1. 26 Sep, 2018 18 commits
    • Sandipan Das's avatar
      perf powerpc: Fix callchain ip filtering · d4aa4e4f
      Sandipan Das authored
      [ Upstream commit c715fcfd ]
      
      For powerpc64, redundant entries in the callchain are filtered out by
      determining the state of the return address and the stack frame using
      DWARF debug information.
      
      For making these filtering decisions we must analyze the debug
      information for the location corresponding to the program counter value,
      i.e. the first entry in the callchain, and not the LR value; otherwise,
      perf may filter out either the second or the third entry in the
      callchain incorrectly.
      
      This can be observed on a powerpc64le system running Fedora 27 as shown
      below.
      
      Case 1 - Attaching a probe at inet_pton+0x8 (binary offset 0x15af28).
               Return address is still in LR and a new stack frame is not yet
               allocated. The LR value, i.e. the second entry, should not be
      	 filtered out.
      
        # objdump -d /usr/lib64/libc-2.26.so | less
        ...
        000000000010eb10 <gaih_inet.constprop.7>:
        ...
          10fa48:       78 bb e4 7e     mr      r4,r23
          10fa4c:       0a 00 60 38     li      r3,10
          10fa50:       d9 b4 04 48     bl      15af28 <inet_pton+0x8>
          10fa54:       00 00 00 60     nop
          10fa58:       ac f4 ff 4b     b       10ef04 <gaih_inet.constprop.7+0x3f4>
        ...
        0000000000110450 <getaddrinfo>:
        ...
          1105a8:       54 00 ff 38     addi    r7,r31,84
          1105ac:       58 00 df 38     addi    r6,r31,88
          1105b0:       69 e5 ff 4b     bl      10eb18 <gaih_inet.constprop.7+0x8>
          1105b4:       78 1b 71 7c     mr      r17,r3
          1105b8:       50 01 7f e8     ld      r3,336(r31)
        ...
        000000000015af20 <inet_pton>:
          15af20:       0b 00 4c 3c     addis   r2,r12,11
          15af24:       e0 c1 42 38     addi    r2,r2,-15904
          15af28:       a6 02 08 7c     mflr    r0
          15af2c:       f0 ff c1 fb     std     r30,-16(r1)
          15af30:       f8 ff e1 fb     std     r31,-8(r1)
        ...
      
        # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x8
        # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1
        # perf script
      
      Before:
      
        ping  4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28)
                    7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so)
                    7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
                       13fb52d70 _init+0xbfc (/usr/bin/ping)
                    7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
                    7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
                               0 [unknown] ([unknown])
      
      After:
      
        ping  4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28)
                    7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so)
                    7fffa7d6fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so)
                    7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
                       13fb52d70 _init+0xbfc (/usr/bin/ping)
                    7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
                    7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
                               0 [unknown] ([unknown])
      
      Case 2 - Attaching a probe at _int_malloc+0x180 (binary offset 0x9cf10).
               Return address in still in LR and a new stack frame has already
               been allocated but not used. The caller's caller, i.e. the third
      	 entry, is invalid and should be filtered out and not the second
      	 one.
      
        # objdump -d /usr/lib64/libc-2.26.so | less
        ...
        000000000009cd90 <_int_malloc>:
           9cd90:       17 00 4c 3c     addis   r2,r12,23
           9cd94:       70 a3 42 38     addi    r2,r2,-23696
           9cd98:       26 00 80 7d     mfcr    r12
           9cd9c:       f8 ff e1 fb     std     r31,-8(r1)
           9cda0:       17 00 e4 3b     addi    r31,r4,23
           9cda4:       d8 ff 61 fb     std     r27,-40(r1)
           9cda8:       78 23 9b 7c     mr      r27,r4
           9cdac:       1f 00 bf 2b     cmpldi  cr7,r31,31
           9cdb0:       f0 ff c1 fb     std     r30,-16(r1)
           9cdb4:       b0 ff c1 fa     std     r22,-80(r1)
           9cdb8:       78 1b 7e 7c     mr      r30,r3
           9cdbc:       08 00 81 91     stw     r12,8(r1)
           9cdc0:       11 ff 21 f8     stdu    r1,-240(r1)
           9cdc4:       4c 01 9d 41     bgt     cr7,9cf10 <_int_malloc+0x180>
           9cdc8:       20 00 a4 2b     cmpldi  cr7,r4,32
        ...
           9cf08:       00 00 00 60     nop
           9cf0c:       00 00 42 60     ori     r2,r2,0
           9cf10:       e4 06 ff 7b     rldicr  r31,r31,0,59
           9cf14:       40 f8 a4 7f     cmpld   cr7,r4,r31
           9cf18:       68 05 9d 41     bgt     cr7,9d480 <_int_malloc+0x6f0>
        ...
        000000000009e3c0 <tcache_init.part.4>:
        ...
           9e420:       40 02 80 38     li      r4,576
           9e424:       78 fb e3 7f     mr      r3,r31
           9e428:       71 e9 ff 4b     bl      9cd98 <_int_malloc+0x8>
           9e42c:       00 00 a3 2f     cmpdi   cr7,r3,0
           9e430:       78 1b 7e 7c     mr      r30,r3
        ...
        000000000009f7a0 <__libc_malloc>:
        ...
           9f8f8:       00 00 89 2f     cmpwi   cr7,r9,0
           9f8fc:       1c ff 9e 40     bne     cr7,9f818 <__libc_malloc+0x78>
           9f900:       c9 ea ff 4b     bl      9e3c8 <tcache_init.part.4+0x8>
           9f904:       00 00 00 60     nop
           9f908:       e8 90 22 e9     ld      r9,-28440(r2)
        ...
      
        # perf probe -x /usr/lib64/libc-2.26.so -a _int_malloc+0x180
        # perf record -e probe_libc:_int_malloc -g ./test-malloc
        # perf script
      
      Before:
      
        test-malloc  6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10)
                    7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so)
                    7fffa6dd0000 [unknown] (/usr/lib64/libc-2.26.so)
                    7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so)
                    7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so)
                        100006b4 main+0x38 (/home/testuser/test-malloc)
                    7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
                    7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
                               0 [unknown] ([unknown])
      
      After:
      
        test-malloc  6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10)
                    7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so)
                    7fffa6e6e42c tcache_init.part.4+0x6c (/usr/lib64/libc-2.26.so)
                    7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so)
                    7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so)
                        100006b4 main+0x38 (/home/sandipan/test-malloc)
                    7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
                    7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
                               0 [unknown] ([unknown])
      Signed-off-by: default avatarSandipan Das <sandipan@linux.ibm.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Maynard Johnson <maynard@us.ibm.com>
      Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
      Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
      Fixes: a60335ba ("perf tools powerpc: Adjust callchain based on DWARF debug info")
      Link: http://lkml.kernel.org/r/24bb726d91ed173aebc972ec3f41a2ef2249434e.1530724939.git.sandipan@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4aa4e4f
    • Krzysztof Kozlowski's avatar
      ARM: exynos: Clear global variable on init error path · 016353ef
      Krzysztof Kozlowski authored
      [ Upstream commit cd480691 ]
      
      For most of Exynos SoCs, Power Management Unit (PMU) address space is
      mapped into global variable 'pmu_base_addr' very early when initializing
      PMU interrupt controller.  A lot of other machine code depends on it so
      when doing iounmap() on this address, clear the global as well to avoid
      usage of invalid value (pointing to unmapped memory region).
      
      Properly mapped PMU address space is a requirement for all other machine
      code so this fix is purely theoretical.  Boot will fail immediately in
      many other places after following this error path.
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      016353ef
    • Fredrik Noring's avatar
      fbdev: Distinguish between interlaced and progressive modes · 57a1dd74
      Fredrik Noring authored
      [ Upstream commit 1ba0a59c ]
      
      I discovered the problem when developing a frame buffer driver for the
      PlayStation 2 (not yet merged), using the following video modes for the
      PlayStation 3 in drivers/video/fbdev/ps3fb.c:
      
          }, {
              /* 1080if */
              "1080if", 50, 1920, 1080, 13468, 148, 484, 36, 4, 88, 5,
              FB_SYNC_BROADCAST, FB_VMODE_INTERLACED
          }, {
              /* 1080pf */
              "1080pf", 50, 1920, 1080, 6734, 148, 484, 36, 4, 88, 5,
              FB_SYNC_BROADCAST, FB_VMODE_NONINTERLACED
          },
      
      In ps3fb_probe, the mode_option module parameter is used with fb_find_mode
      but it can only select the interlaced variant of 1920x1080 since the loop
      matching the modes does not take the difference between interlaced and
      progressive modes into account.
      
      In short, without the patch, progressive 1920x1080 cannot be chosen as a
      mode_option parameter since fb_find_mode (falsely) thinks interlace is a
      perfect match.
      Signed-off-by: default avatarFredrik Noring <noring@nocrew.org>
      Cc: "Maciej W. Rozycki" <macro@linux-mips.org>
      [b.zolnierkie: updated patch description]
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57a1dd74
    • Sandipan Das's avatar
      perf powerpc: Fix callchain ip filtering when return address is in a register · e71975f0
      Sandipan Das authored
      [ Upstream commit 9068533e ]
      
      For powerpc64, perf will filter out the second entry in the callchain,
      i.e. the LR value, if the return address of the function corresponding
      to the probed location has already been saved on its caller's stack.
      
      The state of the return address is determined using debug information.
      At any point within a function, if the return address is already saved
      somewhere, a DWARF expression can tell us about its location. If the
      return address in still in LR only, no DWARF expression would exist.
      
      Typically, the instructions in a function's prologue first copy the LR
      value to R0 and then pushes R0 on to the stack. If LR has already been
      copied to R0 but R0 is yet to be pushed to the stack, we can still get a
      DWARF expression that says that the return address is in R0. This is
      indicating that getting a DWARF expression for the return address does
      not guarantee the fact that it has already been saved on the stack.
      
      This can be observed on a powerpc64le system running Fedora 27 as shown
      below.
      
        # objdump -d /usr/lib64/libc-2.26.so | less
        ...
        000000000015af20 <inet_pton>:
          15af20:       0b 00 4c 3c     addis   r2,r12,11
          15af24:       e0 c1 42 38     addi    r2,r2,-15904
          15af28:       a6 02 08 7c     mflr    r0
          15af2c:       f0 ff c1 fb     std     r30,-16(r1)
          15af30:       f8 ff e1 fb     std     r31,-8(r1)
          15af34:       78 1b 7f 7c     mr      r31,r3
          15af38:       78 23 83 7c     mr      r3,r4
          15af3c:       78 2b be 7c     mr      r30,r5
          15af40:       10 00 01 f8     std     r0,16(r1)
          15af44:       c1 ff 21 f8     stdu    r1,-64(r1)
          15af48:       28 00 81 f8     std     r4,40(r1)
        ...
      
        # readelf --debug-dump=frames-interp /usr/lib64/libc-2.26.so | less
        ...
        00027024 0000000000000024 00027028 FDE cie=00000000 pc=000000000015af20..000000000015af88
           LOC           CFA      r30   r31   ra
        000000000015af20 r1+0     u     u     u
        000000000015af34 r1+0     c-16  c-8   r0
        000000000015af48 r1+64    c-16  c-8   c+16
        000000000015af5c r1+0     c-16  c-8   c+16
        000000000015af78 r1+0     u     u
        ...
      
        # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x18
        # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1
        # perf script
      
      Before:
      
        ping  2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38)
                    7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so)
                    7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
                       12f152d70 _init+0xbfc (/usr/bin/ping)
                    7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
                    7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
                               0 [unknown] ([unknown])
      
      After:
      
        ping  2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38)
                    7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so)
                    7fff7e26fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so)
                    7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so)
                       12f152d70 _init+0xbfc (/usr/bin/ping)
                    7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so)
                    7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so)
                               0 [unknown] ([unknown])
      Reported-by: default avatarRavi Bangoria <ravi.bangoria@linux.ibm.com>
      Signed-off-by: default avatarSandipan Das <sandipan@linux.ibm.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Maynard Johnson <maynard@us.ibm.com>
      Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
      Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
      Link: http://lkml.kernel.org/r/66e848a7bdf2d43b39210a705ff6d828a0865661.1530724939.git.sandipan@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e71975f0
    • Randy Dunlap's avatar
      fbdev/via: fix defined but not used warning · 5a85c8d6
      Randy Dunlap authored
      [ Upstream commit b6566b47 ]
      
      Fix a build warning in viafbdev.c when CONFIG_PROC_FS is not enabled
      by marking the unused function as __maybe_unused.
      
      ../drivers/video/fbdev/via/viafbdev.c:1471:12: warning: 'viafb_sup_odev_proc_show' defined but not used [-Wunused-function]
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a85c8d6
    • Anton Vasilyev's avatar
      video: goldfishfb: fix memory leak on driver remove · 1401b76d
      Anton Vasilyev authored
      [ Upstream commit 5958fde7 ]
      
      goldfish_fb_probe() allocates memory for fb, but goldfish_fb_remove() does
      not have deallocation of fb, which leads to memory leak on probe/remove.
      
      The patch adds deallocation into goldfish_fb_remove().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAnton Vasilyev <vasilyev@ispras.ru>
      Cc: Aleksandar Markovic <aleksandar.markovic@mips.com>
      Cc: Miodrag Dinic <miodrag.dinic@mips.com>
      Cc: Goran Ferenc <goran.ferenc@mips.com>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1401b76d
    • Dan Carpenter's avatar
      fbdev: omapfb: off by one in omapfb_register_client() · 98c05956
      Dan Carpenter authored
      [ Upstream commit 5ec1ec35 ]
      
      The omapfb_register_client[] array has OMAPFB_PLANE_NUM elements so the
      > should be >= or we are one element beyond the end of the array.
      
      Fixes: 8b08cf2b ("OMAP: add TI OMAP framebuffer driver")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Imre Deak <imre.deak@solidboot.com>
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98c05956
    • Randy Dunlap's avatar
      mtd/maps: fix solutionengine.c printk format warnings · 66e32b78
      Randy Dunlap authored
      [ Upstream commit 1d25e3ee ]
      
      Fix 2 printk format warnings (this driver is currently only used by
      arch/sh/) by using "%pap" instead of "%lx".
      
      Fixes these build warnings:
      
      ../drivers/mtd/maps/solutionengine.c: In function 'init_soleng_maps':
      ../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=]
      ../drivers/mtd/maps/solutionengine.c:62:54: note: format string is defined here
        printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n",
                                                        ~~~~^
                                                        %08x
      ../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=]
      ../drivers/mtd/maps/solutionengine.c:62:72: note: format string is defined here
        printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n",
                                                                          ~~~~^
                                                                          %08x
      
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Brian Norris <computersforpeace@gmail.com>
      Cc: Boris Brezillon <boris.brezillon@bootlin.com>
      Cc: Marek Vasut <marek.vasut@gmail.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: linux-mtd@lists.infradead.org
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: Rich Felker <dalias@libc.org>
      Cc: linux-sh@vger.kernel.org
      Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66e32b78
    • Hans Verkuil's avatar
      media: videobuf2-core: check for q->error in vb2_core_qbuf() · 0eda7472
      Hans Verkuil authored
      [ Upstream commit b509d733 ]
      
      The vb2_core_qbuf() function didn't check if q->error was set. It is
      checked in __buf_prepare(), but that function isn't called if the buffer
      was already prepared before with VIDIOC_PREPARE_BUF.
      
      So check it at the start of vb2_core_qbuf() as well.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0eda7472
    • Felix Fietkau's avatar
      MIPS: ath79: fix system restart · 9f6d6fb5
      Felix Fietkau authored
      [ Upstream commit f8a7bfe1 ]
      
      This patch disables irq on reboot to fix hang issues that were observed
      due to pending interrupts.
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohn Crispin <john@phrozen.org>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19913/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f6d6fb5
    • John Keeping's avatar
      dmaengine: pl330: fix irq race with terminate_all · 46c66ac9
      John Keeping authored
      [ Upstream commit e4975654 ]
      
      In pl330_update() when checking if a channel has been aborted, the
      channel's lock is not taken, only the overall pl330_dmac lock.  But in
      pl330_terminate_all() the aborted flag (req_running==-1) is set under
      the channel lock and not the pl330_dmac lock.
      
      With threaded interrupts, this leads to a potential race:
      
          pl330_terminate_all	        pl330_update
          -------------------         ------------
          lock channel
                                      entry
          lock pl330
          _stop channel
          unlock pl330
                                      lock pl330
                                      check req_running != -1
          req_running = -1
                                      _start channel
      Signed-off-by: default avatarJohn Keeping <john@metanate.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46c66ac9
    • Masahiro Yamada's avatar
      kbuild: add .DELETE_ON_ERROR special target · d6ac46c7
      Masahiro Yamada authored
      [ Upstream commit 9c2af1c7 ]
      
      If Make gets a fatal signal while a shell is executing, it may delete
      the target file that the recipe was supposed to update.  This is needed
      to make sure that it is remade from scratch when Make is next run; if
      Make is interrupted after the recipe has begun to write the target file,
      it results in an incomplete file whose time stamp is newer than that
      of the prerequisites files.  Make automatically deletes the incomplete
      file on interrupt unless the target is marked .PRECIOUS.
      
      The situation is just the same as when the shell fails for some reasons.
      Usually when a recipe line fails, if it has changed the target file at
      all, the file is corrupted, or at least it is not completely updated.
      Yet the file’s time stamp says that it is now up to date, so the next
      time Make runs, it will not try to update that file.
      
      However, Make does not cater to delete the incomplete target file in
      this case.  We need to add .DELETE_ON_ERROR somewhere in the Makefile
      to request it.
      
      scripts/Kbuild.include seems a suitable place to add it because it is
      included from almost all sub-makes.
      
      Please note .DELETE_ON_ERROR is not effective for phony targets.
      
      The external module building should never ever touch the kernel tree.
      The following recipe fails if include/generated/autoconf.h is missing.
      However, include/config/auto.conf is not deleted since it is a phony
      target.
      
       PHONY += include/config/auto.conf
      
       include/config/auto.conf:
               $(Q)test -e include/generated/autoconf.h -a -e $@ || (          \
               echo >&2;                                                       \
               echo >&2 "  ERROR: Kernel configuration is invalid.";           \
               echo >&2 "         include/generated/autoconf.h or $@ are missing.";\
               echo >&2 "         Run 'make oldconfig && make prepare' on kernel src to fix it."; \
               echo >&2 ;                                                      \
               /bin/false)
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6ac46c7
    • Nicholas Mc Guire's avatar
      clk: imx6ul: fix missing of_node_put() · 210006ef
      Nicholas Mc Guire authored
      [ Upstream commit 11177e7a ]
      
      of_find_compatible_node() is returning a device node with refcount
      incremented and must be explicitly decremented after the last use
      which is right after the us in of_iomap() here.
      Signed-off-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Fixes: 787b4271 ("clk: imx: add imx6ul clk tree support")
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      210006ef
    • Andreas Gruenbacher's avatar
      gfs2: Special-case rindex for gfs2_grow · 9e8d585c
      Andreas Gruenbacher authored
      [ Upstream commit 77612578 ]
      
      To speed up the common case of appending to a file,
      gfs2_write_alloc_required presumes that writing beyond the end of a file
      will always require additional blocks to be allocated.  This assumption
      is incorrect for preallocates files, but there are no negative
      consequences as long as *some* space is still left on the filesystem.
      
      One special file that always has some space preallocated beyond the end
      of the file is the rindex: when growing a filesystem, gfs2_grow adds one
      or more new resource groups and appends records describing those
      resource groups to the rindex; the preallocated space ensures that this
      is always possible.
      
      However, when a filesystem is completely full, gfs2_write_alloc_required
      will indicate that an additional allocation is required, and appending
      the next record to the rindex will fail even though space for that
      record has already been preallocated.  To fix that, skip the incorrect
      optimization in gfs2_write_alloc_required, but for the rindex only.
      Other writes to preallocated space beyond the end of the file are still
      allowed to fail on completely full filesystems.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Reviewed-by: default avatarBob Peterson <rpeterso@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e8d585c
    • YueHaibing's avatar
      xfrm: fix 'passing zero to ERR_PTR()' warning · 1e89472f
      YueHaibing authored
      [ Upstream commit 934ffce1 ]
      
      Fix a static code checker warning:
      
        net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'
      
      xfrm_tmpl_resolve return 0 just means no xdst found, return NULL
      instead of passing zero to ERR_PTR.
      
      Fixes: d809ec89 ("xfrm: do not assume that template resolving always returns xfrms")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e89472f
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro · 650ca59a
      Takashi Iwai authored
      [ Upstream commit bd1cd0eb ]
      
      AU0828_DEVICE() macro in quirks-table.h uses USB_DEVICE_VENDOR_SPEC()
      for expanding idVendor and idProduct fields.  However, the latter
      macro adds also match_flags and bInterfaceClass, which are different
      from the values AU0828_DEVICE() macro sets after that.
      
      For fixing them, just expand idVendor and idProduct fields manually in
      AU0828_DEVICE().
      
      This fixes sparse warnings like:
        sound/usb/quirks-table.h:2892:1: warning: Initializer entry defined twice
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      650ca59a
    • Takashi Iwai's avatar
      ALSA: msnd: Fix the default sample sizes · 5df13ba4
      Takashi Iwai authored
      [ Upstream commit 7c500f9e ]
      
      The default sample sizes set by msnd driver are bogus; it sets ALSA
      PCM format, not the actual bit width.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5df13ba4
    • Miao Zhong's avatar
      iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register · a8323a85
      Miao Zhong authored
      [ Upstream commit 0d535967 ]
      
      When PRI queue occurs overflow, driver should update the OVACKFLG to
      the PRIQ consumer register, otherwise subsequent PRI requests will not
      be processed.
      
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarMiao Zhong <zhongmiao@hisilicon.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8323a85
  2. 19 Sep, 2018 22 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.157 · d9560919
      Greg Kroah-Hartman authored
      d9560919
    • Linus Torvalds's avatar
      mm: get rid of vmacache_flush_all() entirely · 88d69184
      Linus Torvalds authored
      commit 7a9cdebd upstream.
      
      Jann Horn points out that the vmacache_flush_all() function is not only
      potentially expensive, it's buggy too.  It also happens to be entirely
      unnecessary, because the sequence number overflow case can be avoided by
      simply making the sequence number be 64-bit.  That doesn't even grow the
      data structures in question, because the other adjacent fields are
      already 64-bit.
      
      So simplify the whole thing by just making the sequence number overflow
      case go away entirely, which gets rid of all the complications and makes
      the code faster too.  Win-win.
      
      [ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
        also just goes away entirely with this ]
      Reported-by: default avatarJann Horn <jannh@google.com>
      Suggested-by: default avatarWill Deacon <will.deacon@arm.com>
      Acked-by: default avatarDavidlohr Bueso <dave@stgolabs.net>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88d69184
    • Andi Kleen's avatar
      x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ · e29c75d4
      Andi Kleen authored
      [upstream cc51e542 for 4.4.
      Note there might be still a trivial conflict with the backport
      for b0a182f8, but should
      be easy to resolve]
      
      On Nehalem and newer core CPUs the CPU cache internally uses 44 bits
      physical address space. The L1TF workaround is limited by this internal
      cache address width, and needs to have one bit free there for the
      mitigation to work.
      
      Older client systems report only 36bit physical address space so the range
      check decides that L1TF is not mitigated for a 36bit phys/32GB system with
      some memory holes.
      
      But since these actually have the larger internal cache width this warning
      is bogus because it would only really be needed if the system had more than
      43bits of memory.
      
      Add a new internal x86_cache_bits field. Normally it is the same as the
      physical bits field reported by CPUID, but for Nehalem and newerforce it to
      be at least 44bits.
      
      Change the L1TF memory size warning to use the new cache_bits field to
      avoid bogus warnings and remove the bogus comment about memory size.
      
      Fixes: 17dbca11 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
      Reported-by: default avatarGeorge Anchev <studio@anchev.net>
      Reported-by: default avatarChristopher Snowhill <kode54@gmail.com>
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: x86@kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Michael Hocko <mhocko@suse.com>
      Cc: vbabka@suse.cz
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e29c75d4
    • Ian Kent's avatar
      autofs: fix autofs_sbi() does not check super block type · 4bdac252
      Ian Kent authored
      commit 0633da48 upstream.
      
      autofs_sbi() does not check the superblock magic number to verify it has
      been given an autofs super block.
      
      Backport Note: autofs4 has been renamed to autofs upstream. As a result
      the upstream patch does not apply cleanly onto 4.14.y.
      
      Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
      Reported-by: <syzbot+87c3c541582e56943277@syzkaller.appspotmail.com>
      Signed-off-by: default avatarIan Kent <raven@themaw.net>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4bdac252
    • Wei Yongjun's avatar
      mtd: ubi: wl: Fix error return code in ubi_wl_init() · da7d5af6
      Wei Yongjun authored
      commit 7233982a upstream.
      
      Fix to return error code -ENOMEM from the kmem_cache_alloc() error
      handling case instead of 0, as done elsewhere in this function.
      
      Fixes: f78e5623 ("ubi: fastmap: Erase outdated anchor PEBs during
      attach")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da7d5af6
    • Ondrej Mosnacek's avatar
      crypto: vmx - Fix sleep-in-atomic bugs · f1b13e97
      Ondrej Mosnacek authored
      commit 0522236d upstream.
      
      This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX
      implementations. The problem is that the blkcipher_* functions should
      not be called in atomic context.
      
      The bugs can be reproduced via the AF_ALG interface by trying to
      encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the
      VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then
      trigger BUG in crypto_yield():
      
      [  891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424
      [  891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc
      [  891.864739] 1 lock held by kcapi-enc/12347:
      [  891.864811]  #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530
      [  891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1
      [  891.865251] Call Trace:
      [  891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable)
      [  891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310
      [  891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0
      [  891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto]
      [  891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80
      [  891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530
      [  891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0
      [  891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0
      [  891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0
      [  891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70
      
      Fixes: 8c755ace ("crypto: vmx - Adding CBC routines for VMX module")
      Fixes: c07f5d3d ("crypto: vmx - Adding support for XTS")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1b13e97
    • Peter Chen's avatar
      ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle · 21de2732
      Peter Chen authored
      commit 5817f977 upstream.
      
      of_node_put needs to be called when the device node which is got
      from of_parse_phandle has finished using.
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21de2732
    • Johan Hovold's avatar
      net: ethernet: ti: cpsw: fix mdio device reference leak · b3179842
      Johan Hovold authored
      commit 86e1d5ad upstream.
      
      Make sure to drop the reference taken by of_find_device_by_node() when
      looking up an mdio device from a phy_id property during probe.
      
      Fixes: 549985ee ("cpsw: simplify the setup of the register
      pointers")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3179842
    • David Rivshin's avatar
      drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config · d02c8708
      David Rivshin authored
      commit 552165bc upstream.
      
      Commit 9e42f715 ("drivers: net: cpsw: add
      phy-handle parsing") saved the "phy-handle" phandle into a new cpsw_priv
      field. However, phy connections are per-slave, so the phy_node field should
      be in cpsw_slave_data rather than cpsw_priv.
      
      This would go unnoticed in a single emac configuration. But in dual_emac
      mode, the last "phy-handle" property parsed for either slave would be used
      by both of them, causing them both to refer to the same phy_device.
      
      Fixes: 9e42f715 ("drivers: net: cpsw: add phy-handle parsing")
      Signed-off-by: default avatarDavid Rivshin <drivshin@allworx.com>
      Tested-by: default avatarNicolas Chauvet <kwizart@gmail.com>
      Tested-by: default avatarAndrew Goodbody <andrew.goodbody@cambrionix.com>
      Reviewed-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Reviewed-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d02c8708
    • Eric Dumazet's avatar
      netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user · f9845426
      Eric Dumazet authored
      commit e466af75 upstream.
      
      syzkaller reports an out of bound read in strlcpy(), triggered
      by xt_copy_counters_from_user()
      
      Fix this by using memcpy(), then forcing a zero byte at the last position
      of the destination, as Florian did for the non COMPAT code.
      
      Fixes: d7591f0c ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Cc: Greg Hackmann <ghackmann@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9845426
    • Nadav Amit's avatar
      vmw_balloon: include asm/io.h · a3b92ee6
      Nadav Amit authored
      Fix a build error due to missing virt_to_phys()
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Fixes: f0a1bf29 ("vmw_balloon: fix inflation with batching")
      Cc: stable@vger.kernel.org
      Cc: Xavier Deguillard <xdeguillard@vmware.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3b92ee6
    • Mathias Nyman's avatar
      xhci: Fix use-after-free in xhci_free_virt_device · c72a42d3
      Mathias Nyman authored
      commit 44a182b9 upstream.
      
      KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
      where xhci_free_virt_device() sets slot id to 0 if udev exists:
      if (dev->udev && dev->udev->slot_id)
      	dev->udev->slot_id = 0;
      
      dev->udev will be true even if udev is freed because dev->udev is
      not set to NULL.
      
      set dev->udev pointer to NULL in xhci_free_dev()
      
      The original patch went to stable so this fix needs to be applied
      there as well.
      
      Fixes: a400efe4 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c72a42d3
    • Parav Pandit's avatar
      RDMA/cma: Do not ignore net namespace for unbound cm_id · ff75cdad
      Parav Pandit authored
      [ Upstream commit 643d213a ]
      
      Currently if the cm_id is not bound to any netdevice, than for such cm_id,
      net namespace is ignored; which is incorrect.
      
      Regardless of cm_id bound to a netdevice or not, net namespace must
      match. When a cm_id is bound to a netdevice, in such case net namespace
      and netdevice both must match.
      
      Fixes: 4c21b5bc ("IB/cma: Add net_dev and private data checks to RDMA CM")
      Signed-off-by: default avatarParav Pandit <parav@mellanox.com>
      Reviewed-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff75cdad
    • Paul Burton's avatar
      MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON · d04f1b44
      Paul Burton authored
      [ Upstream commit d4da0e97 ]
      
      If a driver causes DMA cache maintenance with a zero length then we
      currently BUG and kill the kernel. As this is a scenario that we may
      well be able to recover from, WARN & return in the condition instead.
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Patchwork: https://patchwork.linux-mips.org/patch/14623/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d04f1b44
    • Chao Yu's avatar
      f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize · e498af87
      Chao Yu authored
      [ Upstream commit c77ec61c ]
      
      This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize
      during mount, in order to avoid accessing across cache boundary with
      this abnormal bitmap size.
      
      - Overview
      buffer overrun in build_sit_info() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.584979] ==================================================================
      [  548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50
      [  548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295
      
      [  548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.589438] Call Trace:
      [  548.589474]  dump_stack+0x7b/0xb5
      [  548.589487]  print_address_description+0x70/0x290
      [  548.589492]  kasan_report+0x291/0x390
      [  548.589496]  ? kmemdup+0x36/0x50
      [  548.589509]  check_memory_region+0x139/0x190
      [  548.589514]  memcpy+0x23/0x50
      [  548.589518]  kmemdup+0x36/0x50
      [  548.589545]  f2fs_build_segment_manager+0x8fa/0x3410
      [  548.589551]  ? __asan_loadN+0xf/0x20
      [  548.589560]  ? f2fs_sanity_check_ckpt+0x1be/0x240
      [  548.589566]  ? f2fs_flush_sit_entries+0x10c0/0x10c0
      [  548.589587]  ? __put_user_ns+0x40/0x40
      [  548.589604]  ? find_next_bit+0x57/0x90
      [  548.589610]  f2fs_fill_super+0x194b/0x2b40
      [  548.589617]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589637]  ? set_blocksize+0x90/0x140
      [  548.589651]  mount_bdev+0x1c5/0x210
      [  548.589655]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589667]  f2fs_mount+0x15/0x20
      [  548.589672]  mount_fs+0x60/0x1a0
      [  548.589683]  ? alloc_vfsmnt+0x309/0x360
      [  548.589688]  vfs_kern_mount+0x6b/0x1a0
      [  548.589699]  do_mount+0x34a/0x18c0
      [  548.589710]  ? lockref_put_or_lock+0xcf/0x160
      [  548.589716]  ? copy_mount_string+0x20/0x20
      [  548.589728]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.589734]  ? kasan_check_write+0x14/0x20
      [  548.589740]  ? _copy_from_user+0x6a/0x90
      [  548.589744]  ? memdup_user+0x42/0x60
      [  548.589750]  ksys_mount+0x83/0xd0
      [  548.589755]  __x64_sys_mount+0x67/0x80
      [  548.589781]  do_syscall_64+0x78/0x170
      [  548.589797]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.589820] RIP: 0033:0x7f76fc331b9a
      [  548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      
      [  548.590242] The buggy address belongs to the page:
      [  548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  548.592886] flags: 0x2ffff0000000000()
      [  548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
      [  548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  548.603713] page dumped because: kasan: bad access detected
      
      [  548.605203] Memory state around the buggy address:
      [  548.606198]  ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.607676]  ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.610629]                                                                 ^
      [  548.612088]  ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.613674]  ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.615141] ==================================================================
      [  548.616613] Disabling lock debugging due to kernel taint
      [  548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420
      [  548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G    B             4.18.0-rc1+ #4
      [  548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420
      [  548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b
      [  548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246
      [  548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7
      [  548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000
      [  548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5
      [  548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040
      [  548.623295] R13: 00000000006040c0 R14: 000000000000000c R15: ffff8801f28c7938
      [  548.623299] FS:  00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  548.623302] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0
      [  548.623317] Call Trace:
      [  548.623325]  ? kasan_check_read+0x11/0x20
      [  548.623330]  ? __zone_watermark_ok+0x92/0x240
      [  548.623336]  ? get_page_from_freelist+0x1c3/0x1d90
      [  548.623347]  ? _raw_spin_lock_irqsave+0x2a/0x60
      [  548.623353]  ? warn_alloc+0x250/0x250
      [  548.623358]  ? save_stack+0x46/0xd0
      [  548.623361]  ? kasan_kmalloc+0xad/0xe0
      [  548.623366]  ? __isolate_free_page+0x2a0/0x2a0
      [  548.623370]  ? mount_fs+0x60/0x1a0
      [  548.623374]  ? vfs_kern_mount+0x6b/0x1a0
      [  548.623378]  ? do_mount+0x34a/0x18c0
      [  548.623383]  ? ksys_mount+0x83/0xd0
      [  548.623387]  ? __x64_sys_mount+0x67/0x80
      [  548.623391]  ? do_syscall_64+0x78/0x170
      [  548.623396]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623401]  __alloc_pages_nodemask+0x3c5/0x400
      [  548.623407]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  548.623412]  ? __mutex_lock_slowpath+0x20/0x20
      [  548.623417]  ? kvmalloc_node+0x31/0x80
      [  548.623424]  alloc_pages_current+0x75/0x110
      [  548.623436]  kmalloc_order+0x24/0x60
      [  548.623442]  kmalloc_order_trace+0x24/0xb0
      [  548.623448]  __kmalloc_track_caller+0x207/0x220
      [  548.623455]  ? f2fs_build_node_manager+0x399/0xbb0
      [  548.623460]  kmemdup+0x20/0x50
      [  548.623465]  f2fs_build_node_manager+0x399/0xbb0
      [  548.623470]  f2fs_fill_super+0x195e/0x2b40
      [  548.623477]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623481]  ? set_blocksize+0x90/0x140
      [  548.623486]  mount_bdev+0x1c5/0x210
      [  548.623489]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623495]  f2fs_mount+0x15/0x20
      [  548.623498]  mount_fs+0x60/0x1a0
      [  548.623503]  ? alloc_vfsmnt+0x309/0x360
      [  548.623508]  vfs_kern_mount+0x6b/0x1a0
      [  548.623513]  do_mount+0x34a/0x18c0
      [  548.623518]  ? lockref_put_or_lock+0xcf/0x160
      [  548.623523]  ? copy_mount_string+0x20/0x20
      [  548.623528]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.623533]  ? kasan_check_write+0x14/0x20
      [  548.623537]  ? _copy_from_user+0x6a/0x90
      [  548.623542]  ? memdup_user+0x42/0x60
      [  548.623547]  ksys_mount+0x83/0xd0
      [  548.623552]  __x64_sys_mount+0x67/0x80
      [  548.623557]  do_syscall_64+0x78/0x170
      [  548.623562]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623566] RIP: 0033:0x7f76fc331b9a
      [  548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      [  548.623650] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager
      [  548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578
      
      	sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL);
      
      Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size.
      
      Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e498af87
    • Zumeng Chen's avatar
      mfd: ti_am335x_tscadc: Fix struct clk memory leak · ab140bd2
      Zumeng Chen authored
      [ Upstream commit c2b1509c ]
      
      Use devm_elk_get() to let Linux manage struct clk memory to avoid the following
      memory leakage report:
      
      unreferenced object 0xdd75efc0 (size 64):
        comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s)
        hex dump (first 32 bytes):
          61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00  adc_tsc_fck.....
          00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<c0a15260>] kmemleak_alloc+0x40/0x74
          [<c0287a10>] __kmalloc_track_caller+0x198/0x388
          [<c0255610>] kstrdup+0x40/0x5c
          [<c025565c>] kstrdup_const+0x30/0x3c
          [<c0636630>] __clk_create_clk+0x60/0xac
          [<c0630918>] clk_get_sys+0x74/0x144
          [<c0630cdc>] clk_get+0x5c/0x68
          [<bf0ac540>] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc]
          [<c06f3c0c>] platform_drv_probe+0x60/0xac
          [<c06f1abc>] driver_probe_device+0x214/0x2dc
          [<c06f1c18>] __driver_attach+0x94/0xc0
          [<c06efe2c>] bus_for_each_dev+0x90/0xa0
          [<c06f1470>] driver_attach+0x28/0x30
          [<c06f1030>] bus_add_driver+0x184/0x1ec
          [<c06f2b74>] driver_register+0xb0/0xf0
          [<c06f3b4c>] __platform_driver_register+0x40/0x54
      Signed-off-by: default avatarZumeng Chen <zumeng.chen@gmail.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ab140bd2
    • Geert Uytterhoeven's avatar
      iommu/ipmmu-vmsa: Fix allocation in atomic context · 22fa0358
      Geert Uytterhoeven authored
      [ Upstream commit 46583e8c ]
      
      When attaching a device to an IOMMU group with
      CONFIG_DEBUG_ATOMIC_SLEEP=y:
      
          BUG: sleeping function called from invalid context at mm/slab.h:421
          in_atomic(): 1, irqs_disabled(): 128, pid: 61, name: kworker/1:1
          ...
          Call trace:
           ...
           arm_lpae_alloc_pgtable+0x114/0x184
           arm_64_lpae_alloc_pgtable_s1+0x2c/0x128
           arm_32_lpae_alloc_pgtable_s1+0x40/0x6c
           alloc_io_pgtable_ops+0x60/0x88
           ipmmu_attach_device+0x140/0x334
      
      ipmmu_attach_device() takes a spinlock, while arm_lpae_alloc_pgtable()
      allocates memory using GFP_KERNEL.  Originally, the ipmmu-vmsa driver
      had its own custom page table allocation implementation using
      GFP_ATOMIC, hence the spinlock was fine.
      
      Fix this by replacing the spinlock by a mutex, like the arm-smmu driver
      does.
      
      Fixes: f20ed39f ("iommu/ipmmu-vmsa: Use the ARM LPAE page table allocator")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22fa0358
    • Mauricio Faria de Oliveira's avatar
      partitions/aix: fix usage of uninitialized lv_info and lvname structures · a169d7c8
      Mauricio Faria de Oliveira authored
      [ Upstream commit 14cb2c8a ]
      
      The if-block that sets a successful return value in aix_partition()
      uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized.
      
      For example, if 'numlvs' is zero or alloc_lvn() fails, neither is
      initialized, but are used anyway if alloc_pvd() succeeds after it.
      
      So, make the alloc_pvd() call conditional on their initialization.
      
      This has been hit when attaching an apparently corrupted/stressed
      AIX LUN, misleading the kernel to pr_warn() invalid data and hang.
      
          [...] partition (null) (11 pp's found) is not contiguous
          [...] partition (null) (2 pp's found) is not contiguous
          [...] partition (null) (3 pp's found) is not contiguous
          [...] partition (null) (64 pp's found) is not contiguous
      
      Fixes: 6ceea22b ("partitions: add aix lvm partition support files")
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a169d7c8
    • Mauricio Faria de Oliveira's avatar
      partitions/aix: append null character to print data from disk · 77d3c98f
      Mauricio Faria de Oliveira authored
      [ Upstream commit d43fdae7 ]
      
      Even if properly initialized, the lvname array (i.e., strings)
      is read from disk, and might contain corrupt data (e.g., lack
      the null terminating character for strings).
      
      So, make sure the partition name string used in pr_warn() has
      the null terminating character.
      
      Fixes: 6ceea22b ("partitions: add aix lvm partition support files")
      Suggested-by: default avatarDaniel J. Axtens <daniel.axtens@canonical.com>
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77d3c98f
    • Nick Dyer's avatar
      Input: atmel_mxt_ts - only use first T9 instance · af39fa73
      Nick Dyer authored
      [ Upstream commit 36f5d9ef ]
      
      The driver only registers one input device, which uses the screen
      parameters from the first T9 instance. The first T63 instance also uses
      those parameters.
      
      It is incorrect to send input reports from the second instances of these
      objects if they are enabled: the input scaling will be wrong and the
      positions will be mashed together.
      
      This also causes problems on Android if the number of slots exceeds 32.
      
      In the future, this could be handled by looking for enabled touch object
      instances and creating an input device for each one.
      Signed-off-by: default avatarNick Dyer <nick.dyer@itdev.co.uk>
      Acked-by: default avatarBenson Leung <bleung@chromium.org>
      Acked-by: default avatarYufeng Shen <miletus@chromium.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af39fa73
    • Petr Machata's avatar
      net: dcb: For wild-card lookups, use priority -1, not 0 · bde99d93
      Petr Machata authored
      [ Upstream commit 08193d1a ]
      
      The function dcb_app_lookup walks the list of specified DCB APP entries,
      looking for one that matches a given criteria: ifindex, selector,
      protocol ID and optionally also priority. The "don't care" value for
      priority is set to 0, because that priority has not been allowed under
      CEE regime, which predates the IEEE standardization.
      
      Under IEEE, 0 is a valid priority number. But because dcb_app_lookup
      considers zero a wild card, attempts to add an APP entry with priority 0
      fail when other entries exist for a given ifindex / selector / PID
      triplet.
      
      Fix by changing the wild-card value to -1.
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bde99d93
    • Nicholas Mc Guire's avatar
      MIPS: Octeon: add missing of_node_put() · 7ffa0928
      Nicholas Mc Guire authored
      [ Upstream commit b1259519 ]
      
      The call to of_find_node_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented here after the last
      usage.
      Signed-off-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19558/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ffa0928