
      Suggested-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      74c74604
    • Ranjani Sridharan's avatar
      ALSA: PCM: check if ops are defined before suspending PCM · 62ecc64c
      Ranjani Sridharan authored
      [ Upstream commit d9c0b2af ]
      
      BE dai links only have internal PCM's and their substream ops may
      not be set. Suspending these PCM's will result in their
       ops->trigger() being invoked and cause a kernel oops.
      So skip suspending PCM's if their ops are NULL.
      
      [ NOTE: this change is required now for following the recent PCM core
        change to get rid of snd_pcm_suspend() call.  Since DPCM BE takes
        the runtime carried from FE while keeping NULL ops, it can hit this
        bug.  See details at:
           https://github.com/thesofproject/linux/pull/582
        -- tiwai ]
      Signed-off-by: default avatarRanjani Sridharan <ranjani.sridharan@linux.intel.com>
      Signed-off-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      62ecc64c
    • Nathan Chancellor's avatar
      ARM: 8833/1: Ensure that NEON code always compiles with Clang · 416b593a
      Nathan Chancellor authored
      [ Upstream commit de9c0d49 ]
      
      While building arm32 allyesconfig, I ran into the following errors:
      
        arch/arm/lib/xor-neon.c:17:2: error: You should compile this file with
        '-mfloat-abi=softfp -mfpu=neon'
      
        In file included from lib/raid6/neon1.c:27:
        /home/nathan/cbl/prebuilt/lib/clang/8.0.0/include/arm_neon.h:28:2:
        error: "NEON support not enabled"
      
      Building V=1 showed NEON_FLAGS getting passed along to Clang but
      __ARM_NEON__ was not getting defined. Ultimately, it boils down to Clang
      only defining __ARM_NEON__ when targeting armv7, rather than armv6k,
      which is the '-march' value for allyesconfig.
      
      >From lib/Basic/Targets/ARM.cpp in the Clang source:
      
        // This only gets set when Neon instructions are actually available, unlike
        // the VFP define, hence the soft float and arch check. This is subtly
        // different from gcc, we follow the intent which was that it should be set
        // when Neon instructions are actually available.
        if ((FPU & NeonFPU) && !SoftFloat && ArchVersion >= 7) {
          Builder.defineMacro("__ARM_NEON", "1");
          Builder.defineMacro("__ARM_NEON__");
          // current AArch32 NEON implementations do not support double-precision
          // floating-point even when it is present in VFP.
          Builder.defineMacro("__ARM_NEON_FP",
                              "0x" + Twine::utohexstr(HW_FP & ~HW_FP_DP));
        }
      
      Ard Biesheuvel recommended explicitly adding '-march=armv7-a' at the
      beginning of the NEON_FLAGS definitions so that __ARM_NEON__ always gets
      definined by Clang. This doesn't functionally change anything because
      that code will only run where NEON is supported, which is implicitly
      armv7.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/287Suggested-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Acked-by: default avatarNicolas Pitre <nico@linaro.org>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Reviewed-by: default avatarStefan Agner <stefan@agner.ch>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      416b593a
    • Chieh-Min Wang's avatar
      netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm · 91a604c2
      Chieh-Min Wang authored
      [ Upstream commit 13f5251f ]
      
      For bridge(br_flood) or broadcast/multicast packets, they could clone
      skb with unconfirmed conntrack which break the rule that unconfirmed
      skb->_nfct is never shared.  With nfqueue running on my system, the race
      can be easily reproduced with following warning calltrace:
      
      [13257.707525] CPU: 0 PID: 12132 Comm: main Tainted: P        W       4.4.60 #7744
      [13257.707568] Hardware name: Qualcomm (Flattened Device Tree)
      [13257.714700] [<c021f6dc>] (unwind_backtrace) from [<c021bce8>] (show_stack+0x10/0x14)
      [13257.720253] [<c021bce8>] (show_stack) from [<c0449e10>] (dump_stack+0x94/0xa8)
      [13257.728240] [<c0449e10>] (dump_stack) from [<c022a7e0>] (warn_slowpath_common+0x94/0xb0)
      [13257.735268] [<c022a7e0>] (warn_slowpath_common) from [<c022a898>] (warn_slowpath_null+0x1c/0x24)
      [13257.743519] [<c022a898>] (warn_slowpath_null) from [<c06ee450>] (__nf_conntrack_confirm+0xa8/0x618)
      [13257.752284] [<c06ee450>] (__nf_conntrack_confirm) from [<c0772670>] (ipv4_confirm+0xb8/0xfc)
      [13257.761049] [<c0772670>] (ipv4_confirm) from [<c06e7a60>] (nf_iterate+0x48/0xa8)
      [13257.769725] [<c06e7a60>] (nf_iterate) from [<c06e7af0>] (nf_hook_slow+0x30/0xb0)
      [13257.777108] [<c06e7af0>] (nf_hook_slow) from [<c07f20b4>] (br_nf_post_routing+0x274/0x31c)
      [13257.784486] [<c07f20b4>] (br_nf_post_routing) from [<c06e7a60>] (nf_iterate+0x48/0xa8)
      [13257.792556] [<c06e7a60>] (nf_iterate) from [<c06e7af0>] (nf_hook_slow+0x30/0xb0)
      [13257.800458] [<c06e7af0>] (nf_hook_slow) from [<c07e5580>] (br_forward_finish+0x94/0xa4)
      [13257.808010] [<c07e5580>] (br_forward_finish) from [<c07f22ac>] (br_nf_forward_finish+0x150/0x1ac)
      [13257.815736] [<c07f22ac>] (br_nf_forward_finish) from [<c06e8df0>] (nf_reinject+0x108/0x170)
      [13257.824762] [<c06e8df0>] (nf_reinject) from [<c06ea854>] (nfqnl_recv_verdict+0x3d8/0x420)
      [13257.832924] [<c06ea854>] (nfqnl_recv_verdict) from [<c06e940c>] (nfnetlink_rcv_msg+0x158/0x248)
      [13257.841256] [<c06e940c>] (nfnetlink_rcv_msg) from [<c06e5564>] (netlink_rcv_skb+0x54/0xb0)
      [13257.849762] [<c06e5564>] (netlink_rcv_skb) from [<c06e4ec8>] (netlink_unicast+0x148/0x23c)
      [13257.858093] [<c06e4ec8>] (netlink_unicast) from [<c06e5364>] (netlink_sendmsg+0x2ec/0x368)
      [13257.866348] [<c06e5364>] (netlink_sendmsg) from [<c069fb8c>] (sock_sendmsg+0x34/0x44)
      [13257.874590] [<c069fb8c>] (sock_sendmsg) from [<c06a03dc>] (___sys_sendmsg+0x1ec/0x200)
      [13257.882489] [<c06a03dc>] (___sys_sendmsg) from [<c06a11c8>] (__sys_sendmsg+0x3c/0x64)
      [13257.890300] [<c06a11c8>] (__sys_sendmsg) from [<c0209b40>] (ret_fast_syscall+0x0/0x34)
      
      The original code just triggered the warning but do nothing. It will
      caused the shared conntrack moves to the dying list and the packet be
      droppped (nf_ct_resolve_clash returns NF_DROP for dying conntrack).
      
      - Reproduce steps:
      
      +----------------------------+
      |          br0(bridge)       |
      |                            |
      +-+---------+---------+------+
        | eth0|   | eth1|   | eth2|
        |     |   |     |   |     |
        +--+--+   +--+--+   +---+-+
           |         |          |
           |         |          |
        +--+-+     +-+--+    +--+-+
        | PC1|     | PC2|    | PC3|
        +----+     +----+    +----+
      
      iptables -A FORWARD -m mark --mark 0x1000000/0x1000000 -j NFQUEUE --queue-num 100 --queue-bypass
      
      ps: Our nfq userspace program will set mark on packets whose connection
      has already been processed.
      
      PC1 sends broadcast packets simulated by hping3:
      
      hping3 --rand-source --udp 192.168.1.255 -i u100
      
      - Broadcast racing flow chart is as follow:
      
      br_handle_frame
        BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, br_handle_frame_finish)
        // skb->_nfct (unconfirmed conntrack) is constructed at PRE_ROUTING stage
        br_handle_frame_finish
          // check if this packet is broadcast
          br_flood_forward
            br_flood
              list_for_each_entry_rcu(p, &br->port_list, list) // iterate through each port
                maybe_deliver
                  deliver_clone
                    skb = skb_clone(skb)
                    __br_forward
                      BR_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD,...)
                      // queue in our nfq and received by our userspace program
                      // goto __nf_conntrack_confirm with process context on CPU 1
          br_pass_frame_up
            BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,...)
            // goto __nf_conntrack_confirm with softirq context on CPU 0
      
      Because conntrack confirm can happen at both INPUT and POSTROUTING
      stage.  So with NFQUEUE running, skb->_nfct with the same unconfirmed
      conntrack could race on different core.
      
      This patch fixes a repeating kernel splat, now it is only displayed
      once.
      Signed-off-by: default avatarChieh-Min Wang <chiehminw@synology.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      91a604c2
    • Andrea Righi's avatar
      kprobes: Prohibit probing on bsearch() · e62824d1
      Andrea Righi authored
      [ Upstream commit 02106f88 ]
      
      Since kprobe breakpoing handler is using bsearch(), probing on this
      routine can cause recursive breakpoint problem.
      
      int3
       ->do_int3()
         ->ftrace_int3_handler()
           ->ftrace_location()
             ->ftrace_location_range()
               ->bsearch() -> int3
      
      Prohibit probing on bsearch().
      Signed-off-by: default avatarAndrea Righi <righi.andrea@gmail.com>
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/154998813406.31052.8791425358974650922.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e62824d1
    • Hans de Goede's avatar
      ACPI / video: Refactor and fix dmi_is_desktop() · 67dcd5d7
      Hans de Goede authored
      [ Upstream commit cecf3e3e ]
      
      This commit refactors the chassis-type detection introduced by
      commit 53fa1f6e ("ACPI / video: Only default only_lcd to true on
      Win8-ready _desktops_") (where desktop means anything without a builtin
      screen).
      
      The DMI chassis_type is an unsigned integer, so rather then doing a
      whole bunch of string-compares on it, convert it to an int and feed
      the result to a switch case.
      
      Note the switch case uses hex values, this is done because the spec
      uses hex values too. This changes the check for "Main Server Chassis"
      from checking for 11 decimal to 11 hexadecimal, this is a bug fix,
      the original check for 11 decimal was wrong.
      
      Fixes: 53fa1f6e ("ACPI / video: Only default only_lcd to true ...")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      [ rjw: Drop redundant return statements ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      67dcd5d7
    • Sara Sharon's avatar
      iwlwifi: pcie: fix emergency path · 0fbfca57
      Sara Sharon authored
      [ Upstream commit c6ac9f9f ]
      
      Allocator swaps the pending requests with 0 when it starts
      working. This means that relying on it n RX path to decide if
      to move to emergency is not always a good idea, since it may
      be zero, but there are still a lot of unallocated RBs in the
      system. Change allocator to decrement the pending requests on
      real time. It is more expensive since it accesses the atomic
      variable more times, but it gives the RX path a better idea
      of the system's status.
      Reported-by: default avatarIlan Peer <ilan.peer@intel.com>
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Fixes: 868a1e86 ("iwlwifi: pcie: avoid empty free RB queue")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0fbfca57
    • Michal Kazior's avatar
      leds: lp55xx: fix null deref on firmware load failure · 0affcd54
      Michal Kazior authored
      [ Upstream commit 5ddb0869 ]
      
      I've stumbled upon a kernel crash and the logs
      pointed me towards the lp5562 driver:
      
      > <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2
      > <4>[306013.894990] lp5562 0-0030: Falling back to user helper
      > ...
      > <3>[306073.924886] lp5562 0-0030: firmware request failed
      > <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      > <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58
      > <4>[306074.255539] LR is at release_firmware+0x6c/0x138
      > ...
      
      After taking a look I noticed firmware_release()
      could be called with either NULL or a dangling
      pointer.
      
      Fixes: 10c06d17 ("leds-lp55xx: support firmware interface")
      Signed-off-by: default avatarMichal Kazior <michal@plume.com>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0affcd54
    • Theodore Ts'o's avatar
      jbd2: fix race when writing superblock · 9edb5193
      Theodore Ts'o authored
      [ Upstream commit 538bcaa6 ]
      
      The jbd2 superblock is lockless now, so there is probably a race
      condition between writing it so disk and modifing contents of it, which
      may lead to checksum error. The following race is the one case that we
      have captured.
      
      jbd2                                fsstress
      jbd2_journal_commit_transaction
       jbd2_journal_update_sb_log_tail
        jbd2_write_superblock
         jbd2_superblock_csum_set         jbd2_journal_revoke
                                           jbd2_journal_set_features(revork)
                                           modify superblock
         submit_bh(checksum incorrect)
      
      Fix this by locking the buffer head before modifing it.  We always
      write the jbd2 superblock after we modify it, so this just means
      calling the lock_buffer() a little earlier.
      
      This checksum corruption problem can be reproduced by xfstests
      generic/475.
      Reported-by: default avatarzhangyi (F) <yi.zhang@huawei.com>
      Suggested-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9edb5193
    • Hong Liu's avatar
      HID: intel-ish-hid: avoid binding wrong ishtp_cl_device · edace601
      Hong Liu authored
      [ Upstream commit 0d28f494 ]
      
      When performing a warm reset in ishtp bus driver, the ishtp_cl_device
      will not be removed, its fw_client still points to the already freed
      ishtp_device.fw_clients array.
      
      Later after driver finishing ishtp client enumeration, this dangling
      pointer may cause driver to bind the wrong ishtp_cl_device to the new
      client, causing wrong callback to be called for messages intended for
      the new client.
      
      This helps in development of firmware where frequent switching of
      firmwares is required without Linux reboot.
      Signed-off-by: default avatarHong Liu <hong.liu@intel.com>
      Tested-by: default avatarHongyan Song <hongyan.song@intel.com>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      edace601
    • Aurelien Jarno's avatar
      vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 · 58c90c4c
      Aurelien Jarno authored
      [ Upstream commit cc4b1242 ]
      
      The preadv2 and pwritev2 syscalls are supposed to emulate the readv and
      writev syscalls when offset == -1. Therefore the compat code should
      check for offset before calling do_compat_preadv64 and
      do_compat_pwritev64. This is the case for the preadv2 and pwritev2
      syscalls, but handling of offset == -1 is missing in their 64-bit
      equivalent.
      
      This patch fixes that, calling do_compat_readv and do_compat_writev when
      offset == -1. This fixes the following glibc tests on x32:
       - misc/tst-preadvwritev2
       - misc/tst-preadvwritev64v2
      
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: H.J. Lu <hjl.tools@gmail.com>
      Signed-off-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      58c90c4c
    • Ezequiel Garcia's avatar
      media: mtk-jpeg: Correct return type for mem2mem buffer helpers · 3dbaa9f3
      Ezequiel Garcia authored
      [ Upstream commit 1b275e4e ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3dbaa9f3
    • Ezequiel Garcia's avatar
      media: mx2_emmaprp: Correct return type for mem2mem buffer helpers · 8234875e
      Ezequiel Garcia authored
      [ Upstream commit 8d20dcef ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8234875e
    • Ezequiel Garcia's avatar
      media: s5p-g2d: Correct return type for mem2mem buffer helpers · 62b2d03e
      Ezequiel Garcia authored
      [ Upstream commit 30fa627b ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      62b2d03e
    • Ezequiel Garcia's avatar
      media: s5p-jpeg: Correct return type for mem2mem buffer helpers · e04c19af
      Ezequiel Garcia authored
      [ Upstream commit 4a88f898 ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e04c19af
    • Ezequiel Garcia's avatar
      media: sh_veu: Correct return type for mem2mem buffer helpers · a016d9a3
      Ezequiel Garcia authored
      [ Upstream commit 43c14519 ]
      
      Fix the assigned type of mem2mem buffer handling API.
      Namely, these functions:
      
       v4l2_m2m_next_buf
       v4l2_m2m_last_buf
       v4l2_m2m_buf_remove
       v4l2_m2m_next_src_buf
       v4l2_m2m_next_dst_buf
       v4l2_m2m_last_src_buf
       v4l2_m2m_last_dst_buf
       v4l2_m2m_src_buf_remove
       v4l2_m2m_dst_buf_remove
      
      return a struct vb2_v4l2_buffer, and not a struct vb2_buffer.
      
      Fixing this is necessary to fix the mem2mem buffer handling API,
      changing the return to the correct struct vb2_v4l2_buffer instead
      of a void pointer.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a016d9a3
    • Wen Yang's avatar
      SoC: imx-sgtl5000: add missing put_device() · 31b73180
      Wen Yang authored
      [ Upstream commit 8fa857da ]
      
      The of_find_device_by_node() takes a reference to the underlying device
      structure, we should release that reference.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/fsl/imx-sgtl5000.c:169:1-7: ERROR: missing put_device;
      call of_find_device_by_node on line 105, but without a corresponding
      object release within this function.
      ./sound/soc/fsl/imx-sgtl5000.c:177:1-7: ERROR: missing put_device;
      call of_find_device_by_node on line 105, but without a corresponding
      object release within this function.
      Signed-off-by: default avatarWen Yang <yellowriver2010@hotmail.com>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <festevam@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: Shawn Guo <shawnguo@kernel.org>
      Cc: Sascha Hauer <s.hauer@pengutronix.de>
      Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
      Cc: NXP Linux Team <linux-imx@nxp.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      31b73180
    • Thomas Richter's avatar
      perf test: Fix failure of 'evsel-tp-sched' test on s390 · f548bbe4
      Thomas Richter authored
      [ Upstream commit 03d30971 ]
      
      Commit 489338a7 ("perf tests evsel-tp-sched: Fix bitwise operator")
      causes test case 14 "Parse sched tracepoints fields" to fail on s390.
      
      This test succeeds on x86.
      
      In fact this test now fails on all architectures with type char treated
      as type unsigned char.
      
      The root cause is the signed-ness of character arrays in the tracepoints
      sched_switch for structure members prev_comm and next_comm.
      
      On s390 the output of:
      
       [root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
       name: sched_switch
       ID: 287
       format:
         field:unsigned short common_type; offset:0; size:2;	signed:0;
         ...
         field:char prev_comm[16]; offset:8; size:16;	signed:0;
         ...
         field:char next_comm[16]; offset:40; size:16; signed:0;
      
      reveals the character arrays prev_comm and next_comm are per
      default unsigned char and have values in the range of 0..255.
      
      On x86 both fields are signed as this output shows:
       [root@f29]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
       name: sched_switch
       ID: 287
       format:
         field:unsigned short common_type; offset:0; size:2;	signed:0;
         ...
         field:char prev_comm[16]; offset:8; size:16;	signed:1;
         ...
         field:char next_comm[16]; offset:40; size:16; signed:1;
      
      and the character arrays prev_comm and next_comm are per default signed
      char and have values in the range of -1..127.  The implementation of
      type char is architecture specific.
      
      Since the character arrays in both tracepoints sched_switch and
      sched_wakeup should contain ascii characters, simply omit the check for
      signedness in the test case.
      
      Output before:
      
        [root@m35lp76 perf]# ./perf test -F 14
        14: Parse sched tracepoints fields                        :
        --- start ---
        sched:sched_switch: "prev_comm" signedness(0) is wrong, should be 1
        sched:sched_switch: "next_comm" signedness(0) is wrong, should be 1
        sched:sched_wakeup: "comm" signedness(0) is wrong, should be 1
        ---- end ----
        14: Parse sched tracepoints fields                        : FAILED!
        [root@m35lp76 perf]#
      
      Output after:
      
        [root@m35lp76 perf]# ./perf test -Fv 14
        14: Parse sched tracepoints fields                        :
        --- start ---
        ---- end ----
        Parse sched tracepoints fields: Ok
        [root@m35lp76 perf]#
      
      Fixes: 489338a7 ("perf tests evsel-tp-sched: Fix bitwise operator")
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Link: http://lkml.kernel.org/r/20190219153639.31267-1-tmricht@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f548bbe4
    • Sedat Dilek's avatar
      scsi: fcoe: make use of fip_mode enum complete · c3ec6241
      Sedat Dilek authored
      [ Upstream commit 8beb90aa ]
      
      commit 1917d42d ("fcoe: use enum for fip_mode") introduces a separate
      enum for the fip_mode that shall be used during initialisation handling
      until it is passed to fcoe_ctrl_link_up to set the initial fip_state.  That
      change was incomplete and gcc quietly converted in various places between
      the fip_mode and the fip_state enum values with implicit enum conversions,
      which fortunately cannot cause any issues in the actual code's execution.
      
      clang however warns about these implicit enum conversions in the scsi
      drivers. This commit consolidates the use of the two enums, guided by
      clang's enum-conversion warnings.
      
      This commit now completes the use of the fip_mode: It expects and uses
      fip_mode in {bnx2fc,fcoe}_interface_create and fcoe_ctlr_init, and it calls
      fcoe_ctrl_set_set() with the correct values in fcoe_ctlr_link_up().  It
      also breaks the association between FIP_MODE_AUTO and FIP_ST_AUTO to
      indicate these two enums are distinct.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/151
      Fixes: 1917d42d ("fcoe: use enum for fip_mode")
      Reported-by: default avatarDmitry Golovin <dima@golovin.in>
      Original-by: default avatarLukas Bulwahn <lukas.bulwahn@gmail.com>
      CC: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      CC: Nick Desaulniers <ndesaulniers@google.com>
      CC: Nathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Suggested-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c3ec6241
    • Jason Yan's avatar
      scsi: megaraid_sas: return error when create DMA pool failed · 90fca247
      Jason Yan authored
      [ Upstream commit bcf3b67d ]
      
      when create DMA pool for cmd frames failed, we should return -ENOMEM,
      instead of 0.
      In some case in:
      
          megasas_init_adapter_fusion()
      
          -->megasas_alloc_cmds()
             -->megasas_create_frame_pool
                create DMA pool failed,
              --> megasas_free_cmds() [1]
      
          -->megasas_alloc_cmds_fusion()
             failed, then goto fail_alloc_cmds.
          -->megasas_free_cmds() [2]
      
      we will call megasas_free_cmds twice, [1] will kfree cmd_list,
      [2] will use cmd_list.it will cause a problem:
      
      Unable to handle kernel NULL pointer dereference at virtual address
      00000000
      pgd = ffffffc000f70000
      [00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003,
      *pmd=0000001fbf894003, *pte=006000006d000707
      Internal error: Oops: 96000005 [#1] SMP
       Modules linked in:
       CPU: 18 PID: 1 Comm: swapper/0 Not tainted
       task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000
       PC is at megasas_free_cmds+0x30/0x70
       LR is at megasas_free_cmds+0x24/0x70
       ...
       Call trace:
       [<ffffffc0005b779c>] megasas_free_cmds+0x30/0x70
       [<ffffffc0005bca74>] megasas_init_adapter_fusion+0x2f4/0x4d8
       [<ffffffc0005b926c>] megasas_init_fw+0x2dc/0x760
       [<ffffffc0005b9ab0>] megasas_probe_one+0x3c0/0xcd8
       [<ffffffc0004a5abc>] local_pci_probe+0x4c/0xb4
       [<ffffffc0004a5c40>] pci_device_probe+0x11c/0x14c
       [<ffffffc00053a5e4>] driver_probe_device+0x1ec/0x430
       [<ffffffc00053a92c>] __driver_attach+0xa8/0xb0
       [<ffffffc000538178>] bus_for_each_dev+0x74/0xc8
        [<ffffffc000539e88>] driver_attach+0x28/0x34
       [<ffffffc000539a18>] bus_add_driver+0x16c/0x248
       [<ffffffc00053b234>] driver_register+0x6c/0x138
       [<ffffffc0004a5350>] __pci_register_driver+0x5c/0x6c
       [<ffffffc000ce3868>] megasas_init+0xc0/0x1a8
       [<ffffffc000082a58>] do_one_initcall+0xe8/0x1ec
       [<ffffffc000ca7be8>] kernel_init_freeable+0x1c8/0x284
       [<ffffffc0008d90b8>] kernel_init+0x1c/0xe4
      Signed-off-by: default avatarJason Yan <yanaijie@huawei.com>
      Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      90fca247
    • Ross Lagerwall's avatar
      efi: cper: Fix possible out-of-bounds access · 7022c495
      Ross Lagerwall authored
      [ Upstream commit 45b14a4f ]
      
      When checking a generic status block, we iterate over all the generic
      data blocks. The loop condition only checks that the start of the
      generic data block is valid (within estatus->data_length) but not the
      whole block. Because the size of data blocks (excluding error data) may
      vary depending on the revision and the revision is contained within the
      data block, ensure that enough of the current data block is valid before
      dereferencing any members otherwise an out-of-bounds access may occur if
      estatus->data_length is invalid.
      
      This relies on the fact that struct acpi_hest_generic_data_v300 is a
      superset of the earlier version.  Also rework the other checks to avoid
      potential underflow.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Tested-by: default avatarTyler Baicar <baicar.tyler@gmail.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7022c495
    • Erwan Velu's avatar
      cpufreq: acpi-cpufreq: Report if CPU doesn't support boost technologies · 33640a0c
      Erwan Velu authored
      [ Upstream commit 1222d527 ]
      
      There is some rare cases where CPB (and possibly IDA) are missing on
      processors.
      
      This is the case fixed by commit f7f3dc00 ("x86/cpu/AMD: Fix
      erratum 1076 (CPB bit)") and following.
      
      In such context, the boost status isn't reported by
      /sys/devices/system/cpu/cpufreq/boost.
      
      This commit is about printing a message to report that the CPU
      doesn't expose the boost capabilities.
      
      This message could help debugging platforms hit by this phenomena.
      Signed-off-by: default avatarErwan Velu <e.velu@criteo.com>
      [ rjw: Change the message text somewhat ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      33640a0c
    • Katsuhiro Suzuki's avatar
      clk: fractional-divider: check parent rate only if flag is set · 2c8340ca
      Katsuhiro Suzuki authored
      [ Upstream commit d13501a2 ]
      
      Custom approximation of fractional-divider may not need parent clock
      rate checking. For example Rockchip SoCs work fine using grand parent
      clock rate even if target rate is greater than parent.
      
      This patch checks parent clock rate only if CLK_SET_RATE_PARENT flag
      is set.
      
      For detailed example, clock tree of Rockchip I2S audio hardware.
        - Clock rate of CPLL is 1.2GHz, GPLL is 491.52MHz.
        - i2s1_div is integer divider can divide N (N is 1~128).
          Input clock is CPLL or GPLL. Initial divider value is N = 1.
          Ex) PLL = CPLL, N = 10, i2s1_div output rate is
            CPLL / 10 = 1.2GHz / 10 = 120MHz
        - i2s1_frac is fractional divider can divide input to x/y, x and
          y are 16bit integer.
      
      CPLL --> | selector | ---> i2s1_div -+--> | selector | --> I2S1 MCLK
      GPLL --> |          | ,--------------'    |          |
                            `--> i2s1_frac ---> |          |
      
      Clock mux system try to choose suitable one from i2s1_div and
      i2s1_frac for master clock (MCLK) of I2S1.
      
      Bad scenario as follows:
        - Try to set MCLK to 8.192MHz (32kHz audio replay)
          Candidate setting is
          - i2s1_div: GPLL / 60 = 8.192MHz
          i2s1_div candidate is exactly same as target clock rate, so mux
          choose this clock source. i2s1_div output rate is changed
          491.52MHz -> 8.192MHz
      
        - After that try to set to 11.2896MHz (44.1kHz audio replay)
          Candidate settings are
          - i2s1_div : CPLL / 107 = 11.214945MHz
          - i2s1_frac: i2s1_div   = 8.192MHz
            This is because clk_fd_round_rate() thinks target rate
            (11.2896MHz) is higher than parent rate (i2s1_div = 8.192MHz)
            and returns parent clock rate.
      
      Above is current upstreamed behavior. Clock mux system choose
      i2s1_div, but this clock rate is not acceptable for I2S driver, so
      users cannot replay audio.
      
      Expected behavior is:
        - Try to set master clock to 11.2896MHz (44.1kHz audio replay)
          Candidate settings are
          - i2s1_div : CPLL / 107          = 11.214945MHz
          - i2s1_frac: i2s1_div * 147/6400 = 11.2896MHz
                       Change i2s1_div to GPLL / 1 = 491.52MHz at same
                       time.
      
      If apply this commit, clk_fd_round_rate() calls custom approximate
      function of Rockchip even if target rate is higher than parent.
      Custom function changes both grand parent (i2s1_div) and parent
      (i2s_frac) settings at same time. Clock mux system can choose
      i2s1_frac and audio works fine.
      Signed-off-by: default avatarKatsuhiro Suzuki <katsuhiro@katsuster.net>
      Reviewed-by: default avatarHeiko Stuebner <heiko@sntech.de>
      [sboyd@kernel.org: Make function into a macro instead]
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2c8340ca
    • Håkon Bugge's avatar
      IB/mlx4: Increase the timeout for CM cache · 63d748f3
      Håkon Bugge authored
      [ Upstream commit 2612d723 ]
      
      Using CX-3 virtual functions, either from a bare-metal machine or
      pass-through from a VM, MAD packets are proxied through the PF driver.
      
      Since the VF drivers have separate name spaces for MAD Transaction Ids
      (TIDs), the PF driver has to re-map the TIDs and keep the book keeping
      in a cache.
      
      Following the RDMA Connection Manager (CM) protocol, it is clear when
      an entry has to evicted form the cache. But life is not perfect,
      remote peers may die or be rebooted. Hence, it's a timeout to wipe out
      a cache entry, when the PF driver assumes the remote peer has gone.
      
      During workloads where a high number of QPs are destroyed concurrently,
      excessive amount of CM DREQ retries has been observed
      
      The problem can be demonstrated in a bare-metal environment, where two
      nodes have instantiated 8 VFs each. This using dual ported HCAs, so we
      have 16 vPorts per physical server.
      
      64 processes are associated with each vPort and creates and destroys
      one QP for each of the remote 64 processes. That is, 1024 QPs per
      vPort, all in all 16K QPs. The QPs are created/destroyed using the
      CM.
      
      When tearing down these 16K QPs, excessive CM DREQ retries (and
      duplicates) are observed. With some cat/paste/awk wizardry on the
      infiniband_cm sysfs, we observe as sum of the 16 vPorts on one of the
      nodes:
      
      cm_rx_duplicates:
            dreq  2102
      cm_rx_msgs:
            drep  1989
            dreq  6195
             rep  3968
             req  4224
             rtu  4224
      cm_tx_msgs:
            drep  4093
            dreq 27568
             rep  4224
             req  3968
             rtu  3968
      cm_tx_retries:
            dreq 23469
      
      Note that the active/passive side is equally distributed between the
      two nodes.
      
      Enabling pr_debug in cm.c gives tons of:
      
      [171778.814239] <mlx4_ib> mlx4_ib_multiplex_cm_handler: id{slave:
      1,sl_cm_id: 0xd393089f} is NULL!
      
      By increasing the CM_CLEANUP_CACHE_TIMEOUT from 5 to 30 seconds, the
      tear-down phase of the application is reduced from approximately 90 to
      50 seconds. Retries/duplicates are also significantly reduced:
      
      cm_rx_duplicates:
            dreq  2460
      []
      cm_tx_retries:
            dreq  3010
             req    47
      
      Increasing the timeout further didn't help, as these duplicates and
      retries stems from a too short CMA timeout, which was 20 (~4 seconds)
      on the systems. By increasing the CMA timeout to 22 (~17 seconds), the
      numbers fell down to about 10 for both of them.
      
      Adjustment of the CMA timeout is not part of this commit.
      Signed-off-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Acked-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      63d748f3
    • Florian Fainelli's avatar
      mlxsw: spectrum: Avoid -Wformat-truncation warnings · 4e07a33d
      Florian Fainelli authored
      [ Upstream commit ab2c4e25 ]
      
      Give precision identifiers to the two snprintf() formatting the priority
      and TC strings to avoid producing these two warnings:
      
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function
      'mlxsw_sp_port_get_prio_strings':
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:37: warning: '%d'
      directive output may be truncated writing between 1 and 3 bytes into a
      region of size between 0 and 31 [-Wformat-truncation=]
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
                                           ^~
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:3: note: 'snprintf'
      output between 3 and 36 bytes into a destination of size 32
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           mlxsw_sp_port_hw_prio_stats[i].str, prio);
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function
      'mlxsw_sp_port_get_tc_strings':
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:37: warning: '%d'
      directive output may be truncated writing between 1 and 11 bytes into a
      region of size between 0 and 31 [-Wformat-truncation=]
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
                                           ^~
      drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:3: note: 'snprintf'
      output between 3 and 44 bytes into a destination of size 32
         snprintf(*p, ETH_GSTRING_LEN, "%s_%d",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           mlxsw_sp_port_hw_tc_stats[i].str, tc);
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4e07a33d
    • Florian Fainelli's avatar
      e1000e: Fix -Wformat-truncation warnings · 8c21b452
      Florian Fainelli authored
      [ Upstream commit 135e7245 ]
      
      Provide precision hints to snprintf() since we know the destination
      buffer size of the RX/TX ring names are IFNAMSIZ + 5 - 1. This fixes the
      following warnings:
      
      drivers/net/ethernet/intel/e1000e/netdev.c: In function
      'e1000_request_msix':
      drivers/net/ethernet/intel/e1000e/netdev.c:2109:13: warning: 'snprintf'
      output may be truncated before the last format character
      [-Wformat-truncation=]
           "%s-rx-0", netdev->name);
                   ^
      drivers/net/ethernet/intel/e1000e/netdev.c:2107:3: note: 'snprintf'
      output between 6 and 21 bytes into a destination of size 20
         snprintf(adapter->rx_ring->name,
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           sizeof(adapter->rx_ring->name) - 1,
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           "%s-rx-0", netdev->name);
           ~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/intel/e1000e/netdev.c:2125:13: warning: 'snprintf'
      output may be truncated before the last format character
      [-Wformat-truncation=]
           "%s-tx-0", netdev->name);
                   ^
      drivers/net/ethernet/intel/e1000e/netdev.c:2123:3: note: 'snprintf'
      output between 6 and 21 bytes into a destination of size 20
         snprintf(adapter->tx_ring->name,
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           sizeof(adapter->tx_ring->name) - 1,
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           "%s-tx-0", netdev->name);
           ~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8c21b452
    • Aaro Koskinen's avatar
      mmc: omap: fix the maximum timeout setting · 17211582
      Aaro Koskinen authored
      [ Upstream commit a6327b5e ]
      
      When running OMAP1 kernel on QEMU, MMC access is annoyingly noisy:
      
      	MMC: CTO of 0xff and 0xfe cannot be used!
      	MMC: CTO of 0xff and 0xfe cannot be used!
      	MMC: CTO of 0xff and 0xfe cannot be used!
      	[ad inf.]
      
      Emulator warnings appear to be valid. The TI document SPRU680 [1]
      ("OMAP5910 Dual-Core Processor MultiMedia Card/Secure Data Memory Card
      (MMC/SD) Reference Guide") page 36 states that the maximum timeout is 253
      cycles and "0xff and 0xfe cannot be used".
      
      Fix by using 0xfd as the maximum timeout.
      
      Tested using QEMU 2.5 (Siemens SX1 machine, OMAP310), and also checked on
      real hardware using Palm TE (OMAP310), Nokia 770 (OMAP1710) and Nokia N810
      (OMAP2420) that MMC works as before.
      
      [1] http://www.ti.com/lit/ug/spru680/spru680.pdf
      
      Fixes: 730c9b7e ("[MMC] Add OMAP MMC host driver")
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      17211582