1. 21 Nov, 2018 40 commits
    • Eric W. Biederman's avatar
      signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init · 9ab9fc44
      Eric W. Biederman authored
      [ Upstream commit 3597dfe0 ]
      
      Instead of playing whack-a-mole and changing SEND_SIG_PRIV to
      SEND_SIG_FORCED throughout the kernel to ensure a pid namespace init
      gets signals sent by the kernel, stop allowing a pid namespace init to
      ignore SIGKILL or SIGSTOP sent by the kernel.  A pid namespace init is
      only supposed to be able to ignore signals sent from itself and
      children with SIG_DFL.
      
      Fixes: 921cf9f6 ("signals: protect cinit from unblocked SIG_DFL signals")
      Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ab9fc44
    • James Smart's avatar
      scsi: lpfc: Correct soft lockup when running mds diagnostics · c9debbd2
      James Smart authored
      [ Upstream commit 0ef01a2d ]
      
      When running an mds diagnostic that passes frames with the switch, soft
      lockups are detected. The driver is in a CQE processing loop and has
      sufficient amount of traffic that it never exits the ring processing routine,
      thus the "lockup".
      
      Cap the number of elements in the work processing routine to 64 elements. This
      ensures that the cpu will be given up and the handler reschedule to process
      additional items.
      Signed-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <james.smart@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c9debbd2
    • Alexandre Belloni's avatar
      uio: ensure class is registered before devices · 2d62826e
      Alexandre Belloni authored
      [ Upstream commit ae61cf5b ]
      
      When both uio and the uio drivers are built in the kernel, it is possible
      for a driver to register devices before the uio class is registered.
      
      This may result in a NULL pointer dereference later on in
      get_device_parent() when accessing the class glue_dirs spinlock.
      
      The trace looks like that:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000140
      [...]
      [<ffff0000089cc234>] _raw_spin_lock+0x14/0x48
      [<ffff0000084f56bc>] device_add+0x154/0x6a0
      [<ffff0000084f5e48>] device_create_groups_vargs+0x120/0x128
      [<ffff0000084f5edc>] device_create+0x54/0x60
      [<ffff0000086e72c0>] __uio_register_device+0x120/0x4a8
      [<ffff000008528b7c>] jaguar2_pci_probe+0x2d4/0x558
      [<ffff0000083fc18c>] local_pci_probe+0x3c/0xb8
      [<ffff0000083fd81c>] pci_device_probe+0x11c/0x180
      [<ffff0000084f88bc>] driver_probe_device+0x22c/0x2d8
      [<ffff0000084f8a24>] __driver_attach+0xbc/0xc0
      [<ffff0000084f69fc>] bus_for_each_dev+0x4c/0x98
      [<ffff0000084f81b8>] driver_attach+0x20/0x28
      [<ffff0000084f7d08>] bus_add_driver+0x1b8/0x228
      [<ffff0000084f93c0>] driver_register+0x60/0xf8
      [<ffff0000083fb918>] __pci_register_driver+0x40/0x48
      
      Return EPROBE_DEFER in that case so the driver can register the device
      later.
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d62826e
    • Waiman Long's avatar
      driver/dma/ioat: Call del_timer_sync() without holding prep_lock · d7a7df4c
      Waiman Long authored
      [ Upstream commit cfb03be6 ]
      
      The following lockdep splat was observed:
      
      [ 1222.241750] ======================================================
      [ 1222.271301] WARNING: possible circular locking dependency detected
      [ 1222.301060] 4.16.0-10.el8+5.x86_64+debug #1 Not tainted
      [ 1222.326659] ------------------------------------------------------
      [ 1222.356565] systemd-shutdow/1 is trying to acquire lock:
      [ 1222.382660]  ((&ioat_chan->timer)){+.-.}, at: [<00000000f71e1a28>] del_timer_sync+0x5/0xf0
      [ 1222.422928]
      [ 1222.422928] but task is already holding lock:
      [ 1222.451743]  (&(&ioat_chan->prep_lock)->rlock){+.-.}, at: [<000000008ea98b12>] ioat_shutdown+0x86/0x100 [ioatdma]
         :
      [ 1223.524987] Chain exists of:
      [ 1223.524987]   (&ioat_chan->timer) --> &(&ioat_chan->cleanup_lock)->rlock --> &(&ioat_chan->prep_lock)->rlock
      [ 1223.524987]
      [ 1223.594082]  Possible unsafe locking scenario:
      [ 1223.594082]
      [ 1223.622630]        CPU0                    CPU1
      [ 1223.645080]        ----                    ----
      [ 1223.667404]   lock(&(&ioat_chan->prep_lock)->rlock);
      [ 1223.691535]                                lock(&(&ioat_chan->cleanup_lock)->rlock);
      [ 1223.728657]                                lock(&(&ioat_chan->prep_lock)->rlock);
      [ 1223.765122]   lock((&ioat_chan->timer));
      [ 1223.784095]
      [ 1223.784095]  *** DEADLOCK ***
      [ 1223.784095]
      [ 1223.813492] 4 locks held by systemd-shutdow/1:
      [ 1223.834677]  #0:  (reboot_mutex){+.+.}, at: [<0000000056d33456>] SYSC_reboot+0x10f/0x300
      [ 1223.873310]  #1:  (&dev->mutex){....}, at: [<00000000258dfdd7>] device_shutdown+0x1c8/0x660
      [ 1223.913604]  #2:  (&dev->mutex){....}, at: [<0000000068331147>] device_shutdown+0x1d6/0x660
      [ 1223.954000]  #3:  (&(&ioat_chan->prep_lock)->rlock){+.-.}, at: [<000000008ea98b12>] ioat_shutdown+0x86/0x100 [ioatdma]
      
      In the ioat_shutdown() function:
      
      	spin_lock_bh(&ioat_chan->prep_lock);
      	set_bit(IOAT_CHAN_DOWN, &ioat_chan->state);
      	del_timer_sync(&ioat_chan->timer);
      	spin_unlock_bh(&ioat_chan->prep_lock);
      
      According to the synchronization rule for the del_timer_sync() function,
      the caller must not hold locks which would prevent completion of the
      timer's handler.
      
      The timer structure has its own lock that manages its synchronization.
      Setting the IOAT_CHAN_DOWN bit should prevent other CPUs from
      trying to use that device anyway, there is probably no need to call
      del_timer_sync() while holding the prep_lock. So the del_timer_sync()
      call is now moved outside of the prep_lock critical section to prevent
      the circular lock dependency.
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Reviewed-by: default avatarDave Jiang <dave.jiang@intel.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7a7df4c
    • Loic Poulain's avatar
      usb: chipidea: Prevent unbalanced IRQ disable · d986aedc
      Loic Poulain authored
      [ Upstream commit 8b97d73c ]
      
      The ChipIdea IRQ is disabled before scheduling the otg work and
      re-enabled on otg work completion. However if the job is already
      scheduled we have to undo the effect of disable_irq int order to
      balance the IRQ disable-depth value.
      
      Fixes: be6b0c1b ("usb: chipidea: using one inline function to cover queue work operations")
      Signed-off-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d986aedc
    • Shaohua Li's avatar
      MD: fix invalid stored role for a disk · 8f177fb6
      Shaohua Li authored
      [ Upstream commit d595567d ]
      
      If we change the number of array's device after device is removed from array,
      then add the device back to array, we can see that device is added as active
      role instead of spare which we expected.
      
      Please see the below link for details:
      https://marc.info/?l=linux-raid&m=153736982015076&w=2
      
      This is caused by that we prefer to use device's previous role which is
      recorded by saved_raid_disk, but we should respect the new number of
      conf->raid_disks since it could be changed after device is removed.
      Reported-by: default avatarGioh Kim <gi-oh.kim@profitbricks.com>
      Tested-by: default avatarGioh Kim <gi-oh.kim@profitbricks.com>
      Acked-by: default avatarGuoqing Jiang <gqjiang@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f177fb6
    • Theodore Ts'o's avatar
      ext4: fix argument checking in EXT4_IOC_MOVE_EXT · c87fb36e
      Theodore Ts'o authored
      [ Upstream commit f18b2b83 ]
      
      If the starting block number of either the source or destination file
      exceeds the EOF, EXT4_IOC_MOVE_EXT should return EINVAL.
      
      Also fixed the helper function mext_check_coverage() so that if the
      logical block is beyond EOF, make it return immediately, instead of
      looping until the block number wraps all the away around.  This takes
      long enough that if there are multiple threads trying to do pound on
      an the same inode doing non-sensical things, it can end up triggering
      the kernel's soft lockup detector.
      
      Reported-by: syzbot+c61979f6f2cba5cb3c06@syzkaller.appspotmail.com
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c87fb36e
    • Javier Martinez Canillas's avatar
      tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated · 3cf68396
      Javier Martinez Canillas authored
      [ Upstream commit 0d6d0d62 ]
      
      For TPM 1.2 chips the system setup utility allows to set the TPM device in
      one of the following states:
      
        * Active: Security chip is functional
        * Inactive: Security chip is visible, but is not functional
        * Disabled: Security chip is hidden and is not functional
      
      When choosing the "Inactive" state, the TPM 1.2 device is enumerated and
      registered, but sending TPM commands fail with either TPM_DEACTIVATED or
      TPM_DISABLED depending if the firmware deactivated or disabled the TPM.
      
      Since these TPM 1.2 error codes don't have special treatment, inactivating
      the TPM leads to a very noisy kernel log buffer that shows messages like
      the following:
      
        tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
        tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
        tpm tpm0: TPM is disabled/deactivated (0x6)
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
        ima: No TPM chip found, activating TPM-bypass! (rc=6)
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
      
      Let's just suppress error log messages for the TPM_{DEACTIVATED,DISABLED}
      return codes, since this is expected when the TPM 1.2 is set to Inactive.
      
      In that case the kernel log is cleaner and less confusing for users, i.e:
      
        tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
        tpm tpm0: TPM is disabled/deactivated (0x6)
        ima: No TPM chip found, activating TPM-bypass! (rc=6)
      Reported-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarJavier Martinez Canillas <javierm@redhat.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cf68396
    • Wenwen Wang's avatar
      scsi: megaraid_sas: fix a missing-check bug · be1851b9
      Wenwen Wang authored
      [ Upstream commit 47db7873 ]
      
      In megasas_mgmt_compat_ioctl_fw(), to handle the structure
      compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
      'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
      the packet. Since the two data structures have different fields, the data
      is copied from 'cioc' to 'ioc' field by field. In the copy process,
      'sense_ptr' is prepared if the field 'sense_len' is not null, because it
      will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
      user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
      saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
      respectively. Given that 'ioc->sense_off' is also copied from
      'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
      same value. However, 'cioc' is in the user space and a malicious user can
      race to change the value of 'cioc->sense_off' after it is copied to
      'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
      so, the attacker can inject different values into 'local_sense_off' and
      'user_sense_off'. This can cause undefined behavior in the following
      execution, because the two variables are supposed to be same.
      
      This patch enforces a check on the two kernel variables 'local_sense_off'
      and 'user_sense_off' to make sure they are the same after the copy. In
      case they are not, an error code EINVAL will be returned.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Acked-by: default avatarSumit Saxena <sumit.saxena@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be1851b9
    • Finn Thain's avatar
      scsi: esp_scsi: Track residual for PIO transfers · 8c00d5d7
      Finn Thain authored
      [ Upstream commit fd47d919 ]
      
      If a target disconnects during a PIO data transfer the command may fail
      when the target reconnects:
      
      scsi host1: DMA length is zero!
      scsi host1: cur adr[04380000] len[00000000]
      
      The scsi bus is then reset. This happens because the residual reached
      zero before the transfer was completed.
      
      The usual residual calculation relies on the Transfer Count registers.
      That works for DMA transfers but not for PIO transfers. Fix the problem
      by storing the PIO transfer residual and using that to correctly
      calculate bytes_sent.
      
      Fixes: 6fe07aaf ("[SCSI] m68k: new mac_esp scsi driver")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c00d5d7
    • Martin Willi's avatar
      ath10k: schedule hardware restart if WMI command times out · 93ceb8dc
      Martin Willi authored
      [ Upstream commit a9911937 ]
      
      When running in AP mode, ath10k sometimes suffers from TX credit
      starvation. The issue is hard to reproduce and shows up once in a
      few days, but has been repeatedly seen with QCA9882 and a large
      range of firmwares, including 10.2.4.70.67.
      
      Once the module is in this state, TX credits are never replenished,
      which results in "SWBA overrun" errors, as no beacons can be sent.
      Even worse, WMI commands run in a timeout while holding the conf
      mutex for three seconds each, making any further operations slow
      and the whole system unresponsive.
      
      The firmware/driver never recovers from that state automatically,
      and triggering TX flush or warm restarts won't work over WMI. So
      issue a hardware restart if a WMI command times out due to missing
      TX credits. This implies a connectivity outage of about 1.4s in AP
      mode, but brings back the interface and the whole system to a usable
      state. WMI command timeouts have not been seen in absent of this
      specific issue, so taking such drastic actions seems legitimate.
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93ceb8dc
    • Douglas Anderson's avatar
      pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant · 1305e3d8
      Douglas Anderson authored
      [ Upstream commit b432414b ]
      
      If you look at "pinconf-groups" in debugfs for ssbi-gpio you'll notice
      it looks like nonsense.
      
      The problem is fairly well described in commit 1cf86bc2 ("pinctrl:
      qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant") and
      commit 05e0c828 ("pinctrl: msm: Fix msm_config_group_get() to be
      compliant"), but it was pointed out that ssbi-gpio has the same
      problem.  Let's fix it there too.
      
      Fixes: b4c45fe9 ("pinctrl: qcom: ssbi: Family A gpio & mpp drivers")
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarStephen Boyd <sboyd@kernel.org>
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1305e3d8
    • Douglas Anderson's avatar
      pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant · ace4787f
      Douglas Anderson authored
      [ Upstream commit 0d5b476f ]
      
      If you look at "pinconf-groups" in debugfs for ssbi-mpp you'll notice
      it looks like nonsense.
      
      The problem is fairly well described in commit 1cf86bc2 ("pinctrl:
      qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant") and
      commit 05e0c828 ("pinctrl: msm: Fix msm_config_group_get() to be
      compliant"), but it was pointed out that ssbi-mpp has the same
      problem.  Let's fix it there too.
      
      NOTE: in case it's helpful to someone reading this, the way to tell
      whether to do the -EINVAL or not is to look at the PCONFDUMP for a
      given attribute.  If the last element (has_arg) is false then you need
      to do the -EINVAL trick.
      
      ALSO NOTE: it seems unlikely that the values returned when we try to
      get PIN_CONFIG_BIAS_PULL_UP will actually be printed since "has_arg"
      is false for that one, but I guess it's still fine to return different
      values so I kept doing that.  It seems like another driver (ssbi-gpio)
      uses a custom attribute (PM8XXX_QCOM_PULL_UP_STRENGTH) for something
      similar so maybe a future change should do that here too.
      
      Fixes: cfb24f6e ("pinctrl: Qualcomm SPMI PMIC MPP pin controller driver")
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarStephen Boyd <sboyd@kernel.org>
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ace4787f
    • Stephen Boyd's avatar
      pinctrl: qcom: spmi-mpp: Fix drive strength setting · 37f2457c
      Stephen Boyd authored
      [ Upstream commit 89c68b10 ]
      
      It looks like we parse the drive strength setting here, but never
      actually write it into the hardware to update it. Parse the setting and
      then write it at the end of the pinconf setting function so that it
      actually sticks in the hardware.
      
      Fixes: 0e948042 ("pinctrl: qcom: spmi-mpp: Implement support for sink mode")
      Cc: Doug Anderson <dianders@chromium.org>
      Signed-off-by: default avatarStephen Boyd <swboyd@chromium.org>
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37f2457c
    • Hans de Goede's avatar
      ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers · c55954e7
      Hans de Goede authored
      [ Upstream commit 24071406 ]
      
      Bay and Cherry Trail DSTDs represent a different set of devices depending
      on which OS the device think it is booting. One set of decices for Windows
      and another set of devices for Android which targets the Android-x86 Linux
      kernel fork (which e.g. used to have its own display driver instead of
      using the i915 driver).
      
      Which set of devices we are actually going to get is out of our control,
      this is controlled by the ACPI OSID variable, which gets either set through
      an EFI setup option, or sometimes is autodetected. So we need to support
      both.
      
      This commit adds support for the 80862286 and 808622C0 ACPI HIDs which we
      get for the first resp. second DMA controller on Cherry Trail devices when
      OSID is set to Android.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c55954e7
    • Masami Hiramatsu's avatar
      kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() · 0524e92e
      Masami Hiramatsu authored
      [ Upstream commit 819319fc ]
      
      Make reuse_unused_kprobe() to return error code if
      it fails to reuse unused kprobe for optprobe instead
      of calling BUG_ON().
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Naveen N . Rao <naveen.n.rao@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/153666124040.21306.14150398706331307654.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0524e92e
    • YueHaibing's avatar
      pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux · 45947209
      YueHaibing authored
      [ Upstream commit 69f8455f ]
      
      'ret' should be returned while pmic_mpp_write_mode_ctl fails.
      
      Fixes: 0e948042 ("pinctrl: qcom: spmi-mpp: Implement support for sink mode")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      45947209
    • Ben Hutchings's avatar
      x86: boot: Fix EFI stub alignment · cd6ace69
      Ben Hutchings authored
      [ Upstream commit 9c1442a9 ]
      
      We currently align the end of the compressed image to a multiple of
      16.  However, the PE-COFF header included in the EFI stub says that
      the file alignment is 32 bytes, and when adding an EFI signature to
      the file it must first be padded to this alignment.
      
      sbsigntool commands warn about this:
      
        warning: file-aligned section .text extends beyond end of file
        warning: checksum areas are greater than image size. Invalid section table?
      
      Worse, pesign -at least when creating a detached signature- uses the
      hash of the unpadded file, resulting in an invalid signature if
      padding is required.
      
      Avoid both these problems by increasing alignment to 32 bytes when
      CONFIG_EFI_STUB is enabled.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd6ace69
    • Christian Hewitt's avatar
      Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth · f88f4125
      Christian Hewitt authored
      [ Upstream commit a357ea09 ]
      
      This patch adds the device ID for the AMPAK AP6335 combo module used
      in the 1st generation WeTek Hub Android/LibreELEC HTPC box. The WiFI
      chip identifies itself as BCM4339, while Bluetooth identifies itself
      as BCM4335 (rev C0):
      
      ```
      [    4.864248] Bluetooth: hci0: BCM: chip id 86
      [    4.866388] Bluetooth: hci0: BCM: features 0x2f
      [    4.889317] Bluetooth: hci0: BCM4335C0
      [    4.889332] Bluetooth: hci0: BCM4335C0 (003.001.009) build 0000
      [    9.778383] Bluetooth: hci0: BCM4335C0 (003.001.009) build 0268
      ```
      
      Output from hciconfig:
      
      ```
      hci0:	Type: Primary  Bus: UART
      	BD Address: 43:39:00:00:1F:AC  ACL MTU: 1021:8  SCO MTU: 64:1
      	UP RUNNING
      	RX bytes:7567 acl:234 sco:0 events:386 errors:0
      	TX bytes:53844 acl:77 sco:0 commands:304 errors:0
      	Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
      	Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
      	Link policy: RSWITCH SNIFF
      	Link mode: SLAVE ACCEPT
      	Name: 'HUB'
      	Class: 0x0c0000
      	Service Classes: Rendering, Capturing
      	Device Class: Miscellaneous,
      	HCI Version: 4.0 (0x6)  Revision: 0x10c
      	LMP Version: 4.0 (0x6)  Subversion: 0x6109
      	Manufacturer: Broadcom Corporation (15)
      ```
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f88f4125
    • Yu Zhao's avatar
      mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 · 8c2c6a9a
      Yu Zhao authored
      [ Upstream commit 51698949 ]
      
      This device reports SDHCI_CLOCK_INT_STABLE even though it's not
      ready to take SDHCI_CLOCK_CARD_EN. The symptom is that reading
      SDHCI_CLOCK_CONTROL after enabling the clock shows absence of the
      bit from the register (e.g. expecting 0x0000fa07 = 0x0000fa03 |
      SDHCI_CLOCK_CARD_EN but only observed the first operand).
      
      mmc1: Timeout waiting for hardware cmd interrupt.
      mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
      mmc1: sdhci: Sys addr:  0x00000000 | Version:  0x00000603
      mmc1: sdhci: Blk size:  0x00000000 | Blk cnt:  0x00000000
      mmc1: sdhci: Argument:  0x00000000 | Trn mode: 0x00000000
      mmc1: sdhci: Present:   0x01ff0001 | Host ctl: 0x00000001
      mmc1: sdhci: Power:     0x0000000f | Blk gap:  0x00000000
      mmc1: sdhci: Wake-up:   0x00000000 | Clock:    0x0000fa03
      mmc1: sdhci: Timeout:   0x00000000 | Int stat: 0x00000000
      mmc1: sdhci: Int enab:  0x00ff0083 | Sig enab: 0x00ff0083
      mmc1: sdhci: AC12 err:  0x00000000 | Slot int: 0x00000000
      mmc1: sdhci: Caps:      0x25fcc8bf | Caps_1:   0x00002077
      mmc1: sdhci: Cmd:       0x00000000 | Max curr: 0x005800c8
      mmc1: sdhci: Resp[0]:   0x00000000 | Resp[1]:  0x00000000
      mmc1: sdhci: Resp[2]:   0x00000000 | Resp[3]:  0x00000000
      mmc1: sdhci: Host ctl2: 0x00000008
      mmc1: sdhci: ADMA Err:  0x00000000 | ADMA Ptr: 0x00000000
      mmc1: sdhci: ============================================
      
      The problem happens during wakeup from S3. Adding a delay quirk
      after power up reliably fixes the problem.
      Signed-off-by: default avatarYu Zhao <yuzhao@google.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c2c6a9a
    • Sanskriti Sharma's avatar
      perf tools: Cleanup trace-event-info 'tdata' leak · 7ce210a6
      Sanskriti Sharma authored
      [ Upstream commit faedbf3f ]
      
      Free tracing_data structure in tracing_data_get() error paths.
      
      Fixes the following coverity complaint:
      
        Error: RESOURCE_LEAK (CWE-772):
        leaked_storage: Variable "tdata" going out of scope leaks the storage
      Signed-off-by: default avatarSanskriti Sharma <sansharm@redhat.com>
      Reviewed-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Joe Lawrence <joe.lawrence@redhat.com>
      Link: http://lkml.kernel.org/r/1538490554-8161-3-git-send-email-sansharm@redhat.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ce210a6
    • Sanskriti Sharma's avatar
      perf tools: Free temporary 'sys' string in read_event_files() · d05d8ef0
      Sanskriti Sharma authored
      [ Upstream commit 1e44224f ]
      
      For each system in a given pevent, read_event_files() reads in a
      temporary 'sys' string.  Be sure to free this string before moving onto
      to the next system and/or leaving read_event_files().
      
      Fixes the following coverity complaints:
      
        Error: RESOURCE_LEAK (CWE-772):
      
        tools/perf/util/trace-event-read.c:343: overwrite_var: Overwriting
        "sys" in "sys = read_string()" leaks the storage that "sys" points to.
      
        tools/perf/util/trace-event-read.c:353: leaked_storage: Variable "sys"
        going out of scope leaks the storage it points to.
      Signed-off-by: default avatarSanskriti Sharma <sansharm@redhat.com>
      Reviewed-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Joe Lawrence <joe.lawrence@redhat.com>
      Link: http://lkml.kernel.org/r/1538490554-8161-6-git-send-email-sansharm@redhat.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d05d8ef0
    • Serhey Popovych's avatar
      tun: Consistently configure generic netdev params via rtnetlink · 08875323
      Serhey Popovych authored
      [ Upstream commit df52eab2 ]
      
      Configuring generic network device parameters on tun will fail in
      presence of IFLA_INFO_KIND attribute in IFLA_LINKINFO nested attribute
      since tun_validate() always return failure.
      
      This can be visualized with following ip-link(8) command sequences:
      
        # ip link set dev tun0 group 100
        # ip link set dev tun0 group 100 type tun
        RTNETLINK answers: Invalid argument
      
      with contrast to dummy and veth drivers:
      
        # ip link set dev dummy0 group 100
        # ip link set dev dummy0 type dummy
      
        # ip link set dev veth0 group 100
        # ip link set dev veth0 group 100 type veth
      
      Fix by returning zero in tun_validate() when @data is NULL that is
      always in case since rtnl_link_ops->maxtype is zero in tun driver.
      
      Fixes: f019a7a5 ("tun: Implement ip link del tunXXX")
      Signed-off-by: default avatarSerhey Popovych <serhe.popovych@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08875323
    • Omar Sandoval's avatar
      swim: fix cleanup on setup error · 82e05b99
      Omar Sandoval authored
      [ Upstream commit 1448a2a5 ]
      
      If we fail to allocate the request queue for a disk, we still need to
      free that disk, not just the previous ones. Additionally, we need to
      cleanup the previous request queues.
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82e05b99
    • Omar Sandoval's avatar
      ataflop: fix error handling during setup · 7d81f8fe
      Omar Sandoval authored
      [ Upstream commit 71327f54 ]
      
      Move queue allocation next to disk allocation to fix a couple of issues:
      
      - If add_disk() hasn't been called, we should clear disk->queue before
        calling put_disk().
      - If we fail to allocate a request queue, we still need to put all of
        the disks, not just the ones that we allocated queues for.
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d81f8fe
    • Waiman Long's avatar
      locking/lockdep: Fix debug_locks off performance problem · ef42ef84
      Waiman Long authored
      [ Upstream commit 9506a742 ]
      
      It was found that when debug_locks was turned off because of a problem
      found by the lockdep code, the system performance could drop quite
      significantly when the lock_stat code was also configured into the
      kernel. For instance, parallel kernel build time on a 4-socket x86-64
      server nearly doubled.
      
      Further analysis into the cause of the slowdown traced back to the
      frequent call to debug_locks_off() from the __lock_acquired() function
      probably due to some inconsistent lockdep states with debug_locks
      off. The debug_locks_off() function did an unconditional atomic xchg
      to write a 0 value into debug_locks which had already been set to 0.
      This led to severe cacheline contention in the cacheline that held
      debug_locks.  As debug_locks is being referenced in quite a few different
      places in the kernel, this greatly slow down the system performance.
      
      To prevent that trashing of debug_locks cacheline, lock_acquired()
      and lock_contended() now checks the state of debug_locks before
      proceeding. The debug_locks_off() function is also modified to check
      debug_locks before calling __debug_locks_off().
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Link: http://lkml.kernel.org/r/1539913518-15598-1-git-send-email-longman@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef42ef84
    • Masami Hiramatsu's avatar
      selftests: ftrace: Add synthetic event syntax testcase · 049b96e8
      Masami Hiramatsu authored
      [ Upstream commit ba0e41ca ]
      
      Add a testcase to check the syntax and field types for
      synthetic_events interface.
      
      Link: http://lkml.kernel.org/r/153986838264.18251.16627517536956299922.stgit@devboxAcked-by: default avatarShuah Khan <shuah@kernel.org>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      049b96e8
    • Nathan Chancellor's avatar
      net: qla3xxx: Remove overflowing shift statement · ac435f05
      Nathan Chancellor authored
      [ Upstream commit 8c3bf9b6 ]
      
      Clang currently warns:
      
      drivers/net/ethernet/qlogic/qla3xxx.c:384:24: warning: signed shift
      result (0xF00000000) requires 37 bits to represent, but 'int' only has
      32 bits [-Wshift-overflow]
                          ((ISP_NVRAM_MASK << 16) | qdev->eeprom_cmd_data));
                            ~~~~~~~~~~~~~~ ^  ~~
      1 warning generated.
      
      The warning is certainly accurate since ISP_NVRAM_MASK is defined as
      (0x000F << 16) which is then shifted by 16, resulting in 64424509440,
      well above UINT_MAX.
      
      Given that this is the only location in this driver where ISP_NVRAM_MASK
      is shifted again, it seems likely that ISP_NVRAM_MASK was originally
      defined without a shift and during the move of the shift to the
      definition, this statement wasn't properly removed (since ISP_NVRAM_MASK
      is used in the statenent right above this). Only the maintainers can
      confirm this since this statment has been here since the driver was
      first added to the kernel.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/127Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac435f05
    • Sebastian Andrzej Siewior's avatar
      x86/fpu: Remove second definition of fpu in __fpu__restore_sig() · 055dbfe1
      Sebastian Andrzej Siewior authored
      [ Upstream commit 6aa67676 ]
      
      Commit:
      
        c5bedc68 ("x86/fpu: Get rid of PF_USED_MATH usage, convert it to fpu->fpstate_active")
      
      introduced the 'fpu' variable at top of __restore_xstate_sig(),
      which now shadows the other definition:
      
        arch/x86/kernel/fpu/signal.c:318:28: warning: symbol 'fpu' shadows an earlier one
        arch/x86/kernel/fpu/signal.c:271:20: originally declared here
      
      Remove the shadowed definition of 'fpu', as the two definitions are the same.
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: c5bedc68 ("x86/fpu: Get rid of PF_USED_MATH usage, convert it to fpu->fpstate_active")
      Link: http://lkml.kernel.org/r/20181016202525.29437-3-bigeasy@linutronix.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      055dbfe1
    • David S. Miller's avatar
      sparc: Fix single-pcr perf event counter management. · 9190b06c
      David S. Miller authored
      [ Upstream commit cfdc3170 ]
      
      It is important to clear the hw->state value for non-stopped events
      when they are added into the PMU.  Otherwise when the event is
      scheduled out, we won't read the counter because HES_UPTODATE is still
      set.  This breaks 'perf stat' and similar use cases, causing all the
      events to show zero.
      
      This worked for multi-pcr because we make explicit sparc_pmu_start()
      calls in calculate_multiple_pcrs().  calculate_single_pcr() doesn't do
      this because the idea there is to accumulate all of the counter
      settings into the single pcr value.  So we have to add explicit
      hw->state handling there.
      
      Like x86, we use the PERF_HES_ARCH bit to track truly stopped events
      so that we don't accidently start them on a reload.
      
      Related to all of this, sparc_pmu_start() is missing a userpage update
      so add it.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9190b06c
    • Daniel Wagner's avatar
      x86/kconfig: Fall back to ticket spinlocks · 97b8ca65
      Daniel Wagner authored
      Sebastian writes:
      
      """
      We reproducibly observe cache line starvation on a Core2Duo E6850 (2
      cores), a i5-6400 SKL (4 cores) and on a NXP LS2044A ARM Cortex-A72 (4
      cores).
      
      The problem can be triggered with a v4.9-RT kernel by starting
      
          cyclictest -S -p98 -m  -i2000 -b 200
      
      and as "load"
      
          stress-ng --ptrace 4
      
      The reported maximal latency is usually less than 60us. If the problem
      triggers then values around 400us, 800us or even more are reported. The
      upperlimit is the -i parameter.
      
      Reproduction with 4.9-RT is almost immediate on Core2Duo, ARM64 and SKL,
      but it took 7.5 hours to trigger on v4.14-RT on the Core2Duo.
      
      Instrumentation show always the picture:
      
      CPU0                                         CPU1
      => do_syscall_64                              => do_syscall_64
      => SyS_ptrace                                   => syscall_slow_exit_work
      => ptrace_check_attach                          => ptrace_do_notify / rt_read_unlock
      => wait_task_inactive                              rt_spin_lock_slowunlock()
         -> while task_running()                         __rt_mutex_unlock_common()
        /   check_task_state()                           mark_wakeup_next_waiter()
       |     raw_spin_lock_irq(&p->pi_lock);             raw_spin_lock(&current->pi_lock);
       |     .                                               .
       |     raw_spin_unlock_irq(&p->pi_lock);               .
        \  cpu_relax()                                       .
         -                                                   .
          *IRQ*                                          <lock acquired>
      
      In the error case we observe that the while() loop is repeated more than
      5000 times which indicates that the pi_lock can be acquired. CPU1 on the
      other side does not make progress waiting for the same lock with interrupts
      disabled.
      
      This continues until an IRQ hits CPU0. Once CPU0 starts processing the IRQ
      the other CPU is able to acquire pi_lock and the situation relaxes.
      """
      
      This matches with the observeration for v4.4-rt on a Core2Duo E6850:
      
      CPU 0:
      
      - no progress for a very long time in rt_mutex_dequeue_pi):
      
      stress-n-1931    0d..11  5060.891219: function:             __try_to_take_rt_mutex
      stress-n-1931    0d..11  5060.891219: function:                rt_mutex_dequeue
      stress-n-1931    0d..21  5060.891220: function:                rt_mutex_enqueue_pi
      stress-n-1931    0....2  5060.891220: signal_generate:      sig=17 errno=0 code=262148 comm=stress-ng-ptrac pid=1928 grp=1 res=1
      stress-n-1931    0d..21  5060.894114: function:             rt_mutex_dequeue_pi
      stress-n-1931    0d.h11  5060.894115: local_timer_entry:    vector=239
      
      CPU 1:
      
      - IRQ at 5060.894114 on CPU 1 followed by the IRQ on CPU 0
      
      stress-n-1928    1....0  5060.891215: sys_enter:            NR 101 (18, 78b, 0, 0, 17, 788)
      stress-n-1928    1d..11  5060.891216: function:             __try_to_take_rt_mutex
      stress-n-1928    1d..21  5060.891216: function:                rt_mutex_enqueue_pi
      stress-n-1928    1d..21  5060.891217: function:             rt_mutex_dequeue_pi
      stress-n-1928    1....1  5060.891217: function:             rt_mutex_adjust_prio
      stress-n-1928    1d..11  5060.891218: function:                __rt_mutex_adjust_prio
      stress-n-1928    1d.h10  5060.894114: local_timer_entry:    vector=239
      
      Thomas writes:
      
      """
      This has nothing to do with RT. RT is merily exposing the
      problem in an observable way. The same issue happens with upstream, it's
      harder to trigger and it's harder to observe for obvious reasons.
      
      If you read through the discussions [see the links below] then you
      really see that there is an upstream issue with the x86 qrlock
      implementation and Peter has posted fixes which resolve it, both at
      the practical and the theoretical level.
      """
      
      Backporting all qspinlock related patches is very likely to introduce
      regressions on v4.4. Therefore, the recommended solution by Peter and
      Thomas is to drop back to ticket spinlocks for v4.4.
      
      Link :https://lkml.kernel.org/r/20180921120226.6xjgr4oiho22ex75@linutronix.de
      Link: https://lkml.kernel.org/r/20180926110117.405325143@infradead.org
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Acked-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarDaniel Wagner <daniel.wagner@siemens.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97b8ca65
    • He Zhe's avatar
      x86/corruption-check: Fix panic in memory_corruption_check() when boot option... · 52d8cdd9
      He Zhe authored
      x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
      
      commit ccde460b upstream.
      
      memory_corruption_check[{_period|_size}]()'s handlers do not check input
      argument before passing it to kstrtoul() or simple_strtoull(). The argument
      would be a NULL pointer if each of the kernel parameters, without its
      value, is set in command line and thus cause the following panic.
      
      PANIC: early exception 0xe3 IP 10:ffffffff73587c22 error 0 cr2 0x0
      [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #2
      [    0.000000] RIP: 0010:kstrtoull+0x2/0x10
      ...
      [    0.000000] Call Trace
      [    0.000000]  ? set_corruption_check+0x21/0x49
      [    0.000000]  ? do_early_param+0x4d/0x82
      [    0.000000]  ? parse_args+0x212/0x330
      [    0.000000]  ? rdinit_setup+0x26/0x26
      [    0.000000]  ? parse_early_options+0x20/0x23
      [    0.000000]  ? rdinit_setup+0x26/0x26
      [    0.000000]  ? parse_early_param+0x2d/0x39
      [    0.000000]  ? setup_arch+0x2f7/0xbf4
      [    0.000000]  ? start_kernel+0x5e/0x4c2
      [    0.000000]  ? load_ucode_bsp+0x113/0x12f
      [    0.000000]  ? secondary_startup_64+0xa5/0xb0
      
      This patch adds checks to prevent the panic.
      Signed-off-by: default avatarHe Zhe <zhe.he@windriver.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: gregkh@linuxfoundation.org
      Cc: kstewart@linuxfoundation.org
      Cc: pombredanne@nexb.com
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1534260823-87917-1-git-send-email-zhe.he@windriver.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      52d8cdd9
    • Alex Stanoev's avatar
      ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops · 818f57e7
      Alex Stanoev authored
      commit ac237c28 upstream.
      
      The Creative Audigy SE (SB0570) card currently exhibits an audible pop
      whenever playback is stopped or resumed, or during silent periods of an
      audio stream. Initialise the IZD bit to the 0 to eliminate these pops.
      
      The Infinite Zero Detection (IZD) feature on the DAC causes the output
      to be shunted to Vcap after 2048 samples of silence. This discharges the
      AC coupling capacitor through the output and causes the aforementioned
      pop/click noise.
      
      The behaviour of the IZD bit is described on page 15 of the WM8768GEDS
      datasheet: "With IZD=1, applying MUTE for 1024 consecutive input samples
      will cause all outputs to be connected directly to VCAP. This also
      happens if 2048 consecutive zero input samples are applied to all 6
      channels, and IZD=0. It will be removed as soon as any channel receives
      a non-zero input". I believe the second sentence might be referring to
      IZD=1 instead of IZD=0 given the observed behaviour of the card.
      
      This change should make the DAC initialisation consistent with
      Creative's Windows driver, as this popping persists when initialising
      the card in Linux and soft rebooting into Windows, but is not present on
      a cold boot to Windows.
      Signed-off-by: default avatarAlex Stanoev <alex@astanoev.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      818f57e7
    • Jeremy Cline's avatar
      ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) · f0a658e5
      Jeremy Cline authored
      commit e7bb6ad5 upstream.
      
      The Lenovo G50-30, like other G50 models, has a Conexant codec that
      requires a quirk for its inverted stereo dmic.
      
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249364Reported-by: default avatarAlexander Ploumistos <alex.ploumistos@gmail.com>
      Tested-by: default avatarAlexander Ploumistos <alex.ploumistos@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJeremy Cline <jcline@redhat.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0a658e5
    • Helge Deller's avatar
      parisc: Fix map_pages() to not overwrite existing pte entries · ae53e64e
      Helge Deller authored
      commit 3c229b3f upstream.
      
      Fix a long-existing small nasty bug in the map_pages() implementation which
      leads to overwriting already written pte entries with zero, *if* map_pages() is
      called a second time with an end address which isn't aligned on a pmd boundry.
      This happens for example if we want to remap only the text segment read/write
      in order to run alternative patching on the code. Exiting the loop when we
      reach the end address fixes this.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae53e64e
    • John David Anglin's avatar
      parisc: Fix address in HPMC IVA · 7d39307d
      John David Anglin authored
      commit 1138b671 upstream.
      
      Helge noticed that the address of the os_hpmc handler was not being
      correctly calculated in the hpmc macro.  As a result, PDCE_CHECK would
      fail to call os_hpmc:
      
      <Cpu2> e800009802e00000  0000000000000000  CC_ERR_CHECK_HPMC
      <Cpu2> 37000f7302e00000  8040004000000000  CC_ERR_CPU_CHECK_SUMMARY
      <Cpu2> f600105e02e00000  fffffff0f0c00000  CC_MC_HPMC_MONARCH_SELECTED
      <Cpu2> 140003b202e00000  000000000000000b  CC_ERR_HPMC_STATE_ENTRY
      <Cpu2> 5600100b02e00000  00000000000001a0  CC_MC_OS_HPMC_LEN_ERR
      <Cpu2> 5600106402e00000  fffffff0f0438e70  CC_MC_BR_TO_OS_HPMC_FAILED
      <Cpu2> e800009802e00000  0000000000000000  CC_ERR_CHECK_HPMC
      <Cpu2> 37000f7302e00000  8040004000000000  CC_ERR_CPU_CHECK_SUMMARY
      <Cpu2> 4000109f02e00000  0000000000000000  CC_MC_HPMC_INITIATED
      <Cpu2> 4000101902e00000  0000000000000000  CC_MC_MULTIPLE_HPMCS
      <Cpu2> 030010d502e00000  0000000000000000  CC_CPU_STOP
      
      The address problem can be seen by dumping the fault vector:
      
      0000000040159000 <fault_vector_20>:
          40159000:   63 6f 77 73     stb r15,-2447(dp)
          40159004:   20 63 61 6e     ldil L%b747000,r3
          40159008:   20 66 6c 79     ldil L%-1c3b3000,r3
              ...
          40159020:   08 00 02 40     nop
          40159024:   20 6e 60 02     ldil L%15d000,r3
          40159028:   34 63 00 00     ldo 0(r3),r3
          4015902c:   e8 60 c0 02     bv,n r0(r3)
          40159030:   08 00 02 40     nop
          40159034:   00 00 00 00     break 0,0
          40159038:   c0 00 70 00     bb,*< r0,sar,40159840 <fault_vector_20+0x840>
          4015903c:   00 00 00 00     break 0,0
      
      Location 40159038 should contain the physical address of os_hpmc:
      
      000000004015d000 <os_hpmc>:
          4015d000:   08 1a 02 43     copy r26,r3
          4015d004:   01 c0 08 a4     mfctl iva,r4
          4015d008:   48 85 00 68     ldw 34(r4),r5
      
      This patch moves the address setup into initialize_ivt to resolve the
      above problem.  I tested the change by dumping the HPMC entry after setup:
      
      0000000040209020:  8000240
      0000000040209024: 206a2004
      0000000040209028: 34630ac0
      000000004020902c: e860c002
      0000000040209030:  8000240
      0000000040209034: 1bdddce6
      0000000040209038:   15d000
      000000004020903c:      1a0
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d39307d
    • Jan Glauber's avatar
      ipmi: Fix timer race with module unload · eda6ef4a
      Jan Glauber authored
      commit 0711e8c1 upstream.
      
      Please note that below oops is from an older kernel, but the same
      race seems to be present in the upstream kernel too.
      
      ---8<---
      
      The following panic was encountered during removing the ipmi_ssif
      module:
      
      [ 526.352555] Unable to handle kernel paging request at virtual address ffff000006923090
      [ 526.360464] Mem abort info:
      [ 526.363257] ESR = 0x86000007
      [ 526.366304] Exception class = IABT (current EL), IL = 32 bits
      [ 526.372221] SET = 0, FnV = 0
      [ 526.375269] EA = 0, S1PTW = 0
      [ 526.378405] swapper pgtable: 4k pages, 48-bit VAs, pgd = 000000008ae60416
      [ 526.385185] [ffff000006923090] *pgd=000000bffcffe803, *pud=000000bffcffd803, *pmd=0000009f4731a003, *pte=0000000000000000
      [ 526.396141] Internal error: Oops: 86000007 [#1] SMP
      [ 526.401008] Modules linked in: nls_iso8859_1 ipmi_devintf joydev input_leds ipmi_msghandler shpchp sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear i2c_smbus hid_generic usbhid uas hid usb_storage ast aes_ce_blk i2c_algo_bit aes_ce_cipher qede ttm crc32_ce ptp crct10dif_ce drm_kms_helper ghash_ce syscopyarea sha2_ce sysfillrect sysimgblt pps_core fb_sys_fops sha256_arm64 sha1_ce mpt3sas qed drm raid_class ahci scsi_transport_sas libahci gpio_xlp i2c_xlp9xx aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64 [last unloaded: ipmi_ssif]
      [ 526.468085] CPU: 125 PID: 0 Comm: swapper/125 Not tainted 4.15.0-35-generic #38~lp1775396+build.1
      [ 526.476942] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL022 08/14/2018
      [ 526.484932] pstate: 00400009 (nzcv daif +PAN -UAO)
      [ 526.489713] pc : 0xffff000006923090
      [ 526.493198] lr : call_timer_fn+0x34/0x178
      [ 526.497194] sp : ffff000009b0bdd0
      [ 526.500496] x29: ffff000009b0bdd0 x28: 0000000000000082
      [ 526.505796] x27: 0000000000000002 x26: ffff000009515188
      [ 526.511096] x25: ffff000009515180 x24: ffff0000090f1018
      [ 526.516396] x23: ffff000009519660 x22: dead000000000200
      [ 526.521696] x21: ffff000006923090 x20: 0000000000000100
      [ 526.526995] x19: ffff809eeb466a40 x18: 0000000000000000
      [ 526.532295] x17: 000000000000000e x16: 0000000000000007
      [ 526.537594] x15: 0000000000000000 x14: 071c71c71c71c71c
      [ 526.542894] x13: 0000000000000000 x12: 0000000000000000
      [ 526.548193] x11: 0000000000000001 x10: ffff000009b0be88
      [ 526.553493] x9 : 0000000000000000 x8 : 0000000000000005
      [ 526.558793] x7 : ffff80befc1f8528 x6 : 0000000000000020
      [ 526.564092] x5 : 0000000000000040 x4 : 0000000020001b20
      [ 526.569392] x3 : 0000000000000000 x2 : ffff809eeb466a40
      [ 526.574692] x1 : ffff000006923090 x0 : ffff809eeb466a40
      [ 526.579992] Process swapper/125 (pid: 0, stack limit = 0x000000002eb50acc)
      [ 526.586854] Call trace:
      [ 526.589289] 0xffff000006923090
      [ 526.592419] expire_timers+0xc8/0x130
      [ 526.596070] run_timer_softirq+0xec/0x1b0
      [ 526.600070] __do_softirq+0x134/0x328
      [ 526.603726] irq_exit+0xc8/0xe0
      [ 526.606857] __handle_domain_irq+0x6c/0xc0
      [ 526.610941] gic_handle_irq+0x84/0x188
      [ 526.614679] el1_irq+0xe8/0x180
      [ 526.617822] cpuidle_enter_state+0xa0/0x328
      [ 526.621993] cpuidle_enter+0x34/0x48
      [ 526.625564] call_cpuidle+0x44/0x70
      [ 526.629040] do_idle+0x1b8/0x1f0
      [ 526.632256] cpu_startup_entry+0x2c/0x30
      [ 526.636174] secondary_start_kernel+0x11c/0x130
      [ 526.640694] Code: bad PC value
      [ 526.643800] ---[ end trace d020b0b8417c2498 ]---
      [ 526.648404] Kernel panic - not syncing: Fatal exception in interrupt
      [ 526.654778] SMP: stopping secondary CPUs
      [ 526.658734] Kernel Offset: disabled
      [ 526.662211] CPU features: 0x5800c38
      [ 526.665688] Memory Limit: none
      [ 526.668768] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
      
      Prevent mod_timer from arming a timer that was already removed by
      del_timer during module unload.
      Signed-off-by: default avatarJan Glauber <jglauber@cavium.com>
      Cc: <stable@vger.kernel.org> # 3.19
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eda6ef4a
    • Maciej S. Szmigiero's avatar
      pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges · 0497878b
      Maciej S. Szmigiero authored
      commit 95691e3e upstream.
      
      Currently, "disable_clkrun" yenta_socket module parameter is only
      implemented for TI CardBus bridges.
      Add also an implementation for Ricoh bridges that have the necessary
      setting documented in publicly available datasheets.
      
      Tested on a RL5C476II with a Sunrich C-160 CardBus NIC that doesn't work
      correctly unless the CLKRUN protocol is disabled.
      
      Let's also make it clear in its description that the "disable_clkrun"
      module parameter only works on these two previously mentioned brands of
      CardBus bridges.
      Signed-off-by: default avatarMaciej S. Szmigiero <mail@maciej.szmigiero.name>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0497878b
    • Hou Tao's avatar
      jffs2: free jffs2_sb_info through jffs2_kill_sb() · 85b89ccf
      Hou Tao authored
      commit 92e2921f upstream.
      
      When an invalid mount option is passed to jffs2, jffs2_parse_options()
      will fail and jffs2_sb_info will be freed, but then jffs2_sb_info will
      be used (use-after-free) and freeed (double-free) in jffs2_kill_sb().
      
      Fix it by removing the buggy invocation of kfree() when getting invalid
      mount options.
      
      Fixes: 92abc475 ("jffs2: implement mount option parsing and compression overriding")
      Cc: stable@kernel.org
      Signed-off-by: default avatarHou Tao <houtao1@huawei.com>
      Reviewed-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85b89ccf
    • Dmitry Bazhenov's avatar
      hwmon: (pmbus) Fix page count auto-detection. · dff53cf7
      Dmitry Bazhenov authored
      commit e7c6a556 upstream.
      
      Devices with compatible="pmbus" field have zero initial page count,
      and pmbus_clear_faults() being called before the page count auto-
      detection does not actually clear faults because it depends on the
      page count. Non-cleared faults in its turn may fail the subsequent
      page count auto-detection.
      
      This patch fixes this problem by calling pmbus_clear_fault_page()
      for currently set page and calling pmbus_clear_faults() after the
      page count was detected.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Bazhenov <bazhenov.dn@gmail.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dff53cf7