1. 15 May, 2020 1 commit
    • Merge tag 'fixes-for-v5.7-rc6' of... · 86e1cf7d
      Greg Kroah-Hartman authored
      Merge tag 'fixes-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
      
      Felipe writes:
      
      USB: fixes for v5.7-rc6
      
      The main part here are the important fixes for the raw-gadget before it
      becomes an ABI. We're adding support for stall/halt/wedge which is
      actually pretty important in many situations. There's also a NULL
      pointer deref fix.
      
      Apart from raw-gadget, I've included some recent sparse fixes to a few
      drivers.
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      
      * tag 'fixes-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb:
        usb: cdns3: gadget: make a bunch of functions static
        usb: mtu3: constify struct debugfs_reg32
        usb: gadget: udc: atmel: Make some symbols static
        usb: raw-gadget: fix null-ptr-deref when reenabling endpoints
        usb: raw-gadget: documentation updates
        usb: raw-gadget: support stalling/halting/wedging endpoints
        usb: raw-gadget: fix gadget endpoint selection
        usb: raw-gadget: improve uapi headers comments
  2. 14 May, 2020 11 commits
    • USB: usbfs: fix mmap dma mismatch · a0e710a7
      Greg Kroah-Hartman authored
      In commit 2bef9aed ("usb: usbfs: correct kernel->user page attribute
      mismatch") we switched from always calling remap_pfn_range() to call
      dma_mmap_coherent() to handle issues with systems with non-coherent USB host
      controller drivers.  Unfortunately, as syzbot quickly told us, not all the world
      is host controllers with DMA support, so we need to check what host controller
      we are attempting to talk to before doing this type of allocation.
      
      Thanks to Christoph for the quick idea of how to fix this.
      
      Fixes: 2bef9aed ("usb: usbfs: correct kernel->user page attribute mismatch")
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hillf Danton <hdanton@sina.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Jeremy Linton <jeremy.linton@arm.com>
      Cc: stable <stable@vger.kernel.org>
      Reported-by: syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com
      Reviewed-by: Jeremy Linton <jeremy.linton@arm.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/r/20200514112711.1858252-1-gregkh@linuxfoundation.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: host: xhci-plat: keep runtime active when removing host · 1449cb2c
      Li Jun authored
      While removing the host (e.g. for USB role switch from host to device),
      if runtime pm is enabled by user, below oops occurs on dwc3 and cdns3
      platforms.
      Keeping the xhci-plat device active during host removal, and disabling
      runtime pm before calling pm_runtime_set_suspended() fixes them.
      
      oops1:
      Unable to handle kernel NULL pointer dereference at virtual address
      0000000000000240
      Internal error: Oops: 96000004 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.4.3-00107-g64d454a-dirty
      Hardware name: FSL i.MX8MP EVK (DT)
      Workqueue: pm pm_runtime_work
      pstate: 60000005 (nZCv daif -PAN -UAO)
      pc : xhci_suspend+0x34/0x698
      lr : xhci_plat_runtime_suspend+0x2c/0x38
      sp : ffff800011ddbbc0
      Call trace:
       xhci_suspend+0x34/0x698
       xhci_plat_runtime_suspend+0x2c/0x38
       pm_generic_runtime_suspend+0x28/0x40
       __rpm_callback+0xd8/0x138
       rpm_callback+0x24/0x98
       rpm_suspend+0xe0/0x448
       rpm_idle+0x124/0x140
       pm_runtime_work+0xa0/0xf8
       process_one_work+0x1dc/0x370
       worker_thread+0x48/0x468
       kthread+0xf0/0x120
       ret_from_fork+0x10/0x1c
      
      oops2:
      usb 2-1: USB disconnect, device number 2
      xhci-hcd xhci-hcd.1.auto: remove, state 4
      usb usb2: USB disconnect, device number 1
      xhci-hcd xhci-hcd.1.auto: USB bus 2 deregistered
      xhci-hcd xhci-hcd.1.auto: remove, state 4
      usb usb1: USB disconnect, device number 1
      Unable to handle kernel NULL pointer dereference at virtual address
      0000000000000138
      Internal error: Oops: 96000004 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.6.0-rc4-next-20200304-03578
      Hardware name: Freescale i.MX8QXP MEK (DT)
      Workqueue: 1-0050 tcpm_state_machine_work
      pstate: 20000005 (nzCv daif -PAN -UAO)
      pc : xhci_free_dev+0x214/0x270
      lr : xhci_plat_runtime_resume+0x78/0x88
      sp : ffff80001006b5b0
      Call trace:
       xhci_free_dev+0x214/0x270
       xhci_plat_runtime_resume+0x78/0x88
       pm_generic_runtime_resume+0x30/0x48
       __rpm_callback+0x90/0x148
       rpm_callback+0x28/0x88
       rpm_resume+0x568/0x758
       rpm_resume+0x260/0x758
       rpm_resume+0x260/0x758
       __pm_runtime_resume+0x40/0x88
       device_release_driver_internal+0xa0/0x1c8
       device_release_driver+0x1c/0x28
       bus_remove_device+0xd4/0x158
       device_del+0x15c/0x3a0
       usb_disable_device+0xb0/0x268
       usb_disconnect+0xcc/0x300
       usb_remove_hcd+0xf4/0x1dc
       xhci_plat_remove+0x78/0xe0
       platform_drv_remove+0x30/0x50
       device_release_driver_internal+0xfc/0x1c8
       device_release_driver+0x1c/0x28
       bus_remove_device+0xd4/0x158
       device_del+0x15c/0x3a0
       platform_device_del.part.0+0x20/0x90
       platform_device_unregister+0x28/0x40
       cdns3_host_exit+0x20/0x40
       cdns3_role_stop+0x60/0x90
       cdns3_role_set+0x64/0xd8
       usb_role_switch_set_role.part.0+0x3c/0x68
       usb_role_switch_set_role+0x20/0x30
       tcpm_mux_set+0x60/0xf8
       tcpm_reset_port+0xa4/0xf0
       tcpm_detach.part.0+0x28/0x50
       tcpm_state_machine_work+0x12ac/0x2360
       process_one_work+0x1c8/0x470
       worker_thread+0x50/0x428
       kthread+0xfc/0x128
       ret_from_fork+0x10/0x18
      Code: c8037c02 35ffffa3 17ffe7c3 f9800011 (c85f7c01)
      ---[ end trace 45b1a173d2679e44 ]---
      
      [minor commit message cleanup  -Mathias]
      Cc: Baolin Wang <baolin.wang@linaro.org>
      Cc: <stable@vger.kernel.org>
      Fixes: b0c69b4b ("usb: host: plat: Enable xHCI plat runtime PM")
      Reviewed-by: Peter Chen <peter.chen@nxp.com>
      Tested-by: Peter Chen <peter.chen@nxp.com>
      Signed-off-by: Li Jun <jun.li@nxp.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list · 3c6f8cb9
      Sriharsha Allenki authored
      On platforms with IOMMU enabled, multiple SGs can be coalesced into one
      by the IOMMU driver. In that case the SG list processing as part of the
      completion of a urb on a bulk endpoint can result in a NULL pointer
      dereference with the below stack dump.
      
      <6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
      <6> pgd = c0004000
      <6> [0000000c] *pgd=00000000
      <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      <2> PC is at xhci_queue_bulk_tx+0x454/0x80c
      <2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
      <2> pc : [<c08907c4>]    lr : [<c08907bc>]    psr: 000000d3
      <2> sp : ca337c80  ip : 00000000  fp : ffffffff
      <2> r10: 00000000  r9 : 50037000  r8 : 00004000
      <2> r7 : 00000000  r6 : 00004000  r5 : 00000000  r4 : 00000000
      <2> r3 : 00000000  r2 : 00000082  r1 : c2c1a200  r0 : 00000000
      <2> Flags: nzcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
      <2> Control: 10c0383d  Table: b412c06a  DAC: 00000051
      <6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
      <snip>
      <2> [<c08907c4>] (xhci_queue_bulk_tx)
      <2> [<c0881b3c>] (xhci_urb_enqueue)
      <2> [<c0831068>] (usb_hcd_submit_urb)
      <2> [<c08350b4>] (usb_sg_wait)
      <2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
      <2> [<c089f2c0>] (usb_stor_bulk_srb)
      <2> [<c089fe38>] (usb_stor_Bulk_transport)
      <2> [<c089f468>] (usb_stor_invoke_transport)
      <2> [<c08a11b4>] (usb_stor_control_thread)
      <2> [<c014a534>] (kthread)
      
      The above NULL pointer dereference is the result of block_len and the
      sent_len set to zero after the first SG of the list when IOMMU driver
      is enabled. Because of this the loop of processing the SGs has run
      more than num_sgs which resulted in a sg_next on the last SG of the
      list which has SG_END set.
      
      Fix this by checking for the sg before any attributes of the sg are
      accessed.
      
      [modified reason for null pointer dereference in commit message subject -Mathias]
      Fixes: f9c589e1 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
      Cc: stable@vger.kernel.org
      Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: cdns3: gadget: make a bunch of functions static · 172b14b4
      Jason Yan authored
      Fix the following sparse warning:
      
      drivers/usb/cdns3/gadget.c:85:6: warning: symbol
      'cdns3_clear_register_bit' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:140:26: warning: symbol
      'cdns3_next_align_buf' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:151:22: warning: symbol
      'cdns3_next_priv_request' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:193:5: warning: symbol 'cdns3_ring_size' was
      not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:348:6: warning: symbol
      'cdns3_move_deq_to_next_trb' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:514:20: warning: symbol
      'cdns3_wa2_gadget_giveback' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:554:5: warning: symbol
      'cdns3_wa2_gadget_ep_queue' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:839:6: warning: symbol
      'cdns3_wa1_restore_cycle_bit' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:1907:6: warning: symbol
      'cdns3_stream_ep_reconfig' was not declared. Should it be static?
      drivers/usb/cdns3/gadget.c:1928:6: warning: symbol
      'cdns3_configure_dmult' was not declared. Should it be static?
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Reviewed-by: Peter Chen <peter.chen@nxp.com>
      Signed-off-by: Jason Yan <yanaijie@huawei.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: mtu3: constify struct debugfs_reg32 · 6045dd7e
      Rikard Falkeborn authored
      mtu3_prb_regs is never changed and can therefore be made const.
      
      This allows the compiler to put it in the text section instead of the
      data section.
      
      Before:
         text    data     bss     dec     hex filename
        19966    7120       0   27086    69ce drivers/usb/mtu3/mtu3_debugfs.o
      
      After:
         text    data     bss     dec     hex filename
        20142    6992       0   27134    69fe drivers/usb/mtu3/mtu3_debugfs.o
      Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: gadget: udc: atmel: Make some symbols static · 4210f3a6
      Samuel Zou authored
      Fix the following sparse warnings:
      
      drivers/usb/gadget/udc/atmel_usba_udc.c:188:30: warning: symbol 'queue_dbg_fops' was not declared.
      drivers/usb/gadget/udc/atmel_usba_udc.c:196:30: warning: symbol 'regs_dbg_fops' was not declared.
      
      queue_dbg_fops and regs_dbg_fops are only called within atmel_usba_udc.c.
      They should be static.
      
      Fixes: 914a3f3b ("USB: add atmel_usba_udc driver")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Samuel Zou <zou_wei@huawei.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: raw-gadget: fix null-ptr-deref when reenabling endpoints · da39b5ee
      Andrey Konovalov authored
      Currently we preassign gadget endpoints to raw-gadget endpoints during
      initialization. Fix resetting this assignment in raw_ioctl_ep_disable(),
      otherwise we will get null-ptr-derefs when an endpoint is reenabled.
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: raw-gadget: documentation updates · 61d2658d
      Andrey Konovalov authored
      Mention the issue with fixed UDC addresses.
      
      Link external examples and test suite.
      
      Add more implementation details and potential improvements.
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: raw-gadget: support stalling/halting/wedging endpoints · c61769bd
      Andrey Konovalov authored
      Raw Gadget is currently unable to stall/halt/wedge gadget endpoints,
      which is required for proper emulation of certain USB classes.
      
      This patch adds a few more ioctls:
      
      - USB_RAW_IOCTL_EP0_STALL allows to stall control endpoint #0 when
        there's a pending setup request for it.
      - USB_RAW_IOCTL_SET/CLEAR_HALT/WEDGE allow to set/clear halt/wedge status
        on non-control non-isochronous endpoints.
      
      Fixes: f2c2e717 ("usb: gadget: add raw-gadget interface")
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: raw-gadget: fix gadget endpoint selection · 97df5e57
      Andrey Konovalov authored
      Currently automatic gadget endpoint selection based on required features
      doesn't work. Raw Gadget tries iterating over the list of available
      endpoints and finding one that has the right direction and transfer type.
      Unfortunately selecting arbitrary gadget endpoints (even if they satisfy
      feature requirements) doesn't work, as (depending on the UDC driver) they
      might have fixed addresses, and one also needs to provide matching
      endpoint addresses in the descriptors sent to the host.
      
      The composite framework deals with this by assigning endpoint addresses
      in usb_ep_autoconfig() before enumeration starts. This approach won't work
      with Raw Gadget as the endpoints are supposed to be enabled after a
      set_configuration/set_interface request from the host, so it's too late to
      patch the endpoint descriptors that had already been sent to the host.
      
      For Raw Gadget we take another approach. Similarly to GadgetFS, we allow
      the user to make the decision as to which gadget endpoints to use.
      
      This patch adds another Raw Gadget ioctl USB_RAW_IOCTL_EPS_INFO that
      exposes information about all non-control endpoints that a currently
      connected UDC has. This information includes endpoints addresses, as well
      as their capabilities and limits to allow the user to choose the most
      fitting gadget endpoint.
      
      The USB_RAW_IOCTL_EP_ENABLE ioctl is updated to use the proper endpoint
      validation routine usb_gadget_ep_match_desc().
      
      These changes affect the portability of the gadgets that use Raw Gadget
      when running on different UDCs. Nevertheless, as long as the user relies
      on the information provided by USB_RAW_IOCTL_EPS_INFO to dynamically
      choose endpoint addresses, UDC-agnostic gadgets can still be written with
      Raw Gadget.
      
      Fixes: f2c2e717 ("usb: gadget: add raw-gadget interface")
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
    • usb: raw-gadget: improve uapi headers comments · 17ff3b72
      Andrey Konovalov authored
      Fix typo "trasferred" => "transferred".
      
      Don't call USB requests URBs.
      
      Fix comment style.
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
  3. 13 May, 2020 2 commits
  4. 10 May, 2020 7 commits
    • Linux 5.7-rc5 · 2ef96a5b
      Linus Torvalds authored
    • Merge tag 'x86-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c14cab26
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of fixes for x86:
      
         - Ensure that direct mapping alias is always flushed when changing
           page attributes. The optimization for small ranges failed to do so
           when the virtual address was in the vmalloc or module space.
      
         - Unbreak the trace event registration for syscalls without arguments
           caused by the refactoring of the SYSCALL_DEFINE0() macro.
      
         - Move the printk in the TSC deadline timer code to a place where it
           is guaranteed to only be called once during boot and cannot be
           rearmed by clearing warn_once after boot. If it's invoked post boot
           then lockdep rightfully complains about a potential deadlock as the
           calling context is different.
      
         - A series of fixes for objtool and the ORC unwinder addressing
           variety of small issues:
      
             - Stack offset tracking for indirect CFAs in objtool ignored
               subsequent pushes and pops
      
             - Repair the unwind hints in the register clearing entry ASM code
      
             - Make the unwinding in the low level exit to usermode code stop
               after switching to the trampoline stack. The unwind hint is no
               longer valid and the ORC unwinder emits a warning as it can't
               find the registers anymore.
      
             - Fix unwind hints in switch_to_asm() and rewind_stack_do_exit()
               which caused objtool to generate bogus ORC data.
      
             - Prevent unwinder warnings when dumping the stack of a
               non-current task as there is no way to be sure about the
               validity because the dumped stack can be a moving target.
      
             - Make the ORC unwinder behave the same way as the frame pointer
               unwinder when dumping an inactive task's stack and do not skip
               the first frame.
      
             - Prevent ORC unwinding before ORC data has been initialized
      
             - Immediately terminate unwinding when an unknown ORC entry type
               is found.
      
             - Prevent premature stop of the unwinder caused by IRET frames.
      
             - Fix another infinite loop in objtool caused by a negative
               offset which was not caught.
      
             - Address a few build warnings in the ORC unwinder and add
               missing static/ro_after_init annotations"
      
      * tag 'x86-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/unwind/orc: Move ORC sorting variables under !CONFIG_MODULES
        x86/apic: Move TSC deadline timer debug printk
        ftrace/x86: Fix trace event registration for syscalls without arguments
        x86/mm/cpa: Flush direct map alias during cpa
        objtool: Fix infinite loop in for_offset_range()
        x86/unwind/orc: Fix premature unwind stoppage due to IRET frames
        x86/unwind/orc: Fix error path for bad ORC entry type
        x86/unwind/orc: Prevent unwinding before ORC initialization
        x86/unwind/orc: Don't skip the first frame for inactive tasks
        x86/unwind: Prevent false warnings for non-current tasks
        x86/unwind/orc: Convert global variables to static
        x86/entry/64: Fix unwind hints in rewind_stack_do_exit()
        x86/entry/64: Fix unwind hints in __switch_to_asm()
        x86/entry/64: Fix unwind hints in kernel exit path
        x86/entry/64: Fix unwind hints in register clearing code
        objtool: Fix stack offset tracking for indirect CFAs
    • Merge tag 'objtool-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8b000832
      Linus Torvalds authored
      Pull objtool fix from Thomas Gleixner:
       "A single fix for objtool to prevent an infinite loop in the
        jump table search which can be triggered when building the
        kernel with '-ffunction-sections'"
      
      * tag 'objtool-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Fix infinite loop in find_jump_table()
    • Merge tag 'locking-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · bd2049f8
      Linus Torvalds authored
      Pull locking fix from Thomas Gleixner:
       "A single fix for the fallout of the recent futex uaccess rework.
      
        With those changes GCC9 fails to analyze arch_futex_atomic_op_inuser()
        correctly and emits a 'maybe uninitialized' warning. While we usually
        ignore compiler stupidity the conditional store is pointless anyway
        because the correct case has to store. For the fault case the extra
        store does no harm"
      
      * tag 'locking-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        ARM: futex: Address build warning
    • Merge tag 'iommu-fixes-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 27d2dcb1
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - Race condition fixes for the AMD IOMMU driver.
      
         These are five patches fixing two race conditions around
         increase_address_space(). The first race condition was around the
         non-atomic update of the domain page-table root pointer and the
         variable containing the page-table depth (called mode). This is fixed
         now by merging page-table root and mode into one 64-bit field which
         is read/written atomically.
      
         The second race condition was around updating the page-table root
         pointer and making it public before the hardware caches were flushed.
         This could cause addresses to be mapped and returned to drivers which
         are not reachable by IOMMU hardware yet, causing IO page-faults. This
         is fixed too by adding the necessary flushes before a new page-table
         root is published.
      
         Related to the race condition fixes these patches also add a missing
         domain_flush_complete() barrier to update_domain() and a fix to bail
         out of the loop which tries to increase the address space when the
         call to increase_address_space() fails.
      
         Qian was able to trigger the race conditions under high load and
         memory pressure within a few days of testing. He confirmed that he
         has seen no issues anymore with the fixes included here.
      
       - Fix for a list-handling bug in the VirtIO IOMMU driver.
      
      * tag 'iommu-fixes-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/virtio: Reverse arguments to list_add
        iommu/amd: Do not flush Device Table in iommu_map_page()
        iommu/amd: Update Device Table in increase_address_space()
        iommu/amd: Call domain_flush_complete() in update_domain()
        iommu/amd: Do not loop forever when trying to increase address space
        iommu/amd: Fix race in increase_address_space()/fetch_pte()
    • Merge tag 'block-5.7-2020-05-09' of git://git.kernel.dk/linux-block · 0a85ed6e
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - a small series fixing a use-after-free of bdi name (Christoph,Yufen)
      
       - NVMe fix for a regression with the smaller CQ update (Alexey)
      
       - NVMe fix for a hang at namespace scanning error recovery (Sagi)
      
       - fix race with blk-iocost iocg->abs_vdebt updates (Tejun)
      
      * tag 'block-5.7-2020-05-09' of git://git.kernel.dk/linux-block:
        nvme: fix possible hang when ns scanning fails during error recovery
        nvme-pci: fix "slimmer CQ head update"
        bdi: add a ->dev_name field to struct backing_dev_info
        bdi: use bdi_dev_name() to get device name
        bdi: move bdi_dev_name out of line
        vboxsf: don't use the source name in the bdi name
        iocost: protect iocg->abs_vdebt with iocg->waitq.lock
    • gcc-10: mark more functions __init to avoid section mismatch warnings · e99332e7
      Linus Torvalds authored
      It seems that for whatever reason, gcc-10 ends up not inlining a couple
      of functions that used to be inlined before.  Even if they only have one
      single callsite - it looks like gcc may have decided that the code was
      unlikely, and not worth inlining.
      
      The code generation difference is harmless, but caused a few new section
      mismatch errors, since the (now no longer inlined) function wasn't in
      the __init section, but called other init functions:
      
         Section mismatch in reference from the function kexec_free_initrd() to the function .init.text:free_initrd_mem()
         Section mismatch in reference from the function tpm2_calc_event_log_size() to the function .init.text:early_memremap()
         Section mismatch in reference from the function tpm2_calc_event_log_size() to the function .init.text:early_memunmap()
      
      So add the appropriate __init annotation to make modpost not complain.
      In both cases there were trivially just a single callsite from another
      __init function.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  5. 09 May, 2020 19 commits
    • Merge tag 'riscv-for-linus-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 2e28f3b1
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "A smattering of fixes and cleanups:
      
         - Dead code removal.
      
         - Exporting riscv_cpuid_to_hartid_mask for modules.
      
         - Per-CPU tracking of ISA features.
      
         - Setting max_pfn correctly when probing memory.
      
         - Adding a note to the VDSO so glibc can check the kernel's version
           without a uname().
      
         - A fix to force the bootloader to initialize the boot spin tables,
           which still get used as a fallback when SBI-0.1 is enabled"
      
      * tag 'riscv-for-linus-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: Remove unused code from STRICT_KERNEL_RWX
        riscv: force __cpu_up_ variables to put in data section
        riscv: add Linux note to vdso
        riscv: set max_pfn to the PFN of the last page
        RISC-V: Remove N-extension related defines
        RISC-V: Add bitmap reprensenting ISA features common across CPUs
        RISC-V: Export riscv_cpuid_to_hartid_mask() API
    • gcc-10: avoid shadowing standard library 'free()' in crypto · 1a263ae6
      Linus Torvalds authored
      gcc-10 has started warning about conflicting types for a few new
      built-in functions, particularly 'free()'.
      
      This results in warnings like:
      
         crypto/xts.c:325:13: warning: conflicting types for built-in function ‘free’; expected ‘void(void *)’ [-Wbuiltin-declaration-mismatch]
      
      because the crypto layer had its local freeing functions called
      'free()'.
      
      Gcc-10 is in the wrong here, since that function is marked 'static', and
      thus there is no chance of confusion with any standard library function
      namespace.
      
      But the simplest thing to do is to just use a different name here, and
      avoid this gcc mis-feature.
      
      [ Side note: gcc knowing about 'free()' is in itself not the
        mis-feature: the semantics of 'free()' are special enough that a
        compiler can validly do special things when seeing it.
      
        So the mis-feature here is that gcc thinks that 'free()' is some
        restricted name, and you can't shadow it as a local static function.
      
        Making the special 'free()' semantics be a function attribute rather
        than tied to the name would be the much better model ]
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • gcc-10: disable 'restrict' warning for now · adc71920
      Linus Torvalds authored
      gcc-10 now warns about passing aliasing pointers to functions that take
      restricted pointers.
      
      That's actually a great warning, and if we ever start using 'restrict'
      in the kernel, it might be quite useful.  But right now we don't, and it
      turns out that the only thing this warns about is an idiom where we have
      declared a few functions to be "printf-like" (which seems to make gcc
      pick up the restricted pointer thing), and then we print to the same
      buffer that we also use as an input.
      
      And people do that as an odd concatenation pattern, with code like this:
      
          #define sysfs_show_gen_prop(buffer, fmt, ...) \
              snprintf(buffer, PAGE_SIZE, "%s"fmt, buffer, __VA_ARGS__)
      
      where we have 'buffer' as both the destination of the final result, and
      as the initial argument.
      
      Yes, it's a bit questionable.  And outside of the kernel, people do have
      standard declarations like
      
          int snprintf( char *restrict buffer, size_t bufsz,
                        const char *restrict format, ... );
      
      where that output buffer is marked as a restrict pointer that cannot
      alias with any other arguments.
      
      But in the context of the kernel, that 'use snprintf() to concatenate to
      the end result' does work, and the pattern shows up in multiple places.
      And we have not marked our own version of snprintf() as taking restrict
      pointers, so the warning is incorrect for now, and gcc picks it up on
      its own.
      
      If we do start using 'restrict' in the kernel (and it might be a good
      idea if people find places where it matters), we'll need to figure out
      how to avoid this issue for snprintf and friends.  But in the meantime,
      this warning is not useful.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      adc71920
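The concatenation idiom described in the commit above can be written so the destination never appears among its own inputs. This is an added example, not code from the commit or the kernel; `buf_appendf()` is a hypothetical helper name and the sample values are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * buf_appendf() is a hypothetical helper (not a kernel or libc API).
 * It appends formatted text to the NUL-terminated string already in
 * 'buf' without passing 'buf' as one of its own inputs, so the
 * destination never aliases a source argument.
 * Returns the string length after the append, or -1 if 'buf' holds no
 * terminator within 'size' bytes. Output that does not fit is truncated.
 */
static int buf_appendf(char *buf, size_t size, const char *fmt, ...)
{
	size_t used = 0;
	va_list ap;
	int n;

	/* Bounded scan: never read past 'size' looking for the terminator. */
	while (used < size && buf[used] != '\0')
		used++;
	if (used == size)
		return -1;

	va_start(ap, fmt);
	n = vsnprintf(buf + used, size - used, fmt, ap);
	va_end(ap);
	if (n < 0)
		return -1;

	/* vsnprintf reports the untruncated length; clamp to what was stored. */
	if ((size_t)n >= size - used)
		n = (int)(size - used - 1);
	return (int)used + n;
}

int main(void)
{
	char page[32] = "";   /* constructed sample buffer */

	buf_appendf(page, sizeof(page), "vendor_id %d\n", 4098);
	buf_appendf(page, sizeof(page), "device_id %d\n", 26591);
	fputs(page, stdout);
	return 0;
}
```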
    • gcc-10: disable 'stringop-overflow' warning for now · 5a76021c
      Linus Torvalds authored
      This is the final array bounds warning removal for gcc-10 for now.
      
      Again, the warning is good, and we should re-enable all these warnings
      when we have converted all the legacy array declaration cases to
      flexible arrays. But in the meantime, it's just noise.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      5a76021c
    • nvme: fix possible hang when ns scanning fails during error recovery · 59c7c3ca
      Sagi Grimberg authored
      When the controller is reconnecting, the host fails I/O and admin
      commands as the host cannot reach the controller. ns scanning may
      revalidate namespaces during that period and it is wrong to remove
      namespaces due to these failures as we may hang (see 205da243).
      
      One command that may fail is nvme_identify_ns_descs. Since we return
      success due to having ns identify descriptor list optional, we continue
      to compare ns identifiers in nvme_revalidate_disk, obviously fail and
      return -ENODEV to nvme_validate_ns, which will remove the namespace.
      
      Exactly what we don't want to happen.
      
      Fixes: 22802bf7 ("nvme: Namepace identification descriptor list is optional")
      Tested-by: Anton Eidelman <anton@lightbitslabs.com>
      Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
      Reviewed-by: Keith Busch <kbusch@kernel.org>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      59c7c3ca
    • nvme-pci: fix "slimmer CQ head update" · a8de6639
      Alexey Dobriyan authored
      Pre-incrementing ->cq_head can't be done in memory because OOB value
      can be observed by another context.
      
      This devalues space savings compared to original code :-\
      
      	$ ./scripts/bloat-o-meter ../vmlinux-000 ../obj/vmlinux
      	add/remove: 0/0 grow/shrink: 0/4 up/down: 0/-32 (-32)
      	Function                                     old     new   delta
      	nvme_poll_irqdisable                         464     456      -8
      	nvme_poll                                    455     447      -8
      	nvme_irq                                     388     380      -8
      	nvme_dev_disable                             955     947      -8
      
      But the code is minimal now: one read for head, one read for q_depth,
      one increment, one comparison, single instruction phase bit update and
      one write for new head.
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Reported-by: John Garry <john.garry@huawei.com>
      Tested-by: John Garry <john.garry@huawei.com>
      Fixes: e2a366a4 ("nvme-pci: slimmer CQ head update")
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      a8de6639
    • bdi: add a ->dev_name field to struct backing_dev_info · 6bd87eec
      Christoph Hellwig authored
      Cache a copy of the name for the life time of the backing_dev_info
      structure so that we can reference it even after unregistering.
      
      Fixes: 68f23b89 ("memcg: fix a crash in wb_workfn when a device disappears")
      Reported-by: Yufen Yu <yuyufen@huawei.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Reviewed-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      6bd87eec
    • bdi: use bdi_dev_name() to get device name · d51cfc53
      Yufen Yu authored
      Use the common interface bdi_dev_name() to get device name.
      Signed-off-by: Yufen Yu <yuyufen@huawei.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Reviewed-by: Bart Van Assche <bvanassche@acm.org>
      
      Add missing <linux/backing-dev.h> include BFQ
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      d51cfc53
    • gcc-10: disable 'array-bounds' warning for now · 44720996
      Linus Torvalds authored
      This is another fine warning, related to the 'zero-length-bounds' one,
      but hitting the same historical code in the kernel.
      
      Because C didn't historically support flexible array members, we have
      code that instead uses a one-sized array, the same way we have cases of
      zero-sized arrays.
      
      The one-sized arrays come from either not wanting to use the gcc
      zero-sized array extension, or from a slight convenience-feature, where
      particularly for strings, the size of the structure now includes the
      allocation for the final NUL character.
      
      So with a "char name[1];" at the end of a structure, you can do things
      like
      
             v = my_malloc(sizeof(struct vendor) + strlen(name));
      
      and avoid the "+1" for the terminator.
      
      Yes, the modern way to do that is with a flexible array, and using
      'offsetof()' instead of 'sizeof()', and adding the "+1" by hand.  That
      also technically gets the size "more correct" in that it avoids any
      alignment (and thus padding) issues, but this is another long-term
      cleanup thing that will not happen for 5.7.
      
      So disable the warning for now, even though it's potentially quite
      useful.  Having a slew of warnings that then hide more urgent new issues
      is not an improvement.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      44720996
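The two sizing conventions the commit above contrasts, side by side. This is an added example, not code from the commit; only `char name[1]` and `struct vendor` appear in the message, while the `id` field, the struct layouts and the helper names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts; the 'id' field is an assumption. */
struct vendor_legacy {           /* historical idiom: one-sized trailing array */
	int id;
	char name[1];
};

struct vendor {                  /* C99 flexible array member */
	int id;
	char name[];
};

/* Legacy sizing: the [1] element already pays for the NUL terminator. */
static size_t legacy_alloc_size(const char *name)
{
	return sizeof(struct vendor_legacy) + strlen(name);
}

/* Flexible-array sizing: offsetof() skips tail padding, "+1" added by hand. */
static size_t flex_alloc_size(const char *name)
{
	return offsetof(struct vendor, name) + strlen(name) + 1;
}

/* Allocate and fill a vendor; the copy length matches the allocation. */
static struct vendor *vendor_new(int id, const char *name)
{
	struct vendor *v = malloc(flex_alloc_size(name));

	if (!v)
		return NULL;
	v->id = id;
	memcpy(v->name, name, strlen(name) + 1);   /* includes the terminator */
	return v;
}

int main(void)
{
	struct vendor *v = vendor_new(1, "example");   /* constructed sample */

	printf("legacy=%zu flex=%zu name=%s\n", legacy_alloc_size("example"),
	       flex_alloc_size("example"), v ? v->name : "(alloc failed)");
	free(v);
	return 0;
}
```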
    • gcc-10: disable 'zero-length-bounds' warning for now · 5c45de21
      Linus Torvalds authored
      This is a fine warning, but we still have a number of zero-length arrays
      in the kernel that come from the traditional gcc extension.  Yes, they
      are getting converted to flexible arrays, but in the meantime the gcc-10
      warning about zero-length bounds is very verbose, and is hiding other
      issues.
      
      I missed one actual build failure because it was hidden among hundreds
      of lines of warning.  Thankfully I caught it on the second go before
      pushing things out, but it convinced me that I really need to disable
      the new warnings for now.
      
      We'll hopefully be all done with our conversion to flexible arrays in
      the not too distant future, and we can then re-enable this warning.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      5c45de21
    • Stop the ad-hoc games with -Wno-maybe-initialized · 78a5255f
      Linus Torvalds authored
      We have some rather random rules about when we accept the
      "maybe-initialized" warnings, and when we don't.
      
      For example, we consider it unreliable for gcc versions < 4.9, but also
      if -O3 is enabled, or if optimizing for size.  And then various kernel
      config options disabled it, because they know that they trigger that
      warning by confusing gcc sufficiently (ie PROFILE_ALL_BRANCHES).
      
      And now gcc-10 seems to be introducing a lot of those warnings too, so
      it falls under the same heading as 4.9 did.
      
      At the same time, we have a very straightforward way to _enable_ that
      warning when wanted: use "W=2" to enable more warnings.
      
      So stop playing these ad-hoc games, and just disable that warning by
      default, with the known and straight-forward "if you want to work on the
      extra compiler warnings, use W=123".
      
      Would it be great to have code that is always so obvious that it never
      confuses the compiler whether a variable is used initialized or not?
      Yes, it would.  In a perfect world, the compilers would be smarter, and
      our source code would be simpler.
      
      That's currently not the world we live in, though.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      78a5255f
    • Merge tag 'io_uring-5.7-2020-05-08' of git://git.kernel.dk/linux-block · 1d3962ae
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix finish_wait() balancing in file cancelation (Xiaoguang)
      
       - Ensure early cleanup of resources in ring map failure (Xiaoguang)
      
       - Ensure IORING_OP_SLICE does the right file mode checks (Pavel)
      
       - Remove file opening from openat/openat2/statx, it's not needed and
         messes with O_PATH
      
      * tag 'io_uring-5.7-2020-05-08' of git://git.kernel.dk/linux-block:
        io_uring: don't use 'fd' for openat/openat2/statx
        splice: move f_mode checks to do_{splice,tee}()
        io_uring: handle -EFAULT properly in io_uring_setup()
        io_uring: fix mismatched finish_wait() calls in io_uring_cancel_files()
      1d3962ae
    • usb: raw-gadget: fix return value of ep read ioctls · 6e507644
      Andrey Konovalov authored
      They must return the number of bytes transferred during the data stage.
      
      Fixes: 068fbff4 ("usb: raw-gadget: Fix copy_to/from_user() checks")
      Fixes: f2c2e717 ("usb: gadget: add raw-gadget interface")
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      6e507644
    • usb: dwc3: select USB_ROLE_SWITCH · 4748d396
      Arnd Bergmann authored
      Calling into the role switch API requires that these functions
      are loaded, if they are in a loadable module and dwc3 itself
      is built-in, this produces a link error:
      
      drivers/usb/dwc3/drd.o: In function `dwc3_usb_role_switch_get':
      drd.c:(.text+0x26): undefined reference to `usb_role_switch_get_drvdata'
      drivers/usb/dwc3/drd.o: In function `dwc3_usb_role_switch_set':
      drd.c:(.text+0x97): undefined reference to `usb_role_switch_get_drvdata'
      drivers/usb/dwc3/drd.o: In function `dwc3_drd_init':
      drd.c:(.text+0x1ca7): undefined reference to `usb_role_switch_register'
      drivers/usb/dwc3/drd.o: In function `dwc3_drd_exit':
      drd.c:(.text+0x1e92): undefined reference to `usb_role_switch_unregister'
      
      Select the USB_ROLE_SWITCH symbol from dwc3 in that configuration.
      
      Fixes: 0339f7fb ("usb: dwc3: fix up for role switch API change")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      4748d396
    • usb: gadget: legacy: fix error return code in gncm_bind() · e27d4b30
      Wei Yongjun authored
      If 'usb_otg_descriptor_alloc()' fails, we must return a
      negative error code -ENOMEM, not 0.
      
      Fixes: 1156e91d ("usb: gadget: ncm: allocate and init otg descriptor by otg capabilities")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      e27d4b30
    • usb: gadget: legacy: fix error return code in cdc_bind() · e8f7f9e3
      Wei Yongjun authored
      If 'usb_otg_descriptor_alloc()' fails, we must return a
      negative error code -ENOMEM, not 0.
      
      Fixes: ab6796ae ("usb: gadget: cdc2: allocate and init otg descriptor by otg capabilities")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      e8f7f9e3
    • usb: gadget: legacy: fix redundant initialization warnings · d13cce75
      Masahiro Yamada authored
      Fix the following cppcheck warnings:
      
      drivers/usb/gadget/legacy/inode.c:1364:8: style: Redundant initialization for 'value'. The initialized value is overwritten$
       value = -EOPNOTSUPP;
             ^
      drivers/usb/gadget/legacy/inode.c:1331:15: note: value is initialized
       int    value = -EOPNOTSUPP;
                    ^
      drivers/usb/gadget/legacy/inode.c:1364:8: note: value is overwritten
       value = -EOPNOTSUPP;
             ^
      drivers/usb/gadget/legacy/inode.c:1817:8: style: Redundant initialization for 'value'. The initialized value is overwritten$
       value = -EINVAL;
             ^
      drivers/usb/gadget/legacy/inode.c:1787:18: note: value is initialized
       ssize_t   value = len, length = len;
                       ^
      drivers/usb/gadget/legacy/inode.c:1817:8: note: value is overwritten
       value = -EINVAL;
             ^
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      d13cce75
    • usb: gadget: tegra-xudc: Fix idle suspend/resume · 0534d401
      Thierry Reding authored
      When the XUDC device is idle (i.e. powergated), care must be taken not
      to access any registers because that would lead to a crash.
      
      Move the call to tegra_xudc_device_mode_off() into the same conditional
      as the tegra_xudc_powergate() call to make sure we only force device
      mode off if the XUDC is actually powered up.
      
      Fixes: 49db4272 ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
      Acked-by: Jon Hunter <jonathanh@nvidia.com>
      Tested-by: Jon Hunter <jonathanh@nvidia.com>
      Signed-off-by: Thierry Reding <treding@nvidia.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      0534d401
    • usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' · ccaef7e6
      Christophe JAILLET authored
      'dev' is allocated in 'net2272_probe_init()'. It must be freed in the error
      handling path, as already done in the remove function (i.e.
      'net2272_plat_remove()')
      
      Fixes: 90fccb52 ("usb: gadget: Gadget directory cleanup - group UDC drivers")
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      ccaef7e6