1. 03 Mar, 2016 40 commits
    • Nicholas Bellinger's avatar
      target: Fix race with SCF_SEND_DELAYED_TAS handling · b9d99202
      Nicholas Bellinger authored
      commit 310d3d31 upstream.
      
      This patch fixes a race between setting of SCF_SEND_DELAYED_TAS
      in transport_send_task_abort(), and check of the same bit in
      transport_check_aborted_status().
      
      It adds a __transport_check_aborted_status() version that is
      used by target_execute_cmd() when se_cmd->t_state_lock is
      held, and a transport_check_aborted_status() wrapper for
      all other existing callers.
      
      Also, it handles the case where the check happens before
      transport_send_task_abort() gets called.  For this, go
      ahead and set SCF_SEND_DELAYED_TAS early when necessary,
      and have transport_send_task_abort() send the abort.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9d99202
    • Nicholas Bellinger's avatar
      target: Fix remote-port TMR ABORT + se_cmd fabric stop · fb6a326e
      Nicholas Bellinger authored
      commit 0f4a9431 upstream.
      
      To address the bug where fabric driver level shutdown
      of se_cmd occurs at the same time when TMR CMD_T_ABORTED
      is happening resulting in a -1 ->cmd_kref, this patch
      adds a CMD_T_FABRIC_STOP bit that is used to determine
      when TMR + driver I_T nexus shutdown is happening
      concurrently.
      
      It changes target_sess_cmd_list_set_waiting() to obtain
      se_cmd->cmd_kref + set CMD_T_FABRIC_STOP, and drop local
      reference in target_wait_for_sess_cmds() and invoke extra
      target_put_sess_cmd() during Task Aborted Status (TAS)
      when necessary.
      
      Also, it adds a new target_wait_free_cmd() wrapper around
      transport_wait_for_tasks() for the special case within
      transport_generic_free_cmd() to set CMD_T_FABRIC_STOP,
      and is now aware of CMD_T_ABORTED + CMD_T_TAS status
      bits to know when an extra transport_put_cmd() during
      TAS is required.
      
      Note transport_generic_free_cmd() is expected to block on
      cmd->cmd_wait_comp in order to follow what iscsi-target
      expects during iscsi_conn context se_cmd shutdown.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@daterainc.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb6a326e
    • Nicholas Bellinger's avatar
      target: Fix TAS handling for multi-session se_node_acls · 547551e5
      Nicholas Bellinger authored
      commit ebde1ca5 upstream.
      
      This patch fixes a bug in TMR task aborted status (TAS)
      handling when multiple sessions are connected to the
      same target WWPN endpoint and se_node_acl descriptor,
      resulting in TASK_ABORTED status to not be generated
      for aborted se_cmds on the remote port.
      
      This is due to core_tmr_handle_tas_abort() incorrectly
      comparing se_node_acl instead of se_session, for which
      the multi-session case is expected to be sharing the
      same se_node_acl.
      
      Instead, go ahead and update core_tmr_handle_tas_abort()
      to compare tmr_sess + cmd->se_sess in order to determine
      if the LUN_RESET was received on a different I_T nexus,
      and TASK_ABORTED status response needs to be generated.
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      547551e5
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active TMR descriptor handling · 91583a21
      Nicholas Bellinger authored
      commit a6d9bb1c upstream.
      
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active TMRs,
      triggered during se_cmd + se_tmr_req descriptor
      shutdown + release via core_tmr_drain_tmr_list().
      
      To address this bug, go ahead and obtain a local
      kref_get_unless_zero(&se_cmd->cmd_kref) for active I/O
      to set CMD_T_ABORTED, and transport_wait_for_tasks()
      followed by the final target_put_sess_cmd() to drop
      the local ->cmd_kref.
      
      Also add two new checks within target_tmr_work() to
      avoid CMD_T_ABORTED -> TFO->queue_tm_rsp() callbacks
      ahead of invoking the backend -> fabric put in
      transport_cmd_check_stop_to_fabric().
      
      For good measure, also change core_tmr_release_req()
      to use list_del_init() ahead of se_tmr_req memory
      free.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      91583a21
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active I/O handling for ACK_KREF · 3b493f9f
      Nicholas Bellinger authored
      commit febe562c upstream.
      
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active se_cmd
      I/O, that can be triggered during se_cmd descriptor
      shutdown + release via core_tmr_drain_state_list() code.
      
      To address this bug, add common __target_check_io_state()
      helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
      checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
      both cases ahead of last target_put_sess_cmd() after
      TFO->aborted_task() -> transport_cmd_finish_abort()
      callback has completed.
      
      It also introduces SCF_ACK_KREF to determine when
      transport_cmd_finish_abort() needs to drop the second
      extra reference, ahead of calling target_put_sess_cmd()
      for the final kref_put(&se_cmd->cmd_kref).
      
      It also updates transport_cmd_check_stop() to avoid
      holding se_cmd->t_state_lock while dropping se_cmd
      device state via target_remove_from_state_list(), now
      that core_tmr_drain_state_list() is holding the
      se_device lock while checking se_cmd state from
      within TMR logic.
      
      Finally, move transport_put_cmd() release of SGL +
      TMR + extended CDB memory into target_free_cmd_mem()
      in order to avoid potential resource leaks in TMR
      ABORT_TASK + LUN_RESET code-paths.  Also update
      target_release_cmd_kref() accordingly.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b493f9f
    • Kai-Heng Feng's avatar
      ALSA: hda - Fixing background noise on Dell Inspiron 3162 · 7cb32ae0
      Kai-Heng Feng authored
      commit 3b43b71f upstream.
      
      After login to the desktop on Dell Inspiron 3162,
      there's a very loud background noise comes from the builtin speaker.
      The noise does not go away even if the speaker is muted.
      
      The noise disappears after using the aamix fixup.
      
      Codec: Realtek ALC3234
      Address: 0
      AFG Function Id: 0x1 (unsol 1)
          Vendor Id: 0x10ec0255
          Subsystem Id: 0x10280725
          Revision Id: 0x100002
          No Modem Function Group found
      
      BugLink: http://bugs.launchpad.net/bugs/1549620Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cb32ae0
    • Takashi Iwai's avatar
      ALSA: hda - Apply clock gate workaround to Skylake, too · 1436e689
      Takashi Iwai authored
      commit 7e31a015 upstream.
      
      Some Skylake machines show the codec probe errors in certain
      situations, e.g. HP Z240 desktop fails to probe the onboard Realtek
      codec at reloading the snd-hda-intel module like:
        snd_hda_intel 0000:00:1f.3: spurious response 0x200:0x2, last cmd=0x000000
        snd_hda_intel 0000:00:1f.3: azx_get_response timeout, switching to polling mode: lastcmd=0x000f0000
        snd_hda_intel 0000:00:1f.3: No response from codec, disabling MSI: last cmd=0x000f0000
        snd_hda_intel 0000:00:1f.3: Codec #0 probe error; disabling it...
        hdaudio hdaudioC0D2: no AFG or MFG node found
        snd_hda_intel 0000:00:1f.3: no codecs initialized
      
      Also, HP G470 G3 suffers from the similar problem, as reported in
      bugzilla below.  On this machine, the codec probe error appears even
      at a fresh boot.
      
      As Libin suggested, the same workaround used for Broxton in the commit
      [6639484d: ALSA: hda - disable dynamic clock gating on Broxton
       before reset] can be applied for Skylake in order to fix this problem.
      The Intel HW team also confirmed that this is needed for SKL.
      
      This patch makes the workaround applied to both SKL and BXT
      platforms.  The referred macros are moved and one superfluous macro
      (IS_BROXTON()) is another one (IS_BXT()) as well.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112731Suggested-by: default avatarLibin Yang <libin.yang@linux.intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1436e689
    • Tejun Heo's avatar
      Revert "workqueue: make sure delayed work run in local cpu" · 66847104
      Tejun Heo authored
      commit 041bd12e upstream.
      
      This reverts commit 874bbfe6.
      
      Workqueue used to implicity guarantee that work items queued without
      explicit CPU specified are put on the local CPU.  Recent changes in
      timer broke the guarantee and led to vmstat breakage which was fixed
      by 176bed1d ("vmstat: explicitly schedule per-cpu work on the CPU
      we need it to run on").
      
      vmstat is the most likely to expose the issue and it's quite possible
      that there are other similar problems which are a lot more difficult
      to trigger.  As a preventive measure, 874bbfe6 ("workqueue: make
      sure delayed work run in local cpu") was applied to restore the local
      CPU guarnatee.  Unfortunately, the change exposed a bug in timer code
      which got fixed by 22b886dd ("timers: Use proper base migration in
      add_timer_on()").  Due to code restructuring, the commit couldn't be
      backported beyond certain point and stable kernels which only had
      874bbfe6 started crashing.
      
      The local CPU guarantee was accidental more than anything else and we
      want to get rid of it anyway.  As, with the vmstat case fixed,
      874bbfe6 is causing more problems than it's fixing, it has been
      decided to take the chance and officially break the guarantee by
      reverting the commit.  A debug feature will be added to force foreign
      CPU assignment to expose cases relying on the guarantee and fixes for
      the individual cases will be backported to stable as necessary.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Fixes: 874bbfe6 ("workqueue: make sure delayed work run in local cpu")
      Link: http://lkml.kernel.org/g/20160120211926.GJ10810@quack.suse.cz
      Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
      Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
      Cc: Daniel Bilik <daniel.bilik@neosystem.cz>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Shaohua Li <shli@fb.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Daniel Bilik <daniel.bilik@neosystem.cz>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Cc: Michal Hocko <mhocko@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66847104
    • Tejun Heo's avatar
      workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup · 21b34b45
      Tejun Heo authored
      commit d6e022f1 upstream.
      
      When looking up the pool_workqueue to use for an unbound workqueue,
      workqueue assumes that the target CPU is always bound to a valid NUMA
      node.  However, currently, when a CPU goes offline, the mapping is
      destroyed and cpu_to_node() returns NUMA_NO_NODE.
      
      This has always been broken but hasn't triggered often enough before
      874bbfe6 ("workqueue: make sure delayed work run in local cpu").
      After the commit, workqueue forcifully assigns the local CPU for
      delayed work items without explicit target CPU to fix a different
      issue.  This widens the window where CPU can go offline while a
      delayed work item is pending causing delayed work items dispatched
      with target CPU set to an already offlined CPU.  The resulting
      NUMA_NO_NODE mapping makes workqueue try to queue the work item on a
      NULL pool_workqueue and thus crash.
      
      While 874bbfe6 has been reverted for a different reason making the
      bug less visible again, it can still happen.  Fix it by mapping
      NUMA_NO_NODE to the default pool_workqueue from unbound_pwq_by_node().
      This is a temporary workaround.  The long term solution is keeping CPU
      -> NODE mapping stable across CPU off/online cycles which is being
      worked on.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarMike Galbraith <umgwanakikbuti@gmail.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Cc: Rafael J. Wysocki <rafael@kernel.org>
      Cc: Len Brown <len.brown@intel.com>
      Link: http://lkml.kernel.org/g/1454424264.11183.46.camel@gmail.com
      Link: http://lkml.kernel.org/g/1453702100-2597-1-git-send-email-tangchen@cn.fujitsu.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21b34b45
    • Sachin Kulkarni's avatar
      mac80211: Requeue work after scan complete for all VIF types. · 81bb6553
      Sachin Kulkarni authored
      commit 4fa11ec7 upstream.
      
      During a sw scan ieee80211_iface_work ignores work items for all vifs.
      However after the scan complete work is requeued only for STA, ADHOC
      and MESH iftypes.
      
      This occasionally results in event processing getting delayed/not
      processed for iftype AP when it coexists with a STA. This can result
      in data halt and eventually disconnection on the AP interface.
      Signed-off-by: default avatarSachin Kulkarni <Sachin.Kulkarni@imgtec.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81bb6553
    • Johannes Berg's avatar
      rfkill: fix rfkill_fop_read wait_event usage · 33bf18e4
      Johannes Berg authored
      commit 6736fde9 upstream.
      
      The code within wait_event_interruptible() is called with
      !TASK_RUNNING, so mustn't call any functions that can sleep,
      like mutex_lock().
      
      Since we re-check the list_empty() in a loop after the wait,
      it's safe to simply use list_empty() without locking.
      
      This bug has existed forever, but was only discovered now
      because all userspace implementations, including the default
      'rfkill' tool, use poll() or select() to get a readable fd
      before attempting to read.
      
      Fixes: c64fb016 ("rfkill: create useful userspace interface")
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      33bf18e4
    • Wanpeng Li's avatar
      tick/nohz: Set the correct expiry when switching to nohz/lowres mode · d024d46e
      Wanpeng Li authored
      commit 1ca8ec53 upstream.
      
      commit 0ff53d09 sets the next tick interrupt to the last jiffies update,
      i.e. in the past, because the forward operation is invoked before the set
      operation. There is no resulting damage (yet), but we get an extra pointless
      tick interrupt.
      
      Revert the order so we get the next tick interrupt in the future.
      
      Fixes: commit 0ff53d09 "tick: sched: Force tick interrupt and get rid of softirq magic"
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Link: http://lkml.kernel.org/r/1453893967-3458-1-git-send-email-wanpeng.li@hotmail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d024d46e
    • Jiri Olsa's avatar
      perf stat: Do not clean event's private stats · e4319361
      Jiri Olsa authored
      commit 3f416f22 upstream.
      
      Mel reported stddev reporting was broken due to following commit:
      
      	106a94a0 ("perf stat: Introduce read_counters function")
      
      This commit merged interval and overall counters reading into single
      read_counters function.
      
      The old interval code cleaned the stddev data for some reason (it's
      never displayed in interval mode) and the mentioned commit kept on
      cleaning the stddev data in merged function, which resulted in the
      stddev not being displayed.
      
      Removing the wrong stddev data cleanup init_stats call.
      Reported-and-Tested-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Fixes: 106a94a0 ("perf stat: Introduce read_counters function")
      Link: http://lkml.kernel.org/r/1453290995-18485-4-git-send-email-jolsa@kernel.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e4319361
    • Oliver Neukum's avatar
      cdc-acm:exclude Samsung phone 04e8:685d · 19964740
      Oliver Neukum authored
      commit e912e685 upstream.
      
      This phone needs to be handled by a specialised firmware tool
      and is reported to crash irrevocably if cdc-acm takes it.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19964740
    • Sudip Mukherjee's avatar
      Revert "Staging: panel: usleep_range is preferred over udelay" · f021f05c
      Sudip Mukherjee authored
      commit b64a1cbe upstream.
      
      This reverts commit ebd43516.
      
      We should not be sleeping inside spin_lock.
      
      Fixes: ebd43516 ("Staging: panel: usleep_range is preferred over udelay")
      Cc: Sirnam Swetha <theonly.ultimate@gmail.com>
      Signed-off-by: default avatarSudip Mukherjee <sudip@vectorindia.org>
      Reported-by: default avatarHuang, Ying <ying.huang@intel.com>
      Tested-by: default avatarHuang, Ying <ying.huang@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f021f05c
    • Samuel Thibault's avatar
      Staging: speakup: Fix getting port information · 16d9f522
      Samuel Thibault authored
      commit 327b882d upstream.
      
      Commit f79b0d9c ("staging: speakup: Fixed warning <linux/serial.h>
      instead of <asm/serial.h>") broke the port information in the speakup
      driver: SERIAL_PORT_DFNS only gets defined if asm/serial.h is included,
      and no other header includes asm/serial.h.
      
      We here make sure serialio.c does get the arch-specific definition of
      SERIAL_PORT_DFNS from asm/serial.h, if any.
      
      Along the way, this makes sure that we do have information for the
      requested serial port number (index)
      
      Fixes: f79b0d9c ("staging: speakup: Fixed warning <linux/serial.h> instead of <asm/serial.h>")
      Signed-off-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16d9f522
    • Martin K. Petersen's avatar
      sd: Optimal I/O size is in bytes, not sectors · f313f1d8
      Martin K. Petersen authored
      commit d0eb20a8 upstream.
      
      Commit ca369d51 ("block/sd: Fix device-imposed transfer length
      limits") accidentally switched optimal I/O size reporting from bytes to
      block layer sectors.
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Reported-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Tested-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Fixes: ca369d51Reviewed-by: default avatarJames E.J. Bottomley <James.Bottomley@HansenPartnership.com>
      Reviewed-by: default avatarEwan D. Milne <emilne@redhat.com>
      Reviewed-by: default avatarMatthew R. Ochs <mrochs@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f313f1d8
    • Ilya Dryomov's avatar
      libceph: don't spam dmesg with stray reply warnings · 01c3c0f9
      Ilya Dryomov authored
      commit cd8140c6 upstream.
      
      Commit d15f9d69 ("libceph: check data_len in ->alloc_msg()")
      mistakenly bumped the log level on the "tid %llu unknown, skipping"
      message.  Turn it back into a dout() - stray replies are perfectly
      normal when OSDs flap, crash, get killed for testing purposes, etc.
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01c3c0f9
    • Ilya Dryomov's avatar
      libceph: use the right footer size when skipping a message · 10dada9d
      Ilya Dryomov authored
      commit dbc0d3ca upstream.
      
      ceph_msg_footer is 21 bytes long, while ceph_msg_footer_old is only 13.
      Don't skip too much when CEPH_FEATURE_MSG_AUTH isn't negotiated.
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10dada9d
    • Ilya Dryomov's avatar
      libceph: don't bail early from try_read() when skipping a message · 50c6a283
      Ilya Dryomov authored
      commit e7a88e82 upstream.
      
      The contract between try_read() and try_write() is that when called
      each processes as much data as possible.  When instructed by osd_client
      to skip a message, try_read() is violating this contract by returning
      after receiving and discarding a single message instead of checking for
      more.  try_write() then gets a chance to write out more requests,
      generating more replies/skips for try_read() to handle, forcing the
      messenger into a starvation loop.
      Reported-by: default avatarVarada Kari <Varada.Kari@sandisk.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Tested-by: default avatarVarada Kari <Varada.Kari@sandisk.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      50c6a283
    • Ilya Dryomov's avatar
      libceph: fix ceph_msg_revoke() · ee834473
      Ilya Dryomov authored
      commit 67645d76 upstream.
      
      There are a number of problems with revoking a "was sending" message:
      
      (1) We never make any attempt to revoke data - only kvecs contibute to
      con->out_skip.  However, once the header (envelope) is written to the
      socket, our peer learns data_len and sets itself to expect at least
      data_len bytes to follow front or front+middle.  If ceph_msg_revoke()
      is called while the messenger is sending message's data portion,
      anything we send after that call is counted by the OSD towards the now
      revoked message's data portion.  The effects vary, the most common one
      is the eventual hang - higher layers get stuck waiting for the reply to
      the message that was sent out after ceph_msg_revoke() returned and
      treated by the OSD as a bunch of data bytes.  This is what Matt ran
      into.
      
      (2) Flat out zeroing con->out_kvec_bytes worth of bytes to handle kvecs
      is wrong.  If ceph_msg_revoke() is called before the tag is sent out or
      while the messenger is sending the header, we will get a connection
      reset, either due to a bad tag (0 is not a valid tag) or a bad header
      CRC, which kind of defeats the purpose of revoke.  Currently the kernel
      client refuses to work with header CRCs disabled, but that will likely
      change in the future, making this even worse.
      
      (3) con->out_skip is not reset on connection reset, leading to one or
      more spurious connection resets if we happen to get a real one between
      con->out_skip is set in ceph_msg_revoke() and before it's cleared in
      write_partial_skip().
      
      Fixing (1) and (3) is trivial.  The idea behind fixing (2) is to never
      zero the tag or the header, i.e. send out tag+header regardless of when
      ceph_msg_revoke() is called.  That way the header is always correct, no
      unnecessary resets are induced and revoke stands ready for disabled
      CRCs.  Since ceph_msg_revoke() rips out con->out_msg, introduce a new
      "message out temp" and copy the header into it before sending.
      Reported-by: default avatarMatt Conner <matt.conner@keepertech.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Tested-by: default avatarMatt Conner <matt.conner@keepertech.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee834473
    • Jann Horn's avatar
      seccomp: always propagate NO_NEW_PRIVS on tsync · df86161e
      Jann Horn authored
      commit 103502a3 upstream.
      
      Before this patch, a process with some permissive seccomp filter
      that was applied by root without NO_NEW_PRIVS was able to add
      more filters to itself without setting NO_NEW_PRIVS by setting
      the new filter from a throwaway thread with NO_NEW_PRIVS.
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df86161e
    • Viresh Kumar's avatar
      cpufreq: Fix NULL reference crash while accessing policy->governor_data · 0ac4a2a8
      Viresh Kumar authored
      commit e4b133cc upstream.
      
      There is a race discovered by Juri, where we are able to:
      - create and read a sysfs file before policy->governor_data is being set
        to a non NULL value.
        OR
      - set policy->governor_data to NULL, and reading a file before being
        destroyed.
      
      And so such a crash is reported:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000c
      pgd = edfc8000
      [0000000c] *pgd=bfc8c835
      Internal error: Oops: 17 [#1] SMP ARM
      Modules linked in:
      CPU: 4 PID: 1730 Comm: cat Not tainted 4.5.0-rc1+ #463
      Hardware name: ARM-Versatile Express
      task: ee8e8480 ti: ee930000 task.ti: ee930000
      PC is at show_ignore_nice_load_gov_pol+0x24/0x34
      LR is at show+0x4c/0x60
      pc : [<c058f1bc>]    lr : [<c058ae88>]    psr: a0070013
      sp : ee931dd0  ip : ee931de0  fp : ee931ddc
      r10: ee4bc290  r9 : 00001000  r8 : ef2cb000
      r7 : ee4bc200  r6 : ef2cb000  r5 : c0af57b0  r4 : ee4bc2e0
      r3 : 00000000  r2 : 00000000  r1 : c0928df4  r0 : ef2cb000
      Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      Control: 10c5387d  Table: adfc806a  DAC: 00000051
      Process cat (pid: 1730, stack limit = 0xee930210)
      Stack: (0xee931dd0 to 0xee932000)
      1dc0:                                     ee931dfc ee931de0 c058ae88 c058f1a4
      1de0: edce3bc0 c07bfca4 edce3ac0 00001000 ee931e24 ee931e00 c01fcb90 c058ae48
      1e00: 00000001 edce3bc0 00000000 00000001 ee931e50 ee8ff480 ee931e34 ee931e28
      1e20: c01fb33c c01fcb0c ee931e8c ee931e38 c01a5210 c01fb314 ee931e9c ee931e48
      1e40: 00000000 edce3bf0 befe4a00 ee931f78 00000000 00000000 000001e4 00000000
      1e60: c00545a8 edce3ac0 00001000 00001000 befe4a00 ee931f78 00000000 00001000
      1e80: ee931ed4 ee931e90 c01fbed8 c01a5038 ed085a58 00020000 00000000 00000000
      1ea0: c0ad72e4 ee931f78 ee8ff488 ee8ff480 c077f3fc 00001000 befe4a00 ee931f78
      1ec0: 00000000 00001000 ee931f44 ee931ed8 c017c328 c01fbdc4 00001000 00000000
      1ee0: ee8ff480 00001000 ee931f44 ee931ef8 c017c65c c03deb10 ee931fac ee931f08
      1f00: c0009270 c001f290 c0a8d968 ef2cb000 ef2cb000 ee8ff480 00000020 ee8ff480
      1f20: ee8ff480 befe4a00 00001000 ee931f78 00000000 00000000 ee931f74 ee931f48
      1f40: c017d1ec c017c2f8 c019c724 c019c684 ee8ff480 ee8ff480 00001000 befe4a00
      1f60: 00000000 00000000 ee931fa4 ee931f78 c017d2a8 c017d160 00000000 00000000
      1f80: 000a9f20 00001000 befe4a00 00000003 c000ffe4 ee930000 00000000 ee931fa8
      1fa0: c000fe40 c017d264 000a9f20 00001000 00000003 befe4a00 00001000 00000000
      Unable to handle kernel NULL pointer dereference at virtual address 0000000c
      1fc0: 000a9f20 00001000 befe4a00 00000003 00000000 00000000 00000003 00000001
      pgd = edfc4000
      [0000000c] *pgd=bfcac835
      1fe0: 00000000 befe49dc 000197f8 b6e35dfc 60070010 00000003 3065b49d 134ac2c9
      
      [<c058f1bc>] (show_ignore_nice_load_gov_pol) from [<c058ae88>] (show+0x4c/0x60)
      [<c058ae88>] (show) from [<c01fcb90>] (sysfs_kf_seq_show+0x90/0xfc)
      [<c01fcb90>] (sysfs_kf_seq_show) from [<c01fb33c>] (kernfs_seq_show+0x34/0x38)
      [<c01fb33c>] (kernfs_seq_show) from [<c01a5210>] (seq_read+0x1e4/0x4e4)
      [<c01a5210>] (seq_read) from [<c01fbed8>] (kernfs_fop_read+0x120/0x1a0)
      [<c01fbed8>] (kernfs_fop_read) from [<c017c328>] (__vfs_read+0x3c/0xe0)
      [<c017c328>] (__vfs_read) from [<c017d1ec>] (vfs_read+0x98/0x104)
      [<c017d1ec>] (vfs_read) from [<c017d2a8>] (SyS_read+0x50/0x90)
      [<c017d2a8>] (SyS_read) from [<c000fe40>] (ret_fast_syscall+0x0/0x1c)
      Code: e5903044 e1a00001 e3081df4 e34c1092 (e593300c)
      ---[ end trace 5994b9a5111f35ee ]---
      
      Fix that by making sure, policy->governor_data is updated at the right
      places only.
      Reported-and-tested-by: default avatarJuri Lelli <juri.lelli@arm.com>
      Signed-off-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ac4a2a8
    • Arnd Bergmann's avatar
      cpufreq: pxa2xx: fix pxa_cpufreq_change_voltage prototype · 286ab25d
      Arnd Bergmann authored
      commit fb2a24a1 upstream.
      
      There are two definitions of pxa_cpufreq_change_voltage, with slightly
      different prototypes after one of them had its argument marked 'const'.
      Now the other one (for !CONFIG_REGULATOR) produces a harmless warning:
      
      drivers/cpufreq/pxa2xx-cpufreq.c: In function 'pxa_set_target':
      drivers/cpufreq/pxa2xx-cpufreq.c:291:36: warning: passing argument 1 of 'pxa_cpufreq_change_voltage' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
         ret = pxa_cpufreq_change_voltage(&pxa_freq_settings[idx]);
                                          ^
      drivers/cpufreq/pxa2xx-cpufreq.c:205:12: note: expected 'struct pxa_freqs *' but argument is of type 'const struct pxa_freqs *'
       static int pxa_cpufreq_change_voltage(struct pxa_freqs *pxa_freq)
                  ^
      
      This changes the prototype in the same way as the other, which
      avoids the warning.
      
      Fixes: 03c22990 (cpufreq: pxa: make pxa_freqs arrays const)
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      286ab25d
    • Peter Rosin's avatar
      hwmon: (ads1015) Handle negative conversion values correctly · 5c2bd0c6
      Peter Rosin authored
      commit acc14694 upstream.
      
      Make the divisor signed as DIV_ROUND_CLOSEST is undefined for negative
      dividends when the divisor is unsigned.
      Signed-off-by: default avatarPeter Rosin <peda@axentia.se>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c2bd0c6
    • Nishanth Menon's avatar
      hwmon: (gpio-fan) Remove un-necessary speed_index lookup for thermal hook · 4bbd7acd
      Nishanth Menon authored
      commit 000e0949 upstream.
      
      Thermal hook gpio_fan_get_cur_state is only interested in knowing
      the current speed index that was setup in the system, this is
      already available as part of fan_data->speed_index which is always
      set by set_fan_speed. Using get_fan_speed_index is useful when we
      have no idea about the fan speed configuration (for example during
      fan_ctrl_init).
      
      When thermal framework invokes
      gpio_fan_get_cur_state=>get_fan_speed_index via gpio_fan_get_cur_state
      especially in a polled configuration for thermal governor, we
      basically hog the i2c interface to the extent that other functions
      fail to get any traffic out :(.
      
      Instead, just provide the last state set in the driver - since the gpio
      fan driver is responsible for the fan state immaterial of override, the
      fan_data->speed_index should accurately reflect the state.
      
      Fixes: b5cf88e4 ("(gpio-fan): Add thermal control hooks")
      Reported-by: default avatarTony Lindgren <tony@atomide.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Eduardo Valentin <edubezval@gmail.com>
      Signed-off-by: default avatarNishanth Menon <nm@ti.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4bbd7acd
    • Thorsten Leemhuis's avatar
      hwmon: (dell-smm) Blacklist Dell Studio XPS 8000 · 0ff78501
      Thorsten Leemhuis authored
      commit 6220f4eb upstream.
      
      Since Linux 4.0 the CPU fan speed is going up and down on Dell Studio
      XPS 8000 and 8100 for unknown reasons. The 8100 was already
      blacklisted in commit a4b45b25 ("hwmon: (dell-smm) Blacklist
      Dell Studio XPS 8100"). This patch blacklists the XPS 8000.
      
      Without further debugging on the affected machine, it is not possible
      to find the problem. For more details see
      https://bugzilla.kernel.org/show_bug.cgi?id=100121Signed-off-by: default avatarThorsten Leemhuis <linux@leemhuis.info>
      Acked-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ff78501
    • Chen Yu's avatar
      Thermal: do thermal zone update after a cooling device registered · 27f35614
      Chen Yu authored
      commit 4511f716 upstream.
      
      When a new cooling device is registered, we need to update the
      thermal zone to set the new registered cooling device to a proper
      state.
      
      This fixes a problem that the system is cool, while the fan devices
      are left running on full speed after boot, if fan device is registered
      after thermal zone device.
      
      Here is the history of why current patch looks like this:
      https://patchwork.kernel.org/patch/7273041/
      
      Reference:https://bugzilla.kernel.org/show_bug.cgi?id=92431Tested-by: default avatarManuel Krause <manuelkrause@netscape.net>
      Tested-by: default avatarszegad <szegadlo@poczta.onet.pl>
      Tested-by: default avatarprash <prash.n.rao@gmail.com>
      Tested-by: default avataramish <ammdispose-arch@yahoo.com>
      Reviewed-by: default avatarJavi Merino <javi.merino@arm.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Signed-off-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27f35614
    • Zhang Rui's avatar
      Thermal: handle thermal zone device properly during system sleep · a67208e9
      Zhang Rui authored
      commit ff140fea upstream.
      
      Current thermal code does not handle system sleep well because
      1. the cooling device cooling state may be changed during suspend
      2. the previous temperature reading becomes invalid after resumed because
         it is got before system sleep
      3. updating thermal zone device during suspending/resuming
         is wrong because some devices may have already been suspended
         or may have not been resumed.
      
      Thus, the proper way to do this is to cancel all thermal zone
      device update requirements during suspend/resume, and after all
      the devices have been resumed, reset and update every registered
      thermal zone devices.
      
      This also fixes a regression introduced by:
      Commit 19593a1f ("ACPI / fan: convert to platform driver")
      Because, with above commit applied, all the fan devices are attached
      to the acpi_general_pm_domain, and they are turned on by the pm_domain
      automatically after resume, without the awareness of thermal core.
      
      Reference: https://bugzilla.kernel.org/show_bug.cgi?id=78201
      Reference: https://bugzilla.kernel.org/show_bug.cgi?id=91411Tested-by: default avatarManuel Krause <manuelkrause@netscape.net>
      Tested-by: default avatarszegad <szegadlo@poczta.onet.pl>
      Tested-by: default avatarprash <prash.n.rao@gmail.com>
      Tested-by: default avataramish <ammdispose-arch@yahoo.com>
      Tested-by: default avatarMatthias <morpheusxyz123@yahoo.de>
      Reviewed-by: default avatarJavi Merino <javi.merino@arm.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Signed-off-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a67208e9
    • Zhang Rui's avatar
      Thermal: initialize thermal zone device correctly · 774ac8b7
      Zhang Rui authored
      commit bb431ba2 upstream.
      
      After thermal zone device registered, as we have not read any
      temperature before, thus tz->temperature should not be 0,
      which actually means 0C, and thermal trend is not available.
      In this case, we need specially handling for the first
      thermal_zone_device_update().
      
      Both thermal core framework and step_wise governor is
      enhanced to handle this. And since the step_wise governor
      is the only one that uses trends, so it's the only thermal
      governor that needs to be updated.
      Tested-by: default avatarManuel Krause <manuelkrause@netscape.net>
      Tested-by: default avatarszegad <szegadlo@poczta.onet.pl>
      Tested-by: default avatarprash <prash.n.rao@gmail.com>
      Tested-by: default avataramish <ammdispose-arch@yahoo.com>
      Tested-by: default avatarMatthias <morpheusxyz123@yahoo.de>
      Reviewed-by: default avatarJavi Merino <javi.merino@arm.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Signed-off-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      774ac8b7
    • Leon Romanovsky's avatar
      IB/mlx5: Expose correct maximum number of CQE capacity · 2f59395e
      Leon Romanovsky authored
      commit 9f177686 upstream.
      
      Maximum number of EQE capacity per CQ was mistakenly exposed
      as CQE. Fix that.
      
      Fixes: 938fe83c ("net/mlx5_core: New device capabilities handling")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f59395e
    • Vinit Agnihotri's avatar
      IB/qib: Support creating qps with GFP_NOIO flag · e759d318
      Vinit Agnihotri authored
      commit fbbeb863 upstream.
      
      The current code is problematic when the QP creation and ipoib is used to
      support NFS and NFS desires to do IO for paging purposes. In that case, the
      GFP_KERNEL allocation in qib_qp.c causes a deadlock in tight memory
      situations.
      
      This fix adds support to create queue pair with GFP_NOIO flag for connected
      mode only to cleanly fail the create queue pair in those situations.
      Reviewed-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarVinit Agnihotri <vinit.abhay.agnihotri@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e759d318
    • Mike Marciniszyn's avatar
      IB/qib: fix mcast detach when qp not attached · 7bf68a0a
      Mike Marciniszyn authored
      commit 09dc9cd6 upstream.
      
      The code produces the following trace:
      
      [1750924.419007] general protection fault: 0000 [#3] SMP
      [1750924.420364] Modules linked in: nfnetlink autofs4 rpcsec_gss_krb5 nfsv4
      dcdbas rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl dm_multipath nfs lockd
      scsi_dh sunrpc fscache radeon ttm drm_kms_helper drm serio_raw parport_pc
      ppdev i2c_algo_bit lpc_ich ipmi_si ib_mthca ib_qib dca lp parport ib_ipoib
      mac_hid ib_cm i3000_edac ib_sa ib_uverbs edac_core ib_umad ib_mad ib_core
      ib_addr tg3 ptp dm_mirror dm_region_hash dm_log psmouse pps_core
      [1750924.420364] CPU: 1 PID: 8401 Comm: python Tainted: G D
      3.13.0-39-generic #66-Ubuntu
      [1750924.420364] Hardware name: Dell Computer Corporation PowerEdge
      860/0XM089, BIOS A04 07/24/2007
      [1750924.420364] task: ffff8800366a9800 ti: ffff88007af1c000 task.ti:
      ffff88007af1c000
      [1750924.420364] RIP: 0010:[<ffffffffa0131d51>] [<ffffffffa0131d51>]
      qib_mcast_qp_free+0x11/0x50 [ib_qib]
      [1750924.420364] RSP: 0018:ffff88007af1dd70  EFLAGS: 00010246
      [1750924.420364] RAX: 0000000000000001 RBX: ffff88007b822688 RCX:
      000000000000000f
      [1750924.420364] RDX: ffff88007b822688 RSI: ffff8800366c15a0 RDI:
      6764697200000000
      [1750924.420364] RBP: ffff88007af1dd78 R08: 0000000000000001 R09:
      0000000000000000
      [1750924.420364] R10: 0000000000000011 R11: 0000000000000246 R12:
      ffff88007baa1d98
      [1750924.420364] R13: ffff88003ecab000 R14: ffff88007b822660 R15:
      0000000000000000
      [1750924.420364] FS:  00007ffff7fd8740(0000) GS:ffff88007fc80000(0000)
      knlGS:0000000000000000
      [1750924.420364] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [1750924.420364] CR2: 00007ffff597c750 CR3: 000000006860b000 CR4:
      00000000000007e0
      [1750924.420364] Stack:
      [1750924.420364]  ffff88007b822688 ffff88007af1ddf0 ffffffffa0132429
      000000007af1de20
      [1750924.420364]  ffff88007baa1dc8 ffff88007baa0000 ffff88007af1de70
      ffffffffa00cb313
      [1750924.420364]  00007fffffffde88 0000000000000000 0000000000000008
      ffff88003ecab000
      [1750924.420364] Call Trace:
      [1750924.420364]  [<ffffffffa0132429>] qib_multicast_detach+0x1e9/0x350
      [ib_qib]
      [1750924.568035]  [<ffffffffa00cb313>] ? ib_uverbs_modify_qp+0x323/0x3d0
      [ib_uverbs]
      [1750924.568035]  [<ffffffffa0092d61>] ib_detach_mcast+0x31/0x50 [ib_core]
      [1750924.568035]  [<ffffffffa00cc213>] ib_uverbs_detach_mcast+0x93/0x170
      [ib_uverbs]
      [1750924.568035]  [<ffffffffa00c61f6>] ib_uverbs_write+0xc6/0x2c0 [ib_uverbs]
      [1750924.568035]  [<ffffffff81312e68>] ? apparmor_file_permission+0x18/0x20
      [1750924.568035]  [<ffffffff812d4cd3>] ? security_file_permission+0x23/0xa0
      [1750924.568035]  [<ffffffff811bd214>] vfs_write+0xb4/0x1f0
      [1750924.568035]  [<ffffffff811bdc49>] SyS_write+0x49/0xa0
      [1750924.568035]  [<ffffffff8172f7ed>] system_call_fastpath+0x1a/0x1f
      [1750924.568035] Code: 66 2e 0f 1f 84 00 00 00 00 00 31 c0 5d c3 66 2e 0f 1f
      84 00 00 00 00 00 66 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 8b 7f 10
      <f0> ff 8f 40 01 00 00 74 0e 48 89 df e8 8e f8 06 e1 5b 5d c3 0f
      [1750924.568035] RIP  [<ffffffffa0131d51>] qib_mcast_qp_free+0x11/0x50
      [ib_qib]
      [1750924.568035]  RSP <ffff88007af1dd70>
      [1750924.650439] ---[ end trace 73d5d4b3f8ad4851 ]
      
      The fix is to note the qib_mcast_qp that was found.   If none is found, then
      return EINVAL indicating the error.
      Reviewed-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Reported-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7bf68a0a
    • Bart Van Assche's avatar
      IB/cm: Fix a recently introduced deadlock · e97bff51
      Bart Van Assche authored
      commit 4bfdf635 upstream.
      
      ib_send_cm_drep() calls cm_enter_timewait() while holding a spinlock
      that can be locked from inside an interrupt handler. Hence do not
      enable interrupts inside cm_enter_timewait() if called with interrupts
      disabled.
      
      This patch fixes e.g. the following deadlock:
      Acked-by: default avatarErez Shitrit <erezsh@mellanox.com>
      
      =================================
      [ INFO: inconsistent lock state ]
      4.4.0-rc7+ #1 Tainted: G            E
      ---------------------------------
      inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
      swapper/8/0 [HC1[1]:SC0[0]:HE0:SE1] takes:
      (&(&cm_id_priv->lock)->rlock){?.+...}, at: [<ffffffffa036eec4>] cm_establish+0x
      74/0x1b0 [ib_cm]
      {HARDIRQ-ON-W} state was registered at:
        [<ffffffff810a3c11>] mark_held_locks+0x71/0x90
        [<ffffffff810a3e87>] trace_hardirqs_on_caller+0xa7/0x1c0
        [<ffffffff810a3fad>] trace_hardirqs_on+0xd/0x10
        [<ffffffff8151c40b>] _raw_spin_unlock_irq+0x2b/0x40
        [<ffffffffa036ea8e>] cm_enter_timewait+0xae/0x100 [ib_cm]
        [<ffffffffa036ff76>] ib_send_cm_drep+0xb6/0x190 [ib_cm]
        [<ffffffffa052ed08>] srp_cm_handler+0x128/0x1a0 [ib_srp]
        [<ffffffffa0370340>] cm_process_work+0x20/0xf0 [ib_cm]
        [<ffffffffa0371335>] cm_dreq_handler+0x135/0x2c0 [ib_cm]
        [<ffffffffa03733c5>] cm_work_handler+0x75/0xd0 [ib_cm]
        [<ffffffff8107184d>] process_one_work+0x1bd/0x460
        [<ffffffff81073148>] worker_thread+0x118/0x420
        [<ffffffff81078454>] kthread+0xe4/0x100
        [<ffffffff8151cbbf>] ret_from_fork+0x3f/0x70
      irq event stamp: 1672286
      hardirqs last  enabled at (1672283): [<ffffffff81408ec0>] poll_idle+0x10/0x80
      hardirqs last disabled at (1672284): [<ffffffff8151d304>] common_interrupt+0x84/0x89
      softirqs last  enabled at (1672286): [<ffffffff8105b4dc>] _local_bh_enable+0x1c/0x50
      softirqs last disabled at (1672285): [<ffffffff8105b697>] irq_enter+0x47/0x70
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&cm_id_priv->lock)->rlock);
        <Interrupt>
          lock(&(&cm_id_priv->lock)->rlock);
      
       *** DEADLOCK ***
      
      no locks held by swapper/8/0.
      
      stack backtrace:
      CPU: 8 PID: 0 Comm: swapper/8 Tainted: G            E   4.4.0-rc7+ #1
      Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.0.2 11/17/2014
       ffff88045af5e950 ffff88046e503a88 ffffffff81251c1b 0000000000000007
       0000000000000006 0000000000000003 ffff88045af5ddc0 ffff88046e503ad8
       ffffffff810a32f4 0000000000000000 0000000000000000 0000000000000001
      Call Trace:
       <IRQ>  [<ffffffff81251c1b>] dump_stack+0x4f/0x74
       [<ffffffff810a32f4>] print_usage_bug+0x184/0x190
       [<ffffffff810a36e2>] mark_lock_irq+0xf2/0x290
       [<ffffffff810a3995>] mark_lock+0x115/0x1b0
       [<ffffffff810a3b8c>] mark_irqflags+0x15c/0x170
       [<ffffffff810a4fef>] __lock_acquire+0x1ef/0x560
       [<ffffffff810a53c2>] lock_acquire+0x62/0x80
       [<ffffffff8151bd33>] _raw_spin_lock_irqsave+0x43/0x60
       [<ffffffffa036eec4>] cm_establish+0x74/0x1b0 [ib_cm]
       [<ffffffffa036f031>] ib_cm_notify+0x31/0x100 [ib_cm]
       [<ffffffffa0637f24>] srpt_qp_event+0x54/0xd0 [ib_srpt]
       [<ffffffffa0196052>] mlx4_ib_qp_event+0x72/0xc0 [mlx4_ib]
       [<ffffffffa00775b9>] mlx4_qp_event+0x69/0xd0 [mlx4_core]
       [<ffffffffa006000e>] mlx4_eq_int+0x51e/0xd50 [mlx4_core]
       [<ffffffffa006084f>] mlx4_msi_x_interrupt+0xf/0x20 [mlx4_core]
       [<ffffffff810b67b0>] handle_irq_event_percpu+0x40/0x110
       [<ffffffff810b68bf>] handle_irq_event+0x3f/0x70
       [<ffffffff810ba7f9>] handle_edge_irq+0x79/0x120
       [<ffffffff81007f3d>] handle_irq+0x5d/0x130
       [<ffffffff810071fd>] do_IRQ+0x6d/0x130
       [<ffffffff8151d309>] common_interrupt+0x89/0x89
       <EOI>  [<ffffffff8140895f>] cpuidle_enter_state+0xcf/0x200
       [<ffffffff81408aa2>] cpuidle_enter+0x12/0x20
       [<ffffffff810990d6>] call_cpuidle+0x36/0x60
       [<ffffffff81099163>] cpuidle_idle_call+0x63/0x110
       [<ffffffff8109930a>] cpu_idle_loop+0xfa/0x130
       [<ffffffff8109934e>] cpu_startup_entry+0xe/0x10
       [<ffffffff8103c443>] start_secondary+0x83/0x90
      
      Fixes: commit be4b4993 ("IB/cm: Do not queue work to a device that's going away")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Erez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e97bff51
    • Andy Shevchenko's avatar
      dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer · 556dfd8d
      Andy Shevchenko authored
      commit ee1cdcda upstream.
      
      The commit 2895b2ca ("dmaengine: dw: fix cyclic transfer callbacks")
      re-enabled BLOCK interrupts with regard to make cyclic transfers work. However,
      this change becomes a regression for non-cyclic transfers as interrupt counters
      under stress test had been grown enormously (approximately per 4-5 bytes in the
      UART loop back test).
      
      Taking into consideration above enable BLOCK interrupts if and only if channel
      is programmed to perform cyclic transfer.
      
      Fixes: 2895b2ca ("dmaengine: dw: fix cyclic transfer callbacks")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Acked-by: default avatarMans Rullgard <mans@mansr.com>
      Tested-by: default avatarMans Rullgard <mans@mansr.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      556dfd8d
    • Songjun Wu's avatar
      dmaengine: at_xdmac: fix resume for cyclic transfers · f4fa3d6f
      Songjun Wu authored
      commit 611dcadb upstream.
      
      When having cyclic transfers, the channel was paused when performing
      suspend but was not correctly resumed.
      Signed-off-by: default avatarSongjun Wu <songjun.wu@atmel.com>
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Fixes: e1f7c9ee ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver")
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4fa3d6f
    • Mans Rullgard's avatar
      dmaengine: dw: fix cyclic transfer callbacks · 7ed338d4
      Mans Rullgard authored
      commit 2895b2ca upstream.
      
      Cyclic transfer callbacks rely on block completion interrupts which were
      disabled in commit ff7b05f2 ("dmaengine/dw_dmac: Don't handle block
      interrupts").  This re-enables block interrupts so the cyclic callbacks
      can work.  Other transfer types are not affected as they set the INT_EN
      bit only on the last block.
      
      Fixes: ff7b05f2 ("dmaengine/dw_dmac: Don't handle block interrupts")
      Signed-off-by: default avatarMans Rullgard <mans@mansr.com>
      Reviewed-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ed338d4
    • Mans Rullgard's avatar
      dmaengine: dw: fix cyclic transfer setup · 4f29e544
      Mans Rullgard authored
      commit df3bb8a0 upstream.
      
      Commit 61e183f8 ("dmaengine/dw_dmac: Reconfigure interrupt and
      chan_cfg register on resume") moved some channel initialisation to
      a new function which must be called before starting a transfer.
      
      This updates dw_dma_cyclic_start() to use dwc_dostart() like the other
      modes, thus ensuring dwc_initialize() gets called and removing some code
      duplication.
      
      Fixes: 61e183f8 ("dmaengine/dw_dmac: Reconfigure interrupt and chan_cfg register on resume")
      Signed-off-by: default avatarMans Rullgard <mans@mansr.com>
      Reviewed-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f29e544
    • Dan Williams's avatar
      nfit: fix multi-interface dimm handling, acpi6.1 compatibility · ef1fb7d1
      Dan Williams authored
      commit 6697b2cf upstream.
      
      ACPI 6.1 clarified that multi-interface dimms require multiple control
      region entries (DCRs) per dimm.  Previously we were assuming that a
      control region is only present when block-data-windows are present.
      This implementation was done with an eye to be compatibility with the
      looser ACPI 6.0 interpretation of this table.
      
      1/ When coalescing the memory device (MEMDEV) tables for a single dimm,
      coalesce on device_handle rather than control region index.
      
      2/ Whenever we disocver a control region with non-zero block windows
      re-scan for block-data-window (BDW) entries.
      
      We may need to revisit this if a DIMM ever implements a format interface
      outside of blk or pmem, but that is not on the foreseeable horizon.
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef1fb7d1
    • Insu Yun's avatar
      ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot() · 5066e447
      Insu Yun authored
      commit 2c3033a0 upstream.
      
      In acpiphp_enable_slot(), there is a missing unlock path
      when error occurred.  It needs to be unlocked before returning
      an error.
      Signed-off-by: default avatarInsu Yun <wuninsu@gmail.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5066e447